From 60785337cf2611ecf4d7f86569c951eda8750ec1 Mon Sep 17 00:00:00 2001 From: r1chev Date: Tue, 5 Dec 2023 09:50:27 +0000 Subject: [PATCH] Refresh Built-in detection rules documentation --- ...f5e-a585fc7c8fc0_do_not_edit_manually.json | 2 +- ...41e-af269b45bef1_do_not_edit_manually.json | 2 +- ...7d1-588319e39d71_do_not_edit_manually.json | 2 +- ...5c4-c8174c307e48_do_not_edit_manually.json | 2 +- ...575-9e43af779f9f_do_not_edit_manually.json | 2 +- ...5e2-4597e366b8c4_do_not_edit_manually.json | 2 +- ...02e-e88fe2193365_do_not_edit_manually.json | 2 +- ...803-e7990afe78b6_do_not_edit_manually.json | 2 +- ...b17-90c0be6b1f10_do_not_edit_manually.json | 2 +- ...9b6-76bf5298a617_do_not_edit_manually.json | 2 +- ...fbd-01e3fac01cd5_do_not_edit_manually.json | 2 +- ...c24-2d7129137688_do_not_edit_manually.json | 2 +- ...13a-f8dd48cddc8c_do_not_edit_manually.json | 2 +- ...46b-974354a107bb_do_not_edit_manually.json | 2 +- ...cfd-43f7d9595777_do_not_edit_manually.json | 2 +- ...d19-67edc91fb063_do_not_edit_manually.json | 2 +- ...e06-7b335e439c29_do_not_edit_manually.json | 2 +- ...916-636c27ba4931_do_not_edit_manually.json | 2 +- ...b02-e72f870fcbd1_do_not_edit_manually.json | 2 +- ...901-b7fadfb0ba48_do_not_edit_manually.json | 2 +- ...038-3f7d5a3b8b11_do_not_edit_manually.json | 2 +- ...00a-2b58303cac90_do_not_edit_manually.json | 2 +- ...e47-1574946412b6_do_not_edit_manually.json | 2 +- ...750-5db882ea1266_do_not_edit_manually.json | 2 +- ...033-6f1f887a70f2_do_not_edit_manually.json | 2 +- ...597-d2944a601930_do_not_edit_manually.json | 2 +- ...6bd-91a447bb26bd_do_not_edit_manually.json | 2 +- ...f3b-f73a622c9687_do_not_edit_manually.json | 2 +- ...c99-5c2de7e1d340_do_not_edit_manually.json | 2 +- ...4fa-28d6c1f2e2a8_do_not_edit_manually.json | 2 +- ...d69-684a0b3835fc_do_not_edit_manually.json | 2 +- ...d60-8fd5e39140b3_do_not_edit_manually.json | 2 +- ...109-c6d85b91bbcf_do_not_edit_manually.json | 2 +- ...703-7452882e70da_do_not_edit_manually.json | 2 +- ...2ff-0e1cde564161_do_not_edit_manually.json | 2 +- ...f81-30df7b1963a0_do_not_edit_manually.json | 2 +- ...e09-44d31626b694_do_not_edit_manually.json | 2 +- ...28f-3ee3cd5b9a8e_do_not_edit_manually.json | 2 +- ...47b-ef64dd87c981_do_not_edit_manually.json | 2 +- ...780-b225c59e9f99_do_not_edit_manually.json | 2 +- ...1f3-49e3993c16f5_do_not_edit_manually.json | 2 +- ...f2d-eed5013fe463_do_not_edit_manually.json | 2 +- ...60f-2d3fd0b46987_do_not_edit_manually.json | 2 +- ...c15-3828627ba899_do_not_edit_manually.json | 2 +- ...5de-5c2722fa020e_do_not_edit_manually.json | 2 +- ...70f-fd3b54ba1fe4_do_not_edit_manually.json | 2 +- ...b6d-3f79045f28fa_do_not_edit_manually.json | 2 +- ...a81-31090d723a60_do_not_edit_manually.json | 2 +- ...cbb-bc830118c1f9_do_not_edit_manually.json | 2 +- ...b3d-b7cb7b7db618_do_not_edit_manually.json | 2 +- ...079-3dd25d472e0a_do_not_edit_manually.json | 2 +- ...b6f-a8e4dcac3d1d_do_not_edit_manually.json | 2 +- ...f1d-772e9a30f0dd_do_not_edit_manually.json | 2 +- ...563-db21da09cafd_do_not_edit_manually.json | 2 +- ...bcc-45fd108ba1be_do_not_edit_manually.json | 2 +- ...90d-9af2f7be7019_do_not_edit_manually.json | 2 +- ...76c-408472fcfebb_do_not_edit_manually.json | 2 +- ...060-a9d9f2d270db_do_not_edit_manually.json | 2 +- ...afa-595bd430c0cb_do_not_edit_manually.json | 2 +- ...e37-842703494be0_do_not_edit_manually.json | 2 +- ...ae5-aa67d2f29fcb_do_not_edit_manually.json | 2 +- ...79a-f97be24cc02d_do_not_edit_manually.json | 2 +- ...e56-0242ac120002_do_not_edit_manually.json | 2 +- ...763-aad3451821e5_do_not_edit_manually.json | 2 +- ...0ce-dbcae04eaf26_do_not_edit_manually.json | 2 +- ...b7a-4f2d0a518b04_do_not_edit_manually.json | 2 +- ...5aa-2a6a900df99b_do_not_edit_manually.json | 2 +- ...43e-9848cadb1f99_do_not_edit_manually.json | 2 +- ...844-f7f4d7348199_do_not_edit_manually.json | 2 +- ...847-983f38efb8ff_do_not_edit_manually.json | 2 +- ...602-a5994544d9ed_do_not_edit_manually.json | 2 +- ...15f-1f83807ff3cc_do_not_edit_manually.json | 2 +- ...659-4cb814431e29_do_not_edit_manually.json | 2 +- ...fa0-c63661820941_do_not_edit_manually.json | 2 +- ...9c5-e075f3fb3216_do_not_edit_manually.json | 2 +- ...e89-f2b8be4baf4e_do_not_edit_manually.json | 2 +- ...8ed-b7fb3d7fa232_do_not_edit_manually.json | 2 +- ...785-c1276277b5d7_do_not_edit_manually.json | 2 +- ...e0e-ca4e6cecf7e6_do_not_edit_manually.json | 2 +- ...af5-b69c7b679887_do_not_edit_manually.json | 2 +- ...cb6-2f574bd4ce51_do_not_edit_manually.json | 2 +- ...399-ddd992d48472_do_not_edit_manually.json | 2 +- ...c2d-e2cfa46bf0e5_do_not_edit_manually.json | 2 +- ...098-fe4a9e0aeaa0_do_not_edit_manually.json | 2 +- ...in_rules_changelog_do_not_edit_manually.md | 5 +- .../built_in_rules_do_not_edit_manually.md | 20 +- ...-b70f-fd3b54ba1fe4_do_not_edit_manually.md | 906 ++++++++++++++++++ ...-943e-9848cadb1f99_do_not_edit_manually.md | 2 +- .../built_in_detection_rules_eventids.md | 2 +- 89 files changed, 1012 insertions(+), 91 deletions(-) diff --git a/_shared_content/operations_center/detection/generated/attack_00bbde4f-cb17-4c3f-9f5e-a585fc7c8fc0_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_00bbde4f-cb17-4c3f-9f5e-a585fc7c8fc0_do_not_edit_manually.json index b4d56b0225..ece7bcf6f9 100644 --- a/_shared_content/operations_center/detection/generated/attack_00bbde4f-cb17-4c3f-9f5e-a585fc7c8fc0_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_00bbde4f-cb17-4c3f-9f5e-a585fc7c8fc0_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Google Kubernetes Engine", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Raccine Uninstall, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disable Using Registry, Disabled IE Security Features, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Restoration Abuse, WMIC Uninstall Product, Netsh RDP Port Forwarding, Netsh Port Forwarding, MalwareBytes Uninstallation, Debugging Software Deactivation, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Raccine Uninstall, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disable Using Registry, WMIC Uninstall Product, NetSh Used To Disable Windows Firewall, Debugging Software Deactivation, Windows Firewall Changes, Clear EventLogs Through CommandLine, ETW Tampering, Disabled IE Security Features, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh RDP Port Forwarding, Netsh Port Forwarding, MalwareBytes Uninstallation, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Allowed Python Program"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Process Memory Dump Using Comsvcs, Process Memory Dump Using Rdrleakdiag, Rubeus Tool Command-line, Process Trace Alteration, HackTools Suspicious Process Names In Command Line"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, XCopy Suspicious Usage"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Suspicious Cmd File Copy Command To Network Share, Non-Legitimate Executable Using AcceptEula Parameter"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious PowerShell Invocations - Specific, Suspicious Taskkill Command, PowerShell EncodedCommand, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious PowerShell Invocations - Specific, Suspicious Taskkill Command, PowerShell EncodedCommand, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Phorpiex DriveMgr Command, WMIC Uninstall Product, Lazarus Loaders, MalwareBytes Uninstallation, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CertOC Loading Dll, Suspicious Taskkill Command, Suspicious Windows Installer Execution, Control Panel Items, MavInject Process Injection, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Phorpiex DriveMgr Command, WMIC Uninstall Product, Lazarus Loaders, MalwareBytes Uninstallation"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key, Control Panel Items, Change Default File Association, Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh RDP Port Forwarding, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Windows Firewall Changes, Netsh Allowed Python Program"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Wmic Service Call, Wmic Process Call Creation, WMIC Uninstall Product, Blue Mockingbird Malware"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Netsh Port Forwarding, SOCKS Tunneling Tool"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Google Kubernetes Engine", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Debugging Software Deactivation, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, WMIC Uninstall Product, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, MalwareBytes Uninstallation, Netsh RDP Port Forwarding, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Restoration Abuse, Disabled IE Security Features, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh Port Forwarding, Raccine Uninstall, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Disable Using Registry, WMIC Uninstall Product, Address Space Layout Randomization (ASLR) Alteration, Suspicious Microsoft Defender Antivirus Exclusion Command, Debugging Software Deactivation, Windows Firewall Changes, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh RDP Port Forwarding, ETW Tampering, Disabled IE Security Features, Netsh Port Forwarding, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, MalwareBytes Uninstallation, Microsoft Defender Antivirus Restoration Abuse, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Raccine Uninstall, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Comsvcs, NTDS.dit File Interaction Through Command Line, Rubeus Tool Command-line, Process Memory Dump Using Rdrleakdiag, HackTools Suspicious Process Names In Command Line, Process Trace Alteration"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Non-Legitimate Executable Using AcceptEula Parameter, Phorpiex Process Masquerading"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious PowerShell Invocations - Specific, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), Default Encoding To UTF-8 PowerShell, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Taskkill Command, PowerShell EncodedCommand, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious PowerShell Invocations - Specific, Phorpiex DriveMgr Command, DNS Exfiltration and Tunneling Tools Execution, WMIC Uninstall Product, MalwareBytes Uninstallation, Suspicious PrinterPorts Creation (CVE-2020-1048), Default Encoding To UTF-8 PowerShell, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Taskkill Command, Lazarus Loaders, PowerShell EncodedCommand, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution, Suspicious DLL Loading By Ordinal, MavInject Process Injection, Suspicious Taskkill Command, CertOC Loading Dll, Control Panel Items"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, WMIC Uninstall Product, MalwareBytes Uninstallation, Suspicious Taskkill Command, Lazarus Loaders"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key, Suspicious Netsh DLL Persistence, Control Panel Items, Change Default File Association"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Windows Firewall Changes, Netsh RDP Port Forwarding, NetSh Used To Disable Windows Firewall, Netsh Port Forwarding, Netsh Allowed Python Program"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Process Call Creation, WMIC Uninstall Product, Wmic Service Call, WMI Install Of Binary, Blue Mockingbird Malware"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Netsh Port Forwarding"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_021e9def-5a55-4369-941e-af269b45bef1_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_021e9def-5a55-4369-941e-af269b45bef1_do_not_edit_manually.json index a53dcbb1cb..5413175c5b 100644 --- a/_shared_content/operations_center/detection/generated/attack_021e9def-5a55-4369-941e-af269b45bef1_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_021e9def-5a55-4369-941e-af269b45bef1_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Elastic AuditBeat Linux", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1548.001", "score": 100, "comment": "Rules: Setuid Or Setgid Usage"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: Setuid Or Setgid Usage"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: File and Directory Permissions Modification"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File and Directory Permissions Modification, ICacls Granting Access To All"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies, System Info Discovery"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Linux Binary Masquerading"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Linux Binary Masquerading, Non-Legitimate Executable Using AcceptEula Parameter"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: High Privileges Network Share Removal, ETW Tampering, Erase Shell History, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows, Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious Taskkill Command, WMIC Uninstall Product, Bloodhound and Sharphound Tools Usage, PowerShell Download From URL, Suspicious VBS Execution Parameter, PowerShell EncodedCommand, Suspicious Microsoft Defender Antivirus Exclusion Command, Phorpiex DriveMgr Command, Powershell Web Request, Lazarus Loaders, MalwareBytes Uninstallation, Sysprep On AppData Folder, Elise Backdoor, Suspicious Windows Script Execution, Koadic Execution, XSL Script Processing And SquiblyTwo Attack, DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Invocations - Specific, PowerShell Downgrade Attack, Python Offensive Tools and Packages, Microsoft Defender Antivirus Disabled Base64 Encoded, Default Encoding To UTF-8 PowerShell, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious PrinterPorts Creation (CVE-2020-1048)"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Ngrok Process Execution, Exfiltration And Tunneling Tools Execution, SOCKS Tunneling Tool, SSH Tunnel Traffic, Netsh Port Forwarding, SSH X11 Forwarding"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, Outlook Registry Access, Container Credential Access, XCopy Suspicious Usage"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Raccine Uninstall, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disable Using Registry, WMIC Uninstall Product, Debugging Software Deactivation, Netsh RDP Port Opening, Disabled IE Security Features, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh RDP Port Forwarding, Netsh Port Forwarding, MalwareBytes Uninstallation, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Fail2ban Unban IP, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Port Opening, Microsoft Defender Antivirus Signatures Removed With MpCmdRun"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Raccine Uninstall, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disable Using Registry, WMIC Uninstall Product, NetSh Used To Disable Windows Firewall, Debugging Software Deactivation, Windows Firewall Changes, Clear EventLogs Through CommandLine, ETW Tampering, Netsh RDP Port Opening, Netsh Allow Command, Disabled IE Security Features, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh RDP Port Forwarding, Netsh Port Forwarding, MalwareBytes Uninstallation, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Fail2ban Unban IP, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Port Opening, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Allowed Python Program"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Cmdkey Cached Credentials Recon, Process Memory Dump Using Comsvcs, Process Memory Dump Using Rdrleakdiag, Rubeus Tool Command-line, Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials, Process Trace Alteration, Copying Sensitive Files With Credential Data, HackTools Suspicious Process Names In Command Line"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, XCopy Suspicious Usage, Adexplorer Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious PowerShell Invocations - Specific, PowerShell Downgrade Attack, Suspicious Taskkill Command, PowerShell EncodedCommand, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Powershell Web Request, Bloodhound and Sharphound Tools Usage, PowerShell Download From URL, Default Encoding To UTF-8 PowerShell, PowerShell Malicious Nishang PowerShell Commandlets, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Rclone Process, Suspicious Finger Usage, Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Phorpiex DriveMgr Command, Koadic Execution, WMIC Uninstall Product, Lazarus Loaders, MalwareBytes Uninstallation, Elise Backdoor"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh RDP Port Opening, Netsh Allow Command, Netsh Port Opening, Netsh RDP Port Forwarding, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Windows Firewall Changes, Netsh Allowed Python Program"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Wmic Service Call, Wmic Process Call Creation, WMIC Uninstall Product, XSL Script Processing And SquiblyTwo Attack, Blue Mockingbird Malware"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious VBS Execution Parameter, Koadic Execution, Suspicious Windows Script Execution"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Koadic Execution, Suspicious Windows Script Execution"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Blue Mockingbird Malware"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, PsExec Process"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious certutil command, Suspicious Mshta Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Inhibit System Recovery Deleting Backups, Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32, Equation Group DLL_U Load, Empire Monkey Activity, Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Control Process, CertOC Loading Dll, Suspicious Taskkill Command, Suspicious Windows Installer Execution, Mshta JavaScript Execution, PowerShell Execution Via Rundll32, Suspicious Rundll32.exe Execution, AccCheckConsole Executing Dll, Control Panel Items, Empire Monkey Activity, Suspicious Mshta Execution, Suspicious DLL Loading By Ordinal, MavInject Process Injection, xWizard Execution, CMSTP Execution, Equation Group DLL_U Load, Explorer Process Executing HTA File"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Suspicious Mshta Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage, NlTest Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Exfiltration And Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Explorer Process Executing HTA File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Explorer Process Executing HTA File"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key, Control Panel Items, Change Default File Association, Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: IIS Module Installation Using AppCmd, PowerCat Function Loading"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Elastic AuditBeat Linux", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1548.001", "score": 100, "comment": "Rules: Setuid Or Setgid Usage"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: Setuid Or Setgid Usage"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: File and Directory Permissions Modification"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, File and Directory Permissions Modification"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, System Info Discovery, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Linux Binary Masquerading, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Linux Binary Masquerading, Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, High Privileges Network Share Removal, Erase Shell History, ETW Tampering, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, WiFi Credentials Harvesting Using Netsh, Capture a network trace with netsh.exe, Network Sniffing Windows"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: WMIC Uninstall Product, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious VBS Execution Parameter, Suspicious Taskkill Command, Powershell Web Request, PowerShell Download From URL, PowerShell Malicious Nishang PowerShell Commandlets, Default Encoding To UTF-8 PowerShell, Lazarus Loaders, PowerShell EncodedCommand, Microsoft Defender Antivirus Disabled Base64 Encoded, XSL Script Processing And SquiblyTwo Attack, Sysprep On AppData Folder, Koadic Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), Elise Backdoor, Phorpiex DriveMgr Command, Suspicious PowerShell Invocations - Specific, Python Offensive Tools and Packages, DNS Exfiltration and Tunneling Tools Execution, Suspicious Windows Script Execution, PowerShell Downgrade Attack, MalwareBytes Uninstallation, Bloodhound and Sharphound Tools Usage, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SSH X11 Forwarding, SSH Tunnel Traffic, Ngrok Process Execution, SOCKS Tunneling Tool, Netsh Port Forwarding"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Adexplorer Usage, Container Credential Access, Outlook Registry Access, Opening Of a Password File"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Using Registry, WMIC Uninstall Product, Address Space Layout Randomization (ASLR) Alteration, Suspicious Microsoft Defender Antivirus Exclusion Command, Debugging Software Deactivation, Fail2ban Unban IP, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh RDP Port Forwarding, Disabled IE Security Features, Netsh Port Forwarding, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh Port Opening, Microsoft Defender Antivirus Disable Scheduled Tasks, MalwareBytes Uninstallation, Microsoft Defender Antivirus Restoration Abuse, Raccine Uninstall, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Disable Using Registry, WMIC Uninstall Product, Netsh Allow Command, Address Space Layout Randomization (ASLR) Alteration, Suspicious Microsoft Defender Antivirus Exclusion Command, Debugging Software Deactivation, Windows Firewall Changes, Fail2ban Unban IP, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh RDP Port Forwarding, ETW Tampering, Disabled IE Security Features, Netsh Port Forwarding, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh Port Opening, Microsoft Defender Antivirus Disable Scheduled Tasks, MalwareBytes Uninstallation, Microsoft Defender Antivirus Restoration Abuse, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Raccine Uninstall, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Comsvcs, NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data, Rubeus Tool Command-line, Process Memory Dump Using Rdrleakdiag, HackTools Suspicious Process Names In Command Line, Process Trace Alteration, Copying Browser Files With Credentials, Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, XCopy Suspicious Usage, Opening Of a Password File"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious PowerShell Invocations - Specific, DNS Exfiltration and Tunneling Tools Execution, PowerShell Downgrade Attack, PowerShell Download From URL, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious PrinterPorts Creation (CVE-2020-1048), Default Encoding To UTF-8 PowerShell, Suspicious Microsoft Defender Antivirus Exclusion Command, Bloodhound and Sharphound Tools Usage, Suspicious Taskkill Command, PowerShell EncodedCommand, Powershell Web Request, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Suspicious Finger Usage, Suspicious certutil command, Rclone Process"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, WMIC Uninstall Product, Koadic Execution, MalwareBytes Uninstallation, Elise Backdoor, Suspicious Taskkill Command, Lazarus Loaders"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Windows Firewall Changes, Netsh Port Opening, Netsh RDP Port Forwarding, Netsh Allow Command, NetSh Used To Disable Windows Firewall, Netsh Port Forwarding, Netsh Allowed Python Program, Netsh RDP Port Opening"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Wmic Process Call Creation, WMIC Uninstall Product, Wmic Service Call, WMI Install Of Binary, Blue Mockingbird Malware"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, Koadic Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Koadic Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious certutil command, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Mshta Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups, Suncrypt Parameters"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Empire Monkey Activity, PowerShell Execution Via Rundll32, Equation Group DLL_U Load, Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Control Process, Empire Monkey Activity, Explorer Process Executing HTA File, PowerShell Execution Via Rundll32, AccCheckConsole Executing Dll, Suspicious Windows Installer Execution, Mshta JavaScript Execution, Equation Group DLL_U Load, Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution, xWizard Execution, MavInject Process Injection, Suspicious Taskkill Command, CertOC Loading Dll, CMSTP Execution, Suspicious Mshta Execution, Control Panel Items"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Suspicious Taskkill Command, Explorer Process Executing HTA File, Suspicious Mshta Execution"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, NlTest Usage, AdFind Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Explorer Process Executing HTA File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Explorer Process Executing HTA File"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key, Suspicious Netsh DLL Persistence, Control Panel Items, Change Default File Association"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain In Command Line, Rclone Process"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: IIS Module Installation Using AppCmd, PowerCat Function Loading"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_02a74ceb-a9b0-467c-97d1-588319e39d71_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_02a74ceb-a9b0-467c-97d1-588319e39d71_do_not_edit_manually.json index a83495c088..ac193af931 100644 --- a/_shared_content/operations_center/detection/generated/attack_02a74ceb-a9b0-467c-97d1-588319e39d71_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_02a74ceb-a9b0-467c-97d1-588319e39d71_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Citrix NetScaler / ADC", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command, SEKOIA.IO Intelligence Feed, Detect requests to Konni C2 servers"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-21985 VMware vCenter, CVE-2018-11776 Apache Struts2, CVE-2019-0604 SharePoint, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-26855 Exchange SSRF, CVE-2020-1147 SharePoint, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-21972 VMware vCenter, CVE-2020-17530 Apache Struts RCE"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command, Detect requests to Konni C2 servers"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Citrix NetScaler / ADC", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, SEKOIA.IO Intelligence Feed, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-26855 Exchange SSRF, CVE-2019-0604 SharePoint, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-17530 Apache Struts RCE, CVE-2021-21972 VMware vCenter, CVE-2020-1147 SharePoint, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2018-11776 Apache Struts2, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-21985 VMware vCenter"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_033cd098-b21b-4c9b-85c4-c8174c307e48_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_033cd098-b21b-4c9b-85c4-c8174c307e48_do_not_edit_manually.json index 12ea5e40c0..7c3c43b1e0 100644 --- a/_shared_content/operations_center/detection/generated/attack_033cd098-b21b-4c9b-85c4-c8174c307e48_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_033cd098-b21b-4c9b-85c4-c8174c307e48_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x WithSecure Elements", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Suspicious desktop.ini Action, Kernel Module Alteration"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies, System Info Discovery"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration, Add User to Privileged Group"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: High Privileges Network Share Removal, ETW Tampering, Erase Shell History, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows, Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious Taskkill Command, WMIC Uninstall Product, Bloodhound and Sharphound Tools Usage, PowerShell Download From URL, Suspicious VBS Execution Parameter, PowerShell EncodedCommand, Suspicious Microsoft Defender Antivirus Exclusion Command, Phorpiex DriveMgr Command, Powershell Web Request, Lazarus Loaders, MalwareBytes Uninstallation, Sysprep On AppData Folder, Elise Backdoor, Suspicious Windows Script Execution, Koadic Execution, AutoIt3 Execution From Suspicious Folder, XSL Script Processing And SquiblyTwo Attack, DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Invocations - Specific, PowerShell Downgrade Attack, Python Offensive Tools and Packages, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Office Creating Suspicious File, WithSecure Elements Critical Severity, Default Encoding To UTF-8 PowerShell, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious PrinterPorts Creation (CVE-2020-1048)"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, Outlook Registry Access, Container Credential Access, XCopy Suspicious Usage"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration, Raccine Uninstall, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disable Using Registry, WMIC Uninstall Product, Debugging Software Deactivation, Netsh RDP Port Opening, Disabled IE Security Features, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh RDP Port Forwarding, Netsh Port Forwarding, MalwareBytes Uninstallation, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Fail2ban Unban IP, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Port Opening, Microsoft Defender Antivirus Signatures Removed With MpCmdRun"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration, Raccine Uninstall, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disable Using Registry, WMIC Uninstall Product, NetSh Used To Disable Windows Firewall, Debugging Software Deactivation, Windows Firewall Changes, Clear EventLogs Through CommandLine, ETW Tampering, Netsh RDP Port Opening, Netsh Allow Command, Disabled IE Security Features, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh RDP Port Forwarding, Netsh Port Forwarding, MalwareBytes Uninstallation, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Fail2ban Unban IP, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Port Opening, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Allowed Python Program"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Cron Files Alteration, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line, Cmdkey Cached Credentials Recon, Process Memory Dump Using Comsvcs, Process Memory Dump Using Rdrleakdiag, Rubeus Tool Command-line, Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials, Process Trace Alteration, Copying Sensitive Files With Credential Data, HackTools Suspicious Process Names In Command Line"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution, DNS Exfiltration and Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Double Extension, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Microsoft Office Creating Suspicious File, WithSecure Elements Critical Severity, Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, WithSecure Elements Critical Severity, SolarWinds Suspicious File Creation, PsExec Process"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, XCopy Suspicious Usage, Adexplorer Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious PowerShell Invocations - Specific, PowerShell Downgrade Attack, Suspicious Taskkill Command, PowerShell EncodedCommand, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Powershell Web Request, Bloodhound and Sharphound Tools Usage, PowerShell Download From URL, Default Encoding To UTF-8 PowerShell, PowerShell Malicious Nishang PowerShell Commandlets, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Rclone Process, Suspicious Finger Usage, Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Phorpiex DriveMgr Command, Koadic Execution, WMIC Uninstall Product, Lazarus Loaders, MalwareBytes Uninstallation, Elise Backdoor"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh RDP Port Opening, Netsh Allow Command, Netsh Port Opening, Netsh RDP Port Forwarding, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Windows Firewall Changes, Netsh Allowed Python Program"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Phorpiex Process Masquerading, AutoIt3 Execution From Suspicious Folder, Suspicious Cmd File Copy Command To Network Share, Non-Legitimate Executable Using AcceptEula Parameter"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Wmic Service Call, Wmic Process Call Creation, WMIC Uninstall Product, XSL Script Processing And SquiblyTwo Attack, Blue Mockingbird Malware"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, Microsoft Office Creating Suspicious File, Koadic Execution, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Koadic Execution, Suspicious Windows Script Execution"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Blue Mockingbird Malware"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, PsExec Process"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious certutil command, Suspicious Mshta Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Inhibit System Recovery Deleting Backups, Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username, Suncrypt Parameters"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32, Equation Group DLL_U Load, Empire Monkey Activity, Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Control Process, CertOC Loading Dll, Suspicious Taskkill Command, Suspicious Windows Installer Execution, Mshta JavaScript Execution, PowerShell Execution Via Rundll32, Suspicious Rundll32.exe Execution, AccCheckConsole Executing Dll, Control Panel Items, Empire Monkey Activity, Suspicious Mshta Execution, Suspicious DLL Loading By Ordinal, MavInject Process Injection, xWizard Execution, CMSTP Execution, Equation Group DLL_U Load, Explorer Process Executing HTA File"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Creating Unusual Files, PowerCat Function Loading, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: IIS Module Installation Using AppCmd, Exchange Server Creating Unusual Files, PowerCat Function Loading, Webshell Creation"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Suspicious Mshta Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage, NlTest Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Ngrok Process Execution, Exfiltration And Tunneling Tools Execution, SOCKS Tunneling Tool, Netsh Port Forwarding"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write, New DLL Added To AppCertDlls Registry Key, Control Panel Items, Suspicious Netsh DLL Persistence, Change Default File Association"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, OneNote Embedded File"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1, Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}]} \ No newline at end of file +{"name": "SEKOIA.IO x WithSecure Elements", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Suspicious desktop.ini Action, Kernel Module Alteration"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, System Info Discovery, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration, Add User to Privileged Group"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, High Privileges Network Share Removal, Erase Shell History, ETW Tampering, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, WiFi Credentials Harvesting Using Netsh, Capture a network trace with netsh.exe, Network Sniffing Windows"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: WMIC Uninstall Product, WithSecure Elements Critical Severity, Microsoft Office Creating Suspicious File, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious VBS Execution Parameter, Suspicious Taskkill Command, Powershell Web Request, AutoIt3 Execution From Suspicious Folder, PowerShell Download From URL, PowerShell Malicious Nishang PowerShell Commandlets, Default Encoding To UTF-8 PowerShell, Lazarus Loaders, PowerShell EncodedCommand, Microsoft Defender Antivirus Disabled Base64 Encoded, XSL Script Processing And SquiblyTwo Attack, Sysprep On AppData Folder, Koadic Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), Elise Backdoor, Phorpiex DriveMgr Command, Suspicious PowerShell Invocations - Specific, Python Offensive Tools and Packages, DNS Exfiltration and Tunneling Tools Execution, Suspicious Windows Script Execution, PowerShell Downgrade Attack, MalwareBytes Uninstallation, Bloodhound and Sharphound Tools Usage, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Adexplorer Usage, Container Credential Access, Outlook Registry Access, Opening Of a Password File"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Using Registry, WMIC Uninstall Product, Address Space Layout Randomization (ASLR) Alteration, Suspicious Microsoft Defender Antivirus Exclusion Command, Debugging Software Deactivation, Fail2ban Unban IP, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh RDP Port Forwarding, Disabled IE Security Features, Netsh Port Forwarding, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh Port Opening, Microsoft Defender Antivirus Disable Scheduled Tasks, MalwareBytes Uninstallation, Microsoft Defender Antivirus Restoration Abuse, Package Manager Alteration, Raccine Uninstall, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Disable Using Registry, WMIC Uninstall Product, Netsh Allow Command, Address Space Layout Randomization (ASLR) Alteration, Suspicious Microsoft Defender Antivirus Exclusion Command, Debugging Software Deactivation, Windows Firewall Changes, Fail2ban Unban IP, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh RDP Port Forwarding, ETW Tampering, Disabled IE Security Features, Netsh Port Forwarding, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh Port Opening, Microsoft Defender Antivirus Disable Scheduled Tasks, MalwareBytes Uninstallation, Microsoft Defender Antivirus Restoration Abuse, NetSh Used To Disable Windows Firewall, Package Manager Alteration, Netsh Allowed Python Program, Raccine Uninstall, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Comsvcs, WCE wceaux.dll Creation, NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data, Rubeus Tool Command-line, Process Memory Dump Using Rdrleakdiag, HackTools Suspicious Process Names In Command Line, Process Trace Alteration, Cmdkey Cached Credentials Recon, Copying Browser Files With Credentials, NTDS.dit File In Suspicious Directory, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Exfiltration And Tunneling Tools Execution, Python HTTP Server, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Download Files From Non-Legitimate TLDs, Suspicious Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, WithSecure Elements Critical Severity, Microsoft Office Creating Suspicious File, Download Files From Non-Legitimate TLDs, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File, Microsoft Office Creating Suspicious File, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, WithSecure Elements Critical Severity, SolarWinds Suspicious File Creation, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, XCopy Suspicious Usage, Opening Of a Password File"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious PowerShell Invocations - Specific, DNS Exfiltration and Tunneling Tools Execution, PowerShell Downgrade Attack, PowerShell Download From URL, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious PrinterPorts Creation (CVE-2020-1048), Default Encoding To UTF-8 PowerShell, Suspicious Microsoft Defender Antivirus Exclusion Command, Bloodhound and Sharphound Tools Usage, Suspicious Taskkill Command, PowerShell EncodedCommand, Powershell Web Request, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Suspicious Finger Usage, Suspicious certutil command, Rclone Process"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, WMIC Uninstall Product, Koadic Execution, MalwareBytes Uninstallation, Elise Backdoor, Suspicious Taskkill Command, Lazarus Loaders"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Windows Firewall Changes, Netsh Port Opening, Netsh RDP Port Forwarding, Netsh Allow Command, NetSh Used To Disable Windows Firewall, Netsh Port Forwarding, Netsh Allowed Python Program, Netsh RDP Port Opening"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, AutoIt3 Execution From Suspicious Folder, RTLO Character, Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Wmic Process Call Creation, WMIC Uninstall Product, Wmic Service Call, WMI Install Of Binary, Blue Mockingbird Malware"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Koadic Execution, Microsoft Office Creating Suspicious File, Suspicious VBS Execution Parameter"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Koadic Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious certutil command, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Mshta Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups, Suncrypt Parameters"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username, Suncrypt Parameters"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Empire Monkey Activity, PowerShell Execution Via Rundll32, Equation Group DLL_U Load, Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Control Process, Empire Monkey Activity, Explorer Process Executing HTA File, PowerShell Execution Via Rundll32, AccCheckConsole Executing Dll, Suspicious Windows Installer Execution, Mshta JavaScript Execution, Equation Group DLL_U Load, Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution, xWizard Execution, MavInject Process Injection, Suspicious Taskkill Command, CertOC Loading Dll, CMSTP Execution, Suspicious Mshta Execution, Control Panel Items"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, Exchange Server Creating Unusual Files, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, IIS Module Installation Using AppCmd, Exchange Server Creating Unusual Files, Webshell Creation"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Suspicious Taskkill Command, Explorer Process Executing HTA File, Suspicious Mshta Execution"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, NlTest Usage, AdFind Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution, Ngrok Process Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write, Change Default File Association, Suspicious Netsh DLL Persistence, New DLL Added To AppCertDlls Registry Key, Control Panel Items"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain In Command Line, Rclone Process"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, PowerShell EncodedCommand"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Formbook File Creation DB1"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_05e6f36d-cee0-4f06-b575-9e43af779f9f_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_05e6f36d-cee0-4f06-b575-9e43af779f9f_do_not_edit_manually.json index 7fc6d15359..d1cb79b37e 100644 --- a/_shared_content/operations_center/detection/generated/attack_05e6f36d-cee0-4f06-b575-9e43af779f9f_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_05e6f36d-cee0-4f06-b575-9e43af779f9f_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Microsoft 365 Defender", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Defender for Office 365 Alert, Suspicious Taskkill Command, WMIC Uninstall Product, Bloodhound and Sharphound Tools Usage, PowerShell Download From URL, Socat Reverse Shell Detection, QakBot Process Creation, Suspicious Outlook Child Process, SquirrelWaffle Malspam Execution Loading DLL, Suspicious VBS Execution Parameter, PowerShell EncodedCommand, Suspicious Microsoft Defender Antivirus Exclusion Command, Phorpiex DriveMgr Command, Powershell Web Request, Interactive Terminal Spawned via Python, Lazarus Loaders, MalwareBytes Uninstallation, Mshta Suspicious Child Process, Sysprep On AppData Folder, Elise Backdoor, Venom Multi-hop Proxy agent detection, Suspicious Windows Script Execution, Koadic Execution, Suspicious Cmd.exe Command Line, XSL Script Processing And SquiblyTwo Attack, Microsoft 365 Defender For Endpoint Alert, DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Invocations - Specific, PowerShell Downgrade Attack, Python Offensive Tools and Packages, Microsoft 365 Defender Alert, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Office Spawning Script, Default Encoding To UTF-8 PowerShell, PowerShell Malicious Nishang PowerShell Commandlets, Microsoft 365 Defender Cloud App Security Alert, Suspicious PrinterPorts Creation (CVE-2020-1048), Socat Relaying Socket"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Leviathan Registry Key Activity, Autorun Keys Modification, NjRat Registry Changes, Kernel Module Alteration"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies, System Info Discovery"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Raccine Uninstall, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disable Using Registry, WMIC Uninstall Product, Debugging Software Deactivation, Netsh RDP Port Opening, Disabled IE Security Features, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh RDP Port Forwarding, Netsh Port Forwarding, MalwareBytes Uninstallation, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disable Scheduled Tasks, Suspicious Driver Loaded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Fail2ban Unban IP, Disabled Service, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, PowerShell AMSI Deactivation Bypass Using .NET Reflection, SELinux Disabling, Netsh Port Opening, Microsoft Defender Antivirus Signatures Removed With MpCmdRun"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Raccine Uninstall, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disable Using Registry, Disable .NET ETW Through COMPlus_ETWEnabled, WMIC Uninstall Product, NetSh Used To Disable Windows Firewall, Debugging Software Deactivation, Windows Firewall Changes, Clear EventLogs Through CommandLine, ETW Tampering, Netsh RDP Port Opening, Netsh Allow Command, Disabled IE Security Features, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh RDP Port Forwarding, Netsh Port Forwarding, MalwareBytes Uninstallation, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disable Scheduled Tasks, Suspicious Driver Loaded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Fail2ban Unban IP, Disabled Service, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, PowerShell AMSI Deactivation Bypass Using .NET Reflection, SELinux Disabling, Netsh Port Opening, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Allowed Python Program"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: High Privileges Network Share Removal, ETW Tampering, Erase Shell History, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows, Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection, Socat Reverse Shell Detection, Socat Relaying Socket"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Ngrok Process Execution, Venom Multi-hop Proxy agent detection, SOCKS Tunneling Tool, Netsh Port Forwarding, Socat Reverse Shell Detection, Socat Relaying Socket"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, Outlook Registry Access, Container Credential Access, XCopy Suspicious Usage"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Explorer Wrong Parent, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, NTDS.dit File Interaction Through Command Line, Cmdkey Cached Credentials Recon, Process Memory Dump Using Comsvcs, Process Memory Dump Using Rdrleakdiag, Rubeus Tool Command-line, Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials, Windows Credential Editor Registry Key, Process Trace Alteration, Copying Sensitive Files With Credential Data, HackTools Suspicious Process Names In Command Line"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Disabled Service, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, DNS Tunnel Technique From MuddyWater, Exfiltration And Tunneling Tools Execution, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Koadic MSHTML Command, Nimbo-C2 User Agent, Bazar Loader DGA (Domain Generation Algorithm), Detect requests to Konni C2 servers, Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious HWP Child Process, Possible Malicious File Double Extension, Suspicious Outlook Child Process, Suspicious Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Exploit For CVE-2015-1641, Microsoft Defender for Office 365 Alert, Winword Document Droppers, Microsoft Office Product Spawning Windows Shell, Microsoft 365 Defender Alert, Microsoft Office Spawning Script, Cobalt Strike Default Beacons Names, Microsoft 365 Defender For Endpoint Alert, Microsoft 365 Defender Cloud App Security Alert, Suspicious Outlook Child Process, SquirrelWaffle Malspam Execution Loading DLL, Download Files From Suspicious TLDs, Explorer Process Executing HTA File"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, Microsoft Defender for Office 365 Alert, Winrshost Wrong Parent, Microsoft 365 Defender Alert, Usage Of Sysinternals Tools, SolarWinds Wrong Child Process, Suspicious DNS Child Process, Winword wrong parent, Wininit Wrong Parent, SolarWinds Suspicious File Creation, Microsoft 365 Defender For Endpoint Alert, Suspicious Commands From MS SQL Server Shell, Microsoft 365 Defender Cloud App Security Alert, Windows Update LolBins, PsExec Process"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, Suspicious DNS Child Process, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-17530 Apache Struts RCE"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Koadic MSHTML Command, Nimbo-C2 User Agent, Detect requests to Konni C2 servers, Python HTTP Server"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), DNS Tunnel Technique From MuddyWater, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Exploit For CVE-2015-1641, Suspicious HWP Child Process, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Exploit For CVE-2015-1641, Winword Document Droppers, Microsoft Office Product Spawning Windows Shell, Microsoft Office Spawning Script, Cobalt Strike Default Beacons Names, SquirrelWaffle Malspam Execution Loading DLL, Download Files From Suspicious TLDs, Explorer Process Executing HTA File"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Exploit For CVE-2017-0261 Or CVE-2017-0262, Explorer Wrong Parent, RTLO Character, Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share, Possible Malicious File Double Extension, Non-Legitimate Executable Using AcceptEula Parameter"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command, Rclone Process, Suspicious Finger Usage, Suspicious URI Used In A Lazarus Campaign, Pandemic Windows Implant"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, ProxyShell Exchange Suspicious Paths, Webshell Execution W3WP Process, Exchange Server Creating Unusual Files, PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, ProxyShell Exchange Suspicious Paths, Webshell Execution W3WP Process, IIS Module Installation Using AppCmd, Exchange Server Creating Unusual Files, PowerCat Function Loading"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Phorpiex DriveMgr Command, Koadic Execution, Suspicious Cmd.exe Command Line, WMIC Uninstall Product, Lazarus Loaders, MalwareBytes Uninstallation, SquirrelWaffle Malspam Execution Loading DLL, Elise Backdoor"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, Microsoft Office Spawning Script, Suspicious Windows Script Execution, Koadic Execution, XSL Script Processing And SquiblyTwo Attack, QakBot Process Creation, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: IcedID Execution Using Excel, PowerShell Execution Via Rundll32, Equation Group DLL_U Load, Empire Monkey Activity, Suspicious DLL Loading By Ordinal, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Suspicious Windows Installer Execution, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Regsvr32 Execution, PowerShell Execution Via Rundll32, Control Panel Items, MavInject Process Injection, Mshta JavaScript Execution, MOFComp Execution, AccCheckConsole Executing Dll, xWizard Execution, Empire Monkey Activity, Suspicious DLL Loading By Ordinal, CMSTP Execution, Suspicious Rundll32.exe Execution, Explorer Process Executing HTA File, IcedID Execution Using Excel, Suspicious Control Process, CertOC Loading Dll, Suspicious Mshta Execution, Equation Group DLL_U Load"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, XCopy Suspicious Usage, Adexplorer Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious PowerShell Invocations - Specific, PowerShell Downgrade Attack, Suspicious Taskkill Command, PowerShell EncodedCommand, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Powershell Web Request, Bloodhound and Sharphound Tools Usage, PowerShell Download From URL, Default Encoding To UTF-8 PowerShell, PowerShell Malicious Nishang PowerShell Commandlets, Mshta Suspicious Child Process, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh RDP Port Opening, Netsh Allow Command, Netsh Port Opening, Netsh RDP Port Forwarding, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Windows Firewall Changes, Netsh Allowed Python Program"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Wmic Service Call, Wmic Process Call Creation, Impacket Wmiexec Module, WMIC Uninstall Product, XSL Script Processing And SquiblyTwo Attack, Suspicious Mshta Execution From Wmi, Blue Mockingbird Malware"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Koadic Execution, Suspicious Windows Script Execution"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Exploit For CVE-2017-0261 Or CVE-2017-0262, Explorer Wrong Parent"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Explorer Wrong Parent, Winrshost Wrong Parent, SolarWinds Wrong Child Process, Winword wrong parent, New Service Creation, Wininit Wrong Parent, Suspicious Commands From MS SQL Server Shell"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Explorer Wrong Parent, Winrshost Wrong Parent, SolarWinds Wrong Child Process, Winword wrong parent, New Service Creation, Wininit Wrong Parent, Suspicious Commands From MS SQL Server Shell"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: STRRAT Scheduled Task, Schtasks Suspicious Parent, Schtasks Persistence With High Privileges, Suspicious Scheduled Task Creation, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: STRRAT Scheduled Task, Schtasks Suspicious Parent, Schtasks Persistence With High Privileges, Suspicious Scheduled Task Creation, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Leviathan Registry Key Activity, Autorun Keys Modification"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Blue Mockingbird Malware"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, Winrshost Wrong Parent, Usage Of Sysinternals Tools, SolarWinds Wrong Child Process, Suspicious DNS Child Process, Winword wrong parent, Wininit Wrong Parent, Suspicious Commands From MS SQL Server Shell, PsExec Process"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious certutil command, Suspicious Mshta Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Ursnif Registry Key, RedMimicry Winnti Playbook Registry Manipulation, FlowCloud Malware, Disable Workstation Lock, Disable .NET ETW Through COMPlus_ETWEnabled, OceanLotus Registry Activity, Blue Mockingbird Malware, RDP Sensitive Settings Changed"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Inhibit System Recovery Deleting Backups, Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username, Suncrypt Parameters"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Suspicious Mshta Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage, NlTest Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key, Control Panel Items, Suspicious Netsh DLL Persistence, Sticky Key Like Backdoor Usage, Change Default File Association"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Windows Credential Editor Registry Key"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious HWP Child Process"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1210", "score": 100, "comment": "Rules: Registry Checked For Lanmanserver DisableCompression Parameter"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Microsoft 365 Defender", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft 365 Defender For Endpoint Alert, WMIC Uninstall Product, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious VBS Execution Parameter, Suspicious Taskkill Command, Powershell Web Request, QakBot Process Creation, PowerShell Download From URL, PowerShell Malicious Nishang PowerShell Commandlets, Default Encoding To UTF-8 PowerShell, Socat Relaying Socket, Mshta Suspicious Child Process, Lazarus Loaders, Interactive Terminal Spawned via Python, PowerShell EncodedCommand, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft 365 Defender Alert, XSL Script Processing And SquiblyTwo Attack, Sysprep On AppData Folder, Koadic Execution, Microsoft Office Spawning Script, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender for Office 365 Alert, Socat Reverse Shell Detection, Suspicious Outlook Child Process, Elise Backdoor, Phorpiex DriveMgr Command, Suspicious PowerShell Invocations - Specific, Python Offensive Tools and Packages, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, DNS Exfiltration and Tunneling Tools Execution, Suspicious Windows Script Execution, PowerShell Downgrade Attack, MalwareBytes Uninstallation, Bloodhound and Sharphound Tools Usage, Suspicious Cmd.exe Command Line, Venom Multi-hop Proxy agent detection, Microsoft 365 Defender Cloud App Security Alert"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: NjRat Registry Changes, Kernel Module Alteration, Leviathan Registry Key Activity, Autorun Keys Modification"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, System Info Discovery, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Using Registry, SELinux Disabling, WMIC Uninstall Product, Address Space Layout Randomization (ASLR) Alteration, Suspicious Driver Loaded, Suspicious Microsoft Defender Antivirus Exclusion Command, Debugging Software Deactivation, Fail2ban Unban IP, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh RDP Port Forwarding, Disabled IE Security Features, Netsh Port Forwarding, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh Port Opening, Microsoft Defender Antivirus Disable Scheduled Tasks, MalwareBytes Uninstallation, Microsoft Defender Antivirus Restoration Abuse, Raccine Uninstall, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Opening, Disabled Service, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Disable Using Registry, SELinux Disabling, WMIC Uninstall Product, Netsh Allow Command, Address Space Layout Randomization (ASLR) Alteration, Suspicious Driver Loaded, Suspicious Microsoft Defender Antivirus Exclusion Command, Debugging Software Deactivation, Windows Firewall Changes, Fail2ban Unban IP, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Disable .NET ETW Through COMPlus_ETWEnabled, Netsh RDP Port Forwarding, ETW Tampering, Disabled IE Security Features, Netsh Port Forwarding, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh Port Opening, Microsoft Defender Antivirus Disable Scheduled Tasks, MalwareBytes Uninstallation, Microsoft Defender Antivirus Restoration Abuse, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Raccine Uninstall, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Opening, Disabled Service, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, High Privileges Network Share Removal, Erase Shell History, ETW Tampering, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, WiFi Credentials Harvesting Using Netsh, Capture a network trace with netsh.exe, Network Sniffing Windows"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection, Socat Reverse Shell Detection, Socat Relaying Socket"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Ngrok Process Execution, Socat Reverse Shell Detection, SOCKS Tunneling Tool, Socat Relaying Socket, Netsh Port Forwarding, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Adexplorer Usage, Container Credential Access, Outlook Registry Access, Opening Of a Password File"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Explorer Wrong Parent, MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Comsvcs, WCE wceaux.dll Creation, NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data, Rubeus Tool Command-line, Process Memory Dump Using Rdrleakdiag, HackTools Suspicious Process Names In Command Line, Process Trace Alteration, Windows Credential Editor Registry Key, Copying Browser Files With Credentials, Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Disabled Service"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Exfiltration And Tunneling Tools Execution, Python HTTP Server, Koadic MSHTML Command, DNS Exfiltration and Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater, Nimbo-C2 User Agent, Bazar Loader DGA (Domain Generation Algorithm), SEKOIA.IO Intelligence Feed, Detect requests to Konni C2 servers"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Suspicious Double Extension, Suspicious HWP Child Process, Download Files From Suspicious TLDs, Suspicious Outlook Child Process, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft 365 Defender Alert, Microsoft 365 Defender For Endpoint Alert, Explorer Process Executing HTA File, IcedID Execution Using Excel, Microsoft Office Product Spawning Windows Shell, Microsoft Office Spawning Script, Exploit For CVE-2015-1641, Winword Document Droppers, Microsoft Defender for Office 365 Alert, SquirrelWaffle Malspam Execution Loading DLL, Download Files From Suspicious TLDs, Suspicious Outlook Child Process, Cobalt Strike Default Beacons Names, Microsoft 365 Defender Cloud App Security Alert"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools, Microsoft 365 Defender Alert, Microsoft 365 Defender For Endpoint Alert, SolarWinds Suspicious File Creation, Wininit Wrong Parent, PsExec Process, Winrshost Wrong Parent, SolarWinds Wrong Child Process, Windows Update LolBins, Microsoft Defender for Office 365 Alert, Suspicious DNS Child Process, Suspicious Commands From MS SQL Server Shell, Winword wrong parent, Usage Of Procdump With Common Arguments, Microsoft 365 Defender Cloud App Security Alert"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE, Suspicious DNS Child Process"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, Net.exe User Account Creation"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Exfiltration And Tunneling Tools Execution, Python HTTP Server, Koadic MSHTML Command, Nimbo-C2 User Agent, Detect requests to Konni C2 servers"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), DNS Tunnel Technique From MuddyWater, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Suspicious HWP Child Process, Download Files From Suspicious TLDs, Exploit For CVE-2015-1641"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Explorer Process Executing HTA File, Microsoft Office Product Spawning Windows Shell, Microsoft Office Spawning Script, Exploit For CVE-2015-1641, Winword Document Droppers, SquirrelWaffle Malspam Execution Loading DLL, Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Exploit For CVE-2017-0261 Or CVE-2017-0262, RTLO Character, Explorer Wrong Parent, Suspicious Cmd.exe Command Line, Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Rclone Process, Suspicious certutil command, Suspicious URI Used In A Lazarus Campaign, Suspicious Finger Usage, Suspicious Headless Web Browser Execution To Download File, Pandemic Windows Implant"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, ProxyShell Exchange Suspicious Paths, Webshell Execution W3WP Process, Exchange Server Spawning Suspicious Processes, Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: IIS Module Installation Using AppCmd, PowerCat Function Loading, ProxyShell Exchange Suspicious Paths, Webshell Execution W3WP Process, Exchange Server Spawning Suspicious Processes, Exchange Server Creating Unusual Files"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, WMIC Uninstall Product, Koadic Execution, MalwareBytes Uninstallation, SquirrelWaffle Malspam Execution Loading DLL, Lazarus Loaders, Elise Backdoor, Suspicious Taskkill Command, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, QakBot Process Creation, Suspicious Windows Script Execution, Koadic Execution, Microsoft Office Spawning Script, SquirrelWaffle Malspam Execution Loading DLL, Suspicious VBS Execution Parameter"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Empire Monkey Activity, PowerShell Execution Via Rundll32, Equation Group DLL_U Load, SquirrelWaffle Malspam Execution Loading DLL, Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Control Process, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Taskkill Command, CertOC Loading Dll, Empire Monkey Activity, Suspicious Windows Installer Execution, xWizard Execution, MavInject Process Injection, MOFComp Execution, Suspicious Mshta Execution, IcedID Execution Using Excel, AccCheckConsole Executing Dll, Equation Group DLL_U Load, Suspicious Rundll32.exe Execution, Suspicious Regsvr32 Execution, Explorer Process Executing HTA File, PowerShell Execution Via Rundll32, Suspicious DLL Loading By Ordinal, Mshta JavaScript Execution, CMSTP Execution, Control Panel Items"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, XCopy Suspicious Usage, Opening Of a Password File"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious PowerShell Invocations - Specific, DNS Exfiltration and Tunneling Tools Execution, PowerShell Downgrade Attack, PowerShell Download From URL, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious PrinterPorts Creation (CVE-2020-1048), Default Encoding To UTF-8 PowerShell, Suspicious Microsoft Defender Antivirus Exclusion Command, Bloodhound and Sharphound Tools Usage, Mshta Suspicious Child Process, Suspicious Taskkill Command, PowerShell EncodedCommand, Powershell Web Request, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Windows Firewall Changes, Netsh Port Opening, Netsh RDP Port Forwarding, Netsh Allow Command, NetSh Used To Disable Windows Firewall, Netsh Port Forwarding, Netsh Allowed Python Program, Netsh RDP Port Opening"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Wmic Process Call Creation, WMIC Uninstall Product, Wmic Service Call, WMI Install Of Binary, Impacket Wmiexec Module, Blue Mockingbird Malware, Suspicious Mshta Execution From Wmi"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Koadic Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Explorer Wrong Parent, Exploit For CVE-2017-0261 Or CVE-2017-0262"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Wininit Wrong Parent, New Service Creation, Winrshost Wrong Parent, SolarWinds Wrong Child Process, Explorer Wrong Parent, Winword wrong parent, Suspicious Commands From MS SQL Server Shell"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Wininit Wrong Parent, New Service Creation, Winrshost Wrong Parent, SolarWinds Wrong Child Process, Explorer Wrong Parent, Winword wrong parent, Suspicious Commands From MS SQL Server Shell"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Suspicious Scheduled Task Creation, Schtasks Suspicious Parent, Qakbot Persistence Using Schtasks, STRRAT Scheduled Task, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Suspicious Scheduled Task Creation, Schtasks Suspicious Parent, Qakbot Persistence Using Schtasks, STRRAT Scheduled Task, BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Leviathan Registry Key Activity, Autorun Keys Modification"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools, Wininit Wrong Parent, PsExec Process, Winrshost Wrong Parent, SolarWinds Wrong Child Process, Suspicious Commands From MS SQL Server Shell, Winword wrong parent, Usage Of Procdump With Common Arguments, Suspicious DNS Child Process"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious certutil command, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Mshta Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Disable Workstation Lock, Ursnif Registry Key, FlowCloud Malware, Disable .NET ETW Through COMPlus_ETWEnabled, RedMimicry Winnti Playbook Registry Manipulation, RDP Sensitive Settings Changed, OceanLotus Registry Activity, Blue Mockingbird Malware"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups, Suncrypt Parameters"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username, Suncrypt Parameters"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Suspicious Taskkill Command, Explorer Process Executing HTA File, Suspicious Mshta Execution"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, NlTest Usage, AdFind Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Change Default File Association, Sticky Key Like Backdoor Usage, Suspicious Netsh DLL Persistence, New DLL Added To AppCertDlls Registry Key, Control Panel Items"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain In Command Line, Rclone Process"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Windows Credential Editor Registry Key"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious HWP Child Process, Suspicious Double Extension"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1210", "score": 100, "comment": "Rules: Registry Checked For Lanmanserver DisableCompression Parameter"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_0642b03a-9d4a-4c88-a5e2-4597e366b8c4_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_0642b03a-9d4a-4c88-a5e2-4597e366b8c4_do_not_edit_manually.json index 4deae73e42..30e69cd90e 100644 --- a/_shared_content/operations_center/detection/generated/attack_0642b03a-9d4a-4c88-a5e2-4597e366b8c4_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_0642b03a-9d4a-4c88-a5e2-4597e366b8c4_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x VMware vCenter", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Double Extension"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Exfiltration And Tunneling Tools Execution, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}]} \ No newline at end of file +{"name": "SEKOIA.IO x VMware vCenter", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Exfiltration And Tunneling Tools Execution, Nimbo-C2 User Agent, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Double Extension"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_064f7e8b-ce5f-474d-802e-e88fe2193365_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_064f7e8b-ce5f-474d-802e-e88fe2193365_do_not_edit_manually.json index 0eb06a14f3..751306a65e 100644 --- a/_shared_content/operations_center/detection/generated/attack_064f7e8b-ce5f-474d-802e-e88fe2193365_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_064f7e8b-ce5f-474d-802e-e88fe2193365_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Trend Micro Apex One", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Suspicious desktop.ini Action, Kernel Module Alteration"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies, System Info Discovery"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration, Add User to Privileged Group"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: High Privileges Network Share Removal, ETW Tampering, Erase Shell History, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows, Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious Taskkill Command, WMIC Uninstall Product, Bloodhound and Sharphound Tools Usage, PowerShell Download From URL, Suspicious VBS Execution Parameter, PowerShell EncodedCommand, Suspicious Microsoft Defender Antivirus Exclusion Command, Phorpiex DriveMgr Command, Powershell Web Request, Lazarus Loaders, MalwareBytes Uninstallation, Sysprep On AppData Folder, Elise Backdoor, Trend Micro Apex One Malware Alert, Suspicious Windows Script Execution, Koadic Execution, XSL Script Processing And SquiblyTwo Attack, AutoIt3 Execution From Suspicious Folder, DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Invocations - Specific, PowerShell Downgrade Attack, Python Offensive Tools and Packages, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Office Creating Suspicious File, Default Encoding To UTF-8 PowerShell, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious PrinterPorts Creation (CVE-2020-1048), Trend Micro Apex One Data Loss Prevention Alert"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, Outlook Registry Access, Container Credential Access, XCopy Suspicious Usage"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration, Raccine Uninstall, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disable Using Registry, WMIC Uninstall Product, Debugging Software Deactivation, Netsh RDP Port Opening, Disabled IE Security Features, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh RDP Port Forwarding, Netsh Port Forwarding, MalwareBytes Uninstallation, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Fail2ban Unban IP, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Port Opening, Microsoft Defender Antivirus Signatures Removed With MpCmdRun"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration, Raccine Uninstall, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disable Using Registry, WMIC Uninstall Product, NetSh Used To Disable Windows Firewall, Debugging Software Deactivation, Windows Firewall Changes, Clear EventLogs Through CommandLine, ETW Tampering, Netsh RDP Port Opening, Netsh Allow Command, Disabled IE Security Features, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh RDP Port Forwarding, Netsh Port Forwarding, MalwareBytes Uninstallation, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Fail2ban Unban IP, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Port Opening, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Allowed Python Program"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Cron Files Alteration, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line, Cmdkey Cached Credentials Recon, Process Memory Dump Using Comsvcs, Process Memory Dump Using Rdrleakdiag, Rubeus Tool Command-line, Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials, Process Trace Alteration, Copying Sensitive Files With Credential Data, HackTools Suspicious Process Names In Command Line"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution, Koadic MSHTML Command, Detect requests to Konni C2 servers, Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Double Extension, Possible Malicious File Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Trend Micro Apex One Malware Alert, Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File, Trend Micro Apex One Data Loss Prevention Alert"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs, Explorer Process Executing HTA File"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Detect requests to Konni C2 servers, Exfiltration And Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel, Ngrok Process Execution, Exfiltration And Tunneling Tools Execution, SOCKS Tunneling Tool, Netsh Port Forwarding"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Phorpiex Process Masquerading, AutoIt3 Execution From Suspicious Folder, Suspicious Cmd File Copy Command To Network Share, Possible Malicious File Double Extension, Non-Legitimate Executable Using AcceptEula Parameter"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command, Rclone Process, Suspicious Finger Usage, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Creating Unusual Files, PowerCat Function Loading, ProxyShell Exchange Suspicious Paths, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, ProxyShell Exchange Suspicious Paths, IIS Module Installation Using AppCmd, Exchange Server Creating Unusual Files, PowerCat Function Loading"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, Trend Micro Apex One Malware Alert, SolarWinds Suspicious File Creation, PsExec Process, Trend Micro Apex One Data Loss Prevention Alert"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: Trend Micro Apex One Intrusion Detection Alert"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, XCopy Suspicious Usage, Adexplorer Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious PowerShell Invocations - Specific, PowerShell Downgrade Attack, Suspicious Taskkill Command, PowerShell EncodedCommand, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Powershell Web Request, Bloodhound and Sharphound Tools Usage, PowerShell Download From URL, Default Encoding To UTF-8 PowerShell, PowerShell Malicious Nishang PowerShell Commandlets, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Phorpiex DriveMgr Command, Koadic Execution, WMIC Uninstall Product, Lazarus Loaders, MalwareBytes Uninstallation, Elise Backdoor"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh RDP Port Opening, Netsh Allow Command, Netsh Port Opening, Netsh RDP Port Forwarding, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Windows Firewall Changes, Netsh Allowed Python Program"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Wmic Service Call, Wmic Process Call Creation, WMIC Uninstall Product, XSL Script Processing And SquiblyTwo Attack, Blue Mockingbird Malware"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, Microsoft Office Creating Suspicious File, Koadic Execution, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Koadic Execution, Suspicious Windows Script Execution"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Blue Mockingbird Malware"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, PsExec Process"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious certutil command, Suspicious Mshta Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Inhibit System Recovery Deleting Backups, Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username, Suncrypt Parameters"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32, Equation Group DLL_U Load, Empire Monkey Activity, Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Control Process, CertOC Loading Dll, Suspicious Taskkill Command, Suspicious Windows Installer Execution, Mshta JavaScript Execution, PowerShell Execution Via Rundll32, Suspicious Rundll32.exe Execution, AccCheckConsole Executing Dll, Control Panel Items, Empire Monkey Activity, Suspicious Mshta Execution, Suspicious DLL Loading By Ordinal, MavInject Process Injection, xWizard Execution, CMSTP Execution, Equation Group DLL_U Load, Explorer Process Executing HTA File"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Suspicious Mshta Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage, NlTest Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write, New DLL Added To AppCertDlls Registry Key, Control Panel Items, Suspicious Netsh DLL Persistence, Change Default File Association"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, OneNote Embedded File"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1, Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Trend Micro Apex One", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Suspicious desktop.ini Action, Kernel Module Alteration"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, System Info Discovery, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration, Add User to Privileged Group"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, High Privileges Network Share Removal, Erase Shell History, ETW Tampering, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, WiFi Credentials Harvesting Using Netsh, Capture a network trace with netsh.exe, Network Sniffing Windows"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: WMIC Uninstall Product, Microsoft Office Creating Suspicious File, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious VBS Execution Parameter, Suspicious Taskkill Command, Powershell Web Request, AutoIt3 Execution From Suspicious Folder, PowerShell Download From URL, PowerShell Malicious Nishang PowerShell Commandlets, Default Encoding To UTF-8 PowerShell, Lazarus Loaders, PowerShell EncodedCommand, Microsoft Defender Antivirus Disabled Base64 Encoded, XSL Script Processing And SquiblyTwo Attack, Sysprep On AppData Folder, Koadic Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), Elise Backdoor, Phorpiex DriveMgr Command, Trend Micro Apex One Malware Alert, Python Offensive Tools and Packages, Suspicious PowerShell Invocations - Specific, DNS Exfiltration and Tunneling Tools Execution, Suspicious Windows Script Execution, PowerShell Downgrade Attack, MalwareBytes Uninstallation, Bloodhound and Sharphound Tools Usage, Trend Micro Apex One Data Loss Prevention Alert, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Adexplorer Usage, Container Credential Access, Outlook Registry Access, Opening Of a Password File"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Using Registry, WMIC Uninstall Product, Address Space Layout Randomization (ASLR) Alteration, Suspicious Microsoft Defender Antivirus Exclusion Command, Debugging Software Deactivation, Fail2ban Unban IP, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh RDP Port Forwarding, Disabled IE Security Features, Netsh Port Forwarding, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh Port Opening, Microsoft Defender Antivirus Disable Scheduled Tasks, MalwareBytes Uninstallation, Microsoft Defender Antivirus Restoration Abuse, Package Manager Alteration, Raccine Uninstall, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Disable Using Registry, WMIC Uninstall Product, Netsh Allow Command, Address Space Layout Randomization (ASLR) Alteration, Suspicious Microsoft Defender Antivirus Exclusion Command, Debugging Software Deactivation, Windows Firewall Changes, Fail2ban Unban IP, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh RDP Port Forwarding, ETW Tampering, Disabled IE Security Features, Netsh Port Forwarding, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh Port Opening, Microsoft Defender Antivirus Disable Scheduled Tasks, MalwareBytes Uninstallation, Microsoft Defender Antivirus Restoration Abuse, NetSh Used To Disable Windows Firewall, Package Manager Alteration, Netsh Allowed Python Program, Raccine Uninstall, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Comsvcs, WCE wceaux.dll Creation, NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data, Rubeus Tool Command-line, Process Memory Dump Using Rdrleakdiag, HackTools Suspicious Process Names In Command Line, Process Trace Alteration, Cmdkey Cached Credentials Recon, Copying Browser Files With Credentials, NTDS.dit File In Suspicious Directory, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution, Koadic MSHTML Command, SEKOIA.IO Intelligence Feed, Detect requests to Konni C2 servers"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Suspicious Double Extension"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, Net.exe User Account Creation"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Trend Micro Apex One Malware Alert, Explorer Process Executing HTA File, Download Files From Suspicious TLDs, Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names, Trend Micro Apex One Data Loss Prevention Alert"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Exfiltration And Tunneling Tools Execution, Python HTTP Server, Detect requests to Konni C2 servers"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Ngrok Process Execution, SOCKS Tunneling Tool, Netsh Port Forwarding, Potential DNS Tunnel"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, AutoIt3 Execution From Suspicious Folder, Possible Malicious File Double Extension, RTLO Character, Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious certutil command, Rclone Process, Suspicious URI Used In A Lazarus Campaign, Suspicious Finger Usage, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, Exchange Server Creating Unusual Files, ProxyShell Exchange Suspicious Paths, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: IIS Module Installation Using AppCmd, PowerCat Function Loading, ProxyShell Exchange Suspicious Paths, Exchange Server Creating Unusual Files, Webshell Creation"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Trend Micro Apex One Malware Alert, SolarWinds Suspicious File Creation, PsExec Process, Trend Micro Apex One Data Loss Prevention Alert, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: Trend Micro Apex One Intrusion Detection Alert"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, XCopy Suspicious Usage, Opening Of a Password File"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious PowerShell Invocations - Specific, DNS Exfiltration and Tunneling Tools Execution, PowerShell Downgrade Attack, PowerShell Download From URL, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious PrinterPorts Creation (CVE-2020-1048), Default Encoding To UTF-8 PowerShell, Suspicious Microsoft Defender Antivirus Exclusion Command, Bloodhound and Sharphound Tools Usage, Suspicious Taskkill Command, PowerShell EncodedCommand, Powershell Web Request, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, WMIC Uninstall Product, Koadic Execution, MalwareBytes Uninstallation, Elise Backdoor, Suspicious Taskkill Command, Lazarus Loaders"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Windows Firewall Changes, Netsh Port Opening, Netsh RDP Port Forwarding, Netsh Allow Command, NetSh Used To Disable Windows Firewall, Netsh Port Forwarding, Netsh Allowed Python Program, Netsh RDP Port Opening"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Wmic Process Call Creation, WMIC Uninstall Product, Wmic Service Call, WMI Install Of Binary, Blue Mockingbird Malware"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Koadic Execution, Microsoft Office Creating Suspicious File, Suspicious VBS Execution Parameter"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Koadic Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious certutil command, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Mshta Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups, Suncrypt Parameters"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username, Suncrypt Parameters"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Empire Monkey Activity, PowerShell Execution Via Rundll32, Equation Group DLL_U Load, Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Control Process, Empire Monkey Activity, Explorer Process Executing HTA File, PowerShell Execution Via Rundll32, AccCheckConsole Executing Dll, Suspicious Windows Installer Execution, Mshta JavaScript Execution, Equation Group DLL_U Load, Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution, xWizard Execution, MavInject Process Injection, Suspicious Taskkill Command, CertOC Loading Dll, CMSTP Execution, Suspicious Mshta Execution, Control Panel Items"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Suspicious Taskkill Command, Explorer Process Executing HTA File, Suspicious Mshta Execution"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, NlTest Usage, AdFind Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write, Change Default File Association, Suspicious Netsh DLL Persistence, New DLL Added To AppCertDlls Registry Key, Control Panel Items"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain In Command Line, Rclone Process"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, PowerShell EncodedCommand"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Formbook File Creation DB1"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_07c556c0-0675-478c-9803-e7990afe78b6_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_07c556c0-0675-478c-9803-e7990afe78b6_do_not_edit_manually.json index afa94be133..4d7a7bab37 100644 --- a/_shared_content/operations_center/detection/generated/attack_07c556c0-0675-478c-9803-e7990afe78b6_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_07c556c0-0675-478c-9803-e7990afe78b6_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x SentinelOne EDR", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration, Raccine Uninstall, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disable Using Registry, Disabled IE Security Features, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Restoration Abuse, WMIC Uninstall Product, Netsh RDP Port Forwarding, Netsh Port Forwarding, MalwareBytes Uninstallation, Debugging Software Deactivation, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration, Raccine Uninstall, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disable Using Registry, WMIC Uninstall Product, NetSh Used To Disable Windows Firewall, Debugging Software Deactivation, Windows Firewall Changes, Clear EventLogs Through CommandLine, ETW Tampering, Disabled IE Security Features, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh RDP Port Forwarding, Netsh Port Forwarding, MalwareBytes Uninstallation, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Allowed Python Program"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Suspicious Process Requiring DLL Starts Without DLL, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: STRRAT Scheduled Task, Cron Files Alteration, Suspicious Scheduled Task Creation, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line, Process Memory Dump Using Comsvcs, Process Memory Dump Using Rdrleakdiag, Rubeus Tool Command-line, Process Trace Alteration, HackTools Suspicious Process Names In Command Line"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Koadic MSHTML Command, Detect requests to Konni C2 servers, Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: SentinelOne EDR User Logged In To The Management Console, SentinelOne EDR Malicious Threat Not Mitigated, MS Office Product Spawning Exe in User Dir, SentinelOne EDR Threat Mitigation Report Quarantine Success, SentinelOne EDR Threat Mitigation Report Kill Success, SentinelOne EDR Malicious Threat Detected And Mitigated Preemptively, SentinelOne EDR Threat Mitigation Report Remediate Success, SentinelOne EDR Threat Detected (Malicious), SentinelOne EDR Suspicious Threat Not Mitigated (Medium Confidence), SentinelOne EDR User Failed To Log In To The Management Console, SentinelOne EDR Threat Detected (Suspicious), SentinelOne EDR Threat Mitigation Report Quarantine Failed, SentinelOne EDR Custom Rule Alert, SquirrelWaffle Malspam Execution Loading DLL, SentinelOne EDR SSO User Added, SentinelOne EDR Agent Disabled, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: SquirrelWaffle Malspam Execution Loading DLL, MS Office Product Spawning Exe in User Dir, Download Files From Suspicious TLDs"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Detect requests to Konni C2 servers, Python HTTP Server"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Phorpiex Process Masquerading, Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share, Possible Malicious File Double Extension, Formbook Hijacked Process Command, Non-Legitimate Executable Using AcceptEula Parameter"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, ProxyShell Exchange Suspicious Paths, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, ProxyShell Exchange Suspicious Paths, Webshell Creation"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: SentinelOne EDR Malicious Threat Not Mitigated, Suspicious Taskkill Command, SentinelOne EDR Threat Mitigation Report Kill Success, WMIC Uninstall Product, SentinelOne EDR Threat Mitigation Report Remediate Success, SquirrelWaffle Malspam Execution Loading DLL, SentinelOne EDR User Logged In To The Management Console, Exploiting SetupComplete.cmd CVE-2019-1378, SentinelOne EDR Threat Mitigation Report Quarantine Success, PowerShell EncodedCommand, Suspicious Microsoft Defender Antivirus Exclusion Command, Phorpiex DriveMgr Command, Lazarus Loaders, SentinelOne EDR Suspicious Threat Not Mitigated (Medium Confidence), SentinelOne EDR User Failed To Log In To The Management Console, MalwareBytes Uninstallation, SentinelOne EDR SSO User Added, SentinelOne EDR Malicious Threat Detected And Mitigated Preemptively, Suspicious Cmd.exe Command Line, SentinelOne EDR Threat Mitigation Report Quarantine Failed, DNS Exfiltration and Tunneling Tools Execution, SentinelOne EDR Custom Rule Alert, SentinelOne EDR Agent Disabled, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Disabled Base64 Encoded, SentinelOne EDR Threat Detected (Malicious), Default Encoding To UTF-8 PowerShell, SentinelOne EDR Threat Detected (Suspicious), Suspicious PrinterPorts Creation (CVE-2020-1048)"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, SentinelOne EDR User Logged In To The Management Console, SentinelOne EDR Malicious Threat Not Mitigated, SentinelOne EDR Threat Mitigation Report Quarantine Success, SolarWinds Wrong Child Process, SentinelOne EDR Threat Mitigation Report Kill Success, SentinelOne EDR Malicious Threat Detected And Mitigated Preemptively, SentinelOne EDR Threat Mitigation Report Remediate Success, SentinelOne EDR Threat Detected (Malicious), SentinelOne EDR Suspicious Threat Not Mitigated (Medium Confidence), SentinelOne EDR User Failed To Log In To The Management Console, SentinelOne EDR Threat Detected (Suspicious), SentinelOne EDR Threat Mitigation Report Quarantine Failed, SentinelOne EDR Custom Rule Alert, SentinelOne EDR SSO User Added, SentinelOne EDR Agent Disabled"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious Taskkill Command, Phorpiex DriveMgr Command, WMIC Uninstall Product, Suspicious Cmd.exe Command Line, Lazarus Loaders, MalwareBytes Uninstallation, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: SquirrelWaffle Malspam Execution Loading DLL, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CertOC Loading Dll, Suspicious Taskkill Command, Suspicious Windows Installer Execution, Control Panel Items, Suspicious DLL Loading By Ordinal, MavInject Process Injection, CMSTP UAC Bypass via COM Object Access, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, XCopy Suspicious Usage"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious PowerShell Invocations - Specific, Suspicious Taskkill Command, PowerShell EncodedCommand, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Formbook Hijacked Process Command"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: STRRAT Scheduled Task, Suspicious Scheduled Task Creation, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, SolarWinds Wrong Child Process"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username, Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key, Control Panel Items, Change Default File Association, Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh RDP Port Forwarding, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Windows Firewall Changes, Netsh Allowed Python Program"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, OneNote Embedded File"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Wmic Service Call, Wmic Process Call Creation, Impacket Wmiexec Module, WMIC Uninstall Product, Blue Mockingbird Malware"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1, Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: SolarWinds Wrong Child Process"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: SolarWinds Wrong Child Process"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Netsh Port Forwarding, SOCKS Tunneling Tool"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access"}]} \ No newline at end of file +{"name": "SEKOIA.IO x SentinelOne EDR", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Debugging Software Deactivation, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, WMIC Uninstall Product, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, MalwareBytes Uninstallation, Netsh RDP Port Forwarding, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Restoration Abuse, Package Manager Alteration, Disabled IE Security Features, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh Port Forwarding, Raccine Uninstall, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Disable Using Registry, WMIC Uninstall Product, Address Space Layout Randomization (ASLR) Alteration, Suspicious Microsoft Defender Antivirus Exclusion Command, Debugging Software Deactivation, Windows Firewall Changes, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh RDP Port Forwarding, ETW Tampering, Disabled IE Security Features, Netsh Port Forwarding, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, MalwareBytes Uninstallation, Microsoft Defender Antivirus Restoration Abuse, NetSh Used To Disable Windows Firewall, Package Manager Alteration, Netsh Allowed Python Program, Raccine Uninstall, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Suspicious Process Requiring DLL Starts Without DLL, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration, Suspicious Scheduled Task Creation, Qakbot Persistence Using Schtasks, STRRAT Scheduled Task, BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Comsvcs, WCE wceaux.dll Creation, NTDS.dit File Interaction Through Command Line, Rubeus Tool Command-line, Process Memory Dump Using Rdrleakdiag, HackTools Suspicious Process Names In Command Line, Process Trace Alteration, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution, Koadic MSHTML Command, SEKOIA.IO Intelligence Feed, Detect requests to Konni C2 servers"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: SentinelOne EDR SSO User Added, SentinelOne EDR Threat Detected (Suspicious), SentinelOne EDR Malicious Threat Detected And Mitigated Preemptively, SentinelOne EDR Suspicious Threat Not Mitigated (Medium Confidence), SentinelOne EDR Malicious Threat Not Mitigated, SentinelOne EDR User Failed To Log In To The Management Console, SentinelOne EDR User Logged In To The Management Console, SentinelOne EDR Custom Rule Alert, SentinelOne EDR Threat Mitigation Report Kill Success, SentinelOne EDR Threat Mitigation Report Quarantine Failed, SquirrelWaffle Malspam Execution Loading DLL, MS Office Product Spawning Exe in User Dir, Download Files From Suspicious TLDs, SentinelOne EDR Threat Mitigation Report Quarantine Success, SentinelOne EDR Threat Mitigation Report Remediate Success, SentinelOne EDR Threat Detected (Malicious), SentinelOne EDR Agent Disabled"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: MS Office Product Spawning Exe in User Dir, SquirrelWaffle Malspam Execution Loading DLL, Download Files From Suspicious TLDs"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Python HTTP Server, Detect requests to Konni C2 servers"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Possible Malicious File Double Extension, Formbook Hijacked Process Command, RTLO Character, Suspicious Cmd.exe Command Line, Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, ProxyShell Exchange Suspicious Paths, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, ProxyShell Exchange Suspicious Paths, Webshell Creation"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: SentinelOne EDR Threat Detected (Suspicious), WMIC Uninstall Product, SentinelOne EDR User Failed To Log In To The Management Console, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Taskkill Command, Exploiting SetupComplete.cmd CVE-2019-1378, SentinelOne EDR Suspicious Threat Not Mitigated (Medium Confidence), SentinelOne EDR Malicious Threat Detected And Mitigated Preemptively, Default Encoding To UTF-8 PowerShell, SentinelOne EDR Threat Detected (Malicious), Lazarus Loaders, PowerShell EncodedCommand, Microsoft Defender Antivirus Disabled Base64 Encoded, SentinelOne EDR Threat Mitigation Report Kill Success, SentinelOne EDR Threat Mitigation Report Quarantine Failed, Suspicious PrinterPorts Creation (CVE-2020-1048), SentinelOne EDR Threat Mitigation Report Quarantine Success, SentinelOne EDR Agent Disabled, Phorpiex DriveMgr Command, Suspicious PowerShell Invocations - Specific, DNS Exfiltration and Tunneling Tools Execution, SentinelOne EDR Malicious Threat Not Mitigated, SentinelOne EDR Custom Rule Alert, SentinelOne EDR User Logged In To The Management Console, MalwareBytes Uninstallation, SentinelOne EDR Threat Mitigation Report Remediate Success, Suspicious Cmd.exe Command Line, SentinelOne EDR SSO User Added, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: SentinelOne EDR SSO User Added, SentinelOne EDR Threat Detected (Suspicious), SentinelOne EDR Malicious Threat Detected And Mitigated Preemptively, SentinelOne EDR Suspicious Threat Not Mitigated (Medium Confidence), SentinelOne EDR Malicious Threat Not Mitigated, SentinelOne EDR User Failed To Log In To The Management Console, SentinelOne EDR User Logged In To The Management Console, SentinelOne EDR Custom Rule Alert, SentinelOne EDR Threat Mitigation Report Kill Success, SentinelOne EDR Threat Mitigation Report Quarantine Failed, SolarWinds