From adff182efefa783d2d2871c24d825d29a0323ebd Mon Sep 17 00:00:00 2001 From: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com> Date: Wed, 15 Nov 2023 15:26:46 -0500 Subject: [PATCH] Update Prebuilt Rule Links for Malicious Site in 8.2 (#4278) * Update URLs in branch 8.2 * Update HTTP links to HTTPS in fix-old-links-in-security-rules-8-2 --- ...rule-0-14-2-creation-of-a-hidden-local-user-account.asciidoc | 2 +- ...rebuilt-rule-0-14-2-remote-file-copy-via-teamviewer.asciidoc | 2 +- ...0-2-account-configured-with-never-expiring-password.asciidoc | 2 +- ...-rule-1-0-2-creation-of-a-hidden-local-user-account.asciidoc | 2 +- ...prebuilt-rule-1-0-2-remote-file-copy-via-teamviewer.asciidoc | 2 +- ...-rule-1-0-2-suspicious-managed-code-hosting-process.asciidoc | 2 +- ...ebuilt-rule-1-0-2-suspicious-werfault-child-process.asciidoc | 2 +- ...1-1-account-configured-with-never-expiring-password.asciidoc | 2 +- ...-rule-8-1-1-creation-of-a-hidden-local-user-account.asciidoc | 2 +- ...prebuilt-rule-8-1-1-remote-file-copy-via-teamviewer.asciidoc | 2 +- ...-rule-8-2-1-creation-of-a-hidden-local-user-account.asciidoc | 2 +- ...prebuilt-rule-8-2-1-remote-file-copy-via-teamviewer.asciidoc | 2 +- ...ebuilt-rule-8-2-1-suspicious-werfault-child-process.asciidoc | 2 +- .../account-configured-with-never-expiring-password.asciidoc | 2 +- .../creation-of-a-hidden-local-user-account.asciidoc | 2 +- .../rule-details/remote-execution-via-file-shares.asciidoc | 2 +- .../rule-details/remote-file-copy-via-teamviewer.asciidoc | 2 +- .../suspicious-managed-code-hosting-process.asciidoc | 2 +- .../rule-details/suspicious-werfault-child-process.asciidoc | 2 +- 19 files changed, 19 insertions(+), 19 deletions(-) 
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/0-14-2/prebuilt-rule-0-14-2-creation-of-a-hidden-local-user-account.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/0-14-2/prebuilt-rule-0-14-2-creation-of-a-hidden-local-user-account.asciidoc index 020e566575..09239daf23 100644 --- a/docs/detections/prebuilt-rules/downloadable-packages/0-14-2/prebuilt-rule-0-14-2-creation-of-a-hidden-local-user-account.asciidoc +++ b/docs/detections/prebuilt-rules/downloadable-packages/0-14-2/prebuilt-rule-0-14-2-creation-of-a-hidden-local-user-account.asciidoc @@ -23,7 +23,7 @@ Identifies the creation of a hidden local user account by appending the dollar s *References*: -* https://blog.menasec.net/2019/02/threat-hunting-6-hiding-in-plain-sights_8.html +* https://web.archive.org/web/20230329153858/https://blog.menasec.net/2019/02/threat-hunting-6-hiding-in-plain-sights_8.html * https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/tree/master/2020/2020.12.15.Lazarus_Campaign *Tags*: diff --git a/docs/detections/prebuilt-rules/downloadable-packages/0-14-2/prebuilt-rule-0-14-2-remote-file-copy-via-teamviewer.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/0-14-2/prebuilt-rule-0-14-2-remote-file-copy-via-teamviewer.asciidoc index 2d5ce573d1..429a555d18 100644 --- a/docs/detections/prebuilt-rules/downloadable-packages/0-14-2/prebuilt-rule-0-14-2-remote-file-copy-via-teamviewer.asciidoc +++ b/docs/detections/prebuilt-rules/downloadable-packages/0-14-2/prebuilt-rule-0-14-2-remote-file-copy-via-teamviewer.asciidoc @@ -23,7 +23,7 @@ Identifies an executable or script file remotely downloaded via a TeamViewer tra *References*: -* https://blog.menasec.net/2019/11/hunting-for-suspicious-use-of.html +* https://web.archive.org/web/20230329160957/https://blog.menasec.net/2019/11/hunting-for-suspicious-use-of.html *Tags*: 