Wrong Child Process, SentinelOne EDR Threat Mitigation Report Quarantine Success, SentinelOne EDR Threat Mitigation Report Remediate Success, SentinelOne EDR Threat Detected (Malicious), Usage Of Procdump With Common Arguments, SentinelOne EDR Agent Disabled"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Phorpiex DriveMgr Command, WMIC Uninstall Product, MalwareBytes Uninstallation, SquirrelWaffle Malspam Execution Loading DLL, Lazarus Loaders, Suspicious Taskkill Command, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: SquirrelWaffle Malspam Execution Loading DLL, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution, CMSTP UAC Bypass via COM Object Access, SquirrelWaffle Malspam Execution Loading DLL, Suspicious DLL Loading By Ordinal, MavInject Process Injection, Suspicious Taskkill Command, CertOC Loading Dll, Control Panel Items"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious PowerShell Invocations - Specific, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), Default Encoding To UTF-8 PowerShell, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Taskkill Command, PowerShell EncodedCommand, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Formbook Hijacked Process Command, Phorpiex Process Masquerading"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Suspicious Scheduled Task Creation, Qakbot Persistence Using Schtasks, STRRAT Scheduled Task, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: SolarWinds Wrong Child Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username, Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key, Suspicious Netsh DLL Persistence, Control Panel Items, Change Default File Association"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Windows Firewall Changes, Netsh RDP Port Forwarding, NetSh Used To Disable Windows Firewall, Netsh Port Forwarding, Netsh Allowed Python Program"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, PowerShell EncodedCommand"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Process Call Creation, WMIC Uninstall Product, Wmic Service Call, WMI Install Of Binary, Impacket Wmiexec Module, Blue Mockingbird Malware"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Formbook File Creation DB1"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: SolarWinds Wrong Child Process"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: SolarWinds Wrong Child Process"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Netsh Port Forwarding"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_0ba58f32-7dba-4084-ab17-90c0be6b1f10_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_0ba58f32-7dba-4084-ab17-90c0be6b1f10_do_not_edit_manually.json index cc8a89a9d0..d6e15de958 100644 --- a/_shared_content/operations_center/detection/generated/attack_0ba58f32-7dba-4084-ab17-90c0be6b1f10_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_0ba58f32-7dba-4084-ab17-90c0be6b1f10_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Cloudflare HTTP requests", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Cloudflare HTTP Requests Rule Block Or Drop"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Cloudflare HTTP Requests Rule Block Or Drop"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Cloudflare HTTP requests", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Cloudflare HTTP Requests Rule Block Or Drop"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Cloudflare HTTP Requests Rule Block Or Drop"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_0de050fb-3f56-4c7a-a9b6-76bf5298a617_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_0de050fb-3f56-4c7a-a9b6-76bf5298a617_do_not_edit_manually.json index 580c6c9924..d7b176f45a 100644 --- a/_shared_content/operations_center/detection/generated/attack_0de050fb-3f56-4c7a-a9b6-76bf5298a617_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_0de050fb-3f56-4c7a-a9b6-76bf5298a617_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Cybereason EDR activity", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies, System Info Discovery"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: High Privileges Network Share Removal, ETW Tampering, Erase Shell History, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows, Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, Outlook Registry Access, Container Credential Access, XCopy Suspicious Usage"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Raccine Uninstall, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disable Using Registry, WMIC Uninstall Product, Debugging Software Deactivation, Netsh RDP Port Opening, Disabled IE Security Features, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh RDP Port Forwarding, Netsh Port Forwarding, MalwareBytes Uninstallation, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Fail2ban Unban IP, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Port Opening, Microsoft Defender Antivirus Signatures Removed With MpCmdRun"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Raccine Uninstall, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disable Using Registry, WMIC Uninstall Product, NetSh Used To Disable Windows Firewall, Debugging Software Deactivation, Windows Firewall Changes, Clear EventLogs Through CommandLine, ETW Tampering, Netsh RDP Port Opening, Netsh Allow Command, Disabled IE Security Features, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh RDP Port Forwarding, Netsh Port Forwarding, MalwareBytes Uninstallation, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Fail2ban Unban IP, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Port Opening, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Allowed Python Program"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Explorer Wrong Parent, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Cmdkey Cached Credentials Recon, Process Memory Dump Using Comsvcs, Process Memory Dump Using Rdrleakdiag, Rubeus Tool Command-line, Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials, Process Trace Alteration, Copying Sensitive Files With Credential Data, HackTools Suspicious Process Names In Command Line"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Exploit For CVE-2015-1641, Winword Document Droppers, Microsoft Office Product Spawning Windows Shell, Microsoft Office Spawning Script, SquirrelWaffle Malspam Execution Loading DLL, Explorer Process Executing HTA File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Exploit For CVE-2015-1641, Winword Document Droppers, Microsoft Office Product Spawning Windows Shell, Microsoft Office Spawning Script, Suspicious Outlook Child Process, SquirrelWaffle Malspam Execution Loading DLL, Explorer Process Executing HTA File"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Phorpiex DriveMgr Command, Koadic Execution, Suspicious Cmd.exe Command Line, WMIC Uninstall Product, Lazarus Loaders, MalwareBytes Uninstallation, SquirrelWaffle Malspam Execution Loading DLL, Elise Backdoor"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious Taskkill Command, WMIC Uninstall Product, Bloodhound and Sharphound Tools Usage, PowerShell Download From URL, QakBot Process Creation, Suspicious Outlook Child Process, SquirrelWaffle Malspam Execution Loading DLL, Suspicious VBS Execution Parameter, PowerShell EncodedCommand, Suspicious Microsoft Defender Antivirus Exclusion Command, Phorpiex DriveMgr Command, Powershell Web Request, Lazarus Loaders, MalwareBytes Uninstallation, Mshta Suspicious Child Process, Sysprep On AppData Folder, Elise Backdoor, Suspicious Windows Script Execution, Koadic Execution, Suspicious Cmd.exe Command Line, XSL Script Processing And SquiblyTwo Attack, DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Invocations - Specific, PowerShell Downgrade Attack, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Office Spawning Script, Default Encoding To UTF-8 PowerShell, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious PrinterPorts Creation (CVE-2020-1048)"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, Microsoft Office Spawning Script, Suspicious Windows Script Execution, Koadic Execution, XSL Script Processing And SquiblyTwo Attack, QakBot Process Creation, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: IcedID Execution Using Excel, PowerShell Execution Via Rundll32, Equation Group DLL_U Load, Empire Monkey Activity, Suspicious DLL Loading By Ordinal, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Suspicious Windows Installer Execution, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Regsvr32 Execution, PowerShell Execution Via Rundll32, Control Panel Items, MavInject Process Injection, Mshta JavaScript Execution, MOFComp Execution, AccCheckConsole Executing Dll, xWizard Execution, Empire Monkey Activity, Suspicious DLL Loading By Ordinal, CMSTP Execution, Suspicious Rundll32.exe Execution, Explorer Process Executing HTA File, IcedID Execution Using Excel, Suspicious Control Process, CertOC Loading Dll, Suspicious Mshta Execution, Equation Group DLL_U Load"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, XCopy Suspicious Usage, Adexplorer Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious PowerShell Invocations - Specific, PowerShell Downgrade Attack, Suspicious Taskkill Command, PowerShell EncodedCommand, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Powershell Web Request, Bloodhound and Sharphound Tools Usage, PowerShell Download From URL, Default Encoding To UTF-8 PowerShell, PowerShell Malicious Nishang PowerShell Commandlets, Mshta Suspicious Child Process, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Rclone Process, Suspicious Finger Usage, Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh RDP Port Opening, Netsh Allow Command, Netsh Port Opening, Netsh RDP Port Forwarding, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Windows Firewall Changes, Netsh Allowed Python Program"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Exploit For CVE-2017-0261 Or CVE-2017-0262, Explorer Wrong Parent, Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share, Non-Legitimate Executable Using AcceptEula Parameter"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Wmic Service Call, Wmic Process Call Creation, Impacket Wmiexec Module, WMIC Uninstall Product, XSL Script Processing And SquiblyTwo Attack, Suspicious Mshta Execution From Wmi, Blue Mockingbird Malware"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Koadic Execution, Suspicious Windows Script Execution"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Exploit For CVE-2017-0261 Or CVE-2017-0262, Explorer Wrong Parent"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Explorer Wrong Parent, SolarWinds Wrong Child Process, Winword wrong parent, New Service Creation, Suspicious Commands From MS SQL Server Shell"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Explorer Wrong Parent, SolarWinds Wrong Child Process, Winword wrong parent, New Service Creation, Suspicious Commands From MS SQL Server Shell"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: STRRAT Scheduled Task, Schtasks Suspicious Parent, Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: STRRAT Scheduled Task, Schtasks Suspicious Parent, Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Blue Mockingbird Malware"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, SolarWinds Wrong Child Process, Suspicious DNS Child Process, Winword wrong parent, Suspicious Commands From MS SQL Server Shell, PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, SolarWinds Wrong Child Process, Suspicious DNS Child Process, Winword wrong parent, Suspicious Commands From MS SQL Server Shell, Windows Update LolBins, PsExec Process"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious certutil command, Suspicious Mshta Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Inhibit System Recovery Deleting Backups, Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username, Suncrypt Parameters"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Suspicious Mshta Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage, NlTest Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Ngrok Process Execution, Exfiltration And Tunneling Tools Execution, SOCKS Tunneling Tool, Netsh Port Forwarding"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, Exfiltration And Tunneling Tools Execution, DNS Exfiltration and Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key, Control Panel Items, Change Default File Association, Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Exploit For CVE-2015-1641, Suspicious HWP Child Process"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious HWP Child Process"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Outlook Child Process, Suspicious Double Extension, Suspicious HWP Child Process"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, PowerCat Function Loading, Webshell Execution W3WP Process"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: IIS Module Installation Using AppCmd, Exchange Server Spawning Suspicious Processes, PowerCat Function Loading, Webshell Execution W3WP Process"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Suspicious DNS Child Process"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Cybereason EDR activity", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, System Info Discovery, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, High Privileges Network Share Removal, Erase Shell History, ETW Tampering, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, WiFi Credentials Harvesting Using Netsh, Capture a network trace with netsh.exe, Network Sniffing Windows"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Adexplorer Usage, Container Credential Access, Outlook Registry Access, Opening Of a Password File"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Using Registry, WMIC Uninstall Product, Address Space Layout Randomization (ASLR) Alteration, Suspicious Microsoft Defender Antivirus Exclusion Command, Debugging Software Deactivation, Fail2ban Unban IP, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh RDP Port Forwarding, Disabled IE Security Features, Netsh Port Forwarding, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh Port Opening, Microsoft Defender Antivirus Disable Scheduled Tasks, MalwareBytes Uninstallation, Microsoft Defender Antivirus Restoration Abuse, Raccine Uninstall, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Disable Using Registry, WMIC Uninstall Product, Netsh Allow Command, Address Space Layout Randomization (ASLR) Alteration, Suspicious Microsoft Defender Antivirus Exclusion Command, Debugging Software Deactivation, Windows Firewall Changes, Fail2ban Unban IP, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh RDP Port Forwarding, ETW Tampering, Disabled IE Security Features, Netsh Port Forwarding, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh Port Opening, Microsoft Defender Antivirus Disable Scheduled Tasks, MalwareBytes Uninstallation, Microsoft Defender Antivirus Restoration Abuse, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Raccine Uninstall, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Explorer Wrong Parent, MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Comsvcs, NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data, Rubeus Tool Command-line, Process Memory Dump Using Rdrleakdiag, HackTools Suspicious Process Names In Command Line, Process Trace Alteration, Copying Browser Files With Credentials, Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Explorer Process Executing HTA File, Microsoft Office Product Spawning Windows Shell, Microsoft Office Spawning Script, Exploit For CVE-2015-1641, Winword Document Droppers, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Explorer Process Executing HTA File, Microsoft Office Product Spawning Windows Shell, Microsoft Office Spawning Script, Exploit For CVE-2015-1641, Winword Document Droppers, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Outlook Child Process"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, WMIC Uninstall Product, Koadic Execution, MalwareBytes Uninstallation, SquirrelWaffle Malspam Execution Loading DLL, Lazarus Loaders, Elise Backdoor, Suspicious Taskkill Command, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: WMIC Uninstall Product, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious VBS Execution Parameter, Suspicious Taskkill Command, Powershell Web Request, QakBot Process Creation, PowerShell Download From URL, PowerShell Malicious Nishang PowerShell Commandlets, Default Encoding To UTF-8 PowerShell, Mshta Suspicious Child Process, Lazarus Loaders, PowerShell EncodedCommand, Microsoft Defender Antivirus Disabled Base64 Encoded, XSL Script Processing And SquiblyTwo Attack, Sysprep On AppData Folder, Koadic Execution, Microsoft Office Spawning Script, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious Outlook Child Process, Elise Backdoor, Phorpiex DriveMgr Command, Suspicious PowerShell Invocations - Specific, DNS Exfiltration and Tunneling Tools Execution, Suspicious Windows Script Execution, PowerShell Downgrade Attack, MalwareBytes Uninstallation, Bloodhound and Sharphound Tools Usage, Suspicious Cmd.exe Command Line, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, QakBot Process Creation, Suspicious Windows Script Execution, Koadic Execution, Microsoft Office Spawning Script, SquirrelWaffle Malspam Execution Loading DLL, Suspicious VBS Execution Parameter"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Empire Monkey Activity, PowerShell Execution Via Rundll32, Equation Group DLL_U Load, SquirrelWaffle Malspam Execution Loading DLL, Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Control Process, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Taskkill Command, CertOC Loading Dll, Empire Monkey Activity, Suspicious Windows Installer Execution, xWizard Execution, MavInject Process Injection, MOFComp Execution, Suspicious Mshta Execution, IcedID Execution Using Excel, AccCheckConsole Executing Dll, Equation Group DLL_U Load, Suspicious Rundll32.exe Execution, Suspicious Regsvr32 Execution, Explorer Process Executing HTA File, PowerShell Execution Via Rundll32, Suspicious DLL Loading By Ordinal, Mshta JavaScript Execution, CMSTP Execution, Control Panel Items"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, XCopy Suspicious Usage, Opening Of a Password File"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious PowerShell Invocations - Specific, DNS Exfiltration and Tunneling Tools Execution, PowerShell Downgrade Attack, PowerShell Download From URL, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious PrinterPorts Creation (CVE-2020-1048), Default Encoding To UTF-8 PowerShell, Suspicious Microsoft Defender Antivirus Exclusion Command, Bloodhound and Sharphound Tools Usage, Mshta Suspicious Child Process, Suspicious Taskkill Command, PowerShell EncodedCommand, Powershell Web Request, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Suspicious Finger Usage, Suspicious certutil command, Rclone Process"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Windows Firewall Changes, Netsh Port Opening, Netsh RDP Port Forwarding, Netsh Allow Command, NetSh Used To Disable Windows Firewall, Netsh Port Forwarding, Netsh Allowed Python Program, Netsh RDP Port Opening"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Exploit For CVE-2017-0261 Or CVE-2017-0262, Explorer Wrong Parent, Suspicious Cmd.exe Command Line, Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Wmic Process Call Creation, WMIC Uninstall Product, Wmic Service Call, WMI Install Of Binary, Impacket Wmiexec Module, Blue Mockingbird Malware, Suspicious Mshta Execution From Wmi"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Koadic Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Explorer Wrong Parent, Exploit For CVE-2017-0261 Or CVE-2017-0262"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation, SolarWinds Wrong Child Process, Explorer Wrong Parent, Winword wrong parent, Suspicious Commands From MS SQL Server Shell"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation, SolarWinds Wrong Child Process, Explorer Wrong Parent, Winword wrong parent, Suspicious Commands From MS SQL Server Shell"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Schtasks Suspicious Parent, Qakbot Persistence Using Schtasks, STRRAT Scheduled Task, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Schtasks Suspicious Parent, Qakbot Persistence Using Schtasks, STRRAT Scheduled Task, BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, SolarWinds Wrong Child Process, Usage Of Procdump With Common Arguments, Winword wrong parent, Suspicious Commands From MS SQL Server Shell, Suspicious DNS Child Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, SolarWinds Wrong Child Process, Windows Update LolBins, Usage Of Procdump With Common Arguments, Winword wrong parent, Suspicious Commands From MS SQL Server Shell, Suspicious DNS Child Process"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious certutil command, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Mshta Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups, Suncrypt Parameters"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username, Suncrypt Parameters"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Suspicious Taskkill Command, Explorer Process Executing HTA File, Suspicious Mshta Execution"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, NlTest Usage, AdFind Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution, Ngrok Process Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, Exfiltration And Tunneling Tools Execution, Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key, Suspicious Netsh DLL Persistence, Control Panel Items, Change Default File Association"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain In Command Line, Rclone Process"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Suspicious HWP Child Process, Exploit For CVE-2015-1641"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious HWP Child Process, Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious HWP Child Process, Suspicious Outlook Child Process, Suspicious Double Extension"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Execution W3WP Process, Exchange Server Spawning Suspicious Processes, PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: IIS Module Installation Using AppCmd, Webshell Execution W3WP Process, Exchange Server Spawning Suspicious Processes, PowerCat Function Loading"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Suspicious DNS Child Process"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_10999b99-9a8d-4b92-9fbd-01e3fac01cd5_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_10999b99-9a8d-4b92-9fbd-01e3fac01cd5_do_not_edit_manually.json index 4b6515f638..7528dae7f3 100644 --- a/_shared_content/operations_center/detection/generated/attack_10999b99-9a8d-4b92-9fbd-01e3fac01cd5_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_10999b99-9a8d-4b92-9fbd-01e3fac01cd5_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Crowdstrike Falcon Telemetry", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Raccine Uninstall, Suspicious Driver Loaded, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disable Using Registry, Disabled IE Security Features, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Restoration Abuse, WMIC Uninstall Product, Netsh RDP Port Forwarding, Netsh Port Forwarding, MalwareBytes Uninstallation, Debugging Software Deactivation, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Raccine Uninstall, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disable Using Registry, WMIC Uninstall Product, NetSh Used To Disable Windows Firewall, Debugging Software Deactivation, Windows Firewall Changes, Clear EventLogs Through CommandLine, ETW Tampering, Disabled IE Security Features, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh RDP Port Forwarding, Netsh Port Forwarding, MalwareBytes Uninstallation, Address Space Layout Randomization (ASLR) Alteration, Suspicious Driver Loaded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Allowed Python Program"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Suspicious Process Requiring DLL Starts Without DLL, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Process Memory Dump Using Comsvcs, Process Memory Dump Using Rdrleakdiag, Rubeus Tool Command-line, Windows Credential Editor Registry Key, Process Trace Alteration, HackTools Suspicious Process Names In Command Line"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Bazar Loader DGA (Domain Generation Algorithm), Python HTTP Server, Sliver DNS Beaconing, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), DNS Exfiltration and Tunneling Tools Execution, Sliver DNS Beaconing"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, XCopy Suspicious Usage"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious PowerShell Invocations - Specific, Suspicious Taskkill Command, PowerShell EncodedCommand, Suspicious Microsoft Defender Antivirus Exclusion Command, Venom Multi-hop Proxy agent detection, Microsoft Defender Antivirus Disabled Base64 Encoded, Phorpiex DriveMgr Command, WMIC Uninstall Product, Lazarus Loaders, MalwareBytes Uninstallation, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Netsh Port Forwarding, Venom Multi-hop Proxy agent detection, SOCKS Tunneling Tool"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Suspicious Cmd File Copy Command To Network Share, Non-Legitimate Executable Using AcceptEula Parameter"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious PowerShell Invocations - Specific, Suspicious Taskkill Command, PowerShell EncodedCommand, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: RUN Registry Key Created From Suspicious Folder, Leviathan Registry Key Activity, Autorun Keys Modification"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration, Leviathan Registry Key Activity, Autorun Keys Modification, NjRat Registry Changes, RUN Registry Key Created From Suspicious Folder"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Ursnif Registry Key, RedMimicry Winnti Playbook Registry Manipulation, FlowCloud Malware, Disable Workstation Lock, OceanLotus Registry Activity, Blue Mockingbird Malware, RDP Sensitive Settings Changed"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, Usage Of Sysinternals Tools"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, Usage Of Sysinternals Tools"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username, Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CertOC Loading Dll, Suspicious Taskkill Command, Suspicious Windows Installer Execution, Control Panel Items, MavInject Process Injection, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Phorpiex DriveMgr Command, WMIC Uninstall Product, Lazarus Loaders, MalwareBytes Uninstallation"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Suspicious Scheduled Task Creation, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Suspicious Scheduled Task Creation, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key, Control Panel Items, Suspicious Netsh DLL Persistence, Sticky Key Like Backdoor Usage, Change Default File Association"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh RDP Port Forwarding, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Windows Firewall Changes, Netsh Allowed Python Program"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Windows Credential Editor Registry Key"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Wmic Service Call, Wmic Process Call Creation, WMIC Uninstall Product, Blue Mockingbird Malware"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Pandemic Windows Implant"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Crowdstrike Falcon Telemetry", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Debugging Software Deactivation, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, WMIC Uninstall Product, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, MalwareBytes Uninstallation, Netsh RDP Port Forwarding, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Restoration Abuse, Suspicious Driver Loaded, Disabled IE Security Features, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh Port Forwarding, Raccine Uninstall, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Disable Using Registry, WMIC Uninstall Product, Address Space Layout Randomization (ASLR) Alteration, Suspicious Driver Loaded, Suspicious Microsoft Defender Antivirus Exclusion Command, Debugging Software Deactivation, Windows Firewall Changes, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh RDP Port Forwarding, ETW Tampering, Disabled IE Security Features, Netsh Port Forwarding, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, MalwareBytes Uninstallation, Microsoft Defender Antivirus Restoration Abuse, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Raccine Uninstall, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Suspicious Process Requiring DLL Starts Without DLL, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Comsvcs, NTDS.dit File Interaction Through Command Line, Rubeus Tool Command-line, Process Memory Dump Using Rdrleakdiag, HackTools Suspicious Process Names In Command Line, Process Trace Alteration, Windows Credential Editor Registry Key"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Sliver DNS Beaconing, Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution, Bazar Loader DGA (Domain Generation Algorithm), SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm), DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious PowerShell Invocations - Specific, Phorpiex DriveMgr Command, DNS Exfiltration and Tunneling Tools Execution, WMIC Uninstall Product, MalwareBytes Uninstallation, Suspicious PrinterPorts Creation (CVE-2020-1048), Default Encoding To UTF-8 PowerShell, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Taskkill Command, Lazarus Loaders, Venom Multi-hop Proxy agent detection, PowerShell EncodedCommand, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Venom Multi-hop Proxy agent detection, Netsh Port Forwarding"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Non-Legitimate Executable Using AcceptEula Parameter, Phorpiex Process Masquerading"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious PowerShell Invocations - Specific, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), Default Encoding To UTF-8 PowerShell, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Taskkill Command, PowerShell EncodedCommand, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Leviathan Registry Key Activity, RUN Registry Key Created From Suspicious Folder, Autorun Keys Modification"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Autorun Keys Modification, Leviathan Registry Key Activity, RUN Registry Key Created From Suspicious Folder, NjRat Registry Changes, Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper, UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper, UAC Bypass Via Sdclt"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Disable Workstation Lock, Ursnif Registry Key, FlowCloud Malware, RedMimicry Winnti Playbook Registry Manipulation, RDP Sensitive Settings Changed, OceanLotus Registry Activity, Blue Mockingbird Malware"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username, Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution, Suspicious DLL Loading By Ordinal, MavInject Process Injection, Suspicious Taskkill Command, CertOC Loading Dll, Control Panel Items"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, WMIC Uninstall Product, MalwareBytes Uninstallation, Suspicious Taskkill Command, Lazarus Loaders"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Suspicious Scheduled Task Creation, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Suspicious Scheduled Task Creation, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Change Default File Association, Sticky Key Like Backdoor Usage, Suspicious Netsh DLL Persistence, New DLL Added To AppCertDlls Registry Key, Control Panel Items"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Windows Firewall Changes, Netsh RDP Port Forwarding, NetSh Used To Disable Windows Firewall, Netsh Port Forwarding, Netsh Allowed Python Program"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Windows Credential Editor Registry Key"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Process Call Creation, WMIC Uninstall Product, Wmic Service Call, WMI Install Of Binary, Blue Mockingbird Malware"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Pandemic Windows Implant"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_162064f0-c594-455e-ac24-2d7129137688_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_162064f0-c594-455e-ac24-2d7129137688_do_not_edit_manually.json index 6ac1f502db..a2cea410cc 100644 --- a/_shared_content/operations_center/detection/generated/attack_162064f0-c594-455e-ac24-2d7129137688_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_162064f0-c594-455e-ac24-2d7129137688_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Azure Linux [DEPRECATED]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Raccine Uninstall, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disable Using Registry, Disabled IE Security Features, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Restoration Abuse, WMIC Uninstall Product, Netsh RDP Port Forwarding, Netsh Port Forwarding, MalwareBytes Uninstallation, Debugging Software Deactivation, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Raccine Uninstall, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disable Using Registry, WMIC Uninstall Product, NetSh Used To Disable Windows Firewall, Debugging Software Deactivation, Windows Firewall Changes, Clear EventLogs Through CommandLine, ETW Tampering, Disabled IE Security Features, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh RDP Port Forwarding, Netsh Port Forwarding, MalwareBytes Uninstallation, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Allowed Python Program"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Process Memory Dump Using Comsvcs, Process Memory Dump Using Rdrleakdiag, Rubeus Tool Command-line, Process Trace Alteration, HackTools Suspicious Process Names In Command Line"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, DNS Exfiltration and Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, XCopy Suspicious Usage"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Suspicious Cmd File Copy Command To Network Share, Non-Legitimate Executable Using AcceptEula Parameter"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious PowerShell Invocations - Specific, Suspicious Taskkill Command, PowerShell EncodedCommand, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious PowerShell Invocations - Specific, Suspicious Taskkill Command, PowerShell EncodedCommand, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Phorpiex DriveMgr Command, WMIC Uninstall Product, Lazarus Loaders, MalwareBytes Uninstallation, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username, Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CertOC Loading Dll, Suspicious Taskkill Command, Suspicious Windows Installer Execution, Control Panel Items, MavInject Process Injection, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Phorpiex DriveMgr Command, WMIC Uninstall Product, Lazarus Loaders, MalwareBytes Uninstallation"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key, Control Panel Items, Change Default File Association, Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh RDP Port Forwarding, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Windows Firewall Changes, Netsh Allowed Python Program"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Wmic Service Call, Wmic Process Call Creation, WMIC Uninstall Product, Blue Mockingbird Malware"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Netsh Port Forwarding, SOCKS Tunneling Tool"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Azure Linux [DEPRECATED]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Debugging Software Deactivation, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, WMIC Uninstall Product, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, MalwareBytes Uninstallation, Netsh RDP Port Forwarding, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Restoration Abuse, Disabled IE Security Features, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh Port Forwarding, Raccine Uninstall, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Disable Using Registry, WMIC Uninstall Product, Address Space Layout Randomization (ASLR) Alteration, Suspicious Microsoft Defender Antivirus Exclusion Command, Debugging Software Deactivation, Windows Firewall Changes, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh RDP Port Forwarding, ETW Tampering, Disabled IE Security Features, Netsh Port Forwarding, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, MalwareBytes Uninstallation, Microsoft Defender Antivirus Restoration Abuse, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Raccine Uninstall, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Comsvcs, NTDS.dit File Interaction Through Command Line, Rubeus Tool Command-line, Process Memory Dump Using Rdrleakdiag, HackTools Suspicious Process Names In Command Line, Process Trace Alteration"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Python HTTP Server, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Non-Legitimate Executable Using AcceptEula Parameter, Phorpiex Process Masquerading"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious PowerShell Invocations - Specific, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), Default Encoding To UTF-8 PowerShell, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Taskkill Command, PowerShell EncodedCommand, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious PowerShell Invocations - Specific, Phorpiex DriveMgr Command, DNS Exfiltration and Tunneling Tools Execution, WMIC Uninstall Product, MalwareBytes Uninstallation, Suspicious PrinterPorts Creation (CVE-2020-1048), Default Encoding To UTF-8 PowerShell, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Taskkill Command, Lazarus Loaders, PowerShell EncodedCommand, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username, Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution, Suspicious DLL Loading By Ordinal, MavInject Process Injection, Suspicious Taskkill Command, CertOC Loading Dll, Control Panel Items"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, WMIC Uninstall Product, MalwareBytes Uninstallation, Suspicious Taskkill Command, Lazarus Loaders"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key, Suspicious Netsh DLL Persistence, Control Panel Items, Change Default File Association"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Windows Firewall Changes, Netsh RDP Port Forwarding, NetSh Used To Disable Windows Firewall, Netsh Port Forwarding, Netsh Allowed Python Program"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Process Call Creation, WMIC Uninstall Product, Wmic Service Call, WMI Install Of Binary, Blue Mockingbird Malware"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Netsh Port Forwarding"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_16676d72-463e-4b8a-b13a-f8dd48cddc8c_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_16676d72-463e-4b8a-b13a-f8dd48cddc8c_do_not_edit_manually.json index 89779f257c..d450c7bec8 100644 --- a/_shared_content/operations_center/detection/generated/attack_16676d72-463e-4b8a-b13a-f8dd48cddc8c_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_16676d72-463e-4b8a-b13a-f8dd48cddc8c_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Cloudflare WAF events", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Cloudflare WAF events", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Bazar Loader DGA (Domain Generation Algorithm), SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_19cd2ed6-f90c-47f7-a46b-974354a107bb_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_19cd2ed6-f90c-47f7-a46b-974354a107bb_do_not_edit_manually.json index 0be43a01a7..8d12dbd905 100644 --- a/_shared_content/operations_center/detection/generated/attack_19cd2ed6-f90c-47f7-a46b-974354a107bb_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_19cd2ed6-f90c-47f7-a46b-974354a107bb_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Microsoft Entra ID / Azure AD", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1583", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Unfamiliar Features, Microsoft Entra ID (Azure AD) Threat Intelligence, Microsoft Entra ID (Azure AD) Token Issuer Anomaly, Microsoft Entra ID (Azure AD) Abnormal Token, Microsoft Entra ID (Azure AD) Suspicious IP, Microsoft Entra ID (Azure AD) Sign-in From Unlikely Country, Microsoft Entra ID (Azure AD) Suspicious Browser, Microsoft Entra ID (Azure AD) Password Spray, Microsoft Entra ID (Azure AD) Anonymous IP, Microsoft Entra ID (Azure AD) Malicious IP, Microsoft Entra ID (Azure AD) Suspicious Inbox Forwarding, Microsoft Entra ID (Azure AD) Leaked Credentials, Microsoft Entra ID (Azure AD) Impossible Travel"}, {"techniqueID": "T1584", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Unfamiliar Features, Microsoft Entra ID (Azure AD) Threat Intelligence, Microsoft Entra ID (Azure AD) Token Issuer Anomaly, Microsoft Entra ID (Azure AD) Abnormal Token, Microsoft Entra ID (Azure AD) Suspicious IP, Microsoft Entra ID (Azure AD) Sign-in From Unlikely Country, Microsoft Entra ID (Azure AD) Suspicious Browser, Microsoft Entra ID (Azure AD) Password Spray, Microsoft Entra ID (Azure AD) Anonymous IP, Microsoft Entra ID (Azure AD) Malicious IP, Microsoft Entra ID (Azure AD) Suspicious Inbox Forwarding, Microsoft Entra ID (Azure AD) Leaked Credentials, Microsoft Entra ID (Azure AD) Impossible Travel"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Domain Trust Modification"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Domain Trust Modification"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Self Service Password Reset In Failure"}, {"techniqueID": "T1078.004", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Device Code Authentication"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Device Code Authentication"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Microsoft Entra ID / Azure AD", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1583", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Impossible Travel, Microsoft Entra ID (Azure AD) Malicious IP, Microsoft Entra ID (Azure AD) Leaked Credentials, Microsoft Entra ID (Azure AD) Unfamiliar Features, Microsoft Entra ID (Azure AD) Suspicious Browser, Microsoft Entra ID (Azure AD) Token Issuer Anomaly, Microsoft Entra ID (Azure AD) Anonymous IP, Microsoft Entra ID (Azure AD) Password Spray, Microsoft Entra ID (Azure AD) Suspicious Inbox Forwarding, Microsoft Entra ID (Azure AD) Threat Intelligence, Microsoft Entra ID (Azure AD) Sign-in From Unlikely Country, Microsoft Entra ID (Azure AD) Suspicious IP, Microsoft Entra ID (Azure AD) Abnormal Token"}, {"techniqueID": "T1584", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Impossible Travel, Microsoft Entra ID (Azure AD) Malicious IP, Microsoft Entra ID (Azure AD) Leaked Credentials, Microsoft Entra ID (Azure AD) Unfamiliar Features, Microsoft Entra ID (Azure AD) Suspicious Browser, Microsoft Entra ID (Azure AD) Token Issuer Anomaly, Microsoft Entra ID (Azure AD) Anonymous IP, Microsoft Entra ID (Azure AD) Password Spray, Microsoft Entra ID (Azure AD) Suspicious Inbox Forwarding, Microsoft Entra ID (Azure AD) Threat Intelligence, Microsoft Entra ID (Azure AD) Sign-in From Unlikely Country, Microsoft Entra ID (Azure AD) Suspicious IP, Microsoft Entra ID (Azure AD) Abnormal Token"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Domain Trust Modification"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Domain Trust Modification"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Self Service Password Reset In Failure"}, {"techniqueID": "T1078.004", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Device Code Authentication"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Device Code Authentication"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_1d172ee6-cdc0-4713-9cfd-43f7d9595777_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_1d172ee6-cdc0-4713-9cfd-43f7d9595777_do_not_edit_manually.json index ce37b4d654..0c3fa16b8a 100644 --- a/_shared_content/operations_center/detection/generated/attack_1d172ee6-cdc0-4713-9cfd-43f7d9595777_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_1d172ee6-cdc0-4713-9cfd-43f7d9595777_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x CEF", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Koadic MSHTML Command, Nimbo-C2 User Agent, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension, Suspicious Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-21985 VMware vCenter, CVE-2018-11776 Apache Struts2, CVE-2019-0604 SharePoint, CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-26855 Exchange SSRF, CVE-2020-1147 SharePoint, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-21972 VMware vCenter, CVE-2020-17530 Apache Struts RCE"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Koadic MSHTML Command, Nimbo-C2 User Agent, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Creating Unusual Files, ProxyShell Exchange Suspicious Paths, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Creating Unusual Files, ProxyShell Exchange Suspicious Paths, Webshell Creation"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: SolarWinds Suspicious File Creation, PsExec Process"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File"}]} \ No newline at end of file +{"name": "SEKOIA.IO x CEF", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Exfiltration And Tunneling Tools Execution, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, Nimbo-C2 User Agent, SEKOIA.IO Intelligence Feed, Detect requests to Konni C2 servers"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension, Suspicious Double Extension, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-26855 Exchange SSRF, CVE-2019-0604 SharePoint, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-17530 Apache Struts RCE, CVE-2021-21972 VMware vCenter, CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv, CVE-2020-1147 SharePoint, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2018-11776 Apache Struts2, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-21985 VMware vCenter"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Exfiltration And Tunneling Tools Execution, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, Nimbo-C2 User Agent, Detect requests to Konni C2 servers"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Potential DNS Tunnel"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Creating Unusual Files, ProxyShell Exchange Suspicious Paths, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Creating Unusual Files, ProxyShell Exchange Suspicious Paths, Webshell Creation"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, WCE wceaux.dll Creation"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_20876735-c423-4bbc-9d19-67edc91fb063_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_20876735-c423-4bbc-9d19-67edc91fb063_do_not_edit_manually.json index 24367e0f39..7ee40ed3e1 100644 --- a/_shared_content/operations_center/detection/generated/attack_20876735-c423-4bbc-9d19-67edc91fb063_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_20876735-c423-4bbc-9d19-67edc91fb063_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x RSA SecurID", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Raccine Uninstall, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disable Using Registry, Disabled IE Security Features, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Restoration Abuse, WMIC Uninstall Product, Netsh RDP Port Forwarding, Netsh Port Forwarding, MalwareBytes Uninstallation, Debugging Software Deactivation, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Raccine Uninstall, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disable Using Registry, WMIC Uninstall Product, NetSh Used To Disable Windows Firewall, Debugging Software Deactivation, Windows Firewall Changes, Clear EventLogs Through CommandLine, ETW Tampering, Disabled IE Security Features, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh RDP Port Forwarding, Netsh Port Forwarding, MalwareBytes Uninstallation, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Allowed Python Program"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Process Memory Dump Using Comsvcs, Process Memory Dump Using Rdrleakdiag, Rubeus Tool Command-line, Process Trace Alteration, HackTools Suspicious Process Names In Command Line"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, DNS Exfiltration and Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, XCopy Suspicious Usage"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Non-Legitimate Executable Using AcceptEula Parameter"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious PowerShell Invocations - Specific, Suspicious Taskkill Command, PowerShell EncodedCommand, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious PowerShell Invocations - Specific, Suspicious Taskkill Command, PowerShell EncodedCommand, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Phorpiex DriveMgr Command, WMIC Uninstall Product, Lazarus Loaders, MalwareBytes Uninstallation, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username, Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CertOC Loading Dll, Suspicious Taskkill Command, Suspicious Windows Installer Execution, Control Panel Items, MavInject Process Injection, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Phorpiex DriveMgr Command, WMIC Uninstall Product, Lazarus Loaders, MalwareBytes Uninstallation"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Suspicious Scheduled Task Creation, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Suspicious Scheduled Task Creation, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key, Control Panel Items, Change Default File Association, Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh RDP Port Forwarding, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Windows Firewall Changes, Netsh Allowed Python Program"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Wmic Service Call, Wmic Process Call Creation, WMIC Uninstall Product, Blue Mockingbird Malware"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Netsh Port Forwarding, SOCKS Tunneling Tool"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading"}]} \ No newline at end of file +{"name": "SEKOIA.IO x RSA SecurID", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Debugging Software Deactivation, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, WMIC Uninstall Product, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, MalwareBytes Uninstallation, Netsh RDP Port Forwarding, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Restoration Abuse, Disabled IE Security Features, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh Port Forwarding, Raccine Uninstall, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Disable Using Registry, WMIC Uninstall Product, Address Space Layout Randomization (ASLR) Alteration, Suspicious Microsoft Defender Antivirus Exclusion Command, Debugging Software Deactivation, Windows Firewall Changes, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh RDP Port Forwarding, ETW Tampering, Disabled IE Security Features, Netsh Port Forwarding, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, MalwareBytes Uninstallation, Microsoft Defender Antivirus Restoration Abuse, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Raccine Uninstall, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Comsvcs, NTDS.dit File Interaction Through Command Line, Rubeus Tool Command-line, Process Memory Dump Using Rdrleakdiag, HackTools Suspicious Process Names In Command Line, Process Trace Alteration"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Python HTTP Server, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious PowerShell Invocations - Specific, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), Default Encoding To UTF-8 PowerShell, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Taskkill Command, PowerShell EncodedCommand, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious PowerShell Invocations - Specific, Phorpiex DriveMgr Command, DNS Exfiltration and Tunneling Tools Execution, WMIC Uninstall Product, MalwareBytes Uninstallation, Suspicious PrinterPorts Creation (CVE-2020-1048), Default Encoding To UTF-8 PowerShell, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Taskkill Command, Lazarus Loaders, PowerShell EncodedCommand, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username, Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution, Suspicious DLL Loading By Ordinal, MavInject Process Injection, Suspicious Taskkill Command, CertOC Loading Dll, Control Panel Items"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, WMIC Uninstall Product, MalwareBytes Uninstallation, Suspicious Taskkill Command, Lazarus Loaders"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Suspicious Scheduled Task Creation, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Suspicious Scheduled Task Creation, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key, Suspicious Netsh DLL Persistence, Control Panel Items, Change Default File Association"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Windows Firewall Changes, Netsh RDP Port Forwarding, NetSh Used To Disable Windows Firewall, Netsh Port Forwarding, Netsh Allowed Python Program"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Process Call Creation, WMIC Uninstall Product, Wmic Service Call, WMI Install Of Binary, Blue Mockingbird Malware"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Netsh Port Forwarding"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_22f2afd2-c858-443d-8e06-7b335e439c29_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_22f2afd2-c858-443d-8e06-7b335e439c29_do_not_edit_manually.json index 38435086d6..886e825abd 100644 --- a/_shared_content/operations_center/detection/generated/attack_22f2afd2-c858-443d-8e06-7b335e439c29_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_22f2afd2-c858-443d-8e06-7b335e439c29_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x CrowdStrike Falcon", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Suspicious desktop.ini Action, Kernel Module Alteration"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies, System Info Discovery"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: High Privileges Network Share Removal, ETW Tampering, Erase Shell History, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows, Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: CrowdStrike Falcon Intrusion Detection Informational Severity, Suspicious Taskkill Command, WMIC Uninstall Product, CrowdStrike Falcon Intrusion Detection Low Severity, Bloodhound and Sharphound Tools Usage, PowerShell Download From URL, QakBot Process Creation, Suspicious Outlook Child Process, SquirrelWaffle Malspam Execution Loading DLL, Trickbot Malware Activity, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious VBS Execution Parameter, PowerShell EncodedCommand, Suspicious Microsoft Defender Antivirus Exclusion Command, Phorpiex DriveMgr Command, Powershell Web Request, Lazarus Loaders, CrowdStrike Falcon Intrusion Detection Critical Severity, MalwareBytes Uninstallation, Mshta Suspicious Child Process, Sysprep On AppData Folder, Elise Backdoor, CrowdStrike Falcon Intrusion Detection Medium Severity, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious Windows Script Execution, Koadic Execution, AutoIt3 Execution From Suspicious Folder, XSL Script Processing And SquiblyTwo Attack, Suspicious Cmd.exe Command Line, DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Invocations - Specific, PowerShell Downgrade Attack, Python Offensive Tools and Packages, CrowdStrike Falcon Intrusion Detection High Severity, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Office Spawning Script, CrowdStrike Falcon Intrusion Detection, Default Encoding To UTF-8 PowerShell, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious PrinterPorts Creation (CVE-2020-1048)"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, Outlook Registry Access, Container Credential Access, XCopy Suspicious Usage"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Raccine Uninstall, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disable Using Registry, WMIC Uninstall Product, Debugging Software Deactivation, Netsh RDP Port Opening, Disabled IE Security Features, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh RDP Port Forwarding, Netsh Port Forwarding, MalwareBytes Uninstallation, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Program Allowed With Suspicious Location, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Fail2ban Unban IP, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Port Opening, Microsoft Defender Antivirus Signatures Removed With MpCmdRun"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Raccine Uninstall, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disable Using Registry, WMIC Uninstall Product, NetSh Used To Disable Windows Firewall, Debugging Software Deactivation, Windows Firewall Changes, Clear EventLogs Through CommandLine, ETW Tampering, Netsh RDP Port Opening, Netsh Allow Command, Disabled IE Security Features, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh RDP Port Forwarding, Netsh Port Forwarding, MalwareBytes Uninstallation, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Program Allowed With Suspicious Location, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Fail2ban Unban IP, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Port Opening, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Allowed Python Program"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Explorer Wrong Parent, Spoolsv Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, Searchindexer Wrong Parent, Taskhost Wrong Parent, Svchost Wrong Parent, Smss Wrong Parent, Taskhostw Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Searchprotocolhost Wrong Parent, MavInject Process Injection, Wsmprovhost Wrong Parent, Wmiprvse Wrong Parent"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, NTDS.dit File Interaction Through Command Line, Cmdkey Cached Credentials Recon, Process Memory Dump Using Comsvcs, Process Memory Dump Using Rdrleakdiag, Rubeus Tool Command-line, Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials, Process Trace Alteration, Copying Sensitive Files With Credential Data, HackTools Suspicious Process Names In Command Line"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, DNS Tunnel Technique From MuddyWater, Exfiltration And Tunneling Tools Execution, Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Outlook Child Process, SEKOIA.IO Intelligence Feed, Suspicious Double Extension, Suspicious HWP Child Process"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel, Ngrok Process Execution, Exfiltration And Tunneling Tools Execution, SOCKS Tunneling Tool, Netsh Port Forwarding"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Exploit For CVE-2015-1641, CrowdStrike Falcon Intrusion Detection Informational Severity, MS Office Product Spawning Exe in User Dir, Winword Document Droppers, Microsoft Office Product Spawning Windows Shell, CrowdStrike Falcon Intrusion Detection High Severity, CrowdStrike Falcon Intrusion Detection Medium Severity, Microsoft Office Spawning Script, CrowdStrike Falcon Intrusion Detection, CrowdStrike Falcon Intrusion Detection Low Severity, CrowdStrike Falcon Intrusion Detection Critical Severity, Suspicious Outlook Child Process, SquirrelWaffle Malspam Execution Loading DLL, Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Winlogon wrong parent, Dllhost Wrong Parent, CrowdStrike Falcon Intrusion Detection Informational Severity, Csrss Wrong Parent, Winword wrong parent, Rare Lsass Child Found, Csrss Child Found, CrowdStrike Falcon Intrusion Detection Low Severity, Searchprotocolhost Child Found, Windows Update LolBins, Taskhost or Taskhostw Suspicious Child Found, Taskhost Wrong Parent, Rare Logonui Child Found, CrowdStrike Falcon Intrusion Detection Critical Severity, Wsmprovhost Wrong Parent, Lsass Wrong Parent, Logonui Wrong Parent, CrowdStrike Falcon Intrusion Detection Medium Severity, SolarWinds Wrong Child Process, Suspicious DNS Child Process, Searchindexer Wrong Parent, Userinit Wrong Parent, Wininit Wrong Parent, Taskhostw Wrong Parent, SolarWinds Suspicious File Creation, PsExec Process, Wmiprvse Wrong Parent, Usage Of Procdump With Common Arguments, Spoolsv Wrong Parent, Winrshost Wrong Parent, CrowdStrike Falcon Intrusion Detection High Severity, CrowdStrike Falcon Intrusion Detection, Svchost Wrong Parent, Smss Wrong Parent, Suspicious Commands From MS SQL Server Shell, Searchprotocolhost Wrong Parent"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Exploit For CVE-2015-1641, MS Office Product Spawning Exe in User Dir, Winword Document Droppers, Microsoft Office Product Spawning Windows Shell, Microsoft Office Spawning Script, SquirrelWaffle Malspam Execution Loading DLL, Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious Taskkill Command, Exploited CVE-2020-10189 Zoho ManageEngine, Phorpiex DriveMgr Command, Koadic Execution, Suspicious Cmd.exe Command Line, WMIC Uninstall Product, Lazarus Loaders, MalwareBytes Uninstallation, SquirrelWaffle Malspam Execution Loading DLL, Elise Backdoor"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, Microsoft Office Spawning Script, Suspicious Windows Script Execution, Koadic Execution, XSL Script Processing And SquiblyTwo Attack, QakBot Process Creation, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: IcedID Execution Using Excel, PowerShell Execution Via Rundll32, Equation Group DLL_U Load, Empire Monkey Activity, Suspicious DLL Loading By Ordinal, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Suspicious Windows Installer Execution, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Regsvr32 Execution, PowerShell Execution Via Rundll32, Control Panel Items, MavInject Process Injection, Mshta JavaScript Execution, MOFComp Execution, AccCheckConsole Executing Dll, xWizard Execution, Empire Monkey Activity, Suspicious DLL Loading By Ordinal, CMSTP UAC Bypass via COM Object Access, CMSTP Execution, Suspicious Rundll32.exe Execution, Explorer Process Executing HTA File, IcedID Execution Using Excel, Suspicious Control Process, CertOC Loading Dll, Suspicious Mshta Execution, Equation Group DLL_U Load"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, XCopy Suspicious Usage, Adexplorer Usage"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh RDP Port Opening, Netsh Allow Command, Netsh Program Allowed With Suspicious Location, Netsh Port Opening, Netsh RDP Port Forwarding, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Windows Firewall Changes, Netsh Allowed Python Program"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Winlogon wrong parent, Dllhost Wrong Parent, Csrss Wrong Parent, Winword wrong parent, Rare Lsass Child Found, Csrss Child Found, Searchprotocolhost Child Found, Explorer Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Taskhost Wrong Parent, Rare Logonui Child Found, Wsmprovhost Wrong Parent, Lsass Wrong Parent, Logonui Wrong Parent, SolarWinds Wrong Child Process, Searchindexer Wrong Parent, Userinit Wrong Parent, New Service Creation, Wininit Wrong Parent, Taskhostw Wrong Parent, Wmiprvse Wrong Parent, Spoolsv Wrong Parent, Winrshost Wrong Parent, Svchost Wrong Parent, Smss Wrong Parent, Suspicious Commands From MS SQL Server Shell, Searchprotocolhost Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Winlogon wrong parent, Dllhost Wrong Parent, Csrss Wrong Parent, Winword wrong parent, Rare Lsass Child Found, Csrss Child Found, Searchprotocolhost Child Found, Explorer Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Taskhost Wrong Parent, Rare Logonui Child Found, Wsmprovhost Wrong Parent, Lsass Wrong Parent, Logonui Wrong Parent, SolarWinds Wrong Child Process, Searchindexer Wrong Parent, Userinit Wrong Parent, New Service Creation, Wininit Wrong Parent, Taskhostw Wrong Parent, Wmiprvse Wrong Parent, Spoolsv Wrong Parent, Winrshost Wrong Parent, Svchost Wrong Parent, Smss Wrong Parent, Suspicious Commands From MS SQL Server Shell, Searchprotocolhost Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Winlogon wrong parent, Dllhost Wrong Parent, Csrss Wrong Parent, Winword wrong parent, Rare Lsass Child Found, Csrss Child Found, Searchprotocolhost Child Found, Taskhost or Taskhostw Suspicious Child Found, Taskhost Wrong Parent, Rare Logonui Child Found, Wsmprovhost Wrong Parent, Lsass Wrong Parent, Logonui Wrong Parent, SolarWinds Wrong Child Process, Suspicious DNS Child Process, Searchindexer Wrong Parent, Userinit Wrong Parent, Wininit Wrong Parent, Taskhostw Wrong Parent, PsExec Process, Wmiprvse Wrong Parent, Usage Of Procdump With Common Arguments, Spoolsv Wrong Parent, Winrshost Wrong Parent, Svchost Wrong Parent, Smss Wrong Parent, Suspicious Commands From MS SQL Server Shell, Searchprotocolhost Wrong Parent"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious PowerShell Invocations - Specific, PowerShell Downgrade Attack, Suspicious Taskkill Command, PowerShell EncodedCommand, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Exploited CVE-2020-10189 Zoho ManageEngine, Powershell Web Request, Bloodhound and Sharphound Tools Usage, PowerShell Download From URL, Default Encoding To UTF-8 PowerShell, PowerShell Malicious Nishang PowerShell Commandlets, Mshta Suspicious Child Process, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Rclone Process, Suspicious Finger Usage, Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Exploit For CVE-2017-0261 Or CVE-2017-0262, Explorer Wrong Parent, RTLO Character, Phorpiex Process Masquerading, AutoIt3 Execution From Suspicious Folder, Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line, Formbook Hijacked Process Command, Non-Legitimate Executable Using AcceptEula Parameter"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Wmic Service Call, Wmic Process Call Creation, Impacket Wmiexec Module, WMIC Uninstall Product, XSL Script Processing And SquiblyTwo Attack, Suspicious Mshta Execution From Wmi, Blue Mockingbird Malware"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Koadic Execution, Suspicious Windows Script Execution"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Exploit For CVE-2017-0261 Or CVE-2017-0262, Explorer Wrong Parent, Formbook Hijacked Process Command"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: STRRAT Scheduled Task, Schtasks Suspicious Parent, Schtasks Persistence With High Privileges, Suspicious Scheduled Task Creation, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: STRRAT Scheduled Task, Schtasks Suspicious Parent, Schtasks Persistence With High Privileges, Suspicious Scheduled Task Creation, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Blue Mockingbird Malware"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious certutil command, Suspicious Mshta Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Inhibit System Recovery Deleting Backups, Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username, Suncrypt Parameters"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, Exchange Server Creating Unusual Files, PowerCat Function Loading, Webshell Execution W3WP Process"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, Webshell Execution W3WP Process, IIS Module Installation Using AppCmd, Exchange Server Creating Unusual Files, PowerCat Function Loading"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Suspicious Mshta Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Trickbot Malware Activity, NlTest Usage, AdFind Usage, Bloodhound and Sharphound Tools Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key, Control Panel Items, Change Default File Association, Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Exploit For CVE-2015-1641, Suspicious HWP Child Process"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious HWP Child Process"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Suspicious DNS Child Process, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access"}]} \ No newline at end of file +{"name": "SEKOIA.IO x CrowdStrike Falcon", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Suspicious desktop.ini Action, Kernel Module Alteration"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, System Info Discovery, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, High Privileges Network Share Removal, Erase Shell History, ETW Tampering, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, WiFi Credentials Harvesting Using Netsh, Capture a network trace with netsh.exe, Network Sniffing Windows"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: WMIC Uninstall Product, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious VBS Execution Parameter, Suspicious Taskkill Command, Powershell Web Request, Exploiting SetupComplete.cmd CVE-2019-1378, QakBot Process Creation, AutoIt3 Execution From Suspicious Folder, PowerShell Download From URL, PowerShell Malicious Nishang PowerShell Commandlets, CrowdStrike Falcon Intrusion Detection Critical Severity, CrowdStrike Falcon Intrusion Detection, Default Encoding To UTF-8 PowerShell, CrowdStrike Falcon Intrusion Detection Low Severity, Mshta Suspicious Child Process, Lazarus Loaders, PowerShell EncodedCommand, Microsoft Defender Antivirus Disabled Base64 Encoded, CrowdStrike Falcon Intrusion Detection Informational Severity, XSL Script Processing And SquiblyTwo Attack, Sysprep On AppData Folder, Trickbot Malware Activity, Koadic Execution, Microsoft Office Spawning Script, Suspicious PrinterPorts Creation (CVE-2020-1048), CrowdStrike Falcon Intrusion Detection High Severity, Suspicious Outlook Child Process, Elise Backdoor, Phorpiex DriveMgr Command, Suspicious PowerShell Invocations - Specific, Python Offensive Tools and Packages, DNS Exfiltration and Tunneling Tools Execution, Suspicious Windows Script Execution, PowerShell Downgrade Attack, CrowdStrike Falcon Intrusion Detection Medium Severity, MalwareBytes Uninstallation, Exploited CVE-2020-10189 Zoho ManageEngine, Bloodhound and Sharphound Tools Usage, Suspicious Cmd.exe Command Line, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Adexplorer Usage, Container Credential Access, Outlook Registry Access, Opening Of a Password File"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Using Registry, WMIC Uninstall Product, Address Space Layout Randomization (ASLR) Alteration, Suspicious Microsoft Defender Antivirus Exclusion Command, Debugging Software Deactivation, Fail2ban Unban IP, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh RDP Port Forwarding, Disabled IE Security Features, Netsh Port Forwarding, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh Port Opening, Microsoft Defender Antivirus Disable Scheduled Tasks, MalwareBytes Uninstallation, Microsoft Defender Antivirus Restoration Abuse, Netsh Program Allowed With Suspicious Location, Raccine Uninstall, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Disable Using Registry, WMIC Uninstall Product, Netsh Allow Command, Address Space Layout Randomization (ASLR) Alteration, Suspicious Microsoft Defender Antivirus Exclusion Command, Debugging Software Deactivation, Windows Firewall Changes, Fail2ban Unban IP, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh RDP Port Forwarding, ETW Tampering, Disabled IE Security Features, Netsh Port Forwarding, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh Port Opening, Microsoft Defender Antivirus Disable Scheduled Tasks, MalwareBytes Uninstallation, Microsoft Defender Antivirus Restoration Abuse, NetSh Used To Disable Windows Firewall, Netsh Program Allowed With Suspicious Location, Netsh Allowed Python Program, Raccine Uninstall, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Wmiprvse Wrong Parent, Smss Wrong Parent, Taskhost Wrong Parent, MavInject Process Injection, Searchindexer Wrong Parent, Taskhostw Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Svchost Wrong Parent, Explorer Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, Spoolsv Wrong Parent, Searchprotocolhost Wrong Parent, Wsmprovhost Wrong Parent"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Comsvcs, WCE wceaux.dll Creation, NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data, Rubeus Tool Command-line, Process Memory Dump Using Rdrleakdiag, HackTools Suspicious Process Names In Command Line, Process Trace Alteration, Copying Browser Files With Credentials, Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious HWP Child Process, SEKOIA.IO Intelligence Feed, Suspicious Outlook Child Process, Suspicious Double Extension"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Ngrok Process Execution, SOCKS Tunneling Tool, Netsh Port Forwarding, Potential DNS Tunnel"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: IcedID Execution Using Excel, CrowdStrike Falcon Intrusion Detection Informational Severity, Explorer Process Executing HTA File, Microsoft Office Product Spawning Windows Shell, CrowdStrike Falcon Intrusion Detection Medium Severity, Microsoft Office Spawning Script, Exploit For CVE-2015-1641, CrowdStrike Falcon Intrusion Detection Critical Severity, CrowdStrike Falcon Intrusion Detection, CrowdStrike Falcon Intrusion Detection High Severity, SquirrelWaffle Malspam Execution Loading DLL, MS Office Product Spawning Exe in User Dir, Winword Document Droppers, Suspicious Outlook Child Process, CrowdStrike Falcon Intrusion Detection Low Severity, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Wmiprvse Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Winlogon wrong parent, Userinit Wrong Parent, Suspicious Commands From MS SQL Server Shell, Spoolsv Wrong Parent, Dllhost Wrong Parent, Csrss Child Found, Csrss Wrong Parent, SolarWinds Suspicious File Creation, Wininit Wrong Parent, Winrshost Wrong Parent, Taskhostw Wrong Parent, Logonui Wrong Parent, CrowdStrike Falcon Intrusion Detection Critical Severity, CrowdStrike Falcon Intrusion Detection, CrowdStrike Falcon Intrusion Detection Low Severity, Winword wrong parent, CrowdStrike Falcon Intrusion Detection Informational Severity, Taskhost Wrong Parent, Searchindexer Wrong Parent, SolarWinds Wrong Child Process, Searchprotocolhost Child Found, Windows Update LolBins, CrowdStrike Falcon Intrusion Detection High Severity, Lsass Wrong Parent, Searchprotocolhost Wrong Parent, Wsmprovhost Wrong Parent, Smss Wrong Parent, PsExec Process, CrowdStrike Falcon Intrusion Detection Medium Severity, Rare Logonui Child Found, Rare Lsass Child Found, Svchost Wrong Parent, Usage Of Procdump With Common Arguments, Suspicious DNS Child Process"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Explorer Process Executing HTA File, Microsoft Office Product Spawning Windows Shell, Microsoft Office Spawning Script, Exploit For CVE-2015-1641, Winword Document Droppers, MS Office Product Spawning Exe in User Dir, SquirrelWaffle Malspam Execution Loading DLL, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Phorpiex DriveMgr Command, WMIC Uninstall Product, Koadic Execution, MalwareBytes Uninstallation, Exploited CVE-2020-10189 Zoho ManageEngine, SquirrelWaffle Malspam Execution Loading DLL, Lazarus Loaders, Elise Backdoor, Suspicious Taskkill Command, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, QakBot Process Creation, Suspicious Windows Script Execution, Koadic Execution, Microsoft Office Spawning Script, SquirrelWaffle Malspam Execution Loading DLL, Suspicious VBS Execution Parameter"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Empire Monkey Activity, PowerShell Execution Via Rundll32, Equation Group DLL_U Load, SquirrelWaffle Malspam Execution Loading DLL, Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Control Process, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Taskkill Command, CertOC Loading Dll, Empire Monkey Activity, Suspicious Windows Installer Execution, xWizard Execution, MavInject Process Injection, MOFComp Execution, Suspicious Mshta Execution, IcedID Execution Using Excel, AccCheckConsole Executing Dll, CMSTP UAC Bypass via COM Object Access, Equation Group DLL_U Load, Suspicious Rundll32.exe Execution, Suspicious Regsvr32 Execution, Explorer Process Executing HTA File, PowerShell Execution Via Rundll32, Suspicious DLL Loading By Ordinal, Mshta JavaScript Execution, CMSTP Execution, Control Panel Items"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, XCopy Suspicious Usage, Opening Of a Password File"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Windows Firewall Changes, Netsh Port Opening, Netsh RDP Port Forwarding, Netsh Allow Command, NetSh Used To Disable Windows Firewall, Netsh Program Allowed With Suspicious Location, Netsh Port Forwarding, Netsh Allowed Python Program, Netsh RDP Port Opening"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Wmiprvse Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Winlogon wrong parent, Userinit Wrong Parent, Spoolsv Wrong Parent, Dllhost Wrong Parent, Csrss Child Found, Csrss Wrong Parent, Wininit Wrong Parent, New Service Creation, Winrshost Wrong Parent, Taskhostw Wrong Parent, Logonui Wrong Parent, Winword wrong parent, Taskhost Wrong Parent, Searchindexer Wrong Parent, SolarWinds Wrong Child Process, Searchprotocolhost Child Found, Lsass Wrong Parent, Searchprotocolhost Wrong Parent, Wsmprovhost Wrong Parent, Smss Wrong Parent, Rare Logonui Child Found, Rare Lsass Child Found, Svchost Wrong Parent, Explorer Wrong Parent, Suspicious Commands From MS SQL Server Shell"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Wmiprvse Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Winlogon wrong parent, Userinit Wrong Parent, Spoolsv Wrong Parent, Dllhost Wrong Parent, Csrss Child Found, Csrss Wrong Parent, Wininit Wrong Parent, New Service Creation, Winrshost Wrong Parent, Taskhostw Wrong Parent, Logonui Wrong Parent, Winword wrong parent, Taskhost Wrong Parent, Searchindexer Wrong Parent, SolarWinds Wrong Child Process, Searchprotocolhost Child Found, Lsass Wrong Parent, Searchprotocolhost Wrong Parent, Wsmprovhost Wrong Parent, Smss Wrong Parent, Rare Logonui Child Found, Rare Lsass Child Found, Svchost Wrong Parent, Explorer Wrong Parent, Suspicious Commands From MS SQL Server Shell"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Wmiprvse Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Winlogon wrong parent, Userinit Wrong Parent, Spoolsv Wrong Parent, Dllhost Wrong Parent, Csrss Child Found, Csrss Wrong Parent, Wininit Wrong Parent, Winrshost Wrong Parent, Taskhostw Wrong Parent, Logonui Wrong Parent, Winword wrong parent, Usage Of Procdump With Common Arguments, Taskhost Wrong Parent, Searchindexer Wrong Parent, SolarWinds Wrong Child Process, Searchprotocolhost Child Found, Lsass Wrong Parent, Searchprotocolhost Wrong Parent, Wsmprovhost Wrong Parent, Smss Wrong Parent, PsExec Process, Rare Logonui Child Found, Rare Lsass Child Found, Svchost Wrong Parent, Suspicious Commands From MS SQL Server Shell, Suspicious DNS Child Process"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious PowerShell Invocations - Specific, DNS Exfiltration and Tunneling Tools Execution, PowerShell Downgrade Attack, PowerShell Download From URL, PowerShell Malicious Nishang PowerShell Commandlets, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious PrinterPorts Creation (CVE-2020-1048), Default Encoding To UTF-8 PowerShell, Suspicious Microsoft Defender Antivirus Exclusion Command, Bloodhound and Sharphound Tools Usage, Mshta Suspicious Child Process, Suspicious Taskkill Command, PowerShell EncodedCommand, Powershell Web Request, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Suspicious Finger Usage, Suspicious certutil command, Rclone Process"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, AutoIt3 Execution From Suspicious Folder, Exploit For CVE-2017-0261 Or CVE-2017-0262, Formbook Hijacked Process Command, RTLO Character, Explorer Wrong Parent, Suspicious Cmd.exe Command Line, Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Wmic Process Call Creation, WMIC Uninstall Product, Wmic Service Call, WMI Install Of Binary, Impacket Wmiexec Module, Blue Mockingbird Malware, Suspicious Mshta Execution From Wmi"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Koadic Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Explorer Wrong Parent, Formbook Hijacked Process Command, Phorpiex Process Masquerading, Exploit For CVE-2017-0261 Or CVE-2017-0262"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Suspicious Scheduled Task Creation, Schtasks Suspicious Parent, Qakbot Persistence Using Schtasks, STRRAT Scheduled Task, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Suspicious Scheduled Task Creation, Schtasks Suspicious Parent, Qakbot Persistence Using Schtasks, STRRAT Scheduled Task, BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious certutil command, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Mshta Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups, Suncrypt Parameters"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username, Suncrypt Parameters"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Execution W3WP Process, Exchange Server Spawning Suspicious Processes, Exchange Server Creating Unusual Files, PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: IIS Module Installation Using AppCmd, PowerCat Function Loading, Webshell Execution W3WP Process, Exchange Server Spawning Suspicious Processes, Exchange Server Creating Unusual Files"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Suspicious Taskkill Command, Explorer Process Executing HTA File, Suspicious Mshta Execution"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, Trickbot Malware Activity, NlTest Usage, Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key, Suspicious Netsh DLL Persistence, Control Panel Items, Change Default File Association"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain In Command Line, Rclone Process"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Suspicious HWP Child Process, Exploit For CVE-2015-1641"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious HWP Child Process, Suspicious Double Extension"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious DNS Child Process"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_23b75d0c-2026-4d3e-b916-636c27ba4931_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_23b75d0c-2026-4d3e-b916-636c27ba4931_do_not_edit_manually.json index 6894e52b58..d0e81cbbd3 100644 --- a/_shared_content/operations_center/detection/generated/attack_23b75d0c-2026-4d3e-b916-636c27ba4931_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_23b75d0c-2026-4d3e-b916-636c27ba4931_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Cisco Secure Web Appliance", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, LokiBot Default C2 URL, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Koadic MSHTML Command, Nimbo-C2 User Agent, Cobalt Strike HTTP Default POST Beaconing, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Cobalt Strike HTTP Default GET beaconing"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2018-11776 Apache Struts2, CVE-2020-14882 Oracle WebLogic Server, GitLab CVE-2021-22205, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-21985 VMware vCenter, CVE-2019-0604 SharePoint, CVE-2018-13379 Fortinet Exploit, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-26855 Exchange SSRF, CVE-2021-21972 VMware vCenter, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-17530 Apache Struts RCE, CVE-2019-11510 Pulse Secure Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-43798 Grafana Directory Traversal, CVE-2020-1147 SharePoint, CVE-2021-22123 Fortinet FortiWeb OS Command Injection"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: LokiBot Default C2 URL, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Koadic MSHTML Command, Nimbo-C2 User Agent, Cobalt Strike HTTP Default POST Beaconing, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Cobalt Strike HTTP Default GET beaconing"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Cisco Secure Web Appliance", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Koadic MSHTML Command, LokiBot Default C2 URL, FoggyWeb HTTP Default GET/POST Requests, Nimbo-C2 User Agent, Cobalt Strike HTTP Default GET beaconing, SEKOIA.IO Intelligence Feed, Cobalt Strike HTTP Default POST Beaconing, Detect requests to Konni C2 servers"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-26855 Exchange SSRF, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2018-13379 Fortinet Exploit, CVE-2021-21985 VMware vCenter, GitLab CVE-2021-22205, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2019-0604 SharePoint, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2019-11510 Pulse Secure Exploit, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2021-21972 VMware vCenter, CVE-2020-1147 SharePoint, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2018-11776 Apache Struts2, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Koadic MSHTML Command, LokiBot Default C2 URL, FoggyWeb HTTP Default GET/POST Requests, Nimbo-C2 User Agent, Cobalt Strike HTTP Default GET beaconing, Cobalt Strike HTTP Default POST Beaconing, Detect requests to Konni C2 servers"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_250e4095-fa08-4101-bb02-e72f870fcbd1_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_250e4095-fa08-4101-bb02-e72f870fcbd1_do_not_edit_manually.json index 1e7e490aa2..d71ca202e4 100644 --- a/_shared_content/operations_center/detection/generated/attack_250e4095-fa08-4101-bb02-e72f870fcbd1_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_250e4095-fa08-4101-bb02-e72f870fcbd1_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Sekoia.io Endpoint Agent", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Ryuk Ransomware Persistence Registry Key, Security Support Provider (SSP) Added to LSA Configuration, Kernel Module Alteration, Registry Key Used By Some Old Agent Tesla Samples, Leviathan Registry Key Activity, Autorun Keys Modification, NjRat Registry Changes, Malware Persistence Registry Key, Powershell Winlogon Helper DLL, RUN Registry Key Created From Suspicious Folder, Narrator Feedback-Hub Persistence, DLL Load via LSASS Registry Key, Suspicious desktop.ini Action"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, List Shadow Copies, System Info Discovery"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows, Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Ngrok Process Execution, Venom Multi-hop Proxy agent detection, SOCKS Tunneling Tool, SSH Tunnel Traffic, Netsh Port Forwarding, SSH X11 Forwarding"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 1, Network Scanning and Discovery, PowerView commandlets 2"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Suspicious DNS Child Process, GitLab CVE-2021-22205, Exploited CVE-2020-10189 Zoho ManageEngine, Failed Logon Source From Public IP Addresses, CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, Chafer (APT 39) Activity, Sliver DNS Beaconing, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, Exfiltration And Tunneling Tools Execution, Chafer (APT 39) Activity, Suspicious Windows DNS Queries, Suspicious LDAP-Attributes Used, Sliver DNS Beaconing, Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Outlook Child Process, Suspicious Double Extension, Cisco Umbrella Threat Detected, Suspicious HWP Child Process"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Exploit For CVE-2015-1641, SquirrelWaffle Malspam Execution Loading DLL, Winword Document Droppers, HarfangLab EDR Low Level Rule Detection, Suspicious DLL Loaded Via Office Applications, HarfangLab EDR Medium Level Rule Detection, MS Office Product Spawning Exe in User Dir, Microsoft Office Product Spawning Windows Shell, HarfangLab EDR Hlai Engine Detection, Malspam Execution Registering Malicious DLL, HarfangLab EDR High Level Rule Detection, Explorer Process Executing HTA File, IcedID Execution Using Excel, HarfangLab EDR Suspicious Process Behavior Has Been Detected, HarfangLab EDR Process Execution Blocked, Microsoft Office Creating Suspicious File, Microsoft Office Spawning Script, HarfangLab EDR Critical Level Rule Detection, Sysmon Windows File Block Executable, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Exploit For CVE-2015-1641, Suspicious Outlook Child Process, SquirrelWaffle Malspam Execution Loading DLL, Winword Document Droppers, HarfangLab EDR Low Level Rule Detection, Suspicious DLL Loaded Via Office Applications, HarfangLab EDR Medium Level Rule Detection, MS Office Product Spawning Exe in User Dir, Microsoft Office Product Spawning Windows Shell, HarfangLab EDR Hlai Engine Detection, Microsoft Defender Antivirus Threat Detected, Malspam Execution Registering Malicious DLL, HarfangLab EDR High Level Rule Detection, Explorer Process Executing HTA File, IcedID Execution Using Excel, HarfangLab EDR Suspicious Process Behavior Has Been Detected, HarfangLab EDR Process Execution Blocked, Microsoft Office Creating Suspicious File, Microsoft Office Spawning Script, HarfangLab EDR Critical Level Rule Detection, Sysmon Windows File Block Executable, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Credential Dumping-Tools Common Named Pipes, Cmdkey Cached Credentials Recon, Impacket Secretsdump.py Tool, Active Directory Replication from Non Machine Account, Password Dumper Activity On LSASS, RedMimicry Winnti Playbook Dropped File, SAM Registry Hive Handle Request, Lsass Access Through WinRM, WCE wceaux.dll Creation, Process Memory Dump Using Rdrleakdiag, Mimikatz LSASS Memory Access, Mimikatz Basic Commands, NTDS.dit File In Suspicious Directory, Unsigned Image Loaded Into LSASS Process, NTDS.dit File Interaction Through Command Line, Wdigest Enable UseLogonCredential, Cred Dump Tools Dropped Files, DPAPI Domain Backup Key Extraction, Rubeus Tool Command-line, Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials, Windows Credential Editor Registry Key, Credential Dumping Tools Service Execution, Suspicious SAM Dump, Process Memory Dump Using Createdump, Dumpert LSASS Process Dumper, HackTools Suspicious Names, NetNTLM Downgrade Attack, Copying Sensitive Files With Credential Data, HackTools Suspicious Process Names In Command Line, Load Of dbghelp/dbgcore DLL From Suspicious Process, Process Memory Dump Using Comsvcs, LSASS Memory Dump, Transfering Files With Credential Data Via Network Shares, Malicious Service Installations, DCSync Attack, Credential Dumping By LaZagne, Active Directory Database Dump Via Ntdsutil, LSASS Access From Non System Account, LSASS Memory Dump File Creation"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: User Couldn't Call A Privileged Service LsaRegisterLogonProcess, Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: User Couldn't Call A Privileged Service LsaRegisterLogonProcess, Rubeus Tool Command-line, Possible Replay Attack, Rubeus Register New Logon Process, Suspicious Outbound Kerberos Connection"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host, Successful Overpass The Hash Attempt, Abusing Azure Browser SSO, Rubeus Tool Command-line"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Mimikatz Basic Commands, Password Change On Directory Service Restore Mode (DSRM) Account, Active Directory User Backdoors, User Added to Local Administrators, Privileged AD Builtin Group Modified, Active Directory Replication User Backdoor, Active Directory Delegate To KRBTGT Service, SeEnableDelagationPrivilege Granted To User Or Machine In Active Directory"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious Taskkill Command, Exploited CVE-2020-10189 Zoho ManageEngine, Phorpiex DriveMgr Command, Koadic Execution, Suspicious Cmd.exe Command Line, WMIC Uninstall Product, Lazarus Loaders, Malspam Execution Registering Malicious DLL, MalwareBytes Uninstallation, Mustang Panda Dropper, SquirrelWaffle Malspam Execution Loading DLL, Elise Backdoor"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: PowerShell - NTFS Alternate Data Stream, Suspicious Taskkill Command, In-memory PowerShell, WMIC Uninstall Product, Bloodhound and Sharphound Tools Usage, PowerShell Download From URL, Suspicious PowerShell Keywords, QakBot Process Creation, Suspicious Outlook Child Process, SquirrelWaffle Malspam Execution Loading DLL, WMI DLL Loaded Via Office, Trickbot Malware Activity, Exploiting SetupComplete.cmd CVE-2019-1378, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, Suspicious VBS Execution Parameter, Suspicious DLL Loaded Via Office Applications, PowerShell EncodedCommand, Suspicious Microsoft Defender Antivirus Exclusion Command, Phorpiex DriveMgr Command, Powershell Web Request, FromBase64String Command Line, Lazarus Loaders, Turla Named Pipes, MalwareBytes Uninstallation, Mshta Suspicious Child Process, Detection of default Mimikatz banner, Elise Backdoor, Suspicious XOR Encoded PowerShell Command Line, Sysprep On AppData Folder, PowerShell Credential Prompt, Venom Multi-hop Proxy agent detection, PowerShell Malicious PowerShell Commandlets, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious Windows Script Execution, Koadic Execution, AutoIt3 Execution From Suspicious Folder, XSL Script Processing And SquiblyTwo Attack, Microsoft Defender Antivirus Threat Detected, Malspam Execution Registering Malicious DLL, Suspicious Cmd.exe Command Line, Invoke-TheHash Commandlets, DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Invocations - Generic, Malicious PowerShell Keywords, Suspicious PowerShell Invocations - Specific, PowerShell Downgrade Attack, PowerShell Invoke Expression With Registry, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Office Creating Suspicious File, Microsoft Office Spawning Script, Mustang Panda Dropper, Suspicious Scripting In A WMI Consumer, PowerShell Malicious Nishang PowerShell Commandlets, Default Encoding To UTF-8 PowerShell, WMImplant Hack Tool, Suspicious PrinterPorts Creation (CVE-2020-1048), Alternate PowerShell Hosts Pipe"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, Suspicious DLL Loaded Via Office Applications, Microsoft Office Creating Suspicious File, Microsoft Office Spawning Script, Suspicious Windows Script Execution, Koadic Execution, XSL Script Processing And SquiblyTwo Attack, Malspam Execution Registering Malicious DLL, QakBot Process Creation, SquirrelWaffle Malspam Execution Loading DLL, WMI DLL Loaded Via Office"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: IcedID Execution Using Excel, PowerShell Execution Via Rundll32, Equation Group DLL_U Load, Malspam Execution Registering Malicious DLL, Empire Monkey Activity, Suspicious DLL Loading By Ordinal, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Suspicious Windows Installer Execution, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Desktopimgdownldr Execution, Suspicious Regsvr32 Execution, PowerShell Execution Via Rundll32, Control Panel Items, MavInject Process Injection, Mshta JavaScript Execution, xWizard Execution, MOFComp Execution, AccCheckConsole Executing Dll, Malspam Execution Registering Malicious DLL, Empire Monkey Activity, Suspicious DLL Loading By Ordinal, CMSTP UAC Bypass via COM Object Access, CMSTP Execution, Suspicious Rundll32.exe Execution, Dynwrapx Module Loading, Explorer Process Executing HTA File, IcedID Execution Using Excel, Suspicious Control Process, CertOC Loading Dll, Suspicious Mshta Execution, Equation Group DLL_U Load"}, {"techniqueID": "T1003.006", "score": 100, "comment": "Rules: Credential Dumping Tools Service Execution, DCSync Attack, Active Directory Replication from Non Machine Account"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dumping-Tools Common Named Pipes, Cred Dump Tools Dropped Files, Impacket Secretsdump.py Tool, RedMimicry Winnti Playbook Dropped File, Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials, Credential Dumping Tools Service Execution, Suspicious SAM Dump, Copying Sensitive Files With Credential Data, SAM Registry Hive Handle Request"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, XCopy Suspicious Usage, Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Opening Of a Password File, Remote Registry Management Using Reg Utility, Adexplorer Usage, Outlook Registry Access, XCopy Suspicious Usage"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh RDP Port Opening, Netsh Allow Command, Python Opening Ports, Powershell AMSI Bypass, Netsh Program Allowed With Suspicious Location, Netsh Port Opening, Netsh RDP Port Forwarding, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Windows Firewall Changes, Netsh Allowed Python Program"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Raccine Uninstall, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Exclusion Configuration, Microsoft Defender Antivirus Disable SecurityHealth, Disable .NET ETW Through COMPlus_ETWEnabled, WMIC Uninstall Product, Windows Defender Deactivation Using PowerShell Script, NetSh Used To Disable Windows Firewall, Suspect Svchost Memory Access, Debugging Software Deactivation, Windows Firewall Changes, Clear EventLogs Through CommandLine, ETW Tampering, Netsh RDP Port Opening, Netsh Allow Command, Disabled IE Security Features, Suspicious Microsoft Defender Antivirus Exclusion Command, Powershell AMSI Bypass, Netsh RDP Port Forwarding, Netsh Port Forwarding, Microsoft Defender Antivirus Configuration Changed, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disable Scheduled Tasks, Python Opening Ports, Disable Windows Defender Credential Guard, Suspicious Driver Loaded, Netsh Program Allowed With Suspicious Location, Microsoft Defender Antivirus Disable Services, Microsoft Defender Antivirus Tampering Detected, Ryuk Ransomware Command Line, NetNTLM Downgrade Attack, TrustedInstaller Impersonation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Malware Protection Engine Crash, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disable Security Events Logging Adding Reg Key MiniNt, Netsh Port Opening, Suspicious PROCEXP152.sys File Created In Tmp, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Allowed Python Program"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Raccine Uninstall, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Exclusion Configuration, Microsoft Defender Antivirus Disable SecurityHealth, WMIC Uninstall Product, Windows Defender Deactivation Using PowerShell Script, Debugging Software Deactivation, Netsh RDP Port Opening, Disabled IE Security Features, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh RDP Port Forwarding, Netsh Port Forwarding, Microsoft Defender Antivirus Configuration Changed, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disable Scheduled Tasks, Disable Windows Defender Credential Guard, Suspicious Driver Loaded, Netsh Program Allowed With Suspicious Location, Microsoft Defender Antivirus Disable Services, Ryuk Ransomware Command Line, NetNTLM Downgrade Attack, TrustedInstaller Impersonation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Malware Protection Engine Crash, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Port Opening, Suspicious PROCEXP152.sys File Created In Tmp, Microsoft Defender Antivirus Signatures Removed With MpCmdRun"}, {"techniqueID": "T1210", "score": 100, "comment": "Rules: CVE-2019-0708 Scan, Registry Checked For Lanmanserver DisableCompression Parameter, Audit CVE Event"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious New Printer Ports In Registry, Certify Or Certipy, Audit CVE Event"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Explorer Wrong Parent, Spoolsv Wrong Parent, Cobalt Strike Named Pipes, Suspicious Process Requiring DLL Starts Without DLL, Searchindexer Wrong Parent, Taskhost Wrong Parent, Malicious Named Pipe, Dynwrapx Module Loading, Process Herpaderping, Svchost Wrong Parent, Smss Wrong Parent, Taskhostw Wrong Parent, Searchprotocolhost Wrong Parent, MavInject Process Injection, Wsmprovhost Wrong Parent, Process Hollowing Detection, CreateRemoteThread Common Process Injection, Wmiprvse Wrong Parent"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Winlogon wrong parent, Dllhost Wrong Parent, Csrss Wrong Parent, Winword wrong parent, Rare Lsass Child Found, APT29 Fake Google Update Service Install, Csrss Child Found, Gpscript Suspicious Parent, Searchprotocolhost Child Found, StoneDrill Service Install, Explorer Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Taskhost Wrong Parent, Rare Logonui Child Found, Wsmprovhost Wrong Parent, Lsass Wrong Parent, Logonui Wrong Parent, Cobalt Strike Default Service Creation Usage, WMI Persistence Command Line Event Consumer, Chafer (APT 39) Activity, SolarWinds Wrong Child Process, Searchindexer Wrong Parent, Userinit Wrong Parent, New Service Creation, Wininit Wrong Parent, Taskhostw Wrong Parent, Wmiprvse Wrong Parent, Spoolsv Wrong Parent, Winrshost Wrong Parent, Malicious Service Installations, Svchost Wrong Parent, Smss Wrong Parent, Suspicious Commands From MS SQL Server Shell, Searchprotocolhost Wrong Parent, OneNote Suspicious Children Process"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Winlogon wrong parent, Dllhost Wrong Parent, Csrss Wrong Parent, Winword wrong parent, Rare Lsass Child Found, APT29 Fake Google Update Service Install, Csrss Child Found, Gpscript Suspicious Parent, Searchprotocolhost Child Found, StoneDrill Service Install, Explorer Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Taskhost Wrong Parent, Rare Logonui Child Found, Wsmprovhost Wrong Parent, Lsass Wrong Parent, Logonui Wrong Parent, Cobalt Strike Default Service Creation Usage, WMI Persistence Command Line Event Consumer, Chafer (APT 39) Activity, SolarWinds Wrong Child Process, Searchindexer Wrong Parent, Userinit Wrong Parent, New Service Creation, Wininit Wrong Parent, Taskhostw Wrong Parent, Wmiprvse Wrong Parent, Spoolsv Wrong Parent, Winrshost Wrong Parent, Malicious Service Installations, Svchost Wrong Parent, Smss Wrong Parent, Suspicious Commands From MS SQL Server Shell, Searchprotocolhost Wrong Parent, OneNote Suspicious Children Process"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Winlogon wrong parent, Dllhost Wrong Parent, Csrss Wrong Parent, Winword wrong parent, Smbexec.py Service Installation, Rare Lsass Child Found, Csrss Child Found, Gpscript Suspicious Parent, Searchprotocolhost Child Found, Metasploit PSExec Service Creation, Usage Of Sysinternals Tools, Taskhost or Taskhostw Suspicious Child Found, Taskhost Wrong Parent, Rare Logonui Child Found, Wsmprovhost Wrong Parent, Lsass Wrong Parent, Logonui Wrong Parent, WMI Persistence Command Line Event Consumer, SolarWinds Wrong Child Process, Suspicious DNS Child Process, Searchindexer Wrong Parent, Userinit Wrong Parent, Wininit Wrong Parent, Credential Dumping Tools Service Execution, Taskhostw Wrong Parent, PsExec Process, Wmiprvse Wrong Parent, Usage Of Procdump With Common Arguments, Spoolsv Wrong Parent, Winrshost Wrong Parent, Suspicious PsExec Execution, Malicious Service Installations, Svchost Wrong Parent, Smss Wrong Parent, Suspicious Commands From MS SQL Server Shell, Searchprotocolhost Wrong Parent, OneNote Suspicious Children Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Winlogon wrong parent, Dllhost Wrong Parent, Csrss Wrong Parent, Winword wrong parent, Smbexec.py Service Installation, Rare Lsass Child Found, Csrss Child Found, Gpscript Suspicious Parent, Searchprotocolhost Child Found, Windows Update LolBins, Metasploit PSExec Service Creation, Usage Of Sysinternals Tools, Taskhost or Taskhostw Suspicious Child Found, Taskhost Wrong Parent, Rare Logonui Child Found, Wsmprovhost Wrong Parent, Lsass Wrong Parent, Logonui Wrong Parent, WMI Persistence Command Line Event Consumer, SolarWinds Wrong Child Process, Suspicious DNS Child Process, Searchindexer Wrong Parent, Userinit Wrong Parent, Wininit Wrong Parent, Credential Dumping Tools Service Execution, Taskhostw Wrong Parent, Microsoft Defender Antivirus Threat Detected, SolarWinds Suspicious File Creation, PsExec Process, Wmiprvse Wrong Parent, Usage Of Procdump With Common Arguments, Spoolsv Wrong Parent, Winrshost Wrong Parent, Suspicious PsExec Execution, Malicious Service Installations, Svchost Wrong Parent, Smss Wrong Parent, Suspicious Commands From MS SQL Server Shell, Searchprotocolhost Wrong Parent, OneNote Suspicious Children Process"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool, Suspicious LDAP-Attributes Used"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool, Suspicious LDAP-Attributes Used"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dumping-Tools Common Named Pipes, Unsigned Image Loaded Into LSASS Process, LSASS Memory Dump, Cred Dump Tools Dropped Files, Process Memory Dump Using Rdrleakdiag, Password Dumper Activity On LSASS, Mimikatz LSASS Memory Access, Load Of dbghelp/dbgcore DLL From Suspicious Process, Credential Dumping Tools Service Execution, Windows Credential Editor Registry Key, Process Memory Dump Using Createdump, Dumpert LSASS Process Dumper, Credential Dumping By LaZagne, LSASS Access From Non System Account, LSASS Memory Dump File Creation, Lsass Access Through WinRM"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Microsoft Office Startup Add-In, Office Application Startup Office Test"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell - NTFS Alternate Data Stream, Suspicious Taskkill Command, In-memory PowerShell, Bloodhound and Sharphound Tools Usage, PowerShell Download From URL, Suspicious PowerShell Keywords, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, PowerShell EncodedCommand, Suspicious Microsoft Defender Antivirus Exclusion Command, Powershell Web Request, FromBase64String Command Line, Turla Named Pipes, Mshta Suspicious Child Process, Detection of default Mimikatz banner, Suspicious XOR Encoded PowerShell Command Line, PowerShell Credential Prompt, PowerShell Malicious PowerShell Commandlets, Exploited CVE-2020-10189 Zoho ManageEngine, Invoke-TheHash Commandlets, DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Invocations - Generic, Malicious PowerShell Keywords, Suspicious PowerShell Invocations - Specific, PowerShell Downgrade Attack, PowerShell Invoke Expression With Registry, Microsoft Defender Antivirus Disabled Base64 Encoded, Default Encoding To UTF-8 PowerShell, PowerShell Malicious Nishang PowerShell Commandlets, WMImplant Hack Tool, Suspicious PrinterPorts Creation (CVE-2020-1048), Alternate PowerShell Hosts Pipe"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Secure Deletion With SDelete"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: High Privileges Network Share Removal, ETW Tampering, Secure Deletion With SDelete, Eventlog Cleared, Microsoft Defender Antivirus History Deleted, Microsoft Defender Antivirus History Directory Deleted, Microsoft Defender Antivirus Tampering Detected, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1027.005", "score": 100, "comment": "Rules: Secure Deletion With SDelete"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: Secure Deletion With SDelete, OneNote Embedded File, PowerShell EncodedCommand, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, Suspicious XOR Encoded PowerShell Command Line"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Backup Catalog Deleted, Secure Deletion With SDelete, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution, Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command, Rclone Process, Suspicious Finger Usage, Pandemic Windows Implant, Network Connection Via Certutil"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: PowerShell - NTFS Alternate Data Stream, Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Remote Privileged Group Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: PowerView commandlets 1, AD User Enumeration, AD Privileged Users Or Groups Reconnaissance, Phosphorus (APT35) Exchange Discovery, Bloodhound and Sharphound Tools Usage, Remote Privileged Group Enumeration, PowerView commandlets 2"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line, Cred Dump Tools Dropped Files, Impacket Secretsdump.py Tool, Active Directory Database Dump Via Ntdsutil, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Exploit For CVE-2017-0261 Or CVE-2017-0262, Explorer Wrong Parent, Formbook Hijacked Process Command, Execution From Suspicious Folder, RTLO Character, Phorpiex Process Masquerading, AutoIt3 Execution From Suspicious Folder, Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line, Legitimate Process Execution From Unusual Folder, New Or Renamed User Account With '$' In Attribute 'SamAccountName', Copy Of Legitimate System32 Executable, Non-Legitimate Executable Using AcceptEula Parameter"}, {"techniqueID": "T1021.002", "score": 100, "comment": "Rules: Cobalt Strike Default Service Creation Usage, Remote Service Activity Via SVCCTL Named Pipe, Lateral Movement - Remote Named Pipe, Smbexec.py Service Installation, Protected Storage Service Access, Admin Share Access"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: Cobalt Strike Default Service Creation Usage, MMC20 Lateral Movement, Remote Service Activity Via SVCCTL Named Pipe, Lateral Movement - Remote Named Pipe, Smbexec.py Service Installation, RDP Login From Localhost, MMC Spawning Windows Shell, Denied Access To Remote Desktop, RDP Port Change Using Powershell, Protected Storage Service Access, Admin Share Access, Lsass Access Through WinRM"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host, Successful Overpass The Hash Attempt"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Blue Mockingbird Malware, WMI Install Of Binary, Wmic Service Call, Wmic Process Call Creation, Impacket Wmiexec Module, WMIC Uninstall Product, XSL Script Processing And SquiblyTwo Attack, Suspicious Mshta Execution From Wmi, WMImplant Hack Tool, Invoke-TheHash Commandlets, WMI DLL Loaded Via Office"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Exploit For CVE-2015-1641, Suspicious HWP Child Process, Antivirus Password Dumper Detection, Audit CVE Event, Antivirus Relevant File Paths Alerts, Antivirus Exploitation Framework Detection, Suspicious New Printer Ports In Registry, Msdt (Follina) File Browse Process Execution"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Antivirus Relevant File Paths Alerts, Antivirus Exploitation Framework Detection, Remote Monitoring and Management Software - AnyDesk, Antivirus Password Dumper Detection"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, Werfault DLL Injection, DHCP Server Error Failed Loading the CallOut DLL, Suspicious DLL side loading from ProgramData, DHCP Server Loaded the CallOut DLL, DHCP Callout DLL Installation, DNS Server Error Failed Loading The ServerLevelPluginDLL, Svchost DLL Search Order Hijack"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, DNS ServerLevelPluginDll Installation, Werfault DLL Injection, Hijack Legit RDP Session To Move Laterally, DHCP Server Error Failed Loading the CallOut DLL, Suspicious DLL side loading from ProgramData, DHCP Server Loaded the CallOut DLL, DHCP Callout DLL Installation, DNS Server Error Failed Loading The ServerLevelPluginDLL, Svchost DLL Search Order Hijack, Windows Registry Persistence COM Search Order Hijacking"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: WMIC Loading Scripting Libraries, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Koadic Execution, Suspicious Windows Script Execution"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line, RDP Port Change Using Powershell"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution, DNS ServerLevelPluginDll Installation, Ursnif Registry Key, RedMimicry Winnti Playbook Registry Manipulation, FlowCloud Malware, Chafer (APT 39) Activity, Remote Registry Management Using Reg Utility, Wdigest Enable UseLogonCredential, Disable Workstation Lock, Disable .NET ETW Through COMPlus_ETWEnabled, Disable Security Events Logging Adding Reg Key MiniNt, OceanLotus Registry Activity, RDP Port Change Using Powershell, Suspicious New Printer Ports In Registry, DHCP Callout DLL Installation, NetNTLM Downgrade Attack, Blue Mockingbird Malware, RDP Sensitive Settings Changed"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: Dynwrapx Module Loading, CreateRemoteThread Common Process Injection, MavInject Process Injection"}, {"techniqueID": "T1055.012", "score": 100, "comment": "Rules: Process Hollowing Detection"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Tampering - Suspicious Failed Logon Reasons, User Added to Local Administrators, Denied Access To Remote Desktop, Account Removed From A Security Enabled Group, Admin User RDP Remote Logon, Failed Logon Source From Public IP Addresses"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Exploit For CVE-2017-0261 Or CVE-2017-0262, Explorer Wrong Parent, Phorpiex Process Masquerading, Legitimate Process Execution From Unusual Folder, Formbook Hijacked Process Command"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: Suspicious Scripting In A WMI Consumer, WMI Event Subscription, WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write, Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys, New DLL Added To AppCertDlls Registry Key, Control Panel Items, WMI Event Subscription, Suspicious Scripting In A WMI Consumer, Suspicious Netsh DLL Persistence, Sticky Key Like Backdoor Usage, Change Default File Association"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, Microsoft Defender Antivirus History Deleted, Eventlog Cleared"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Chafer (APT 39) Activity, STRRAT Scheduled Task, Schtasks Suspicious Parent, Schtasks Persistence With High Privileges, Suspicious Scheduled Task Creation, BazarLoader Persistence Using Schtasks, Creation or Modification of a GPO Scheduled Task, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Remote Task Creation Via ATSVC Named Pipe, Chafer (APT 39) Activity, STRRAT Scheduled Task, Schtasks Suspicious Parent, Schtasks Persistence With High Privileges, Suspicious Scheduled Task Creation, BazarLoader Persistence Using Schtasks, Creation or Modification of a GPO Scheduled Task, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Ryuk Ransomware Persistence Registry Key, Registry Key Used By Some Old Agent Tesla Samples, Leviathan Registry Key Activity, Autorun Keys Modification, Malware Persistence Registry Key, RUN Registry Key Created From Suspicious Folder, Narrator Feedback-Hub Persistence"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dumping-Tools Common Named Pipes, Cred Dump Tools Dropped Files, DPAPI Domain Backup Key Extraction, Impacket Secretsdump.py Tool, Grabbing Sensitive Hives Via Reg Utility, Credential Dumping Tools Service Execution"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dumping-Tools Common Named Pipes, Cmdkey Cached Credentials Recon, Cred Dump Tools Dropped Files, Grabbing Sensitive Hives Via Reg Utility, Credential Dumping Tools Service Execution"}, {"techniqueID": "T1557.001", "score": 100, "comment": "Rules: Possible RottenPotato Attack"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Possible RottenPotato Attack"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation, Possible RottenPotato Attack"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: Suspicious Access To Sensitive File Extensions"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 1, SCM Database Handle Failure, PowerView commandlets 2, SCM Database Privileged Operation"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Remote Task Creation Via ATSVC Named Pipe, Blue Mockingbird Malware"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper, UAC Bypass via Event Viewer"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper, UAC Bypass via Event Viewer"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious certutil command, FromBase64String Command Line, Suspicious Mshta Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious XOR Encoded PowerShell Command Line"}, {"techniqueID": "T1087.003", "score": 100, "comment": "Rules: Phosphorus (APT35) Exchange Discovery"}, {"techniqueID": "T1547.008", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1091", "score": 100, "comment": "Rules: External Disk Drive Or USB Storage Device"}, {"techniqueID": "T1200", "score": 100, "comment": "Rules: External Disk Drive Or USB Storage Device"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Putty Sessions Listing, SysKey Registry Keys Access, Remote Registry Management Using Reg Utility, Suspicious Taskkill Command"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Inhibit System Recovery Deleting Backups, Suncrypt Parameters, Stop Backup Services, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, AD Object WriteDAC Access, ICacls Granting Access To All"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username, Suncrypt Parameters"}, {"techniqueID": "T1484.001", "score": 100, "comment": "Rules: GPO Executable Delivery, Creation or Modification of a GPO Scheduled Task"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Privileged AD Builtin Group Modified, GPO Executable Delivery, Creation or Modification of a GPO Scheduled Task, Domain Trust Created Or Removed"}, {"techniqueID": "T1212", "score": 100, "comment": "Rules: Abusing Azure Browser SSO, Audit CVE Event"}, {"techniqueID": "T1528", "score": 100, "comment": "Rules: Abusing Azure Browser SSO"}, {"techniqueID": "T1550.001", "score": 100, "comment": "Rules: Abusing Azure Browser SSO"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AD Privileged Users Or Groups Reconnaissance, AD User Enumeration"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Antivirus Web Shell Detection, Webshell Creation, Exchange Server Spawning Suspicious Processes, Webshell Execution W3WP Process, Exchange Server Creating Unusual Files, PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Antivirus Web Shell Detection, Webshell Creation, Exchange Server Spawning Suspicious Processes, Webshell Execution W3WP Process, IIS Module Installation Using AppCmd, Exchange Server Creating Unusual Files, PowerCat Function Loading"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: PowerShell Data Compressed, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Privileged AD Builtin Group Modified"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Suspicious Mshta Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Trickbot Malware Activity, PowerView commandlets 1, NlTest Usage, Phosphorus Domain Controller Discovery, AdFind Usage, Bloodhound and Sharphound Tools Usage, Domain Trust Discovery Through LDAP, PowerView commandlets 2"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1137.006", "score": 100, "comment": "Rules: Microsoft Office Startup Add-In"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Suspicious Windows DNS Queries, Exfiltration And Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution, TUN/TAP Driver Installation, Exfiltration Domain In Command Line"}, {"techniqueID": "T1564.004", "score": 100, "comment": "Rules: PowerShell - NTFS Alternate Data Stream"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled, Suspect Svchost Memory Access, Disable Security Events Logging Adding Reg Key MiniNt"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution, Dynwrapx Module Loading"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, Suspicious Windows ANONYMOUS LOGON Local Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created, Suspicious Windows ANONYMOUS LOGON Local Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1574.001", "score": 100, "comment": "Rules: Svchost DLL Search Order Hijack, Windows Registry Persistence COM Search Order Hijacking"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access, Remote Registry Management Using Reg Utility"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Ryuk Ransomware Persistence Registry Key, Malware Persistence Registry Key"}, {"techniqueID": "T1078.001", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.002", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.003", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: Microsoft Malware Protection Engine Crash, Audit CVE Event"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1021.001", "score": 100, "comment": "Rules: Denied Access To Remote Desktop, RDP Login From Localhost, RDP Port Change Using Powershell"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 1, Network Share Discovery, PowerView commandlets 2"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious HWP Child Process"}, {"techniqueID": "T1546.012", "score": 100, "comment": "Rules: Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys"}, {"techniqueID": "T1129", "score": 100, "comment": "Rules: FoggyWeb Backdoor DLL Loading"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1021.006", "score": 100, "comment": "Rules: Lsass Access Through WinRM"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1, Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1207", "score": 100, "comment": "Rules: DC Shadow via Service Principal Name (SPN) creation"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1100", "score": 100, "comment": "Rules: Antivirus Web Shell Detection"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line, Active Directory Shadow Credentials"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, Suspicious Hostname"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1086", "score": 100, "comment": "Rules: In-memory PowerShell"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Suspicious Windows ANONYMOUS LOGON Local Account Created"}, {"techniqueID": "T1499.004", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1499", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: Failed Logon Source From Public IP Addresses"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Sekoia.io Endpoint Agent", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration, Autorun Keys Modification, Suspicious desktop.ini Action, Powershell Winlogon Helper DLL, Leviathan Registry Key Activity, RUN Registry Key Created From Suspicious Folder, NjRat Registry Changes, Narrator Feedback-Hub Persistence, DLL Load via LSASS Registry Key, Security Support Provider (SSP) Added to LSA Configuration, Malware Persistence Registry Key, Ryuk Ransomware Persistence Registry Key, Registry Key Used By Some Old Agent Tesla Samples"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, WiFi Credentials Harvesting Using Netsh, Capture a network trace with netsh.exe, Network Sniffing Windows"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SSH X11 Forwarding, SSH Tunnel Traffic, Ngrok Process Execution, SOCKS Tunneling Tool, Netsh Port Forwarding, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 1, Network Scanning and Discovery, PowerView commandlets 2"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv, Exploited CVE-2020-10189 Zoho ManageEngine, Failed Logon Source From Public IP Addresses, GitLab CVE-2021-22205, Suspicious DNS Child Process"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing, DNS Tunnel Technique From MuddyWater, DNS Exfiltration and Tunneling Tools Execution, Chafer (APT 39) Activity"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Sliver DNS Beaconing, Exfiltration And Tunneling Tools Execution, Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater, Chafer (APT 39) Activity, Suspicious LDAP-Attributes Used, Suspicious Windows DNS Queries"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious HWP Child Process, Suspicious Outlook Child Process, Cisco Umbrella Threat Detected, Suspicious Double Extension"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, Microsoft Office Creating Suspicious File, HarfangLab EDR Critical Level Rule Detection, Sysmon Windows File Block Executable, Microsoft Office Product Spawning Windows Shell, HarfangLab EDR Low Level Rule Detection, Exploit For CVE-2015-1641, Suspicious DLL Loaded Via Office Applications, Winword Document Droppers, MS Office Product Spawning Exe in User Dir, HarfangLab EDR Suspicious Process Behavior Has Been Detected, IcedID Execution Using Excel, HarfangLab EDR High Level Rule Detection, HarfangLab EDR Medium Level Rule Detection, Microsoft Office Spawning Script, Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File, HarfangLab EDR Process Execution Blocked, HarfangLab EDR Hlai Engine Detection"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, Microsoft Office Creating Suspicious File, HarfangLab EDR Critical Level Rule Detection, Sysmon Windows File Block Executable, Microsoft Office Product Spawning Windows Shell, HarfangLab EDR Low Level Rule Detection, Exploit For CVE-2015-1641, Suspicious DLL Loaded Via Office Applications, Microsoft Defender Antivirus Threat Detected, MS Office Product Spawning Exe in User Dir, Winword Document Droppers, HarfangLab EDR Suspicious Process Behavior Has Been Detected, IcedID Execution Using Excel, HarfangLab EDR High Level Rule Detection, HarfangLab EDR Medium Level Rule Detection, Microsoft Office Spawning Script, Suspicious Outlook Child Process, Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File, HarfangLab EDR Process Execution Blocked, HarfangLab EDR Hlai Engine Detection"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Wdigest Enable UseLogonCredential, DCSync Attack, HackTools Suspicious Process Names In Command Line, Suspicious SAM Dump, Password Dumper Activity On LSASS, Transfering Files With Credential Data Via Network Shares, DPAPI Domain Backup Key Extraction, Rubeus Tool Command-line, Active Directory Database Dump Via Ntdsutil, NetNTLM Downgrade Attack, Windows Credential Editor Registry Key, Mimikatz Basic Commands, Copying Browser Files With Credentials, Cmdkey Cached Credentials Recon, Cred Dump Tools Dropped Files, HackTools Suspicious Names, Process Memory Dump Using Comsvcs, WCE wceaux.dll Creation, Load Of dbghelp/dbgcore DLL From Suspicious Process, LSASS Access From Non System Account, Impacket Secretsdump.py Tool, Process Memory Dump Using Rdrleakdiag, Malicious Service Installations, Dumpert LSASS Process Dumper, Mimikatz LSASS Memory Access, RedMimicry Winnti Playbook Dropped File, Grabbing Sensitive Hives Via Reg Utility, Active Directory Replication from Non Machine Account, LSASS Memory Dump, Lsass Access Through WinRM, NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data, Credential Dumping-Tools Common Named Pipes, LSASS Memory Dump File Creation, SAM Registry Hive Handle Request, Unsigned Image Loaded Into LSASS Process, NTDS.dit File In Suspicious Directory, Credential Dumping By LaZagne, Process Memory Dump Using Createdump, Credential Dumping Tools Service Execution"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line, User Couldn't Call A Privileged Service LsaRegisterLogonProcess"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Suspicious Outbound Kerberos Connection, Rubeus Tool Command-line, User Couldn't Call A Privileged Service LsaRegisterLogonProcess, Possible Replay Attack, Rubeus Register New Logon Process"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Successful Overpass The Hash Attempt, Rubeus Tool Command-line, Potential RDP Connection To Non-Domain Host, Abusing Azure Browser SSO"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: User Added to Local Administrators, Active Directory Delegate To KRBTGT Service, Active Directory Replication User Backdoor, SeEnableDelagationPrivilege Granted To User Or Machine In Active Directory, Privileged AD Builtin Group Modified, Password Change On Directory Service Restore Mode (DSRM) Account, Mimikatz Basic Commands, Active Directory User Backdoors"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Phorpiex DriveMgr Command, Mustang Panda Dropper, WMIC Uninstall Product, Koadic Execution, MalwareBytes Uninstallation, Exploited CVE-2020-10189 Zoho ManageEngine, SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, Lazarus Loaders, Elise Backdoor, Suspicious Taskkill Command, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: PowerShell - NTFS Alternate Data Stream, WMIC Uninstall Product, In-memory PowerShell, SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, PowerShell Credential Prompt, Suspicious PowerShell Keywords, Microsoft Office Creating Suspicious File, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious VBS Execution Parameter, Suspicious Taskkill Command, Powershell Web Request, Exploiting SetupComplete.cmd CVE-2019-1378, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, QakBot Process Creation, AutoIt3 Execution From Suspicious Folder, WMImplant Hack Tool, FromBase64String Command Line, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell Download From URL, Suspicious DLL Loaded Via Office Applications, Microsoft Defender Antivirus Threat Detected, Default Encoding To UTF-8 PowerShell, Alternate PowerShell Hosts Pipe, Mshta Suspicious Child Process, Lazarus Loaders, PowerShell EncodedCommand, Mustang Panda Dropper, Microsoft Defender Antivirus Disabled Base64 Encoded, XSL Script Processing And SquiblyTwo Attack, Suspicious XOR Encoded PowerShell Command Line, Sysprep On AppData Folder, Trickbot Malware Activity, Koadic Execution, Detection of default Mimikatz banner, Microsoft Office Spawning Script, Suspicious Scripting In A WMI Consumer, Suspicious PrinterPorts Creation (CVE-2020-1048), PowerShell Malicious PowerShell Commandlets, Invoke-TheHash Commandlets, Suspicious Outlook Child Process, Elise Backdoor, WMI DLL Loaded Via Office, Phorpiex DriveMgr Command, Suspicious PowerShell Invocations - Specific, DNS Exfiltration and Tunneling Tools Execution, Suspicious Windows Script Execution, PowerShell Downgrade Attack, Malicious PowerShell Keywords, Suspicious PowerShell Invocations - Generic, MalwareBytes Uninstallation, Exploited CVE-2020-10189 Zoho ManageEngine, Bloodhound and Sharphound Tools Usage, Turla Named Pipes, Suspicious Cmd.exe Command Line, Venom Multi-hop Proxy agent detection, PowerShell Invoke Expression With Registry, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, QakBot Process Creation, Suspicious Windows Script Execution, Koadic Execution, Microsoft Office Spawning Script, Suspicious DLL Loaded Via Office Applications, SquirrelWaffle Malspam Execution Loading DLL, Suspicious VBS Execution Parameter, Malspam Execution Registering Malicious DLL, Microsoft Office Creating Suspicious File, WMI DLL Loaded Via Office"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Empire Monkey Activity, PowerShell Execution Via Rundll32, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Equation Group DLL_U Load, SquirrelWaffle Malspam Execution Loading DLL, Suspicious DLL Loading By Ordinal, Malspam Execution Registering Malicious DLL, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Control Process, Suspicious Desktopimgdownldr Execution, SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, Suspicious Taskkill Command, CertOC Loading Dll, Empire Monkey Activity, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Windows Installer Execution, Dynwrapx Module Loading, xWizard Execution, MavInject Process Injection, MOFComp Execution, Suspicious Mshta Execution, IcedID Execution Using Excel, AccCheckConsole Executing Dll, CMSTP UAC Bypass via COM Object Access, Equation Group DLL_U Load, Suspicious Rundll32.exe Execution, Suspicious Regsvr32 Execution, Explorer Process Executing HTA File, PowerShell Execution Via Rundll32, Suspicious DLL Loading By Ordinal, Mshta JavaScript Execution, CMSTP Execution, Control Panel Items"}, {"techniqueID": "T1003.006", "score": 100, "comment": "Rules: DCSync Attack, Active Directory Replication from Non Machine Account, Credential Dumping Tools Service Execution"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Impacket Secretsdump.py Tool, Credential Dumping-Tools Common Named Pipes, Suspicious SAM Dump, SAM Registry Hive Handle Request, Cred Dump Tools Dropped Files, Copying Browser Files With Credentials, RedMimicry Winnti Playbook Dropped File, Grabbing Sensitive Hives Via Reg Utility, Credential Dumping Tools Service Execution"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, XCopy Suspicious Usage, Opening Of a Password File"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Adexplorer Usage, Remote Registry Management Using Reg Utility, Outlook Registry Access, Opening Of a Password File"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Windows Firewall Changes, Netsh Port Opening, Netsh RDP Port Forwarding, Netsh Allow Command, Python Opening Ports, Powershell AMSI Bypass, NetSh Used To Disable Windows Firewall, Netsh Program Allowed With Suspicious Location, Netsh Port Forwarding, Netsh Allowed Python Program, Netsh RDP Port Opening"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Disable Using Registry, WMIC Uninstall Product, Netsh Allow Command, Suspicious Driver Loaded, Suspicious Microsoft Defender Antivirus Exclusion Command, TrustedInstaller Impersonation, Debugging Software Deactivation, Windows Firewall Changes, Suspicious PROCEXP152.sys File Created In Tmp, Disable Security Events Logging Adding Reg Key MiniNt, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Disable .NET ETW Through COMPlus_ETWEnabled, Netsh RDP Port Forwarding, NetNTLM Downgrade Attack, Powershell AMSI Bypass, Python Opening Ports, ETW Tampering, Disabled IE Security Features, Netsh Port Forwarding, Microsoft Malware Protection Engine Crash, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspect Svchost Memory Access, Microsoft Defender Antivirus Tampering Detected, Microsoft Defender Antivirus Disable SecurityHealth, Microsoft Defender Antivirus Exclusion Configuration, Microsoft Defender Antivirus Disable Services, Netsh Port Opening, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Configuration Changed, MalwareBytes Uninstallation, Microsoft Defender Antivirus Restoration Abuse, Windows Defender Deactivation Using PowerShell Script, NetSh Used To Disable Windows Firewall, Disable Windows Defender Credential Guard, Netsh Program Allowed With Suspicious Location, Netsh Allowed Python Program, Ryuk Ransomware Command Line, Raccine Uninstall, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Using Registry, WMIC Uninstall Product, Suspicious Driver Loaded, Suspicious Microsoft Defender Antivirus Exclusion Command, TrustedInstaller Impersonation, Debugging Software Deactivation, Suspicious PROCEXP152.sys File Created In Tmp, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh RDP Port Forwarding, NetNTLM Downgrade Attack, Disabled IE Security Features, Netsh Port Forwarding, Microsoft Malware Protection Engine Crash, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable SecurityHealth, Microsoft Defender Antivirus Disable Services, Netsh Port Opening, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Configuration Changed, MalwareBytes Uninstallation, Microsoft Defender Antivirus Restoration Abuse, Windows Defender Deactivation Using PowerShell Script, Disable Windows Defender Credential Guard, Netsh Program Allowed With Suspicious Location, Microsoft Defender Antivirus Exclusion Configuration, Ryuk Ransomware Command Line, Raccine Uninstall, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1210", "score": 100, "comment": "Rules: Audit CVE Event, CVE-2019-0708 Scan, Registry Checked For Lanmanserver DisableCompression Parameter"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious New Printer Ports In Registry, Certify Or Certipy, Audit CVE Event"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Process Hollowing Detection, Wmiprvse Wrong Parent, Smss Wrong Parent, Taskhost Wrong Parent, MavInject Process Injection, Searchindexer Wrong Parent, CreateRemoteThread Common Process Injection, Taskhostw Wrong Parent, Process Herpaderping, Cobalt Strike Named Pipes, Dynwrapx Module Loading, Malicious Named Pipe, Svchost Wrong Parent, Explorer Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, Spoolsv Wrong Parent, Searchprotocolhost Wrong Parent, Wsmprovhost Wrong Parent"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Wmiprvse Wrong Parent, Chafer (APT 39) Activity, Taskhost or Taskhostw Suspicious Child Found, Winlogon wrong parent, APT29 Fake Google Update Service Install, Cobalt Strike Default Service Creation Usage, Userinit Wrong Parent, Spoolsv Wrong Parent, Dllhost Wrong Parent, Csrss Child Found, Csrss Wrong Parent, Wininit Wrong Parent, New Service Creation, Winrshost Wrong Parent, Taskhostw Wrong Parent, Logonui Wrong Parent, Gpscript Suspicious Parent, WMI Persistence Command Line Event Consumer, Winword wrong parent, Taskhost Wrong Parent, Searchindexer Wrong Parent, SolarWinds Wrong Child Process, Searchprotocolhost Child Found, Malicious Service Installations, Lsass Wrong Parent, Searchprotocolhost Wrong Parent, Wsmprovhost Wrong Parent, StoneDrill Service Install, Smss Wrong Parent, OneNote Suspicious Children Process, Rare Logonui Child Found, Rare Lsass Child Found, Svchost Wrong Parent, Explorer Wrong Parent, Suspicious Commands From MS SQL Server Shell"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Wmiprvse Wrong Parent, Chafer (APT 39) Activity, Taskhost or Taskhostw Suspicious Child Found, Winlogon wrong parent, APT29 Fake Google Update Service Install, Cobalt Strike Default Service Creation Usage, Userinit Wrong Parent, Spoolsv Wrong Parent, Dllhost Wrong Parent, Csrss Child Found, Csrss Wrong Parent, Wininit Wrong Parent, New Service Creation, Winrshost Wrong Parent, Taskhostw Wrong Parent, Logonui Wrong Parent, Gpscript Suspicious Parent, WMI Persistence Command Line Event Consumer, Winword wrong parent, Taskhost Wrong Parent, Searchindexer Wrong Parent, SolarWinds Wrong Child Process, Searchprotocolhost Child Found, Malicious Service Installations, Lsass Wrong Parent, Searchprotocolhost Wrong Parent, Wsmprovhost Wrong Parent, StoneDrill Service Install, Smss Wrong Parent, OneNote Suspicious Children Process, Rare Logonui Child Found, Rare Lsass Child Found, Svchost Wrong Parent, Explorer Wrong Parent, Suspicious Commands From MS SQL Server Shell"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools, Wmiprvse Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Winlogon wrong parent, Userinit Wrong Parent, Suspicious Commands From MS SQL Server Shell, Spoolsv Wrong Parent, Dllhost Wrong Parent, Csrss Child Found, Csrss Wrong Parent, Wininit Wrong Parent, Winrshost Wrong Parent, Taskhostw Wrong Parent, Logonui Wrong Parent, Smbexec.py Service Installation, Gpscript Suspicious Parent, Suspicious DNS Child Process, WMI Persistence Command Line Event Consumer, Winword wrong parent, Metasploit PSExec Service Creation, Taskhost Wrong Parent, Searchindexer Wrong Parent, SolarWinds Wrong Child Process, Searchprotocolhost Child Found, Malicious Service Installations, Lsass Wrong Parent, Suspicious PsExec Execution, Searchprotocolhost Wrong Parent, Wsmprovhost Wrong Parent, Smss Wrong Parent, OneNote Suspicious Children Process, PsExec Process, Rare Logonui Child Found, Rare Lsass Child Found, Svchost Wrong Parent, Usage Of Procdump With Common Arguments, Credential Dumping Tools Service Execution"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools, Wmiprvse Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Winlogon wrong parent, Userinit Wrong Parent, Suspicious Commands From MS SQL Server Shell, Spoolsv Wrong Parent, Dllhost Wrong Parent, Csrss Child Found, Csrss Wrong Parent, SolarWinds Suspicious File Creation, Wininit Wrong Parent, Winrshost Wrong Parent, Taskhostw Wrong Parent, Logonui Wrong Parent, Microsoft Defender Antivirus Threat Detected, Smbexec.py Service Installation, Gpscript Suspicious Parent, Suspicious DNS Child Process, WMI Persistence Command Line Event Consumer, Winword wrong parent, Metasploit PSExec Service Creation, Taskhost Wrong Parent, Searchindexer Wrong Parent, SolarWinds Wrong Child Process, Searchprotocolhost Child Found, Windows Update LolBins, Malicious Service Installations, Lsass Wrong Parent, Suspicious PsExec Execution, Searchprotocolhost Wrong Parent, Wsmprovhost Wrong Parent, Smss Wrong Parent, OneNote Suspicious Children Process, PsExec Process, Rare Logonui Child Found, Rare Lsass Child Found, Svchost Wrong Parent, Usage Of Procdump With Common Arguments, Credential Dumping Tools Service Execution"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool, Suspicious LDAP-Attributes Used"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool, Suspicious LDAP-Attributes Used"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: LSASS Memory Dump, Load Of dbghelp/dbgcore DLL From Suspicious Process, Lsass Access Through WinRM, Unsigned Image Loaded Into LSASS Process, LSASS Access From Non System Account, Process Memory Dump Using Rdrleakdiag, Credential Dumping-Tools Common Named Pipes, LSASS Memory Dump File Creation, Windows Credential Editor Registry Key, Password Dumper Activity On LSASS, Dumpert LSASS Process Dumper, Cred Dump Tools Dropped Files, Mimikatz LSASS Memory Access, Credential Dumping By LaZagne, Process Memory Dump Using Createdump, Credential Dumping Tools Service Execution"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test, IcedID Execution Using Excel, Microsoft Office Startup Add-In"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell - NTFS Alternate Data Stream, In-memory PowerShell, PowerShell Credential Prompt, Suspicious PowerShell Keywords, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Taskkill Command, Powershell Web Request, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, WMImplant Hack Tool, FromBase64String Command Line, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell Download From URL, Default Encoding To UTF-8 PowerShell, Alternate PowerShell Hosts Pipe, Mshta Suspicious Child Process, PowerShell EncodedCommand, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious XOR Encoded PowerShell Command Line, Detection of default Mimikatz banner, Suspicious PrinterPorts Creation (CVE-2020-1048), PowerShell Malicious PowerShell Commandlets, Invoke-TheHash Commandlets, Suspicious PowerShell Invocations - Specific, DNS Exfiltration and Tunneling Tools Execution, PowerShell Downgrade Attack, Malicious PowerShell Keywords, Suspicious PowerShell Invocations - Generic, Exploited CVE-2020-10189 Zoho ManageEngine, Bloodhound and Sharphound Tools Usage, Turla Named Pipes, PowerShell Invoke Expression With Registry, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Secure Deletion With SDelete"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, High Privileges Network Share Removal, Microsoft Defender Antivirus Tampering Detected, Secure Deletion With SDelete, ETW Tampering, Microsoft Defender Antivirus History Directory Deleted, Microsoft Defender Antivirus History Deleted, Eventlog Cleared"}, {"techniqueID": "T1027.005", "score": 100, "comment": "Rules: Secure Deletion With SDelete"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, Suspicious XOR Encoded PowerShell Command Line, Secure Deletion With SDelete, OneNote Embedded File, PowerShell EncodedCommand"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Secure Deletion With SDelete, Backup Catalog Deleted"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution, Network Connection Via Certutil, Rclone Process, Suspicious certutil command, Suspicious Finger Usage, Suspicious Headless Web Browser Execution To Download File, Pandemic Windows Implant"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File, PowerShell - NTFS Alternate Data Stream"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Remote Privileged Group Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Phosphorus (APT35) Exchange Discovery, Remote Privileged Group Enumeration, AD Privileged Users Or Groups Reconnaissance, AD User Enumeration, PowerView commandlets 1, Bloodhound and Sharphound Tools Usage, PowerView commandlets 2"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data, Impacket Secretsdump.py Tool, Active Directory Database Dump Via Ntdsutil, Cred Dump Tools Dropped Files, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: New Or Renamed User Account With '$' In Attribute 'SamAccountName', Legitimate Process Execution From Unusual Folder, Phorpiex Process Masquerading, AutoIt3 Execution From Suspicious Folder, Copy Of Legitimate System32 Executable, Exploit For CVE-2017-0261 Or CVE-2017-0262, Formbook Hijacked Process Command, Execution From Suspicious Folder, RTLO Character, Explorer Wrong Parent, Suspicious Cmd.exe Command Line, Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1021.002", "score": 100, "comment": "Rules: Admin Share Access, Protected Storage Service Access, Smbexec.py Service Installation, Remote Service Activity Via SVCCTL Named Pipe, Cobalt Strike Default Service Creation Usage, Lateral Movement - Remote Named Pipe"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, Lsass Access Through WinRM, Admin Share Access, Smbexec.py Service Installation, Denied Access To Remote Desktop, RDP Login From Localhost, Protected Storage Service Access, Remote Service Activity Via SVCCTL Named Pipe, Cobalt Strike Default Service Creation Usage, Lateral Movement - Remote Named Pipe, MMC20 Lateral Movement, RDP Port Change Using Powershell"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Successful Overpass The Hash Attempt, Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Wmic Process Call Creation, WMIC Uninstall Product, WMImplant Hack Tool, Wmic Service Call, Invoke-TheHash Commandlets, WMI Install Of Binary, Impacket Wmiexec Module, WMI DLL Loaded Via Office, Blue Mockingbird Malware, Suspicious Mshta Execution From Wmi"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Antivirus Relevant File Paths Alerts, Exploit For CVE-2015-1641, Antivirus Exploitation Framework Detection, Suspicious HWP Child Process, Audit CVE Event, Suspicious New Printer Ports In Registry, Msdt (Follina) File Browse Process Execution, Antivirus Password Dumper Detection"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Antivirus Exploitation Framework Detection, Remote Monitoring and Management Software - AnyDesk, Antivirus Relevant File Paths Alerts, Antivirus Password Dumper Detection"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: Suspicious DLL side loading from ProgramData, DHCP Server Error Failed Loading the CallOut DLL, DHCP Callout DLL Installation, DHCP Server Loaded the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL, Werfault DLL Injection, Svchost DLL Search Order Hijack, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious DLL side loading from ProgramData, DHCP Server Error Failed Loading the CallOut DLL, DHCP Callout DLL Installation, Hijack Legit RDP Session To Move Laterally, DHCP Server Loaded the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL, Windows Registry Persistence COM Search Order Hijacking, Svchost DLL Search Order Hijack, Werfault DLL Injection, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, WMIC Loading Scripting Libraries"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Copy Of Legitimate System32 Executable, Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Koadic Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line, RDP Port Change Using Powershell"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution, Disable Workstation Lock, Ursnif Registry Key, Disable Security Events Logging Adding Reg Key MiniNt, DHCP Callout DLL Installation, FlowCloud Malware, Disable .NET ETW Through COMPlus_ETWEnabled, RedMimicry Winnti Playbook Registry Manipulation, RDP Port Change Using Powershell, Chafer (APT 39) Activity, NetNTLM Downgrade Attack, Remote Registry Management Using Reg Utility, Wdigest Enable UseLogonCredential, RDP Sensitive Settings Changed, OceanLotus Registry Activity, Suspicious New Printer Ports In Registry, Blue Mockingbird Malware, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: Dynwrapx Module Loading, CreateRemoteThread Common Process Injection, MavInject Process Injection"}, {"techniqueID": "T1055.012", "score": 100, "comment": "Rules: Process Hollowing Detection"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: User Added to Local Administrators, Account Removed From A Security Enabled Group, Admin User RDP Remote Logon, Denied Access To Remote Desktop, Failed Logon Source From Public IP Addresses, Account Tampering - Suspicious Failed Logon Reasons, Account Added To A Security Enabled Group"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Legitimate Process Execution From Unusual Folder, Phorpiex Process Masquerading, Exploit For CVE-2017-0261 Or CVE-2017-0262, Formbook Hijacked Process Command, Explorer Wrong Parent"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Event Subscription, WMI Persistence Script Event Consumer File Write, Suspicious Scripting In A WMI Consumer"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key, WMI Persistence Script Event Consumer File Write, Change Default File Association, Suspicious Scripting In A WMI Consumer, Sticky Key Like Backdoor Usage, WMI Event Subscription, Suspicious Netsh DLL Persistence, Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys, Control Panel Items"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted, Eventlog Cleared, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Creation or Modification of a GPO Scheduled Task, Schtasks Persistence With High Privileges, Suspicious Scheduled Task Creation, Chafer (APT 39) Activity, Schtasks Suspicious Parent, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, STRRAT Scheduled Task, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Remote Task Creation Via ATSVC Named Pipe, Creation or Modification of a GPO Scheduled Task, Schtasks Persistence With High Privileges, Suspicious Scheduled Task Creation, Chafer (APT 39) Activity, Schtasks Suspicious Parent, STRRAT Scheduled Task, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Autorun Keys Modification, Leviathan Registry Key Activity, RUN Registry Key Created From Suspicious Folder, Narrator Feedback-Hub Persistence, Malware Persistence Registry Key, Ryuk Ransomware Persistence Registry Key, Registry Key Used By Some Old Agent Tesla Samples"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: DPAPI Domain Backup Key Extraction, Impacket Secretsdump.py Tool, Credential Dumping-Tools Common Named Pipes, Cred Dump Tools Dropped Files, Grabbing Sensitive Hives Via Reg Utility, Credential Dumping Tools Service Execution"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dumping-Tools Common Named Pipes, Cred Dump Tools Dropped Files, Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility, Credential Dumping Tools Service Execution"}, {"techniqueID": "T1557.001", "score": 100, "comment": "Rules: Possible RottenPotato Attack"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Possible RottenPotato Attack"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Possible RottenPotato Attack, Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: Suspicious Access To Sensitive File Extensions"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 1, SCM Database Handle Failure, SCM Database Privileged Operation, PowerView commandlets 2"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Remote Task Creation Via ATSVC Named Pipe, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass Using Fodhelper, UAC Bypass Via Sdclt, UAC Bypass via Event Viewer"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass Using Fodhelper, UAC Bypass Via Sdclt, UAC Bypass via Event Viewer"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious XOR Encoded PowerShell Command Line, Suspicious certutil command, FromBase64String Command Line, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Mshta Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1087.003", "score": 100, "comment": "Rules: Phosphorus (APT35) Exchange Discovery"}, {"techniqueID": "T1547.008", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1091", "score": 100, "comment": "Rules: External Disk Drive Or USB Storage Device"}, {"techniqueID": "T1200", "score": 100, "comment": "Rules: External Disk Drive Or USB Storage Device"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Putty Sessions Listing, Suspicious Taskkill Command, SysKey Registry Keys Access, Remote Registry Management Using Reg Utility"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups, Stop Backup Services, Suncrypt Parameters"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications, AD Object WriteDAC Access"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username, Suncrypt Parameters"}, {"techniqueID": "T1484.001", "score": 100, "comment": "Rules: Creation or Modification of a GPO Scheduled Task, GPO Executable Delivery"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Privileged AD Builtin Group Modified, Creation or Modification of a GPO Scheduled Task, Domain Trust Created Or Removed, GPO Executable Delivery"}, {"techniqueID": "T1212", "score": 100, "comment": "Rules: Abusing Azure Browser SSO, Audit CVE Event"}, {"techniqueID": "T1528", "score": 100, "comment": "Rules: Abusing Azure Browser SSO"}, {"techniqueID": "T1550.001", "score": 100, "comment": "Rules: Abusing Azure Browser SSO"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: AD User Enumeration, AD Privileged Users Or Groups Reconnaissance, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, Antivirus Web Shell Detection, Webshell Execution W3WP Process, Exchange Server Spawning Suspicious Processes, Exchange Server Creating Unusual Files, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: IIS Module Installation Using AppCmd, PowerCat Function Loading, Antivirus Web Shell Detection, Webshell Execution W3WP Process, Exchange Server Spawning Suspicious Processes, Exchange Server Creating Unusual Files, Webshell Creation"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar, PowerShell Data Compressed, Data Compressed With Rar With Password"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Privileged AD Builtin Group Modified"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Suspicious Taskkill Command, Explorer Process Executing HTA File, Suspicious Mshta Execution"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, Trickbot Malware Activity, NlTest Usage, PowerView commandlets 1, Phosphorus Domain Controller Discovery, Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage, PowerView commandlets 2"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1137.006", "score": 100, "comment": "Rules: Microsoft Office Startup Add-In"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Suspicious Windows DNS Queries, Exfiltration And Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: TUN/TAP Driver Installation, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line"}, {"techniqueID": "T1564.004", "score": 100, "comment": "Rules: PowerShell - NTFS Alternate Data Stream"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Suspect Svchost Memory Access, Disable Security Events Logging Adding Reg Key MiniNt, Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Dynwrapx Module Loading, IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation, Suspicious Windows ANONYMOUS LOGON Local Account Created"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation, Suspicious Windows ANONYMOUS LOGON Local Account Created"}, {"techniqueID": "T1574.001", "score": 100, "comment": "Rules: Windows Registry Persistence COM Search Order Hijacking, Svchost DLL Search Order Hijack"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain In Command Line, Rclone Process"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Remote Registry Management Using Reg Utility, Outlook Registry Access"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key, Ryuk Ransomware Persistence Registry Key"}, {"techniqueID": "T1078.001", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.002", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.003", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: Microsoft Malware Protection Engine Crash, Audit CVE Event"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1021.001", "score": 100, "comment": "Rules: RDP Login From Localhost, RDP Port Change Using Powershell, Denied Access To Remote Desktop"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 1, Network Share Discovery, PowerView commandlets 2"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious HWP Child Process, Suspicious Double Extension"}, {"techniqueID": "T1546.012", "score": 100, "comment": "Rules: Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys"}, {"techniqueID": "T1129", "score": 100, "comment": "Rules: FoggyWeb Backdoor DLL Loading"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1021.006", "score": 100, "comment": "Rules: Lsass Access Through WinRM"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Formbook File Creation DB1"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1207", "score": 100, "comment": "Rules: DC Shadow via Service Principal Name (SPN) creation"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1100", "score": 100, "comment": "Rules: Antivirus Web Shell Detection"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line, Active Directory Shadow Credentials"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious Hostname, Netsh Port Forwarding"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1086", "score": 100, "comment": "Rules: In-memory PowerShell"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Suspicious Windows ANONYMOUS LOGON Local Account Created"}, {"techniqueID": "T1499.004", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1499", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: Failed Logon Source From Public IP Addresses"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_270777d7-0c5a-42fb-b901-b7fadfb0ba48_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_270777d7-0c5a-42fb-b901-b7fadfb0ba48_do_not_edit_manually.json index a3bed595a3..fb63e4871e 100644 --- a/_shared_content/operations_center/detection/generated/attack_270777d7-0c5a-42fb-b901-b7fadfb0ba48_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_270777d7-0c5a-42fb-b901-b7fadfb0ba48_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Fortinet FortiProxy", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, LokiBot Default C2 URL, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Koadic MSHTML Command, Nimbo-C2 User Agent, Bazar Loader DGA (Domain Generation Algorithm), Detect requests to Konni C2 servers, TrevorC2 HTTP Communication"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Download Files From Non-Legitimate TLDs, Possible Malicious File Double Extension, Suspicious Email Attachment Received, Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2019-11510 Pulse Secure Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-43798 Grafana Directory Traversal, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: LokiBot Default C2 URL, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Koadic MSHTML Command, Nimbo-C2 User Agent, Detect requests to Konni C2 servers, TrevorC2 HTTP Communication"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Email Attachment Received"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Fortinet FortiProxy", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Koadic MSHTML Command, LokiBot Default C2 URL, Nimbo-C2 User Agent, TrevorC2 HTTP Communication, Bazar Loader DGA (Domain Generation Algorithm), SEKOIA.IO Intelligence Feed, Detect requests to Konni C2 servers"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension, Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs, Suspicious Email Attachment Received, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2019-11510 Pulse Secure Exploit, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE, CVE-2021-43798 Grafana Directory Traversal"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Koadic MSHTML Command, LokiBot Default C2 URL, TrevorC2 HTTP Communication, Nimbo-C2 User Agent, Detect requests to Konni C2 servers"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Email Attachment Received"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_2815eaab-2425-4eff-8038-3f7d5a3b8b11_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_2815eaab-2425-4eff-8038-3f7d5a3b8b11_do_not_edit_manually.json index 6a96b03146..ed3af001d4 100644 --- a/_shared_content/operations_center/detection/generated/attack_2815eaab-2425-4eff-8038-3f7d5a3b8b11_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_2815eaab-2425-4eff-8038-3f7d5a3b8b11_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Azure Windows", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration, Kernel Module Alteration, Leviathan Registry Key Activity, Autorun Keys Modification, NjRat Registry Changes, RUN Registry Key Created From Suspicious Folder, Suspicious desktop.ini Action"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies, System Info Discovery"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group, Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: High Privileges Network Share Removal, ETW Tampering, Erase Shell History, Microsoft Defender Antivirus History Deleted, Microsoft Defender Antivirus History Directory Deleted, Microsoft Defender Antivirus Tampering Detected, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows, Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, Outlook Registry Access, Container Credential Access, XCopy Suspicious Usage"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Exploiting SetupComplete.cmd CVE-2019-1378, Hijack Legit RDP Session To Move Laterally, DHCP Server Error Failed Loading the CallOut DLL, DHCP Server Loaded the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Raccine Uninstall, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disable Using Registry, WMIC Uninstall Product, Debugging Software Deactivation, Netsh RDP Port Opening, Disabled IE Security Features, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh RDP Port Forwarding, Netsh Port Forwarding, MalwareBytes Uninstallation, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disable Scheduled Tasks, Suspicious Driver Loaded, Netsh Program Allowed With Suspicious Location, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Fail2ban Unban IP, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Port Opening, Microsoft Defender Antivirus Signatures Removed With MpCmdRun"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Raccine Uninstall, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disable Using Registry, Disable .NET ETW Through COMPlus_ETWEnabled, WMIC Uninstall Product, NetSh Used To Disable Windows Firewall, Debugging Software Deactivation, Windows Firewall Changes, Clear EventLogs Through CommandLine, ETW Tampering, Netsh RDP Port Opening, Netsh Allow Command, Disabled IE Security Features, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh RDP Port Forwarding, Netsh Port Forwarding, MalwareBytes Uninstallation, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disable Scheduled Tasks, Suspicious Driver Loaded, Netsh Program Allowed With Suspicious Location, Microsoft Defender Antivirus Tampering Detected, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Fail2ban Unban IP, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Port Opening, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Allowed Python Program"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Explorer Wrong Parent, Spoolsv Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, Searchindexer Wrong Parent, Taskhost Wrong Parent, Svchost Wrong Parent, Smss Wrong Parent, Taskhostw Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Searchprotocolhost Wrong Parent, MavInject Process Injection, Wsmprovhost Wrong Parent, Wmiprvse Wrong Parent"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line, Cmdkey Cached Credentials Recon, Process Memory Dump Using Comsvcs, Process Memory Dump Using Rdrleakdiag, Rubeus Tool Command-line, Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials, Windows Credential Editor Registry Key, Process Trace Alteration, Copying Sensitive Files With Credential Data, HackTools Suspicious Process Names In Command Line"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, DNS Tunnel Technique From MuddyWater, Exfiltration And Tunneling Tools Execution, Suspicious Windows DNS Queries, Sliver DNS Beaconing, Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Outlook Child Process, SEKOIA.IO Intelligence Feed, Suspicious Double Extension, Suspicious HWP Child Process"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel, Ngrok Process Execution, Exfiltration And Tunneling Tools Execution, SOCKS Tunneling Tool, Netsh Port Forwarding"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, DNS Exfiltration and Tunneling Tools Execution, Sliver DNS Beaconing"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Exploit For CVE-2015-1641, MS Office Product Spawning Exe in User Dir, Winword Document Droppers, Microsoft Office Product Spawning Windows Shell, Microsoft Office Creating Suspicious File, Microsoft Office Spawning Script, SquirrelWaffle Malspam Execution Loading DLL, Sysmon Windows File Block Executable, Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Exploit For CVE-2015-1641, MS Office Product Spawning Exe in User Dir, Winword Document Droppers, Microsoft Office Product Spawning Windows Shell, Microsoft Office Creating Suspicious File, Microsoft Office Spawning Script, Microsoft Defender Antivirus Threat Detected, Suspicious Outlook Child Process, SquirrelWaffle Malspam Execution Loading DLL, Sysmon Windows File Block Executable, Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack, Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host, Rubeus Tool Command-line"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious Taskkill Command, Exploited CVE-2020-10189 Zoho ManageEngine, Phorpiex DriveMgr Command, Koadic Execution, Suspicious Cmd.exe Command Line, WMIC Uninstall Product, Lazarus Loaders, MalwareBytes Uninstallation, SquirrelWaffle Malspam Execution Loading DLL, Elise Backdoor"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious Taskkill Command, WMIC Uninstall Product, Bloodhound and Sharphound Tools Usage, PowerShell Download From URL, QakBot Process Creation, Suspicious Outlook Child Process, SquirrelWaffle Malspam Execution Loading DLL, Trickbot Malware Activity, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious VBS Execution Parameter, PowerShell EncodedCommand, Suspicious Microsoft Defender Antivirus Exclusion Command, Phorpiex DriveMgr Command, Powershell Web Request, Lazarus Loaders, MalwareBytes Uninstallation, Mshta Suspicious Child Process, Sysprep On AppData Folder, Elise Backdoor, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious Windows Script Execution, Koadic Execution, AutoIt3 Execution From Suspicious Folder, XSL Script Processing And SquiblyTwo Attack, Microsoft Defender Antivirus Threat Detected, Suspicious Cmd.exe Command Line, DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Invocations - Specific, PowerShell Downgrade Attack, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Office Creating Suspicious File, Microsoft Office Spawning Script, Default Encoding To UTF-8 PowerShell, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious PrinterPorts Creation (CVE-2020-1048)"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, Microsoft Office Creating Suspicious File, Microsoft Office Spawning Script, Suspicious Windows Script Execution, Koadic Execution, XSL Script Processing And SquiblyTwo Attack, QakBot Process Creation, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: IcedID Execution Using Excel, PowerShell Execution Via Rundll32, Equation Group DLL_U Load, Empire Monkey Activity, Suspicious DLL Loading By Ordinal, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Suspicious Windows Installer Execution, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Regsvr32 Execution, PowerShell Execution Via Rundll32, Control Panel Items, MavInject Process Injection, Mshta JavaScript Execution, MOFComp Execution, xWizard Execution, AccCheckConsole Executing Dll, Empire Monkey Activity, Suspicious DLL Loading By Ordinal, CMSTP UAC Bypass via COM Object Access, CMSTP Execution, Suspicious Rundll32.exe Execution, Explorer Process Executing HTA File, IcedID Execution Using Excel, Suspicious Control Process, CertOC Loading Dll, Suspicious Mshta Execution, Equation Group DLL_U Load"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, XCopy Suspicious Usage, Adexplorer Usage"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh RDP Port Opening, Netsh Allow Command, Netsh Program Allowed With Suspicious Location, Netsh Port Opening, Netsh RDP Port Forwarding, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Windows Firewall Changes, Netsh Allowed Python Program"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Winlogon wrong parent, Dllhost Wrong Parent, Csrss Wrong Parent, Winword wrong parent, Rare Lsass Child Found, Csrss Child Found, Searchprotocolhost Child Found, Explorer Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Taskhost Wrong Parent, Rare Logonui Child Found, Wsmprovhost Wrong Parent, Lsass Wrong Parent, Logonui Wrong Parent, SolarWinds Wrong Child Process, Searchindexer Wrong Parent, Userinit Wrong Parent, New Service Creation, Wininit Wrong Parent, Taskhostw Wrong Parent, Wmiprvse Wrong Parent, Spoolsv Wrong Parent, Winrshost Wrong Parent, Svchost Wrong Parent, Smss Wrong Parent, Suspicious Commands From MS SQL Server Shell, Searchprotocolhost Wrong Parent, OneNote Suspicious Children Process"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Winlogon wrong parent, Dllhost Wrong Parent, Csrss Wrong Parent, Winword wrong parent, Rare Lsass Child Found, Csrss Child Found, Searchprotocolhost Child Found, Explorer Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Taskhost Wrong Parent, Rare Logonui Child Found, Wsmprovhost Wrong Parent, Lsass Wrong Parent, Logonui Wrong Parent, SolarWinds Wrong Child Process, Searchindexer Wrong Parent, Userinit Wrong Parent, New Service Creation, Wininit Wrong Parent, Taskhostw Wrong Parent, Wmiprvse Wrong Parent, Spoolsv Wrong Parent, Winrshost Wrong Parent, Svchost Wrong Parent, Smss Wrong Parent, Suspicious Commands From MS SQL Server Shell, Searchprotocolhost Wrong Parent, OneNote Suspicious Children Process"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Winlogon wrong parent, Dllhost Wrong Parent, Csrss Wrong Parent, Winword wrong parent, Rare Lsass Child Found, Csrss Child Found, Searchprotocolhost Child Found, Usage Of Sysinternals Tools, Taskhost or Taskhostw Suspicious Child Found, Taskhost Wrong Parent, Rare Logonui Child Found, Wsmprovhost Wrong Parent, Lsass Wrong Parent, Logonui Wrong Parent, SolarWinds Wrong Child Process, Suspicious DNS Child Process, Searchindexer Wrong Parent, Userinit Wrong Parent, Wininit Wrong Parent, Taskhostw Wrong Parent, PsExec Process, Wmiprvse Wrong Parent, Usage Of Procdump With Common Arguments, Spoolsv Wrong Parent, Winrshost Wrong Parent, Svchost Wrong Parent, Smss Wrong Parent, Suspicious Commands From MS SQL Server Shell, Searchprotocolhost Wrong Parent, OneNote Suspicious Children Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Winlogon wrong parent, Dllhost Wrong Parent, Csrss Wrong Parent, Winword wrong parent, Rare Lsass Child Found, Csrss Child Found, Searchprotocolhost Child Found, Windows Update LolBins, Usage Of Sysinternals Tools, Taskhost or Taskhostw Suspicious Child Found, Taskhost Wrong Parent, Rare Logonui Child Found, Wsmprovhost Wrong Parent, Lsass Wrong Parent, Logonui Wrong Parent, SolarWinds Wrong Child Process, Suspicious DNS Child Process, Searchindexer Wrong Parent, Userinit Wrong Parent, Wininit Wrong Parent, Taskhostw Wrong Parent, Microsoft Defender Antivirus Threat Detected, SolarWinds Suspicious File Creation, PsExec Process, Wmiprvse Wrong Parent, Usage Of Procdump With Common Arguments, Spoolsv Wrong Parent, Winrshost Wrong Parent, Svchost Wrong Parent, Smss Wrong Parent, Suspicious Commands From MS SQL Server Shell, Searchprotocolhost Wrong Parent, OneNote Suspicious Children Process"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious PowerShell Invocations - Specific, PowerShell Downgrade Attack, Suspicious Taskkill Command, PowerShell EncodedCommand, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Exploited CVE-2020-10189 Zoho ManageEngine, Powershell Web Request, Bloodhound and Sharphound Tools Usage, PowerShell Download From URL, Default Encoding To UTF-8 PowerShell, PowerShell Malicious Nishang PowerShell Commandlets, Mshta Suspicious Child Process, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command, Rclone Process, Suspicious Finger Usage, Pandemic Windows Implant"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Exploit For CVE-2017-0261 Or CVE-2017-0262, Explorer Wrong Parent, RTLO Character, Phorpiex Process Masquerading, AutoIt3 Execution From Suspicious Folder, Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line, Formbook Hijacked Process Command, Non-Legitimate Executable Using AcceptEula Parameter"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Server Error Failed Loading the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Loaded the CallOut DLL"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Wmic Service Call, Wmic Process Call Creation, Impacket Wmiexec Module, WMIC Uninstall Product, XSL Script Processing And SquiblyTwo Attack, Suspicious Mshta Execution From Wmi, Blue Mockingbird Malware"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Koadic Execution, Suspicious Windows Script Execution"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Failed Logon Source From Public IP Addresses, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Exploit For CVE-2017-0261 Or CVE-2017-0262, Explorer Wrong Parent, Formbook Hijacked Process Command"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: STRRAT Scheduled Task, Schtasks Suspicious Parent, Schtasks Persistence With High Privileges, Suspicious Scheduled Task Creation, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: STRRAT Scheduled Task, Schtasks Suspicious Parent, Schtasks Persistence With High Privileges, Suspicious Scheduled Task Creation, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: RUN Registry Key Created From Suspicious Folder, Leviathan Registry Key Activity, Autorun Keys Modification"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Blue Mockingbird Malware"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious certutil command, Suspicious Mshta Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Ursnif Registry Key, RedMimicry Winnti Playbook Registry Manipulation, FlowCloud Malware, Disable Workstation Lock, Disable .NET ETW Through COMPlus_ETWEnabled, OceanLotus Registry Activity, Blue Mockingbird Malware, RDP Sensitive Settings Changed"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Inhibit System Recovery Deleting Backups, Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username, Suncrypt Parameters"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, Exchange Server Spawning Suspicious Processes, Webshell Execution W3WP Process, Exchange Server Creating Unusual Files, PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, Exchange Server Spawning Suspicious Processes, Webshell Execution W3WP Process, IIS Module Installation Using AppCmd, Exchange Server Creating Unusual Files, PowerCat Function Loading"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Backup Catalog Deleted, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Suspicious Mshta Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Trickbot Malware Activity, NlTest Usage, AdFind Usage, Bloodhound and Sharphound Tools Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Audit CVE Event"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Suspicious Windows DNS Queries, Exfiltration And Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write, New DLL Added To AppCertDlls Registry Key, Control Panel Items, Suspicious Netsh DLL Persistence, Sticky Key Like Backdoor Usage, Change Default File Association"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, OneNote Embedded File"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Exploit For CVE-2015-1641, Suspicious HWP Child Process, Audit CVE Event"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Windows Credential Editor Registry Key"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious HWP Child Process"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Suspicious DNS Child Process, Exploited CVE-2020-10189 Zoho ManageEngine, Failed Logon Source From Public IP Addresses, CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1, Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1212", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1210", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1499.004", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1499", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: Failed Logon Source From Public IP Addresses"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Azure Windows", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration, Autorun Keys Modification, Suspicious desktop.ini Action, Leviathan Registry Key Activity, RUN Registry Key Created From Suspicious Folder, NjRat Registry Changes, Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, System Info Discovery, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account, Add User to Privileged Group"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, High Privileges Network Share Removal, Microsoft Defender Antivirus Tampering Detected, Erase Shell History, ETW Tampering, Microsoft Defender Antivirus History Directory Deleted, Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, WiFi Credentials Harvesting Using Netsh, Capture a network trace with netsh.exe, Network Sniffing Windows"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Adexplorer Usage, Container Credential Access, Outlook Registry Access, Opening Of a Password File"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Dynamic Linker Hijacking From Environment Variable, DHCP Server Error Failed Loading the CallOut DLL, Hijack Legit RDP Session To Move Laterally, DHCP Server Loaded the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Using Registry, WMIC Uninstall Product, Address Space Layout Randomization (ASLR) Alteration, Suspicious Driver Loaded, Suspicious Microsoft Defender Antivirus Exclusion Command, Debugging Software Deactivation, Fail2ban Unban IP, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh RDP Port Forwarding, Disabled IE Security Features, Netsh Port Forwarding, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh Port Opening, Microsoft Defender Antivirus Disable Scheduled Tasks, MalwareBytes Uninstallation, Microsoft Defender Antivirus Restoration Abuse, Netsh Program Allowed With Suspicious Location, Raccine Uninstall, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Disable Using Registry, WMIC Uninstall Product, Netsh Allow Command, Address Space Layout Randomization (ASLR) Alteration, Suspicious Driver Loaded, Suspicious Microsoft Defender Antivirus Exclusion Command, Debugging Software Deactivation, Windows Firewall Changes, Fail2ban Unban IP, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Disable .NET ETW Through COMPlus_ETWEnabled, Netsh RDP Port Forwarding, ETW Tampering, Disabled IE Security Features, Netsh Port Forwarding, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Tampering Detected, Netsh Port Opening, Microsoft Defender Antivirus Disable Scheduled Tasks, MalwareBytes Uninstallation, Microsoft Defender Antivirus Restoration Abuse, NetSh Used To Disable Windows Firewall, Netsh Program Allowed With Suspicious Location, Netsh Allowed Python Program, Raccine Uninstall, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Wmiprvse Wrong Parent, Smss Wrong Parent, Taskhost Wrong Parent, MavInject Process Injection, Searchindexer Wrong Parent, Taskhostw Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Svchost Wrong Parent, Explorer Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, Spoolsv Wrong Parent, Searchprotocolhost Wrong Parent, Wsmprovhost Wrong Parent"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Comsvcs, WCE wceaux.dll Creation, NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data, Rubeus Tool Command-line, Process Memory Dump Using Rdrleakdiag, HackTools Suspicious Process Names In Command Line, Process Trace Alteration, Windows Credential Editor Registry Key, Cmdkey Cached Credentials Recon, Copying Browser Files With Credentials, NTDS.dit File In Suspicious Directory, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Sliver DNS Beaconing, Exfiltration And Tunneling Tools Execution, Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater, Suspicious Windows DNS Queries, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious HWP Child Process, SEKOIA.IO Intelligence Feed, Suspicious Outlook Child Process, Suspicious Double Extension"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Ngrok Process Execution, SOCKS Tunneling Tool, Netsh Port Forwarding, Potential DNS Tunnel"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing, DNS Tunnel Technique From MuddyWater, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Sysmon Windows File Block Executable, IcedID Execution Using Excel, Explorer Process Executing HTA File, Microsoft Office Product Spawning Windows Shell, Microsoft Office Spawning Script, Exploit For CVE-2015-1641, Winword Document Droppers, MS Office Product Spawning Exe in User Dir, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Sysmon Windows File Block Executable, IcedID Execution Using Excel, Explorer Process Executing HTA File, Microsoft Office Product Spawning Windows Shell, Microsoft Office Spawning Script, Exploit For CVE-2015-1641, Microsoft Defender Antivirus Threat Detected, Winword Document Droppers, MS Office Product Spawning Exe in User Dir, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Creating Suspicious File, Suspicious Outlook Child Process, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Possible Replay Attack"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Phorpiex DriveMgr Command, WMIC Uninstall Product, Koadic Execution, MalwareBytes Uninstallation, Exploited CVE-2020-10189 Zoho ManageEngine, SquirrelWaffle Malspam Execution Loading DLL, Lazarus Loaders, Elise Backdoor, Suspicious Taskkill Command, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: WMIC Uninstall Product, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Creating Suspicious File, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious VBS Execution Parameter, Suspicious Taskkill Command, Powershell Web Request, Exploiting SetupComplete.cmd CVE-2019-1378, QakBot Process Creation, AutoIt3 Execution From Suspicious Folder, PowerShell Download From URL, PowerShell Malicious Nishang PowerShell Commandlets, Microsoft Defender Antivirus Threat Detected, Default Encoding To UTF-8 PowerShell, Mshta Suspicious Child Process, Lazarus Loaders, PowerShell EncodedCommand, Microsoft Defender Antivirus Disabled Base64 Encoded, XSL Script Processing And SquiblyTwo Attack, Sysprep On AppData Folder, Trickbot Malware Activity, Koadic Execution, Microsoft Office Spawning Script, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious Outlook Child Process, Elise Backdoor, Phorpiex DriveMgr Command, Suspicious PowerShell Invocations - Specific, DNS Exfiltration and Tunneling Tools Execution, Suspicious Windows Script Execution, PowerShell Downgrade Attack, MalwareBytes Uninstallation, Exploited CVE-2020-10189 Zoho ManageEngine, Bloodhound and Sharphound Tools Usage, Suspicious Cmd.exe Command Line, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, QakBot Process Creation, Suspicious Windows Script Execution, Koadic Execution, Microsoft Office Spawning Script, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Creating Suspicious File, Suspicious VBS Execution Parameter"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Empire Monkey Activity, PowerShell Execution Via Rundll32, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Equation Group DLL_U Load, SquirrelWaffle Malspam Execution Loading DLL, Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Control Process, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Taskkill Command, CertOC Loading Dll, Empire Monkey Activity, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Windows Installer Execution, xWizard Execution, MavInject Process Injection, MOFComp Execution, Suspicious Mshta Execution, IcedID Execution Using Excel, AccCheckConsole Executing Dll, CMSTP UAC Bypass via COM Object Access, Equation Group DLL_U Load, Suspicious Rundll32.exe Execution, Suspicious Regsvr32 Execution, Explorer Process Executing HTA File, PowerShell Execution Via Rundll32, Suspicious DLL Loading By Ordinal, Mshta JavaScript Execution, CMSTP Execution, Control Panel Items"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, XCopy Suspicious Usage, Opening Of a Password File"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Windows Firewall Changes, Netsh Port Opening, Netsh RDP Port Forwarding, Netsh Allow Command, NetSh Used To Disable Windows Firewall, Netsh Program Allowed With Suspicious Location, Netsh Port Forwarding, Netsh Allowed Python Program, Netsh RDP Port Opening"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Wmiprvse Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Winlogon wrong parent, Userinit Wrong Parent, Spoolsv Wrong Parent, Dllhost Wrong Parent, Csrss Child Found, Csrss Wrong Parent, Wininit Wrong Parent, New Service Creation, Winrshost Wrong Parent, Taskhostw Wrong Parent, Logonui Wrong Parent, Winword wrong parent, Taskhost Wrong Parent, Searchindexer Wrong Parent, SolarWinds Wrong Child Process, Searchprotocolhost Child Found, Lsass Wrong Parent, Searchprotocolhost Wrong Parent, Wsmprovhost Wrong Parent, Smss Wrong Parent, OneNote Suspicious Children Process, Rare Logonui Child Found, Rare Lsass Child Found, Svchost Wrong Parent, Explorer Wrong Parent, Suspicious Commands From MS SQL Server Shell"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Wmiprvse Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Winlogon wrong parent, Userinit Wrong Parent, Spoolsv Wrong Parent, Dllhost Wrong Parent, Csrss Child Found, Csrss Wrong Parent, Wininit Wrong Parent, New Service Creation, Winrshost Wrong Parent, Taskhostw Wrong Parent, Logonui Wrong Parent, Winword wrong parent, Taskhost Wrong Parent, Searchindexer Wrong Parent, SolarWinds Wrong Child Process, Searchprotocolhost Child Found, Lsass Wrong Parent, Searchprotocolhost Wrong Parent, Wsmprovhost Wrong Parent, Smss Wrong Parent, OneNote Suspicious Children Process, Rare Logonui Child Found, Rare Lsass Child Found, Svchost Wrong Parent, Explorer Wrong Parent, Suspicious Commands From MS SQL Server Shell"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools, Wmiprvse Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Winlogon wrong parent, Userinit Wrong Parent, Suspicious Commands From MS SQL Server Shell, Spoolsv Wrong Parent, Dllhost Wrong Parent, Csrss Child Found, Csrss Wrong Parent, Wininit Wrong Parent, Winrshost Wrong Parent, Taskhostw Wrong Parent, Logonui Wrong Parent, Winword wrong parent, Taskhost Wrong Parent, Searchindexer Wrong Parent, SolarWinds Wrong Child Process, Searchprotocolhost Child Found, Lsass Wrong Parent, Searchprotocolhost Wrong Parent, Wsmprovhost Wrong Parent, Smss Wrong Parent, OneNote Suspicious Children Process, PsExec Process, Rare Logonui Child Found, Rare Lsass Child Found, Svchost Wrong Parent, Usage Of Procdump With Common Arguments, Suspicious DNS Child Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools, Wmiprvse Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Winlogon wrong parent, Userinit Wrong Parent, Suspicious Commands From MS SQL Server Shell, Spoolsv Wrong Parent, Dllhost Wrong Parent, Csrss Child Found, Csrss Wrong Parent, SolarWinds Suspicious File Creation, Wininit Wrong Parent, Winrshost Wrong Parent, Taskhostw Wrong Parent, Logonui Wrong Parent, Microsoft Defender Antivirus Threat Detected, Winword wrong parent, Taskhost Wrong Parent, Searchindexer Wrong Parent, SolarWinds Wrong Child Process, Searchprotocolhost Child Found, Windows Update LolBins, Lsass Wrong Parent, Searchprotocolhost Wrong Parent, Wsmprovhost Wrong Parent, Smss Wrong Parent, OneNote Suspicious Children Process, PsExec Process, Rare Logonui Child Found, Rare Lsass Child Found, Svchost Wrong Parent, Usage Of Procdump With Common Arguments, Suspicious DNS Child Process"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious PowerShell Invocations - Specific, DNS Exfiltration and Tunneling Tools Execution, PowerShell Downgrade Attack, PowerShell Download From URL, PowerShell Malicious Nishang PowerShell Commandlets, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious PrinterPorts Creation (CVE-2020-1048), Default Encoding To UTF-8 PowerShell, Suspicious Microsoft Defender Antivirus Exclusion Command, Bloodhound and Sharphound Tools Usage, Mshta Suspicious Child Process, Suspicious Taskkill Command, PowerShell EncodedCommand, Powershell Web Request, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious certutil command, Rclone Process, Suspicious Finger Usage, Suspicious Headless Web Browser Execution To Download File, Pandemic Windows Implant"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, AutoIt3 Execution From Suspicious Folder, Exploit For CVE-2017-0261 Or CVE-2017-0262, Formbook Hijacked Process Command, RTLO Character, Explorer Wrong Parent, Suspicious Cmd.exe Command Line, Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Server Loaded the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Error Failed Loading the CallOut DLL"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Wmic Process Call Creation, WMIC Uninstall Product, Wmic Service Call, WMI Install Of Binary, Impacket Wmiexec Module, Blue Mockingbird Malware, Suspicious Mshta Execution From Wmi"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Koadic Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Failed Logon Source From Public IP Addresses, Account Added To A Security Enabled Group"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Explorer Wrong Parent, Formbook Hijacked Process Command, Phorpiex Process Masquerading, Exploit For CVE-2017-0261 Or CVE-2017-0262"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Suspicious Scheduled Task Creation, Schtasks Suspicious Parent, Qakbot Persistence Using Schtasks, STRRAT Scheduled Task, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Suspicious Scheduled Task Creation, Schtasks Suspicious Parent, Qakbot Persistence Using Schtasks, STRRAT Scheduled Task, BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Leviathan Registry Key Activity, RUN Registry Key Created From Suspicious Folder, Autorun Keys Modification"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass Using Fodhelper, UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass Using Fodhelper, UAC Bypass Via Sdclt"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious certutil command, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Mshta Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Disable Workstation Lock, Ursnif Registry Key, FlowCloud Malware, Disable .NET ETW Through COMPlus_ETWEnabled, RedMimicry Winnti Playbook Registry Manipulation, RDP Sensitive Settings Changed, OceanLotus Registry Activity, Blue Mockingbird Malware"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups, Suncrypt Parameters"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username, Suncrypt Parameters"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, Webshell Execution W3WP Process, Exchange Server Spawning Suspicious Processes, Exchange Server Creating Unusual Files, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: IIS Module Installation Using AppCmd, PowerCat Function Loading, Webshell Execution W3WP Process, Exchange Server Spawning Suspicious Processes, Exchange Server Creating Unusual Files, Webshell Creation"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Backup Catalog Deleted"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Suspicious Taskkill Command, Explorer Process Executing HTA File, Suspicious Mshta Execution"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, Trickbot Malware Activity, NlTest Usage, Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Audit CVE Event"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Suspicious Windows DNS Queries, Exfiltration And Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write, Change Default File Association, Sticky Key Like Backdoor Usage, Suspicious Netsh DLL Persistence, New DLL Added To AppCertDlls Registry Key, Control Panel Items"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain In Command Line, Rclone Process"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, PowerShell EncodedCommand"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Suspicious HWP Child Process, Exploit For CVE-2015-1641, Audit CVE Event"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Windows Credential Editor Registry Key"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious HWP Child Process, Suspicious Double Extension"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Failed Logon Source From Public IP Addresses, CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious DNS Child Process"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Formbook File Creation DB1"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1212", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1210", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1499.004", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1499", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: Failed Logon Source From Public IP Addresses"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_2b13307b-7439-4973-900a-2b58303cac90_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_2b13307b-7439-4973-900a-2b58303cac90_do_not_edit_manually.json index 7228d273c9..f93bf31a6f 100644 --- a/_shared_content/operations_center/detection/generated/attack_2b13307b-7439-4973-900a-2b58303cac90_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_2b13307b-7439-4973-900a-2b58303cac90_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x VMware ESXi", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Raccine Uninstall, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disable Using Registry, Disabled IE Security Features, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Restoration Abuse, WMIC Uninstall Product, Netsh RDP Port Forwarding, Netsh Port Forwarding, MalwareBytes Uninstallation, Debugging Software Deactivation, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Raccine Uninstall, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disable Using Registry, WMIC Uninstall Product, NetSh Used To Disable Windows Firewall, Debugging Software Deactivation, Windows Firewall Changes, Clear EventLogs Through CommandLine, ETW Tampering, Disabled IE Security Features, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh RDP Port Forwarding, Netsh Port Forwarding, MalwareBytes Uninstallation, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Allowed Python Program"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, NTDS.dit File Interaction Through Command Line, Process Memory Dump Using Comsvcs, Process Memory Dump Using Rdrleakdiag, Rubeus Tool Command-line, Process Trace Alteration, HackTools Suspicious Process Names In Command Line"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Python HTTP Server"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, XCopy Suspicious Usage"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Non-Legitimate Executable Using AcceptEula Parameter, RTLO Character"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious PowerShell Invocations - Specific, Suspicious Taskkill Command, PowerShell EncodedCommand, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious PowerShell Invocations - Specific, Suspicious Taskkill Command, PowerShell EncodedCommand, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Phorpiex DriveMgr Command, WMIC Uninstall Product, Lazarus Loaders, MalwareBytes Uninstallation, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username, Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CertOC Loading Dll, Suspicious Taskkill Command, Suspicious Windows Installer Execution, Control Panel Items, MavInject Process Injection, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Phorpiex DriveMgr Command, WMIC Uninstall Product, Lazarus Loaders, MalwareBytes Uninstallation"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key, Control Panel Items, Change Default File Association, Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh RDP Port Forwarding, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Windows Firewall Changes, Netsh Allowed Python Program"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Wmic Service Call, Wmic Process Call Creation, WMIC Uninstall Product, Blue Mockingbird Malware"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Netsh Port Forwarding, SOCKS Tunneling Tool"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading"}]} \ No newline at end of file +{"name": "SEKOIA.IO x VMware ESXi", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Debugging Software Deactivation, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, WMIC Uninstall Product, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, MalwareBytes Uninstallation, Netsh RDP Port Forwarding, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Restoration Abuse, Disabled IE Security Features, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh Port Forwarding, Raccine Uninstall, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Disable Using Registry, WMIC Uninstall Product, Address Space Layout Randomization (ASLR) Alteration, Suspicious Microsoft Defender Antivirus Exclusion Command, Debugging Software Deactivation, Windows Firewall Changes, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh RDP Port Forwarding, ETW Tampering, Disabled IE Security Features, Netsh Port Forwarding, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, MalwareBytes Uninstallation, Microsoft Defender Antivirus Restoration Abuse, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Raccine Uninstall, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Comsvcs, WCE wceaux.dll Creation, NTDS.dit File Interaction Through Command Line, Rubeus Tool Command-line, Process Memory Dump Using Rdrleakdiag, HackTools Suspicious Process Names In Command Line, Process Trace Alteration"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution, Nimbo-C2 User Agent, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Python HTTP Server"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious PowerShell Invocations - Specific, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), Default Encoding To UTF-8 PowerShell, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Taskkill Command, PowerShell EncodedCommand, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious PowerShell Invocations - Specific, Phorpiex DriveMgr Command, DNS Exfiltration and Tunneling Tools Execution, WMIC Uninstall Product, MalwareBytes Uninstallation, Suspicious PrinterPorts Creation (CVE-2020-1048), Default Encoding To UTF-8 PowerShell, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Taskkill Command, Lazarus Loaders, PowerShell EncodedCommand, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username, Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution, Suspicious DLL Loading By Ordinal, MavInject Process Injection, Suspicious Taskkill Command, CertOC Loading Dll, Control Panel Items"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, WMIC Uninstall Product, MalwareBytes Uninstallation, Suspicious Taskkill Command, Lazarus Loaders"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key, Suspicious Netsh DLL Persistence, Control Panel Items, Change Default File Association"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Windows Firewall Changes, Netsh RDP Port Forwarding, NetSh Used To Disable Windows Firewall, Netsh Port Forwarding, Netsh Allowed Python Program"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Process Call Creation, WMIC Uninstall Product, Wmic Service Call, WMI Install Of Binary, Blue Mockingbird Malware"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Netsh Port Forwarding"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_2ee6048e-8322-4575-8e47-1574946412b6_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_2ee6048e-8322-4575-8e47-1574946412b6_do_not_edit_manually.json index 6bbe82bbf3..4a43368116 