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/1-0-2/prebuilt-rule-1-0-2-account-configured-with-never-expiring-password.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/1-0-2/prebuilt-rule-1-0-2-account-configured-with-never-expiring-password.asciidoc index 18a07bda0f..2c4fed828e 100644 --- a/docs/detections/prebuilt-rules/downloadable-packages/1-0-2/prebuilt-rule-1-0-2-account-configured-with-never-expiring-password.asciidoc +++ b/docs/detections/prebuilt-rules/downloadable-packages/1-0-2/prebuilt-rule-1-0-2-account-configured-with-never-expiring-password.asciidoc @@ -23,7 +23,7 @@ Detects the creation and modification of an account with the "Don't Expire Passw *References*: * https://www.cert.ssi.gouv.fr/uploads/guide-ad.html#dont_expire -* https://blog.menasec.net/2019/02/threat-hunting-26-persistent-password.html +* https://web.archive.org/web/20230329171952/https://blog.menasec.net/2019/02/threat-hunting-26-persistent-password.html *Tags*: diff --git a/docs/detections/prebuilt-rules/downloadable-packages/1-0-2/prebuilt-rule-1-0-2-creation-of-a-hidden-local-user-account.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/1-0-2/prebuilt-rule-1-0-2-creation-of-a-hidden-local-user-account.asciidoc index f57d60146e..c2fca7cb6c 100644 --- a/docs/detections/prebuilt-rules/downloadable-packages/1-0-2/prebuilt-rule-1-0-2-creation-of-a-hidden-local-user-account.asciidoc +++ b/docs/detections/prebuilt-rules/downloadable-packages/1-0-2/prebuilt-rule-1-0-2-creation-of-a-hidden-local-user-account.asciidoc 
@@ -23,7 +23,7 @@ Identifies the creation of a hidden local user account by appending the dollar s *References*: -* https://blog.menasec.net/2019/02/threat-hunting-6-hiding-in-plain-sights_8.html +* https://web.archive.org/web/20230329153858/https://blog.menasec.net/2019/02/threat-hunting-6-hiding-in-plain-sights_8.html * https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/tree/master/2020/2020.12.15.Lazarus_Campaign *Tags*: diff --git a/docs/detections/prebuilt-rules/downloadable-packages/1-0-2/prebuilt-rule-1-0-2-remote-file-copy-via-teamviewer.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/1-0-2/prebuilt-rule-1-0-2-remote-file-copy-via-teamviewer.asciidoc index 4c0e2a95f0..97d5e5a6a3 100644 --- a/docs/detections/prebuilt-rules/downloadable-packages/1-0-2/prebuilt-rule-1-0-2-remote-file-copy-via-teamviewer.asciidoc +++ b/docs/detections/prebuilt-rules/downloadable-packages/1-0-2/prebuilt-rule-1-0-2-remote-file-copy-via-teamviewer.asciidoc @@ -23,7 +23,7 @@ Identifies an executable or script file remotely downloaded via a TeamViewer tra *References*: -* https://blog.menasec.net/2019/11/hunting-for-suspicious-use-of.html +* https://web.archive.org/web/20230329160957/https://blog.menasec.net/2019/11/hunting-for-suspicious-use-of.html *Tags*: diff --git a/docs/detections/prebuilt-rules/downloadable-packages/1-0-2/prebuilt-rule-1-0-2-suspicious-managed-code-hosting-process.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/1-0-2/prebuilt-rule-1-0-2-suspicious-managed-code-hosting-process.asciidoc index 2c7f451f37..cc3b23750c 100644 --- a/docs/detections/prebuilt-rules/downloadable-packages/1-0-2/prebuilt-rule-1-0-2-suspicious-managed-code-hosting-process.asciidoc +++ b/docs/detections/prebuilt-rules/downloadable-packages/1-0-2/prebuilt-rule-1-0-2-suspicious-managed-code-hosting-process.asciidoc 