100644 --- a/_shared_content/operations_center/detection/generated/attack_2ee6048e-8322-4575-8e47-1574946412b6_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_2ee6048e-8322-4575-8e47-1574946412b6_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Cisco ESA", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Koadic MSHTML Command, Nimbo-C2 User Agent, Bazar Loader DGA (Domain Generation Algorithm), Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension, Suspicious Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-21985 VMware vCenter, CVE-2018-11776 Apache Struts2, CVE-2019-0604 SharePoint, CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-26855 Exchange SSRF, CVE-2020-1147 SharePoint, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-21972 VMware vCenter, CVE-2020-17530 Apache Struts RCE"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Koadic MSHTML Command, Nimbo-C2 User Agent, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Creating Unusual Files, ProxyShell Exchange Suspicious Paths, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Creating Unusual Files, ProxyShell Exchange Suspicious Paths, Webshell Creation"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: SolarWinds Suspicious File Creation, PsExec Process"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Cisco ESA", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Exfiltration And Tunneling Tools Execution, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, Nimbo-C2 User Agent, Bazar Loader DGA (Domain Generation Algorithm), SEKOIA.IO Intelligence Feed, Detect requests to Konni C2 servers"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension, Suspicious Double Extension, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-26855 Exchange SSRF, CVE-2019-0604 SharePoint, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-17530 Apache Struts RCE, CVE-2021-21972 VMware vCenter, CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv, CVE-2020-1147 SharePoint, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2018-11776 Apache Struts2, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-21985 VMware vCenter"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Exfiltration And Tunneling Tools Execution, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, Nimbo-C2 User Agent, Detect requests to Konni C2 servers"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Potential DNS Tunnel"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Creating Unusual Files, ProxyShell Exchange Suspicious Paths, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Creating Unusual Files, ProxyShell Exchange Suspicious Paths, Webshell Creation"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, WCE wceaux.dll Creation"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_325369ba-8515-45b4-b750-5db882ea1266_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_325369ba-8515-45b4-b750-5db882ea1266_do_not_edit_manually.json index 7d4ecb10b4..0feb0e4697 100644 --- a/_shared_content/operations_center/detection/generated/attack_325369ba-8515-45b4-b750-5db882ea1266_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_325369ba-8515-45b4-b750-5db882ea1266_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Sophos Firewall", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, LokiBot Default C2 URL, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Koadic MSHTML Command, Nimbo-C2 User Agent, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2018-11776 Apache Struts2, CVE-2020-14882 Oracle WebLogic Server, GitLab CVE-2021-22205, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-21985 VMware vCenter, CVE-2019-0604 SharePoint, CVE-2018-13379 Fortinet Exploit, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-26855 Exchange SSRF, CVE-2021-21972 VMware vCenter, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-17530 Apache Struts RCE, CVE-2019-11510 Pulse Secure Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-43798 Grafana Directory Traversal, CVE-2020-1147 SharePoint, CVE-2021-22123 Fortinet FortiWeb OS Command Injection"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: LokiBot Default C2 URL, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Koadic MSHTML Command, Nimbo-C2 User Agent, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Sophos Firewall", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Koadic MSHTML Command, LokiBot Default C2 URL, FoggyWeb HTTP Default GET/POST Requests, Nimbo-C2 User Agent, SEKOIA.IO Intelligence Feed, Detect requests to Konni C2 servers"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-26855 Exchange SSRF, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2018-13379 Fortinet Exploit, CVE-2021-21985 VMware vCenter, GitLab CVE-2021-22205, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2019-0604 SharePoint, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2019-11510 Pulse Secure Exploit, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2021-21972 VMware vCenter, CVE-2020-1147 SharePoint, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2018-11776 Apache Struts2, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Koadic MSHTML Command, LokiBot Default C2 URL, FoggyWeb HTTP Default GET/POST Requests, Nimbo-C2 User Agent, Detect requests to Konni C2 servers"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_3c7057d3-4689-4fae-8033-6f1f887a70f2_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_3c7057d3-4689-4fae-8033-6f1f887a70f2_do_not_edit_manually.json index 9791341e7b..ac4c3f1c7c 100644 --- a/_shared_content/operations_center/detection/generated/attack_3c7057d3-4689-4fae-8033-6f1f887a70f2_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_3c7057d3-4689-4fae-8033-6f1f887a70f2_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x HarfangLab EDR", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration, Kernel Module Alteration, Leviathan Registry Key Activity, Autorun Keys Modification, NjRat Registry Changes, RUN Registry Key Created From Suspicious Folder, Suspicious desktop.ini Action"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies, System Info Discovery"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration, Add User to Privileged Group, Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: High Privileges Network Share Removal, ETW Tampering, Erase Shell History, Microsoft Defender Antivirus History Deleted, Microsoft Defender Antivirus History Directory Deleted, Microsoft Defender Antivirus Tampering Detected, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows, Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious Taskkill Command, WMIC Uninstall Product, Bloodhound and Sharphound Tools Usage, PowerShell Download From URL, QakBot Process Creation, Suspicious Outlook Child Process, SquirrelWaffle Malspam Execution Loading DLL, Trickbot Malware Activity, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious VBS Execution Parameter, PowerShell EncodedCommand, Suspicious Microsoft Defender Antivirus Exclusion Command, Phorpiex DriveMgr Command, Powershell Web Request, Lazarus Loaders, MalwareBytes Uninstallation, Mshta Suspicious Child Process, Sysprep On AppData Folder, Elise Backdoor, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious Windows Script Execution, Koadic Execution, AutoIt3 Execution From Suspicious Folder, XSL Script Processing And SquiblyTwo Attack, Microsoft Defender Antivirus Threat Detected, Suspicious Cmd.exe Command Line, DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Invocations - Specific, PowerShell Downgrade Attack, Python Offensive Tools and Packages, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Office Creating Suspicious File, Microsoft Office Spawning Script, Default Encoding To UTF-8 PowerShell, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious PrinterPorts Creation (CVE-2020-1048)"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, Outlook Registry Access, Container Credential Access, XCopy Suspicious Usage"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Exploiting SetupComplete.cmd CVE-2019-1378, Hijack Legit RDP Session To Move Laterally, DHCP Server Error Failed Loading the CallOut DLL, DHCP Server Loaded the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration, Raccine Uninstall, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disable Using Registry, WMIC Uninstall Product, Debugging Software Deactivation, Netsh RDP Port Opening, Disabled IE Security Features, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh RDP Port Forwarding, Netsh Port Forwarding, MalwareBytes Uninstallation, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disable Scheduled Tasks, Suspicious Driver Loaded, Netsh Program Allowed With Suspicious Location, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Fail2ban Unban IP, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Port Opening, Microsoft Defender Antivirus Signatures Removed With MpCmdRun"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration, Raccine Uninstall, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disable Using Registry, WMIC Uninstall Product, NetSh Used To Disable Windows Firewall, Debugging Software Deactivation, Windows Firewall Changes, Clear EventLogs Through CommandLine, ETW Tampering, Netsh RDP Port Opening, Netsh Allow Command, Disabled IE Security Features, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh RDP Port Forwarding, Netsh Port Forwarding, MalwareBytes Uninstallation, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disable Scheduled Tasks, Suspicious Driver Loaded, Netsh Program Allowed With Suspicious Location, Microsoft Defender Antivirus Tampering Detected, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Fail2ban Unban IP, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Port Opening, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Allowed Python Program"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Explorer Wrong Parent, Spoolsv Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, Searchindexer Wrong Parent, Taskhost Wrong Parent, Svchost Wrong Parent, Smss Wrong Parent, Taskhostw Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Searchprotocolhost Wrong Parent, MavInject Process Injection, Wsmprovhost Wrong Parent, Wmiprvse Wrong Parent"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: STRRAT Scheduled Task, Schtasks Suspicious Parent, Schtasks Persistence With High Privileges, Cron Files Alteration, Suspicious Scheduled Task Creation, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line, Cmdkey Cached Credentials Recon, Process Memory Dump Using Comsvcs, Process Memory Dump Using Rdrleakdiag, Rubeus Tool Command-line, Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials, Windows Credential Editor Registry Key, Process Trace Alteration, Process Memory Dump Using Createdump, HackTools Suspicious Names, Copying Sensitive Files With Credential Data, HackTools Suspicious Process Names In Command Line"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, DNS Tunnel Technique From MuddyWater, Exfiltration And Tunneling Tools Execution, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Sliver DNS Beaconing, Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Outlook Child Process, SEKOIA.IO Intelligence Feed, Suspicious Double Extension, Suspicious HWP Child Process"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Python HTTP Server"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, DNS Exfiltration and Tunneling Tools Execution, Sliver DNS Beaconing"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Exploit For CVE-2015-1641, HarfangLab EDR Suspicious Process Behavior Has Been Detected, HarfangLab EDR Process Execution Blocked, HarfangLab EDR Low Level Rule Detection, MS Office Product Spawning Exe in User Dir, Winword Document Droppers, Microsoft Office Product Spawning Windows Shell, Microsoft Office Creating Suspicious File, Microsoft Office Spawning Script, HarfangLab EDR Hlai Engine Detection, SquirrelWaffle Malspam Execution Loading DLL, Explorer Process Executing HTA File, HarfangLab EDR Critical Level Rule Detection, HarfangLab EDR Medium Level Rule Detection, Sysmon Windows File Block Executable, Cobalt Strike Default Beacons Names, HarfangLab EDR High Level Rule Detection"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Exploit For CVE-2015-1641, Suspicious Outlook Child Process, SquirrelWaffle Malspam Execution Loading DLL, Winword Document Droppers, HarfangLab EDR Low Level Rule Detection, HarfangLab EDR Medium Level Rule Detection, MS Office Product Spawning Exe in User Dir, Microsoft Office Product Spawning Windows Shell, HarfangLab EDR Hlai Engine Detection, Microsoft Defender Antivirus Threat Detected, HarfangLab EDR High Level Rule Detection, Explorer Process Executing HTA File, IcedID Execution Using Excel, HarfangLab EDR Suspicious Process Behavior Has Been Detected, HarfangLab EDR Process Execution Blocked, Microsoft Office Creating Suspicious File, Microsoft Office Spawning Script, HarfangLab EDR Critical Level Rule Detection, Sysmon Windows File Block Executable, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack, Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious Taskkill Command, Exploited CVE-2020-10189 Zoho ManageEngine, Phorpiex DriveMgr Command, Koadic Execution, Suspicious Cmd.exe Command Line, WMIC Uninstall Product, Lazarus Loaders, MalwareBytes Uninstallation, SquirrelWaffle Malspam Execution Loading DLL, Elise Backdoor"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, Microsoft Office Creating Suspicious File, Microsoft Office Spawning Script, Suspicious Windows Script Execution, Koadic Execution, XSL Script Processing And SquiblyTwo Attack, QakBot Process Creation, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: IcedID Execution Using Excel, PowerShell Execution Via Rundll32, Equation Group DLL_U Load, Empire Monkey Activity, Suspicious DLL Loading By Ordinal, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Suspicious Windows Installer Execution, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Regsvr32 Execution, PowerShell Execution Via Rundll32, Control Panel Items, MavInject Process Injection, Mshta JavaScript Execution, MOFComp Execution, xWizard Execution, AccCheckConsole Executing Dll, Empire Monkey Activity, Suspicious DLL Loading By Ordinal, CMSTP UAC Bypass via COM Object Access, CMSTP Execution, Suspicious Rundll32.exe Execution, Explorer Process Executing HTA File, IcedID Execution Using Excel, Suspicious Control Process, CertOC Loading Dll, Suspicious Mshta Execution, Equation Group DLL_U Load"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, XCopy Suspicious Usage, Adexplorer Usage"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh RDP Port Opening, Netsh Allow Command, Netsh Program Allowed With Suspicious Location, Netsh Port Opening, Netsh RDP Port Forwarding, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Windows Firewall Changes, Netsh Allowed Python Program"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Winlogon wrong parent, Dllhost Wrong Parent, Csrss Wrong Parent, Winword wrong parent, Rare Lsass Child Found, Csrss Child Found, Searchprotocolhost Child Found, Explorer Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Taskhost Wrong Parent, Rare Logonui Child Found, Wsmprovhost Wrong Parent, Lsass Wrong Parent, Logonui Wrong Parent, SolarWinds Wrong Child Process, Searchindexer Wrong Parent, Userinit Wrong Parent, New Service Creation, Wininit Wrong Parent, Taskhostw Wrong Parent, Wmiprvse Wrong Parent, Spoolsv Wrong Parent, Winrshost Wrong Parent, Svchost Wrong Parent, Smss Wrong Parent, Suspicious Commands From MS SQL Server Shell, Searchprotocolhost Wrong Parent, OneNote Suspicious Children Process"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Winlogon wrong parent, Dllhost Wrong Parent, Csrss Wrong Parent, Winword wrong parent, Rare Lsass Child Found, Csrss Child Found, Searchprotocolhost Child Found, Explorer Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Taskhost Wrong Parent, Rare Logonui Child Found, Wsmprovhost Wrong Parent, Lsass Wrong Parent, Logonui Wrong Parent, SolarWinds Wrong Child Process, Searchindexer Wrong Parent, Userinit Wrong Parent, New Service Creation, Wininit Wrong Parent, Taskhostw Wrong Parent, Wmiprvse Wrong Parent, Spoolsv Wrong Parent, Winrshost Wrong Parent, Svchost Wrong Parent, Smss Wrong Parent, Suspicious Commands From MS SQL Server Shell, Searchprotocolhost Wrong Parent, OneNote Suspicious Children Process"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Winlogon wrong parent, Dllhost Wrong Parent, Csrss Wrong Parent, Winword wrong parent, Rare Lsass Child Found, Csrss Child Found, Searchprotocolhost Child Found, Usage Of Sysinternals Tools, Taskhost or Taskhostw Suspicious Child Found, Taskhost Wrong Parent, Rare Logonui Child Found, Wsmprovhost Wrong Parent, Lsass Wrong Parent, Logonui Wrong Parent, SolarWinds Wrong Child Process, Suspicious DNS Child Process, Searchindexer Wrong Parent, Userinit Wrong Parent, Wininit Wrong Parent, Taskhostw Wrong Parent, PsExec Process, Wmiprvse Wrong Parent, Usage Of Procdump With Common Arguments, Spoolsv Wrong Parent, Winrshost Wrong Parent, Svchost Wrong Parent, Smss Wrong Parent, Suspicious Commands From MS SQL Server Shell, Searchprotocolhost Wrong Parent, OneNote Suspicious Children Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Winlogon wrong parent, Dllhost Wrong Parent, Csrss Wrong Parent, Winword wrong parent, Rare Lsass Child Found, Csrss Child Found, Searchprotocolhost Child Found, Windows Update LolBins, Usage Of Sysinternals Tools, Taskhost or Taskhostw Suspicious Child Found, Taskhost Wrong Parent, Rare Logonui Child Found, Wsmprovhost Wrong Parent, Lsass Wrong Parent, Logonui Wrong Parent, SolarWinds Wrong Child Process, Suspicious DNS Child Process, Searchindexer Wrong Parent, Userinit Wrong Parent, Wininit Wrong Parent, Taskhostw Wrong Parent, Microsoft Defender Antivirus Threat Detected, SolarWinds Suspicious File Creation, PsExec Process, Wmiprvse Wrong Parent, Usage Of Procdump With Common Arguments, Spoolsv Wrong Parent, Winrshost Wrong Parent, Svchost Wrong Parent, Smss Wrong Parent, Suspicious Commands From MS SQL Server Shell, Searchprotocolhost Wrong Parent, OneNote Suspicious Children Process"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious PowerShell Invocations - Specific, PowerShell Downgrade Attack, Suspicious Taskkill Command, PowerShell EncodedCommand, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Exploited CVE-2020-10189 Zoho ManageEngine, Powershell Web Request, Bloodhound and Sharphound Tools Usage, PowerShell Download From URL, Default Encoding To UTF-8 PowerShell, PowerShell Malicious Nishang PowerShell Commandlets, Mshta Suspicious Child Process, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command, Rclone Process, Suspicious Finger Usage, Pandemic Windows Implant"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Exploit For CVE-2017-0261 Or CVE-2017-0262, Explorer Wrong Parent, RTLO Character, Phorpiex Process Masquerading, AutoIt3 Execution From Suspicious Folder, Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line, Formbook Hijacked Process Command, Non-Legitimate Executable Using AcceptEula Parameter"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Server Error Failed Loading the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Loaded the CallOut DLL"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Wmic Service Call, Wmic Process Call Creation, Impacket Wmiexec Module, WMIC Uninstall Product, XSL Script Processing And SquiblyTwo Attack, Suspicious Mshta Execution From Wmi, Blue Mockingbird Malware"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Koadic Execution, Suspicious Windows Script Execution"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Failed Logon Source From Public IP Addresses, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Exploit For CVE-2017-0261 Or CVE-2017-0262, Explorer Wrong Parent, Formbook Hijacked Process Command"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: STRRAT Scheduled Task, Schtasks Suspicious Parent, Schtasks Persistence With High Privileges, Suspicious Scheduled Task Creation, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: RUN Registry Key Created From Suspicious Folder, Leviathan Registry Key Activity, Autorun Keys Modification"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Blue Mockingbird Malware"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious certutil command, Suspicious Mshta Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Ursnif Registry Key, RedMimicry Winnti Playbook Registry Manipulation, FlowCloud Malware, Disable Workstation Lock, OceanLotus Registry Activity, Blue Mockingbird Malware, RDP Sensitive Settings Changed"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Inhibit System Recovery Deleting Backups, Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username, Suncrypt Parameters"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, Exchange Server Spawning Suspicious Processes, Webshell Execution W3WP Process, Exchange Server Creating Unusual Files, PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, Exchange Server Spawning Suspicious Processes, Webshell Execution W3WP Process, IIS Module Installation Using AppCmd, Exchange Server Creating Unusual Files, PowerCat Function Loading"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Backup Catalog Deleted, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Suspicious Mshta Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Trickbot Malware Activity, NlTest Usage, AdFind Usage, Bloodhound and Sharphound Tools Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Ngrok Process Execution, Exfiltration And Tunneling Tools Execution, SOCKS Tunneling Tool, Netsh Port Forwarding"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write, New DLL Added To AppCertDlls Registry Key, Control Panel Items, Suspicious Netsh DLL Persistence, Sticky Key Like Backdoor Usage, Change Default File Association"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, OneNote Embedded File"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Exploit For CVE-2015-1641, Suspicious HWP Child Process"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Windows Credential Editor Registry Key, Process Memory Dump Using Createdump"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious HWP Child Process"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Suspicious DNS Child Process, Exploited CVE-2020-10189 Zoho ManageEngine, Failed Logon Source From Public IP Addresses, CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1, Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: Failed Logon Source From Public IP Addresses"}]} \ No newline at end of file +{"name": "SEKOIA.IO x HarfangLab EDR", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration, Autorun Keys Modification, Suspicious desktop.ini Action, Leviathan Registry Key Activity, RUN Registry Key Created From Suspicious Folder, NjRat Registry Changes, Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, System Info Discovery, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration, Password Change On Directory Service Restore Mode (DSRM) Account, Add User to Privileged Group"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, High Privileges Network Share Removal, Microsoft Defender Antivirus Tampering Detected, Erase Shell History, ETW Tampering, Microsoft Defender Antivirus History Directory Deleted, Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, WiFi Credentials Harvesting Using Netsh, Capture a network trace with netsh.exe, Network Sniffing Windows"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: WMIC Uninstall Product, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Creating Suspicious File, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious VBS Execution Parameter, Suspicious Taskkill Command, Powershell Web Request, Exploiting SetupComplete.cmd CVE-2019-1378, QakBot Process Creation, AutoIt3 Execution From Suspicious Folder, PowerShell Download From URL, PowerShell Malicious Nishang PowerShell Commandlets, Microsoft Defender Antivirus Threat Detected, Default Encoding To UTF-8 PowerShell, Mshta Suspicious Child Process, Lazarus Loaders, PowerShell EncodedCommand, Microsoft Defender Antivirus Disabled Base64 Encoded, XSL Script Processing And SquiblyTwo Attack, Sysprep On AppData Folder, Trickbot Malware Activity, Koadic Execution, Microsoft Office Spawning Script, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious Outlook Child Process, Elise Backdoor, Phorpiex DriveMgr Command, Suspicious PowerShell Invocations - Specific, Python Offensive Tools and Packages, DNS Exfiltration and Tunneling Tools Execution, Suspicious Windows Script Execution, PowerShell Downgrade Attack, MalwareBytes Uninstallation, Exploited CVE-2020-10189 Zoho ManageEngine, Bloodhound and Sharphound Tools Usage, Suspicious Cmd.exe Command Line, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Adexplorer Usage, Container Credential Access, Outlook Registry Access, Opening Of a Password File"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Dynamic Linker Hijacking From Environment Variable, DHCP Server Error Failed Loading the CallOut DLL, Hijack Legit RDP Session To Move Laterally, DHCP Server Loaded the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Using Registry, WMIC Uninstall Product, Address Space Layout Randomization (ASLR) Alteration, Suspicious Driver Loaded, Suspicious Microsoft Defender Antivirus Exclusion Command, Debugging Software Deactivation, Fail2ban Unban IP, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh RDP Port Forwarding, Disabled IE Security Features, Netsh Port Forwarding, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh Port Opening, Microsoft Defender Antivirus Disable Scheduled Tasks, MalwareBytes Uninstallation, Microsoft Defender Antivirus Restoration Abuse, Package Manager Alteration, Netsh Program Allowed With Suspicious Location, Raccine Uninstall, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Disable Using Registry, WMIC Uninstall Product, Netsh Allow Command, Address Space Layout Randomization (ASLR) Alteration, Suspicious Driver Loaded, Suspicious Microsoft Defender Antivirus Exclusion Command, Debugging Software Deactivation, Windows Firewall Changes, Fail2ban Unban IP, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh RDP Port Forwarding, ETW Tampering, Disabled IE Security Features, Netsh Port Forwarding, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Tampering Detected, Netsh Port Opening, Microsoft Defender Antivirus Disable Scheduled Tasks, MalwareBytes Uninstallation, Microsoft Defender Antivirus Restoration Abuse, NetSh Used To Disable Windows Firewall, Package Manager Alteration, Netsh Program Allowed With Suspicious Location, Netsh Allowed Python Program, Raccine Uninstall, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Wmiprvse Wrong Parent, Smss Wrong Parent, Taskhost Wrong Parent, MavInject Process Injection, Searchindexer Wrong Parent, Taskhostw Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Svchost Wrong Parent, Explorer Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, Spoolsv Wrong Parent, Searchprotocolhost Wrong Parent, Wsmprovhost Wrong Parent"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration, Schtasks Persistence With High Privileges, Suspicious Scheduled Task Creation, Schtasks Suspicious Parent, Qakbot Persistence Using Schtasks, STRRAT Scheduled Task, BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Names, Process Memory Dump Using Comsvcs, WCE wceaux.dll Creation, NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data, Rubeus Tool Command-line, Process Memory Dump Using Rdrleakdiag, HackTools Suspicious Process Names In Command Line, Process Trace Alteration, Windows Credential Editor Registry Key, Cmdkey Cached Credentials Recon, Copying Browser Files With Credentials, NTDS.dit File In Suspicious Directory, Grabbing Sensitive Hives Via Reg Utility, Process Memory Dump Using Createdump"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Sliver DNS Beaconing, Exfiltration And Tunneling Tools Execution, Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater, Nimbo-C2 User Agent, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious HWP Child Process, SEKOIA.IO Intelligence Feed, Suspicious Outlook Child Process, Suspicious Double Extension"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Exfiltration And Tunneling Tools Execution, Python HTTP Server, Nimbo-C2 User Agent"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing, DNS Tunnel Technique From MuddyWater, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Sysmon Windows File Block Executable, HarfangLab EDR Suspicious Process Behavior Has Been Detected, IcedID Execution Using Excel, Explorer Process Executing HTA File, Microsoft Office Product Spawning Windows Shell, HarfangLab EDR Low Level Rule Detection, HarfangLab EDR High Level Rule Detection, HarfangLab EDR Medium Level Rule Detection, Microsoft Office Spawning Script, Exploit For CVE-2015-1641, MS Office Product Spawning Exe in User Dir, SquirrelWaffle Malspam Execution Loading DLL, HarfangLab EDR Process Execution Blocked, Cobalt Strike Default Beacons Names, Winword Document Droppers, Microsoft Office Creating Suspicious File, HarfangLab EDR Critical Level Rule Detection, HarfangLab EDR Hlai Engine Detection"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Creating Suspicious File, HarfangLab EDR Critical Level Rule Detection, Sysmon Windows File Block Executable, Microsoft Office Product Spawning Windows Shell, HarfangLab EDR Low Level Rule Detection, Exploit For CVE-2015-1641, Microsoft Defender Antivirus Threat Detected, Winword Document Droppers, MS Office Product Spawning Exe in User Dir, HarfangLab EDR Suspicious Process Behavior Has Been Detected, IcedID Execution Using Excel, HarfangLab EDR High Level Rule Detection, HarfangLab EDR Medium Level Rule Detection, Microsoft Office Spawning Script, Suspicious Outlook Child Process, Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File, HarfangLab EDR Process Execution Blocked, HarfangLab EDR Hlai Engine Detection"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Possible Replay Attack"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Phorpiex DriveMgr Command, WMIC Uninstall Product, Koadic Execution, MalwareBytes Uninstallation, Exploited CVE-2020-10189 Zoho ManageEngine, SquirrelWaffle Malspam Execution Loading DLL, Lazarus Loaders, Elise Backdoor, Suspicious Taskkill Command, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, QakBot Process Creation, Suspicious Windows Script Execution, Koadic Execution, Microsoft Office Spawning Script, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Creating Suspicious File, Suspicious VBS Execution Parameter"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Empire Monkey Activity, PowerShell Execution Via Rundll32, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Equation Group DLL_U Load, SquirrelWaffle Malspam Execution Loading DLL, Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Control Process, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Taskkill Command, CertOC Loading Dll, Empire Monkey Activity, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Windows Installer Execution, xWizard Execution, MavInject Process Injection, MOFComp Execution, Suspicious Mshta Execution, IcedID Execution Using Excel, AccCheckConsole Executing Dll, CMSTP UAC Bypass via COM Object Access, Equation Group DLL_U Load, Suspicious Rundll32.exe Execution, Suspicious Regsvr32 Execution, Explorer Process Executing HTA File, PowerShell Execution Via Rundll32, Suspicious DLL Loading By Ordinal, Mshta JavaScript Execution, CMSTP Execution, Control Panel Items"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, XCopy Suspicious Usage, Opening Of a Password File"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Windows Firewall Changes, Netsh Port Opening, Netsh RDP Port Forwarding, Netsh Allow Command, NetSh Used To Disable Windows Firewall, Netsh Program Allowed With Suspicious Location, Netsh Port Forwarding, Netsh Allowed Python Program, Netsh RDP Port Opening"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Wmiprvse Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Winlogon wrong parent, Userinit Wrong Parent, Spoolsv Wrong Parent, Dllhost Wrong Parent, Csrss Child Found, Csrss Wrong Parent, Wininit Wrong Parent, New Service Creation, Winrshost Wrong Parent, Taskhostw Wrong Parent, Logonui Wrong Parent, Winword wrong parent, Taskhost Wrong Parent, Searchindexer Wrong Parent, SolarWinds Wrong Child Process, Searchprotocolhost Child Found, Lsass Wrong Parent, Searchprotocolhost Wrong Parent, Wsmprovhost Wrong Parent, Smss Wrong Parent, OneNote Suspicious Children Process, Rare Logonui Child Found, Rare Lsass Child Found, Svchost Wrong Parent, Explorer Wrong Parent, Suspicious Commands From MS SQL Server Shell"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Wmiprvse Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Winlogon wrong parent, Userinit Wrong Parent, Spoolsv Wrong Parent, Dllhost Wrong Parent, Csrss Child Found, Csrss Wrong Parent, Wininit Wrong Parent, New Service Creation, Winrshost Wrong Parent, Taskhostw Wrong Parent, Logonui Wrong Parent, Winword wrong parent, Taskhost Wrong Parent, Searchindexer Wrong Parent, SolarWinds Wrong Child Process, Searchprotocolhost Child Found, Lsass Wrong Parent, Searchprotocolhost Wrong Parent, Wsmprovhost Wrong Parent, Smss Wrong Parent, OneNote Suspicious Children Process, Rare Logonui Child Found, Rare Lsass Child Found, Svchost Wrong Parent, Explorer Wrong Parent, Suspicious Commands From MS SQL Server Shell"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools, Wmiprvse Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Winlogon wrong parent, Userinit Wrong Parent, Suspicious Commands From MS SQL Server Shell, Spoolsv Wrong Parent, Dllhost Wrong Parent, Csrss Child Found, Csrss Wrong Parent, Wininit Wrong Parent, Winrshost Wrong Parent, Taskhostw Wrong Parent, Logonui Wrong Parent, Winword wrong parent, Taskhost Wrong Parent, Searchindexer Wrong Parent, SolarWinds Wrong Child Process, Searchprotocolhost Child Found, Lsass Wrong Parent, Searchprotocolhost Wrong Parent, Wsmprovhost Wrong Parent, Smss Wrong Parent, OneNote Suspicious Children Process, PsExec Process, Rare Logonui Child Found, Rare Lsass Child Found, Svchost Wrong Parent, Usage Of Procdump With Common Arguments, Suspicious DNS Child Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools, Wmiprvse Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Winlogon wrong parent, Userinit Wrong Parent, Suspicious Commands From MS SQL Server Shell, Spoolsv Wrong Parent, Dllhost Wrong Parent, Csrss Child Found, Csrss Wrong Parent, SolarWinds Suspicious File Creation, Wininit Wrong Parent, Winrshost Wrong Parent, Taskhostw Wrong Parent, Logonui Wrong Parent, Microsoft Defender Antivirus Threat Detected, Winword wrong parent, Taskhost Wrong Parent, Searchindexer Wrong Parent, SolarWinds Wrong Child Process, Searchprotocolhost Child Found, Windows Update LolBins, Lsass Wrong Parent, Searchprotocolhost Wrong Parent, Wsmprovhost Wrong Parent, Smss Wrong Parent, OneNote Suspicious Children Process, PsExec Process, Rare Logonui Child Found, Rare Lsass Child Found, Svchost Wrong Parent, Usage Of Procdump With Common Arguments, Suspicious DNS Child Process"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious PowerShell Invocations - Specific, DNS Exfiltration and Tunneling Tools Execution, PowerShell Downgrade Attack, PowerShell Download From URL, PowerShell Malicious Nishang PowerShell Commandlets, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious PrinterPorts Creation (CVE-2020-1048), Default Encoding To UTF-8 PowerShell, Suspicious Microsoft Defender Antivirus Exclusion Command, Bloodhound and Sharphound Tools Usage, Mshta Suspicious Child Process, Suspicious Taskkill Command, PowerShell EncodedCommand, Powershell Web Request, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious certutil command, Rclone Process, Suspicious Finger Usage, Suspicious Headless Web Browser Execution To Download File, Pandemic Windows Implant"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, AutoIt3 Execution From Suspicious Folder, Exploit For CVE-2017-0261 Or CVE-2017-0262, Formbook Hijacked Process Command, RTLO Character, Explorer Wrong Parent, Suspicious Cmd.exe Command Line, Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Server Loaded the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Error Failed Loading the CallOut DLL"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Wmic Process Call Creation, WMIC Uninstall Product, Wmic Service Call, WMI Install Of Binary, Impacket Wmiexec Module, Blue Mockingbird Malware, Suspicious Mshta Execution From Wmi"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Koadic Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Failed Logon Source From Public IP Addresses, Account Added To A Security Enabled Group"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Explorer Wrong Parent, Formbook Hijacked Process Command, Phorpiex Process Masquerading, Exploit For CVE-2017-0261 Or CVE-2017-0262"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Suspicious Scheduled Task Creation, Schtasks Suspicious Parent, Qakbot Persistence Using Schtasks, STRRAT Scheduled Task, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Leviathan Registry Key Activity, RUN Registry Key Created From Suspicious Folder, Autorun Keys Modification"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass Using Fodhelper, UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass Using Fodhelper, UAC Bypass Via Sdclt"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious certutil command, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Mshta Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Disable Workstation Lock, Ursnif Registry Key, FlowCloud Malware, RedMimicry Winnti Playbook Registry Manipulation, RDP Sensitive Settings Changed, OceanLotus Registry Activity, Blue Mockingbird Malware"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups, Suncrypt Parameters"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username, Suncrypt Parameters"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, Webshell Execution W3WP Process, Exchange Server Spawning Suspicious Processes, Exchange Server Creating Unusual Files, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: IIS Module Installation Using AppCmd, PowerCat Function Loading, Webshell Execution W3WP Process, Exchange Server Spawning Suspicious Processes, Exchange Server Creating Unusual Files, Webshell Creation"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Backup Catalog Deleted"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Suspicious Taskkill Command, Explorer Process Executing HTA File, Suspicious Mshta Execution"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, Trickbot Malware Activity, NlTest Usage, Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution, Ngrok Process Execution"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write, Change Default File Association, Sticky Key Like Backdoor Usage, Suspicious Netsh DLL Persistence, New DLL Added To AppCertDlls Registry Key, Control Panel Items"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain In Command Line, Rclone Process"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, PowerShell EncodedCommand"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Suspicious HWP Child Process, Exploit For CVE-2015-1641"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Process Memory Dump Using Createdump, Windows Credential Editor Registry Key"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious HWP Child Process, Suspicious Double Extension"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Failed Logon Source From Public IP Addresses, CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious DNS Child Process"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Formbook File Creation DB1"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: Failed Logon Source From Public IP Addresses"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_3e060900-4004-4754-a597-d2944a601930_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_3e060900-4004-4754-a597-d2944a601930_do_not_edit_manually.json index 6e98b3d491..dbf3170d73 100644 --- a/_shared_content/operations_center/detection/generated/attack_3e060900-4004-4754-a597-d2944a601930_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_3e060900-4004-4754-a597-d2944a601930_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x AWS GuardDuty", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: AWS GuardDuty High Severity Alert, AWS GuardDuty Medium Severity Alert, AWS GuardDuty Low Severity Alert"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: AWS GuardDuty High Severity Alert, AWS GuardDuty Medium Severity Alert, AWS GuardDuty Low Severity Alert"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}]} \ No newline at end of file +{"name": "SEKOIA.IO x AWS GuardDuty", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: AWS GuardDuty High Severity Alert, AWS GuardDuty Medium Severity Alert, AWS GuardDuty Low Severity Alert"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: AWS GuardDuty High Severity Alert, AWS GuardDuty Medium Severity Alert, AWS GuardDuty Low Severity Alert"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_3f330d19-fdea-48ac-96bd-91a447bb26bd_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_3f330d19-fdea-48ac-96bd-91a447bb26bd_do_not_edit_manually.json index 0f201be725..7f7620a599 100644 --- a/_shared_content/operations_center/detection/generated/attack_3f330d19-fdea-48ac-96bd-91a447bb26bd_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_3f330d19-fdea-48ac-96bd-91a447bb26bd_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Sophos EDR", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Sophos EDR Application Detected, Sophos EDR CorePUA Detection, Sophos EDR CorePUA Clean, Sophos EDR Application Blocked, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Detect requests to Konni C2 servers"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, Detect requests to Konni C2 servers"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Sophos EDR", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Sophos EDR Application Detected, Sophos EDR Application Blocked, Sophos EDR CorePUA Detection, Download Files From Suspicious TLDs, Sophos EDR CorePUA Clean"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Detect requests to Konni C2 servers"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, Detect requests to Konni C2 servers"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_40bac399-2d8e-40e3-af3b-f73a622c9687_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_40bac399-2d8e-40e3-af3b-f73a622c9687_do_not_edit_manually.json index 66cae16bf9..670219b348 100644 --- a/_shared_content/operations_center/detection/generated/attack_40bac399-2d8e-40e3-af3b-f73a622c9687_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_40bac399-2d8e-40e3-af3b-f73a622c9687_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Skyhigh Secure Web Gateway / McAfee Web Gateway", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution, LokiBot Default C2 URL, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Koadic MSHTML Command, Nimbo-C2 User Agent, Cobalt Strike HTTP Default POST Beaconing, Bazar Loader DGA (Domain Generation Algorithm), Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Cobalt Strike HTTP Default GET beaconing"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension, Suspicious Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2018-11776 Apache Struts2, CVE-2020-14882 Oracle WebLogic Server, GitLab CVE-2021-22205, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-21985 VMware vCenter, CVE-2019-0604 SharePoint, CVE-2018-13379 Fortinet Exploit, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-26855 Exchange SSRF, CVE-2021-21972 VMware vCenter, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-17530 Apache Struts RCE, CVE-2019-11510 Pulse Secure Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-43798 Grafana Directory Traversal, CVE-2020-1147 SharePoint, CVE-2021-22123 Fortinet FortiWeb OS Command Injection"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, LokiBot Default C2 URL, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Koadic MSHTML Command, Nimbo-C2 User Agent, Cobalt Strike HTTP Default POST Beaconing, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Cobalt Strike HTTP Default GET beaconing"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, Exchange Server Creating Unusual Files, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, Exchange Server Creating Unusual Files, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: SolarWinds Suspicious File Creation, PsExec Process"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Skyhigh Secure Web Gateway / McAfee Web Gateway", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Exfiltration And Tunneling Tools Execution, Koadic MSHTML Command, LokiBot Default C2 URL, Bazar Loader DGA (Domain Generation Algorithm), FoggyWeb HTTP Default GET/POST Requests, Nimbo-C2 User Agent, Cobalt Strike HTTP Default GET beaconing, SEKOIA.IO Intelligence Feed, Cobalt Strike HTTP Default POST Beaconing, Detect requests to Konni C2 servers"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension, Suspicious Double Extension, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-26855 Exchange SSRF, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2018-13379 Fortinet Exploit, CVE-2021-21985 VMware vCenter, GitLab CVE-2021-22205, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2019-0604 SharePoint, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2019-11510 Pulse Secure Exploit, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2021-21972 VMware vCenter, CVE-2020-1147 SharePoint, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2018-11776 Apache Struts2, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Exfiltration And Tunneling Tools Execution, Koadic MSHTML Command, LokiBot Default C2 URL, FoggyWeb HTTP Default GET/POST Requests, Nimbo-C2 User Agent, Cobalt Strike HTTP Default GET beaconing, Cobalt Strike HTTP Default POST Beaconing, Detect requests to Konni C2 servers"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Creating Unusual Files, CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Creating Unusual Files, CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Potential DNS Tunnel"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_40deb162-6bb1-4635-9c99-5c2de7e1d340_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_40deb162-6bb1-4635-9c99-5c2de7e1d340_do_not_edit_manually.json index e57f908314..ea2615a306 100644 --- a/_shared_content/operations_center/detection/generated/attack_40deb162-6bb1-4635-9c99-5c2de7e1d340_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_40deb162-6bb1-4635-9c99-5c2de7e1d340_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x SentinelOne Cloud Funnel 2.0 [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration, Kernel Module Alteration, Leviathan Registry Key Activity, Autorun Keys Modification, NjRat Registry Changes, RUN Registry Key Created From Suspicious Folder"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies, System Info Discovery"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration, Add User to Privileged Group"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: High Privileges Network Share Removal, ETW Tampering, Erase Shell History, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows, Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious Taskkill Command, WMIC Uninstall Product, Bloodhound and Sharphound Tools Usage, PowerShell Download From URL, QakBot Process Creation, Suspicious Outlook Child Process, SquirrelWaffle Malspam Execution Loading DLL, Trickbot Malware Activity, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious VBS Execution Parameter, PowerShell EncodedCommand, Suspicious Microsoft Defender Antivirus Exclusion Command, Phorpiex DriveMgr Command, Powershell Web Request, Lazarus Loaders, MalwareBytes Uninstallation, Mshta Suspicious Child Process, Sysprep On AppData Folder, Elise Backdoor, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious Windows Script Execution, Koadic Execution, AutoIt3 Execution From Suspicious Folder, XSL Script Processing And SquiblyTwo Attack, Suspicious Cmd.exe Command Line, DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Invocations - Specific, PowerShell Downgrade Attack, Python Offensive Tools and Packages, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Office Spawning Script, Default Encoding To UTF-8 PowerShell, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious PrinterPorts Creation (CVE-2020-1048)"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, Outlook Registry Access, Container Credential Access, XCopy Suspicious Usage"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally, Dynamic Linker Hijacking From Environment Variable, Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration, Raccine Uninstall, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disable Using Registry, WMIC Uninstall Product, Debugging Software Deactivation, Netsh RDP Port Opening, Disabled IE Security Features, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh RDP Port Forwarding, Netsh Port Forwarding, MalwareBytes Uninstallation, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disable Scheduled Tasks, Suspicious Driver Loaded, Netsh Program Allowed With Suspicious Location, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Fail2ban Unban IP, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Port Opening, Microsoft Defender Antivirus Signatures Removed With MpCmdRun"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration, Raccine Uninstall, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disable Using Registry, Disable .NET ETW Through COMPlus_ETWEnabled, WMIC Uninstall Product, NetSh Used To Disable Windows Firewall, Debugging Software Deactivation, Windows Firewall Changes, Clear EventLogs Through CommandLine, ETW Tampering, Netsh RDP Port Opening, Netsh Allow Command, Disabled IE Security Features, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh RDP Port Forwarding, Netsh Port Forwarding, MalwareBytes Uninstallation, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disable Scheduled Tasks, Suspicious Driver Loaded, Netsh Program Allowed With Suspicious Location, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Fail2ban Unban IP, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Port Opening, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Allowed Python Program"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Explorer Wrong Parent, Spoolsv Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, Searchindexer Wrong Parent, Taskhost Wrong Parent, Svchost Wrong Parent, Smss Wrong Parent, Taskhostw Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Searchprotocolhost Wrong Parent, MavInject Process Injection, Wsmprovhost Wrong Parent, Wmiprvse Wrong Parent"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: STRRAT Scheduled Task, Schtasks Suspicious Parent, Schtasks Persistence With High Privileges, Cron Files Alteration, Suspicious Scheduled Task Creation, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Cmdkey Cached Credentials Recon, Process Memory Dump Using Comsvcs, Process Memory Dump Using Rdrleakdiag, Rubeus Tool Command-line, Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials, Windows Credential Editor Registry Key, Process Trace Alteration, Copying Sensitive Files With Credential Data, HackTools Suspicious Process Names In Command Line, Load Of dbghelp/dbgcore DLL From Suspicious Process"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, DNS Tunnel Technique From MuddyWater, Exfiltration And Tunneling Tools Execution, Koadic MSHTML Command, Detect requests to Konni C2 servers, Sliver DNS Beaconing, Python HTTP Server, FoggyWeb HTTP Default GET/POST Requests, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious HWP Child Process, Possible Malicious File Double Extension, Suspicious Outlook Child Process, Suspicious Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-21985 VMware vCenter, CVE-2018-11776 Apache Struts2, CVE-2019-0604 SharePoint, Suspicious DNS Child Process, Exploited CVE-2020-10189 Zoho ManageEngine, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-26855 Exchange SSRF, CVE-2020-1147 SharePoint, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-21972 VMware vCenter, CVE-2020-17530 Apache Struts RCE"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Koadic MSHTML Command, Detect requests to Konni C2 servers, Python HTTP Server, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Exploit For CVE-2015-1641, Suspicious HWP Child Process, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Exploit For CVE-2015-1641, MS Office Product Spawning Exe in User Dir, Winword Document Droppers, Microsoft Office Product Spawning Windows Shell, Microsoft Office Spawning Script, Suspicious Outlook Child Process, SquirrelWaffle Malspam Execution Loading DLL, Download Files From Suspicious TLDs, Explorer Process Executing HTA File"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Exploit For CVE-2015-1641, MS Office Product Spawning Exe in User Dir, Winword Document Droppers, Microsoft Office Product Spawning Windows Shell, Microsoft Office Spawning Script, SquirrelWaffle Malspam Execution Loading DLL, Download Files From Suspicious TLDs, Explorer Process Executing HTA File"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, DNS Exfiltration and Tunneling Tools Execution, Sliver DNS Beaconing"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Exploit For CVE-2017-0261 Or CVE-2017-0262, Explorer Wrong Parent, Phorpiex Process Masquerading, AutoIt3 Execution From Suspicious Folder, Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line, Possible Malicious File Double Extension, Formbook Hijacked Process Command, Non-Legitimate Executable Using AcceptEula Parameter"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command, Rclone Process, Suspicious Finger Usage, Suspicious URI Used In A Lazarus Campaign, Pandemic Windows Implant"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, PowerCat Function Loading, ProxyShell Exchange Suspicious Paths, Webshell Execution W3WP Process"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, ProxyShell Exchange Suspicious Paths, Webshell Execution W3WP Process, IIS Module Installation Using AppCmd, PowerCat Function Loading"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious Taskkill Command, Exploited CVE-2020-10189 Zoho ManageEngine, Phorpiex DriveMgr Command, Koadic Execution, Suspicious Cmd.exe Command Line, WMIC Uninstall Product, Lazarus Loaders, MalwareBytes Uninstallation, SquirrelWaffle Malspam Execution Loading DLL, Elise Backdoor"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, Microsoft Office Spawning Script, Suspicious Windows Script Execution, Koadic Execution, XSL Script Processing And SquiblyTwo Attack, QakBot Process Creation, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: IcedID Execution Using Excel, PowerShell Execution Via Rundll32, Equation Group DLL_U Load, Empire Monkey Activity, Suspicious DLL Loading By Ordinal, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Suspicious Windows Installer Execution, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Regsvr32 Execution, PowerShell Execution Via Rundll32, Control Panel Items, MavInject Process Injection, Mshta JavaScript Execution, MOFComp Execution, AccCheckConsole Executing Dll, xWizard Execution, Empire Monkey Activity, Suspicious DLL Loading By Ordinal, CMSTP UAC Bypass via COM Object Access, CMSTP Execution, Suspicious Rundll32.exe Execution, Explorer Process Executing HTA File, IcedID Execution Using Excel, Suspicious Control Process, CertOC Loading Dll, Suspicious Mshta Execution, Equation Group DLL_U Load"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, XCopy Suspicious Usage, Adexplorer Usage"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh RDP Port Opening, Netsh Allow Command, Netsh Program Allowed With Suspicious Location, Netsh Port Opening, Netsh RDP Port Forwarding, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Windows Firewall Changes, Netsh Allowed Python Program"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Winlogon wrong parent, Dllhost Wrong Parent, Csrss Wrong Parent, Winword wrong parent, Rare Lsass Child Found, Csrss Child Found, Searchprotocolhost Child Found, Explorer Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Taskhost Wrong Parent, Rare Logonui Child Found, Wsmprovhost Wrong Parent, Lsass Wrong Parent, Logonui Wrong Parent, WMI Persistence Command Line Event Consumer, SolarWinds Wrong Child Process, Searchindexer Wrong Parent, Userinit Wrong Parent, New Service Creation, Wininit Wrong Parent, Taskhostw Wrong Parent, Wmiprvse Wrong Parent, Spoolsv Wrong Parent, Winrshost Wrong Parent, Svchost Wrong Parent, Smss Wrong Parent, Suspicious Commands From MS SQL Server Shell, Searchprotocolhost Wrong Parent, OneNote Suspicious Children Process"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Winlogon wrong parent, Dllhost Wrong Parent, Csrss Wrong Parent, Winword wrong parent, Rare Lsass Child Found, Csrss Child Found, Searchprotocolhost Child Found, Explorer Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Taskhost Wrong Parent, Rare Logonui Child Found, Wsmprovhost Wrong Parent, Lsass Wrong Parent, Logonui Wrong Parent, WMI Persistence Command Line Event Consumer, SolarWinds Wrong Child Process, Searchindexer Wrong Parent, Userinit Wrong Parent, New Service Creation, Wininit Wrong Parent, Taskhostw Wrong Parent, Wmiprvse Wrong Parent, Spoolsv Wrong Parent, Winrshost Wrong Parent, Svchost Wrong Parent, Smss Wrong Parent, Suspicious Commands From MS SQL Server Shell, Searchprotocolhost Wrong Parent, OneNote Suspicious Children Process"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Winlogon wrong parent, Dllhost Wrong Parent, Csrss Wrong Parent, Winword wrong parent, Rare Lsass Child Found, Csrss Child Found, Searchprotocolhost Child Found, Usage Of Sysinternals Tools, Taskhost or Taskhostw Suspicious Child Found, Taskhost Wrong Parent, Rare Logonui Child Found, Wsmprovhost Wrong Parent, Lsass Wrong Parent, Logonui Wrong Parent, WMI Persistence Command Line Event Consumer, SolarWinds Wrong Child Process, Suspicious DNS Child Process, Searchindexer Wrong Parent, Userinit Wrong Parent, Wininit Wrong Parent, Taskhostw Wrong Parent, PsExec Process, Wmiprvse Wrong Parent, Usage Of Procdump With Common Arguments, Spoolsv Wrong Parent, Winrshost Wrong Parent, Svchost Wrong Parent, Smss Wrong Parent, Suspicious Commands From MS SQL Server Shell, Searchprotocolhost Wrong Parent, OneNote Suspicious Children Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Winlogon wrong parent, Dllhost Wrong Parent, Csrss Wrong Parent, Winword wrong parent, Rare Lsass Child Found, Csrss Child Found, Searchprotocolhost Child Found, Windows Update LolBins, Usage Of Sysinternals Tools, Taskhost or Taskhostw Suspicious Child Found, Taskhost Wrong Parent, Rare Logonui Child Found, Wsmprovhost Wrong Parent, Lsass Wrong Parent, Logonui Wrong Parent, WMI Persistence Command Line Event Consumer, SolarWinds Wrong Child Process, Suspicious DNS Child Process, Searchindexer Wrong Parent, Userinit Wrong Parent, Wininit Wrong Parent, Taskhostw Wrong Parent, PsExec Process, Wmiprvse Wrong Parent, Usage Of Procdump With Common Arguments, Spoolsv Wrong Parent, Winrshost Wrong Parent, Svchost Wrong Parent, Smss Wrong Parent, Suspicious Commands From MS SQL Server Shell, Searchprotocolhost Wrong Parent, OneNote Suspicious Children Process"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious PowerShell Invocations - Specific, PowerShell Downgrade Attack, Suspicious Taskkill Command, PowerShell EncodedCommand, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Exploited CVE-2020-10189 Zoho ManageEngine, Powershell Web Request, Bloodhound and Sharphound Tools Usage, PowerShell Download From URL, Default Encoding To UTF-8 PowerShell, PowerShell Malicious Nishang PowerShell Commandlets, Mshta Suspicious Child Process, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Wmic Service Call, Wmic Process Call Creation, Impacket Wmiexec Module, WMIC Uninstall Product, XSL Script Processing And SquiblyTwo Attack, Suspicious Mshta Execution From Wmi, Blue Mockingbird Malware"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Koadic Execution, Suspicious Windows Script Execution"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Exploit For CVE-2017-0261 Or CVE-2017-0262, Explorer Wrong Parent, Formbook Hijacked Process Command"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: STRRAT Scheduled Task, Schtasks Suspicious Parent, Schtasks Persistence With High Privileges, Suspicious Scheduled Task Creation, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: RUN Registry Key Created From Suspicious Folder, Leviathan Registry Key Activity, Autorun Keys Modification"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Blue Mockingbird Malware"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious certutil command, Suspicious Mshta Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Ursnif Registry Key, RedMimicry Winnti Playbook Registry Manipulation, FlowCloud Malware, Disable Workstation Lock, Disable .NET ETW Through COMPlus_ETWEnabled, OceanLotus Registry Activity, Blue Mockingbird Malware, RDP Sensitive Settings Changed"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Inhibit System Recovery Deleting Backups, Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username, Suncrypt Parameters"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Suspicious Mshta Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Trickbot Malware Activity, NlTest Usage, AdFind Usage, Bloodhound and Sharphound Tools Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Ngrok Process Execution, Exfiltration And Tunneling Tools Execution, SOCKS Tunneling Tool, Netsh Port Forwarding"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write, New DLL Added To AppCertDlls Registry Key, Control Panel Items, Suspicious Netsh DLL Persistence, Sticky Key Like Backdoor Usage, Change Default File Association"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Windows Credential Editor Registry Key, Load Of dbghelp/dbgcore DLL From Suspicious Process"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious HWP Child Process"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}]} \ No newline at end of file +{"name": "SEKOIA.IO x SentinelOne Cloud Funnel 2.0 [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration, Autorun Keys Modification, Leviathan Registry Key Activity, RUN Registry Key Created From Suspicious Folder, NjRat Registry Changes, Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, System Info Discovery, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration, Add User to Privileged Group"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, High Privileges Network Share Removal, Erase Shell History, ETW Tampering, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, WiFi Credentials Harvesting Using Netsh, Capture a network trace with netsh.exe, Network Sniffing Windows"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: WMIC Uninstall Product, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious VBS Execution Parameter, Suspicious Taskkill Command, Powershell Web Request, Exploiting SetupComplete.cmd CVE-2019-1378, QakBot Process Creation, AutoIt3 Execution From Suspicious Folder, PowerShell Download From URL, PowerShell Malicious Nishang PowerShell Commandlets, Default Encoding To UTF-8 PowerShell, Mshta Suspicious Child Process, Lazarus Loaders, PowerShell EncodedCommand, Microsoft Defender Antivirus Disabled Base64 Encoded, XSL Script Processing And SquiblyTwo Attack, Sysprep On AppData Folder, Trickbot Malware Activity, Koadic Execution, Microsoft Office Spawning Script, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious Outlook Child Process, Elise Backdoor, Phorpiex DriveMgr Command, Suspicious PowerShell Invocations - Specific, Python Offensive Tools and Packages, DNS Exfiltration and Tunneling Tools Execution, Suspicious Windows Script Execution, PowerShell Downgrade Attack, MalwareBytes Uninstallation, Exploited CVE-2020-10189 Zoho ManageEngine, Bloodhound and Sharphound Tools Usage, Suspicious Cmd.exe Command Line, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Adexplorer Usage, Container Credential Access, Outlook Registry Access, Opening Of a Password File"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Hijack Legit RDP Session To Move Laterally, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Using Registry, WMIC Uninstall Product, Address Space Layout Randomization (ASLR) Alteration, Suspicious Driver Loaded, Suspicious Microsoft Defender Antivirus Exclusion Command, Debugging Software Deactivation, Fail2ban Unban IP, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh RDP Port Forwarding, Disabled IE Security Features, Netsh Port Forwarding, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh Port Opening, Microsoft Defender Antivirus Disable Scheduled Tasks, MalwareBytes Uninstallation, Microsoft Defender Antivirus Restoration Abuse, Package Manager Alteration, Netsh Program Allowed With Suspicious Location, Raccine Uninstall, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Disable Using Registry, WMIC Uninstall Product, Netsh Allow Command, Address Space Layout Randomization (ASLR) Alteration, Suspicious Driver Loaded, Suspicious Microsoft Defender Antivirus Exclusion Command, Debugging Software Deactivation, Windows Firewall Changes, Fail2ban Unban IP, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Disable .NET ETW Through COMPlus_ETWEnabled, Netsh RDP Port Forwarding, ETW Tampering, Disabled IE Security Features, Netsh Port Forwarding, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh Port Opening, Microsoft Defender Antivirus Disable Scheduled Tasks, MalwareBytes Uninstallation, Microsoft Defender Antivirus Restoration Abuse, NetSh Used To Disable Windows Firewall, Package Manager Alteration, Netsh Program Allowed With Suspicious Location, Netsh Allowed Python Program, Raccine Uninstall, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Wmiprvse Wrong Parent, Smss Wrong Parent, Taskhost Wrong Parent, MavInject Process Injection, Searchindexer Wrong Parent, Taskhostw Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Svchost Wrong Parent, Explorer Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, Spoolsv Wrong Parent, Searchprotocolhost Wrong Parent, Wsmprovhost Wrong Parent"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration, Schtasks Persistence With High Privileges, Suspicious Scheduled Task Creation, Schtasks Suspicious Parent, Qakbot Persistence Using Schtasks, STRRAT Scheduled Task, BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Comsvcs, Load Of dbghelp/dbgcore DLL From Suspicious Process, NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data, Rubeus Tool Command-line, Process Memory Dump Using Rdrleakdiag, HackTools Suspicious Process Names In Command Line, Process Trace Alteration, Windows Credential Editor Registry Key, Copying Browser Files With Credentials, Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Sliver DNS Beaconing, Exfiltration And Tunneling Tools Execution, Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater, FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command, SEKOIA.IO Intelligence Feed, Detect requests to Konni C2 servers"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Suspicious Double Extension, Suspicious HWP Child Process, Download Files From Suspicious TLDs, Suspicious Outlook Child Process, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-26855 Exchange SSRF, CVE-2019-0604 SharePoint, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-17530 Apache Struts RCE, CVE-2021-21972 VMware vCenter, Exploited CVE-2020-10189 Zoho ManageEngine, CVE-2020-1147 SharePoint, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2018-11776 Apache Struts2, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-21985 VMware vCenter, Suspicious DNS Child Process"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server, FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command, Detect requests to Konni C2 servers"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, Net.exe User Account Creation"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Suspicious HWP Child Process, Download Files From Suspicious TLDs, Exploit For CVE-2015-1641"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Explorer Process Executing HTA File, Microsoft Office Product Spawning Windows Shell, Microsoft Office Spawning Script, Exploit For CVE-2015-1641, Winword Document Droppers, MS Office Product Spawning Exe in User Dir, SquirrelWaffle Malspam Execution Loading DLL, Download Files From Suspicious TLDs, Suspicious Outlook Child Process"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Explorer Process Executing HTA File, Microsoft Office Product Spawning Windows Shell, Microsoft Office Spawning Script, Exploit For CVE-2015-1641, Winword Document Droppers, MS Office Product Spawning Exe in User Dir, SquirrelWaffle Malspam Execution Loading DLL, Download Files From Suspicious TLDs"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing, DNS Tunnel Technique From MuddyWater, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, AutoIt3 Execution From Suspicious Folder, Possible Malicious File Double Extension, Exploit For CVE-2017-0261 Or CVE-2017-0262, Formbook Hijacked Process Command, Explorer Wrong Parent, Suspicious Cmd.exe Command Line, Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Rclone Process, Suspicious certutil command, Suspicious URI Used In A Lazarus Campaign, Suspicious Finger Usage, Suspicious Headless Web Browser Execution To Download File, Pandemic Windows Implant"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Execution W3WP Process, Exchange Server Spawning Suspicious Processes, PowerCat Function Loading, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: IIS Module Installation Using AppCmd, PowerCat Function Loading, ProxyShell Exchange Suspicious Paths, Webshell Execution W3WP Process, Exchange Server Spawning Suspicious Processes"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Phorpiex DriveMgr Command, WMIC Uninstall Product, Koadic Execution, MalwareBytes Uninstallation, Exploited CVE-2020-10189 Zoho ManageEngine, SquirrelWaffle Malspam Execution Loading DLL, Lazarus Loaders, Elise Backdoor, Suspicious Taskkill Command, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, QakBot Process Creation, Suspicious Windows Script Execution, Koadic Execution, Microsoft Office Spawning Script, SquirrelWaffle Malspam Execution Loading DLL, Suspicious VBS Execution Parameter"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Empire Monkey Activity, PowerShell Execution Via Rundll32, Equation Group DLL_U Load, SquirrelWaffle Malspam Execution Loading DLL, Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Control Process, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Taskkill Command, CertOC Loading Dll, Empire Monkey Activity, Suspicious Windows Installer Execution, xWizard Execution, MavInject Process Injection, MOFComp Execution, Suspicious Mshta Execution, IcedID Execution Using Excel, AccCheckConsole Executing Dll, CMSTP UAC Bypass via COM Object Access, Equation Group DLL_U Load, Suspicious Rundll32.exe Execution, Suspicious Regsvr32 Execution, Explorer Process Executing HTA File, PowerShell Execution Via Rundll32, Suspicious DLL Loading By Ordinal, Mshta JavaScript Execution, CMSTP Execution, Control Panel Items"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, XCopy Suspicious Usage, Opening Of a Password File"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Windows Firewall Changes, Netsh Port Opening, Netsh RDP Port Forwarding, Netsh Allow Command, NetSh Used To Disable Windows Firewall, Netsh Program Allowed With Suspicious Location, Netsh Port Forwarding, Netsh Allowed Python Program, Netsh RDP Port Opening"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Wmiprvse Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Winlogon wrong parent, Userinit Wrong Parent, Spoolsv Wrong Parent, Dllhost Wrong Parent, Csrss Child Found, Csrss Wrong Parent, Wininit Wrong Parent, New Service Creation, Winrshost Wrong Parent, Taskhostw Wrong Parent, Logonui Wrong Parent, WMI Persistence Command Line Event Consumer, Winword wrong parent, Taskhost Wrong Parent, Searchindexer Wrong Parent, SolarWinds Wrong Child Process, Searchprotocolhost Child Found, Lsass Wrong Parent, Searchprotocolhost Wrong Parent, Wsmprovhost Wrong Parent, Smss Wrong Parent, OneNote Suspicious Children Process, Rare Logonui Child Found, Rare Lsass Child Found, Svchost Wrong Parent, Explorer Wrong Parent, Suspicious Commands From MS SQL Server Shell"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Wmiprvse Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Winlogon wrong parent, Userinit Wrong Parent, Spoolsv Wrong Parent, Dllhost Wrong Parent, Csrss Child Found, Csrss Wrong Parent, Wininit Wrong Parent, New Service Creation, Winrshost Wrong Parent, Taskhostw Wrong Parent, Logonui Wrong Parent, WMI Persistence Command Line Event Consumer, Winword wrong parent, Taskhost Wrong Parent, Searchindexer Wrong Parent, SolarWinds Wrong Child Process, Searchprotocolhost Child Found, Lsass Wrong Parent, Searchprotocolhost Wrong Parent, Wsmprovhost Wrong Parent, Smss Wrong Parent, OneNote Suspicious Children Process, Rare Logonui Child Found, Rare Lsass Child Found, Svchost Wrong Parent, Explorer Wrong Parent, Suspicious Commands From MS SQL Server Shell"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools, Wmiprvse Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Winlogon wrong parent, Userinit Wrong Parent, Suspicious Commands From MS SQL Server Shell, Spoolsv Wrong Parent, Dllhost Wrong Parent, Csrss Child Found, Csrss Wrong Parent, Wininit Wrong Parent, Winrshost Wrong Parent, Taskhostw Wrong Parent, Logonui Wrong Parent, WMI Persistence Command Line Event Consumer, Winword wrong parent, Taskhost Wrong Parent, Searchindexer Wrong Parent, SolarWinds Wrong Child Process, Searchprotocolhost Child Found, Lsass Wrong Parent, Searchprotocolhost Wrong Parent, Wsmprovhost Wrong Parent, Smss Wrong Parent, OneNote Suspicious Children Process, PsExec Process, Rare Logonui Child Found, Rare Lsass Child Found, Svchost Wrong Parent, Usage Of Procdump With Common Arguments, Suspicious DNS Child Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools, Wmiprvse Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Winlogon wrong parent, Userinit Wrong Parent, Suspicious Commands From MS SQL Server Shell, Spoolsv Wrong Parent, Dllhost Wrong Parent, Csrss Child Found, Csrss Wrong Parent, Wininit Wrong Parent, Winrshost Wrong Parent, Taskhostw Wrong Parent, Logonui Wrong Parent, WMI Persistence Command Line Event Consumer, Winword wrong parent, Taskhost Wrong Parent, Searchindexer Wrong Parent, SolarWinds Wrong Child Process, Searchprotocolhost Child Found, Windows Update LolBins, Lsass Wrong Parent, Searchprotocolhost Wrong Parent, Wsmprovhost Wrong Parent, Smss Wrong Parent, OneNote Suspicious Children Process, PsExec Process, Rare Logonui Child Found, Rare Lsass Child Found, Svchost Wrong Parent, Usage Of Procdump With Common Arguments, Suspicious DNS Child Process"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious PowerShell Invocations - Specific, DNS Exfiltration and Tunneling Tools Execution, PowerShell Downgrade Attack, PowerShell Download From URL, PowerShell Malicious Nishang PowerShell Commandlets, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious PrinterPorts Creation (CVE-2020-1048), Default Encoding To UTF-8 PowerShell, Suspicious Microsoft Defender Antivirus Exclusion Command, Bloodhound and Sharphound Tools Usage, Mshta Suspicious Child Process, Suspicious Taskkill Command, PowerShell EncodedCommand, Powershell Web Request, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Wmic Process Call Creation, WMIC Uninstall Product, Wmic Service Call, WMI Install Of Binary, Impacket Wmiexec Module, Blue Mockingbird Malware, Suspicious Mshta Execution From Wmi"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Koadic Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Explorer Wrong Parent, Formbook Hijacked Process Command, Phorpiex Process Masquerading, Exploit For CVE-2017-0261 Or CVE-2017-0262"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Suspicious Scheduled Task Creation, Schtasks Suspicious Parent, Qakbot Persistence Using Schtasks, STRRAT Scheduled Task, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Leviathan Registry Key Activity, RUN Registry Key Created From Suspicious Folder, Autorun Keys Modification"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass Using Fodhelper, UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass Using Fodhelper, UAC Bypass Via Sdclt"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious certutil command, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Mshta Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Disable Workstation Lock, Ursnif Registry Key, FlowCloud Malware, Disable .NET ETW Through COMPlus_ETWEnabled, RedMimicry Winnti Playbook Registry Manipulation, RDP Sensitive Settings Changed, OceanLotus Registry Activity, Blue Mockingbird Malware"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups, Suncrypt Parameters"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username, Suncrypt Parameters"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Suspicious Taskkill Command, Explorer Process Executing HTA File, Suspicious Mshta Execution"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, Trickbot Malware Activity, NlTest Usage, Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution, Ngrok Process Execution"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write, Change Default File Association, Sticky Key Like Backdoor Usage, Suspicious Netsh DLL Persistence, New DLL Added To AppCertDlls Registry Key, Control Panel Items"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain In Command Line, Rclone Process"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Load Of dbghelp/dbgcore DLL From Suspicious Process, Windows Credential Editor Registry Key"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious HWP Child Process, Suspicious Double Extension"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_419bd705-fa61-496c-94fa-28d6c1f2e2a8_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_419bd705-fa61-496c-94fa-28d6c1f2e2a8_do_not_edit_manually.json index bbe8b1ae18..9d4b7be314 100644 --- a/_shared_content/operations_center/detection/generated/attack_419bd705-fa61-496c-94fa-28d6c1f2e2a8_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_419bd705-fa61-496c-94fa-28d6c1f2e2a8_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Broadcom/Symantec Endpoint Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: AutoIt3 Execution From Suspicious Folder, Bloodhound and Sharphound Tools Usage, Venom Multi-hop Proxy agent detection, Interactive Terminal Spawned via Python"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled Service, SELinux Disabling"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disabled Service, SELinux Disabling"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Disabled Service"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, SEKOIA.IO Intelligence Feed, Detect requests to Konni C2 servers, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Double Extension, Possible Malicious File Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Broadcom/Symantec Endpoint Security Event Cleaned, Broadcom/Symantec Endpoint Security Event Quarantined, Broadcom/Symantec Endpoint Security Event Terminate, Broadcom/Symantec Endpoint Security Event Blocked, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Detect requests to Konni C2 servers, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel, Venom Multi-hop Proxy agent detection, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, AutoIt3 Execution From Suspicious Folder, Possible Malicious File Double Extension"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Broadcom/Symantec Endpoint Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: AutoIt3 Execution From Suspicious Folder, Venom Multi-hop Proxy agent detection, Interactive Terminal Spawned via Python, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled Service, SELinux Disabling"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disabled Service, SELinux Disabling"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Disabled Service"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Detect requests to Konni C2 servers"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Suspicious Double Extension"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Broadcom/Symantec Endpoint Security Event Terminate, Broadcom/Symantec Endpoint Security Event Blocked, Broadcom/Symantec Endpoint Security Event Cleaned, Broadcom/Symantec Endpoint Security Event Quarantined, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Exfiltration And Tunneling Tools Execution, Detect requests to Konni C2 servers"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Venom Multi-hop Proxy agent detection, Potential DNS Tunnel"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: AutoIt3 Execution From Suspicious Folder, Possible Malicious File Double Extension, Phorpiex Process Masquerading"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_41e3ca4e-a714-41aa-ad69-684a0b3835fc_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_41e3ca4e-a714-41aa-ad69-684a0b3835fc_do_not_edit_manually.json index 91ad327472..32b3eb737a 100644 --- a/_shared_content/operations_center/detection/generated/attack_41e3ca4e-a714-41aa-ad69-684a0b3835fc_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_41e3ca4e-a714-41aa-ad69-684a0b3835fc_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Sekoia.io activity logs", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-21985 VMware vCenter, CVE-2018-11776 Apache Struts2, CVE-2019-0604 SharePoint, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-26855 Exchange SSRF, CVE-2020-1147 SharePoint, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-21972 VMware vCenter, CVE-2020-17530 Apache Struts RCE"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Koadic MSHTML Command, Nimbo-C2 User Agent, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Koadic MSHTML Command, Nimbo-C2 User Agent, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Sekoia.io activity logs", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-26855 Exchange SSRF, CVE-2019-0604 SharePoint, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-17530 Apache Struts RCE, CVE-2021-21972 VMware vCenter, CVE-2020-1147 SharePoint, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2018-11776 Apache Struts2, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-21985 VMware vCenter"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs, Possible Malicious File Double Extension"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, Nimbo-C2 User Agent, Detect requests to Konni C2 servers"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, Nimbo-C2 User Agent, Detect requests to Konni C2 servers"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_44439212-c2d8-4645-ad60-8fd5e39140b3_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_44439212-c2d8-4645-ad60-8fd5e39140b3_do_not_edit_manually.json index 99a03d9ab3..749d7aea8d 100644 --- a/_shared_content/operations_center/detection/generated/attack_44439212-c2d8-4645-ad60-8fd5e39140b3_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_44439212-c2d8-4645-ad60-8fd5e39140b3_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Google Cloud Audit Logs", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Google Cloud Audit Logs", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_466aeca2-e112-4ccc-a109-c6d85b91bbcf_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_466aeca2-e112-4ccc-a109-c6d85b91bbcf_do_not_edit_manually.json index 07ab908dbe..2961c4b9b4 100644 --- a/_shared_content/operations_center/detection/generated/attack_466aeca2-e112-4ccc-a109-c6d85b91bbcf_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_466aeca2-e112-4ccc-a109-c6d85b91bbcf_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Cisco Secure Firewall", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution, LokiBot Default C2 URL, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Koadic MSHTML Command, Nimbo-C2 User Agent, Cobalt Strike HTTP Default POST Beaconing, Suspicious Windows DNS Queries, Detect requests to Konni C2 servers, Sliver DNS Beaconing, FoggyWeb HTTP Default GET/POST Requests, Cobalt Strike HTTP Default GET beaconing"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Double Extension, Possible Malicious File Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2018-11776 Apache Struts2, CVE-2020-14882 Oracle WebLogic Server, GitLab CVE-2021-22205, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-21985 VMware vCenter, CVE-2019-0604 SharePoint, CVE-2018-13379 Fortinet Exploit, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-26855 Exchange SSRF, CVE-2021-21972 VMware vCenter, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-17530 Apache Struts RCE, CVE-2019-11510 Pulse Secure Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-43798 Grafana Directory Traversal, CVE-2020-1147 SharePoint, CVE-2021-22123 Fortinet FortiWeb OS Command Injection"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, LokiBot Default C2 URL, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Koadic MSHTML Command, Nimbo-C2 User Agent, Cobalt Strike HTTP Default POST Beaconing, Suspicious Windows DNS Queries, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Cobalt Strike HTTP Default GET beaconing"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, Exchange Server Creating Unusual Files, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, Exchange Server Creating Unusual Files, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: SolarWinds Suspicious File Creation, PsExec Process"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Cisco Secure Firewall", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Sliver DNS Beaconing, Potential Lemon Duck User-Agent, Exfiltration And Tunneling Tools Execution, Koadic MSHTML Command, LokiBot Default C2 URL, FoggyWeb HTTP Default GET/POST Requests, Nimbo-C2 User Agent, Cobalt Strike HTTP Default GET beaconing, Suspicious Windows DNS Queries, SEKOIA.IO Intelligence Feed, Cobalt Strike HTTP Default POST Beaconing, Detect requests to Konni C2 servers"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Suspicious Double Extension"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-26855 Exchange SSRF, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2018-13379 Fortinet Exploit, CVE-2021-21985 VMware vCenter, GitLab CVE-2021-22205, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2019-0604 SharePoint, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2019-11510 Pulse Secure Exploit, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2021-21972 VMware vCenter, CVE-2020-1147 SharePoint, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2018-11776 Apache Struts2, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Exfiltration And Tunneling Tools Execution, Koadic MSHTML Command, LokiBot Default C2 URL, FoggyWeb HTTP Default GET/POST Requests, Nimbo-C2 User Agent, Cobalt Strike HTTP Default GET beaconing, Suspicious Windows DNS Queries, Cobalt Strike HTTP Default POST Beaconing, Detect requests to Konni C2 servers"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Creating Unusual Files, CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Creating Unusual Files, CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Potential DNS Tunnel"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_469bd3ae-61c9-4c39-9703-7452882e70da_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_469bd3ae-61c9-4c39-9703-7452882e70da_do_not_edit_manually.json index 1987b128fd..4e4fce9787 100644 --- a/_shared_content/operations_center/detection/generated/attack_469bd3ae-61c9-4c39-9703-7452882e70da_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_469bd3ae-61c9-4c39-9703-7452882e70da_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Cato Networks SASE", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, SEKOIA.IO Intelligence Feed, Detect requests to Konni C2 servers"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Detect requests to Konni C2 servers"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Cato Networks SASE", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, SEKOIA.IO Intelligence Feed, Detect requests to Konni C2 servers"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Detect requests to Konni C2 servers"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_46ca6fc8-3d30-434c-92ff-0e1cde564161_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_46ca6fc8-3d30-434c-92ff-0e1cde564161_do_not_edit_manually.json index 8ee02437c6..55f1e53d98 100644 --- a/_shared_content/operations_center/detection/generated/attack_46ca6fc8-3d30-434c-92ff-0e1cde564161_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_46ca6fc8-3d30-434c-92ff-0e1cde564161_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Proofpoint TAP", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Koadic MSHTML Command, Nimbo-C2 User Agent, Detect requests to Konni C2 servers"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Proofpoint TAP Email Classified As Malware But Allowed, Proofpoint TAP Email Classified As Phishing But Allowed, Possible Malicious File Double Extension, Download Files From Suspicious TLDs, Proofpoint TAP Email Classified As Spam But Allowed"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Koadic MSHTML Command, Nimbo-C2 User Agent, Detect requests to Konni C2 servers"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Proofpoint TAP", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Koadic MSHTML Command, Nimbo-C2 User Agent, SEKOIA.IO Intelligence Feed, Detect requests to Konni C2 servers"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Download Files From Suspicious TLDs, Proofpoint TAP Email Classified As Phishing But Allowed, Proofpoint TAP Email Classified As Malware But Allowed, Proofpoint TAP Email Classified As Spam But Allowed"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Koadic MSHTML Command, Nimbo-C2 User Agent, Detect requests to Konni C2 servers"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_46e45417-187b-45bb-bf81-30df7b1963a0_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_46e45417-187b-45bb-bf81-30df7b1963a0_do_not_edit_manually.json index 46a9e18620..eadd02b827 100644 --- a/_shared_content/operations_center/detection/generated/attack_46e45417-187b-45bb-bf81-30df7b1963a0_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_46e45417-187b-45bb-bf81-30df7b1963a0_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x AWS WAF", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, LokiBot Default C2 URL, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Koadic MSHTML Command, Nimbo-C2 User Agent, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2018-11776 Apache Struts2, CVE-2020-14882 Oracle WebLogic Server, GitLab CVE-2021-22205, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-21985 VMware vCenter, CVE-2019-0604 SharePoint, CVE-2018-13379 Fortinet Exploit, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-26855 Exchange SSRF, CVE-2021-21972 VMware vCenter, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-17530 Apache Struts RCE, CVE-2019-11510 Pulse Secure Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-43798 Grafana Directory Traversal, CVE-2020-1147 SharePoint, CVE-2021-22123 Fortinet FortiWeb OS Command Injection"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: LokiBot Default C2 URL, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Koadic MSHTML Command, Nimbo-C2 User Agent, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}]} \ No newline at end of file +{"name": "SEKOIA.IO x AWS WAF", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Koadic MSHTML Command, LokiBot Default C2 URL, FoggyWeb HTTP Default GET/POST Requests, Nimbo-C2 User Agent, SEKOIA.IO Intelligence Feed, Detect requests to Konni C2 servers"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-26855 Exchange SSRF, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2018-13379 Fortinet Exploit, CVE-2021-21985 VMware vCenter, GitLab CVE-2021-22205, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2019-0604 SharePoint, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2019-11510 Pulse Secure Exploit, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2021-21972 VMware vCenter, CVE-2020-1147 SharePoint, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2018-11776 Apache Struts2, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Koadic MSHTML Command, LokiBot Default C2 URL, FoggyWeb HTTP Default GET/POST Requests, Nimbo-C2 User Agent, Detect requests to Konni C2 servers"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_46fe3905-9e38-4fb2-be09-44d31626b694_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_46fe3905-9e38-4fb2-be09-44d31626b694_do_not_edit_manually.json index aa76c8542a..08a46d7409 100644 --- a/_shared_content/operations_center/detection/generated/attack_46fe3905-9e38-4fb2-be09-44d31626b694_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_46fe3905-9e38-4fb2-be09-44d31626b694_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Retarus Email Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Retarus Email Security Threat Detected (Sandboxing), SEKOIA.IO Intelligence Feed, Retarus Email Security Threat Detected (MultiScan), Download Files From Non-Legitimate TLDs, Retarus Email Security Threat Detected (CxO Or Patient Zero Detection)"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Retarus Email Security Threat Detected (Sandboxing), Retarus Email Security Threat Detected (CxO Or Patient Zero Detection), Retarus Email Security Threat Detected (MultiScan)"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Retarus Email Security Threat Detected (CxO Or Patient Zero Detection)"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Retarus Email Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Retarus Email Security Threat Detected (Sandboxing), Retarus Email Security Threat Detected (MultiScan), Download Files From Non-Legitimate TLDs, SEKOIA.IO Intelligence Feed, Retarus Email Security Threat Detected (CxO Or Patient Zero Detection)"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Retarus Email Security Threat Detected (CxO Or Patient Zero Detection), Retarus Email Security Threat Detected (Sandboxing), Retarus Email Security Threat Detected (MultiScan)"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Retarus Email Security Threat Detected (CxO Or Patient Zero Detection)"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_547234b3-82ea-4507-b28f-3ee3cd5b9a8e_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_547234b3-82ea-4507-b28f-3ee3cd5b9a8e_do_not_edit_manually.json index d993df90a1..0903010232 100644 --- a/_shared_content/operations_center/detection/generated/attack_547234b3-82ea-4507-b28f-3ee3cd5b9a8e_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_547234b3-82ea-4507-b28f-3ee3cd5b9a8e_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Cisco Duo Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Cisco Duo Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_5702ae4e-7d8a-455f-a47b-ef64dd87c981_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_5702ae4e-7d8a-455f-a47b-ef64dd87c981_do_not_edit_manually.json index 7ad28f72e2..e5e37749d2 100644 --- a/_shared_content/operations_center/detection/generated/attack_5702ae4e-7d8a-455f-a47b-ef64dd87c981_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_5702ae4e-7d8a-455f-a47b-ef64dd87c981_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Fortinet FortiGate", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Koadic MSHTML Command, Nimbo-C2 User Agent, Detect requests to Konni C2 servers, Sliver DNS Beaconing, TrevorC2 HTTP Communication, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-21985 VMware vCenter, CVE-2018-11776 Apache Struts2, CVE-2019-0604 SharePoint, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-26855 Exchange SSRF, CVE-2020-1147 SharePoint, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-21972 VMware vCenter, CVE-2020-17530 Apache Struts RCE"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: Fortinet FortiGate Firewall Login In Failure"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Koadic MSHTML Command, Nimbo-C2 User Agent, Detect requests to Konni C2 servers, TrevorC2 HTTP Communication, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Fortinet FortiGate", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Sliver DNS Beaconing, Potential Lemon Duck User-Agent, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, TrevorC2 HTTP Communication, Nimbo-C2 User Agent, SEKOIA.IO Intelligence Feed, Detect requests to Konni C2 servers"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-26855 Exchange SSRF, CVE-2019-0604 SharePoint, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-17530 Apache Struts RCE, CVE-2021-21972 VMware vCenter, CVE-2020-1147 SharePoint, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2018-11776 Apache Struts2, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-21985 VMware vCenter"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: Fortinet FortiGate Firewall Login In Failure"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, TrevorC2 HTTP Communication, Nimbo-C2 User Agent, Detect requests to Konni C2 servers"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_591feb54-1d1f-4453-b780-b225c59e9f99_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_591feb54-1d1f-4453-b780-b225c59e9f99_do_not_edit_manually.json index 5894dcb044..12f5e6eae5 100644 --- a/_shared_content/operations_center/detection/generated/attack_591feb54-1d1f-4453-b780-b225c59e9f99_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_591feb54-1d1f-4453-b780-b225c59e9f99_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Cisco NX-OS", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious Taskkill Command, WMIC Uninstall Product, Bloodhound and Sharphound Tools Usage, PowerShell Download From URL, Socat Reverse Shell Detection, Suspicious VBS Execution Parameter, PowerShell EncodedCommand, Suspicious Microsoft Defender Antivirus Exclusion Command, Phorpiex DriveMgr Command, Powershell Web Request, Interactive Terminal Spawned via Python, Lazarus Loaders, MalwareBytes Uninstallation, Sysprep On AppData Folder, Elise Backdoor, Venom Multi-hop Proxy agent detection, Suspicious Windows Script Execution, Koadic Execution, AutoIt3 Execution From Suspicious Folder, XSL Script Processing And SquiblyTwo Attack, DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Invocations - Specific, PowerShell Downgrade Attack, Python Offensive Tools and Packages, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Office Creating Suspicious File, Default Encoding To UTF-8 PowerShell, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious PrinterPorts Creation (CVE-2020-1048), Socat Relaying Socket"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Suspicious desktop.ini Action, Kernel Module Alteration"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies, System Info Discovery"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration, Add User to Privileged Group"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration, Raccine Uninstall, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disable Using Registry, WMIC Uninstall Product, Debugging Software Deactivation, Netsh RDP Port Opening, Disabled IE Security Features, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh RDP Port Forwarding, Netsh Port Forwarding, MalwareBytes Uninstallation, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Fail2ban Unban IP, Disabled Service, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, PowerShell AMSI Deactivation Bypass Using .NET Reflection, SELinux Disabling, Netsh Port Opening, Microsoft Defender Antivirus Signatures Removed With MpCmdRun"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration, Raccine Uninstall, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disable Using Registry, WMIC Uninstall Product, NetSh Used To Disable Windows Firewall, Debugging Software Deactivation, Windows Firewall Changes, Clear EventLogs Through CommandLine, ETW Tampering, Netsh RDP Port Opening, Netsh Allow Command, Disabled IE Security Features, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh RDP Port Forwarding, Netsh Port Forwarding, MalwareBytes Uninstallation, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Fail2ban Unban IP, Disabled Service, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, PowerShell AMSI Deactivation Bypass Using .NET Reflection, SELinux Disabling, Netsh Port Opening, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Allowed Python Program"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: High Privileges Network Share Removal, ETW Tampering, Erase Shell History, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows, Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection, Socat Reverse Shell Detection, Socat Relaying Socket"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration And Tunneling Tools Execution, Ngrok Process Execution, Venom Multi-hop Proxy agent detection, SOCKS Tunneling Tool, Netsh Port Forwarding, Socat Reverse Shell Detection, Socat Relaying Socket"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, Outlook Registry Access, Container Credential Access, XCopy Suspicious Usage"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Cron Files Alteration, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line, Cmdkey Cached Credentials Recon, Process Memory Dump Using Comsvcs, Process Memory Dump Using Rdrleakdiag, Rubeus Tool Command-line, Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials, Process Trace Alteration, Copying Sensitive Files With Credential Data, HackTools Suspicious Process Names In Command Line"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Disabled Service, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution, DNS Exfiltration and Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Double Extension"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, XCopy Suspicious Usage, Adexplorer Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious PowerShell Invocations - Specific, PowerShell Downgrade Attack, Suspicious Taskkill Command, PowerShell EncodedCommand, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Powershell Web Request, Bloodhound and Sharphound Tools Usage, PowerShell Download From URL, Default Encoding To UTF-8 PowerShell, PowerShell Malicious Nishang PowerShell Commandlets, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Rclone Process, Suspicious Finger Usage, Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Phorpiex DriveMgr Command, Koadic Execution, WMIC Uninstall Product, Lazarus Loaders, MalwareBytes Uninstallation, Elise Backdoor"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh RDP Port Opening, Netsh Allow Command, Netsh Port Opening, Netsh RDP Port Forwarding, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Windows Firewall Changes, Netsh Allowed Python Program"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Phorpiex Process Masquerading, AutoIt3 Execution From Suspicious Folder, Suspicious Cmd File Copy Command To Network Share, Non-Legitimate Executable Using AcceptEula Parameter"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Wmic Service Call, Wmic Process Call Creation, WMIC Uninstall Product, XSL Script Processing And SquiblyTwo Attack, Blue Mockingbird Malware"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, Microsoft Office Creating Suspicious File, Koadic Execution, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Koadic Execution, Suspicious Windows Script Execution"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Blue Mockingbird Malware"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, SolarWinds Suspicious File Creation, PsExec Process"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious certutil command, Suspicious Mshta Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Inhibit System Recovery Deleting Backups, Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username, Suncrypt Parameters"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32, Equation Group DLL_U Load, Empire Monkey Activity, Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Control Process, CertOC Loading Dll, Suspicious Taskkill Command, Suspicious Windows Installer Execution, Mshta JavaScript Execution, PowerShell Execution Via Rundll32, Suspicious Rundll32.exe Execution, AccCheckConsole Executing Dll, Control Panel Items, Empire Monkey Activity, Suspicious Mshta Execution, Suspicious DLL Loading By Ordinal, MavInject Process Injection, xWizard Execution, CMSTP Execution, Equation Group DLL_U Load, Explorer Process Executing HTA File"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Creating Unusual Files, PowerCat Function Loading, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: IIS Module Installation Using AppCmd, Exchange Server Creating Unusual Files, PowerCat Function Loading, Webshell Creation"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Suspicious Mshta Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage, NlTest Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write, New DLL Added To AppCertDlls Registry Key, Control Panel Items, Suspicious Netsh DLL Persistence, Change Default File Association"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, OneNote Embedded File"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1, Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Cisco NX-OS", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: WMIC Uninstall Product, Microsoft Office Creating Suspicious File, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious VBS Execution Parameter, Suspicious Taskkill Command, Powershell Web Request, AutoIt3 Execution From Suspicious Folder, PowerShell Download From URL, PowerShell Malicious Nishang PowerShell Commandlets, Default Encoding To UTF-8 PowerShell, Socat Relaying Socket, Lazarus Loaders, PowerShell EncodedCommand, Interactive Terminal Spawned via Python, Microsoft Defender Antivirus Disabled Base64 Encoded, XSL Script Processing And SquiblyTwo Attack, Sysprep On AppData Folder, Koadic Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), Socat Reverse Shell Detection, Elise Backdoor, Phorpiex DriveMgr Command, Suspicious PowerShell Invocations - Specific, Python Offensive Tools and Packages, DNS Exfiltration and Tunneling Tools Execution, Suspicious Windows Script Execution, PowerShell Downgrade Attack, MalwareBytes Uninstallation, Bloodhound and Sharphound Tools Usage, Venom Multi-hop Proxy agent detection, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Suspicious desktop.ini Action, Kernel Module Alteration"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, System Info Discovery, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration, Add User to Privileged Group"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Using Registry, SELinux Disabling, WMIC Uninstall Product, Address Space Layout Randomization (ASLR) Alteration, Suspicious Microsoft Defender Antivirus Exclusion Command, Debugging Software Deactivation, Fail2ban Unban IP, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh RDP Port Forwarding, Disabled IE Security Features, Netsh Port Forwarding, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh Port Opening, Microsoft Defender Antivirus Disable Scheduled Tasks, MalwareBytes Uninstallation, Microsoft Defender Antivirus Restoration Abuse, Package Manager Alteration, Raccine Uninstall, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Opening, Disabled Service, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Disable Using Registry, SELinux Disabling, WMIC Uninstall Product, Netsh Allow Command, Address Space Layout Randomization (ASLR) Alteration, Suspicious Microsoft Defender Antivirus Exclusion Command, Debugging Software Deactivation, Windows Firewall Changes, Fail2ban Unban IP, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh RDP Port Forwarding, ETW Tampering, Disabled IE Security Features, Netsh Port Forwarding, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh Port Opening, Microsoft Defender Antivirus Disable Scheduled Tasks, MalwareBytes Uninstallation, Microsoft Defender Antivirus Restoration Abuse, NetSh Used To Disable Windows Firewall, Package Manager Alteration, Netsh Allowed Python Program, Raccine Uninstall, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Opening, Disabled Service, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, High Privileges Network Share Removal, Erase Shell History, ETW Tampering, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, WiFi Credentials Harvesting Using Netsh, Capture a network trace with netsh.exe, Network Sniffing Windows"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection, Socat Reverse Shell Detection, Socat Relaying Socket"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Ngrok Process Execution, Socat Reverse Shell Detection, SOCKS Tunneling Tool, Socat Relaying Socket, Netsh Port Forwarding, Venom Multi-hop Proxy agent detection, Potential DNS Tunnel"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Adexplorer Usage, Container Credential Access, Outlook Registry Access, Opening Of a Password File"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Comsvcs, WCE wceaux.dll Creation, NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data, Rubeus Tool Command-line, Process Memory Dump Using Rdrleakdiag, HackTools Suspicious Process Names In Command Line, Process Trace Alteration, Cmdkey Cached Credentials Recon, Copying Browser Files With Credentials, NTDS.dit File In Suspicious Directory, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Disabled Service"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Exfiltration And Tunneling Tools Execution, Python HTTP Server, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Double Extension"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution, Potential DNS Tunnel"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, XCopy Suspicious Usage, Opening Of a Password File"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious PowerShell Invocations - Specific, DNS Exfiltration and Tunneling Tools Execution, PowerShell Downgrade Attack, PowerShell Download From URL, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious PrinterPorts Creation (CVE-2020-1048), Default Encoding To UTF-8 PowerShell, Suspicious Microsoft Defender Antivirus Exclusion Command, Bloodhound and Sharphound Tools Usage, Suspicious Taskkill Command, PowerShell EncodedCommand, Powershell Web Request, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Suspicious Finger Usage, Suspicious certutil command, Rclone Process"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, WMIC Uninstall Product, Koadic Execution, MalwareBytes Uninstallation, Elise Backdoor, Suspicious Taskkill Command, Lazarus Loaders"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Windows Firewall Changes, Netsh Port Opening, Netsh RDP Port Forwarding, Netsh Allow Command, NetSh Used To Disable Windows Firewall, Netsh Port Forwarding, Netsh Allowed Python Program, Netsh RDP Port Opening"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, AutoIt3 Execution From Suspicious Folder, RTLO Character, Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Wmic Process Call Creation, WMIC Uninstall Product, Wmic Service Call, WMI Install Of Binary, Blue Mockingbird Malware"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Koadic Execution, Microsoft Office Creating Suspicious File, Suspicious VBS Execution Parameter"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Koadic Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, SolarWinds Suspicious File Creation, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious certutil command, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Mshta Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups, Suncrypt Parameters"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username, Suncrypt Parameters"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Empire Monkey Activity, PowerShell Execution Via Rundll32, Equation Group DLL_U Load, Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Control Process, Empire Monkey Activity, Explorer Process Executing HTA File, PowerShell Execution Via Rundll32, AccCheckConsole Executing Dll, Suspicious Windows Installer Execution, Mshta JavaScript Execution, Equation Group DLL_U Load, Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution, xWizard Execution, MavInject Process Injection, Suspicious Taskkill Command, CertOC Loading Dll, CMSTP Execution, Suspicious Mshta Execution, Control Panel Items"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, Exchange Server Creating Unusual Files, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, IIS Module Installation Using AppCmd, Exchange Server Creating Unusual Files, Webshell Creation"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Suspicious Taskkill Command, Explorer Process Executing HTA File, Suspicious Mshta Execution"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, NlTest Usage, AdFind Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write, Change Default File Association, Suspicious Netsh DLL Persistence, New DLL Added To AppCertDlls Registry Key, Control Panel Items"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain In Command Line, Rclone Process"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, PowerShell EncodedCommand"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Formbook File Creation DB1"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_59991ced-c2a0-4fb0-91f3-49e3993c16f5_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_59991ced-c2a0-4fb0-91f3-49e3993c16f5_do_not_edit_manually.json index bfb0f1090a..3220e1a67b 100644 --- a/_shared_content/operations_center/detection/generated/attack_59991ced-c2a0-4fb0-91f3-49e3993c16f5_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_59991ced-c2a0-4fb0-91f3-49e3993c16f5_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Tanium", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration, Raccine Uninstall, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disable Using Registry, Disabled IE Security Features, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Restoration Abuse, WMIC Uninstall Product, Netsh RDP Port Forwarding, Netsh Port Forwarding, MalwareBytes Uninstallation, Debugging Software Deactivation, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration, Raccine Uninstall, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disable Using Registry, WMIC Uninstall Product, NetSh Used To Disable Windows Firewall, Debugging Software Deactivation, Windows Firewall Changes, Clear EventLogs Through CommandLine, ETW Tampering, Disabled IE Security Features, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh RDP Port Forwarding, Netsh Port Forwarding, MalwareBytes Uninstallation, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Allowed Python Program"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Suspicious Process Requiring DLL Starts Without DLL, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration, Suspicious Scheduled Task Creation, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Process Memory Dump Using Comsvcs, Process Memory Dump Using Rdrleakdiag, Rubeus Tool Command-line, Process Trace Alteration, HackTools Suspicious Process Names In Command Line"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution, Sliver DNS Beaconing"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Sliver DNS Beaconing"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, XCopy Suspicious Usage"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Suspicious Cmd File Copy Command To Network Share, Non-Legitimate Executable Using AcceptEula Parameter"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious PowerShell Invocations - Specific, Suspicious Taskkill Command, PowerShell EncodedCommand, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious PowerShell Invocations - Specific, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious Taskkill Command, PowerShell EncodedCommand, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Phorpiex DriveMgr Command, WMIC Uninstall Product, Lazarus Loaders, MalwareBytes Uninstallation, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username, Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: NjRat Registry Changes"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CertOC Loading Dll, Suspicious Taskkill Command, Suspicious Windows Installer Execution, Control Panel Items, MavInject Process Injection, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious Taskkill Command, Phorpiex DriveMgr Command, WMIC Uninstall Product, Lazarus Loaders, MalwareBytes Uninstallation"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Suspicious Scheduled Task Creation, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key, Control Panel Items, Change Default File Association, Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh RDP Port Forwarding, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Windows Firewall Changes, Netsh Allowed Python Program"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Wmic Service Call, Wmic Process Call Creation, WMIC Uninstall Product, Blue Mockingbird Malware"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Netsh Port Forwarding, SOCKS Tunneling Tool"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Tanium", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Debugging Software Deactivation, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, WMIC Uninstall Product, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, MalwareBytes Uninstallation, Netsh RDP Port Forwarding, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Restoration Abuse, Package Manager Alteration, Disabled IE Security Features, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh Port Forwarding, Raccine Uninstall, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Disable Using Registry, WMIC Uninstall Product, Address Space Layout Randomization (ASLR) Alteration, Suspicious Microsoft Defender Antivirus Exclusion Command, Debugging Software Deactivation, Windows Firewall Changes, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh RDP Port Forwarding, ETW Tampering, Disabled IE Security Features, Netsh Port Forwarding, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, MalwareBytes Uninstallation, Microsoft Defender Antivirus Restoration Abuse, NetSh Used To Disable Windows Firewall, Package Manager Alteration, Netsh Allowed Python Program, Raccine Uninstall, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Suspicious Process Requiring DLL Starts Without DLL, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration, Suspicious Scheduled Task Creation, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Comsvcs, NTDS.dit File Interaction Through Command Line, Rubeus Tool Command-line, Process Memory Dump Using Rdrleakdiag, HackTools Suspicious Process Names In Command Line, Process Trace Alteration"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Sliver DNS Beaconing, DNS Exfiltration and Tunneling Tools Execution, Python HTTP Server, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Non-Legitimate Executable Using AcceptEula Parameter, Phorpiex Process Masquerading"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious PowerShell Invocations - Specific, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), Default Encoding To UTF-8 PowerShell, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Taskkill Command, PowerShell EncodedCommand, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious PowerShell Invocations - Specific, Phorpiex DriveMgr Command, DNS Exfiltration and Tunneling Tools Execution, WMIC Uninstall Product, MalwareBytes Uninstallation, Suspicious PrinterPorts Creation (CVE-2020-1048), Default Encoding To UTF-8 PowerShell, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Taskkill Command, Lazarus Loaders, PowerShell EncodedCommand, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username, Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: NjRat Registry Changes"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution, Suspicious DLL Loading By Ordinal, MavInject Process Injection, Suspicious Taskkill Command, CertOC Loading Dll, Control Panel Items"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Phorpiex DriveMgr Command, WMIC Uninstall Product, MalwareBytes Uninstallation, Suspicious Taskkill Command, Lazarus Loaders"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Suspicious Scheduled Task Creation, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key, Suspicious Netsh DLL Persistence, Control Panel Items, Change Default File Association"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Windows Firewall Changes, Netsh RDP Port Forwarding, NetSh Used To Disable Windows Firewall, Netsh Port Forwarding, Netsh Allowed Python Program"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Process Call Creation, WMIC Uninstall Product, Wmic Service Call, WMI Install Of Binary, Blue Mockingbird Malware"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Netsh Port Forwarding"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_622999fe-d383-4d41-9f2d-eed5013fe463_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_622999fe-d383-4d41-9f2d-eed5013fe463_do_not_edit_manually.json index eae7f8ef8a..6e9fc10b6d 100644 --- a/_shared_content/operations_center/detection/generated/attack_622999fe-d383-4d41-9f2d-eed5013fe463_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_622999fe-d383-4d41-9f2d-eed5013fe463_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x SonicWall Secure Mobile Access [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}]} \ No newline at end of file +{"name": "SEKOIA.IO x SonicWall Secure Mobile Access [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_69b52166-b804-4f47-860f-2d3fd0b46987_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_69b52166-b804-4f47-860f-2d3fd0b46987_do_not_edit_manually.json index 4d0dae6b95..d187c051ee 100644 --- a/_shared_content/operations_center/detection/generated/attack_69b52166-b804-4f47-860f-2d3fd0b46987_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_69b52166-b804-4f47-860f-2d3fd0b46987_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Azure Front Door", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, LokiBot Default C2 URL, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Koadic MSHTML Command, Nimbo-C2 User Agent, Cobalt Strike HTTP Default POST Beaconing, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Cobalt Strike HTTP Default GET beaconing"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2018-11776 Apache Struts2, CVE-2020-14882 Oracle WebLogic Server, GitLab CVE-2021-22205, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-21985 VMware vCenter, CVE-2019-0604 SharePoint, CVE-2018-13379 Fortinet Exploit, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-26855 Exchange SSRF, CVE-2021-21972 VMware vCenter, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-17530 Apache Struts RCE, CVE-2019-11510 Pulse Secure Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-43798 Grafana Directory Traversal, CVE-2020-1147 SharePoint, CVE-2021-22123 Fortinet FortiWeb OS Command Injection"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: LokiBot Default C2 URL, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Koadic MSHTML Command, Nimbo-C2 User Agent, Cobalt Strike HTTP Default POST Beaconing, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Cobalt Strike HTTP Default GET beaconing"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Azure Front Door", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Koadic MSHTML Command, LokiBot Default C2 URL, FoggyWeb HTTP Default GET/POST Requests, Nimbo-C2 User Agent, Cobalt Strike HTTP Default GET beaconing, SEKOIA.IO Intelligence Feed, Cobalt Strike HTTP Default POST Beaconing, Detect requests to Konni C2 servers"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-26855 Exchange SSRF, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2018-13379 Fortinet Exploit, CVE-2021-21985 VMware vCenter, GitLab CVE-2021-22205, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2019-0604 SharePoint, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2019-11510 Pulse Secure Exploit, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2021-21972 VMware vCenter, CVE-2020-1147 SharePoint, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2018-11776 Apache Struts2, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Koadic MSHTML Command, LokiBot Default C2 URL, FoggyWeb HTTP Default GET/POST Requests, Nimbo-C2 User Agent, Cobalt Strike HTTP Default GET beaconing, Cobalt Strike HTTP Default POST Beaconing, Detect requests to Konni C2 servers"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_6b8cb346-6605-4240-ac15-3828627ba899_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_6b8cb346-6605-4240-ac15-3828627ba899_do_not_edit_manually.json index 41af15d053..506c9070c3 100644 --- a/_shared_content/operations_center/detection/generated/attack_6b8cb346-6605-4240-ac15-3828627ba899_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_6b8cb346-6605-4240-ac15-3828627ba899_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x WALLIX Bastion", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Raccine Uninstall, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disable Using Registry, Disabled IE Security Features, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Restoration Abuse, WMIC Uninstall Product, Netsh RDP Port Forwarding, Netsh Port Forwarding, MalwareBytes Uninstallation, Debugging Software Deactivation, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Raccine Uninstall, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disable Using Registry, WMIC Uninstall Product, NetSh Used To Disable Windows Firewall, Debugging Software Deactivation, Windows Firewall Changes, Clear EventLogs Through CommandLine, ETW Tampering, Disabled IE Security Features, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh RDP Port Forwarding, Netsh Port Forwarding, MalwareBytes Uninstallation, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Allowed Python Program"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Process Memory Dump Using Comsvcs, Process Memory Dump Using Rdrleakdiag, Rubeus Tool Command-line, Process Trace Alteration, HackTools Suspicious Process Names In Command Line"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, DNS Exfiltration and Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, XCopy Suspicious Usage"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Non-Legitimate Executable Using AcceptEula Parameter"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious PowerShell Invocations - Specific, Suspicious Taskkill Command, PowerShell EncodedCommand, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious PowerShell Invocations - Specific, Suspicious Taskkill Command, PowerShell EncodedCommand, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Phorpiex DriveMgr Command, WMIC Uninstall Product, Lazarus Loaders, MalwareBytes Uninstallation, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username, Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CertOC Loading Dll, Suspicious Taskkill Command, Suspicious Windows Installer Execution, Control Panel Items, MavInject Process Injection, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Phorpiex DriveMgr Command, WMIC Uninstall Product, Lazarus Loaders, MalwareBytes Uninstallation"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key, Control Panel Items, Change Default File Association, Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh RDP Port Forwarding, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Windows Firewall Changes, Netsh Allowed Python Program"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Wmic Service Call, Wmic Process Call Creation, WMIC Uninstall Product, Blue Mockingbird Malware"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Netsh Port Forwarding, SOCKS Tunneling Tool"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading"}]} \ No newline at end of file +{"name": "SEKOIA.IO x WALLIX Bastion", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Debugging Software Deactivation, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, WMIC Uninstall Product, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, MalwareBytes Uninstallation, Netsh RDP Port Forwarding, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Restoration Abuse, Disabled IE Security Features, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh Port Forwarding, Raccine Uninstall, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Disable Using Registry, WMIC Uninstall Product, Address Space Layout Randomization (ASLR) Alteration, Suspicious Microsoft Defender Antivirus Exclusion Command, Debugging Software Deactivation, Windows Firewall Changes, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh RDP Port Forwarding, ETW Tampering, Disabled IE Security Features, Netsh Port Forwarding, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, MalwareBytes Uninstallation, Microsoft Defender Antivirus Restoration Abuse, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Raccine Uninstall, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Comsvcs, NTDS.dit File Interaction Through Command Line, Rubeus Tool Command-line, Process Memory Dump Using Rdrleakdiag, HackTools Suspicious Process Names In Command Line, Process Trace Alteration"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Python HTTP Server, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious PowerShell Invocations - Specific, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), Default Encoding To UTF-8 PowerShell, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Taskkill Command, PowerShell EncodedCommand, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious PowerShell Invocations - Specific, Phorpiex DriveMgr Command, DNS Exfiltration and Tunneling Tools Execution, WMIC Uninstall Product, MalwareBytes Uninstallation, Suspicious PrinterPorts Creation (CVE-2020-1048), Default Encoding To UTF-8 PowerShell, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Taskkill Command, Lazarus Loaders, PowerShell EncodedCommand, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username, Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution, Suspicious DLL Loading By Ordinal, MavInject Process Injection, Suspicious Taskkill Command, CertOC Loading Dll, Control Panel Items"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, WMIC Uninstall Product, MalwareBytes Uninstallation, Suspicious Taskkill Command, Lazarus Loaders"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key, Suspicious Netsh DLL Persistence, Control Panel Items, Change Default File Association"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Windows Firewall Changes, Netsh RDP Port Forwarding, NetSh Used To Disable Windows Firewall, Netsh Port Forwarding, Netsh Allowed Python Program"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Process Call Creation, WMIC Uninstall Product, Wmic Service Call, WMI Install Of Binary, Blue Mockingbird Malware"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Netsh Port Forwarding"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_6dbdd199-77ae-4705-a5de-5c2722fa020e_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_6dbdd199-77ae-4705-a5de-5c2722fa020e_do_not_edit_manually.json index 85d672189e..f0dbe023d3 100644 --- a/_shared_content/operations_center/detection/generated/attack_6dbdd199-77ae-4705-a5de-5c2722fa020e_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_6dbdd199-77ae-4705-a5de-5c2722fa020e_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Ubika WAAP Gateway [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, LokiBot Default C2 URL, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Koadic MSHTML Command, Nimbo-C2 User Agent, Bazar Loader DGA (Domain Generation Algorithm), Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2018-11776 Apache Struts2, CVE-2020-14882 Oracle WebLogic Server, GitLab CVE-2021-22205, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-21985 VMware vCenter, CVE-2019-0604 SharePoint, CVE-2018-13379 Fortinet Exploit, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-26855 Exchange SSRF, CVE-2021-21972 VMware vCenter, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-17530 Apache Struts RCE, CVE-2019-11510 Pulse Secure Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-43798 Grafana Directory Traversal, CVE-2020-1147 SharePoint, CVE-2021-22123 Fortinet FortiWeb OS Command Injection"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: LokiBot Default C2 URL, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Koadic MSHTML Command, Nimbo-C2 User Agent, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Ubika WAAP Gateway [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Koadic MSHTML Command, LokiBot Default C2 URL, FoggyWeb HTTP Default GET/POST Requests, Nimbo-C2 User Agent, Bazar Loader DGA (Domain Generation Algorithm), SEKOIA.IO Intelligence Feed, Detect requests to Konni C2 servers"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-26855 Exchange SSRF, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2018-13379 Fortinet Exploit, CVE-2021-21985 VMware vCenter, GitLab CVE-2021-22205, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2019-0604 SharePoint, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2019-11510 Pulse Secure Exploit, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2021-21972 VMware vCenter, CVE-2020-1147 SharePoint, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2018-11776 Apache Struts2, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Koadic MSHTML Command, LokiBot Default C2 URL, FoggyWeb HTTP Default GET/POST Requests, Nimbo-C2 User Agent, Detect requests to Konni C2 servers"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_79029ef9-e5d3-44f3-b70f-fd3b54ba1fe4_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_79029ef9-e5d3-44f3-b70f-fd3b54ba1fe4_do_not_edit_manually.json index 6d6114fa79..cf310290a0 100644 --- a/_shared_content/operations_center/detection/generated/attack_79029ef9-e5d3-44f3-b70f-fd3b54ba1fe4_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_79029ef9-e5d3-44f3-b70f-fd3b54ba1fe4_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Stormshield SNS", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Stormshield SNS", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, System Info Discovery, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, High Privileges Network Share Removal, Erase Shell History, ETW Tampering, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, WiFi Credentials Harvesting Using Netsh, Capture a network trace with netsh.exe, Network Sniffing Windows"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: WMIC Uninstall Product, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious VBS Execution Parameter, Suspicious Taskkill Command, Powershell Web Request, PowerShell Download From URL, PowerShell Malicious Nishang PowerShell Commandlets, Default Encoding To UTF-8 PowerShell, Lazarus Loaders, PowerShell EncodedCommand, Microsoft Defender Antivirus Disabled Base64 Encoded, XSL Script Processing And SquiblyTwo Attack, Sysprep On AppData Folder, Koadic Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), Elise Backdoor, Phorpiex DriveMgr Command, Suspicious PowerShell Invocations - Specific, Python Offensive Tools and Packages, DNS Exfiltration and Tunneling Tools Execution, Suspicious Windows Script Execution, PowerShell Downgrade Attack, MalwareBytes Uninstallation, Bloodhound and Sharphound Tools Usage, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Adexplorer Usage, Container Credential Access, Outlook Registry Access, Opening Of a Password File"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Using Registry, WMIC Uninstall Product, Address Space Layout Randomization (ASLR) Alteration, Suspicious Microsoft Defender Antivirus Exclusion Command, Debugging Software Deactivation, Fail2ban Unban IP, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh RDP Port Forwarding, Disabled IE Security Features, Netsh Port Forwarding, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh Port Opening, Microsoft Defender Antivirus Disable Scheduled Tasks, MalwareBytes Uninstallation, Microsoft Defender Antivirus Restoration Abuse, Raccine Uninstall, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Disable Using Registry, WMIC Uninstall Product, Netsh Allow Command, Address Space Layout Randomization (ASLR) Alteration, Suspicious Microsoft Defender Antivirus Exclusion Command, Debugging Software Deactivation, Windows Firewall Changes, Fail2ban Unban IP, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh RDP Port Forwarding, ETW Tampering, Disabled IE Security Features, Netsh Port Forwarding, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh Port Opening, Microsoft Defender Antivirus Disable Scheduled Tasks, MalwareBytes Uninstallation, Microsoft Defender Antivirus Restoration Abuse, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Raccine Uninstall, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Comsvcs, NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data, Rubeus Tool Command-line, Process Memory Dump Using Rdrleakdiag, HackTools Suspicious Process Names In Command Line, Process Trace Alteration, Copying Browser Files With Credentials, Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution, Bazar Loader DGA (Domain Generation Algorithm), SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Double Extension"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, XCopy Suspicious Usage, Opening Of a Password File"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious PowerShell Invocations - Specific, DNS Exfiltration and Tunneling Tools Execution, PowerShell Downgrade Attack, PowerShell Download From URL, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious PrinterPorts Creation (CVE-2020-1048), Default Encoding To UTF-8 PowerShell, Suspicious Microsoft Defender Antivirus Exclusion Command, Bloodhound and Sharphound Tools Usage, Suspicious Taskkill Command, PowerShell EncodedCommand, Powershell Web Request, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Suspicious Finger Usage, Suspicious certutil command, Rclone Process"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, WMIC Uninstall Product, Koadic Execution, MalwareBytes Uninstallation, Elise Backdoor, Suspicious Taskkill Command, Lazarus Loaders"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Windows Firewall Changes, Netsh Port Opening, Netsh RDP Port Forwarding, Netsh Allow Command, NetSh Used To Disable Windows Firewall, Netsh Port Forwarding, Netsh Allowed Python Program, Netsh RDP Port Opening"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Wmic Process Call Creation, WMIC Uninstall Product, Wmic Service Call, WMI Install Of Binary, Blue Mockingbird Malware"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, Koadic Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Koadic Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious certutil command, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Mshta Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups, Suncrypt Parameters"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username, Suncrypt Parameters"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Empire Monkey Activity, PowerShell Execution Via Rundll32, Equation Group DLL_U Load, Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Control Process, Empire Monkey Activity, Explorer Process Executing HTA File, PowerShell Execution Via Rundll32, AccCheckConsole Executing Dll, Suspicious Windows Installer Execution, Mshta JavaScript Execution, Equation Group DLL_U Load, Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution, xWizard Execution, MavInject Process Injection, Suspicious Taskkill Command, CertOC Loading Dll, CMSTP Execution, Suspicious Mshta Execution, Control Panel Items"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Suspicious Taskkill Command, Explorer Process Executing HTA File, Suspicious Mshta Execution"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, NlTest Usage, AdFind Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution, Ngrok Process Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Explorer Process Executing HTA File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Explorer Process Executing HTA File"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key, Suspicious Netsh DLL Persistence, Control Panel Items, Change Default File Association"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain In Command Line, Rclone Process"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: IIS Module Installation Using AppCmd, PowerCat Function Loading"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_7b1317ec-3f87-4b53-9b6d-3f79045f28fa_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_7b1317ec-3f87-4b53-9b6d-3f79045f28fa_do_not_edit_manually.json index 865cfbb96f..37891ab9a0 100644 --- a/_shared_content/operations_center/detection/generated/attack_7b1317ec-3f87-4b53-9b6d-3f79045f28fa_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_7b1317ec-3f87-4b53-9b6d-3f79045f28fa_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Cloudflare Gateway DNS [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Sliver DNS Beaconing"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Cloudflare Gateway DNS [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Sliver DNS Beaconing, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_7b75d498-4a65-4d44-aa81-31090d723a60_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_7b75d498-4a65-4d44-aa81-31090d723a60_do_not_edit_manually.json index 783f635d9f..52517419bf 100644 --- a/_shared_content/operations_center/detection/generated/attack_7b75d498-4a65-4d44-aa81-31090d723a60_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_7b75d498-4a65-4d44-aa81-31090d723a60_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Varonis Data Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1586.002", "score": 100, "comment": "Rules: Varonis Data Security Email Alert"}, {"techniqueID": "T1586", "score": 100, "comment": "Rules: Varonis Data Security Email Alert"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Varonis Data Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1586.002", "score": 100, "comment": "Rules: Varonis Data Security Email Alert"}, {"techniqueID": "T1586", "score": 100, "comment": "Rules: Varonis Data Security Email Alert"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, WCE wceaux.dll Creation"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_80de6ccb-7246-40de-bcbb-bc830118c1f9_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_80de6ccb-7246-40de-bcbb-bc830118c1f9_do_not_edit_manually.json index dbf02cee9f..7abdc8da45 100644 --- a/_shared_content/operations_center/detection/generated/attack_80de6ccb-7246-40de-bcbb-bc830118c1f9_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_80de6ccb-7246-40de-bcbb-bc830118c1f9_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Github Audit logs [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1562.001", "score": 100, "comment": "Rules: GitHub High Risk Configuration Disabled, GitHub Dependabot Or Vulnerability Alerts Disabled, GitHub Outside Collaborator Detected, GitHub New Organization Member, GitHub Delete Action"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: GitHub High Risk Configuration Disabled, GitHub Dependabot Or Vulnerability Alerts Disabled, GitHub Outside Collaborator Detected, GitHub New Organization Member, GitHub Delete Action"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Github Audit logs [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1562.001", "score": 100, "comment": "Rules: GitHub New Organization Member, GitHub Outside Collaborator Detected, GitHub High Risk Configuration Disabled, GitHub Delete Action, GitHub Dependabot Or Vulnerability Alerts Disabled"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: GitHub New Organization Member, GitHub Outside Collaborator Detected, GitHub High Risk Configuration Disabled, GitHub Delete Action, GitHub Dependabot Or Vulnerability Alerts Disabled"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_864ade96-a96d-4a0e-ab3d-b7cb7b7db618_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_864ade96-a96d-4a0e-ab3d-b7cb7b7db618_do_not_edit_manually.json index 37a7aeb87f..55f14fdecc 100644 --- a/_shared_content/operations_center/detection/generated/attack_864ade96-a96d-4a0e-ab3d-b7cb7b7db618_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_864ade96-a96d-4a0e-ab3d-b7cb7b7db618_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Infoblox DDI", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Sliver DNS Beaconing"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Infoblox DDI", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Sliver DNS Beaconing, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_890207d2-4878-440d-9079-3dd25d472e0a_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_890207d2-4878-440d-9079-3dd25d472e0a_do_not_edit_manually.json index 54d3dd20fe..0a1ad0a2d6 100644 --- a/_shared_content/operations_center/detection/generated/attack_890207d2-4878-440d-9079-3dd25d472e0a_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_890207d2-4878-440d-9079-3dd25d472e0a_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x ManageEngine ADAudit Plus [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}]} \ No newline at end of file +{"name": "SEKOIA.IO x ManageEngine ADAudit Plus [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, WCE wceaux.dll Creation"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_8c1bee36-d516-42f9-9b6f-a8e4dcac3d1d_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_8c1bee36-d516-42f9-9b6f-a8e4dcac3d1d_do_not_edit_manually.json index 98073393c6..57ea7d79cf 100644 --- a/_shared_content/operations_center/detection/generated/attack_8c1bee36-d516-42f9-9b6f-a8e4dcac3d1d_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_8c1bee36-d516-42f9-9b6f-a8e4dcac3d1d_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x SentinelOne Cloud Funnel 1.0 [Deprecated]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Suspicious desktop.ini Action, NjRat Registry Changes, Kernel Module Alteration"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies, System Info Discovery"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: High Privileges Network Share Removal, ETW Tampering, Erase Shell History, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows, Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, Outlook Registry Access, Container Credential Access, XCopy Suspicious Usage"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally, Dynamic Linker Hijacking From Environment Variable, Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Raccine Uninstall, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disable Using Registry, WMIC Uninstall Product, Debugging Software Deactivation, Netsh RDP Port Opening, Disabled IE Security Features, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh RDP Port Forwarding, Netsh Port Forwarding, MalwareBytes Uninstallation, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Program Allowed With Suspicious Location, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Fail2ban Unban IP, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Port Opening, Microsoft Defender Antivirus Signatures Removed With MpCmdRun"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Raccine Uninstall, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disable Using Registry, WMIC Uninstall Product, NetSh Used To Disable Windows Firewall, Debugging Software Deactivation, Windows Firewall Changes, Clear EventLogs Through CommandLine, ETW Tampering, Netsh RDP Port Opening, Netsh Allow Command, Disabled IE Security Features, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh RDP Port Forwarding, Netsh Port Forwarding, MalwareBytes Uninstallation, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Program Allowed With Suspicious Location, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Fail2ban Unban IP, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Port Opening, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Allowed Python Program"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Explorer Wrong Parent, Spoolsv Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, Searchindexer Wrong Parent, Taskhost Wrong Parent, Svchost Wrong Parent, Smss Wrong Parent, Taskhostw Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Searchprotocolhost Wrong Parent, MavInject Process Injection, Wsmprovhost Wrong Parent, Wmiprvse Wrong Parent"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line, Cmdkey Cached Credentials Recon, Process Memory Dump Using Comsvcs, Process Memory Dump Using Rdrleakdiag, Rubeus Tool Command-line, Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials, Process Trace Alteration, Copying Sensitive Files With Credential Data, HackTools Suspicious Process Names In Command Line, Load Of dbghelp/dbgcore DLL From Suspicious Process"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, DNS Tunnel Technique From MuddyWater, Exfiltration And Tunneling Tools Execution, Koadic MSHTML Command, Detect requests to Konni C2 servers, Sliver DNS Beaconing, Python HTTP Server, FoggyWeb HTTP Default GET/POST Requests, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious HWP Child Process, Possible Malicious File Double Extension, Suspicious Outlook Child Process, Suspicious Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-21985 VMware vCenter, CVE-2018-11776 Apache Struts2, CVE-2019-0604 SharePoint, Suspicious DNS Child Process, Exploited CVE-2020-10189 Zoho ManageEngine, CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-26855 Exchange SSRF, CVE-2020-1147 SharePoint, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-21972 VMware vCenter, CVE-2020-17530 Apache Struts RCE"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Koadic MSHTML Command, Detect requests to Konni C2 servers, Python HTTP Server, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Exploit For CVE-2015-1641, Suspicious HWP Child Process, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Exploit For CVE-2015-1641, MS Office Product Spawning Exe in User Dir, Winword Document Droppers, Microsoft Office Product Spawning Windows Shell, Microsoft Office Creating Suspicious File, Microsoft Office Spawning Script, Cobalt Strike Default Beacons Names, Suspicious Outlook Child Process, SquirrelWaffle Malspam Execution Loading DLL, Download Files From Suspicious TLDs, Explorer Process Executing HTA File"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Exploit For CVE-2015-1641, MS Office Product Spawning Exe in User Dir, Winword Document Droppers, Microsoft Office Product Spawning Windows Shell, Microsoft Office Creating Suspicious File, Microsoft Office Spawning Script, Cobalt Strike Default Beacons Names, SquirrelWaffle Malspam Execution Loading DLL, Download Files From Suspicious TLDs, Explorer Process Executing HTA File"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, DNS Exfiltration and Tunneling Tools Execution, Sliver DNS Beaconing"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Exploit For CVE-2017-0261 Or CVE-2017-0262, Explorer Wrong Parent, RTLO Character, Phorpiex Process Masquerading, AutoIt3 Execution From Suspicious Folder, Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line, Possible Malicious File Double Extension, Formbook Hijacked Process Command, Non-Legitimate Executable Using AcceptEula Parameter"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command, Rclone Process, Suspicious Finger Usage, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, Exchange Server Spawning Suspicious Processes, ProxyShell Exchange Suspicious Paths, Webshell Execution W3WP Process, Exchange Server Creating Unusual Files, PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, Exchange Server Spawning Suspicious Processes, ProxyShell Exchange Suspicious Paths, Webshell Execution W3WP Process, IIS Module Installation Using AppCmd, Exchange Server Creating Unusual Files, PowerCat Function Loading"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious Taskkill Command, Exploited CVE-2020-10189 Zoho ManageEngine, Phorpiex DriveMgr Command, Koadic Execution, Suspicious Cmd.exe Command Line, WMIC Uninstall Product, Lazarus Loaders, MalwareBytes Uninstallation, SquirrelWaffle Malspam Execution Loading DLL, Elise Backdoor"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious Taskkill Command, WMIC Uninstall Product, Bloodhound and Sharphound Tools Usage, PowerShell Download From URL, QakBot Process Creation, Suspicious Outlook Child Process, SquirrelWaffle Malspam Execution Loading DLL, Trickbot Malware Activity, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious VBS Execution Parameter, PowerShell EncodedCommand, Suspicious Microsoft Defender Antivirus Exclusion Command, Phorpiex DriveMgr Command, Powershell Web Request, Lazarus Loaders, MalwareBytes Uninstallation, Mshta Suspicious Child Process, Sysprep On AppData Folder, Elise Backdoor, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious Windows Script Execution, Koadic Execution, AutoIt3 Execution From Suspicious Folder, XSL Script Processing And SquiblyTwo Attack, Suspicious Cmd.exe Command Line, DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Invocations - Specific, PowerShell Downgrade Attack, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Office Creating Suspicious File, Microsoft Office Spawning Script, Default Encoding To UTF-8 PowerShell, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious PrinterPorts Creation (CVE-2020-1048)"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, Microsoft Office Creating Suspicious File, Microsoft Office Spawning Script, Suspicious Windows Script Execution, Koadic Execution, XSL Script Processing And SquiblyTwo Attack, QakBot Process Creation, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: IcedID Execution Using Excel, PowerShell Execution Via Rundll32, Equation Group DLL_U Load, Empire Monkey Activity, Suspicious DLL Loading By Ordinal, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Suspicious Windows Installer Execution, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Regsvr32 Execution, PowerShell Execution Via Rundll32, Control Panel Items, MavInject Process Injection, Mshta JavaScript Execution, MOFComp Execution, AccCheckConsole Executing Dll, xWizard Execution, Empire Monkey Activity, Suspicious DLL Loading By Ordinal, CMSTP UAC Bypass via COM Object Access, CMSTP Execution, Suspicious Rundll32.exe Execution, Explorer Process Executing HTA File, IcedID Execution Using Excel, Suspicious Control Process, CertOC Loading Dll, Suspicious Mshta Execution, Equation Group DLL_U Load"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, XCopy Suspicious Usage, Adexplorer Usage"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh RDP Port Opening, Netsh Allow Command, Netsh Program Allowed With Suspicious Location, Netsh Port Opening, Netsh RDP Port Forwarding, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Windows Firewall Changes, Netsh Allowed Python Program"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Winlogon wrong parent, Dllhost Wrong Parent, Csrss Wrong Parent, Winword wrong parent, Rare Lsass Child Found, Csrss Child Found, Searchprotocolhost Child Found, Explorer Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Taskhost Wrong Parent, Rare Logonui Child Found, Wsmprovhost Wrong Parent, Lsass Wrong Parent, Logonui Wrong Parent, WMI Persistence Command Line Event Consumer, SolarWinds Wrong Child Process, Searchindexer Wrong Parent, Userinit Wrong Parent, New Service Creation, Wininit Wrong Parent, Taskhostw Wrong Parent, Wmiprvse Wrong Parent, Spoolsv Wrong Parent, Winrshost Wrong Parent, Svchost Wrong Parent, Smss Wrong Parent, Suspicious Commands From MS SQL Server Shell, Searchprotocolhost Wrong Parent, OneNote Suspicious Children Process"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Winlogon wrong parent, Dllhost Wrong Parent, Csrss Wrong Parent, Winword wrong parent, Rare Lsass Child Found, Csrss Child Found, Searchprotocolhost Child Found, Explorer Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Taskhost Wrong Parent, Rare Logonui Child Found, Wsmprovhost Wrong Parent, Lsass Wrong Parent, Logonui Wrong Parent, WMI Persistence Command Line Event Consumer, SolarWinds Wrong Child Process, Searchindexer Wrong Parent, Userinit Wrong Parent, New Service Creation, Wininit Wrong Parent, Taskhostw Wrong Parent, Wmiprvse Wrong Parent, Spoolsv Wrong Parent, Winrshost Wrong Parent, Svchost Wrong Parent, Smss Wrong Parent, Suspicious Commands From MS SQL Server Shell, Searchprotocolhost Wrong Parent, OneNote Suspicious Children Process"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Winlogon wrong parent, Dllhost Wrong Parent, Csrss Wrong Parent, Winword wrong parent, Rare Lsass Child Found, Csrss Child Found, Searchprotocolhost Child Found, Taskhost or Taskhostw Suspicious Child Found, Taskhost Wrong Parent, Rare Logonui Child Found, Wsmprovhost Wrong Parent, Lsass Wrong Parent, Logonui Wrong Parent, WMI Persistence Command Line Event Consumer, SolarWinds Wrong Child Process, Suspicious DNS Child Process, Searchindexer Wrong Parent, Userinit Wrong Parent, Wininit Wrong Parent, Taskhostw Wrong Parent, PsExec Process, Wmiprvse Wrong Parent, Usage Of Procdump With Common Arguments, Spoolsv Wrong Parent, Winrshost Wrong Parent, Svchost Wrong Parent, Smss Wrong Parent, Suspicious Commands From MS SQL Server Shell, Searchprotocolhost Wrong Parent, OneNote Suspicious Children Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Winlogon wrong parent, Dllhost Wrong Parent, Csrss Wrong Parent, Winword wrong parent, Rare Lsass Child Found, Csrss Child Found, Searchprotocolhost Child Found, Windows Update LolBins, Taskhost or Taskhostw Suspicious Child Found, Taskhost Wrong Parent, Rare Logonui Child Found, Wsmprovhost Wrong Parent, Lsass Wrong Parent, Logonui Wrong Parent, WMI Persistence Command Line Event Consumer, SolarWinds Wrong Child Process, Suspicious DNS Child Process, Searchindexer Wrong Parent, Userinit Wrong Parent, Wininit Wrong Parent, Taskhostw Wrong Parent, SolarWinds Suspicious File Creation, PsExec Process, Wmiprvse Wrong Parent, Usage Of Procdump With Common Arguments, Spoolsv Wrong Parent, Winrshost Wrong Parent, Svchost Wrong Parent, Smss Wrong Parent, Suspicious Commands From MS SQL Server Shell, Searchprotocolhost Wrong Parent, OneNote Suspicious Children Process"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious PowerShell Invocations - Specific, PowerShell Downgrade Attack, Suspicious Taskkill Command, PowerShell EncodedCommand, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Exploited CVE-2020-10189 Zoho ManageEngine, Powershell Web Request, Bloodhound and Sharphound Tools Usage, PowerShell Download From URL, Default Encoding To UTF-8 PowerShell, PowerShell Malicious Nishang PowerShell Commandlets, Mshta Suspicious Child Process, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Wmic Service Call, Wmic Process Call Creation, Impacket Wmiexec Module, WMIC Uninstall Product, XSL Script Processing And SquiblyTwo Attack, Suspicious Mshta Execution From Wmi, Blue Mockingbird Malware"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Koadic Execution, Suspicious Windows Script Execution"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Exploit For CVE-2017-0261 Or CVE-2017-0262, Explorer Wrong Parent, Formbook Hijacked Process Command"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: STRRAT Scheduled Task, Schtasks Suspicious Parent, Schtasks Persistence With High Privileges, Suspicious Scheduled Task Creation, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: STRRAT Scheduled Task, Schtasks Suspicious Parent, Schtasks Persistence With High Privileges, Suspicious Scheduled Task Creation, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Blue Mockingbird Malware"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious certutil command, Suspicious Mshta Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Inhibit System Recovery Deleting Backups, Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username, Suncrypt Parameters"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Suspicious Mshta Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Trickbot Malware Activity, NlTest Usage, AdFind Usage, Bloodhound and Sharphound Tools Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Ngrok Process Execution, Exfiltration And Tunneling Tools Execution, SOCKS Tunneling Tool, Netsh Port Forwarding"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write, New DLL Added To AppCertDlls Registry Key, Control Panel Items, Suspicious Netsh DLL Persistence, Change Default File Association"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, OneNote Embedded File"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Load Of dbghelp/dbgcore DLL From Suspicious Process"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious HWP Child Process"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1, Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}]} \ No newline at end of file +{"name": "SEKOIA.IO x SentinelOne Cloud Funnel 1.0 [Deprecated]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: NjRat Registry Changes, Kernel Module Alteration, Suspicious desktop.ini Action"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, System Info Discovery, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, High Privileges Network Share Removal, Erase Shell History, ETW Tampering, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, WiFi Credentials Harvesting Using Netsh, Capture a network trace with netsh.exe, Network Sniffing Windows"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Adexplorer Usage, Container Credential Access, Outlook Registry Access, Opening Of a Password File"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Hijack Legit RDP Session To Move Laterally, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Using Registry, WMIC Uninstall Product, Address Space Layout Randomization (ASLR) Alteration, Suspicious Microsoft Defender Antivirus Exclusion Command, Debugging Software Deactivation, Fail2ban Unban IP, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh RDP Port Forwarding, Disabled IE Security Features, Netsh Port Forwarding, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh Port Opening, Microsoft Defender Antivirus Disable Scheduled Tasks, MalwareBytes Uninstallation, Microsoft Defender Antivirus Restoration Abuse, Netsh Program Allowed With Suspicious Location, Raccine Uninstall, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Disable Using Registry, WMIC Uninstall Product, Netsh Allow Command, Address Space Layout Randomization (ASLR) Alteration, Suspicious Microsoft Defender Antivirus Exclusion Command, Debugging Software Deactivation, Windows Firewall Changes, Fail2ban Unban IP, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh RDP Port Forwarding, ETW Tampering, Disabled IE Security Features, Netsh Port Forwarding, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh Port Opening, Microsoft Defender Antivirus Disable Scheduled Tasks, MalwareBytes Uninstallation, Microsoft Defender Antivirus Restoration Abuse, NetSh Used To Disable Windows Firewall, Netsh Program Allowed With Suspicious Location, Netsh Allowed Python Program, Raccine Uninstall, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Wmiprvse Wrong Parent, Smss Wrong Parent, Taskhost Wrong Parent, MavInject Process Injection, Searchindexer Wrong Parent, Taskhostw Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Svchost Wrong Parent, Explorer Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, Spoolsv Wrong Parent, Searchprotocolhost Wrong Parent, Wsmprovhost Wrong Parent"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Comsvcs, WCE wceaux.dll Creation, Load Of dbghelp/dbgcore DLL From Suspicious Process, NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data, Rubeus Tool Command-line, Process Memory Dump Using Rdrleakdiag, HackTools Suspicious Process Names In Command Line, Process Trace Alteration, Cmdkey Cached Credentials Recon, Copying Browser Files With Credentials, NTDS.dit File In Suspicious Directory, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Sliver DNS Beaconing, Exfiltration And Tunneling Tools Execution, Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater, FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command, SEKOIA.IO Intelligence Feed, Detect requests to Konni C2 servers"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Suspicious Double Extension, Suspicious HWP Child Process, Download Files From Suspicious TLDs, Suspicious Outlook Child Process, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-26855 Exchange SSRF, CVE-2019-0604 SharePoint, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-17530 Apache Struts RCE, CVE-2021-21972 VMware vCenter, Exploited CVE-2020-10189 Zoho ManageEngine, CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv, CVE-2020-1147 SharePoint, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2018-11776 Apache Struts2, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-21985 VMware vCenter, Suspicious DNS Child Process"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server, FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command, Detect requests to Konni C2 servers"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, Net.exe User Account Creation"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Suspicious HWP Child Process, Download Files From Suspicious TLDs, Exploit For CVE-2015-1641"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Explorer Process Executing HTA File, Microsoft Office Product Spawning Windows Shell, Microsoft Office Spawning Script, Exploit For CVE-2015-1641, Winword Document Droppers, MS Office Product Spawning Exe in User Dir, SquirrelWaffle Malspam Execution Loading DLL, Download Files From Suspicious TLDs, Microsoft Office Creating Suspicious File, Suspicious Outlook Child Process, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Explorer Process Executing HTA File, Microsoft Office Product Spawning Windows Shell, Microsoft Office Spawning Script, Exploit For CVE-2015-1641, Winword Document Droppers, MS Office Product Spawning Exe in User Dir, SquirrelWaffle Malspam Execution Loading DLL, Download Files From Suspicious TLDs, Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing, DNS Tunnel Technique From MuddyWater, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, AutoIt3 Execution From Suspicious Folder, Possible Malicious File Double Extension, Exploit For CVE-2017-0261 Or CVE-2017-0262, Formbook Hijacked Process Command, RTLO Character, Explorer Wrong Parent, Suspicious Cmd.exe Command Line, Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious certutil command, Rclone Process, Suspicious URI Used In A Lazarus Campaign, Suspicious Finger Usage, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, ProxyShell Exchange Suspicious Paths, Webshell Execution W3WP Process, Exchange Server Spawning Suspicious Processes, Exchange Server Creating Unusual Files, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: IIS Module Installation Using AppCmd, PowerCat Function Loading, ProxyShell Exchange Suspicious Paths, Webshell Execution W3WP Process, Exchange Server Spawning Suspicious Processes, Exchange Server Creating Unusual Files, Webshell Creation"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Phorpiex DriveMgr Command, WMIC Uninstall Product, Koadic Execution, MalwareBytes Uninstallation, Exploited CVE-2020-10189 Zoho ManageEngine, SquirrelWaffle Malspam Execution Loading DLL, Lazarus Loaders, Elise Backdoor, Suspicious Taskkill Command, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: WMIC Uninstall Product, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Creating Suspicious File, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious VBS Execution Parameter, Suspicious Taskkill Command, Powershell Web Request, Exploiting SetupComplete.cmd CVE-2019-1378, QakBot Process Creation, AutoIt3 Execution From Suspicious Folder, PowerShell Download From URL, PowerShell Malicious Nishang PowerShell Commandlets, Default Encoding To UTF-8 PowerShell, Mshta Suspicious Child Process, Lazarus Loaders, PowerShell EncodedCommand, Microsoft Defender Antivirus Disabled Base64 Encoded, XSL Script Processing And SquiblyTwo Attack, Sysprep On AppData Folder, Trickbot Malware Activity, Koadic Execution, Microsoft Office Spawning Script, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious Outlook Child Process, Elise Backdoor, Phorpiex DriveMgr Command, Suspicious PowerShell Invocations - Specific, DNS Exfiltration and Tunneling Tools Execution, Suspicious Windows Script Execution, PowerShell Downgrade Attack, MalwareBytes Uninstallation, Exploited CVE-2020-10189 Zoho ManageEngine, Bloodhound and Sharphound Tools Usage, Suspicious Cmd.exe Command Line, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, QakBot Process Creation, Suspicious Windows Script Execution, Koadic Execution, Microsoft Office Spawning Script, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Creating Suspicious File, Suspicious VBS Execution Parameter"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Empire Monkey Activity, PowerShell Execution Via Rundll32, Equation Group DLL_U Load, SquirrelWaffle Malspam Execution Loading DLL, Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Control Process, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Taskkill Command, CertOC Loading Dll, Empire Monkey Activity, Suspicious Windows Installer Execution, xWizard Execution, MavInject Process Injection, MOFComp Execution, Suspicious Mshta Execution, IcedID Execution Using Excel, AccCheckConsole Executing Dll, CMSTP UAC Bypass via COM Object Access, Equation Group DLL_U Load, Suspicious Rundll32.exe Execution, Suspicious Regsvr32 Execution, Explorer Process Executing HTA File, PowerShell Execution Via Rundll32, Suspicious DLL Loading By Ordinal, Mshta JavaScript Execution, CMSTP Execution, Control Panel Items"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, XCopy Suspicious Usage, Opening Of a Password File"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Windows Firewall Changes, Netsh Port Opening, Netsh RDP Port Forwarding, Netsh Allow Command, NetSh Used To Disable Windows Firewall, Netsh Program Allowed With Suspicious Location, Netsh Port Forwarding, Netsh Allowed Python Program, Netsh RDP Port Opening"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Wmiprvse Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Winlogon wrong parent, Userinit Wrong Parent, Spoolsv Wrong Parent, Dllhost Wrong Parent, Csrss Child Found, Csrss Wrong Parent, Wininit Wrong Parent, New Service Creation, Winrshost Wrong Parent, Taskhostw Wrong Parent, Logonui Wrong Parent, WMI Persistence Command Line Event Consumer, Winword wrong parent, Taskhost Wrong Parent, Searchindexer Wrong Parent, SolarWinds Wrong Child Process, Searchprotocolhost Child Found, Lsass Wrong Parent, Searchprotocolhost Wrong Parent, Wsmprovhost Wrong Parent, Smss Wrong Parent, OneNote Suspicious Children Process, Rare Logonui Child Found, Rare Lsass Child Found, Svchost Wrong Parent, Explorer Wrong Parent, Suspicious Commands From MS SQL Server Shell"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Wmiprvse Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Winlogon wrong parent, Userinit Wrong Parent, Spoolsv Wrong Parent, Dllhost Wrong Parent, Csrss Child Found, Csrss Wrong Parent, Wininit Wrong Parent, New Service Creation, Winrshost Wrong Parent, Taskhostw Wrong Parent, Logonui Wrong Parent, WMI Persistence Command Line Event Consumer, Winword wrong parent, Taskhost Wrong Parent, Searchindexer Wrong Parent, SolarWinds Wrong Child Process, Searchprotocolhost Child Found, Lsass Wrong Parent, Searchprotocolhost Wrong Parent, Wsmprovhost Wrong Parent, Smss Wrong Parent, OneNote Suspicious Children Process, Rare Logonui Child Found, Rare Lsass Child Found, Svchost Wrong Parent, Explorer Wrong Parent, Suspicious Commands From MS SQL Server Shell"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Wmiprvse Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Winlogon wrong parent, Userinit Wrong Parent, Spoolsv Wrong Parent, Dllhost Wrong Parent, Csrss Child Found, Csrss Wrong Parent, Wininit Wrong Parent, Winrshost Wrong Parent, Taskhostw Wrong Parent, Logonui Wrong Parent, WMI Persistence Command Line Event Consumer, Winword wrong parent, Usage Of Procdump With Common Arguments, Taskhost Wrong Parent, Searchindexer Wrong Parent, SolarWinds Wrong Child Process, Searchprotocolhost Child Found, Lsass Wrong Parent, Searchprotocolhost Wrong Parent, Wsmprovhost Wrong Parent, Smss Wrong Parent, OneNote Suspicious Children Process, PsExec Process, Rare Logonui Child Found, Rare Lsass Child Found, Svchost Wrong Parent, Suspicious Commands From MS SQL Server Shell, Suspicious DNS Child Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Wmiprvse Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Winlogon wrong parent, Userinit Wrong Parent, Suspicious Commands From MS SQL Server Shell, Spoolsv Wrong Parent, Dllhost Wrong Parent, Csrss Child Found, Csrss Wrong Parent, SolarWinds Suspicious File Creation, Wininit Wrong Parent, Winrshost Wrong Parent, Taskhostw Wrong Parent, Logonui Wrong Parent, WMI Persistence Command Line Event Consumer, Winword wrong parent, Taskhost Wrong Parent, Searchindexer Wrong Parent, SolarWinds Wrong Child Process, Searchprotocolhost Child Found, Windows Update LolBins, Lsass Wrong Parent, Searchprotocolhost Wrong Parent, Wsmprovhost Wrong Parent, Smss Wrong Parent, OneNote Suspicious Children Process, PsExec Process, Rare Logonui Child Found, Rare Lsass Child Found, Svchost Wrong Parent, Usage Of Procdump With Common Arguments, Suspicious DNS Child Process"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious PowerShell Invocations - Specific, DNS Exfiltration and Tunneling Tools Execution, PowerShell Downgrade Attack, PowerShell Download From URL, PowerShell Malicious Nishang PowerShell Commandlets, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious PrinterPorts Creation (CVE-2020-1048), Default Encoding To UTF-8 PowerShell, Suspicious Microsoft Defender Antivirus Exclusion Command, Bloodhound and Sharphound Tools Usage, Mshta Suspicious Child Process, Suspicious Taskkill Command, PowerShell EncodedCommand, Powershell Web Request, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Wmic Process Call Creation, WMIC Uninstall Product, Wmic Service Call, WMI Install Of Binary, Impacket Wmiexec Module, Blue Mockingbird Malware, Suspicious Mshta Execution From Wmi"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Koadic Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Explorer Wrong Parent, Formbook Hijacked Process Command, Phorpiex Process Masquerading, Exploit For CVE-2017-0261 Or CVE-2017-0262"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Suspicious Scheduled Task Creation, Schtasks Suspicious Parent, Qakbot Persistence Using Schtasks, STRRAT Scheduled Task, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Suspicious Scheduled Task Creation, Schtasks Suspicious Parent, Qakbot Persistence Using Schtasks, STRRAT Scheduled Task, BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious certutil command, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Mshta Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups, Suncrypt Parameters"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username, Suncrypt Parameters"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Suspicious Taskkill Command, Explorer Process Executing HTA File, Suspicious Mshta Execution"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, Trickbot Malware Activity, NlTest Usage, Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution, Ngrok Process Execution"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write, Change Default File Association, Suspicious Netsh DLL Persistence, New DLL Added To AppCertDlls Registry Key, Control Panel Items"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain In Command Line, Rclone Process"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, PowerShell EncodedCommand"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Load Of dbghelp/dbgcore DLL From Suspicious Process"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious HWP Child Process, Suspicious Double Extension"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Formbook File Creation DB1"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_8d8f040d-6a75-4bf4-bf1d-772e9a30f0dd_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_8d8f040d-6a75-4bf4-bf1d-772e9a30f0dd_do_not_edit_manually.json index 0c9957ad29..81e11dc220 100644 --- a/_shared_content/operations_center/detection/generated/attack_8d8f040d-6a75-4bf4-bf1d-772e9a30f0dd_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_8d8f040d-6a75-4bf4-bf1d-772e9a30f0dd_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x TEHTRIS EDR", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Suspicious desktop.ini Action, Kernel Module Alteration"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies, System Info Discovery"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration, Add User to Privileged Group"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: High Privileges Network Share Removal, ETW Tampering, Erase Shell History, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows, Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, Outlook Registry Access, Container Credential Access, XCopy Suspicious Usage"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration, Raccine Uninstall, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disable Using Registry, WMIC Uninstall Product, Debugging Software Deactivation, Netsh RDP Port Opening, Disabled IE Security Features, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh RDP Port Forwarding, Netsh Port Forwarding, MalwareBytes Uninstallation, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Fail2ban Unban IP, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Port Opening, Microsoft Defender Antivirus Signatures Removed With MpCmdRun"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration, Raccine Uninstall, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disable Using Registry, WMIC Uninstall Product, NetSh Used To Disable Windows Firewall, Debugging Software Deactivation, Windows Firewall Changes, Clear EventLogs Through CommandLine, ETW Tampering, Netsh RDP Port Opening, Netsh Allow Command, Disabled IE Security Features, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh RDP Port Forwarding, Netsh Port Forwarding, MalwareBytes Uninstallation, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Fail2ban Unban IP, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Port Opening, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Allowed Python Program"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Cron Files Alteration, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line, Cmdkey Cached Credentials Recon, Process Memory Dump Using Comsvcs, Process Memory Dump Using Rdrleakdiag, Rubeus Tool Command-line, Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials, Process Trace Alteration, Copying Sensitive Files With Credential Data, HackTools Suspicious Process Names In Command Line"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution, Koadic MSHTML Command, Detect requests to Konni C2 servers, Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Double Extension, Possible Malicious File Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: TEHTRIS EDR Alert, Microsoft Office Creating Suspicious File, Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs, Explorer Process Executing HTA File"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Detect requests to Konni C2 servers, Exfiltration And Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Phorpiex Process Masquerading, AutoIt3 Execution From Suspicious Folder, Suspicious Cmd File Copy Command To Network Share, Possible Malicious File Double Extension, Non-Legitimate Executable Using AcceptEula Parameter"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command, Rclone Process, Suspicious Finger Usage, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Creating Unusual Files, PowerCat Function Loading, ProxyShell Exchange Suspicious Paths, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, ProxyShell Exchange Suspicious Paths, IIS Module Installation Using AppCmd, Exchange Server Creating Unusual Files, PowerCat Function Loading"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious Taskkill Command, WMIC Uninstall Product, Bloodhound and Sharphound Tools Usage, PowerShell Download From URL, TEHTRIS EDR Alert, Suspicious VBS Execution Parameter, PowerShell EncodedCommand, Suspicious Microsoft Defender Antivirus Exclusion Command, Phorpiex DriveMgr Command, Powershell Web Request, Lazarus Loaders, MalwareBytes Uninstallation, Sysprep On AppData Folder, Elise Backdoor, Suspicious Windows Script Execution, Koadic Execution, AutoIt3 Execution From Suspicious Folder, XSL Script Processing And SquiblyTwo Attack, DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Invocations - Specific, PowerShell Downgrade Attack, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Office Creating Suspicious File, Default Encoding To UTF-8 PowerShell, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious PrinterPorts Creation (CVE-2020-1048)"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, TEHTRIS EDR Alert, SolarWinds Suspicious File Creation, PsExec Process"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, XCopy Suspicious Usage, Adexplorer Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious PowerShell Invocations - Specific, PowerShell Downgrade Attack, Suspicious Taskkill Command, PowerShell EncodedCommand, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Powershell Web Request, Bloodhound and Sharphound Tools Usage, PowerShell Download From URL, Default Encoding To UTF-8 PowerShell, PowerShell Malicious Nishang PowerShell Commandlets, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Phorpiex DriveMgr Command, Koadic Execution, WMIC Uninstall Product, Lazarus Loaders, MalwareBytes Uninstallation, Elise Backdoor"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh RDP Port Opening, Netsh Allow Command, Netsh Port Opening, Netsh RDP Port Forwarding, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Windows Firewall Changes, Netsh Allowed Python Program"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Wmic Service Call, Wmic Process Call Creation, WMIC Uninstall Product, XSL Script Processing And SquiblyTwo Attack, Blue Mockingbird Malware"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, Microsoft Office Creating Suspicious File, Koadic Execution, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Koadic Execution, Suspicious Windows Script Execution"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Blue Mockingbird Malware"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, PsExec Process"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious certutil command, Suspicious Mshta Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Inhibit System Recovery Deleting Backups, Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username, Suncrypt Parameters"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32, Equation Group DLL_U Load, Empire Monkey Activity, Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Control Process, CertOC Loading Dll, Suspicious Taskkill Command, Suspicious Windows Installer Execution, Mshta JavaScript Execution, PowerShell Execution Via Rundll32, Suspicious Rundll32.exe Execution, AccCheckConsole Executing Dll, Control Panel Items, Empire Monkey Activity, Suspicious Mshta Execution, Suspicious DLL Loading By Ordinal, MavInject Process Injection, xWizard Execution, CMSTP Execution, Equation Group DLL_U Load, Explorer Process Executing HTA File"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Suspicious Mshta Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage, NlTest Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Ngrok Process Execution, Exfiltration And Tunneling Tools Execution, SOCKS Tunneling Tool, Netsh Port Forwarding"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write, New DLL Added To AppCertDlls Registry Key, Control Panel Items, Suspicious Netsh DLL Persistence, Change Default File Association"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, OneNote Embedded File"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1, Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}]} \ No newline at end of file +{"name": "SEKOIA.IO x TEHTRIS EDR", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Suspicious desktop.ini Action, Kernel Module Alteration"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, System Info Discovery, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration, Add User to Privileged Group"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, High Privileges Network Share Removal, Erase Shell History, ETW Tampering, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, WiFi Credentials Harvesting Using Netsh, Capture a network trace with netsh.exe, Network Sniffing Windows"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Adexplorer Usage, Container Credential Access, Outlook Registry Access, Opening Of a Password File"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Using Registry, WMIC Uninstall Product, Address Space Layout Randomization (ASLR) Alteration, Suspicious Microsoft Defender Antivirus Exclusion Command, Debugging Software Deactivation, Fail2ban Unban IP, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh RDP Port Forwarding, Disabled IE Security Features, Netsh Port Forwarding, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh Port Opening, Microsoft Defender Antivirus Disable Scheduled Tasks, MalwareBytes Uninstallation, Microsoft Defender Antivirus Restoration Abuse, Package Manager Alteration, Raccine Uninstall, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Disable Using Registry, WMIC Uninstall Product, Netsh Allow Command, Address Space Layout Randomization (ASLR) Alteration, Suspicious Microsoft Defender Antivirus Exclusion Command, Debugging Software Deactivation, Windows Firewall Changes, Fail2ban Unban IP, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh RDP Port Forwarding, ETW Tampering, Disabled IE Security Features, Netsh Port Forwarding, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh Port Opening, Microsoft Defender Antivirus Disable Scheduled Tasks, MalwareBytes Uninstallation, Microsoft Defender Antivirus Restoration Abuse, NetSh Used To Disable Windows Firewall, Package Manager Alteration, Netsh Allowed Python Program, Raccine Uninstall, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Comsvcs, WCE wceaux.dll Creation, NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data, Rubeus Tool Command-line, Process Memory Dump Using Rdrleakdiag, HackTools Suspicious Process Names In Command Line, Process Trace Alteration, Cmdkey Cached Credentials Recon, Copying Browser Files With Credentials, NTDS.dit File In Suspicious Directory, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution, Koadic MSHTML Command, SEKOIA.IO Intelligence Feed, Detect requests to Konni C2 servers"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Suspicious Double Extension"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, Net.exe User Account Creation"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Download Files From Suspicious TLDs, Microsoft Office Creating Suspicious File, TEHTRIS EDR Alert, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Exfiltration And Tunneling Tools Execution, Python HTTP Server, Detect requests to Konni C2 servers"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, AutoIt3 Execution From Suspicious Folder, Possible Malicious File Double Extension, RTLO Character, Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious certutil command, Rclone Process, Suspicious URI Used In A Lazarus Campaign, Suspicious Finger Usage, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, Exchange Server Creating Unusual Files, ProxyShell Exchange Suspicious Paths, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: IIS Module Installation Using AppCmd, PowerCat Function Loading, ProxyShell Exchange Suspicious Paths, Exchange Server Creating Unusual Files, Webshell Creation"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: WMIC Uninstall Product, Microsoft Office Creating Suspicious File, Suspicious Microsoft Defender Antivirus Exclusion Command, TEHTRIS EDR Alert, Suspicious VBS Execution Parameter, Suspicious Taskkill Command, Powershell Web Request, AutoIt3 Execution From Suspicious Folder, PowerShell Download From URL, PowerShell Malicious Nishang PowerShell Commandlets, Default Encoding To UTF-8 PowerShell, Lazarus Loaders, PowerShell EncodedCommand, Microsoft Defender Antivirus Disabled Base64 Encoded, XSL Script Processing And SquiblyTwo Attack, Sysprep On AppData Folder, Koadic Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), Elise Backdoor, Phorpiex DriveMgr Command, Suspicious PowerShell Invocations - Specific, DNS Exfiltration and Tunneling Tools Execution, Suspicious Windows Script Execution, PowerShell Downgrade Attack, MalwareBytes Uninstallation, Bloodhound and Sharphound Tools Usage, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, SolarWinds Suspicious File Creation, Usage Of Procdump With Common Arguments, TEHTRIS EDR Alert"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, XCopy Suspicious Usage, Opening Of a Password File"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious PowerShell Invocations - Specific, DNS Exfiltration and Tunneling Tools Execution, PowerShell Downgrade Attack, PowerShell Download From URL, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious PrinterPorts Creation (CVE-2020-1048), Default Encoding To UTF-8 PowerShell, Suspicious Microsoft Defender Antivirus Exclusion Command, Bloodhound and Sharphound Tools Usage, Suspicious Taskkill Command, PowerShell EncodedCommand, Powershell Web Request, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, WMIC Uninstall Product, Koadic Execution, MalwareBytes Uninstallation, Elise Backdoor, Suspicious Taskkill Command, Lazarus Loaders"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Windows Firewall Changes, Netsh Port Opening, Netsh RDP Port Forwarding, Netsh Allow Command, NetSh Used To Disable Windows Firewall, Netsh Port Forwarding, Netsh Allowed Python Program, Netsh RDP Port Opening"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Wmic Process Call Creation, WMIC Uninstall Product, Wmic Service Call, WMI Install Of Binary, Blue Mockingbird Malware"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Koadic Execution, Microsoft Office Creating Suspicious File, Suspicious VBS Execution Parameter"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Koadic Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious certutil command, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Mshta Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups, Suncrypt Parameters"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username, Suncrypt Parameters"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Empire Monkey Activity, PowerShell Execution Via Rundll32, Equation Group DLL_U Load, Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Control Process, Empire Monkey Activity, Explorer Process Executing HTA File, PowerShell Execution Via Rundll32, AccCheckConsole Executing Dll, Suspicious Windows Installer Execution, Mshta JavaScript Execution, Equation Group DLL_U Load, Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution, xWizard Execution, MavInject Process Injection, Suspicious Taskkill Command, CertOC Loading Dll, CMSTP Execution, Suspicious Mshta Execution, Control Panel Items"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Suspicious Taskkill Command, Explorer Process Executing HTA File, Suspicious Mshta Execution"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, NlTest Usage, AdFind Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution, Ngrok Process Execution"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write, Change Default File Association, Suspicious Netsh DLL Persistence, New DLL Added To AppCertDlls Registry Key, Control Panel Items"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain In Command Line, Rclone Process"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, PowerShell EncodedCommand"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Formbook File Creation DB1"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_903ec1b8-f206-4ba5-8563-db21da09cafd_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_903ec1b8-f206-4ba5-8563-db21da09cafd_do_not_edit_manually.json index 79d9a502a4..80a455922b 100644 --- a/_shared_content/operations_center/detection/generated/attack_903ec1b8-f206-4ba5-8563-db21da09cafd_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_903ec1b8-f206-4ba5-8563-db21da09cafd_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Palo Alto NGFW", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Palo Alto NGFW", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, WCE wceaux.dll Creation"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_9281438c-f7c3-4001-9bcc-45fd108ba1be_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_9281438c-f7c3-4001-9bcc-45fd108ba1be_do_not_edit_manually.json index c181683275..74af2573d6 100644 --- a/_shared_content/operations_center/detection/generated/attack_9281438c-f7c3-4001-9bcc-45fd108ba1be_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_9281438c-f7c3-4001-9bcc-45fd108ba1be_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Windows", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Ryuk Ransomware Persistence Registry Key, Security Support Provider (SSP) Added to LSA Configuration, Kernel Module Alteration, Registry Key Used By Some Old Agent Tesla Samples, Leviathan Registry Key Activity, Autorun Keys Modification, NjRat Registry Changes, Malware Persistence Registry Key, Powershell Winlogon Helper DLL, RUN Registry Key Created From Suspicious Folder, Narrator Feedback-Hub Persistence, DLL Load via LSASS Registry Key, Suspicious desktop.ini Action"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies, System Info Discovery"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Mimikatz Basic Commands, Password Change On Directory Service Restore Mode (DSRM) Account, Active Directory User Backdoors, User Added to Local Administrators, Add User to Privileged Group, Privileged AD Builtin Group Modified, Active Directory Replication User Backdoor, Active Directory Delegate To KRBTGT Service, SeEnableDelagationPrivilege Granted To User Or Machine In Active Directory"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: High Privileges Network Share Removal, ETW Tampering, Secure Deletion With SDelete, Eventlog Cleared, Erase Shell History, Microsoft Defender Antivirus History Deleted, Microsoft Defender Antivirus History Directory Deleted, Microsoft Defender Antivirus Tampering Detected, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows, Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Opening Of a Password File, Remote Registry Management Using Reg Utility, Adexplorer Usage, Outlook Registry Access, Container Credential Access, XCopy Suspicious Usage"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, DNS ServerLevelPluginDll Installation, Exploiting SetupComplete.cmd CVE-2019-1378, Werfault DLL Injection, Hijack Legit RDP Session To Move Laterally, DHCP Server Error Failed Loading the CallOut DLL, Suspicious DLL side loading from ProgramData, DHCP Server Loaded the CallOut DLL, DHCP Callout DLL Installation, DNS Server Error Failed Loading The ServerLevelPluginDLL, Svchost DLL Search Order Hijack, Windows Registry Persistence COM Search Order Hijacking"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Raccine Uninstall, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Exclusion Configuration, Microsoft Defender Antivirus Disable SecurityHealth, WMIC Uninstall Product, Windows Defender Deactivation Using PowerShell Script, Debugging Software Deactivation, Netsh RDP Port Opening, Disabled IE Security Features, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh RDP Port Forwarding, Netsh Port Forwarding, Microsoft Defender Antivirus Configuration Changed, MalwareBytes Uninstallation, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disable Scheduled Tasks, Disable Windows Defender Credential Guard, Suspicious Driver Loaded, Netsh Program Allowed With Suspicious Location, Microsoft Defender Antivirus Disable Services, Ryuk Ransomware Command Line, NetNTLM Downgrade Attack, TrustedInstaller Impersonation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Fail2ban Unban IP, Microsoft Malware Protection Engine Crash, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Port Opening, Suspicious PROCEXP152.sys File Created In Tmp, Microsoft Defender Antivirus Signatures Removed With MpCmdRun"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Raccine Uninstall, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Exclusion Configuration, Microsoft Defender Antivirus Disable SecurityHealth, Disable .NET ETW Through COMPlus_ETWEnabled, WMIC Uninstall Product, Windows Defender Deactivation Using PowerShell Script, NetSh Used To Disable Windows Firewall, Suspect Svchost Memory Access, Debugging Software Deactivation, Windows Firewall Changes, Clear EventLogs Through CommandLine, ETW Tampering, Netsh RDP Port Opening, Netsh Allow Command, Disabled IE Security Features, Suspicious Microsoft Defender Antivirus Exclusion Command, Powershell AMSI Bypass, Netsh RDP Port Forwarding, Netsh Port Forwarding, Microsoft Defender Antivirus Configuration Changed, MalwareBytes Uninstallation, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disable Scheduled Tasks, Python Opening Ports, Disable Windows Defender Credential Guard, Suspicious Driver Loaded, Netsh Program Allowed With Suspicious Location, Microsoft Defender Antivirus Disable Services, Microsoft Defender Antivirus Tampering Detected, Ryuk Ransomware Command Line, NetNTLM Downgrade Attack, TrustedInstaller Impersonation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Fail2ban Unban IP, Microsoft Malware Protection Engine Crash, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disable Security Events Logging Adding Reg Key MiniNt, Netsh Port Opening, Suspicious PROCEXP152.sys File Created In Tmp, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Allowed Python Program"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Cobalt Strike Named Pipes, Explorer Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, Taskhost Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection, Wsmprovhost Wrong Parent, Searchindexer Wrong Parent, Taskhostw Wrong Parent, Process Hollowing Detection, Dynwrapx Module Loading, CreateRemoteThread Common Process Injection, Wmiprvse Wrong Parent, Spoolsv Wrong Parent, Malicious Named Pipe, Process Herpaderping, Svchost Wrong Parent, Smss Wrong Parent, Searchprotocolhost Wrong Parent"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 1, Network Scanning and Discovery, PowerView commandlets 