@@ -23,7 +23,7 @@ Identifies a suspicious managed code hosting process which could indicate code i *References*: -* https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html +* https://web.archive.org/web/20230329154538/https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html *Tags*: diff --git a/docs/detections/prebuilt-rules/downloadable-packages/1-0-2/prebuilt-rule-1-0-2-suspicious-werfault-child-process.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/1-0-2/prebuilt-rule-1-0-2-suspicious-werfault-child-process.asciidoc index cafdf8ee54..ef2a86868e 100644 --- a/docs/detections/prebuilt-rules/downloadable-packages/1-0-2/prebuilt-rule-1-0-2-suspicious-werfault-child-process.asciidoc +++ b/docs/detections/prebuilt-rules/downloadable-packages/1-0-2/prebuilt-rule-1-0-2-suspicious-werfault-child-process.asciidoc @@ -25,7 +25,7 @@ A suspicious WerFault child process was detected, which may indicate an attempt * https://www.hexacorn.com/blog/2019/09/19/silentprocessexit-quick-look-under-the-hood/ * https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx -* https://blog.menasec.net/2021/01/ +* https://web.archive.org/web/20230530011556/https://blog.menasec.net/2021/01/ *Tags*: diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-1-1/prebuilt-rule-8-1-1-account-configured-with-never-expiring-password.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-1-1/prebuilt-rule-8-1-1-account-configured-with-never-expiring-password.asciidoc index 8b2ae547d7..544388b78b 100644 --- a/docs/detections/prebuilt-rules/downloadable-packages/8-1-1/prebuilt-rule-8-1-1-account-configured-with-never-expiring-password.asciidoc +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-1-1/prebuilt-rule-8-1-1-account-configured-with-never-expiring-password.asciidoc 
@@ -23,7 +23,7 @@ Detects the creation and modification of an account with the "Don't Expire Passw *References*: * https://www.cert.ssi.gouv.fr/uploads/guide-ad.html#dont_expire -* https://blog.menasec.net/2019/02/threat-hunting-26-persistent-password.html +* https://web.archive.org/web/20230329171952/https://blog.menasec.net/2019/02/threat-hunting-26-persistent-password.html *Tags*: diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-1-1/prebuilt-rule-8-1-1-creation-of-a-hidden-local-user-account.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-1-1/prebuilt-rule-8-1-1-creation-of-a-hidden-local-user-account.asciidoc index 735a3d6056..acff2fd7fe 100644 --- a/docs/detections/prebuilt-rules/downloadable-packages/8-1-1/prebuilt-rule-8-1-1-creation-of-a-hidden-local-user-account.asciidoc +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-1-1/prebuilt-rule-8-1-1-creation-of-a-hidden-local-user-account.asciidoc @@ -23,7 +23,7 @@ Identifies the creation of a hidden local user account by appending the dollar s *References*: -* https://blog.menasec.net/2019/02/threat-hunting-6-hiding-in-plain-sights_8.html +* https://web.archive.org/web/20230329153858/https://blog.menasec.net/2019/02/threat-hunting-6-hiding-in-plain-sights_8.html * https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/tree/master/2020/2020.12.15.Lazarus_Campaign *Tags*: diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-1-1/prebuilt-rule-8-1-1-remote-file-copy-via-teamviewer.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-1-1/prebuilt-rule-8-1-1-remote-file-copy-via-teamviewer.asciidoc index 418ce5d49a..71c9ed2f01 