2"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Credential Dumping-Tools Common Named Pipes, Cmdkey Cached Credentials Recon, Impacket Secretsdump.py Tool, Active Directory Replication from Non Machine Account, Password Dumper Activity On LSASS, RedMimicry Winnti Playbook Dropped File, Process Trace Alteration, SAM Registry Hive Handle Request, Lsass Access Through WinRM, WCE wceaux.dll Creation, Process Memory Dump Using Rdrleakdiag, Mimikatz LSASS Memory Access, Mimikatz Basic Commands, NTDS.dit File In Suspicious Directory, Unsigned Image Loaded Into LSASS Process, NTDS.dit File Interaction Through Command Line, Wdigest Enable UseLogonCredential, Cred Dump Tools Dropped Files, DPAPI Domain Backup Key Extraction, Rubeus Tool Command-line, Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials, Windows Credential Editor Registry Key, Credential Dumping Tools Service Execution, Suspicious SAM Dump, Process Memory Dump Using Createdump, Dumpert LSASS Process Dumper, HackTools Suspicious Names, NetNTLM Downgrade Attack, Copying Sensitive Files With Credential Data, HackTools Suspicious Process Names In Command Line, Load Of dbghelp/dbgcore DLL From Suspicious Process, Process Memory Dump Using Comsvcs, LSASS Memory Dump, Transfering Files With Credential Data Via Network Shares, Malicious Service Installations, DCSync Attack, Credential Dumping By LaZagne, Active Directory Database Dump Via Ntdsutil, LSASS Access From Non System Account, LSASS Memory Dump File Creation"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, DNS Tunnel Technique From MuddyWater, Exfiltration And Tunneling Tools Execution, Potential Lemon Duck User-Agent, Chafer (APT 39) Activity, Potential Bazar Loader User-Agents, Covenant Default HTTP Beaconing, Nimbo-C2 User Agent, Koadic MSHTML Command, Suspicious Windows DNS Queries, Suspicious LDAP-Attributes Used, Bazar Loader DGA (Domain Generation Algorithm), Detect requests to Konni C2 servers, Sliver DNS Beaconing, TrevorC2 HTTP Communication, Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious HWP Child Process, Download Files From Non-Legitimate TLDs, Possible Malicious File Double Extension, Suspicious Outlook Child Process, Suspicious Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, Suspicious DNS Child Process, Exploited CVE-2020-10189 Zoho ManageEngine, CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-0688 Microsoft Exchange Server Exploit, Failed Logon Source From Public IP Addresses, GitLab CVE-2021-22205, CVE-2020-17530 Apache Struts RCE"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, Suspicious Windows ANONYMOUS LOGON Local Account Created, Net.exe User Account Creation, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Covenant Default HTTP Beaconing, Nimbo-C2 User Agent, Koadic MSHTML Command, Suspicious Windows DNS Queries, Detect requests to Konni C2 servers, Python HTTP Server, TrevorC2 HTTP Communication"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, Chafer (APT 39) Activity, Bazar Loader DGA (Domain Generation Algorithm), Sliver DNS Beaconing, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Exploit For CVE-2015-1641, Suspicious HWP Child Process, Antivirus Password Dumper Detection, Download Files From Non-Legitimate TLDs, Audit CVE Event, Antivirus Relevant File Paths Alerts, Antivirus Exploitation Framework Detection, Suspicious New Printer Ports In Registry, Msdt (Follina) File Browse Process Execution, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Exploit For CVE-2015-1641, Suspicious Outlook Child Process, SquirrelWaffle Malspam Execution Loading DLL, Winword Document Droppers, HarfangLab EDR Low Level Rule Detection, Suspicious DLL Loaded Via Office Applications, HarfangLab EDR Medium Level Rule Detection, Download Files From Suspicious TLDs, MS Office Product Spawning Exe in User Dir, Microsoft Office Product Spawning Windows Shell, HarfangLab EDR Hlai Engine Detection, Microsoft Defender Antivirus Threat Detected, Malspam Execution Registering Malicious DLL, HarfangLab EDR High Level Rule Detection, Explorer Process Executing HTA File, IcedID Execution Using Excel, HarfangLab EDR Suspicious Process Behavior Has Been Detected, HarfangLab EDR Process Execution Blocked, Download Files From Non-Legitimate TLDs, Microsoft Office Creating Suspicious File, Microsoft Office Spawning Script, HarfangLab EDR Critical Level Rule Detection, Sysmon Windows File Block Executable, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Exploit For CVE-2015-1641, SquirrelWaffle Malspam Execution Loading DLL, Winword Document Droppers, HarfangLab EDR Low Level Rule Detection, Suspicious DLL Loaded Via Office Applications, HarfangLab EDR Medium Level Rule Detection, Download Files From Suspicious TLDs, MS Office Product Spawning Exe in User Dir, Microsoft Office Product Spawning Windows Shell, HarfangLab EDR Hlai Engine Detection, Malspam Execution Registering Malicious DLL, HarfangLab EDR High Level Rule Detection, Explorer Process Executing HTA File, IcedID Execution Using Excel, HarfangLab EDR Suspicious Process Behavior Has Been Detected, HarfangLab EDR Process Execution Blocked, Download Files From Non-Legitimate TLDs, Microsoft Office Creating Suspicious File, Microsoft Office Spawning Script, HarfangLab EDR Critical Level Rule Detection, Sysmon Windows File Block Executable, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, Suspicious TOR Gateway, Suspicious Hostname"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Powershell UploadString Function, TUN/TAP Driver Installation, Exfiltration Domain In Command Line, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel, Ngrok Process Execution, Exfiltration And Tunneling Tools Execution, Venom Multi-hop Proxy agent detection, SOCKS Tunneling Tool, Netsh Port Forwarding"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Exploit For CVE-2017-0261 Or CVE-2017-0262, Explorer Wrong Parent, Formbook Hijacked Process Command, Execution From Suspicious Folder, RTLO Character, Phorpiex Process Masquerading, AutoIt3 Execution From Suspicious Folder, Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line, Legitimate Process Execution From Unusual Folder, Possible Malicious File Double Extension, New Or Renamed User Account With '$' In Attribute 'SamAccountName', Copy Of Legitimate System32 Executable, Non-Legitimate Executable Using AcceptEula Parameter"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution, Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command, Rclone Process, Suspicious Finger Usage, Suspicious URI Used In A Lazarus Campaign, Pandemic Windows Implant, Network Connection Via Certutil"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), Possible RottenPotato Attack"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Antivirus Web Shell Detection, Webshell Creation, Exchange Server Spawning Suspicious Processes, ProxyShell Exchange Suspicious Paths, Webshell Execution W3WP Process, Exchange Server Creating Unusual Files, PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Antivirus Web Shell Detection, Webshell Creation, Exchange Server Spawning Suspicious Processes, ProxyShell Exchange Suspicious Paths, Webshell Execution W3WP Process, IIS Module Installation Using AppCmd, Exchange Server Creating Unusual Files, PowerCat Function Loading"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: User Couldn't Call A Privileged Service LsaRegisterLogonProcess, Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: User Couldn't Call A Privileged Service LsaRegisterLogonProcess, Rubeus Tool Command-line, Possible Replay Attack, Rubeus Register New Logon Process, Suspicious Outbound Kerberos Connection"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host, Successful Overpass The Hash Attempt, Abusing Azure Browser SSO, Rubeus Tool Command-line"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious Taskkill Command, Exploited CVE-2020-10189 Zoho ManageEngine, Phorpiex DriveMgr Command, Koadic Execution, Suspicious Cmd.exe Command Line, WMIC Uninstall Product, Lazarus Loaders, Malspam Execution Registering Malicious DLL, MalwareBytes Uninstallation, Mustang Panda Dropper, SquirrelWaffle Malspam Execution Loading DLL, Elise Backdoor"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: PowerShell - NTFS Alternate Data Stream, Suspicious Taskkill Command, In-memory PowerShell, WMIC Uninstall Product, Bloodhound and Sharphound Tools Usage, PowerShell Download From URL, Suspicious PowerShell Keywords, QakBot Process Creation, Suspicious Outlook Child Process, SquirrelWaffle Malspam Execution Loading DLL, WMI DLL Loaded Via Office, Trickbot Malware Activity, Exploiting SetupComplete.cmd CVE-2019-1378, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, Suspicious VBS Execution Parameter, Suspicious DLL Loaded Via Office Applications, PowerShell EncodedCommand, Suspicious Microsoft Defender Antivirus Exclusion Command, Phorpiex DriveMgr Command, Powershell Web Request, FromBase64String Command Line, Lazarus Loaders, Turla Named Pipes, MalwareBytes Uninstallation, Mshta Suspicious Child Process, Detection of default Mimikatz banner, Elise Backdoor, Suspicious XOR Encoded PowerShell Command Line, Sysprep On AppData Folder, PowerShell Credential Prompt, Venom Multi-hop Proxy agent detection, PowerShell Malicious PowerShell Commandlets, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious Windows Script Execution, Koadic Execution, AutoIt3 Execution From Suspicious Folder, XSL Script Processing And SquiblyTwo Attack, Microsoft Defender Antivirus Threat Detected, Malspam Execution Registering Malicious DLL, Suspicious Cmd.exe Command Line, Invoke-TheHash Commandlets, DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Invocations - Generic, Malicious PowerShell Keywords, Suspicious PowerShell Invocations - Specific, PowerShell Downgrade Attack, PowerShell Invoke Expression With Registry, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Office Creating Suspicious File, Microsoft Office Spawning Script, Mustang Panda Dropper, Suspicious Scripting In A WMI Consumer, PowerShell Malicious Nishang PowerShell Commandlets, Default Encoding To UTF-8 PowerShell, WMImplant Hack Tool, Suspicious PrinterPorts Creation (CVE-2020-1048), Alternate PowerShell Hosts Pipe"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, Suspicious DLL Loaded Via Office Applications, Microsoft Office Creating Suspicious File, Microsoft Office Spawning Script, Suspicious Windows Script Execution, Koadic Execution, XSL Script Processing And SquiblyTwo Attack, Malspam Execution Registering Malicious DLL, QakBot Process Creation, SquirrelWaffle Malspam Execution Loading DLL, WMI DLL Loaded Via Office"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: IcedID Execution Using Excel, PowerShell Execution Via Rundll32, Equation Group DLL_U Load, Malspam Execution Registering Malicious DLL, Empire Monkey Activity, Suspicious DLL Loading By Ordinal, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Suspicious Windows Installer Execution, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Desktopimgdownldr Execution, Suspicious Regsvr32 Execution, PowerShell Execution Via Rundll32, Control Panel Items, MavInject Process Injection, Mshta JavaScript Execution, xWizard Execution, MOFComp Execution, AccCheckConsole Executing Dll, Malspam Execution Registering Malicious DLL, Empire Monkey Activity, Suspicious DLL Loading By Ordinal, CMSTP UAC Bypass via COM Object Access, CMSTP Execution, Suspicious Rundll32.exe Execution, Dynwrapx Module Loading, Explorer Process Executing HTA File, IcedID Execution Using Excel, Suspicious Control Process, CertOC Loading Dll, Suspicious Mshta Execution, Equation Group DLL_U Load"}, {"techniqueID": "T1003.006", "score": 100, "comment": "Rules: Credential Dumping Tools Service Execution, DCSync Attack, Active Directory Replication from Non Machine Account"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dumping-Tools Common Named Pipes, Cred Dump Tools Dropped Files, Impacket Secretsdump.py Tool, RedMimicry Winnti Playbook Dropped File, Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials, Credential Dumping Tools Service Execution, Suspicious SAM Dump, Copying Sensitive Files With Credential Data, SAM Registry Hive Handle Request"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, XCopy Suspicious Usage, Adexplorer Usage"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh RDP Port Opening, Netsh Allow Command, Python Opening Ports, Powershell AMSI Bypass, Netsh Program Allowed With Suspicious Location, Netsh Port Opening, Netsh RDP Port Forwarding, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Windows Firewall Changes, Netsh Allowed Python Program"}, {"techniqueID": "T1210", "score": 100, "comment": "Rules: CVE-2019-0708 Scan, Registry Checked For Lanmanserver DisableCompression Parameter, Audit CVE Event"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious New Printer Ports In Registry, Certify Or Certipy, Audit CVE Event"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Winlogon wrong parent, Dllhost Wrong Parent, Csrss Wrong Parent, Winword wrong parent, Rare Lsass Child Found, APT29 Fake Google Update Service Install, Csrss Child Found, Gpscript Suspicious Parent, Searchprotocolhost Child Found, StoneDrill Service Install, Explorer Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Taskhost Wrong Parent, Rare Logonui Child Found, Wsmprovhost Wrong Parent, Lsass Wrong Parent, Logonui Wrong Parent, Cobalt Strike Default Service Creation Usage, WMI Persistence Command Line Event Consumer, Chafer (APT 39) Activity, SolarWinds Wrong Child Process, Searchindexer Wrong Parent, Userinit Wrong Parent, New Service Creation, Wininit Wrong Parent, Taskhostw Wrong Parent, Wmiprvse Wrong Parent, Spoolsv Wrong Parent, Winrshost Wrong Parent, Malicious Service Installations, Svchost Wrong Parent, Smss Wrong Parent, Suspicious Commands From MS SQL Server Shell, Searchprotocolhost Wrong Parent, OneNote Suspicious Children Process"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Winlogon wrong parent, Dllhost Wrong Parent, Csrss Wrong Parent, Winword wrong parent, Rare Lsass Child Found, APT29 Fake Google Update Service Install, Csrss Child Found, Gpscript Suspicious Parent, Searchprotocolhost Child Found, StoneDrill Service Install, Explorer Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Taskhost Wrong Parent, Rare Logonui Child Found, Wsmprovhost Wrong Parent, Lsass Wrong Parent, Logonui Wrong Parent, Cobalt Strike Default Service Creation Usage, WMI Persistence Command Line Event Consumer, Chafer (APT 39) Activity, SolarWinds Wrong Child Process, Searchindexer Wrong Parent, Userinit Wrong Parent, New Service Creation, Wininit Wrong Parent, Taskhostw Wrong Parent, Wmiprvse Wrong Parent, Spoolsv Wrong Parent, Winrshost Wrong Parent, Malicious Service Installations, Svchost Wrong Parent, Smss Wrong Parent, Suspicious Commands From MS SQL Server Shell, Searchprotocolhost Wrong Parent, OneNote Suspicious Children Process"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Winlogon wrong parent, Dllhost Wrong Parent, Csrss Wrong Parent, Winword wrong parent, Smbexec.py Service Installation, Rare Lsass Child Found, Csrss Child Found, Gpscript Suspicious Parent, Searchprotocolhost Child Found, Metasploit PSExec Service Creation, Usage Of Sysinternals Tools, Taskhost or Taskhostw Suspicious Child Found, Taskhost Wrong Parent, Rare Logonui Child Found, Wsmprovhost Wrong Parent, Lsass Wrong Parent, Logonui Wrong Parent, WMI Persistence Command Line Event Consumer, SolarWinds Wrong Child Process, Suspicious DNS Child Process, Searchindexer Wrong Parent, Userinit Wrong Parent, Wininit Wrong Parent, Credential Dumping Tools Service Execution, Taskhostw Wrong Parent, PsExec Process, Wmiprvse Wrong Parent, Usage Of Procdump With Common Arguments, Spoolsv Wrong Parent, Winrshost Wrong Parent, Suspicious PsExec Execution, Malicious Service Installations, Svchost Wrong Parent, Smss Wrong Parent, Suspicious Commands From MS SQL Server Shell, Searchprotocolhost Wrong Parent, OneNote Suspicious Children Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Winlogon wrong parent, Dllhost Wrong Parent, Csrss Wrong Parent, Winword wrong parent, Smbexec.py Service Installation, Rare Lsass Child Found, Csrss Child Found, Gpscript Suspicious Parent, Searchprotocolhost Child Found, Windows Update LolBins, Metasploit PSExec Service Creation, Usage Of Sysinternals Tools, Taskhost or Taskhostw Suspicious Child Found, Taskhost Wrong Parent, Rare Logonui Child Found, Wsmprovhost Wrong Parent, Lsass Wrong Parent, Logonui Wrong Parent, WMI Persistence Command Line Event Consumer, SolarWinds Wrong Child Process, Suspicious DNS Child Process, Searchindexer Wrong Parent, Userinit Wrong Parent, Wininit Wrong Parent, Credential Dumping Tools Service Execution, Taskhostw Wrong Parent, Microsoft Defender Antivirus Threat Detected, SolarWinds Suspicious File Creation, PsExec Process, Wmiprvse Wrong Parent, Usage Of Procdump With Common Arguments, Spoolsv Wrong Parent, Winrshost Wrong Parent, Suspicious PsExec Execution, Malicious Service Installations, Svchost Wrong Parent, Smss Wrong Parent, Suspicious Commands From MS SQL Server Shell, Searchprotocolhost Wrong Parent, OneNote Suspicious Children Process"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool, Suspicious LDAP-Attributes Used"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool, Suspicious LDAP-Attributes Used"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dumping-Tools Common Named Pipes, Unsigned Image Loaded Into LSASS Process, LSASS Memory Dump, Cred Dump Tools Dropped Files, Process Memory Dump Using Rdrleakdiag, Password Dumper Activity On LSASS, Mimikatz LSASS Memory Access, Load Of dbghelp/dbgcore DLL From Suspicious Process, Credential Dumping Tools Service Execution, Windows Credential Editor Registry Key, Process Memory Dump Using Createdump, Dumpert LSASS Process Dumper, Credential Dumping By LaZagne, LSASS Access From Non System Account, LSASS Memory Dump File Creation, Lsass Access Through WinRM"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Microsoft Office Startup Add-In, Office Application Startup Office Test"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell - NTFS Alternate Data Stream, Suspicious Taskkill Command, In-memory PowerShell, Bloodhound and Sharphound Tools Usage, PowerShell Download From URL, Suspicious PowerShell Keywords, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, PowerShell EncodedCommand, Suspicious Microsoft Defender Antivirus Exclusion Command, Powershell Web Request, FromBase64String Command Line, Turla Named Pipes, Mshta Suspicious Child Process, Detection of default Mimikatz banner, Suspicious XOR Encoded PowerShell Command Line, PowerShell Credential Prompt, PowerShell Malicious PowerShell Commandlets, Exploited CVE-2020-10189 Zoho ManageEngine, Invoke-TheHash Commandlets, DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Invocations - Generic, Malicious PowerShell Keywords, Suspicious PowerShell Invocations - Specific, PowerShell Downgrade Attack, PowerShell Invoke Expression With Registry, Microsoft Defender Antivirus Disabled Base64 Encoded, Default Encoding To UTF-8 PowerShell, PowerShell Malicious Nishang PowerShell Commandlets, WMImplant Hack Tool, Suspicious PrinterPorts Creation (CVE-2020-1048), Alternate PowerShell Hosts Pipe"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Secure Deletion With SDelete"}, {"techniqueID": "T1027.005", "score": 100, "comment": "Rules: Secure Deletion With SDelete"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: Secure Deletion With SDelete, OneNote Embedded File, PowerShell EncodedCommand, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, Suspicious XOR Encoded PowerShell Command Line"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Backup Catalog Deleted, Secure Deletion With SDelete, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: PowerShell - NTFS Alternate Data Stream, Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Remote Privileged Group Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: PowerView commandlets 1, AD User Enumeration, AD Privileged Users Or Groups Reconnaissance, Phosphorus (APT35) Exchange Discovery, Bloodhound and Sharphound Tools Usage, Remote Privileged Group Enumeration, PowerView commandlets 2"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line, Cred Dump Tools Dropped Files, Impacket Secretsdump.py Tool, Active Directory Database Dump Via Ntdsutil, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1021.002", "score": 100, "comment": "Rules: Cobalt Strike Default Service Creation Usage, Remote Service Activity Via SVCCTL Named Pipe, Lateral Movement - Remote Named Pipe, Smbexec.py Service Installation, Protected Storage Service Access, Admin Share Access"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: Cobalt Strike Default Service Creation Usage, MMC20 Lateral Movement, Remote Service Activity Via SVCCTL Named Pipe, Lateral Movement - Remote Named Pipe, Smbexec.py Service Installation, RDP Login From Localhost, MMC Spawning Windows Shell, Denied Access To Remote Desktop, RDP Port Change Using Powershell, Protected Storage Service Access, Admin Share Access, Lsass Access Through WinRM"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host, Successful Overpass The Hash Attempt"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Blue Mockingbird Malware, WMI Install Of Binary, Wmic Service Call, Wmic Process Call Creation, Impacket Wmiexec Module, WMIC Uninstall Product, XSL Script Processing And SquiblyTwo Attack, Suspicious Mshta Execution From Wmi, WMImplant Hack Tool, Invoke-TheHash Commandlets, WMI DLL Loaded Via Office"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Antivirus Relevant File Paths Alerts, Antivirus Exploitation Framework Detection, Remote Monitoring and Management Software - AnyDesk, Antivirus Password Dumper Detection"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, Werfault DLL Injection, DHCP Server Error Failed Loading the CallOut DLL, Suspicious DLL side loading from ProgramData, DHCP Server Loaded the CallOut DLL, DHCP Callout DLL Installation, DNS Server Error Failed Loading The ServerLevelPluginDLL, Svchost DLL Search Order Hijack"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: WMIC Loading Scripting Libraries, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Koadic Execution, Suspicious Windows Script Execution"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line, RDP Port Change Using Powershell"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution, DNS ServerLevelPluginDll Installation, Ursnif Registry Key, RedMimicry Winnti Playbook Registry Manipulation, FlowCloud Malware, Chafer (APT 39) Activity, Remote Registry Management Using Reg Utility, Wdigest Enable UseLogonCredential, Disable Workstation Lock, Disable .NET ETW Through COMPlus_ETWEnabled, Disable Security Events Logging Adding Reg Key MiniNt, OceanLotus Registry Activity, RDP Port Change Using Powershell, Suspicious New Printer Ports In Registry, DHCP Callout DLL Installation, NetNTLM Downgrade Attack, Blue Mockingbird Malware, RDP Sensitive Settings Changed"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: Dynwrapx Module Loading, CreateRemoteThread Common Process Injection, MavInject Process Injection"}, {"techniqueID": "T1055.012", "score": 100, "comment": "Rules: Process Hollowing Detection"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Tampering - Suspicious Failed Logon Reasons, User Added to Local Administrators, Denied Access To Remote Desktop, Account Removed From A Security Enabled Group, Admin User RDP Remote Logon, Failed Logon Source From Public IP Addresses"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Exploit For CVE-2017-0261 Or CVE-2017-0262, Explorer Wrong Parent, Phorpiex Process Masquerading, Legitimate Process Execution From Unusual Folder, Formbook Hijacked Process Command"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: Suspicious Scripting In A WMI Consumer, WMI Event Subscription, WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write, Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys, New DLL Added To AppCertDlls Registry Key, Control Panel Items, WMI Event Subscription, Suspicious Scripting In A WMI Consumer, Suspicious Netsh DLL Persistence, Sticky Key Like Backdoor Usage, Change Default File Association"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, Microsoft Defender Antivirus History Deleted, Eventlog Cleared"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Chafer (APT 39) Activity, STRRAT Scheduled Task, Schtasks Suspicious Parent, Schtasks Persistence With High Privileges, Suspicious Scheduled Task Creation, BazarLoader Persistence Using Schtasks, Creation or Modification of a GPO Scheduled Task, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Remote Task Creation Via ATSVC Named Pipe, Chafer (APT 39) Activity, STRRAT Scheduled Task, Schtasks Suspicious Parent, Schtasks Persistence With High Privileges, Suspicious Scheduled Task Creation, BazarLoader Persistence Using Schtasks, Creation or Modification of a GPO Scheduled Task, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Ryuk Ransomware Persistence Registry Key, Registry Key Used By Some Old Agent Tesla Samples, Leviathan Registry Key Activity, Autorun Keys Modification, Malware Persistence Registry Key, RUN Registry Key Created From Suspicious Folder, Narrator Feedback-Hub Persistence"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dumping-Tools Common Named Pipes, Cred Dump Tools Dropped Files, DPAPI Domain Backup Key Extraction, Impacket Secretsdump.py Tool, Grabbing Sensitive Hives Via Reg Utility, Credential Dumping Tools Service Execution"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dumping-Tools Common Named Pipes, Cmdkey Cached Credentials Recon, Cred Dump Tools Dropped Files, Grabbing Sensitive Hives Via Reg Utility, Credential Dumping Tools Service Execution"}, {"techniqueID": "T1557.001", "score": 100, "comment": "Rules: Possible RottenPotato Attack"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation, Possible RottenPotato Attack"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: Suspicious Access To Sensitive File Extensions"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 1, SCM Database Handle Failure, PowerView commandlets 2, SCM Database Privileged Operation"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Remote Task Creation Via ATSVC Named Pipe, Blue Mockingbird Malware"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper, UAC Bypass via Event Viewer"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper, UAC Bypass via Event Viewer"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious certutil command, FromBase64String Command Line, Suspicious Mshta Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious XOR Encoded PowerShell Command Line"}, {"techniqueID": "T1087.003", "score": 100, "comment": "Rules: Phosphorus (APT35) Exchange Discovery"}, {"techniqueID": "T1547.008", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1091", "score": 100, "comment": "Rules: External Disk Drive Or USB Storage Device"}, {"techniqueID": "T1200", "score": 100, "comment": "Rules: External Disk Drive Or USB Storage Device"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Putty Sessions Listing, SysKey Registry Keys Access, Remote Registry Management Using Reg Utility, Suspicious Taskkill Command"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Inhibit System Recovery Deleting Backups, Suncrypt Parameters, Stop Backup Services, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, AD Object WriteDAC Access, ICacls Granting Access To All"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username, Suncrypt Parameters"}, {"techniqueID": "T1484.001", "score": 100, "comment": "Rules: GPO Executable Delivery, Creation or Modification of a GPO Scheduled Task"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Privileged AD Builtin Group Modified, GPO Executable Delivery, Creation or Modification of a GPO Scheduled Task, Domain Trust Created Or Removed"}, {"techniqueID": "T1212", "score": 100, "comment": "Rules: Abusing Azure Browser SSO, Audit CVE Event"}, {"techniqueID": "T1528", "score": 100, "comment": "Rules: Abusing Azure Browser SSO"}, {"techniqueID": "T1550.001", "score": 100, "comment": "Rules: Abusing Azure Browser SSO"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AD Privileged Users Or Groups Reconnaissance, AD User Enumeration"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: PowerShell Data Compressed, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Privileged AD Builtin Group Modified"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Suspicious Mshta Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Trickbot Malware Activity, PowerView commandlets 1, NlTest Usage, Phosphorus Domain Controller Discovery, AdFind Usage, Bloodhound and Sharphound Tools Usage, Domain Trust Discovery Through LDAP, PowerView commandlets 2"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1137.006", "score": 100, "comment": "Rules: Microsoft Office Startup Add-In"}, {"techniqueID": "T1564.004", "score": 100, "comment": "Rules: PowerShell - NTFS Alternate Data Stream"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled, Suspect Svchost Memory Access, Disable Security Events Logging Adding Reg Key MiniNt"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution, Dynwrapx Module Loading"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created, Suspicious Windows ANONYMOUS LOGON Local Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1574.001", "score": 100, "comment": "Rules: Svchost DLL Search Order Hijack, Windows Registry Persistence COM Search Order Hijacking"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access, Remote Registry Management Using Reg Utility"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Ryuk Ransomware Persistence Registry Key, Malware Persistence Registry Key"}, {"techniqueID": "T1078.001", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.002", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.003", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: Microsoft Malware Protection Engine Crash, Audit CVE Event"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1021.001", "score": 100, "comment": "Rules: Denied Access To Remote Desktop, RDP Login From Localhost, RDP Port Change Using Powershell"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 1, Network Share Discovery, PowerView commandlets 2"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious HWP Child Process"}, {"techniqueID": "T1546.012", "score": 100, "comment": "Rules: Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys"}, {"techniqueID": "T1129", "score": 100, "comment": "Rules: FoggyWeb Backdoor DLL Loading"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1021.006", "score": 100, "comment": "Rules: Lsass Access Through WinRM"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1, Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1207", "score": 100, "comment": "Rules: DC Shadow via Service Principal Name (SPN) creation"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1100", "score": 100, "comment": "Rules: Antivirus Web Shell Detection"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line, Active Directory Shadow Credentials"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1086", "score": 100, "comment": "Rules: In-memory PowerShell"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Suspicious Windows ANONYMOUS LOGON Local Account Created"}, {"techniqueID": "T1499.004", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1499", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: Failed Logon Source From Public IP Addresses"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Windows", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration, Autorun Keys Modification, Suspicious desktop.ini Action, Powershell Winlogon Helper DLL, Leviathan Registry Key Activity, RUN Registry Key Created From Suspicious Folder, NjRat Registry Changes, Narrator Feedback-Hub Persistence, DLL Load via LSASS Registry Key, Security Support Provider (SSP) Added to LSA Configuration, Malware Persistence Registry Key, Ryuk Ransomware Persistence Registry Key, Registry Key Used By Some Old Agent Tesla Samples"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, System Info Discovery, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: User Added to Local Administrators, Active Directory Delegate To KRBTGT Service, Active Directory Replication User Backdoor, SeEnableDelagationPrivilege Granted To User Or Machine In Active Directory, Privileged AD Builtin Group Modified, Password Change On Directory Service Restore Mode (DSRM) Account, Mimikatz Basic Commands, Active Directory User Backdoors, Add User to Privileged Group"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, High Privileges Network Share Removal, Microsoft Defender Antivirus Tampering Detected, Secure Deletion With SDelete, Erase Shell History, ETW Tampering, Microsoft Defender Antivirus History Directory Deleted, Microsoft Defender Antivirus History Deleted, Eventlog Cleared"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, WiFi Credentials Harvesting Using Netsh, Capture a network trace with netsh.exe, Network Sniffing Windows"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Adexplorer Usage, Container Credential Access, Remote Registry Management Using Reg Utility, Outlook Registry Access, Opening Of a Password File"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious DLL side loading from ProgramData, Dynamic Linker Hijacking From Environment Variable, DHCP Server Error Failed Loading the CallOut DLL, DHCP Callout DLL Installation, Hijack Legit RDP Session To Move Laterally, DHCP Server Loaded the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL, Windows Registry Persistence COM Search Order Hijacking, Svchost DLL Search Order Hijack, Werfault DLL Injection, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Using Registry, WMIC Uninstall Product, Address Space Layout Randomization (ASLR) Alteration, Suspicious Driver Loaded, Suspicious Microsoft Defender Antivirus Exclusion Command, TrustedInstaller Impersonation, Debugging Software Deactivation, Suspicious PROCEXP152.sys File Created In Tmp, Fail2ban Unban IP, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh RDP Port Forwarding, NetNTLM Downgrade Attack, Disabled IE Security Features, Netsh Port Forwarding, Microsoft Malware Protection Engine Crash, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable SecurityHealth, Microsoft Defender Antivirus Disable Services, Netsh Port Opening, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Configuration Changed, MalwareBytes Uninstallation, Microsoft Defender Antivirus Restoration Abuse, Windows Defender Deactivation Using PowerShell Script, Disable Windows Defender Credential Guard, Netsh Program Allowed With Suspicious Location, Microsoft Defender Antivirus Exclusion Configuration, Ryuk Ransomware Command Line, Raccine Uninstall, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Disable Using Registry, WMIC Uninstall Product, Netsh Allow Command, Address Space Layout Randomization (ASLR) Alteration, Suspicious Driver Loaded, Suspicious Microsoft Defender Antivirus Exclusion Command, TrustedInstaller Impersonation, Debugging Software Deactivation, Windows Firewall Changes, Suspicious PROCEXP152.sys File Created In Tmp, Fail2ban Unban IP, Disable Security Events Logging Adding Reg Key MiniNt, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Disable .NET ETW Through COMPlus_ETWEnabled, Netsh RDP Port Forwarding, NetNTLM Downgrade Attack, Powershell AMSI Bypass, Python Opening Ports, ETW Tampering, Disabled IE Security Features, Netsh Port Forwarding, Microsoft Malware Protection Engine Crash, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspect Svchost Memory Access, Microsoft Defender Antivirus Tampering Detected, Microsoft Defender Antivirus Disable SecurityHealth, Microsoft Defender Antivirus Exclusion Configuration, Microsoft Defender Antivirus Disable Services, Netsh Port Opening, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Configuration Changed, MalwareBytes Uninstallation, Microsoft Defender Antivirus Restoration Abuse, Windows Defender Deactivation Using PowerShell Script, NetSh Used To Disable Windows Firewall, Disable Windows Defender Credential Guard, Netsh Program Allowed With Suspicious Location, Netsh Allowed Python Program, Ryuk Ransomware Command Line, Raccine Uninstall, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Wmiprvse Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Cobalt Strike Named Pipes, Spoolsv Wrong Parent, Taskhostw Wrong Parent, Process Herpaderping, Dynwrapx Module Loading, Malicious Named Pipe, MavInject Process Injection, Taskhost Wrong Parent, Searchindexer Wrong Parent, CreateRemoteThread Common Process Injection, Searchprotocolhost Wrong Parent, Wsmprovhost Wrong Parent, Process Hollowing Detection, Smss Wrong Parent, Svchost Wrong Parent, Explorer Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 1, Network Scanning and Discovery, PowerView commandlets 2"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Wdigest Enable UseLogonCredential, DCSync Attack, HackTools Suspicious Process Names In Command Line, Suspicious SAM Dump, Password Dumper Activity On LSASS, Transfering Files With Credential Data Via Network Shares, DPAPI Domain Backup Key Extraction, Rubeus Tool Command-line, Active Directory Database Dump Via Ntdsutil, Process Trace Alteration, NetNTLM Downgrade Attack, Windows Credential Editor Registry Key, Mimikatz Basic Commands, Copying Browser Files With Credentials, Cmdkey Cached Credentials Recon, Cred Dump Tools Dropped Files, HackTools Suspicious Names, Process Memory Dump Using Comsvcs, WCE wceaux.dll Creation, Load Of dbghelp/dbgcore DLL From Suspicious Process, LSASS Access From Non System Account, Impacket Secretsdump.py Tool, Process Memory Dump Using Rdrleakdiag, Malicious Service Installations, Dumpert LSASS Process Dumper, Mimikatz LSASS Memory Access, RedMimicry Winnti Playbook Dropped File, Grabbing Sensitive Hives Via Reg Utility, Active Directory Replication from Non Machine Account, LSASS Memory Dump, Lsass Access Through WinRM, NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data, Credential Dumping-Tools Common Named Pipes, LSASS Memory Dump File Creation, SAM Registry Hive Handle Request, Unsigned Image Loaded Into LSASS Process, NTDS.dit File In Suspicious Directory, Credential Dumping By LaZagne, Process Memory Dump Using Createdump, Credential Dumping Tools Service Execution"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Covenant Default HTTP Beaconing, Sliver DNS Beaconing, Potential Lemon Duck User-Agent, Exfiltration And Tunneling Tools Execution, Koadic MSHTML Command, DNS Exfiltration and Tunneling Tools Execution, Python HTTP Server, DNS Tunnel Technique From MuddyWater, Chafer (APT 39) Activity, Nimbo-C2 User Agent, Suspicious LDAP-Attributes Used, TrevorC2 HTTP Communication, Bazar Loader DGA (Domain Generation Algorithm), Suspicious Windows DNS Queries, SEKOIA.IO Intelligence Feed, Detect requests to Konni C2 servers"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Suspicious Double Extension, Suspicious HWP Child Process, Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs, Suspicious Outlook Child Process, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv, Exploited CVE-2020-10189 Zoho ManageEngine, Failed Logon Source From Public IP Addresses, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, GitLab CVE-2021-22205, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE, Suspicious DNS Child Process"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, Net.exe User Account Creation, Suspicious Windows ANONYMOUS LOGON Local Account Created, User Account Created"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Covenant Default HTTP Beaconing, Potential Lemon Duck User-Agent, Exfiltration And Tunneling Tools Execution, Python HTTP Server, Koadic MSHTML Command, TrevorC2 HTTP Communication, Nimbo-C2 User Agent, Suspicious Windows DNS Queries, Detect requests to Konni C2 servers"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing, DNS Exfiltration and Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater, Chafer (APT 39) Activity, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Antivirus Relevant File Paths Alerts, Exploit For CVE-2015-1641, Antivirus Exploitation Framework Detection, Suspicious HWP Child Process, Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs, Audit CVE Event, Suspicious New Printer Ports In Registry, Msdt (Follina) File Browse Process Execution, Antivirus Password Dumper Detection"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, Download Files From Suspicious TLDs, Microsoft Office Creating Suspicious File, Download Files From Non-Legitimate TLDs, HarfangLab EDR Critical Level Rule Detection, Sysmon Windows File Block Executable, Microsoft Office Product Spawning Windows Shell, HarfangLab EDR Low Level Rule Detection, Exploit For CVE-2015-1641, Suspicious DLL Loaded Via Office Applications, Microsoft Defender Antivirus Threat Detected, MS Office Product Spawning Exe in User Dir, Winword Document Droppers, HarfangLab EDR Suspicious Process Behavior Has Been Detected, IcedID Execution Using Excel, HarfangLab EDR High Level Rule Detection, HarfangLab EDR Medium Level Rule Detection, Microsoft Office Spawning Script, Suspicious Outlook Child Process, Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File, HarfangLab EDR Process Execution Blocked, HarfangLab EDR Hlai Engine Detection"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, Download Files From Suspicious TLDs, Microsoft Office Creating Suspicious File, Download Files From Non-Legitimate TLDs, HarfangLab EDR Critical Level Rule Detection, Sysmon Windows File Block Executable, Microsoft Office Product Spawning Windows Shell, HarfangLab EDR Low Level Rule Detection, Exploit For CVE-2015-1641, Suspicious DLL Loaded Via Office Applications, Winword Document Droppers, MS Office Product Spawning Exe in User Dir, HarfangLab EDR Suspicious Process Behavior Has Been Detected, IcedID Execution Using Excel, HarfangLab EDR High Level Rule Detection, HarfangLab EDR Medium Level Rule Detection, Microsoft Office Spawning Script, Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File, HarfangLab EDR Process Execution Blocked, HarfangLab EDR Hlai Engine Detection"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, Suspicious Hostname, Suspicious TOR Gateway"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line, TUN/TAP Driver Installation, Powershell UploadString Function, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Ngrok Process Execution, SOCKS Tunneling Tool, Netsh Port Forwarding, Venom Multi-hop Proxy agent detection, Potential DNS Tunnel"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: New Or Renamed User Account With '$' In Attribute 'SamAccountName', Legitimate Process Execution From Unusual Folder, Phorpiex Process Masquerading, AutoIt3 Execution From Suspicious Folder, Possible Malicious File Double Extension, Copy Of Legitimate System32 Executable, Exploit For CVE-2017-0261 Or CVE-2017-0262, Formbook Hijacked Process Command, Execution From Suspicious Folder, RTLO Character, Explorer Wrong Parent, Suspicious Cmd.exe Command Line, Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution, Network Connection Via Certutil, Rclone Process, Suspicious certutil command, Suspicious URI Used In A Lazarus Campaign, Suspicious Finger Usage, Suspicious Headless Web Browser Execution To Download File, Pandemic Windows Implant"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Possible RottenPotato Attack, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, ProxyShell Exchange Suspicious Paths, Webshell Execution W3WP Process, Exchange Server Spawning Suspicious Processes, Exchange Server Creating Unusual Files, Antivirus Web Shell Detection, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: IIS Module Installation Using AppCmd, PowerCat Function Loading, ProxyShell Exchange Suspicious Paths, Webshell Execution W3WP Process, Exchange Server Spawning Suspicious Processes, Exchange Server Creating Unusual Files, Antivirus Web Shell Detection, Webshell Creation"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line, User Couldn't Call A Privileged Service LsaRegisterLogonProcess"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Suspicious Outbound Kerberos Connection, Rubeus Tool Command-line, User Couldn't Call A Privileged Service LsaRegisterLogonProcess, Possible Replay Attack, Rubeus Register New Logon Process"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Successful Overpass The Hash Attempt, Rubeus Tool Command-line, Potential RDP Connection To Non-Domain Host, Abusing Azure Browser SSO"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Phorpiex DriveMgr Command, Mustang Panda Dropper, WMIC Uninstall Product, Koadic Execution, MalwareBytes Uninstallation, Exploited CVE-2020-10189 Zoho ManageEngine, SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, Lazarus Loaders, Elise Backdoor, Suspicious Taskkill Command, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: PowerShell - NTFS Alternate Data Stream, WMIC Uninstall Product, In-memory PowerShell, SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, PowerShell Credential Prompt, Suspicious PowerShell Keywords, Microsoft Office Creating Suspicious File, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious VBS Execution Parameter, Suspicious Taskkill Command, Powershell Web Request, Exploiting SetupComplete.cmd CVE-2019-1378, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, QakBot Process Creation, AutoIt3 Execution From Suspicious Folder, WMImplant Hack Tool, FromBase64String Command Line, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell Download From URL, Suspicious DLL Loaded Via Office Applications, Microsoft Defender Antivirus Threat Detected, Default Encoding To UTF-8 PowerShell, Alternate PowerShell Hosts Pipe, Mshta Suspicious Child Process, Lazarus Loaders, PowerShell EncodedCommand, Mustang Panda Dropper, Microsoft Defender Antivirus Disabled Base64 Encoded, XSL Script Processing And SquiblyTwo Attack, Suspicious XOR Encoded PowerShell Command Line, Sysprep On AppData Folder, Trickbot Malware Activity, Koadic Execution, Detection of default Mimikatz banner, Microsoft Office Spawning Script, Suspicious Scripting In A WMI Consumer, Suspicious PrinterPorts Creation (CVE-2020-1048), PowerShell Malicious PowerShell Commandlets, Invoke-TheHash Commandlets, Suspicious Outlook Child Process, Elise Backdoor, WMI DLL Loaded Via Office, Phorpiex DriveMgr Command, Suspicious PowerShell Invocations - Specific, DNS Exfiltration and Tunneling Tools Execution, Suspicious Windows Script Execution, PowerShell Downgrade Attack, Malicious PowerShell Keywords, Suspicious PowerShell Invocations - Generic, MalwareBytes Uninstallation, Exploited CVE-2020-10189 Zoho ManageEngine, Bloodhound and Sharphound Tools Usage, Turla Named Pipes, Suspicious Cmd.exe Command Line, Venom Multi-hop Proxy agent detection, PowerShell Invoke Expression With Registry, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, QakBot Process Creation, Suspicious Windows Script Execution, Koadic Execution, Microsoft Office Spawning Script, Suspicious DLL Loaded Via Office Applications, SquirrelWaffle Malspam Execution Loading DLL, Suspicious VBS Execution Parameter, Malspam Execution Registering Malicious DLL, Microsoft Office Creating Suspicious File, WMI DLL Loaded Via Office"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Empire Monkey Activity, PowerShell Execution Via Rundll32, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Equation Group DLL_U Load, SquirrelWaffle Malspam Execution Loading DLL, Suspicious DLL Loading By Ordinal, Malspam Execution Registering Malicious DLL, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Control Process, Suspicious Desktopimgdownldr Execution, SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, Suspicious Taskkill Command, CertOC Loading Dll, Empire Monkey Activity, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Windows Installer Execution, Dynwrapx Module Loading, xWizard Execution, MavInject Process Injection, MOFComp Execution, Suspicious Mshta Execution, IcedID Execution Using Excel, AccCheckConsole Executing Dll, CMSTP UAC Bypass via COM Object Access, Equation Group DLL_U Load, Suspicious Rundll32.exe Execution, Suspicious Regsvr32 Execution, Explorer Process Executing HTA File, PowerShell Execution Via Rundll32, Suspicious DLL Loading By Ordinal, Mshta JavaScript Execution, CMSTP Execution, Control Panel Items"}, {"techniqueID": "T1003.006", "score": 100, "comment": "Rules: DCSync Attack, Active Directory Replication from Non Machine Account, Credential Dumping Tools Service Execution"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Impacket Secretsdump.py Tool, Credential Dumping-Tools Common Named Pipes, Suspicious SAM Dump, SAM Registry Hive Handle Request, Cred Dump Tools Dropped Files, Copying Browser Files With Credentials, RedMimicry Winnti Playbook Dropped File, Grabbing Sensitive Hives Via Reg Utility, Credential Dumping Tools Service Execution"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, XCopy Suspicious Usage, Opening Of a Password File"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Windows Firewall Changes, Netsh Port Opening, Netsh RDP Port Forwarding, Netsh Allow Command, Python Opening Ports, Powershell AMSI Bypass, NetSh Used To Disable Windows Firewall, Netsh Program Allowed With Suspicious Location, Netsh Port Forwarding, Netsh Allowed Python Program, Netsh RDP Port Opening"}, {"techniqueID": "T1210", "score": 100, "comment": "Rules: Audit CVE Event, CVE-2019-0708 Scan, Registry Checked For Lanmanserver DisableCompression Parameter"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious New Printer Ports In Registry, Certify Or Certipy, Audit CVE Event"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Wmiprvse Wrong Parent, Chafer (APT 39) Activity, Taskhost or Taskhostw Suspicious Child Found, Winlogon wrong parent, APT29 Fake Google Update Service Install, Cobalt Strike Default Service Creation Usage, Userinit Wrong Parent, Spoolsv Wrong Parent, Dllhost Wrong Parent, Csrss Child Found, Csrss Wrong Parent, Wininit Wrong Parent, New Service Creation, Winrshost Wrong Parent, Taskhostw Wrong Parent, Logonui Wrong Parent, Gpscript Suspicious Parent, WMI Persistence Command Line Event Consumer, Winword wrong parent, Taskhost Wrong Parent, Searchindexer Wrong Parent, SolarWinds Wrong Child Process, Searchprotocolhost Child Found, Malicious Service Installations, Lsass Wrong Parent, Searchprotocolhost Wrong Parent, Wsmprovhost Wrong Parent, StoneDrill Service Install, Smss Wrong Parent, OneNote Suspicious Children Process, Rare Logonui Child Found, Rare Lsass Child Found, Svchost Wrong Parent, Explorer Wrong Parent, Suspicious Commands From MS SQL Server Shell"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Wmiprvse Wrong Parent, Chafer (APT 39) Activity, Taskhost or Taskhostw Suspicious Child Found, Winlogon wrong parent, APT29 Fake Google Update Service Install, Cobalt Strike Default Service Creation Usage, Userinit Wrong Parent, Spoolsv Wrong Parent, Dllhost Wrong Parent, Csrss Child Found, Csrss Wrong Parent, Wininit Wrong Parent, New Service Creation, Winrshost Wrong Parent, Taskhostw Wrong Parent, Logonui Wrong Parent, Gpscript Suspicious Parent, WMI Persistence Command Line Event Consumer, Winword wrong parent, Taskhost Wrong Parent, Searchindexer Wrong Parent, SolarWinds Wrong Child Process, Searchprotocolhost Child Found, Malicious Service Installations, Lsass Wrong Parent, Searchprotocolhost Wrong Parent, Wsmprovhost Wrong Parent, StoneDrill Service Install, Smss Wrong Parent, OneNote Suspicious Children Process, Rare Logonui Child Found, Rare Lsass Child Found, Svchost Wrong Parent, Explorer Wrong Parent, Suspicious Commands From MS SQL Server Shell"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools, Wmiprvse Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Winlogon wrong parent, Userinit Wrong Parent, Suspicious Commands From MS SQL Server Shell, Spoolsv Wrong Parent, Dllhost Wrong Parent, Csrss Child Found, Csrss Wrong Parent, Wininit Wrong Parent, Winrshost Wrong Parent, Taskhostw Wrong Parent, Logonui Wrong Parent, Smbexec.py Service Installation, Gpscript Suspicious Parent, Suspicious DNS Child Process, WMI Persistence Command Line Event Consumer, Winword wrong parent, Metasploit PSExec Service Creation, Taskhost Wrong Parent, Searchindexer Wrong Parent, SolarWinds Wrong Child Process, Searchprotocolhost Child Found, Malicious Service Installations, Lsass Wrong Parent, Suspicious PsExec Execution, Searchprotocolhost Wrong Parent, Wsmprovhost Wrong Parent, Smss Wrong Parent, OneNote Suspicious Children Process, PsExec Process, Rare Logonui Child Found, Rare Lsass Child Found, Svchost Wrong Parent, Usage Of Procdump With Common Arguments, Credential Dumping Tools Service Execution"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools, Wmiprvse Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Winlogon wrong parent, Userinit Wrong Parent, Suspicious Commands From MS SQL Server Shell, Spoolsv Wrong Parent, Dllhost Wrong Parent, Csrss Child Found, Csrss Wrong Parent, SolarWinds Suspicious File Creation, Wininit Wrong Parent, Winrshost Wrong Parent, Taskhostw Wrong Parent, Logonui Wrong Parent, Microsoft Defender Antivirus Threat Detected, Smbexec.py Service Installation, Gpscript Suspicious Parent, Suspicious DNS Child Process, WMI Persistence Command Line Event Consumer, Winword wrong parent, Metasploit PSExec Service Creation, Taskhost Wrong Parent, Searchindexer Wrong Parent, SolarWinds Wrong Child Process, Searchprotocolhost Child Found, Windows Update LolBins, Malicious Service Installations, Lsass Wrong Parent, Suspicious PsExec Execution, Searchprotocolhost Wrong Parent, Wsmprovhost Wrong Parent, Smss Wrong Parent, OneNote Suspicious Children Process, PsExec Process, Rare Logonui Child Found, Rare Lsass Child Found, Svchost Wrong Parent, Usage Of Procdump With Common Arguments, Credential Dumping Tools Service Execution"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool, Suspicious LDAP-Attributes Used"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool, Suspicious LDAP-Attributes Used"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: LSASS Memory Dump, Load Of dbghelp/dbgcore DLL From Suspicious Process, Lsass Access Through WinRM, Unsigned Image Loaded Into LSASS Process, LSASS Access From Non System Account, Process Memory Dump Using Rdrleakdiag, Credential Dumping-Tools Common Named Pipes, LSASS Memory Dump File Creation, Windows Credential Editor Registry Key, Password Dumper Activity On LSASS, Dumpert LSASS Process Dumper, Cred Dump Tools Dropped Files, Mimikatz LSASS Memory Access, Credential Dumping By LaZagne, Process Memory Dump Using Createdump, Credential Dumping Tools Service Execution"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test, IcedID Execution Using Excel, Microsoft Office Startup Add-In"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell - NTFS Alternate Data Stream, In-memory PowerShell, PowerShell Credential Prompt, Suspicious PowerShell Keywords, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Taskkill Command, Powershell Web Request, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, WMImplant Hack Tool, FromBase64String Command Line, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell Download From URL, Default Encoding To UTF-8 PowerShell, Alternate PowerShell Hosts Pipe, Mshta Suspicious Child Process, PowerShell EncodedCommand, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious XOR Encoded PowerShell Command Line, Detection of default Mimikatz banner, Suspicious PrinterPorts Creation (CVE-2020-1048), PowerShell Malicious PowerShell Commandlets, Invoke-TheHash Commandlets, Suspicious PowerShell Invocations - Specific, DNS Exfiltration and Tunneling Tools Execution, PowerShell Downgrade Attack, Malicious PowerShell Keywords, Suspicious PowerShell Invocations - Generic, Exploited CVE-2020-10189 Zoho ManageEngine, Bloodhound and Sharphound Tools Usage, Turla Named Pipes, PowerShell Invoke Expression With Registry, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Secure Deletion With SDelete"}, {"techniqueID": "T1027.005", "score": 100, "comment": "Rules: Secure Deletion With SDelete"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, Suspicious XOR Encoded PowerShell Command Line, Secure Deletion With SDelete, OneNote Embedded File, PowerShell EncodedCommand"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Secure Deletion With SDelete, Backup Catalog Deleted"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File, PowerShell - NTFS Alternate Data Stream"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Remote Privileged Group Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Phosphorus (APT35) Exchange Discovery, Remote Privileged Group Enumeration, AD Privileged Users Or Groups Reconnaissance, AD User Enumeration, PowerView commandlets 1, Bloodhound and Sharphound Tools Usage, PowerView commandlets 2"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data, Impacket Secretsdump.py Tool, Active Directory Database Dump Via Ntdsutil, Cred Dump Tools Dropped Files, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1021.002", "score": 100, "comment": "Rules: Admin Share Access, Protected Storage Service Access, Smbexec.py Service Installation, Remote Service Activity Via SVCCTL Named Pipe, Cobalt Strike Default Service Creation Usage, Lateral Movement - Remote Named Pipe"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, Lsass Access Through WinRM, Admin Share Access, Smbexec.py Service Installation, Denied Access To Remote Desktop, RDP Login From Localhost, Protected Storage Service Access, Remote Service Activity Via SVCCTL Named Pipe, Cobalt Strike Default Service Creation Usage, Lateral Movement - Remote Named Pipe, MMC20 Lateral Movement, RDP Port Change Using Powershell"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Successful Overpass The Hash Attempt, Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Wmic Process Call Creation, WMIC Uninstall Product, WMImplant Hack Tool, Wmic Service Call, Invoke-TheHash Commandlets, WMI Install Of Binary, Impacket Wmiexec Module, WMI DLL Loaded Via Office, Blue Mockingbird Malware, Suspicious Mshta Execution From Wmi"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Antivirus Exploitation Framework Detection, Remote Monitoring and Management Software - AnyDesk, Antivirus Relevant File Paths Alerts, Antivirus Password Dumper Detection"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: Suspicious DLL side loading from ProgramData, DHCP Server Error Failed Loading the CallOut DLL, DHCP Callout DLL Installation, DHCP Server Loaded the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL, Werfault DLL Injection, Svchost DLL Search Order Hijack, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, WMIC Loading Scripting Libraries"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Copy Of Legitimate System32 Executable, Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Koadic Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line, RDP Port Change Using Powershell"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution, Disable Workstation Lock, Ursnif Registry Key, Disable Security Events Logging Adding Reg Key MiniNt, DHCP Callout DLL Installation, FlowCloud Malware, Disable .NET ETW Through COMPlus_ETWEnabled, RedMimicry Winnti Playbook Registry Manipulation, RDP Port Change Using Powershell, Chafer (APT 39) Activity, NetNTLM Downgrade Attack, Remote Registry Management Using Reg Utility, Wdigest Enable UseLogonCredential, RDP Sensitive Settings Changed, OceanLotus Registry Activity, Suspicious New Printer Ports In Registry, Blue Mockingbird Malware, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: Dynwrapx Module Loading, CreateRemoteThread Common Process Injection, MavInject Process Injection"}, {"techniqueID": "T1055.012", "score": 100, "comment": "Rules: Process Hollowing Detection"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: User Added to Local Administrators, Account Removed From A Security Enabled Group, Admin User RDP Remote Logon, Denied Access To Remote Desktop, Failed Logon Source From Public IP Addresses, Account Tampering - Suspicious Failed Logon Reasons, Account Added To A Security Enabled Group"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Legitimate Process Execution From Unusual Folder, Phorpiex Process Masquerading, Exploit For CVE-2017-0261 Or CVE-2017-0262, Formbook Hijacked Process Command, Explorer Wrong Parent"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Event Subscription, WMI Persistence Script Event Consumer File Write, Suspicious Scripting In A WMI Consumer"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key, WMI Persistence Script Event Consumer File Write, Change Default File Association, Suspicious Scripting In A WMI Consumer, Sticky Key Like Backdoor Usage, WMI Event Subscription, Suspicious Netsh DLL Persistence, Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys, Control Panel Items"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted, Eventlog Cleared, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Creation or Modification of a GPO Scheduled Task, Schtasks Persistence With High Privileges, Suspicious Scheduled Task Creation, Chafer (APT 39) Activity, Schtasks Suspicious Parent, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, STRRAT Scheduled Task, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Remote Task Creation Via ATSVC Named Pipe, Creation or Modification of a GPO Scheduled Task, Schtasks Persistence With High Privileges, Suspicious Scheduled Task Creation, Chafer (APT 39) Activity, Schtasks Suspicious Parent, STRRAT Scheduled Task, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Autorun Keys Modification, Leviathan Registry Key Activity, RUN Registry Key Created From Suspicious Folder, Narrator Feedback-Hub Persistence, Malware Persistence Registry Key, Ryuk Ransomware Persistence Registry Key, Registry Key Used By Some Old Agent Tesla Samples"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: DPAPI Domain Backup Key Extraction, Impacket Secretsdump.py Tool, Credential Dumping-Tools Common Named Pipes, Cred Dump Tools Dropped Files, Grabbing Sensitive Hives Via Reg Utility, Credential Dumping Tools Service Execution"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dumping-Tools Common Named Pipes, Cred Dump Tools Dropped Files, Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility, Credential Dumping Tools Service Execution"}, {"techniqueID": "T1557.001", "score": 100, "comment": "Rules: Possible RottenPotato Attack"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Possible RottenPotato Attack, Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: Suspicious Access To Sensitive File Extensions"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 1, SCM Database Handle Failure, SCM Database Privileged Operation, PowerView commandlets 2"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Remote Task Creation Via ATSVC Named Pipe, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass Using Fodhelper, UAC Bypass Via Sdclt, UAC Bypass via Event Viewer"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass Using Fodhelper, UAC Bypass Via Sdclt, UAC Bypass via Event Viewer"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious XOR Encoded PowerShell Command Line, Suspicious certutil command, FromBase64String Command Line, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Mshta Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1087.003", "score": 100, "comment": "Rules: Phosphorus (APT35) Exchange Discovery"}, {"techniqueID": "T1547.008", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1091", "score": 100, "comment": "Rules: External Disk Drive Or USB Storage Device"}, {"techniqueID": "T1200", "score": 100, "comment": "Rules: External Disk Drive Or USB Storage Device"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Putty Sessions Listing, Suspicious Taskkill Command, SysKey Registry Keys Access, Remote Registry Management Using Reg Utility"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups, Stop Backup Services, Suncrypt Parameters"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications, AD Object WriteDAC Access"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username, Suncrypt Parameters"}, {"techniqueID": "T1484.001", "score": 100, "comment": "Rules: Creation or Modification of a GPO Scheduled Task, GPO Executable Delivery"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Privileged AD Builtin Group Modified, Creation or Modification of a GPO Scheduled Task, Domain Trust Created Or Removed, GPO Executable Delivery"}, {"techniqueID": "T1212", "score": 100, "comment": "Rules: Abusing Azure Browser SSO, Audit CVE Event"}, {"techniqueID": "T1528", "score": 100, "comment": "Rules: Abusing Azure Browser SSO"}, {"techniqueID": "T1550.001", "score": 100, "comment": "Rules: Abusing Azure Browser SSO"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: AD User Enumeration, AD Privileged Users Or Groups Reconnaissance, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar, PowerShell Data Compressed, Data Compressed With Rar With Password"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Privileged AD Builtin Group Modified"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Suspicious Taskkill Command, Explorer Process Executing HTA File, Suspicious Mshta Execution"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, Trickbot Malware Activity, NlTest Usage, PowerView commandlets 1, Phosphorus Domain Controller Discovery, Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage, PowerView commandlets 2"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1137.006", "score": 100, "comment": "Rules: Microsoft Office Startup Add-In"}, {"techniqueID": "T1564.004", "score": 100, "comment": "Rules: PowerShell - NTFS Alternate Data Stream"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Suspect Svchost Memory Access, Disable Security Events Logging Adding Reg Key MiniNt, Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Dynwrapx Module Loading, IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation, Suspicious Windows ANONYMOUS LOGON Local Account Created"}, {"techniqueID": "T1574.001", "score": 100, "comment": "Rules: Windows Registry Persistence COM Search Order Hijacking, Svchost DLL Search Order Hijack"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain In Command Line, Rclone Process"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Remote Registry Management Using Reg Utility, Outlook Registry Access"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key, Ryuk Ransomware Persistence Registry Key"}, {"techniqueID": "T1078.001", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.002", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.003", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: Microsoft Malware Protection Engine Crash, Audit CVE Event"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1021.001", "score": 100, "comment": "Rules: RDP Login From Localhost, RDP Port Change Using Powershell, Denied Access To Remote Desktop"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 1, Network Share Discovery, PowerView commandlets 2"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious HWP Child Process, Suspicious Double Extension"}, {"techniqueID": "T1546.012", "score": 100, "comment": "Rules: Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys"}, {"techniqueID": "T1129", "score": 100, "comment": "Rules: FoggyWeb Backdoor DLL Loading"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1021.006", "score": 100, "comment": "Rules: Lsass Access Through WinRM"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Formbook File Creation DB1"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1207", "score": 100, "comment": "Rules: DC Shadow via Service Principal Name (SPN) creation"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1100", "score": 100, "comment": "Rules: Antivirus Web Shell Detection"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line, Active Directory Shadow Credentials"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1086", "score": 100, "comment": "Rules: In-memory PowerShell"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Suspicious Windows ANONYMOUS LOGON Local Account Created"}, {"techniqueID": "T1499.004", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1499", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: Failed Logon Source From Public IP Addresses"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_995d7daf-4e4a-42ec-b90d-9af2f7be7019_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_995d7daf-4e4a-42ec-b90d-9af2f7be7019_do_not_edit_manually.json index 97b7702d02..4d60fb1b79 100644 --- a/_shared_content/operations_center/detection/generated/attack_995d7daf-4e4a-42ec-b90d-9af2f7be7019_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_995d7daf-4e4a-42ec-b90d-9af2f7be7019_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Cisco Meraki MX", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Koadic MSHTML Command, Nimbo-C2 User Agent, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-21985 VMware vCenter, CVE-2018-11776 Apache Struts2, CVE-2019-0604 SharePoint, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-26855 Exchange SSRF, CVE-2020-1147 SharePoint, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-21972 VMware vCenter, CVE-2020-17530 Apache Struts RCE"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Koadic MSHTML Command, Nimbo-C2 User Agent, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Cisco Meraki MX", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, Nimbo-C2 User Agent, SEKOIA.IO Intelligence Feed, Detect requests to Konni C2 servers"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-26855 Exchange SSRF, CVE-2019-0604 SharePoint, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-17530 Apache Struts RCE, CVE-2021-21972 VMware vCenter, CVE-2020-1147 SharePoint, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2018-11776 Apache Struts2, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-21985 VMware vCenter"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, Nimbo-C2 User Agent, Detect requests to Konni C2 servers"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_99da26fc-bf7b-4e5b-a76c-408472fcfebb_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_99da26fc-bf7b-4e5b-a76c-408472fcfebb_do_not_edit_manually.json index 412d98e21b..e4dc874b9e 100644 --- a/_shared_content/operations_center/detection/generated/attack_99da26fc-bf7b-4e5b-a76c-408472fcfebb_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_99da26fc-bf7b-4e5b-a76c-408472fcfebb_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Sophos Analysis Threat Center [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Leviathan Registry Key Activity, Autorun Keys Modification, Kernel Module Alteration"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies, System Info Discovery"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: High Privileges Network Share Removal, ETW Tampering, Erase Shell History, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows, Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, Outlook Registry Access, Container Credential Access, XCopy Suspicious Usage"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally, Dynamic Linker Hijacking From Environment Variable, Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Raccine Uninstall, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disable Using Registry, WMIC Uninstall Product, Debugging Software Deactivation, Netsh RDP Port Opening, Disabled IE Security Features, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh RDP Port Forwarding, Netsh Port Forwarding, MalwareBytes Uninstallation, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disable Scheduled Tasks, Suspicious Driver Loaded, Netsh Program Allowed With Suspicious Location, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Fail2ban Unban IP, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Port Opening, Microsoft Defender Antivirus Signatures Removed With MpCmdRun"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Raccine Uninstall, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disable Using Registry, Disable .NET ETW Through COMPlus_ETWEnabled, WMIC Uninstall Product, NetSh Used To Disable Windows Firewall, Debugging Software Deactivation, Windows Firewall Changes, Clear EventLogs Through CommandLine, ETW Tampering, Netsh RDP Port Opening, Netsh Allow Command, Disabled IE Security Features, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh RDP Port Forwarding, Netsh Port Forwarding, MalwareBytes Uninstallation, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disable Scheduled Tasks, Suspicious Driver Loaded, Netsh Program Allowed With Suspicious Location, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Fail2ban Unban IP, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Port Opening, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Allowed Python Program"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Explorer Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Suspicious Process Requiring DLL Starts Without DLL"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line, Cmdkey Cached Credentials Recon, Process Memory Dump Using Comsvcs, Process Memory Dump Using Rdrleakdiag, Rubeus Tool Command-line, Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials, Windows Credential Editor Registry Key, Process Trace Alteration, Copying Sensitive Files With Credential Data, HackTools Suspicious Process Names In Command Line"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, DNS Tunnel Technique From MuddyWater, Exfiltration And Tunneling Tools Execution, Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Outlook Child Process, SEKOIA.IO Intelligence Feed, Suspicious Double Extension, Suspicious HWP Child Process"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel, Ngrok Process Execution, Exfiltration And Tunneling Tools Execution, SOCKS Tunneling Tool, Netsh Port Forwarding"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Exploit For CVE-2015-1641, Winword Document Droppers, Microsoft Office Product Spawning Windows Shell, Microsoft Office Creating Suspicious File, Microsoft Office Spawning Script, SquirrelWaffle Malspam Execution Loading DLL, Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Exploit For CVE-2015-1641, Winword Document Droppers, Microsoft Office Product Spawning Windows Shell, Microsoft Office Creating Suspicious File, Microsoft Office Spawning Script, Suspicious Outlook Child Process, SquirrelWaffle Malspam Execution Loading DLL, Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious Taskkill Command, Exploited CVE-2020-10189 Zoho ManageEngine, Phorpiex DriveMgr Command, Koadic Execution, Suspicious Cmd.exe Command Line, WMIC Uninstall Product, Lazarus Loaders, MalwareBytes Uninstallation, SquirrelWaffle Malspam Execution Loading DLL, Elise Backdoor"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious Taskkill Command, WMIC Uninstall Product, Bloodhound and Sharphound Tools Usage, PowerShell Download From URL, QakBot Process Creation, Suspicious Outlook Child Process, SquirrelWaffle Malspam Execution Loading DLL, Trickbot Malware Activity, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious VBS Execution Parameter, PowerShell EncodedCommand, Suspicious Microsoft Defender Antivirus Exclusion Command, Phorpiex DriveMgr Command, Powershell Web Request, Lazarus Loaders, MalwareBytes Uninstallation, Mshta Suspicious Child Process, Sysprep On AppData Folder, Elise Backdoor, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious Windows Script Execution, Koadic Execution, Suspicious Cmd.exe Command Line, XSL Script Processing And SquiblyTwo Attack, DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Invocations - Specific, PowerShell Downgrade Attack, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Office Creating Suspicious File, Microsoft Office Spawning Script, Default Encoding To UTF-8 PowerShell, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious PrinterPorts Creation (CVE-2020-1048)"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, Microsoft Office Creating Suspicious File, Microsoft Office Spawning Script, Suspicious Windows Script Execution, Koadic Execution, XSL Script Processing And SquiblyTwo Attack, QakBot Process Creation, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: IcedID Execution Using Excel, PowerShell Execution Via Rundll32, Equation Group DLL_U Load, Empire Monkey Activity, Suspicious DLL Loading By Ordinal, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Suspicious Windows Installer Execution, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Regsvr32 Execution, PowerShell Execution Via Rundll32, Control Panel Items, MavInject Process Injection, Mshta JavaScript Execution, MOFComp Execution, AccCheckConsole Executing Dll, xWizard Execution, Empire Monkey Activity, Suspicious DLL Loading By Ordinal, CMSTP UAC Bypass via COM Object Access, CMSTP Execution, Suspicious Rundll32.exe Execution, Explorer Process Executing HTA File, IcedID Execution Using Excel, Suspicious Control Process, CertOC Loading Dll, Suspicious Mshta Execution, Equation Group DLL_U Load"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, XCopy Suspicious Usage, Adexplorer Usage"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh RDP Port Opening, Netsh Allow Command, Netsh Program Allowed With Suspicious Location, Netsh Port Opening, Netsh RDP Port Forwarding, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Windows Firewall Changes, Netsh Allowed Python Program"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious PowerShell Invocations - Specific, PowerShell Downgrade Attack, Suspicious Taskkill Command, PowerShell EncodedCommand, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Exploited CVE-2020-10189 Zoho ManageEngine, Powershell Web Request, Bloodhound and Sharphound Tools Usage, PowerShell Download From URL, Default Encoding To UTF-8 PowerShell, PowerShell Malicious Nishang PowerShell Commandlets, Mshta Suspicious Child Process, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command, Rclone Process, Suspicious Finger Usage, Pandemic Windows Implant"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Exploit For CVE-2017-0261 Or CVE-2017-0262, Explorer Wrong Parent, RTLO Character, Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share, Formbook Hijacked Process Command, Non-Legitimate Executable Using AcceptEula Parameter"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Wmic Service Call, Wmic Process Call Creation, Impacket Wmiexec Module, WMIC Uninstall Product, XSL Script Processing And SquiblyTwo Attack, Suspicious Mshta Execution From Wmi, Blue Mockingbird Malware"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Koadic Execution, Suspicious Windows Script Execution"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Exploit For CVE-2017-0261 Or CVE-2017-0262, Explorer Wrong Parent, Formbook Hijacked Process Command"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Explorer Wrong Parent, SolarWinds Wrong Child Process, Taskhost or Taskhostw Suspicious Child Found, Winword wrong parent, Rare Lsass Child Found, Csrss Child Found, New Service Creation, Rare Logonui Child Found, Suspicious Commands From MS SQL Server Shell, Searchprotocolhost Child Found"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Explorer Wrong Parent, SolarWinds Wrong Child Process, Taskhost or Taskhostw Suspicious Child Found, Winword wrong parent, Rare Lsass Child Found, Csrss Child Found, New Service Creation, Rare Logonui Child Found, Suspicious Commands From MS SQL Server Shell, Searchprotocolhost Child Found"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: STRRAT Scheduled Task, Schtasks Suspicious Parent, Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: STRRAT Scheduled Task, Schtasks Suspicious Parent, Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Leviathan Registry Key Activity, Autorun Keys Modification"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Blue Mockingbird Malware"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, Usage Of Sysinternals Tools, Taskhost or Taskhostw Suspicious Child Found, SolarWinds Wrong Child Process, Suspicious DNS Child Process, Rare Lsass Child Found, Csrss Child Found, Winword wrong parent, Rare Logonui Child Found, Suspicious Commands From MS SQL Server Shell, Searchprotocolhost Child Found, PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, Usage Of Sysinternals Tools, Taskhost or Taskhostw Suspicious Child Found, SolarWinds Wrong Child Process, Suspicious DNS Child Process, Rare Lsass Child Found, Csrss Child Found, Winword wrong parent, Rare Logonui Child Found, SolarWinds Suspicious File Creation, Suspicious Commands From MS SQL Server Shell, Searchprotocolhost Child Found, Windows Update LolBins, PsExec Process"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious certutil command, Suspicious Mshta Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Ursnif Registry Key, RedMimicry Winnti Playbook Registry Manipulation, FlowCloud Malware, Disable Workstation Lock, Disable .NET ETW Through COMPlus_ETWEnabled, OceanLotus Registry Activity, Blue Mockingbird Malware, RDP Sensitive Settings Changed"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Inhibit System Recovery Deleting Backups, Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username, Suncrypt Parameters"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, Exchange Server Spawning Suspicious Processes, Webshell Execution W3WP Process, Exchange Server Creating Unusual Files, PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, Exchange Server Spawning Suspicious Processes, Webshell Execution W3WP Process, IIS Module Installation Using AppCmd, Exchange Server Creating Unusual Files, PowerCat Function Loading"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Suspicious Mshta Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Trickbot Malware Activity, NlTest Usage, AdFind Usage, Bloodhound and Sharphound Tools Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write, New DLL Added To AppCertDlls Registry Key, Control Panel Items, Suspicious Netsh DLL Persistence, Sticky Key Like Backdoor Usage, Change Default File Association"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, OneNote Embedded File"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Exploit For CVE-2015-1641, Suspicious HWP Child Process"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Windows Credential Editor Registry Key"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious HWP Child Process"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Suspicious DNS Child Process, Exploited CVE-2020-10189 Zoho ManageEngine, CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Sophos Analysis Threat Center [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration, Leviathan Registry Key Activity, Autorun Keys Modification"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, System Info Discovery, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, High Privileges Network Share Removal, Erase Shell History, ETW Tampering, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, WiFi Credentials Harvesting Using Netsh, Capture a network trace with netsh.exe, Network Sniffing Windows"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Adexplorer Usage, Container Credential Access, Outlook Registry Access, Opening Of a Password File"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Hijack Legit RDP Session To Move Laterally, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Using Registry, WMIC Uninstall Product, Address Space Layout Randomization (ASLR) Alteration, Suspicious Driver Loaded, Suspicious Microsoft Defender Antivirus Exclusion Command, Debugging Software Deactivation, Fail2ban Unban IP, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh RDP Port Forwarding, Disabled IE Security Features, Netsh Port Forwarding, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh Port Opening, Microsoft Defender Antivirus Disable Scheduled Tasks, MalwareBytes Uninstallation, Microsoft Defender Antivirus Restoration Abuse, Netsh Program Allowed With Suspicious Location, Raccine Uninstall, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Disable Using Registry, WMIC Uninstall Product, Netsh Allow Command, Address Space Layout Randomization (ASLR) Alteration, Suspicious Driver Loaded, Suspicious Microsoft Defender Antivirus Exclusion Command, Debugging Software Deactivation, Windows Firewall Changes, Fail2ban Unban IP, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Disable .NET ETW Through COMPlus_ETWEnabled, Netsh RDP Port Forwarding, ETW Tampering, Disabled IE Security Features, Netsh Port Forwarding, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh Port Opening, Microsoft Defender Antivirus Disable Scheduled Tasks, MalwareBytes Uninstallation, Microsoft Defender Antivirus Restoration Abuse, NetSh Used To Disable Windows Firewall, Netsh Program Allowed With Suspicious Location, Netsh Allowed Python Program, Raccine Uninstall, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Explorer Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Comsvcs, WCE wceaux.dll Creation, NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data, Rubeus Tool Command-line, Process Memory Dump Using Rdrleakdiag, HackTools Suspicious Process Names In Command Line, Process Trace Alteration, Windows Credential Editor Registry Key, Cmdkey Cached Credentials Recon, Copying Browser Files With Credentials, NTDS.dit File In Suspicious Directory, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious HWP Child Process, SEKOIA.IO Intelligence Feed, Suspicious Outlook Child Process, Suspicious Double Extension"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Ngrok Process Execution, SOCKS Tunneling Tool, Netsh Port Forwarding, Potential DNS Tunnel"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Explorer Process Executing HTA File, Microsoft Office Product Spawning Windows Shell, Microsoft Office Spawning Script, Exploit For CVE-2015-1641, Winword Document Droppers, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Explorer Process Executing HTA File, Microsoft Office Product Spawning Windows Shell, Microsoft Office Spawning Script, Exploit For CVE-2015-1641, Winword Document Droppers, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Creating Suspicious File, Suspicious Outlook Child Process, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Phorpiex DriveMgr Command, WMIC Uninstall Product, Koadic Execution, MalwareBytes Uninstallation, Exploited CVE-2020-10189 Zoho ManageEngine, SquirrelWaffle Malspam Execution Loading DLL, Lazarus Loaders, Elise Backdoor, Suspicious Taskkill Command, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: WMIC Uninstall Product, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Creating Suspicious File, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious VBS Execution Parameter, Suspicious Taskkill Command, Powershell Web Request, Exploiting SetupComplete.cmd CVE-2019-1378, QakBot Process Creation, PowerShell Download From URL, PowerShell Malicious Nishang PowerShell Commandlets, Default Encoding To UTF-8 PowerShell, Mshta Suspicious Child Process, Lazarus Loaders, PowerShell EncodedCommand, Microsoft Defender Antivirus Disabled Base64 Encoded, XSL Script Processing And SquiblyTwo Attack, Sysprep On AppData Folder, Trickbot Malware Activity, Koadic Execution, Microsoft Office Spawning Script, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious Outlook Child Process, Elise Backdoor, Phorpiex DriveMgr Command, Suspicious PowerShell Invocations - Specific, DNS Exfiltration and Tunneling Tools Execution, Suspicious Windows Script Execution, PowerShell Downgrade Attack, MalwareBytes Uninstallation, Exploited CVE-2020-10189 Zoho ManageEngine, Bloodhound and Sharphound Tools Usage, Suspicious Cmd.exe Command Line, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, QakBot Process Creation, Suspicious Windows Script Execution, Koadic Execution, Microsoft Office Spawning Script, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Creating Suspicious File, Suspicious VBS Execution Parameter"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Empire Monkey Activity, PowerShell Execution Via Rundll32, Equation Group DLL_U Load, SquirrelWaffle Malspam Execution Loading DLL, Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Control Process, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Taskkill Command, CertOC Loading Dll, Empire Monkey Activity, Suspicious Windows Installer Execution, xWizard Execution, MavInject Process Injection, MOFComp Execution, Suspicious Mshta Execution, IcedID Execution Using Excel, AccCheckConsole Executing Dll, CMSTP UAC Bypass via COM Object Access, Equation Group DLL_U Load, Suspicious Rundll32.exe Execution, Suspicious Regsvr32 Execution, Explorer Process Executing HTA File, PowerShell Execution Via Rundll32, Suspicious DLL Loading By Ordinal, Mshta JavaScript Execution, CMSTP Execution, Control Panel Items"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, XCopy Suspicious Usage, Opening Of a Password File"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Windows Firewall Changes, Netsh Port Opening, Netsh RDP Port Forwarding, Netsh Allow Command, NetSh Used To Disable Windows Firewall, Netsh Program Allowed With Suspicious Location, Netsh Port Forwarding, Netsh Allowed Python Program, Netsh RDP Port Opening"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious PowerShell Invocations - Specific, DNS Exfiltration and Tunneling Tools Execution, PowerShell Downgrade Attack, PowerShell Download From URL, PowerShell Malicious Nishang PowerShell Commandlets, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious PrinterPorts Creation (CVE-2020-1048), Default Encoding To UTF-8 PowerShell, Suspicious Microsoft Defender Antivirus Exclusion Command, Bloodhound and Sharphound Tools Usage, Mshta Suspicious Child Process, Suspicious Taskkill Command, PowerShell EncodedCommand, Powershell Web Request, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious certutil command, Rclone Process, Suspicious Finger Usage, Suspicious Headless Web Browser Execution To Download File, Pandemic Windows Implant"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Exploit For CVE-2017-0261 Or CVE-2017-0262, Formbook Hijacked Process Command, RTLO Character, Explorer Wrong Parent, Suspicious Cmd.exe Command Line, Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Wmic Process Call Creation, WMIC Uninstall Product, Wmic Service Call, WMI Install Of Binary, Impacket Wmiexec Module, Blue Mockingbird Malware, Suspicious Mshta Execution From Wmi"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Koadic Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Explorer Wrong Parent, Formbook Hijacked Process Command, Exploit For CVE-2017-0261 Or CVE-2017-0262"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Csrss Child Found, New Service Creation, SolarWinds Wrong Child Process, Rare Logonui Child Found, Taskhost or Taskhostw Suspicious Child Found, Searchprotocolhost Child Found, Rare Lsass Child Found, Explorer Wrong Parent, Winword wrong parent, Suspicious Commands From MS SQL Server Shell"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Csrss Child Found, New Service Creation, SolarWinds Wrong Child Process, Rare Logonui Child Found, Taskhost or Taskhostw Suspicious Child Found, Searchprotocolhost Child Found, Rare Lsass Child Found, Explorer Wrong Parent, Winword wrong parent, Suspicious Commands From MS SQL Server Shell"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Schtasks Suspicious Parent, Qakbot Persistence Using Schtasks, STRRAT Scheduled Task, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Schtasks Suspicious Parent, Qakbot Persistence Using Schtasks, STRRAT Scheduled Task, BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Leviathan Registry Key Activity, Autorun Keys Modification"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass Using Fodhelper, UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass Using Fodhelper, UAC Bypass Via Sdclt"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Csrss Child Found, Usage Of Sysinternals Tools, PsExec Process, SolarWinds Wrong Child Process, Rare Logonui Child Found, Taskhost or Taskhostw Suspicious Child Found, Searchprotocolhost Child Found, Rare Lsass Child Found, Suspicious Commands From MS SQL Server Shell, Winword wrong parent, Usage Of Procdump With Common Arguments, Suspicious DNS Child Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Csrss Child Found, Usage Of Sysinternals Tools, SolarWinds Suspicious File Creation, PsExec Process, SolarWinds Wrong Child Process, Rare Logonui Child Found, Windows Update LolBins, Taskhost or Taskhostw Suspicious Child Found, Searchprotocolhost Child Found, Rare Lsass Child Found, Suspicious Commands From MS SQL Server Shell, Winword wrong parent, Usage Of Procdump With Common Arguments, Suspicious DNS Child Process"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious certutil command, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Mshta Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Disable Workstation Lock, Ursnif Registry Key, FlowCloud Malware, Disable .NET ETW Through COMPlus_ETWEnabled, RedMimicry Winnti Playbook Registry Manipulation, RDP Sensitive Settings Changed, OceanLotus Registry Activity, Blue Mockingbird Malware"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups, Suncrypt Parameters"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username, Suncrypt Parameters"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, Webshell Execution W3WP Process, Exchange Server Spawning Suspicious Processes, Exchange Server Creating Unusual Files, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: IIS Module Installation Using AppCmd, PowerCat Function Loading, Webshell Execution W3WP Process, Exchange Server Spawning Suspicious Processes, Exchange Server Creating Unusual Files, Webshell Creation"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Suspicious Taskkill Command, Explorer Process Executing HTA File, Suspicious Mshta Execution"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, Trickbot Malware Activity, NlTest Usage, Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write, Change Default File Association, Sticky Key Like Backdoor Usage, Suspicious Netsh DLL Persistence, New DLL Added To AppCertDlls Registry Key, Control Panel Items"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain In Command Line, Rclone Process"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, PowerShell EncodedCommand"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Suspicious HWP Child Process, Exploit For CVE-2015-1641"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Windows Credential Editor Registry Key"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious HWP Child Process, Suspicious Double Extension"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious DNS Child Process"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_9f89b634-0531-437b-b060-a9d9f2d270db_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_9f89b634-0531-437b-b060-a9d9f2d270db_do_not_edit_manually.json index d1efb3a289..c6f4e7fe65 100644 --- a/_shared_content/operations_center/detection/generated/attack_9f89b634-0531-437b-b060-a9d9f2d270db_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_9f89b634-0531-437b-b060-a9d9f2d270db_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Cybereason EDR", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Cybereason EDR Alert, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Bloodhound and Sharphound Tools Usage, Cybereason EDR Alert"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: SolarWinds Suspicious File Creation, Cybereason EDR Alert, PsExec Process"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Creating Unusual Files, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Creating Unusual Files, Webshell Creation"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Cybereason EDR", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Cybereason EDR Alert, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Cybereason EDR Alert, Microsoft Office Creating Suspicious File, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, Cybereason EDR Alert, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, WCE wceaux.dll Creation"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Creating Unusual Files, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Creating Unusual Files, Webshell Creation"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_a0dbb8f3-ca1c-4c6b-aafa-595bd430c0cb_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_a0dbb8f3-ca1c-4c6b-aafa-595bd430c0cb_do_not_edit_manually.json index f2128947bb..19aa0a208a 100644 --- a/_shared_content/operations_center/detection/generated/attack_a0dbb8f3-ca1c-4c6b-aafa-595bd430c0cb_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_a0dbb8f3-ca1c-4c6b-aafa-595bd430c0cb_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Squid", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, LokiBot Default C2 URL, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Koadic MSHTML Command, Nimbo-C2 User Agent, Cobalt Strike HTTP Default POST Beaconing, Detect requests to Konni C2 servers, TrevorC2 HTTP Communication, FoggyWeb HTTP Default GET/POST Requests, Cobalt Strike HTTP Default GET beaconing"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Download Files From Non-Legitimate TLDs, Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2018-11776 Apache Struts2, CVE-2020-14882 Oracle WebLogic Server, GitLab CVE-2021-22205, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-21985 VMware vCenter, CVE-2019-0604 SharePoint, CVE-2018-13379 Fortinet Exploit, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-26855 Exchange SSRF, CVE-2021-21972 VMware vCenter, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-17530 Apache Struts RCE, CVE-2019-11510 Pulse Secure Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-43798 Grafana Directory Traversal, CVE-2020-1147 SharePoint, CVE-2021-22123 Fortinet FortiWeb OS Command Injection"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: LokiBot Default C2 URL, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Koadic MSHTML Command, Nimbo-C2 User Agent, Cobalt Strike HTTP Default POST Beaconing, Detect requests to Konni C2 servers, TrevorC2 HTTP Communication, FoggyWeb HTTP Default GET/POST Requests, Cobalt Strike HTTP Default GET beaconing"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Squid", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Koadic MSHTML Command, LokiBot Default C2 URL, FoggyWeb HTTP Default GET/POST Requests, Nimbo-C2 User Agent, TrevorC2 HTTP Communication, Cobalt Strike HTTP Default GET beaconing, SEKOIA.IO Intelligence Feed, Cobalt Strike HTTP Default POST Beaconing, Detect requests to Konni C2 servers"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension, Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-26855 Exchange SSRF, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2018-13379 Fortinet Exploit, CVE-2021-21985 VMware vCenter, GitLab CVE-2021-22205, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2019-0604 SharePoint, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2019-11510 Pulse Secure Exploit, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2021-21972 VMware vCenter, CVE-2020-1147 SharePoint, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2018-11776 Apache Struts2, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Koadic MSHTML Command, LokiBot Default C2 URL, FoggyWeb HTTP Default GET/POST Requests, Nimbo-C2 User Agent, TrevorC2 HTTP Communication, Cobalt Strike HTTP Default GET beaconing, Cobalt Strike HTTP Default POST Beaconing, Detect requests to Konni C2 servers"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_a199fbde-508e-4cb9-ae37-842703494be0_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_a199fbde-508e-4cb9-ae37-842703494be0_do_not_edit_manually.json index d8d96d8ac0..1da576113b 100644 --- a/_shared_content/operations_center/detection/generated/attack_a199fbde-508e-4cb9-ae37-842703494be0_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_a199fbde-508e-4cb9-ae37-842703494be0_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x BIND", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Sliver DNS Beaconing"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing"}]} \ No newline at end of file +{"name": "SEKOIA.IO x BIND", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Sliver DNS Beaconing, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_a1dbed03-cd69-4a51-8ae5-aa67d2f29fcb_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_a1dbed03-cd69-4a51-8ae5-aa67d2f29fcb_do_not_edit_manually.json index 3c9d4cf433..50d7fa7ab5 100644 --- a/_shared_content/operations_center/detection/generated/attack_a1dbed03-cd69-4a51-8ae5-aa67d2f29fcb_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_a1dbed03-cd69-4a51-8ae5-aa67d2f29fcb_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Jumpcloud Directory Insights", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Double Extension"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Jumpcloud Policy Modified"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Jumpcloud Account Locked"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Jumpcloud Api Key Updated"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Jumpcloud Directory Insights", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Double Extension"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Jumpcloud Policy Modified"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Jumpcloud Account Locked"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Jumpcloud Api Key Updated"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_b2d961ae-0f7e-400b-879a-f97be24cc02d_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_b2d961ae-0f7e-400b-879a-f97be24cc02d_do_not_edit_manually.json index aefaa61cf5..a1d9a49b98 100644 --- a/_shared_content/operations_center/detection/generated/attack_b2d961ae-0f7e-400b-879a-f97be24cc02d_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_b2d961ae-0f7e-400b-879a-f97be24cc02d_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Trend Micro Cloud One / Deep Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies, System Info Discovery"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration, Add User to Privileged Group"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: High Privileges Network Share Removal, ETW Tampering, Erase Shell History, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows, Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious Taskkill Command, WMIC Uninstall Product, Bloodhound and Sharphound Tools Usage, PowerShell Download From URL, Suspicious VBS Execution Parameter, PowerShell EncodedCommand, Suspicious Microsoft Defender Antivirus Exclusion Command, Phorpiex DriveMgr Command, Powershell Web Request, Lazarus Loaders, MalwareBytes Uninstallation, Sysprep On AppData Folder, Elise Backdoor, Suspicious Windows Script Execution, Koadic Execution, XSL Script Processing And SquiblyTwo Attack, DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Invocations - Specific, PowerShell Downgrade Attack, Python Offensive Tools and Packages, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Office Creating Suspicious File, Default Encoding To UTF-8 PowerShell, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious PrinterPorts Creation (CVE-2020-1048)"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, Outlook Registry Access, Container Credential Access, XCopy Suspicious Usage"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration, Raccine Uninstall, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disable Using Registry, WMIC Uninstall Product, Debugging Software Deactivation, Netsh RDP Port Opening, Disabled IE Security Features, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh RDP Port Forwarding, Netsh Port Forwarding, MalwareBytes Uninstallation, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Fail2ban Unban IP, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Port Opening, Microsoft Defender Antivirus Signatures Removed With MpCmdRun"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration, Raccine Uninstall, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disable Using Registry, WMIC Uninstall Product, NetSh Used To Disable Windows Firewall, Debugging Software Deactivation, Windows Firewall Changes, Clear EventLogs Through CommandLine, ETW Tampering, Netsh RDP Port Opening, Netsh Allow Command, Disabled IE Security Features, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh RDP Port Forwarding, Netsh Port Forwarding, MalwareBytes Uninstallation, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Fail2ban Unban IP, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Port Opening, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Allowed Python Program"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Cron Files Alteration, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line, Cmdkey Cached Credentials Recon, Process Memory Dump Using Comsvcs, Process Memory Dump Using Rdrleakdiag, Rubeus Tool Command-line, Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials, Process Trace Alteration, Copying Sensitive Files With Credential Data, HackTools Suspicious Process Names In Command Line"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution, Koadic MSHTML Command, Detect requests to Konni C2 servers, Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Double Extension, Possible Malicious File Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs, Explorer Process Executing HTA File"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs, Explorer Process Executing HTA File"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Detect requests to Konni C2 servers, Exfiltration And Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Non-Legitimate Executable Using AcceptEula Parameter, Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command, Rclone Process, Suspicious Finger Usage, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Creating Unusual Files, PowerCat Function Loading, ProxyShell Exchange Suspicious Paths, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, ProxyShell Exchange Suspicious Paths, IIS Module Installation Using AppCmd, Exchange Server Creating Unusual Files, PowerCat Function Loading"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, XCopy Suspicious Usage, Adexplorer Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious PowerShell Invocations - Specific, PowerShell Downgrade Attack, Suspicious Taskkill Command, PowerShell EncodedCommand, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Powershell Web Request, Bloodhound and Sharphound Tools Usage, PowerShell Download From URL, Default Encoding To UTF-8 PowerShell, PowerShell Malicious Nishang PowerShell Commandlets, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Phorpiex DriveMgr Command, Koadic Execution, WMIC Uninstall Product, Lazarus Loaders, MalwareBytes Uninstallation, Elise Backdoor"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh RDP Port Opening, Netsh Allow Command, Netsh Port Opening, Netsh RDP Port Forwarding, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Windows Firewall Changes, Netsh Allowed Python Program"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Wmic Service Call, Wmic Process Call Creation, WMIC Uninstall Product, XSL Script Processing And SquiblyTwo Attack, Blue Mockingbird Malware"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, Microsoft Office Creating Suspicious File, Koadic Execution, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Koadic Execution, Suspicious Windows Script Execution"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Blue Mockingbird Malware"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, SolarWinds Suspicious File Creation, PsExec Process"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious certutil command, Suspicious Mshta Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Inhibit System Recovery Deleting Backups, Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32, Equation Group DLL_U Load, Empire Monkey Activity, Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Control Process, CertOC Loading Dll, Suspicious Taskkill Command, Suspicious Windows Installer Execution, Mshta JavaScript Execution, PowerShell Execution Via Rundll32, Suspicious Rundll32.exe Execution, AccCheckConsole Executing Dll, Control Panel Items, Empire Monkey Activity, Suspicious Mshta Execution, Suspicious DLL Loading By Ordinal, MavInject Process Injection, xWizard Execution, CMSTP Execution, Equation Group DLL_U Load, Explorer Process Executing HTA File"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Suspicious Mshta Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage, NlTest Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Ngrok Process Execution, Exfiltration And Tunneling Tools Execution, SOCKS Tunneling Tool, Netsh Port Forwarding"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write, New DLL Added To AppCertDlls Registry Key, Control Panel Items, Suspicious Netsh DLL Persistence, Change Default File Association"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, OneNote Embedded File"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Trend Micro Cloud One / Deep Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, System Info Discovery, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration, Add User to Privileged Group"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, High Privileges Network Share Removal, Erase Shell History, ETW Tampering, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, WiFi Credentials Harvesting Using Netsh, Capture a network trace with netsh.exe, Network Sniffing Windows"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: WMIC Uninstall Product, Microsoft Office Creating Suspicious File, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious VBS Execution Parameter, Suspicious Taskkill Command, Powershell Web Request, PowerShell Download From URL, PowerShell Malicious Nishang PowerShell Commandlets, Default Encoding To UTF-8 PowerShell, Lazarus Loaders, PowerShell EncodedCommand, Microsoft Defender Antivirus Disabled Base64 Encoded, XSL Script Processing And SquiblyTwo Attack, Sysprep On AppData Folder, Koadic Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), Elise Backdoor, Phorpiex DriveMgr Command, Suspicious PowerShell Invocations - Specific, Python Offensive Tools and Packages, DNS Exfiltration and Tunneling Tools Execution, Suspicious Windows Script Execution, PowerShell Downgrade Attack, MalwareBytes Uninstallation, Bloodhound and Sharphound Tools Usage, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Adexplorer Usage, Container Credential Access, Outlook Registry Access, Opening Of a Password File"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Using Registry, WMIC Uninstall Product, Address Space Layout Randomization (ASLR) Alteration, Suspicious Microsoft Defender Antivirus Exclusion Command, Debugging Software Deactivation, Fail2ban Unban IP, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh RDP Port Forwarding, Disabled IE Security Features, Netsh Port Forwarding, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh Port Opening, Microsoft Defender Antivirus Disable Scheduled Tasks, MalwareBytes Uninstallation, Microsoft Defender Antivirus Restoration Abuse, Package Manager Alteration, Raccine Uninstall, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Disable Using Registry, WMIC Uninstall Product, Netsh Allow Command, Address Space Layout Randomization (ASLR) Alteration, Suspicious Microsoft Defender Antivirus Exclusion Command, Debugging Software Deactivation, Windows Firewall Changes, Fail2ban Unban IP, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh RDP Port Forwarding, ETW Tampering, Disabled IE Security Features, Netsh Port Forwarding, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh Port Opening, Microsoft Defender Antivirus Disable Scheduled Tasks, MalwareBytes Uninstallation, Microsoft Defender Antivirus Restoration Abuse, NetSh Used To Disable Windows Firewall, Package Manager Alteration, Netsh Allowed Python Program, Raccine Uninstall, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Comsvcs, WCE wceaux.dll Creation, NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data, Rubeus Tool Command-line, Process Memory Dump Using Rdrleakdiag, HackTools Suspicious Process Names In Command Line, Process Trace Alteration, Cmdkey Cached Credentials Recon, Copying Browser Files With Credentials, NTDS.dit File In Suspicious Directory, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution, Koadic MSHTML Command, SEKOIA.IO Intelligence Feed, Detect requests to Konni C2 servers"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Suspicious Double Extension"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, Net.exe User Account Creation"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Exfiltration And Tunneling Tools Execution, Python HTTP Server, Detect requests to Konni C2 servers"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character, Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious certutil command, Rclone Process, Suspicious URI Used In A Lazarus Campaign, Suspicious Finger Usage, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, Exchange Server Creating Unusual Files, ProxyShell Exchange Suspicious Paths, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: IIS Module Installation Using AppCmd, PowerCat Function Loading, ProxyShell Exchange Suspicious Paths, Exchange Server Creating Unusual Files, Webshell Creation"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, XCopy Suspicious Usage, Opening Of a Password File"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious PowerShell Invocations - Specific, DNS Exfiltration and Tunneling Tools Execution, PowerShell Downgrade Attack, PowerShell Download From URL, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious PrinterPorts Creation (CVE-2020-1048), Default Encoding To UTF-8 PowerShell, Suspicious Microsoft Defender Antivirus Exclusion Command, Bloodhound and Sharphound Tools Usage, Suspicious Taskkill Command, PowerShell EncodedCommand, Powershell Web Request, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, WMIC Uninstall Product, Koadic Execution, MalwareBytes Uninstallation, Elise Backdoor, Suspicious Taskkill Command, Lazarus Loaders"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Windows Firewall Changes, Netsh Port Opening, Netsh RDP Port Forwarding, Netsh Allow Command, NetSh Used To Disable Windows Firewall, Netsh Port Forwarding, Netsh Allowed Python Program, Netsh RDP Port Opening"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Wmic Process Call Creation, WMIC Uninstall Product, Wmic Service Call, WMI Install Of Binary, Blue Mockingbird Malware"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Koadic Execution, Microsoft Office Creating Suspicious File, Suspicious VBS Execution Parameter"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Koadic Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, SolarWinds Suspicious File Creation, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious certutil command, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Mshta Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups, Suncrypt Parameters"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Empire Monkey Activity, PowerShell Execution Via Rundll32, Equation Group DLL_U Load, Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Control Process, Empire Monkey Activity, Explorer Process Executing HTA File, PowerShell Execution Via Rundll32, AccCheckConsole Executing Dll, Suspicious Windows Installer Execution, Mshta JavaScript Execution, Equation Group DLL_U Load, Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution, xWizard Execution, MavInject Process Injection, Suspicious Taskkill Command, CertOC Loading Dll, CMSTP Execution, Suspicious Mshta Execution, Control Panel Items"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Suspicious Taskkill Command, Explorer Process Executing HTA File, Suspicious Mshta Execution"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, NlTest Usage, AdFind Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution, Ngrok Process Execution"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write, Change Default File Association, Suspicious Netsh DLL Persistence, New DLL Added To AppCertDlls Registry Key, Control Panel Items"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain In Command Line, Rclone Process"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, PowerShell EncodedCommand"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_ba40ab72-1456-11ee-be56-0242ac120002_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_ba40ab72-1456-11ee-be56-0242ac120002_do_not_edit_manually.json index 264a8f1cbf..11906b6d78 100644 --- a/_shared_content/operations_center/detection/generated/attack_ba40ab72-1456-11ee-be56-0242ac120002_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_ba40ab72-1456-11ee-be56-0242ac120002_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Trellix EPO [ALPHA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Double Extension"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Trellix EPO [ALPHA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Double Extension"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_bae128bb-98c6-45f7-9763-aad3451821e5_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_bae128bb-98c6-45f7-9763-aad3451821e5_do_not_edit_manually.json index dfa0a06d9a..868ef94306 100644 --- a/_shared_content/operations_center/detection/generated/attack_bae128bb-98c6-45f7-9763-aad3451821e5_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_bae128bb-98c6-45f7-9763-aad3451821e5_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Trellix Network Security [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Koadic MSHTML Command, Nimbo-C2 User Agent, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-21985 VMware vCenter, CVE-2018-11776 Apache Struts2, CVE-2019-0604 SharePoint, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-26855 Exchange SSRF, CVE-2020-1147 SharePoint, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-21972 VMware vCenter, CVE-2020-17530 Apache Struts RCE"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Koadic MSHTML Command, Nimbo-C2 User Agent, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, Webshell Creation"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Trellix Network Security [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, Nimbo-C2 User Agent, SEKOIA.IO Intelligence Feed, Detect requests to Konni C2 servers"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-26855 Exchange SSRF, CVE-2019-0604 SharePoint, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-17530 Apache Struts RCE, CVE-2021-21972 VMware vCenter, CVE-2020-1147 SharePoint, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2018-11776 Apache Struts2, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-21985 VMware vCenter"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, Nimbo-C2 User Agent, Detect requests to Konni C2 servers"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, Webshell Creation"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, WCE wceaux.dll Creation"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_bba2bed2-d925-440f-a0ce-dbcae04eaf26_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_bba2bed2-d925-440f-a0ce-dbcae04eaf26_do_not_edit_manually.json index 899800558f..dc543bd8d2 100644 --- a/_shared_content/operations_center/detection/generated/attack_bba2bed2-d925-440f-a0ce-dbcae04eaf26_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_bba2bed2-d925-440f-a0ce-dbcae04eaf26_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Gatewatcher AionIQ", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Bazar Loader DGA (Domain Generation Algorithm), Sliver DNS Beaconing"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), Sliver DNS Beaconing"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Gatewatcher AionIQ", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Sliver DNS Beaconing, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Bazar Loader DGA (Domain Generation Algorithm), SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_bd9d0f51-114e-499a-bb7a-4f2d0a518b04_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_bd9d0f51-114e-499a-bb7a-4f2d0a518b04_do_not_edit_manually.json index 4766f2a394..af7936bdbc 100644 --- a/_shared_content/operations_center/detection/generated/attack_bd9d0f51-114e-499a-bb7a-4f2d0a518b04_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_bd9d0f51-114e-499a-bb7a-4f2d0a518b04_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Cloudflare DNS logs", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Sliver DNS Beaconing"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Cloudflare DNS logs", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Sliver DNS Beaconing, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_c10307ea-5dd1-45c6-85aa-2a6a900df99b_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_c10307ea-5dd1-45c6-85aa-2a6a900df99b_do_not_edit_manually.json index 00594530ec..a4ec26f414 100644 --- a/_shared_content/operations_center/detection/generated/attack_c10307ea-5dd1-45c6-85aa-2a6a900df99b_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_c10307ea-5dd1-45c6-85aa-2a6a900df99b_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Elastic Winlogbeat", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration, Kernel Module Alteration, Leviathan Registry Key Activity, Autorun Keys Modification, NjRat Registry Changes, Powershell Winlogon Helper DLL, RUN Registry Key Created From Suspicious Folder, Suspicious desktop.ini Action"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies, System Info Discovery"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration, SeEnableDelagationPrivilege Granted To User Or Machine In Active Directory, Add User to Privileged Group, Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: High Privileges Network Share Removal, ETW Tampering, Erase Shell History, Microsoft Defender Antivirus History Deleted, Microsoft Defender Antivirus History Directory Deleted, Microsoft Defender Antivirus Tampering Detected, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows, Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: PowerShell - NTFS Alternate Data Stream, Suspicious Taskkill Command, WMIC Uninstall Product, Bloodhound and Sharphound Tools Usage, PowerShell Download From URL, Suspicious PowerShell Keywords, QakBot Process Creation, Suspicious Outlook Child Process, SquirrelWaffle Malspam Execution Loading DLL, Trickbot Malware Activity, Exploiting SetupComplete.cmd CVE-2019-1378, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, Suspicious VBS Execution Parameter, PowerShell EncodedCommand, Suspicious Microsoft Defender Antivirus Exclusion Command, Phorpiex DriveMgr Command, Powershell Web Request, FromBase64String Command Line, Lazarus Loaders, MalwareBytes Uninstallation, Mshta Suspicious Child Process, Sysprep On AppData Folder, Elise Backdoor, Suspicious XOR Encoded PowerShell Command Line, PowerShell Credential Prompt, PowerShell Malicious PowerShell Commandlets, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious Windows Script Execution, Koadic Execution, AutoIt3 Execution From Suspicious Folder, XSL Script Processing And SquiblyTwo Attack, Microsoft Defender Antivirus Threat Detected, Suspicious Cmd.exe Command Line, Invoke-TheHash Commandlets, DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Invocations - Generic, Malicious PowerShell Keywords, Suspicious PowerShell Invocations - Specific, PowerShell Downgrade Attack, Python Offensive Tools and Packages, PowerShell Invoke Expression With Registry, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Office Creating Suspicious File, Microsoft Office Spawning Script, Default Encoding To UTF-8 PowerShell, PowerShell Malicious Nishang PowerShell Commandlets, WMImplant Hack Tool, Suspicious PrinterPorts Creation (CVE-2020-1048)"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, Outlook Registry Access, Container Credential Access, XCopy Suspicious Usage"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Exploiting SetupComplete.cmd CVE-2019-1378, Hijack Legit RDP Session To Move Laterally, DHCP Server Error Failed Loading the CallOut DLL, DHCP Server Loaded the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration, Raccine Uninstall, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Disable SecurityHealth, WMIC Uninstall Product, Windows Defender Deactivation Using PowerShell Script, Debugging Software Deactivation, Netsh RDP Port Opening, Disabled IE Security Features, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh RDP Port Forwarding, Netsh Port Forwarding, MalwareBytes Uninstallation, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disable Scheduled Tasks, Suspicious Driver Loaded, Netsh Program Allowed With Suspicious Location, Microsoft Defender Antivirus Disable Services, TrustedInstaller Impersonation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Fail2ban Unban IP, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Port Opening, Microsoft Defender Antivirus Signatures Removed With MpCmdRun"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration, Raccine Uninstall, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Disable SecurityHealth, Disable .NET ETW Through COMPlus_ETWEnabled, WMIC Uninstall Product, Windows Defender Deactivation Using PowerShell Script, NetSh Used To Disable Windows Firewall, Debugging Software Deactivation, Windows Firewall Changes, Clear EventLogs Through CommandLine, ETW Tampering, Netsh RDP Port Opening, Netsh Allow Command, Disabled IE Security Features, Suspicious Microsoft Defender Antivirus Exclusion Command, Powershell AMSI Bypass, Netsh RDP Port Forwarding, Netsh Port Forwarding, MalwareBytes Uninstallation, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disable Scheduled Tasks, Suspicious Driver Loaded, Netsh Program Allowed With Suspicious Location, Microsoft Defender Antivirus Disable Services, Microsoft Defender Antivirus Tampering Detected, TrustedInstaller Impersonation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Fail2ban Unban IP, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Port Opening, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Allowed Python Program"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Explorer Wrong Parent, Spoolsv Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, Searchindexer Wrong Parent, Taskhost Wrong Parent, Svchost Wrong Parent, Smss Wrong Parent, Taskhostw Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Searchprotocolhost Wrong Parent, MavInject Process Injection, Wsmprovhost Wrong Parent, Wmiprvse Wrong Parent"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 1, Network Scanning and Discovery, PowerView commandlets 2"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Chafer (APT 39) Activity, STRRAT Scheduled Task, Schtasks Suspicious Parent, Schtasks Persistence With High Privileges, Cron Files Alteration, Suspicious Scheduled Task Creation, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line, Cmdkey Cached Credentials Recon, Process Memory Dump Using Comsvcs, Process Memory Dump Using Rdrleakdiag, Rubeus Tool Command-line, Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials, Windows Credential Editor Registry Key, Process Trace Alteration, Process Memory Dump Using Createdump, HackTools Suspicious Names, Copying Sensitive Files With Credential Data, HackTools Suspicious Process Names In Command Line"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, DNS Tunnel Technique From MuddyWater, Exfiltration And Tunneling Tools Execution, Chafer (APT 39) Activity, Suspicious Windows DNS Queries, Sliver DNS Beaconing, Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Outlook Child Process, SEKOIA.IO Intelligence Feed, Suspicious Double Extension, Suspicious HWP Child Process"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel, Ngrok Process Execution, Exfiltration And Tunneling Tools Execution, SOCKS Tunneling Tool, Netsh Port Forwarding"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, Chafer (APT 39) Activity, Sliver DNS Beaconing, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Exploit For CVE-2015-1641, MS Office Product Spawning Exe in User Dir, Winword Document Droppers, Microsoft Office Product Spawning Windows Shell, Microsoft Office Creating Suspicious File, Microsoft Office Spawning Script, SquirrelWaffle Malspam Execution Loading DLL, Sysmon Windows File Block Executable, Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Exploit For CVE-2015-1641, MS Office Product Spawning Exe in User Dir, Winword Document Droppers, Microsoft Office Product Spawning Windows Shell, Microsoft Office Creating Suspicious File, Microsoft Office Spawning Script, Microsoft Defender Antivirus Threat Detected, Suspicious Outlook Child Process, SquirrelWaffle Malspam Execution Loading DLL, Sysmon Windows File Block Executable, Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack, Rubeus Register New Logon Process, Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Successful Overpass The Hash Attempt, Rubeus Tool Command-line"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious Taskkill Command, Exploited CVE-2020-10189 Zoho ManageEngine, Phorpiex DriveMgr Command, Koadic Execution, Suspicious Cmd.exe Command Line, WMIC Uninstall Product, Lazarus Loaders, MalwareBytes Uninstallation, SquirrelWaffle Malspam Execution Loading DLL, Elise Backdoor"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, Microsoft Office Creating Suspicious File, Microsoft Office Spawning Script, Suspicious Windows Script Execution, Koadic Execution, XSL Script Processing And SquiblyTwo Attack, QakBot Process Creation, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: IcedID Execution Using Excel, PowerShell Execution Via Rundll32, Equation Group DLL_U Load, Empire Monkey Activity, Suspicious DLL Loading By Ordinal, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Suspicious Windows Installer Execution, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Regsvr32 Execution, PowerShell Execution Via Rundll32, Control Panel Items, MavInject Process Injection, Mshta JavaScript Execution, MOFComp Execution, xWizard Execution, AccCheckConsole Executing Dll, Empire Monkey Activity, Suspicious DLL Loading By Ordinal, CMSTP UAC Bypass via COM Object Access, CMSTP Execution, Suspicious Rundll32.exe Execution, Explorer Process Executing HTA File, IcedID Execution Using Excel, Suspicious Control Process, CertOC Loading Dll, Suspicious Mshta Execution, Equation Group DLL_U Load"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, XCopy Suspicious Usage, Adexplorer Usage"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh RDP Port Opening, Netsh Allow Command, Powershell AMSI Bypass, Netsh Program Allowed With Suspicious Location, Netsh Port Opening, Netsh RDP Port Forwarding, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Windows Firewall Changes, Netsh Allowed Python Program"}, {"techniqueID": "T1210", "score": 100, "comment": "Rules: CVE-2019-0708 Scan"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Winlogon wrong parent, Dllhost Wrong Parent, Csrss Wrong Parent, Winword wrong parent, Rare Lsass Child Found, Csrss Child Found, Searchprotocolhost Child Found, Explorer Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Taskhost Wrong Parent, Rare Logonui Child Found, Wsmprovhost Wrong Parent, Lsass Wrong Parent, Logonui Wrong Parent, Chafer (APT 39) Activity, SolarWinds Wrong Child Process, Searchindexer Wrong Parent, Userinit Wrong Parent, New Service Creation, Wininit Wrong Parent, Taskhostw Wrong Parent, Wmiprvse Wrong Parent, Spoolsv Wrong Parent, Winrshost Wrong Parent, Svchost Wrong Parent, Smss Wrong Parent, Suspicious Commands From MS SQL Server Shell, Searchprotocolhost Wrong Parent, OneNote Suspicious Children Process"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Winlogon wrong parent, Dllhost Wrong Parent, Csrss Wrong Parent, Winword wrong parent, Rare Lsass Child Found, Csrss Child Found, Searchprotocolhost Child Found, Explorer Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Taskhost Wrong Parent, Rare Logonui Child Found, Wsmprovhost Wrong Parent, Lsass Wrong Parent, Logonui Wrong Parent, Chafer (APT 39) Activity, SolarWinds Wrong Child Process, Searchindexer Wrong Parent, Userinit Wrong Parent, New Service Creation, Wininit Wrong Parent, Taskhostw Wrong Parent, Wmiprvse Wrong Parent, Spoolsv Wrong Parent, Winrshost Wrong Parent, Svchost Wrong Parent, Smss Wrong Parent, Suspicious Commands From MS SQL Server Shell, Searchprotocolhost Wrong Parent, OneNote Suspicious Children Process"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Winlogon wrong parent, Dllhost Wrong Parent, Csrss Wrong Parent, Winword wrong parent, Rare Lsass Child Found, Csrss Child Found, Searchprotocolhost Child Found, Usage Of Sysinternals Tools, Taskhost or Taskhostw Suspicious Child Found, Taskhost Wrong Parent, Rare Logonui Child Found, Wsmprovhost Wrong Parent, Lsass Wrong Parent, Logonui Wrong Parent, SolarWinds Wrong Child Process, Suspicious DNS Child Process, Searchindexer Wrong Parent, Userinit Wrong Parent, Wininit Wrong Parent, Taskhostw Wrong Parent, PsExec Process, Wmiprvse Wrong Parent, Usage Of Procdump With Common Arguments, Spoolsv Wrong Parent, Winrshost Wrong Parent, Svchost Wrong Parent, Smss Wrong Parent, Suspicious Commands From MS SQL Server Shell, Searchprotocolhost Wrong Parent, OneNote Suspicious Children Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Winlogon wrong parent, Dllhost Wrong Parent, Csrss Wrong Parent, Winword wrong parent, Rare Lsass Child Found, Csrss Child Found, Searchprotocolhost Child Found, Windows Update LolBins, Usage Of Sysinternals Tools, Taskhost or Taskhostw Suspicious Child Found, Taskhost Wrong Parent, Rare Logonui Child Found, Wsmprovhost Wrong Parent, Lsass Wrong Parent, Logonui Wrong Parent, SolarWinds Wrong Child Process, Suspicious DNS Child Process, Searchindexer Wrong Parent, Userinit Wrong Parent, Wininit Wrong Parent, Taskhostw Wrong Parent, Microsoft Defender Antivirus Threat Detected, SolarWinds Suspicious File Creation, PsExec Process, Wmiprvse Wrong Parent, Usage Of Procdump With Common Arguments, Spoolsv Wrong Parent, Winrshost Wrong Parent, Svchost Wrong Parent, Smss Wrong Parent, Suspicious Commands From MS SQL Server Shell, Searchprotocolhost Wrong Parent, OneNote Suspicious Children Process"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell - NTFS Alternate Data Stream, Suspicious Taskkill Command, Bloodhound and Sharphound Tools Usage, PowerShell Download From URL, Suspicious PowerShell Keywords, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, PowerShell EncodedCommand, Suspicious Microsoft Defender Antivirus Exclusion Command, Powershell Web Request, FromBase64String Command Line, Mshta Suspicious Child Process, Suspicious XOR Encoded PowerShell Command Line, PowerShell Credential Prompt, PowerShell Malicious PowerShell Commandlets, Exploited CVE-2020-10189 Zoho ManageEngine, Invoke-TheHash Commandlets, DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Invocations - Generic, Malicious PowerShell Keywords, Suspicious PowerShell Invocations - Specific, PowerShell Downgrade Attack, PowerShell Invoke Expression With Registry, Microsoft Defender Antivirus Disabled Base64 Encoded, Default Encoding To UTF-8 PowerShell, PowerShell Malicious Nishang PowerShell Commandlets, WMImplant Hack Tool, Suspicious PrinterPorts Creation (CVE-2020-1048)"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command, Rclone Process, Suspicious Finger Usage, Pandemic Windows Implant"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: PowerShell - NTFS Alternate Data Stream, Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Exploit For CVE-2017-0261 Or CVE-2017-0262, Explorer Wrong Parent, Formbook Hijacked Process Command, RTLO Character, Phorpiex Process Masquerading, AutoIt3 Execution From Suspicious Folder, Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line, Copy Of Legitimate System32 Executable, Non-Legitimate Executable Using AcceptEula Parameter"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Wmic Service Call, Wmic Process Call Creation, Impacket Wmiexec Module, WMIC Uninstall Product, XSL Script Processing And SquiblyTwo Attack, Suspicious Mshta Execution From Wmi, WMImplant Hack Tool, Invoke-TheHash Commandlets, Blue Mockingbird Malware"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Exploit For CVE-2015-1641, Antivirus Relevant File Paths Alerts, Suspicious HWP Child Process, Msdt (Follina) File Browse Process Execution"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Antivirus Relevant File Paths Alerts, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Server Error Failed Loading the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Loaded the CallOut DLL"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Koadic Execution, Suspicious Windows Script Execution"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Tampering - Suspicious Failed Logon Reasons, Account Removed From A Security Enabled Group, Admin User RDP Remote Logon, Failed Logon Source From Public IP Addresses"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Exploit For CVE-2017-0261 Or CVE-2017-0262, Explorer Wrong Parent, Formbook Hijacked Process Command"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Chafer (APT 39) Activity, STRRAT Scheduled Task, Schtasks Suspicious Parent, Schtasks Persistence With High Privileges, Suspicious Scheduled Task Creation, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: RDP Login From Localhost, MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: RUN Registry Key Created From Suspicious Folder, Leviathan Registry Key Activity, Autorun Keys Modification"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Successful Overpass The Hash Attempt"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Blue Mockingbird Malware"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious certutil command, FromBase64String Command Line, Suspicious Mshta Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious XOR Encoded PowerShell Command Line"}, {"techniqueID": "T1087.003", "score": 100, "comment": "Rules: Phosphorus (APT35) Exchange Discovery"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: PowerView commandlets 1, Bloodhound and Sharphound Tools Usage, Phosphorus (APT35) Exchange Discovery, PowerView commandlets 2"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Ursnif Registry Key, RedMimicry Winnti Playbook Registry Manipulation, FlowCloud Malware, Chafer (APT 39) Activity, Disable Workstation Lock, Disable .NET ETW Through COMPlus_ETWEnabled, OceanLotus Registry Activity, Blue Mockingbird Malware, RDP Sensitive Settings Changed"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Inhibit System Recovery Deleting Backups, Suncrypt Parameters, Stop Backup Services, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username, Suncrypt Parameters"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, Exchange Server Spawning Suspicious Processes, Webshell Execution W3WP Process, Exchange Server Creating Unusual Files, PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, Exchange Server Spawning Suspicious Processes, Webshell Execution W3WP Process, IIS Module Installation Using AppCmd, Exchange Server Creating Unusual Files, PowerCat Function Loading"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: PowerShell Data Compressed, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Backup Catalog Deleted, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Suspicious Mshta Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Trickbot Malware Activity, PowerView commandlets 1, NlTest Usage, Phosphorus Domain Controller Discovery, AdFind Usage, Bloodhound and Sharphound Tools Usage, Domain Trust Discovery Through LDAP, PowerView commandlets 2"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Suspicious Windows DNS Queries, Exfiltration And Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1564.004", "score": 100, "comment": "Rules: PowerShell - NTFS Alternate Data Stream"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write, New DLL Added To AppCertDlls Registry Key, Control Panel Items, Suspicious Netsh DLL Persistence, Sticky Key Like Backdoor Usage, Change Default File Association"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1078.001", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.002", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.003", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, OneNote Embedded File, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, Suspicious XOR Encoded PowerShell Command Line"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 1, PowerView commandlets 2"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 1, Network Share Discovery, PowerView commandlets 2"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Windows Credential Editor Registry Key, Process Memory Dump Using Createdump"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious HWP Child Process"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Suspicious DNS Child Process, Exploited CVE-2020-10189 Zoho ManageEngine, Failed Logon Source From Public IP Addresses, CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv"}, {"techniqueID": "T1021.001", "score": 100, "comment": "Rules: RDP Login From Localhost"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1, Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: Failed Logon Source From Public IP Addresses"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Elastic Winlogbeat", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration, Autorun Keys Modification, Suspicious desktop.ini Action, Powershell Winlogon Helper DLL, Leviathan Registry Key Activity, RUN Registry Key Created From Suspicious Folder, NjRat Registry Changes, Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, System Info Discovery, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration, SeEnableDelagationPrivilege Granted To User Or Machine In Active Directory, Password Change On Directory Service Restore Mode (DSRM) Account, Add User to Privileged Group"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, High Privileges Network Share Removal, Microsoft Defender Antivirus Tampering Detected, Erase Shell History, ETW Tampering, Microsoft Defender Antivirus History Directory Deleted, Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, WiFi Credentials Harvesting Using Netsh, Capture a network trace with netsh.exe, Network Sniffing Windows"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: PowerShell - NTFS Alternate Data Stream, WMIC Uninstall Product, SquirrelWaffle Malspam Execution Loading DLL, PowerShell Credential Prompt, Suspicious PowerShell Keywords, Microsoft Office Creating Suspicious File, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious VBS Execution Parameter, Suspicious Taskkill Command, Powershell Web Request, Exploiting SetupComplete.cmd CVE-2019-1378, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, QakBot Process Creation, AutoIt3 Execution From Suspicious Folder, WMImplant Hack Tool, FromBase64String Command Line, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell Download From URL, Microsoft Defender Antivirus Threat Detected, Default Encoding To UTF-8 PowerShell, Mshta Suspicious Child Process, Lazarus Loaders, PowerShell EncodedCommand, Microsoft Defender Antivirus Disabled Base64 Encoded, XSL Script Processing And SquiblyTwo Attack, Suspicious XOR Encoded PowerShell Command Line, Sysprep On AppData Folder, Trickbot Malware Activity, Koadic Execution, Microsoft Office Spawning Script, Suspicious PrinterPorts Creation (CVE-2020-1048), PowerShell Malicious PowerShell Commandlets, Invoke-TheHash Commandlets, Suspicious Outlook Child Process, Elise Backdoor, Phorpiex DriveMgr Command, Suspicious PowerShell Invocations - Specific, Python Offensive Tools and Packages, DNS Exfiltration and Tunneling Tools Execution, Suspicious Windows Script Execution, PowerShell Downgrade Attack, Malicious PowerShell Keywords, Suspicious PowerShell Invocations - Generic, MalwareBytes Uninstallation, Exploited CVE-2020-10189 Zoho ManageEngine, Bloodhound and Sharphound Tools Usage, Suspicious Cmd.exe Command Line, PowerShell Invoke Expression With Registry, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Adexplorer Usage, Container Credential Access, Outlook Registry Access, Opening Of a Password File"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Dynamic Linker Hijacking From Environment Variable, DHCP Server Error Failed Loading the CallOut DLL, Hijack Legit RDP Session To Move Laterally, DHCP Server Loaded the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Using Registry, WMIC Uninstall Product, Address Space Layout Randomization (ASLR) Alteration, Suspicious Driver Loaded, Suspicious Microsoft Defender Antivirus Exclusion Command, TrustedInstaller Impersonation, Debugging Software Deactivation, Fail2ban Unban IP, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh RDP Port Forwarding, Disabled IE Security Features, Netsh Port Forwarding, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable SecurityHealth, Microsoft Defender Antivirus Disable Services, Netsh Port Opening, Microsoft Defender Antivirus Disable Scheduled Tasks, MalwareBytes Uninstallation, Microsoft Defender Antivirus Restoration Abuse, Windows Defender Deactivation Using PowerShell Script, Package Manager Alteration, Netsh Program Allowed With Suspicious Location, Raccine Uninstall, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Disable Using Registry, WMIC Uninstall Product, Netsh Allow Command, Address Space Layout Randomization (ASLR) Alteration, Suspicious Driver Loaded, Suspicious Microsoft Defender Antivirus Exclusion Command, TrustedInstaller Impersonation, Debugging Software Deactivation, Windows Firewall Changes, Fail2ban Unban IP, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Disable .NET ETW Through COMPlus_ETWEnabled, Netsh RDP Port Forwarding, Powershell AMSI Bypass, ETW Tampering, Disabled IE Security Features, Netsh Port Forwarding, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Tampering Detected, Microsoft Defender Antivirus Disable SecurityHealth, Microsoft Defender Antivirus Disable Services, Netsh Port Opening, Microsoft Defender Antivirus Disable Scheduled Tasks, MalwareBytes Uninstallation, Microsoft Defender Antivirus Restoration Abuse, Windows Defender Deactivation Using PowerShell Script, Package Manager Alteration, NetSh Used To Disable Windows Firewall, Netsh Program Allowed With Suspicious Location, Netsh Allowed Python Program, Raccine Uninstall, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Wmiprvse Wrong Parent, Smss Wrong Parent, Taskhost Wrong Parent, MavInject Process Injection, Searchindexer Wrong Parent, Taskhostw Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Svchost Wrong Parent, Explorer Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, Spoolsv Wrong Parent, Searchprotocolhost Wrong Parent, Wsmprovhost Wrong Parent"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 1, Network Scanning and Discovery, PowerView commandlets 2"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration, Schtasks Persistence With High Privileges, Suspicious Scheduled Task Creation, Chafer (APT 39) Activity, Schtasks Suspicious Parent, STRRAT Scheduled Task, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Names, Process Memory Dump Using Comsvcs, WCE wceaux.dll Creation, NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data, Rubeus Tool Command-line, Process Memory Dump Using Rdrleakdiag, HackTools Suspicious Process Names In Command Line, Process Trace Alteration, Windows Credential Editor Registry Key, Cmdkey Cached Credentials Recon, Copying Browser Files With Credentials, NTDS.dit File In Suspicious Directory, Grabbing Sensitive Hives Via Reg Utility, Process Memory Dump Using Createdump"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Sliver DNS Beaconing, Exfiltration And Tunneling Tools Execution, Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater, Chafer (APT 39) Activity, Suspicious Windows DNS Queries, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious HWP Child Process, SEKOIA.IO Intelligence Feed, Suspicious Outlook Child Process, Suspicious Double Extension"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Ngrok Process Execution, SOCKS Tunneling Tool, Netsh Port Forwarding, Potential DNS Tunnel"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing, DNS Tunnel Technique From MuddyWater, DNS Exfiltration and Tunneling Tools Execution, Chafer (APT 39) Activity"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Sysmon Windows File Block Executable, IcedID Execution Using Excel, Explorer Process Executing HTA File, Microsoft Office Product Spawning Windows Shell, Microsoft Office Spawning Script, Exploit For CVE-2015-1641, Winword Document Droppers, MS Office Product Spawning Exe in User Dir, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Sysmon Windows File Block Executable, IcedID Execution Using Excel, Explorer Process Executing HTA File, Microsoft Office Product Spawning Windows Shell, Microsoft Office Spawning Script, Exploit For CVE-2015-1641, Microsoft Defender Antivirus Threat Detected, Winword Document Droppers, MS Office Product Spawning Exe in User Dir, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Creating Suspicious File, Suspicious Outlook Child Process, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Rubeus Register New Logon Process, Possible Replay Attack"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Successful Overpass The Hash Attempt, Rubeus Tool Command-line"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Phorpiex DriveMgr Command, WMIC Uninstall Product, Koadic Execution, MalwareBytes Uninstallation, Exploited CVE-2020-10189 Zoho ManageEngine, SquirrelWaffle Malspam Execution Loading DLL, Lazarus Loaders, Elise Backdoor, Suspicious Taskkill Command, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, QakBot Process Creation, Suspicious Windows Script Execution, Koadic Execution, Microsoft Office Spawning Script, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Creating Suspicious File, Suspicious VBS Execution Parameter"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Empire Monkey Activity, PowerShell Execution Via Rundll32, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Equation Group DLL_U Load, SquirrelWaffle Malspam Execution Loading DLL, Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Control Process, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Taskkill Command, CertOC Loading Dll, Empire Monkey Activity, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Windows Installer Execution, xWizard Execution, MavInject Process Injection, MOFComp Execution, Suspicious Mshta Execution, IcedID Execution Using Excel, AccCheckConsole Executing Dll, CMSTP UAC Bypass via COM Object Access, Equation Group DLL_U Load, Suspicious Rundll32.exe Execution, Suspicious Regsvr32 Execution, Explorer Process Executing HTA File, PowerShell Execution Via Rundll32, Suspicious DLL Loading By Ordinal, Mshta JavaScript Execution, CMSTP Execution, Control Panel Items"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, XCopy Suspicious Usage, Opening Of a Password File"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Windows Firewall Changes, Netsh Port Opening, Netsh RDP Port Forwarding, Netsh Allow Command, Powershell AMSI Bypass, NetSh Used To Disable Windows Firewall, Netsh Program Allowed With Suspicious Location, Netsh Port Forwarding, Netsh Allowed Python Program, Netsh RDP Port Opening"}, {"techniqueID": "T1210", "score": 100, "comment": "Rules: CVE-2019-0708 Scan"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Wmiprvse Wrong Parent, Chafer (APT 39) Activity, Taskhost or Taskhostw Suspicious Child Found, Winlogon wrong parent, Userinit Wrong Parent, Spoolsv Wrong Parent, Dllhost Wrong Parent, Csrss Child Found, Csrss Wrong Parent, Wininit Wrong Parent, New Service Creation, Winrshost Wrong Parent, Taskhostw Wrong Parent, Logonui Wrong Parent, Winword wrong parent, Taskhost Wrong Parent, Searchindexer Wrong Parent, SolarWinds Wrong Child Process, Searchprotocolhost Child Found, Lsass Wrong Parent, Searchprotocolhost Wrong Parent, Wsmprovhost Wrong Parent, Smss Wrong Parent, OneNote Suspicious Children Process, Rare Logonui Child Found, Rare Lsass Child Found, Svchost Wrong Parent, Explorer Wrong Parent, Suspicious Commands From MS SQL Server Shell"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Wmiprvse Wrong Parent, Chafer (APT 39) Activity, Taskhost or Taskhostw Suspicious Child Found, Winlogon wrong parent, Userinit Wrong Parent, Spoolsv Wrong Parent, Dllhost Wrong Parent, Csrss Child Found, Csrss Wrong Parent, Wininit Wrong Parent, New Service Creation, Winrshost Wrong Parent, Taskhostw Wrong Parent, Logonui Wrong Parent, Winword wrong parent, Taskhost Wrong Parent, Searchindexer Wrong Parent, SolarWinds Wrong Child Process, Searchprotocolhost Child Found, Lsass Wrong Parent, Searchprotocolhost Wrong Parent, Wsmprovhost Wrong Parent, Smss Wrong Parent, OneNote Suspicious Children Process, Rare Logonui Child Found, Rare Lsass Child Found, Svchost Wrong Parent, Explorer Wrong Parent, Suspicious Commands From MS SQL Server Shell"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools, Wmiprvse Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Winlogon wrong parent, Userinit Wrong Parent, Suspicious Commands From MS SQL Server Shell, Spoolsv Wrong Parent, Dllhost Wrong Parent, Csrss Child Found, Csrss Wrong Parent, Wininit Wrong Parent, Winrshost Wrong Parent, Taskhostw Wrong Parent, Logonui Wrong Parent, Winword wrong parent, Taskhost Wrong Parent, Searchindexer Wrong Parent, SolarWinds Wrong Child Process, Searchprotocolhost Child Found, Lsass Wrong Parent, Searchprotocolhost Wrong Parent, Wsmprovhost Wrong Parent, Smss Wrong Parent, OneNote Suspicious Children Process, PsExec Process, Rare Logonui Child Found, Rare Lsass Child Found, Svchost Wrong Parent, Usage Of Procdump With Common Arguments, Suspicious DNS Child Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools, Wmiprvse Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Winlogon wrong parent, Userinit Wrong Parent, Suspicious Commands From MS SQL Server Shell, Spoolsv Wrong Parent, Dllhost Wrong Parent, Csrss Child Found, Csrss Wrong Parent, SolarWinds Suspicious File Creation, Wininit Wrong Parent, Winrshost Wrong Parent, Taskhostw Wrong Parent, Logonui Wrong Parent, Microsoft Defender Antivirus Threat Detected, Winword wrong parent, Taskhost Wrong Parent, Searchindexer Wrong Parent, SolarWinds Wrong Child Process, Searchprotocolhost Child Found, Windows Update LolBins, Lsass Wrong Parent, Searchprotocolhost Wrong Parent, Wsmprovhost Wrong Parent, Smss Wrong Parent, OneNote Suspicious Children Process, PsExec Process, Rare Logonui Child Found, Rare Lsass Child Found, Svchost Wrong Parent, Usage Of Procdump With Common Arguments, Suspicious DNS Child Process"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell - NTFS Alternate Data Stream, PowerShell Credential Prompt, Suspicious PowerShell Keywords, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Taskkill Command, Powershell Web Request, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, WMImplant Hack Tool, FromBase64String Command Line, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell Download From URL, Default Encoding To UTF-8 PowerShell, Mshta Suspicious Child Process, PowerShell EncodedCommand, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious XOR Encoded PowerShell Command Line, Suspicious PrinterPorts Creation (CVE-2020-1048), PowerShell Malicious PowerShell Commandlets, Invoke-TheHash Commandlets, Suspicious PowerShell Invocations - Specific, DNS Exfiltration and Tunneling Tools Execution, PowerShell Downgrade Attack, Malicious PowerShell Keywords, Suspicious PowerShell Invocations - Generic, Exploited CVE-2020-10189 Zoho ManageEngine, Bloodhound and Sharphound Tools Usage, PowerShell Invoke Expression With Registry, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious certutil command, Rclone Process, Suspicious Finger Usage, Suspicious Headless Web Browser Execution To Download File, Pandemic Windows Implant"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File, PowerShell - NTFS Alternate Data Stream"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, AutoIt3 Execution From Suspicious Folder, Copy Of Legitimate System32 Executable, Exploit For CVE-2017-0261 Or CVE-2017-0262, Formbook Hijacked Process Command, RTLO Character, Explorer Wrong Parent, Suspicious Cmd.exe Command Line, Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Wmic Process Call Creation, WMIC Uninstall Product, WMImplant Hack Tool, Wmic Service Call, Invoke-TheHash Commandlets, WMI Install Of Binary, Impacket Wmiexec Module, Blue Mockingbird Malware, Suspicious Mshta Execution From Wmi"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Suspicious HWP Child Process, Msdt (Follina) File Browse Process Execution, Antivirus Relevant File Paths Alerts, Exploit For CVE-2015-1641"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Antivirus Relevant File Paths Alerts"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Server Loaded the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Error Failed Loading the CallOut DLL"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Copy Of Legitimate System32 Executable, Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Koadic Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Admin User RDP Remote Logon, Failed Logon Source From Public IP Addresses, Account Tampering - Suspicious Failed Logon Reasons, Account Added To A Security Enabled Group"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Explorer Wrong Parent, Formbook Hijacked Process Command, Phorpiex Process Masquerading, Exploit For CVE-2017-0261 Or CVE-2017-0262"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Suspicious Scheduled Task Creation, Chafer (APT 39) Activity, Schtasks Suspicious Parent, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, STRRAT Scheduled Task, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, RDP Login From Localhost, MMC20 Lateral Movement"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Leviathan Registry Key Activity, RUN Registry Key Created From Suspicious Folder, Autorun Keys Modification"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Successful Overpass The Hash Attempt"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass Using Fodhelper, UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass Using Fodhelper, UAC Bypass Via Sdclt"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious XOR Encoded PowerShell Command Line, Suspicious certutil command, FromBase64String Command Line, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Mshta Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1087.003", "score": 100, "comment": "Rules: Phosphorus (APT35) Exchange Discovery"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: PowerView commandlets 1, Phosphorus (APT35) Exchange Discovery, Bloodhound and Sharphound Tools Usage, PowerView commandlets 2"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Disable Workstation Lock, Ursnif Registry Key, FlowCloud Malware, Disable .NET ETW Through COMPlus_ETWEnabled, RedMimicry Winnti Playbook Registry Manipulation, Chafer (APT 39) Activity, RDP Sensitive Settings Changed, OceanLotus Registry Activity, Blue Mockingbird Malware"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups, Stop Backup Services, Suncrypt Parameters"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username, Suncrypt Parameters"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, Webshell Execution W3WP Process, Exchange Server Spawning Suspicious Processes, Exchange Server Creating Unusual Files, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: IIS Module Installation Using AppCmd, PowerCat Function Loading, Webshell Execution W3WP Process, Exchange Server Spawning Suspicious Processes, Exchange Server Creating Unusual Files, Webshell Creation"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar, PowerShell Data Compressed, Data Compressed With Rar With Password"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Backup Catalog Deleted"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Suspicious Taskkill Command, Explorer Process Executing HTA File, Suspicious Mshta Execution"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, Trickbot Malware Activity, NlTest Usage, PowerView commandlets 1, Phosphorus Domain Controller Discovery, Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage, PowerView commandlets 2"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Suspicious Windows DNS Queries, Exfiltration And Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1564.004", "score": 100, "comment": "Rules: PowerShell - NTFS Alternate Data Stream"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write, Change Default File Association, Sticky Key Like Backdoor Usage, Suspicious Netsh DLL Persistence, New DLL Added To AppCertDlls Registry Key, Control Panel Items"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain In Command Line, Rclone Process"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1078.001", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.002", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.003", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, OneNote Embedded File, Suspicious XOR Encoded PowerShell Command Line, PowerShell EncodedCommand"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 1, PowerView commandlets 2"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 1, Network Share Discovery, PowerView commandlets 2"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Process Memory Dump Using Createdump, Windows Credential Editor Registry Key"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious HWP Child Process, Suspicious Double Extension"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Failed Logon Source From Public IP Addresses, CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious DNS Child Process"}, {"techniqueID": "T1021.001", "score": 100, "comment": "Rules: RDP Login From Localhost"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Formbook File Creation DB1"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: Failed Logon Source From Public IP Addresses"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_caa13404-9243-493b-943e-9848cadb1f99_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_caa13404-9243-493b-943e-9848cadb1f99_do_not_edit_manually.json index aee9827e31..d223a5b053 100644 --- a/_shared_content/operations_center/detection/generated/attack_caa13404-9243-493b-943e-9848cadb1f99_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_caa13404-9243-493b-943e-9848cadb1f99_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Microsoft 365 / Office 365", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Koadic MSHTML Command, Nimbo-C2 User Agent, Detect requests to Konni C2 servers, TrevorC2 HTTP Communication"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Microsoft 365 (Office 365) Safe Attachment Rule Disabled, Microsoft 365 (Office 365) Malware Uploaded On SharePoint, Microsoft 365 (Office 365) AtpDetection, Microsoft 365 (Office 365) MCAS Repeated Failed Login, Microsoft 365 (Office 365) Anti-Phishing Rule Deletion, Microsoft Defender for Office 365 Low Severity AIR Alert Handled Automatically, SEKOIA.IO Intelligence Feed, Microsoft 365 (Office 365) MCAS Inbox Hiding, Microsoft 365 (Office 365) MCAS Risky IP, Microsoft 365 (Office 365) Unusual Volume Of File Deletion, Microsoft Defender for Office 365 Low Severity AIR Alert Requires Action, Microsoft 365 (Office 365) DLP Policy Removed, Possible Malicious File Double Extension, Microsoft 365 (Office 365) MCAS Repeated Delete, Microsoft 365 (Office 365) Safelinks Disabled, Microsoft 365 (Office 365) Malware Uploaded On OneDrive, Suspicious Double Extension, Microsoft Defender for Office 365 Medium Severity AIR Alert, Download Files From Suspicious TLDs, Microsoft 365 (Office 365) MailBoxAuditBypassAssociation Option Implementation, Microsoft 365 (Office 365) Anti-Phishing Policy Deletion, Microsoft 365 (Office 365) Potential Ransomware Activity Detected, Microsoft 365 (Office 365) MCAS New Country, Microsoft 365 (Office 365) Malware Filter Policy Removed, Microsoft Defender for Office 365 High Severity AIR Alert, Microsoft 365 (Office 365) MCAS Detection Velocity, Microsoft 365 (Office 365) Mass Download By A Single User, Download Files From Non-Legitimate TLDs, Microsoft 365 (Office 365) Malware Filter Rule Deletion"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft 365 (Office 365) Safe Attachment Rule Disabled, Microsoft 365 (Office 365) Malware Uploaded On SharePoint, Microsoft 365 (Office 365) AtpDetection, Microsoft 365 (Office 365) MCAS Repeated Failed Login, Microsoft 365 (Office 365) Anti-Phishing Rule Deletion, Microsoft 365 (Office 365) MCAS Inbox Hiding, Microsoft 365 (Office 365) MCAS Risky IP, Microsoft 365 (Office 365) Unusual Volume Of File Deletion, Microsoft 365 (Office 365) DLP Policy Removed, Microsoft 365 (Office 365) Malware Uploaded On OneDrive, Microsoft 365 (Office 365) Safelinks Disabled, Microsoft 365 (Office 365) MCAS Repeated Delete, Download Files From Suspicious TLDs, Microsoft 365 (Office 365) MailBoxAuditBypassAssociation Option Implementation, Microsoft 365 (Office 365) Anti-Phishing Policy Deletion, Microsoft 365 (Office 365) Potential Ransomware Activity Detected, Microsoft 365 (Office 365) MCAS New Country, Microsoft 365 (Office 365) Malware Filter Policy Removed, Microsoft 365 (Office 365) MCAS Detection Velocity, Microsoft 365 (Office 365) Mass Download By A Single User, Download Files From Non-Legitimate TLDs, Microsoft 365 (Office 365) Malware Filter Rule Deletion, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1114.003", "score": 100, "comment": "Rules: Microsoft 365 Email Forwarding To Email Address With Rare TLD, Microsoft 365 Email Forwarding To Consumer Email Address, Microsoft 365 Email Forwarding To Privacy Email Address"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Microsoft 365 Email Forwarding To Email Address With Rare TLD, Microsoft 365 Email Forwarding To Consumer Email Address, Microsoft 365 Email Forwarding To Privacy Email Address"}, {"techniqueID": "T1586", "score": 100, "comment": "Rules: Microsoft Defender for Office 365 Medium Severity AIR Alert, Microsoft Defender for Office 365 High Severity AIR Alert"}, {"techniqueID": "T1586.002", "score": 100, "comment": "Rules: Microsoft Defender for Office 365 Medium Severity AIR Alert, Microsoft Defender for Office 365 High Severity AIR Alert"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Microsoft Defender for Office 365 Low Severity AIR Alert Requires Action, Microsoft Defender for Office 365 High Severity AIR Alert, Suspicious Double Extension, Microsoft Defender for Office 365 Medium Severity AIR Alert, Microsoft Defender for Office 365 Low Severity AIR Alert Handled Automatically"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Microsoft Defender for Office 365 Low Severity AIR Alert Handled Automatically, Microsoft Defender for Office 365 Low Severity AIR Alert Requires Action, Microsoft Defender for Office 365 Medium Severity AIR Alert, Microsoft Defender for Office 365 High Severity AIR Alert"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Microsoft 365 Sign-in With No User Agent"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Microsoft 365 Sign-in With No User Agent"}, {"techniqueID": "T1564.008", "score": 100, "comment": "Rules: Microsoft 365 Suspicious Inbox Rule"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Microsoft 365 Suspicious Inbox Rule"}, {"techniqueID": "T1078.004", "score": 100, "comment": "Rules: Microsoft 365 Device Code Authentication"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Failed Logon Source From Public IP Addresses, Microsoft 365 Device Code Authentication, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-0688 Microsoft Exchange Server Exploit, Failed Logon Source From Public IP Addresses, CVE-2020-17530 Apache Struts RCE"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Koadic MSHTML Command, Nimbo-C2 User Agent, Detect requests to Konni C2 servers, TrevorC2 HTTP Communication"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Creating Unusual Files, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Creating Unusual Files, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: SolarWinds Suspicious File Creation, PsExec Process"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: Failed Logon Source From Public IP Addresses"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Microsoft 365 / Office 365", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Exfiltration And Tunneling Tools Execution, Koadic MSHTML Command, TrevorC2 HTTP Communication, Nimbo-C2 User Agent, SEKOIA.IO Intelligence Feed, Detect requests to Konni C2 servers"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Microsoft 365 (Office 365) Malware Uploaded On SharePoint, Microsoft 365 (Office 365) Unusual Volume Of File Deletion, Microsoft 365 (Office 365) Malware Uploaded On OneDrive, Possible Malicious File Double Extension, Microsoft 365 (Office 365) Anti-Phishing Rule Deletion, Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs, Microsoft 365 (Office 365) AtpDetection, Microsoft 365 (Office 365) Mass Download By A Single User, Suspicious Double Extension, Microsoft 365 (Office 365) MCAS Inbox Hiding, Microsoft 365 (Office 365) Anti-Phishing Policy Deletion, SEKOIA.IO Intelligence Feed, Microsoft 365 (Office 365) MCAS Repeated Delete, Microsoft 365 (Office 365) Potential Ransomware Activity Detected, Microsoft 365 (Office 365) MCAS Repeated Failed Login, Microsoft Defender for Office 365 Medium Severity AIR Alert, Microsoft Defender for Office 365 Low Severity AIR Alert Handled Automatically, Microsoft 365 (Office 365) MailBoxAuditBypassAssociation Option Implementation, Microsoft Defender for Office 365 Low Severity AIR Alert Requires Action, Microsoft 365 (Office 365) Malware Filter Policy Removed, Microsoft 365 (Office 365) DLP Policy Removed, Microsoft 365 (Office 365) MCAS Risky IP, Microsoft 365 (Office 365) Malware Filter Rule Deletion, Microsoft 365 (Office 365) MCAS Detection Velocity, Microsoft 365 (Office 365) Safe Attachment Rule Disabled, Microsoft 365 (Office 365) Safelinks Disabled, Microsoft 365 (Office 365) MCAS New Country, Microsoft Defender for Office 365 High Severity AIR Alert"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft 365 (Office 365) Malware Uploaded On SharePoint, Microsoft 365 (Office 365) Unusual Volume Of File Deletion, Microsoft 365 (Office 365) Malware Uploaded On OneDrive, Microsoft 365 (Office 365) Anti-Phishing Rule Deletion, Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs, Microsoft 365 (Office 365) AtpDetection, Microsoft 365 (Office 365) Mass Download By A Single User, Microsoft 365 (Office 365) MCAS Inbox Hiding, Microsoft 365 (Office 365) Anti-Phishing Policy Deletion, Microsoft 365 (Office 365) MCAS Repeated Delete, Microsoft 365 (Office 365) Potential Ransomware Activity Detected, Microsoft 365 (Office 365) MCAS Repeated Failed Login, Cobalt Strike Default Beacons Names, Microsoft 365 (Office 365) MailBoxAuditBypassAssociation Option Implementation, Microsoft 365 (Office 365) Malware Filter Policy Removed, Microsoft 365 (Office 365) DLP Policy Removed, Microsoft 365 (Office 365) MCAS Risky IP, Microsoft 365 (Office 365) Malware Filter Rule Deletion, Microsoft 365 (Office 365) MCAS Detection Velocity, Microsoft 365 (Office 365) Safe Attachment Rule Disabled, Microsoft 365 (Office 365) Safelinks Disabled, Microsoft 365 (Office 365) MCAS New Country"}, {"techniqueID": "T1114.003", "score": 100, "comment": "Rules: Microsoft 365 Email Forwarding To Consumer Email Address, Microsoft 365 Email Forwarding To Email Address With Rare TLD, Microsoft 365 Email Forwarding To Privacy Email Address"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Microsoft 365 Email Forwarding To Consumer Email Address, Microsoft 365 Email Forwarding To Email Address With Rare TLD, Microsoft 365 Email Forwarding To Privacy Email Address"}, {"techniqueID": "T1586", "score": 100, "comment": "Rules: Microsoft Defender for Office 365 Medium Severity AIR Alert, Microsoft Defender for Office 365 High Severity AIR Alert"}, {"techniqueID": "T1586.002", "score": 100, "comment": "Rules: Microsoft Defender for Office 365 Medium Severity AIR Alert, Microsoft Defender for Office 365 High Severity AIR Alert"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Microsoft Defender for Office 365 Low Severity AIR Alert Requires Action, Microsoft Defender for Office 365 High Severity AIR Alert, Suspicious Double Extension, Microsoft Defender for Office 365 Medium Severity AIR Alert, Microsoft Defender for Office 365 Low Severity AIR Alert Handled Automatically"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Microsoft Defender for Office 365 Low Severity AIR Alert Handled Automatically, Microsoft Defender for Office 365 Low Severity AIR Alert Requires Action, Microsoft Defender for Office 365 Medium Severity AIR Alert, Microsoft Defender for Office 365 High Severity AIR Alert"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Microsoft 365 Sign-in With No User Agent"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Microsoft 365 Sign-in With No User Agent"}, {"techniqueID": "T1564.008", "score": 100, "comment": "Rules: Microsoft 365 Suspicious Inbox Rule"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Microsoft 365 Suspicious Inbox Rule"}, {"techniqueID": "T1078.004", "score": 100, "comment": "Rules: Microsoft 365 Device Code Authentication"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Microsoft 365 Device Code Authentication, Failed Logon Source From Public IP Addresses, Account Added To A Security Enabled Group"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Failed Logon Source From Public IP Addresses, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, User Account Created"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Exfiltration And Tunneling Tools Execution, Koadic MSHTML Command, TrevorC2 HTTP Communication, Nimbo-C2 User Agent, Detect requests to Konni C2 servers"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Creating Unusual Files, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Creating Unusual Files, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: Failed Logon Source From Public IP Addresses"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_cf5c916e-fa26-11ed-a844-f7f4d7348199_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_cf5c916e-fa26-11ed-a844-f7f4d7348199_do_not_edit_manually.json index 3f5673ca48..20e24d27ef 100644 --- a/_shared_content/operations_center/detection/generated/attack_cf5c916e-fa26-11ed-a844-f7f4d7348199_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_cf5c916e-fa26-11ed-a844-f7f4d7348199_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x OGO WAF", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}]} \ No newline at end of file +{"name": "SEKOIA.IO x OGO WAF", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_d2725f97-0c7b-4942-a847-983f38efb8ff_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_d2725f97-0c7b-4942-a847-983f38efb8ff_do_not_edit_manually.json index fa6e1cc5fb..e3579c4591 100644 --- a/_shared_content/operations_center/detection/generated/attack_d2725f97-0c7b-4942-a847-983f38efb8ff_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_d2725f97-0c7b-4942-a847-983f38efb8ff_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Salesforce [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, LokiBot Default C2 URL, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Koadic MSHTML Command, Nimbo-C2 User Agent, Cobalt Strike HTTP Default POST Beaconing, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Cobalt Strike HTTP Default GET beaconing"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2018-11776 Apache Struts2, CVE-2020-14882 Oracle WebLogic Server, GitLab CVE-2021-22205, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-21985 VMware vCenter, CVE-2019-0604 SharePoint, CVE-2018-13379 Fortinet Exploit, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-26855 Exchange SSRF, CVE-2021-21972 VMware vCenter, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-17530 Apache Struts RCE, CVE-2019-11510 Pulse Secure Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-43798 Grafana Directory Traversal, CVE-2020-1147 SharePoint, CVE-2021-22123 Fortinet FortiWeb OS Command Injection"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: LokiBot Default C2 URL, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Koadic MSHTML Command, Nimbo-C2 User Agent, Cobalt Strike HTTP Default POST Beaconing, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Cobalt Strike HTTP Default GET beaconing"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Salesforce [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Koadic MSHTML Command, LokiBot Default C2 URL, FoggyWeb HTTP Default GET/POST Requests, Nimbo-C2 User Agent, Cobalt Strike HTTP Default GET beaconing, SEKOIA.IO Intelligence Feed, Cobalt Strike HTTP Default POST Beaconing, Detect requests to Konni C2 servers"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-26855 Exchange SSRF, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2018-13379 Fortinet Exploit, CVE-2021-21985 VMware vCenter, GitLab CVE-2021-22205, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2019-0604 SharePoint, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2019-11510 Pulse Secure Exploit, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2021-21972 VMware vCenter, CVE-2020-1147 SharePoint, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2018-11776 Apache Struts2, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Koadic MSHTML Command, LokiBot Default C2 URL, FoggyWeb HTTP Default GET/POST Requests, Nimbo-C2 User Agent, Cobalt Strike HTTP Default GET beaconing, Cobalt Strike HTTP Default POST Beaconing, Detect requests to Konni C2 servers"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_d3a813ac-f9b5-451c-a602-a5994544d9ed_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_d3a813ac-f9b5-451c-a602-a5994544d9ed_do_not_edit_manually.json index d88f65f43b..6649111ca5 100644 --- a/_shared_content/operations_center/detection/generated/attack_d3a813ac-f9b5-451c-a602-a5994544d9ed_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_d3a813ac-f9b5-451c-a602-a5994544d9ed_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x AWS CloudTrail", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: AWS CloudTrail Remove Flow logs, AWS CloudTrail GuardDuty Disruption, AWS CloudTrail EventBridge Rule Disabled Or Deleted, AWS CloudTrail Important Change, AWS CloudTrail GuardDuty Detector Suspended, AWS CloudTrail Disable MFA, AWS CloudTrail Config Disable Channel/Recorder"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: AWS CloudTrail Remove Flow logs, AWS CloudTrail GuardDuty Detector Deleted, AWS CloudTrail GuardDuty Disruption, AWS CloudTrail EventBridge Rule Disabled Or Deleted, AWS CloudTrail Important Change, AWS CloudTrail GuardDuty Detector Suspended, AWS CloudTrail EC2 Security Group Modified, AWS CloudTrail Disable MFA, AWS CloudTrail Config Disable Channel/Recorder"}, {"techniqueID": "T1562.008", "score": 100, "comment": "Rules: AWS CloudTrail Remove Flow logs"}, {"techniqueID": "T1578.003", "score": 100, "comment": "Rules: AWS CloudTrail EC2 Subnet Deleted, AWS CloudTrail ECS Cluster Deleted"}, {"techniqueID": "T1578", "score": 100, "comment": "Rules: AWS CloudTrail EC2 Subnet Deleted, AWS CloudTrail IAM Password Policy Updated, AWS CloudTrail Root ConsoleLogin, AWS CloudTrail Route 53 Domain Transfer Lock Disabled, AWS CloudTrail IAM Policy Changed, AWS CloudTrail IAM Failed User Creation, AWS CloudTrail Route 53 Domain Transfer Attempt, AWS CloudTrail ECS Cluster Deleted"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: AWS CloudTrail IAM Password Policy Updated, AWS CloudTrail Route 53 Domain Transfer Lock Disabled, AWS CloudTrail IAM Policy Changed, AWS CloudTrail IAM Failed User Creation, AWS CloudTrail Root ConsoleLogin, AWS CloudTrail Route 53 Domain Transfer Attempt"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: AWS CloudTrail RDS Public DB Restore, AWS CloudTrail RDS Change Master Password"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: AWS CloudTrail KMS CMK Key Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: AWS CloudTrail KMS CMK Key Deleted"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: AWS CloudTrail EC2 Startup Script Changed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: AWS CloudTrail EC2 Startup Script Changed"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: AWS CloudTrail EC2 Startup Script Changed"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: AWS CloudTrail EC2 Startup Script Changed"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: AWS CloudTrail RDS DB Cluster/Instance Deleted, AWS CloudTrail ECS Cluster Deleted"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}]} \ No newline at end of file +{"name": "SEKOIA.IO x AWS CloudTrail", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: AWS CloudTrail Config Disable Channel/Recorder, AWS CloudTrail GuardDuty Detector Suspended, AWS CloudTrail Disable MFA, AWS CloudTrail Important Change, AWS CloudTrail Remove Flow logs, AWS CloudTrail EventBridge Rule Disabled Or Deleted, AWS CloudTrail GuardDuty Disruption"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: AWS CloudTrail Config Disable Channel/Recorder, AWS CloudTrail GuardDuty Detector Suspended, AWS CloudTrail Disable MFA, AWS CloudTrail GuardDuty Detector Deleted, AWS CloudTrail Important Change, AWS CloudTrail Remove Flow logs, AWS CloudTrail EventBridge Rule Disabled Or Deleted, AWS CloudTrail EC2 Security Group Modified, AWS CloudTrail GuardDuty Disruption"}, {"techniqueID": "T1562.008", "score": 100, "comment": "Rules: AWS CloudTrail Remove Flow logs"}, {"techniqueID": "T1578.003", "score": 100, "comment": "Rules: AWS CloudTrail ECS Cluster Deleted, AWS CloudTrail EC2 Subnet Deleted"}, {"techniqueID": "T1578", "score": 100, "comment": "Rules: AWS CloudTrail ECS Cluster Deleted, AWS CloudTrail IAM Password Policy Updated, AWS CloudTrail IAM Policy Changed, AWS CloudTrail Route 53 Domain Transfer Lock Disabled, AWS CloudTrail Route 53 Domain Transfer Attempt, AWS CloudTrail EC2 Subnet Deleted, AWS CloudTrail Root ConsoleLogin, AWS CloudTrail IAM Failed User Creation"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: AWS CloudTrail IAM Password Policy Updated, AWS CloudTrail IAM Policy Changed, AWS CloudTrail Route 53 Domain Transfer Lock Disabled, AWS CloudTrail Route 53 Domain Transfer Attempt, AWS CloudTrail Root ConsoleLogin, AWS CloudTrail IAM Failed User Creation"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: AWS CloudTrail RDS Public DB Restore, AWS CloudTrail RDS Change Master Password"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: AWS CloudTrail KMS CMK Key Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: AWS CloudTrail KMS CMK Key Deleted"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: AWS CloudTrail EC2 Startup Script Changed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: AWS CloudTrail EC2 Startup Script Changed"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: AWS CloudTrail EC2 Startup Script Changed"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: AWS CloudTrail EC2 Startup Script Changed"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: AWS CloudTrail ECS Cluster Deleted, AWS CloudTrail RDS DB Cluster/Instance Deleted"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_d9f337a4-1303-47d4-b15f-1f83807ff3cc_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_d9f337a4-1303-47d4-b15f-1f83807ff3cc_do_not_edit_manually.json index a77d1c2724..74839d54ce 100644 --- a/_shared_content/operations_center/detection/generated/attack_d9f337a4-1303-47d4-b15f-1f83807ff3cc_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_d9f337a4-1303-47d4-b15f-1f83807ff3cc_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Imperva WAF", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, LokiBot Default C2 URL, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Koadic MSHTML Command, Nimbo-C2 User Agent, Detect requests to Konni C2 servers, TrevorC2 HTTP Communication, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Download Files From Non-Legitimate TLDs, Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2018-11776 Apache Struts2, CVE-2020-14882 Oracle WebLogic Server, GitLab CVE-2021-22205, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-21985 VMware vCenter, CVE-2019-0604 SharePoint, CVE-2018-13379 Fortinet Exploit, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-26855 Exchange SSRF, CVE-2021-21972 VMware vCenter, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-17530 Apache Struts RCE, CVE-2019-11510 Pulse Secure Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-43798 Grafana Directory Traversal, CVE-2020-1147 SharePoint, CVE-2021-22123 Fortinet FortiWeb OS Command Injection"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: LokiBot Default C2 URL, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Koadic MSHTML Command, Nimbo-C2 User Agent, Detect requests to Konni C2 servers, TrevorC2 HTTP Communication, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Imperva WAF", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Koadic MSHTML Command, LokiBot Default C2 URL, FoggyWeb HTTP Default GET/POST Requests, TrevorC2 HTTP Communication, Nimbo-C2 User Agent, SEKOIA.IO Intelligence Feed, Detect requests to Konni C2 servers"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension, Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-26855 Exchange SSRF, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2018-13379 Fortinet Exploit, CVE-2021-21985 VMware vCenter, GitLab CVE-2021-22205, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2019-0604 SharePoint, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2019-11510 Pulse Secure Exploit, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2021-21972 VMware vCenter, CVE-2020-1147 SharePoint, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2018-11776 Apache Struts2, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Koadic MSHTML Command, LokiBot Default C2 URL, FoggyWeb HTTP Default GET/POST Requests, TrevorC2 HTTP Communication, Nimbo-C2 User Agent, Detect requests to Konni C2 servers"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_da3555f9-8213-41b8-8659-4cb814431e29_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_da3555f9-8213-41b8-8659-4cb814431e29_do_not_edit_manually.json index 77464df355..e9f29dbd7c 100644 --- a/_shared_content/operations_center/detection/generated/attack_da3555f9-8213-41b8-8659-4cb814431e29_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_da3555f9-8213-41b8-8659-4cb814431e29_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Panda Security SIEM Feeder", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Leviathan Registry Key Activity"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Leviathan Registry Key Activity"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Ursnif Registry Key, FlowCloud Malware, Disable Workstation Lock, OceanLotus Registry Activity, RDP Sensitive Settings Changed"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Windows Credential Editor Registry Key"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Windows Credential Editor Registry Key"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Pandemic Windows Implant"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious Driver Loaded"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious Driver Loaded"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Panda Security SIEM Feeder", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Leviathan Registry Key Activity"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Leviathan Registry Key Activity"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper, UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper, UAC Bypass Via Sdclt"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Disable Workstation Lock, Ursnif Registry Key, FlowCloud Malware, RDP Sensitive Settings Changed, OceanLotus Registry Activity"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Windows Credential Editor Registry Key"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Windows Credential Editor Registry Key"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Pandemic Windows Implant"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious Driver Loaded"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious Driver Loaded"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_dc0f339f-5dbe-4e68-9fa0-c63661820941_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_dc0f339f-5dbe-4e68-9fa0-c63661820941_do_not_edit_manually.json index 90403f781a..d6a31468ee 100644 --- a/_shared_content/operations_center/detection/generated/attack_dc0f339f-5dbe-4e68-9fa0-c63661820941_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_dc0f339f-5dbe-4e68-9fa0-c63661820941_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Zscaler Internet Access [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, LokiBot Default C2 URL, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Koadic MSHTML Command, Nimbo-C2 User Agent, Cobalt Strike HTTP Default POST Beaconing, Bazar Loader DGA (Domain Generation Algorithm), Detect requests to Konni C2 servers, Sliver DNS Beaconing, FoggyWeb HTTP Default GET/POST Requests, Cobalt Strike HTTP Default GET beaconing"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2018-11776 Apache Struts2, CVE-2020-14882 Oracle WebLogic Server, GitLab CVE-2021-22205, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-21985 VMware vCenter, CVE-2019-0604 SharePoint, CVE-2018-13379 Fortinet Exploit, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-26855 Exchange SSRF, CVE-2021-21972 VMware vCenter, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-17530 Apache Struts RCE, CVE-2019-11510 Pulse Secure Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-43798 Grafana Directory Traversal, CVE-2020-1147 SharePoint, CVE-2021-22123 Fortinet FortiWeb OS Command Injection"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: LokiBot Default C2 URL, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Koadic MSHTML Command, Nimbo-C2 User Agent, Cobalt Strike HTTP Default POST Beaconing, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Cobalt Strike HTTP Default GET beaconing"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), Sliver DNS Beaconing"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Zscaler Internet Access [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Sliver DNS Beaconing, Potential Lemon Duck User-Agent, Koadic MSHTML Command, LokiBot Default C2 URL, Bazar Loader DGA (Domain Generation Algorithm), FoggyWeb HTTP Default GET/POST Requests, Nimbo-C2 User Agent, Cobalt Strike HTTP Default GET beaconing, SEKOIA.IO Intelligence Feed, Cobalt Strike HTTP Default POST Beaconing, Detect requests to Konni C2 servers"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-26855 Exchange SSRF, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2018-13379 Fortinet Exploit, CVE-2021-21985 VMware vCenter, GitLab CVE-2021-22205, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2019-0604 SharePoint, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2019-11510 Pulse Secure Exploit, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2021-21972 VMware vCenter, CVE-2020-1147 SharePoint, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2018-11776 Apache Struts2, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Koadic MSHTML Command, LokiBot Default C2 URL, FoggyWeb HTTP Default GET/POST Requests, Nimbo-C2 User Agent, Cobalt Strike HTTP Default GET beaconing, Cobalt Strike HTTP Default POST Beaconing, Detect requests to Konni C2 servers"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_de9ca004-991e-4f5c-89c5-e075f3fb3216_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_de9ca004-991e-4f5c-89c5-e075f3fb3216_do_not_edit_manually.json index fe65029bf0..b2c6f73d43 100644 --- a/_shared_content/operations_center/detection/generated/attack_de9ca004-991e-4f5c-89c5-e075f3fb3216_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_de9ca004-991e-4f5c-89c5-e075f3fb3216_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Netskope", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netskope Alert"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Koadic MSHTML Command, Nimbo-C2 User Agent, Detect requests to Konni C2 servers"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Koadic MSHTML Command, Nimbo-C2 User Agent, Detect requests to Konni C2 servers"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1530", "score": 100, "comment": "Rules: Netskope DLP Alert"}, {"techniqueID": "T1083", "score": 100, "comment": "Rules: Netskope DLP Alert"}, {"techniqueID": "T1078.004", "score": 100, "comment": "Rules: Netskope Admin Audit"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Netskope Admin Audit"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, Webshell Creation"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Netskope", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netskope Alert, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Koadic MSHTML Command, Nimbo-C2 User Agent, SEKOIA.IO Intelligence Feed, Detect requests to Konni C2 servers"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Koadic MSHTML Command, Nimbo-C2 User Agent, Detect requests to Konni C2 servers"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1530", "score": 100, "comment": "Rules: Netskope DLP Alert"}, {"techniqueID": "T1083", "score": 100, "comment": "Rules: Netskope DLP Alert"}, {"techniqueID": "T1078.004", "score": 100, "comment": "Rules: Netskope Admin Audit"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Netskope Admin Audit"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, Webshell Creation"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, WCE wceaux.dll Creation"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_e0eaf2f1-02d0-4d1a-be89-f2b8be4baf4e_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_e0eaf2f1-02d0-4d1a-be89-f2b8be4baf4e_do_not_edit_manually.json index d73d1fda3e..47711dd584 100644 --- a/_shared_content/operations_center/detection/generated/attack_e0eaf2f1-02d0-4d1a-be89-f2b8be4baf4e_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_e0eaf2f1-02d0-4d1a-be89-f2b8be4baf4e_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Proofpoint PoD", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, SEKOIA.IO Intelligence Feed, Detect requests to Konni C2 servers"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Detect requests to Konni C2 servers"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Proofpoint PoD", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, SEKOIA.IO Intelligence Feed, Detect requests to Konni C2 servers"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Detect requests to Konni C2 servers"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_e4a758fc-7620-49e6-b8ed-b7fb3d7fa232_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_e4a758fc-7620-49e6-b8ed-b7fb3d7fa232_do_not_edit_manually.json index 8566ebe3bf..af0e515414 100644 --- a/_shared_content/operations_center/detection/generated/attack_e4a758fc-7620-49e6-b8ed-b7fb3d7fa232_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_e4a758fc-7620-49e6-b8ed-b7fb3d7fa232_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Vade for M365", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Spearphishing (Gift Cards Fraud) Detected By Vade For M365, Scam Detected By Vade For M365, Spearphishing (CEO Fraud) Detected By Vade For M365, Phishing Detected By Vade For M365, Malware Detected By Vade For M365, Phishing Detected By Vade For M365 And Not Blocked, Spearphishing (Initial Contact Fraud) Detected By Vade For M365, Spam Detected By Vade For M365, Malware Detected By Vade For M365 And Not Blocked, Spam Detected By Vade For M365 And Not Blocked, Spearphishing (W2 Fraud) Detected By Vade For M365, Scam Detected By Vade For M365 And Not Blocked, Spearphishing (Lawyer Fraud) Detected By Vade For M365"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Malware Detected By Vade For M365, Malware Detected By Vade For M365 And Not Blocked"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Malware Detected By Vade For M365, Malware Detected By Vade For M365 And Not Blocked"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Phishing Detected By Vade For M365, Phishing Detected By Vade For M365 And Not Blocked"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Phishing Detected By Vade For M365, Phishing Detected By Vade For M365 And Not Blocked"}, {"techniqueID": "T1566.003", "score": 100, "comment": "Rules: Phishing Detected By Vade For M365, Phishing Detected By Vade For M365 And Not Blocked"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Vade for M365", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Spam Detected By Vade For M365, Spearphishing (Gift Cards Fraud) Detected By Vade For M365, Spearphishing (Lawyer Fraud) Detected By Vade For M365, Spearphishing (Initial Contact Fraud) Detected By Vade For M365, Scam Detected By Vade For M365 And Not Blocked, Phishing Detected By Vade For M365, Phishing Detected By Vade For M365 And Not Blocked, Spearphishing (W2 Fraud) Detected By Vade For M365, Spam Detected By Vade For M365 And Not Blocked, Malware Detected By Vade For M365 And Not Blocked, Spearphishing (CEO Fraud) Detected By Vade For M365, Scam Detected By Vade For M365, SEKOIA.IO Intelligence Feed, Malware Detected By Vade For M365"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Malware Detected By Vade For M365 And Not Blocked, Malware Detected By Vade For M365"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Malware Detected By Vade For M365 And Not Blocked, Malware Detected By Vade For M365"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Phishing Detected By Vade For M365 And Not Blocked, Phishing Detected By Vade For M365"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Phishing Detected By Vade For M365 And Not Blocked, Phishing Detected By Vade For M365"}, {"techniqueID": "T1566.003", "score": 100, "comment": "Rules: Phishing Detected By Vade For M365 And Not Blocked, Phishing Detected By Vade For M365"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_e6bb2404-8fc8-4124-a785-c1276277b5d7_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_e6bb2404-8fc8-4124-a785-c1276277b5d7_do_not_edit_manually.json index a7cd30fcc4..ac334d5f1a 100644 --- a/_shared_content/operations_center/detection/generated/attack_e6bb2404-8fc8-4124-a785-c1276277b5d7_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_e6bb2404-8fc8-4124-a785-c1276277b5d7_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Okta", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Okta Phishing Detection with FastPass Origin Check"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Okta User Account Locked"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Okta MFA Disabled"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Okta Network Zone Modified, Okta Security Threat Configuration Updated, Okta Blacklist Manipulations, Okta Network Zone Deactivated, Okta Network Zone Deleted, Okta MFA Disabled"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Okta API Token revoked, Okta API Token created"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Okta User Account Deactivated, Okta Application deleted, Okta User Impersonation Access, Okta Application modified, Okta Admin Privilege Granted"}, {"techniqueID": "T1562.007", "score": 100, "comment": "Rules: Okta Network Zone Modified, Okta Network Zone Deleted, Okta Network Zone Deactivated"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Okta Admin Privilege Granted"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Okta Policy Rule Modified or Deleted, Okta Policy Modified or Deleted"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Okta Unauthorized Access to App, Okta Suspicious Activity Reported"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: Okta User Impersonation Access"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Okta User Account Created"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Okta MFA Bypass Attempt"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Okta Security Threat Detected"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Okta Security Threat Detected"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Okta Security Threat Detected"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Okta", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Okta Phishing Detection with FastPass Origin Check, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Okta User Account Locked"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Okta MFA Disabled"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Okta Network Zone Deactivated, Okta Blacklist Manipulations, Okta Network Zone Modified, Okta MFA Disabled, Okta Network Zone Deleted, Okta Security Threat Configuration Updated"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Okta API Token revoked, Okta API Token created"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Okta Admin Privilege Granted, Okta User Impersonation Access, Okta Application deleted, Okta Application modified, Okta User Account Deactivated"}, {"techniqueID": "T1562.007", "score": 100, "comment": "Rules: Okta Network Zone Deleted, Okta Network Zone Modified, Okta Network Zone Deactivated"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Okta Admin Privilege Granted"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Okta Policy Modified or Deleted, Okta Policy Rule Modified or Deleted"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Okta Unauthorized Access to App, Okta Suspicious Activity Reported"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: Okta User Impersonation Access"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Okta User Account Created"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Okta MFA Bypass Attempt"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Okta Security Threat Detected"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Okta Security Threat Detected"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Okta Security Threat Detected"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_e8cb3372-41c8-409f-8e0e-ca4e6cecf7e6_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_e8cb3372-41c8-409f-8e0e-ca4e6cecf7e6_do_not_edit_manually.json index c75937b64a..8e4d440324 100644 --- a/_shared_content/operations_center/detection/generated/attack_e8cb3372-41c8-409f-8e0e-ca4e6cecf7e6_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_e8cb3372-41c8-409f-8e0e-ca4e6cecf7e6_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x IBM AIX", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious Taskkill Command, WMIC Uninstall Product, Bloodhound and Sharphound Tools Usage, PowerShell Download From URL, Socat Reverse Shell Detection, Suspicious VBS Execution Parameter, PowerShell EncodedCommand, Suspicious Microsoft Defender Antivirus Exclusion Command, Phorpiex DriveMgr Command, Powershell Web Request, Interactive Terminal Spawned via Python, Lazarus Loaders, MalwareBytes Uninstallation, Sysprep On AppData Folder, Elise Backdoor, Venom Multi-hop Proxy agent detection, Suspicious Windows Script Execution, Koadic Execution, XSL Script Processing And SquiblyTwo Attack, DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Invocations - Specific, PowerShell Downgrade Attack, Python Offensive Tools and Packages, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Office Creating Suspicious File, Default Encoding To UTF-8 PowerShell, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious PrinterPorts Creation (CVE-2020-1048), Socat Relaying Socket"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies, System Info Discovery"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Raccine Uninstall, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disable Using Registry, WMIC Uninstall Product, Debugging Software Deactivation, Netsh RDP Port Opening, Disabled IE Security Features, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh RDP Port Forwarding, Netsh Port Forwarding, MalwareBytes Uninstallation, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Fail2ban Unban IP, Disabled Service, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, PowerShell AMSI Deactivation Bypass Using .NET Reflection, SELinux Disabling, Netsh Port Opening, Microsoft Defender Antivirus Signatures Removed With MpCmdRun"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Raccine Uninstall, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disable Using Registry, WMIC Uninstall Product, NetSh Used To Disable Windows Firewall, Debugging Software Deactivation, Windows Firewall Changes, Clear EventLogs Through CommandLine, ETW Tampering, Netsh RDP Port Opening, Netsh Allow Command, Disabled IE Security Features, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh RDP Port Forwarding, Netsh Port Forwarding, MalwareBytes Uninstallation, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Fail2ban Unban IP, Disabled Service, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, PowerShell AMSI Deactivation Bypass Using .NET Reflection, SELinux Disabling, Netsh Port Opening, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Allowed Python Program"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: High Privileges Network Share Removal, ETW Tampering, Erase Shell History, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows, Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection, Socat Reverse Shell Detection, Socat Relaying Socket"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Ngrok Process Execution, Venom Multi-hop Proxy agent detection, SOCKS Tunneling Tool, Netsh Port Forwarding, Socat Reverse Shell Detection, Socat Relaying Socket"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, Outlook Registry Access, Container Credential Access, XCopy Suspicious Usage"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line, Cmdkey Cached Credentials Recon, Process Memory Dump Using Comsvcs, Process Memory Dump Using Rdrleakdiag, Rubeus Tool Command-line, Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials, Process Trace Alteration, Copying Sensitive Files With Credential Data, HackTools Suspicious Process Names In Command Line"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Disabled Service, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution, DNS Exfiltration and Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Double Extension"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, XCopy Suspicious Usage, Adexplorer Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious PowerShell Invocations - Specific, PowerShell Downgrade Attack, Suspicious Taskkill Command, PowerShell EncodedCommand, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Powershell Web Request, Bloodhound and Sharphound Tools Usage, PowerShell Download From URL, Default Encoding To UTF-8 PowerShell, PowerShell Malicious Nishang PowerShell Commandlets, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Rclone Process, Suspicious Finger Usage, Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Phorpiex DriveMgr Command, Koadic Execution, WMIC Uninstall Product, Lazarus Loaders, MalwareBytes Uninstallation, Elise Backdoor"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh RDP Port Opening, Netsh Allow Command, Netsh Port Opening, Netsh RDP Port Forwarding, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Windows Firewall Changes, Netsh Allowed Python Program"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Non-Legitimate Executable Using AcceptEula Parameter, RTLO Character"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Wmic Service Call, Wmic Process Call Creation, WMIC Uninstall Product, XSL Script Processing And SquiblyTwo Attack, Blue Mockingbird Malware"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, Microsoft Office Creating Suspicious File, Koadic Execution, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Koadic Execution, Suspicious Windows Script Execution"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Blue Mockingbird Malware"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Suspicious Scheduled Task Creation, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Suspicious Scheduled Task Creation, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, SolarWinds Suspicious File Creation, PsExec Process"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious certutil command, Suspicious Mshta Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Inhibit System Recovery Deleting Backups, Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username, Suncrypt Parameters"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32, Equation Group DLL_U Load, Empire Monkey Activity, Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Control Process, CertOC Loading Dll, Suspicious Taskkill Command, Suspicious Windows Installer Execution, Mshta JavaScript Execution, PowerShell Execution Via Rundll32, Suspicious Rundll32.exe Execution, AccCheckConsole Executing Dll, Control Panel Items, Empire Monkey Activity, Suspicious Mshta Execution, Suspicious DLL Loading By Ordinal, MavInject Process Injection, xWizard Execution, CMSTP Execution, Equation Group DLL_U Load, Explorer Process Executing HTA File"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Creating Unusual Files, PowerCat Function Loading, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: IIS Module Installation Using AppCmd, Exchange Server Creating Unusual Files, PowerCat Function Loading, Webshell Creation"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Suspicious Mshta Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage, NlTest Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write, New DLL Added To AppCertDlls Registry Key, Control Panel Items, Suspicious Netsh DLL Persistence, Change Default File Association"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, OneNote Embedded File"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}]} \ No newline at end of file +{"name": "SEKOIA.IO x IBM AIX", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: WMIC Uninstall Product, Microsoft Office Creating Suspicious File, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious VBS Execution Parameter, Suspicious Taskkill Command, Powershell Web Request, PowerShell Download From URL, PowerShell Malicious Nishang PowerShell Commandlets, Default Encoding To UTF-8 PowerShell, Socat Relaying Socket, Lazarus Loaders, PowerShell EncodedCommand, Interactive Terminal Spawned via Python, Microsoft Defender Antivirus Disabled Base64 Encoded, XSL Script Processing And SquiblyTwo Attack, Sysprep On AppData Folder, Koadic Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), Socat Reverse Shell Detection, Elise Backdoor, Phorpiex DriveMgr Command, Suspicious PowerShell Invocations - Specific, Python Offensive Tools and Packages, DNS Exfiltration and Tunneling Tools Execution, Suspicious Windows Script Execution, PowerShell Downgrade Attack, MalwareBytes Uninstallation, Bloodhound and Sharphound Tools Usage, Venom Multi-hop Proxy agent detection, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, System Info Discovery, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Using Registry, SELinux Disabling, WMIC Uninstall Product, Address Space Layout Randomization (ASLR) Alteration, Suspicious Microsoft Defender Antivirus Exclusion Command, Debugging Software Deactivation, Fail2ban Unban IP, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh RDP Port Forwarding, Disabled IE Security Features, Netsh Port Forwarding, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh Port Opening, Microsoft Defender Antivirus Disable Scheduled Tasks, MalwareBytes Uninstallation, Microsoft Defender Antivirus Restoration Abuse, Raccine Uninstall, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Opening, Disabled Service, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Disable Using Registry, SELinux Disabling, WMIC Uninstall Product, Netsh Allow Command, Address Space Layout Randomization (ASLR) Alteration, Suspicious Microsoft Defender Antivirus Exclusion Command, Debugging Software Deactivation, Windows Firewall Changes, Fail2ban Unban IP, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh RDP Port Forwarding, ETW Tampering, Disabled IE Security Features, Netsh Port Forwarding, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh Port Opening, Microsoft Defender Antivirus Disable Scheduled Tasks, MalwareBytes Uninstallation, Microsoft Defender Antivirus Restoration Abuse, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Raccine Uninstall, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Opening, Disabled Service, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, High Privileges Network Share Removal, Erase Shell History, ETW Tampering, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, WiFi Credentials Harvesting Using Netsh, Capture a network trace with netsh.exe, Network Sniffing Windows"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection, Socat Reverse Shell Detection, Socat Relaying Socket"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Ngrok Process Execution, Socat Reverse Shell Detection, SOCKS Tunneling Tool, Socat Relaying Socket, Netsh Port Forwarding, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Adexplorer Usage, Container Credential Access, Outlook Registry Access, Opening Of a Password File"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Comsvcs, WCE wceaux.dll Creation, NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data, Rubeus Tool Command-line, Process Memory Dump Using Rdrleakdiag, HackTools Suspicious Process Names In Command Line, Process Trace Alteration, Cmdkey Cached Credentials Recon, Copying Browser Files With Credentials, NTDS.dit File In Suspicious Directory, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Disabled Service"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Exfiltration And Tunneling Tools Execution, Python HTTP Server, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Double Extension"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, XCopy Suspicious Usage, Opening Of a Password File"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious PowerShell Invocations - Specific, DNS Exfiltration and Tunneling Tools Execution, PowerShell Downgrade Attack, PowerShell Download From URL, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious PrinterPorts Creation (CVE-2020-1048), Default Encoding To UTF-8 PowerShell, Suspicious Microsoft Defender Antivirus Exclusion Command, Bloodhound and Sharphound Tools Usage, Suspicious Taskkill Command, PowerShell EncodedCommand, Powershell Web Request, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Suspicious Finger Usage, Suspicious certutil command, Rclone Process"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, WMIC Uninstall Product, Koadic Execution, MalwareBytes Uninstallation, Elise Backdoor, Suspicious Taskkill Command, Lazarus Loaders"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Windows Firewall Changes, Netsh Port Opening, Netsh RDP Port Forwarding, Netsh Allow Command, NetSh Used To Disable Windows Firewall, Netsh Port Forwarding, Netsh Allowed Python Program, Netsh RDP Port Opening"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Wmic Process Call Creation, WMIC Uninstall Product, Wmic Service Call, WMI Install Of Binary, Blue Mockingbird Malware"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Koadic Execution, Microsoft Office Creating Suspicious File, Suspicious VBS Execution Parameter"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Koadic Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Suspicious Scheduled Task Creation, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Suspicious Scheduled Task Creation, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, SolarWinds Suspicious File Creation, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious certutil command, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Mshta Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups, Suncrypt Parameters"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username, Suncrypt Parameters"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Empire Monkey Activity, PowerShell Execution Via Rundll32, Equation Group DLL_U Load, Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Control Process, Empire Monkey Activity, Explorer Process Executing HTA File, PowerShell Execution Via Rundll32, AccCheckConsole Executing Dll, Suspicious Windows Installer Execution, Mshta JavaScript Execution, Equation Group DLL_U Load, Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution, xWizard Execution, MavInject Process Injection, Suspicious Taskkill Command, CertOC Loading Dll, CMSTP Execution, Suspicious Mshta Execution, Control Panel Items"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, Exchange Server Creating Unusual Files, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, IIS Module Installation Using AppCmd, Exchange Server Creating Unusual Files, Webshell Creation"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Suspicious Taskkill Command, Explorer Process Executing HTA File, Suspicious Mshta Execution"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, NlTest Usage, AdFind Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write, Change Default File Association, Suspicious Netsh DLL Persistence, New DLL Added To AppCertDlls Registry Key, Control Panel Items"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain In Command Line, Rclone Process"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, PowerShell EncodedCommand"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_ee0b3023-524c-40f6-baf5-b69c7b679887_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_ee0b3023-524c-40f6-baf5-b69c7b679887_do_not_edit_manually.json index 86d3772722..e1f3476895 100644 --- a/_shared_content/operations_center/detection/generated/attack_ee0b3023-524c-40f6-baf5-b69c7b679887_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_ee0b3023-524c-40f6-baf5-b69c7b679887_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x SonicWall Firewall", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Koadic MSHTML Command, Nimbo-C2 User Agent, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension, Suspicious Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-21985 VMware vCenter, CVE-2018-11776 Apache Struts2, CVE-2019-0604 SharePoint, CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-26855 Exchange SSRF, CVE-2020-1147 SharePoint, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-21972 VMware vCenter, CVE-2020-17530 Apache Struts RCE"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Koadic MSHTML Command, Nimbo-C2 User Agent, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Creating Unusual Files, ProxyShell Exchange Suspicious Paths, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Creating Unusual Files, ProxyShell Exchange Suspicious Paths, Webshell Creation"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: SolarWinds Suspicious File Creation, PsExec Process"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File"}]} \ No newline at end of file +{"name": "SEKOIA.IO x SonicWall Firewall", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Exfiltration And Tunneling Tools Execution, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, Nimbo-C2 User Agent, SEKOIA.IO Intelligence Feed, Detect requests to Konni C2 servers"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension, Suspicious Double Extension, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-26855 Exchange SSRF, CVE-2019-0604 SharePoint, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-17530 Apache Struts RCE, CVE-2021-21972 VMware vCenter, CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv, CVE-2020-1147 SharePoint, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2018-11776 Apache Struts2, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-21985 VMware vCenter"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Exfiltration And Tunneling Tools Execution, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, Nimbo-C2 User Agent, Detect requests to Konni C2 servers"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Potential DNS Tunnel"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Creating Unusual Files, ProxyShell Exchange Suspicious Paths, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Creating Unusual Files, ProxyShell Exchange Suspicious Paths, Webshell Creation"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, WCE wceaux.dll Creation"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_ee6364a1-9e3c-4363-9cb6-2f574bd4ce51_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_ee6364a1-9e3c-4363-9cb6-2f574bd4ce51_do_not_edit_manually.json index 2763569c07..aaf8fa8135 100644 --- a/_shared_content/operations_center/detection/generated/attack_ee6364a1-9e3c-4363-9cb6-2f574bd4ce51_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_ee6364a1-9e3c-4363-9cb6-2f574bd4ce51_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x WatchGuard Endpoint Security / Panda Security Aether", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Failed Logon Source From Public IP Addresses, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Failed Logon Source From Public IP Addresses"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: Failed Logon Source From Public IP Addresses"}]} \ No newline at end of file +{"name": "SEKOIA.IO x WatchGuard Endpoint Security / Panda Security Aether", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Failed Logon Source From Public IP Addresses, Account Added To A Security Enabled Group"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Failed Logon Source From Public IP Addresses"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: Failed Logon Source From Public IP Addresses"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_f0f95532-9928-4cde-a399-ddd992d48472_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_f0f95532-9928-4cde-a399-ddd992d48472_do_not_edit_manually.json index 3303c0e7a0..f8d4f84bd6 100644 --- a/_shared_content/operations_center/detection/generated/attack_f0f95532-9928-4cde-a399-ddd992d48472_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_f0f95532-9928-4cde-a399-ddd992d48472_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Forcepoint Secure Web Gateway", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Koadic MSHTML Command, Nimbo-C2 User Agent, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-21985 VMware vCenter, CVE-2018-11776 Apache Struts2, CVE-2019-0604 SharePoint, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-26855 Exchange SSRF, CVE-2020-1147 SharePoint, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-21972 VMware vCenter, CVE-2020-17530 Apache Struts RCE"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Koadic MSHTML Command, Nimbo-C2 User Agent, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Forcepoint Secure Web Gateway", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, Nimbo-C2 User Agent, SEKOIA.IO Intelligence Feed, Detect requests to Konni C2 servers"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-26855 Exchange SSRF, CVE-2019-0604 SharePoint, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-17530 Apache Struts RCE, CVE-2021-21972 VMware vCenter, CVE-2020-1147 SharePoint, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2018-11776 Apache Struts2, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-21985 VMware vCenter"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, Nimbo-C2 User Agent, Detect requests to Konni C2 servers"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_f570dd30-854b-4a22-9c2d-e2cfa46bf0e5_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_f570dd30-854b-4a22-9c2d-e2cfa46bf0e5_do_not_edit_manually.json index 3b4c4cb431..78080c6f06 100644 --- a/_shared_content/operations_center/detection/generated/attack_f570dd30-854b-4a22-9c2d-e2cfa46bf0e5_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_f570dd30-854b-4a22-9c2d-e2cfa46bf0e5_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Cloudflare Gateway HTTP [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, LokiBot Default C2 URL, Potential Lemon Duck User-Agent, Cloudflare Gateway HTTP File Blocked By Anti-Virus Scan, Potential Bazar Loader User-Agents, Koadic MSHTML Command, Nimbo-C2 User Agent, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2018-11776 Apache Struts2, CVE-2020-14882 Oracle WebLogic Server, GitLab CVE-2021-22205, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-21985 VMware vCenter, CVE-2019-0604 SharePoint, CVE-2018-13379 Fortinet Exploit, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-26855 Exchange SSRF, CVE-2021-21972 VMware vCenter, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-17530 Apache Struts RCE, CVE-2019-11510 Pulse Secure Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-43798 Grafana Directory Traversal, CVE-2020-1147 SharePoint, CVE-2021-22123 Fortinet FortiWeb OS Command Injection"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: LokiBot Default C2 URL, Potential Lemon Duck User-Agent, Cloudflare Gateway HTTP File Blocked By Anti-Virus Scan, Potential Bazar Loader User-Agents, Koadic MSHTML Command, Nimbo-C2 User Agent, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Cloudflare Gateway HTTP File Blocked By Anti-Virus Scan, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Cloudflare Gateway HTTP [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Koadic MSHTML Command, LokiBot Default C2 URL, Cloudflare Gateway HTTP File Blocked By Anti-Virus Scan, FoggyWeb HTTP Default GET/POST Requests, Nimbo-C2 User Agent, SEKOIA.IO Intelligence Feed, Detect requests to Konni C2 servers"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-26855 Exchange SSRF, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2018-13379 Fortinet Exploit, CVE-2021-21985 VMware vCenter, GitLab CVE-2021-22205, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2019-0604 SharePoint, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2019-11510 Pulse Secure Exploit, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2021-21972 VMware vCenter, CVE-2020-1147 SharePoint, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2018-11776 Apache Struts2, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Koadic MSHTML Command, LokiBot Default C2 URL, Cloudflare Gateway HTTP File Blocked By Anti-Virus Scan, FoggyWeb HTTP Default GET/POST Requests, Nimbo-C2 User Agent, Detect requests to Konni C2 servers"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Cloudflare Gateway HTTP File Blocked By Anti-Virus Scan"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_f5e6cf5e-bd9f-4caf-9098-fe4a9e0aeaa0_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_f5e6cf5e-bd9f-4caf-9098-fe4a9e0aeaa0_do_not_edit_manually.json index a3d7180375..961c64c219 100644 --- a/_shared_content/operations_center/detection/generated/attack_f5e6cf5e-bd9f-4caf-9098-fe4a9e0aeaa0_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_f5e6cf5e-bd9f-4caf-9098-fe4a9e0aeaa0_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x StormShield SES [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration, Kernel Module Alteration, Leviathan Registry Key Activity, Autorun Keys Modification, RUN Registry Key Created From Suspicious Folder"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies, System Info Discovery"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration, Add User to Privileged Group"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: High Privileges Network Share Removal, ETW Tampering, Erase Shell History, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows, Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, Outlook Registry Access, Container Credential Access, XCopy Suspicious Usage"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally, Dynamic Linker Hijacking From Environment Variable, Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration, Raccine Uninstall, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disable Using Registry, WMIC Uninstall Product, Debugging Software Deactivation, Netsh RDP Port Opening, Disabled IE Security Features, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh RDP Port Forwarding, Netsh Port Forwarding, MalwareBytes Uninstallation, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disable Scheduled Tasks, Suspicious Driver Loaded, Netsh Program Allowed With Suspicious Location, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Fail2ban Unban IP, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Port Opening, Microsoft Defender Antivirus Signatures Removed With MpCmdRun"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration, Raccine Uninstall, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disable Using Registry, WMIC Uninstall Product, NetSh Used To Disable Windows Firewall, Debugging Software Deactivation, Windows Firewall Changes, Clear EventLogs Through CommandLine, ETW Tampering, Netsh RDP Port Opening, Netsh Allow Command, Disabled IE Security Features, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh RDP Port Forwarding, Netsh Port Forwarding, MalwareBytes Uninstallation, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disable Scheduled Tasks, Suspicious Driver Loaded, Netsh Program Allowed With Suspicious Location, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Fail2ban Unban IP, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Port Opening, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Allowed Python Program"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Explorer Wrong Parent, Spoolsv Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, Searchindexer Wrong Parent, Taskhost Wrong Parent, Svchost Wrong Parent, Smss Wrong Parent, Taskhostw Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Searchprotocolhost Wrong Parent, MavInject Process Injection, Wsmprovhost Wrong Parent, Wmiprvse Wrong Parent"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: STRRAT Scheduled Task, Schtasks Suspicious Parent, Schtasks Persistence With High Privileges, Cron Files Alteration, Suspicious Scheduled Task Creation, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Cmdkey Cached Credentials Recon, Process Memory Dump Using Comsvcs, Process Memory Dump Using Rdrleakdiag, Rubeus Tool Command-line, Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials, Windows Credential Editor Registry Key, Process Trace Alteration, Copying Sensitive Files With Credential Data, HackTools Suspicious Process Names In Command Line"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, DNS Tunnel Technique From MuddyWater, Exfiltration And Tunneling Tools Execution, Koadic MSHTML Command, Detect requests to Konni C2 servers, Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious HWP Child Process, Possible Malicious File Double Extension, Suspicious Outlook Child Process, Suspicious Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, Suspicious DNS Child Process, Exploited CVE-2020-10189 Zoho ManageEngine, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-17530 Apache Struts RCE"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Exploit For CVE-2015-1641, Suspicious HWP Child Process, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Exploit For CVE-2015-1641, MS Office Product Spawning Exe in User Dir, Winword Document Droppers, Microsoft Office Product Spawning Windows Shell, Microsoft Office Spawning Script, Suspicious Outlook Child Process, SquirrelWaffle Malspam Execution Loading DLL, Download Files From Suspicious TLDs, Explorer Process Executing HTA File"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Exploit For CVE-2015-1641, MS Office Product Spawning Exe in User Dir, Winword Document Droppers, Microsoft Office Product Spawning Windows Shell, Microsoft Office Spawning Script, SquirrelWaffle Malspam Execution Loading DLL, Download Files From Suspicious TLDs, Explorer Process Executing HTA File"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Detect requests to Konni C2 servers, Exfiltration And Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Exploit For CVE-2017-0261 Or CVE-2017-0262, Explorer Wrong Parent, Phorpiex Process Masquerading, AutoIt3 Execution From Suspicious Folder, Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line, Possible Malicious File Double Extension, Formbook Hijacked Process Command, Non-Legitimate Executable Using AcceptEula Parameter"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command, Rclone Process, Suspicious Finger Usage, Suspicious URI Used In A Lazarus Campaign, Pandemic Windows Implant"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, PowerCat Function Loading, ProxyShell Exchange Suspicious Paths, Webshell Execution W3WP Process"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, ProxyShell Exchange Suspicious Paths, Webshell Execution W3WP Process, IIS Module Installation Using AppCmd, PowerCat Function Loading"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious Taskkill Command, Exploited CVE-2020-10189 Zoho ManageEngine, Phorpiex DriveMgr Command, Koadic Execution, Suspicious Cmd.exe Command Line, WMIC Uninstall Product, Lazarus Loaders, MalwareBytes Uninstallation, SquirrelWaffle Malspam Execution Loading DLL, Elise Backdoor"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious Taskkill Command, WMIC Uninstall Product, Bloodhound and Sharphound Tools Usage, PowerShell Download From URL, QakBot Process Creation, Suspicious Outlook Child Process, SquirrelWaffle Malspam Execution Loading DLL, Trickbot Malware Activity, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious VBS Execution Parameter, PowerShell EncodedCommand, Suspicious Microsoft Defender Antivirus Exclusion Command, Phorpiex DriveMgr Command, Powershell Web Request, Lazarus Loaders, MalwareBytes Uninstallation, Mshta Suspicious Child Process, Sysprep On AppData Folder, Elise Backdoor, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious Windows Script Execution, Koadic Execution, AutoIt3 Execution From Suspicious Folder, XSL Script Processing And SquiblyTwo Attack, Suspicious Cmd.exe Command Line, DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Invocations - Specific, PowerShell Downgrade Attack, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Office Spawning Script, Default Encoding To UTF-8 PowerShell, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious PrinterPorts Creation (CVE-2020-1048)"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, Microsoft Office Spawning Script, Suspicious Windows Script Execution, Koadic Execution, XSL Script Processing And SquiblyTwo Attack, QakBot Process Creation, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: IcedID Execution Using Excel, PowerShell Execution Via Rundll32, Equation Group DLL_U Load, Empire Monkey Activity, Suspicious DLL Loading By Ordinal, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Suspicious Windows Installer Execution, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Regsvr32 Execution, PowerShell Execution Via Rundll32, Control Panel Items, MavInject Process Injection, Mshta JavaScript Execution, MOFComp Execution, AccCheckConsole Executing Dll, xWizard Execution, Empire Monkey Activity, Suspicious DLL Loading By Ordinal, CMSTP UAC Bypass via COM Object Access, CMSTP Execution, Suspicious Rundll32.exe Execution, Explorer Process Executing HTA File, IcedID Execution Using Excel, Suspicious Control Process, CertOC Loading Dll, Suspicious Mshta Execution, Equation Group DLL_U Load"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, XCopy Suspicious Usage, Adexplorer Usage"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh RDP Port Opening, Netsh Allow Command, Netsh Program Allowed With Suspicious Location, Netsh Port Opening, Netsh RDP Port Forwarding, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Windows Firewall Changes, Netsh Allowed Python Program"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Winlogon wrong parent, Dllhost Wrong Parent, Csrss Wrong Parent, Winword wrong parent, Rare Lsass Child Found, Csrss Child Found, Searchprotocolhost Child Found, Explorer Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Taskhost Wrong Parent, Rare Logonui Child Found, Wsmprovhost Wrong Parent, Lsass Wrong Parent, Logonui Wrong Parent, SolarWinds Wrong Child Process, Searchindexer Wrong Parent, Userinit Wrong Parent, New Service Creation, Taskhostw Wrong Parent, Wmiprvse Wrong Parent, Spoolsv Wrong Parent, Svchost Wrong Parent, Smss Wrong Parent, Suspicious Commands From MS SQL Server Shell, Searchprotocolhost Wrong Parent, OneNote Suspicious Children Process"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Winlogon wrong parent, Dllhost Wrong Parent, Csrss Wrong Parent, Winword wrong parent, Rare Lsass Child Found, Csrss Child Found, Searchprotocolhost Child Found, Explorer Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Taskhost Wrong Parent, Rare Logonui Child Found, Wsmprovhost Wrong Parent, Lsass Wrong Parent, Logonui Wrong Parent, SolarWinds Wrong Child Process, Searchindexer Wrong Parent, Userinit Wrong Parent, New Service Creation, Taskhostw Wrong Parent, Wmiprvse Wrong Parent, Spoolsv Wrong Parent, Svchost Wrong Parent, Smss Wrong Parent, Suspicious Commands From MS SQL Server Shell, Searchprotocolhost Wrong Parent, OneNote Suspicious Children Process"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Winlogon wrong parent, Dllhost Wrong Parent, Csrss Wrong Parent, Winword wrong parent, Rare Lsass Child Found, Csrss Child Found, Searchprotocolhost Child Found, Usage Of Sysinternals Tools, Taskhost or Taskhostw Suspicious Child Found, Taskhost Wrong Parent, Rare Logonui Child Found, Wsmprovhost Wrong Parent, Lsass Wrong Parent, Logonui Wrong Parent, SolarWinds Wrong Child Process, Suspicious DNS Child Process, Searchindexer Wrong Parent, Userinit Wrong Parent, Taskhostw Wrong Parent, PsExec Process, Wmiprvse Wrong Parent, Usage Of Procdump With Common Arguments, Spoolsv Wrong Parent, Svchost Wrong Parent, Smss Wrong Parent, Suspicious Commands From MS SQL Server Shell, Searchprotocolhost Wrong Parent, OneNote Suspicious Children Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Winlogon wrong parent, Dllhost Wrong Parent, Csrss Wrong Parent, Winword wrong parent, Rare Lsass Child Found, Csrss Child Found, Searchprotocolhost Child Found, Windows Update LolBins, Usage Of Sysinternals Tools, Taskhost or Taskhostw Suspicious Child Found, Taskhost Wrong Parent, Rare Logonui Child Found, Wsmprovhost Wrong Parent, Lsass Wrong Parent, Logonui Wrong Parent, SolarWinds Wrong Child Process, Suspicious DNS Child Process, Searchindexer Wrong Parent, Userinit Wrong Parent, Taskhostw Wrong Parent, PsExec Process, Wmiprvse Wrong Parent, Usage Of Procdump With Common Arguments, Spoolsv Wrong Parent, Svchost Wrong Parent, Smss Wrong Parent, Suspicious Commands From MS SQL Server Shell, Searchprotocolhost Wrong Parent, OneNote Suspicious Children Process"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious PowerShell Invocations - Specific, PowerShell Downgrade Attack, Suspicious Taskkill Command, PowerShell EncodedCommand, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Exploited CVE-2020-10189 Zoho ManageEngine, Powershell Web Request, Bloodhound and Sharphound Tools Usage, PowerShell Download From URL, Default Encoding To UTF-8 PowerShell, PowerShell Malicious Nishang PowerShell Commandlets, Mshta Suspicious Child Process, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Wmic Service Call, Wmic Process Call Creation, Impacket Wmiexec Module, WMIC Uninstall Product, XSL Script Processing And SquiblyTwo Attack, Suspicious Mshta Execution From Wmi, Blue Mockingbird Malware"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Koadic Execution, Suspicious Windows Script Execution"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Exploit For CVE-2017-0261 Or CVE-2017-0262, Explorer Wrong Parent, Formbook Hijacked Process Command"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: STRRAT Scheduled Task, Schtasks Suspicious Parent, Schtasks Persistence With High Privileges, Suspicious Scheduled Task Creation, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: RUN Registry Key Created From Suspicious Folder, Leviathan Registry Key Activity, Autorun Keys Modification"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Blue Mockingbird Malware"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious certutil command, Suspicious Mshta Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Ursnif Registry Key, RedMimicry Winnti Playbook Registry Manipulation, FlowCloud Malware, Disable Workstation Lock, OceanLotus Registry Activity, Blue Mockingbird Malware, RDP Sensitive Settings Changed"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Inhibit System Recovery Deleting Backups, Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username, Suncrypt Parameters"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Suspicious Mshta Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Trickbot Malware Activity, NlTest Usage, AdFind Usage, Bloodhound and Sharphound Tools Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Ngrok Process Execution, Exfiltration And Tunneling Tools Execution, SOCKS Tunneling Tool, Netsh Port Forwarding"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write, New DLL Added To AppCertDlls Registry Key, Control Panel Items, Suspicious Netsh DLL Persistence, Sticky Key Like Backdoor Usage, Change Default File Association"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Windows Credential Editor Registry Key"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious HWP Child Process"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}]} \ No newline at end of file +{"name": "SEKOIA.IO x StormShield SES [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration, Autorun Keys Modification, Leviathan Registry Key Activity, RUN Registry Key Created From Suspicious Folder, Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, System Info Discovery, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration, Add User to Privileged Group"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, High Privileges Network Share Removal, Erase Shell History, ETW Tampering, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, WiFi Credentials Harvesting Using Netsh, Capture a network trace with netsh.exe, Network Sniffing Windows"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Adexplorer Usage, Container Credential Access, Outlook Registry Access, Opening Of a Password File"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Hijack Legit RDP Session To Move Laterally, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Using Registry, WMIC Uninstall Product, Address Space Layout Randomization (ASLR) Alteration, Suspicious Driver Loaded, Suspicious Microsoft Defender Antivirus Exclusion Command, Debugging Software Deactivation, Fail2ban Unban IP, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh RDP Port Forwarding, Disabled IE Security Features, Netsh Port Forwarding, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh Port Opening, Microsoft Defender Antivirus Disable Scheduled Tasks, MalwareBytes Uninstallation, Microsoft Defender Antivirus Restoration Abuse, Package Manager Alteration, Netsh Program Allowed With Suspicious Location, Raccine Uninstall, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Disable Using Registry, WMIC Uninstall Product, Netsh Allow Command, Address Space Layout Randomization (ASLR) Alteration, Suspicious Driver Loaded, Suspicious Microsoft Defender Antivirus Exclusion Command, Debugging Software Deactivation, Windows Firewall Changes, Fail2ban Unban IP, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh RDP Port Forwarding, ETW Tampering, Disabled IE Security Features, Netsh Port Forwarding, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh Port Opening, Microsoft Defender Antivirus Disable Scheduled Tasks, MalwareBytes Uninstallation, Microsoft Defender Antivirus Restoration Abuse, NetSh Used To Disable Windows Firewall, Package Manager Alteration, Netsh Program Allowed With Suspicious Location, Netsh Allowed Python Program, Raccine Uninstall, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Wmiprvse Wrong Parent, Smss Wrong Parent, Taskhost Wrong Parent, MavInject Process Injection, Searchindexer Wrong Parent, Taskhostw Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Svchost Wrong Parent, Explorer Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, Spoolsv Wrong Parent, Searchprotocolhost Wrong Parent, Wsmprovhost Wrong Parent"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration, Schtasks Persistence With High Privileges, Suspicious Scheduled Task Creation, Schtasks Suspicious Parent, Qakbot Persistence Using Schtasks, STRRAT Scheduled Task, BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Comsvcs, NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data, Rubeus Tool Command-line, Process Memory Dump Using Rdrleakdiag, HackTools Suspicious Process Names In Command Line, Process Trace Alteration, Windows Credential Editor Registry Key, Copying Browser Files With Credentials, Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater, Koadic MSHTML Command, SEKOIA.IO Intelligence Feed, Detect requests to Konni C2 servers"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Suspicious Double Extension, Suspicious HWP Child Process, Download Files From Suspicious TLDs, Suspicious Outlook Child Process, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Exploited CVE-2020-10189 Zoho ManageEngine, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE, Suspicious DNS Child Process"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, Net.exe User Account Creation"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Suspicious HWP Child Process, Download Files From Suspicious TLDs, Exploit For CVE-2015-1641"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Explorer Process Executing HTA File, Microsoft Office Product Spawning Windows Shell, Microsoft Office Spawning Script, Exploit For CVE-2015-1641, Winword Document Droppers, MS Office Product Spawning Exe in User Dir, SquirrelWaffle Malspam Execution Loading DLL, Download Files From Suspicious TLDs, Suspicious Outlook Child Process"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Explorer Process Executing HTA File, Microsoft Office Product Spawning Windows Shell, Microsoft Office Spawning Script, Exploit For CVE-2015-1641, Winword Document Droppers, MS Office Product Spawning Exe in User Dir, SquirrelWaffle Malspam Execution Loading DLL, Download Files From Suspicious TLDs"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Exfiltration And Tunneling Tools Execution, Python HTTP Server, Detect requests to Konni C2 servers"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, AutoIt3 Execution From Suspicious Folder, Possible Malicious File Double Extension, Exploit For CVE-2017-0261 Or CVE-2017-0262, Formbook Hijacked Process Command, Explorer Wrong Parent, Suspicious Cmd.exe Command Line, Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Rclone Process, Suspicious certutil command, Suspicious URI Used In A Lazarus Campaign, Suspicious Finger Usage, Suspicious Headless Web Browser Execution To Download File, Pandemic Windows Implant"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Execution W3WP Process, Exchange Server Spawning Suspicious Processes, PowerCat Function Loading, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: IIS Module Installation Using AppCmd, PowerCat Function Loading, ProxyShell Exchange Suspicious Paths, Webshell Execution W3WP Process, Exchange Server Spawning Suspicious Processes"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Phorpiex DriveMgr Command, WMIC Uninstall Product, Koadic Execution, MalwareBytes Uninstallation, Exploited CVE-2020-10189 Zoho ManageEngine, SquirrelWaffle Malspam Execution Loading DLL, Lazarus Loaders, Elise Backdoor, Suspicious Taskkill Command, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: WMIC Uninstall Product, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious VBS Execution Parameter, Suspicious Taskkill Command, Powershell Web Request, Exploiting SetupComplete.cmd CVE-2019-1378, QakBot Process Creation, AutoIt3 Execution From Suspicious Folder, PowerShell Download From URL, PowerShell Malicious Nishang PowerShell Commandlets, Default Encoding To UTF-8 PowerShell, Mshta Suspicious Child Process, Lazarus Loaders, PowerShell EncodedCommand, Microsoft Defender Antivirus Disabled Base64 Encoded, XSL Script Processing And SquiblyTwo Attack, Sysprep On AppData Folder, Trickbot Malware Activity, Koadic Execution, Microsoft Office Spawning Script, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious Outlook Child Process, Elise Backdoor, Phorpiex DriveMgr Command, Suspicious PowerShell Invocations - Specific, DNS Exfiltration and Tunneling Tools Execution, Suspicious Windows Script Execution, PowerShell Downgrade Attack, MalwareBytes Uninstallation, Exploited CVE-2020-10189 Zoho ManageEngine, Bloodhound and Sharphound Tools Usage, Suspicious Cmd.exe Command Line, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, QakBot Process Creation, Suspicious Windows Script Execution, Koadic Execution, Microsoft Office Spawning Script, SquirrelWaffle Malspam Execution Loading DLL, Suspicious VBS Execution Parameter"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Empire Monkey Activity, PowerShell Execution Via Rundll32, Equation Group DLL_U Load, SquirrelWaffle Malspam Execution Loading DLL, Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Control Process, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Taskkill Command, CertOC Loading Dll, Empire Monkey Activity, Suspicious Windows Installer Execution, xWizard Execution, MavInject Process Injection, MOFComp Execution, Suspicious Mshta Execution, IcedID Execution Using Excel, AccCheckConsole Executing Dll, CMSTP UAC Bypass via COM Object Access, Equation Group DLL_U Load, Suspicious Rundll32.exe Execution, Suspicious Regsvr32 Execution, Explorer Process Executing HTA File, PowerShell Execution Via Rundll32, Suspicious DLL Loading By Ordinal, Mshta JavaScript Execution, CMSTP Execution, Control Panel Items"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, XCopy Suspicious Usage, Opening Of a Password File"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Windows Firewall Changes, Netsh Port Opening, Netsh RDP Port Forwarding, Netsh Allow Command, NetSh Used To Disable Windows Firewall, Netsh Program Allowed With Suspicious Location, Netsh Port Forwarding, Netsh Allowed Python Program, Netsh RDP Port Opening"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Wmiprvse Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Winlogon wrong parent, Userinit Wrong Parent, Spoolsv Wrong Parent, Dllhost Wrong Parent, Csrss Child Found, Csrss Wrong Parent, New Service Creation, Taskhostw Wrong Parent, Logonui Wrong Parent, Winword wrong parent, Taskhost Wrong Parent, Searchindexer Wrong Parent, SolarWinds Wrong Child Process, Searchprotocolhost Child Found, Lsass Wrong Parent, Searchprotocolhost Wrong Parent, Wsmprovhost Wrong Parent, Smss Wrong Parent, OneNote Suspicious Children Process, Rare Logonui Child Found, Rare Lsass Child Found, Svchost Wrong Parent, Explorer Wrong Parent, Suspicious Commands From MS SQL Server Shell"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Wmiprvse Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Winlogon wrong parent, Userinit Wrong Parent, Spoolsv Wrong Parent, Dllhost Wrong Parent, Csrss Child Found, Csrss Wrong Parent, New Service Creation, Taskhostw Wrong Parent, Logonui Wrong Parent, Winword wrong parent, Taskhost Wrong Parent, Searchindexer Wrong Parent, SolarWinds Wrong Child Process, Searchprotocolhost Child Found, Lsass Wrong Parent, Searchprotocolhost Wrong Parent, Wsmprovhost Wrong Parent, Smss Wrong Parent, OneNote Suspicious Children Process, Rare Logonui Child Found, Rare Lsass Child Found, Svchost Wrong Parent, Explorer Wrong Parent, Suspicious Commands From MS SQL Server Shell"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools, Wmiprvse Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Winlogon wrong parent, Userinit Wrong Parent, Spoolsv Wrong Parent, Dllhost Wrong Parent, Csrss Child Found, Csrss Wrong Parent, Taskhostw Wrong Parent, Logonui Wrong Parent, Winword wrong parent, Usage Of Procdump With Common Arguments, Taskhost Wrong Parent, Searchindexer Wrong Parent, SolarWinds Wrong Child Process, Searchprotocolhost Child Found, Lsass Wrong Parent, Searchprotocolhost Wrong Parent, Wsmprovhost Wrong Parent, Smss Wrong Parent, OneNote Suspicious Children Process, PsExec Process, Rare Logonui Child Found, Rare Lsass Child Found, Svchost Wrong Parent, Suspicious Commands From MS SQL Server Shell, Suspicious DNS Child Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools, Wmiprvse Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Winlogon wrong parent, Userinit Wrong Parent, Spoolsv Wrong Parent, Dllhost Wrong Parent, Csrss Child Found, Csrss Wrong Parent, Taskhostw Wrong Parent, Logonui Wrong Parent, Winword wrong parent, Usage Of Procdump With Common Arguments, Taskhost Wrong Parent, Searchindexer Wrong Parent, SolarWinds Wrong Child Process, Searchprotocolhost Child Found, Windows Update LolBins, Lsass Wrong Parent, Searchprotocolhost Wrong Parent, Wsmprovhost Wrong Parent, Smss Wrong Parent, OneNote Suspicious Children Process, PsExec Process, Rare Logonui Child Found, Rare Lsass Child Found, Svchost Wrong Parent, Suspicious Commands From MS SQL Server Shell, Suspicious DNS Child Process"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious PowerShell Invocations - Specific, DNS Exfiltration and Tunneling Tools Execution, PowerShell Downgrade Attack, PowerShell Download From URL, PowerShell Malicious Nishang PowerShell Commandlets, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious PrinterPorts Creation (CVE-2020-1048), Default Encoding To UTF-8 PowerShell, Suspicious Microsoft Defender Antivirus Exclusion Command, Bloodhound and Sharphound Tools Usage, Mshta Suspicious Child Process, Suspicious Taskkill Command, PowerShell EncodedCommand, Powershell Web Request, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Wmic Process Call Creation, WMIC Uninstall Product, Wmic Service Call, WMI Install Of Binary, Impacket Wmiexec Module, Blue Mockingbird Malware, Suspicious Mshta Execution From Wmi"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Koadic Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Explorer Wrong Parent, Formbook Hijacked Process Command, Phorpiex Process Masquerading, Exploit For CVE-2017-0261 Or CVE-2017-0262"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Suspicious Scheduled Task Creation, Schtasks Suspicious Parent, Qakbot Persistence Using Schtasks, STRRAT Scheduled Task, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Leviathan Registry Key Activity, RUN Registry Key Created From Suspicious Folder, Autorun Keys Modification"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass Using Fodhelper, UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass Using Fodhelper, UAC Bypass Via Sdclt"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious certutil command, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Mshta Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Disable Workstation Lock, Ursnif Registry Key, FlowCloud Malware, RedMimicry Winnti Playbook Registry Manipulation, RDP Sensitive Settings Changed, OceanLotus Registry Activity, Blue Mockingbird Malware"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups, Suncrypt Parameters"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username, Suncrypt Parameters"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Suspicious Taskkill Command, Explorer Process Executing HTA File, Suspicious Mshta Execution"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, Trickbot Malware Activity, NlTest Usage, Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution, Ngrok Process Execution"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write, Change Default File Association, Sticky Key Like Backdoor Usage, Suspicious Netsh DLL Persistence, New DLL Added To AppCertDlls Registry Key, Control Panel Items"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain In Command Line, Rclone Process"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Windows Credential Editor Registry Key"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious HWP Child Process, Suspicious Double Extension"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/built_in_rules_changelog_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/built_in_rules_changelog_do_not_edit_manually.md index 6a9b694a85..eea5b62473 100644 --- a/_shared_content/operations_center/detection/generated/built_in_rules_changelog_do_not_edit_manually.md +++ b/_shared_content/operations_center/detection/generated/built_in_rules_changelog_do_not_edit_manually.md @@ -1,7 +1,10 @@ -Changelog _last update on 2023-12-01_ +Changelog _last update on 2023-12-05_ ## Changelog +### Microsoft 365 Sign-in With No User Agent + - 04/12/2023 - major - Added `Login:login` request type with a filter for codes indicating failure + ### HTA Infection Chains - 30/11/2023 - minor - Update pattern with new lolbin diff --git a/_shared_content/operations_center/detection/generated/built_in_rules_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/built_in_rules_do_not_edit_manually.md index 81a294fc93..85165a732e 100644 --- a/_shared_content/operations_center/detection/generated/built_in_rules_do_not_edit_manually.md +++ b/_shared_content/operations_center/detection/generated/built_in_rules_do_not_edit_manually.md @@ -1,4 +1,4 @@ -Rules catalog includes **779 built-in detection rules** ([_last update on 2023-12-01_](rules_changelog.md)). +Rules catalog includes **779 built-in detection rules** ([_last update on 2023-12-05_](rules_changelog.md)). ## Reconnaissance **Gather Victim Network Information** @@ -8034,10 +8034,14 @@ Rules catalog includes **779 built-in detection rules** ([_last update on 2023-1 ??? abstract "Microsoft 365 Sign-in With No User Agent" - Detects a sign-in without any User-Agent header. This may indicate that the sign-in originated from an adversary-in-the-middle phishing tool. Sign-ins happenning through a regular web browser always have a User-Agent header. + Detects a sign-in without any User-Agent header. This may indicate that the sign-in originated from an adversary-in-the-middle phishing page or a password spraying tool. Sign-ins happening through a regular web browser always have a User-Agent header. Investigate the source IP address. If it is unknown, assume that the account's password is compromised. - **Effort:** elementary + - **Changelog:** + + - 04/12/2023 - major - Added `Login:login` request type with a filter for codes indicating failure + ??? abstract "Multiple Authentication On Microsoft 365 (Office 365) Portal From Two IP Addresses" Detection of login events from two IP addresses within 3mn, as it could happen if someone got phished with a tool like Evilginx2. @@ -8171,10 +8175,14 @@ Rules catalog includes **779 built-in detection rules** ([_last update on 2023-1 ??? abstract "Microsoft 365 Sign-in With No User Agent" - Detects a sign-in without any User-Agent header. This may indicate that the sign-in originated from an adversary-in-the-middle phishing tool. Sign-ins happenning through a regular web browser always have a User-Agent header. + Detects a sign-in without any User-Agent header. This may indicate that the sign-in originated from an adversary-in-the-middle phishing page or a password spraying tool. Sign-ins happening through a regular web browser always have a User-Agent header. Investigate the source IP address. If it is unknown, assume that the account's password is compromised. - **Effort:** elementary + - **Changelog:** + + - 04/12/2023 - major - Added `Login:login` request type with a filter for codes indicating failure + ??? abstract "Multiple Authentication On Microsoft 365 (Office 365) Portal From Two IP Addresses" Detection of login events from two IP addresses within 3mn, as it could happen if someone got phished with a tool like Evilginx2. @@ -8866,10 +8874,14 @@ Rules catalog includes **779 built-in detection rules** ([_last update on 2023-1 ??? abstract "Microsoft 365 Sign-in With No User Agent" - Detects a sign-in without any User-Agent header. This may indicate that the sign-in originated from an adversary-in-the-middle phishing tool. Sign-ins happenning through a regular web browser always have a User-Agent header. + Detects a sign-in without any User-Agent header. This may indicate that the sign-in originated from an adversary-in-the-middle phishing page or a password spraying tool. Sign-ins happening through a regular web browser always have a User-Agent header. Investigate the source IP address. If it is unknown, assume that the account's password is compromised. - **Effort:** elementary + - **Changelog:** + + - 04/12/2023 - major - Added `Login:login` request type with a filter for codes indicating failure + ??? abstract "Multiple Authentication On Microsoft 365 (Office 365) Portal From Two IP Addresses" Detection of login events from two IP addresses within 3mn, as it could happen if someone got phished with a tool like Evilginx2. diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_79029ef9-e5d3-44f3-b70f-fd3b54ba1fe4_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_79029ef9-e5d3-44f3-b70f-fd3b54ba1fe4_do_not_edit_manually.md index 476615f23a..f78d5c3915 100644 --- a/_shared_content/operations_center/detection/generated/suggested_rules_79029ef9-e5d3-44f3-b70f-fd3b54ba1fe4_do_not_edit_manually.md +++ b/_shared_content/operations_center/detection/generated/suggested_rules_79029ef9-e5d3-44f3-b70f-fd3b54ba1fe4_do_not_edit_manually.md @@ -3,8 +3,914 @@ The following Sekoia.io built-in rules match the intake **Stormshield SNS**. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake. [SEKOIA.IO x Stormshield SNS on ATT&CK Navigator](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fraw.githubusercontent.com%2FSEKOIA-IO%2Fdocumentation%2Fmain%2F_shared_content%2Foperations_center%2Fdetection%2Fgenerated%2Fattack_79029ef9-e5d3-44f3-b70f-fd3b54ba1fe4_do_not_edit_manually.json){ .md-button } +??? abstract "AccCheckConsole Executing Dll" + + Detects suspicious LOLBIN AccCheckConsole execution with parameters as used to load an arbitrary DLL. + + - **Effort:** advanced + +??? abstract "AdFind Usage" + + Detects the usage of the AdFind tool. AdFind.exe is a free tool that extracts information from Active Directory. Wizard Spider (Bazar, TrickBot, Ryuk), FIN6 and MAZE operators have used AdFind.exe to collect information about Active Directory organizational units and trust objects + + - **Effort:** elementary + +??? abstract "Add User to Privileged Group" + + Add user in a potential privileged group which can be used to elevate privileges on the system + + - **Effort:** advanced + +??? abstract "Address Space Layout Randomization (ASLR) Alteration" + + ASLR is a security feature used by the Operating System to mitigate memory exploit, attacker might want to disable it + + - **Effort:** intermediate + +??? abstract "Adexplorer Usage" + + Detects the usage of Adexplorer, a legitimate tool from the Sysinternals suite that could be abused by attackers as it can saves snapshots of the Active Directory Database. + + - **Effort:** advanced + +??? abstract "Advanced IP Scanner" + + Detects the use of Advanced IP Scanner. Seems to be a popular tool for ransomware groups. + + - **Effort:** master + +??? abstract "Audio Capture via PowerShell" + + Detects audio capture via PowerShell Cmdlet + + - **Effort:** intermediate + +??? abstract "AzureEdge in Command Line" + + Detects use of azureedge in the command line. + + - **Effort:** advanced + +??? abstract "BITSAdmin Download" + + Detects command to download file using BITSAdmin, a built-in tool in Windows. This technique is used by several threat actors to download scripts or payloads on infected system. + + - **Effort:** advanced + +??? abstract "Bazar Loader DGA (Domain Generation Algorithm)" + + Detects Bazar Loader domains based on the Bazar Loader DGA + + - **Effort:** elementary + +??? abstract "BazarLoader Persistence Using Schtasks" + + Detects possible BazarLoader persistence using schtasks. BazarLoader will create a Scheduled Task using a specific command line to establish its persistence. + + - **Effort:** intermediate + +??? abstract "Bloodhound and Sharphound Tools Usage" + + Detects default process names and default command line parameters used by Bloodhound and Sharphound tools. + + - **Effort:** intermediate + +??? abstract "Blue Mockingbird Malware" + + Attempts to detect system changes made by Blue Mockingbird + + - **Effort:** elementary + +??? abstract "CMSTP Execution" + + Detects various indicators of Microsoft Connection Manager Profile Installer execution + + - **Effort:** intermediate + +??? abstract "Capture a network trace with netsh.exe" + + Detects capture a network trace via netsh.exe trace functionality + + - **Effort:** intermediate + +??? abstract "CertOC Loading Dll" + + Detects when a user installs certificates by using CertOC.exe to loads the target DLL file. + + - **Effort:** intermediate + +??? abstract "Certificate Authority Modification" + + Installation of new certificate(s) in the Certificate Authority can be used to trick user when spoofing website or to add trusted destinations. + + - **Effort:** master + +??? abstract "Change Default File Association" + + When a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access or by administrators using the built-in assoc utility. Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened. + + - **Effort:** advanced + +??? abstract "Clear EventLogs Through CommandLine" + + Detects a command that clears event logs which could indicate an attempt from an attacker to erase its previous traces. + + - **Effort:** intermediate + +??? abstract "Cmdkey Cached Credentials Recon" + + Detects usage of cmdkey to look for cached credentials. + + - **Effort:** intermediate + +??? abstract "Commonly Used Commands To Stop Services And Remove Backups" + + Detects specific commands used regularly by ransomwares to stop services or remove backups + + - **Effort:** intermediate + +??? abstract "Container Credential Access" + + Adversaries could abuse containers tools to obtain credential like Kubernetes secret or Kubernetes service account access token + + - **Effort:** intermediate + +??? abstract "Control Panel Items" + + Detects the malicious use of a control panel item + + - **Effort:** advanced + +??? abstract "Copying Browser Files With Credentials" + + Detects copy of sensitive data (passwords, cookies, credit cards) included in web browsers files. + + - **Effort:** elementary + +??? abstract "Copying Sensitive Files With Credential Data" + + Detects copy of files with well-known filenames (sensitive files with credential data) using esentutl. This requires Windows Security event log with the Detailed File Share logging policy enabled. + + - **Effort:** elementary + +??? abstract "DNS Exfiltration and Tunneling Tools Execution" + + Well-known DNS exfiltration tools execution + + - **Effort:** intermediate + +??? abstract "Data Compressed With Rar" + + An adversary may compress data in order to make it portable and minimize the amount of data sent over the network, this could be done the popular rar command line program. + + - **Effort:** master + +??? abstract "Data Compressed With Rar With Password" + + An adversary may compress data in order to make it portable and minimize the amount of data sent over the network, this could be done the popular rar command line program. This is a more specific one for rar where the arguments allow to encrypt both file data and headers with a given password. + + - **Effort:** intermediate + +??? abstract "Debugging Software Deactivation" + + Deactivation of some debugging softwares using taskkill command. It was observed being used by Ransomware operators. + + - **Effort:** elementary + +??? abstract "Default Encoding To UTF-8 PowerShell" + + Detects PowerShell encoding to UTF-8, which is used by Sliver implants. The command line just sets the default encoding to UTF-8 in PowerShell. + + - **Effort:** advanced + +??? abstract "Disable Task Manager Through Registry Key" + + Detects commands used to disable the Windows Task Manager by modifying the proper registry key in order to impair security tools. This technique is used by the Agent Tesla RAT, among others. + + - **Effort:** elementary + +??? abstract "Disabled IE Security Features" + + Detects from the command lines or the registry, changes that indicate unwanted modifications to registry keys that disable important Internet Explorer security features. This has been used by attackers during Operation Ke3chang. + + - **Effort:** advanced + +??? abstract "Domain Group And Permission Enumeration" + + Detects adversaries attempts to find domain-level groups and permission settings. Commands such as net group /domain of the Net utility can list domain-level groups The knowledge of domain-level permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as domain administrators. Wizard Spider, FIN6, and other groups used net in their campaigns. + + - **Effort:** advanced + +??? abstract "Domain Trust Discovery Through LDAP" + + Detects attempts to gather information on domain trust relationships that may be used to identify lateral movement opportunities. "trustedDomain" which is detected here is a Microsoft Active Directory ObjectClass Type that represents a domain that is trusted by, or trusting, the local AD DOMAIN. Several tools are using LDAP queries in the end to get the information (DSQuery, sometimes ADFind as well, etc.) + + - **Effort:** elementary + +??? abstract "Dynamic Linker Hijacking From Environment Variable" + + LD_PRELOAD and LD_LIBRARY_PATH are environment variables used by the Operating System at the runtime to load shared objects (library.ies) when executing a new process, attacker can overwrite this variable to attempts a privileges escalation. + + - **Effort:** advanced + +??? abstract "ETW Tampering" + + Detects a command that clears or disables any ETW Trace log which could indicate a logging evasion + + - **Effort:** intermediate + +??? abstract "Elise Backdoor" + + Detects Elise backdoor activity as used by Lotus Blossom + + - **Effort:** elementary + +??? abstract "Empire Monkey Activity" + + Detects EmpireMonkey APT reported Activity + + - **Effort:** elementary + +??? abstract "Equation Group DLL_U Load" + + Detects a specific tool and export used by EquationGroup + + - **Effort:** elementary + +??? abstract "Erase Shell History" + + Malware and attacker try to reduce their fingerprints on compromised host by deleting shell history + + - **Effort:** advanced + +??? abstract "Exchange Mailbox Export" + + Detection of a standard Exchange Mailbox export, which stores all mails from a user in a pst file. + + - **Effort:** intermediate + +??? abstract "Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data" + + Detects PowerShell SnapIn command line, often used with Get-Mailbox to export Exchange mailbox data. + + - **Effort:** intermediate + +??? abstract "Exfiltration And Tunneling Tools Execution" + + Execution of well known tools for data exfiltration and tunneling + + - **Effort:** advanced + +??? abstract "Exfiltration Domain In Command Line" + + Detects commands containing a domain linked to http exfiltration. + + - **Effort:** intermediate + +??? abstract "Explorer Process Executing HTA File" + + Detects a suspicious execution of an HTA file by the explorer.exe process. This unusual activity was observed when running IcedID malspam. + + - **Effort:** intermediate + +??? abstract "Fail2ban Unban IP" + + An IP was ubaned by Fail2ban. It could be use to allow malicous traffic. + + - **Effort:** advanced + +??? abstract "Grabbing Sensitive Hives Via Reg Utility" + + Detects dump of SAM, System or Security hives using reg.exe utility. Adversaries may attempt to dump these Windows Registry to retrieve password hashes and access credentials. + + - **Effort:** intermediate + +??? abstract "HackTools Suspicious Process Names In Command Line" + + Detects the default process name of several HackTools and also check in command line. This rule is here for quickwins as it obviously has many blind spots. + + - **Effort:** intermediate + +??? abstract "Hiding Files With Attrib.exe" + + Detects usage of attrib.exe to hide files from users. + + - **Effort:** advanced + +??? abstract "High Privileges Network Share Removal" + + Detects high privileges shares being deleted with the net share command. + + - **Effort:** intermediate + +??? abstract "ICacls Granting Access To All" + + Detects suspicious icacls command granting access to all, used by the ransomware Ryuk to delete every access-based restrictions on files and directories. ICacls is a built-in Windows command to interact with the Discretionary Access Control Lists (DACLs) which can grand adversaries higher permissions on specific files and folders. + + - **Effort:** elementary + +??? abstract "IIS Module Installation Using AppCmd" + + Detects the installation of a new IIS module from the command line. It can used used to backdoor an IIS/OWA/Sharepoint server. + + - **Effort:** intermediate + +??? abstract "Inhibit System Recovery Deleting Backups" + + Detects adversaries attempts to delete backups or inhibit system recovery. This rule relies on differents known techniques using Windows events logs from Sysmon (ID 1), and PowerShell (ID 4103, 4104). + + - **Effort:** intermediate + +??? abstract "KeePass Config XML In Command-Line" + + Detects a command-line interaction with the KeePass Config XML file. It could be used to retrieve informations or to be abused for persistence. + + - **Effort:** intermediate + +??? abstract "Kernel Module Alteration" + + Kernel module installation can be used to configure system settings to automatically execute a program during system boot or logon to maintain persistence or gain higher-level privileges on compromised systems. + + - **Effort:** advanced + +??? abstract "Koadic Execution" + + Detects command line parameters used by Koadic hack tool + + - **Effort:** intermediate + +??? abstract "Lazarus Loaders" + + Detects different loaders used by the Lazarus Group APT + + - **Effort:** elementary + +??? abstract "List Shadow Copies" + + Detects command line used to list shadow copies. An adversary may attempt to get information on shadow volumes to perform deletion or extract password hashes from the ntds.dit file. This rule requires command line logging or Windows PowerShell events (4104). + + - **Effort:** master + +??? abstract "Listing Systemd Environment" + + Detects a listing of systemd environment variables. This command could be used to do reconnaissance on a compromised host. + + - **Effort:** elementary + +??? abstract "MSBuild Abuse" + + Detection of MSBuild uses by attackers to infect an host. Focuses on XML compilation which is a Metasploit payload, and on connections made by this process which is unusual. + + - **Effort:** intermediate + +??? abstract "Malicious Browser Extensions" + + Detects browser extensions being loaded with the --load-extension and -base-url options, which works on Chromium-based browsers. We are looking for potentially malicious browser extensions. These extensions can get access to informations. + + - **Effort:** advanced + +??? abstract "MalwareBytes Uninstallation" + + Detects command line being used by attackers to uninstall Malwarebytes. + + - **Effort:** intermediate + +??? abstract "MavInject Process Injection" + + Detects process injection using the signed Windows tool Mavinject32.exe (which is a LOLBAS) + + - **Effort:** intermediate + +??? abstract "Meterpreter or Cobalt Strike Getsystem Service Installation" + + Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting some of the techniques being used (technique 1,2 and 5). + + - **Effort:** elementary + +??? abstract "Microsoft Defender Antivirus Disable Scheduled Tasks" + + The rule detects attempts to deactivate/disable Windows Defender scheduled tasks via command line + + - **Effort:** intermediate + +??? abstract "Microsoft Defender Antivirus Disable Using Registry" + + The rule detects attempts to deactivate/disable Microsoft Defender Antivirus using registry modification via command line. + + - **Effort:** master + +??? abstract "Microsoft Defender Antivirus Disabled Base64 Encoded" + + Detects attempts to deactivate/disable Windows Defender through base64 encoded PowerShell command line. + + - **Effort:** elementary + +??? abstract "Microsoft Defender Antivirus History Directory Deleted" + + Windows Defender history directory has been deleted. Could be an attempt by an attacker to remove its traces. + + - **Effort:** elementary + +??? abstract "Microsoft Defender Antivirus Restoration Abuse" + + The rule detects attempts to abuse Windows Defender file restoration tool. The Windows Defender process is allowed to write files in its own protected directory. This functionality can be used by a threat actor to overwrite Windows Defender files in order to prevent it from running correctly or use Windows Defender to execute a malicious DLL. + + - **Effort:** intermediate + +??? abstract "Microsoft Defender Antivirus Set-MpPreference Base64 Encoded" + + Detects changes of preferences for Windows Defender scan and updates. Configure Windows Defender using base64-encoded commands is suspicious and could be related to malicious activities. + + - **Effort:** intermediate + +??? abstract "Microsoft Defender Antivirus Signatures Removed With MpCmdRun" + + Detects attempts to remove Windows Defender Signatures using MpCmdRun legitimate Windows Defender executable. No signatures mean Windows Defender will be less effective (or completely useless depending on the option used). + + - **Effort:** elementary + +??? abstract "Mshta JavaScript Execution" + + Identifies suspicious mshta.exe commands that execute JavaScript supplied as a command line argument. + + - **Effort:** elementary + +??? abstract "NTDS.dit File Interaction Through Command Line" + + Detects interaction with the file NTDS.dit through command line. This is usually really suspicious and could indicate an attacker trying copy the file to then look for users password hashes. + + - **Effort:** intermediate + +??? abstract "Net.exe User Account Creation" + + Identifies creation of local users via the net.exe command + + - **Effort:** master + +??? abstract "NetSh Used To Disable Windows Firewall" + + Detects NetSh commands used to disable the Windows Firewall + + - **Effort:** intermediate + +??? abstract "Netsh Allow Command" + + Netsh command line to allow a program to pass through firewall. + + - **Effort:** advanced + +??? abstract "Netsh Allowed Python Program" + + Detects netsh command that performs modification on Firewall rules to allow the program python.exe. This activity is most likely related to the deployment of a Python server or an application that needs to communicate over a network. Threat actors could use it for data extraction, hosting a webshell or else. + + - **Effort:** intermediate + +??? abstract "Netsh Port Forwarding" + + Detects netsh commands that enable a port forwarding between to hosts. This can be used by attackers to tunnel RDP or SMB shares for example. + + - **Effort:** elementary + +??? abstract "Netsh Port Opening" + + Detects netsh commands that opens a specific port. Can be used by malware or attackers for lateralisation/exfiltration (e.g. SMB/RDP opening). + + - **Effort:** master + +??? abstract "Netsh RDP Port Forwarding" + + Detects netsh commands that configure a port forwarding of port 3389 used for RDP. This is commonly used by attackers during lateralization on windows environments. + + - **Effort:** elementary + +??? abstract "Netsh RDP Port Opening" + + Detects netsh commands that opens the port 3389 used for RDP, used in Sarwent Malware + + - **Effort:** intermediate + +??? abstract "Network Scanning and Discovery" + + Tools and command lines used for network discovery from current system + + - **Effort:** advanced + +??? abstract "Network Sniffing" + + List of common tools used for network packages sniffing + + - **Effort:** advanced + +??? abstract "Network Sniffing Windows" + + Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data. + + - **Effort:** intermediate + +??? abstract "New DLL Added To AppCertDlls Registry Key" + + Dynamic-link libraries (DLLs) that are specified in the AppCertDLLs value in the Registry key can be abused to obtain persistence and privilege escalation by causing a malicious DLL to be loaded and run in the context of separate processes on the computer. Logging for Registry events is needed in the Sysmon configuration (events 12 and 13). + + - **Effort:** intermediate + +??? abstract "New Service Creation" + + Detects creation of a new service from command line + + - **Effort:** advanced + +??? abstract "Ngrok Process Execution" + + Detects possible Ngrok execution, which can be used by attacker for RDP tunneling. + + - **Effort:** intermediate + +??? abstract "NlTest Usage" + + Detects attempts to gather information on domain trust relationships that may be used to identify lateral movement opportunities. These command lines were observed in numerous attacks, but also sometimes from legitimate administrators for debugging purposes. The rule does not cover very basics commands but rather the ones that are interesting for attackers to gather information on a domain. + + - **Effort:** intermediate + +??? abstract "Non-Legitimate Executable Using AcceptEula Parameter" + + Detects accepteula in command line with non-legitimate executable name. Some attackers are masquerading SysInternals tools with decoy names to prevent detection. + + - **Effort:** intermediate + +??? abstract "Opening Of a Password File" + + Command line detection of common office software opening some password related file. It could be a security breach if an unauthorized user access it. + + - **Effort:** advanced + +??? abstract "Outlook Registry Access" + + Detection of accesses to Microsoft Outlook registry hive, which might contain sensitive information. + + - **Effort:** elementary + +??? abstract "PasswordDump SecurityXploded Tool" + + Detects the execution of the PasswordDump SecurityXploded Tool + + - **Effort:** elementary + +??? abstract "Phorpiex DriveMgr Command" + + Detects specific command used by the Phorpiex botnet to execute a copy of the loader during its self-spreading stage. As described by Microsoft, this behavior is unique and easily identifiable due to the use of folders named with underscores "__" and the PE name "DriveMgr.exe". + + - **Effort:** elementary + +??? abstract "Potential Azure AD Phishing Page (Adversary-in-the-Middle)" + + Detects an HTTP request to an URL typical of the Azure AD authentication flow, but towards a domain that is not one the legitimate Microsoft domains used for Azure AD authentication. + + - **Effort:** intermediate + +??? abstract "PowerCat Function Loading" + + Detect a basic execution of PowerCat. PowerCat is a PowerShell function allowing to do basic connections, file transfer, shells, relays, generate payloads. + + - **Effort:** intermediate + +??? abstract "PowerShell AMSI Deactivation Bypass Using .NET Reflection" + + Detects Request to amsiInitFailed that can be used to disable AMSI (Antimalware Scan Interface) Scanning. More information about Antimalware Scan Interface https://docs.microsoft.com/en-us/windows/win32/amsi/antimalware-scan-interface-portal. + + - **Effort:** elementary + +??? abstract "PowerShell Downgrade Attack" + + Detects PowerShell downgrade attack by comparing the host versions with the actually used engine version 2.0 + + - **Effort:** elementary + +??? abstract "PowerShell Download From URL" + + Detects a Powershell process that contains download commands in its command line string + + - **Effort:** advanced + +??? abstract "PowerShell EncodedCommand" + + Detects popular file extensions in commands obfuscated in base64 run through the EncodedCommand option. + + - **Effort:** advanced + +??? abstract "PowerShell Execution Via Rundll32" + + Detects PowerShell Strings applied to rundll as seen in PowerShdll.dll Rule modified + + - **Effort:** intermediate + +??? abstract "PowerShell Malicious Nishang PowerShell Commandlets" + + Detects Commandlet names and arguments from the Nishang exploitation framework + + - **Effort:** advanced + +??? abstract "Powershell UploadString Function" + + Powershell's `uploadXXX` functions are a category of methods which can be used to exfiltrate data through native means on a Windows host. + + - **Effort:** intermediate + +??? abstract "Powershell Web Request" + + Detects the use of various web request methods executed remotely via Windows PowerShell + + - **Effort:** advanced + +??? abstract "Process Memory Dump Using Comsvcs" + + Detects the use of comsvcs in command line to dump a specific proces memory. This techinique is widlely used by attackers for privilege escalation and pivot. + + - **Effort:** elementary + +??? abstract "Process Memory Dump Using Rdrleakdiag" + + Detects the use of rdrleakdiag.exe in command line to dump the memory of a process. This technique is used by attackers for privilege escalation and pivot. + + - **Effort:** elementary + +??? abstract "Process Trace Alteration" + + PTrace syscall provides a means by which one process ("tracer") may observe and control the execution of another process ("tracee") and examine and change the tracee's memory and registers. Attacker might want to abuse ptrace functionnality to analyse memory process. It requires to be admin or set ptrace_scope to 0 to allow all user to trace any process. + + - **Effort:** advanced + +??? abstract "PsExec Process" + + Detects PsExec execution, command line which contains pstools or installation of the PsExec service. PsExec is a SysInternals which can be used to execute a program on another computer. The tool is as much used by attackers as by administrators. + + - **Effort:** advanced + +??? abstract "Python HTTP Server" + + Detects command used to start a Simple HTTP server in Python. Threat actors could use it for data extraction, hosting a webshell or else. + + - **Effort:** intermediate + +??? abstract "Python Offensive Tools and Packages" + + Track installation and usage of offensive python packages and project that are used for lateral movement + + - **Effort:** master + +??? abstract "Qakbot Persistence Using Schtasks" + + Detects possible Qakbot persistence using schtasks. + + - **Effort:** intermediate + +??? abstract "RDP Session Discovery" + + Detects use of RDP session discovery via qwinsta or quser. Used by some threat actors to know if someone is working via RDP on a server. + + - **Effort:** advanced + +??? abstract "RYUK Ransomeware - martinstevens Username" + + Detects user name "martinstevens". Wizard Spider is used to add the user name "martinstevens" to the AD of its victims. It was observed in several campaigns; in 2019 and 2020. + + - **Effort:** elementary + +??? abstract "Raccine Uninstall" + + Detects commands that indicate a Raccine removal from an end system. Raccine is a free ransomware protection tool. + + - **Effort:** elementary + +??? abstract "Rclone Process" + + Detects Rclone executable or Rclone execution by using the process name, the execution through a command obfuscated or not. + + - **Effort:** advanced + +??? abstract "RedMimicry Winnti Playbook Registry Manipulation" + + Detects actions caused by the RedMimicry Winnti playbook. Logging for Registry events is needed in the Sysmon configuration (events 12 and 13). + + - **Effort:** elementary + +??? abstract "Remote Monitoring and Management Software - AnyDesk" + + Detect artifacts related to the installation or execution of the Remote Monitoring and Management tool AnyDesk. + + - **Effort:** master + +??? abstract "Rubeus Tool Command-line" + + Detects command line parameters used by Rubeus, a toolset to interact with Kerberos and abuse it. + + - **Effort:** advanced + ??? abstract "SEKOIA.IO Intelligence Feed" Detect threats based on indicators of compromise (IOCs) collected by SEKOIA's Threat and Detection Research team. - **Effort:** elementary + +??? abstract "SOCKS Tunneling Tool" + + Detects the usage of a SOCKS tunneling tool, often used by threat actors. These tools often use the socks5 commandline argument, however socks4 can sometimes be used as well. Unfortunately, socks alone (without any number) triggered too many false positives. + + - **Effort:** intermediate + +??? abstract "Schtasks Persistence With High Privileges" + + Detection of scheduled task with high privileges used by attacker for persistence. + + - **Effort:** elementary + +??? abstract "Spyware Persistence Using Schtasks" + + Detects possible Agent Tesla or Formbook persistence using schtasks. The name of the scheduled task used by these malware is very specific (Updates/randomstring). + + - **Effort:** intermediate + +??? abstract "Suncrypt Parameters" + + Detects SunCrypt ransomware's parameters, most of which are unique. + + - **Effort:** elementary + +??? abstract "Suspicious Cmd File Copy Command To Network Share" + + Copy suspicious files through Windows cmd prompt to network share + + - **Effort:** intermediate + +??? abstract "Suspicious Control Process" + + Detects suspicious execution of control.exe process when used to execute a DLL file. + + - **Effort:** advanced + +??? abstract "Suspicious DLL Loading By Ordinal" + + Detects suspicious DLL Loading by ordinal number in a non legitimate or rare folders. For example, Sofacy (APT28) used this technique to load their Trojan in a campaign of 2018. + + - **Effort:** intermediate + +??? abstract "Suspicious Double Extension" + + Detects suspicious use of an .exe extension after a non-executable file extension like .pdf.exe, a set of spaces or underlines to cloak the executable file in spearphishing campaigns + + - **Effort:** advanced + +??? abstract "Suspicious Finger Usage" + + Detects suspicious aged finger.exe tool execution often used in malware attacks nowadays. An attacker can use finger to silently retrieve a command, a script or a payload from a remote server. For example, the tool Darkfinger-C2 uses this technique to download files from the C2 channel. + + - **Effort:** intermediate + +??? abstract "Suspicious Headless Web Browser Execution To Download File" + + Detects a suspicious command used to execute a Chromium-based web browser (Chrome or Edge) using the headless mode, meaning that the browser window wouldn't be visible, and the dump mode to download a file. This technique can be used to fingerprint the compromised host, in particular by the Ducktail infostealer. + + - **Effort:** elementary + +??? abstract "Suspicious Microsoft Defender Antivirus Exclusion Command" + + Detects PowerShell commands aiming to exclude path, process, IP address, or extension from scheduled and real-time scanning. These commands can be used by attackers or malware to avoid being detected by Windows Defender. Depending on the environment and the installed software, this detection rule could raise false positives. We recommend customizing this rule by filtering legitimate processes that use Windows Defender exclusion command in your environment. + + - **Effort:** master + +??? abstract "Suspicious Mshta Execution" + + Detects suspicious mshta.exe execution patterns, either involving file polyglotism, remote file (http, ftp or ldap) or suspicious location. This technique is often used by threat actors. + + - **Effort:** intermediate + +??? abstract "Suspicious Netsh DLL Persistence" + + Detects persitence via netsh helper. Netsh interacts with other operating system components using dynamic-link library (DLL) files. Adversaries may establish persistence by executing malicious content triggered by Netsh Helper DLLs. + + - **Effort:** elementary + +??? abstract "Suspicious Network Args In Command Line" + + Detection on some commonly observed suspicious processes command lines using HTTP schema with port 443. + + - **Effort:** intermediate + +??? abstract "Suspicious PowerShell Invocations - Specific" + + Detects suspicious PowerShell invocation command parameters + + - **Effort:** intermediate + +??? abstract "Suspicious PrinterPorts Creation (CVE-2020-1048)" + + Detects new commands that add new printer port which point to suspicious file + + - **Effort:** advanced + +??? abstract "Suspicious Rundll32.exe Execution" + + The process rundll32.exe executes a newly dropped DLL with update /i in the command line. This specific technic was observed at least being used by the IcedID loading mechanism dubbed Gziploader. + + - **Effort:** intermediate + +??? abstract "Suspicious Taskkill Command" + + Detects rare taskkill command being used. It could be related to Baby Shark malware. + + - **Effort:** intermediate + +??? abstract "Suspicious VBS Execution Parameter" + + Detects suspicious VBS file execution with a specific parameter by cscript. It was observed in the Operation CloudHopper. + + - **Effort:** elementary + +??? abstract "Suspicious Windows Installer Execution" + + Detects suspicious execution of the Windows Installer service (msiexec.exe) which could be used to install a malicious MSI package hosted on a remote server. + + - **Effort:** intermediate + +??? abstract "Suspicious Windows Script Execution" + + Detects wscript.exe or cscript.exe executing a script in user directories (C:\ProgramData or C:\Users) with a .txt extension, which is very suspicious. It could strongly correspond to a malware dropper, as seen during SquirrelWaffle maldoc campaign. + + - **Effort:** intermediate + +??? abstract "Suspicious certutil command" + + Detects suspicious certutil command which can be used by threat actors to download and/or decode payload. + + - **Effort:** intermediate + +??? abstract "Sysprep On AppData Folder" + + Detects suspicious Sysprep process start with AppData folder as target (as used by Trojan Syndicasec in Thrip report by Symantec). Sysprep is a Windows tool used to change Windows images from a generalized state to a specialized state, and then back to a generalized state. It can be used to remove all system-specific information and reset the computer. + + - **Effort:** intermediate + +??? abstract "System Info Discovery" + + System info discovery, attempt to detects basic command use to fingerprint a host + + - **Effort:** master + +??? abstract "Usage Of Procdump With Common Arguments" + + Detects the usage of Procdump sysinternals tool with some common arguments and followed by common patterns. + + - **Effort:** intermediate + +??? abstract "WMI Install Of Binary" + + Detection of WMI used to install a binary on the host. It is often used by attackers as a signed binary to infect an host. + + - **Effort:** elementary + +??? abstract "WMIC Uninstall Product" + + Detects products being uninstalled using WMIC command. + + - **Effort:** intermediate + +??? abstract "WiFi Credentials Harvesting Using Netsh" + + Detects the harvesting of WiFi credentials using netsh.exe. + + - **Effort:** advanced + +??? abstract "Windows Firewall Changes" + + Detects changes on Windows Firewall configuration + + - **Effort:** master + +??? abstract "Wmic Process Call Creation" + + The WMI command-line (WMIC) utility provides a command-line interface for Windows Management Instrumentation (WMI). WMIC is compatible with existing shells and utility commands. Although WMI is supposed to be an administration tool, it is wildy abused by threat actors. One of the reasons is WMI is quite stealthy. This rule detects the wmic command line launching a process on a remote or local host. + + - **Effort:** intermediate + +??? abstract "Wmic Service Call" + + Detects either remote or local code execution using wmic tool. + + - **Effort:** intermediate + +??? abstract "XCopy Suspicious Usage" + + Detects the usage of xcopy with suspicious command line options (used by Judgment Panda APT in the past). The rule is based on command line only in case xcopy is renamed. + + - **Effort:** advanced + +??? abstract "XSL Script Processing And SquiblyTwo Attack" + + Detection of an attack where adversaries may bypass application control and obscure execution of code by embedding scripts inside XSL files. Another variation of this technique, dubbed "Squiblytwo", involves to invoke JScript or VBScript within an XSL file. + + - **Effort:** intermediate + +??? abstract "xWizard Execution" + + Detects the execution of Xwizard tool with specific arguments which utilized to run custom class properties. + + - **Effort:** master diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_caa13404-9243-493b-943e-9848cadb1f99_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_caa13404-9243-493b-943e-9848cadb1f99_do_not_edit_manually.md index cc13712a60..8f5b3de189 100644 --- a/_shared_content/operations_center/detection/generated/suggested_rules_caa13404-9243-493b-943e-9848cadb1f99_do_not_edit_manually.md +++ b/_shared_content/operations_center/detection/generated/suggested_rules_caa13404-9243-493b-943e-9848cadb1f99_do_not_edit_manually.md @@ -281,7 +281,7 @@ The following Sekoia.io built-in rules match the intake **Microsoft 365 / Office ??? abstract "Microsoft 365 Sign-in With No User Agent" - Detects a sign-in without any User-Agent header. This may indicate that the sign-in originated from an adversary-in-the-middle phishing tool. Sign-ins happenning through a regular web browser always have a User-Agent header. + Detects a sign-in without any User-Agent header. This may indicate that the sign-in originated from an adversary-in-the-middle phishing page or a password spraying tool. Sign-ins happening through a regular web browser always have a User-Agent header. Investigate the source IP address. If it is unknown, assume that the account's password is compromised. - **Effort:** elementary diff --git a/docs/xdr/features/detect/built_in_detection_rules_eventids.md b/docs/xdr/features/detect/built_in_detection_rules_eventids.md index 9b4b004189..b5b67abe2b 100644 --- a/docs/xdr/features/detect/built_in_detection_rules_eventids.md +++ b/docs/xdr/features/detect/built_in_detection_rules_eventids.md @@ -1,6 +1,6 @@ # Built-in detection rules, EventIDs and EventProviders relations SEKOIA.IO provides built-in detection rules to illuminate intrusions, adversarial behaviours and suspicious activity escalation chains so you can immediately take steps to remediate. Built-in rules can be customized to your context and according to your security posture. -This page aims at helping partners & customers in having their detection coverage by knowing which Event IDs and [Event Providers](https://learn.microsoft.com/en-us/windows/win32/etw/providing-events) are used by rule. **Please note this was retrieved automatically from our tests samples when generating attacks that triggered the rules. It might not be exhaustive and concerns mostly Windows-related rules.** _Last update on 2023-12-01_ +This page aims at helping partners & customers in having their detection coverage by knowing which Event IDs and [Event Providers](https://learn.microsoft.com/en-us/windows/win32/etw/providing-events) are used by rule. **Please note this was retrieved automatically from our tests samples when generating attacks that triggered the rules. It might not be exhaustive and concerns mostly Windows-related rules.** _Last update on 2023-12-05_ The colors of the EventIDs in this page should be interpreted as follow: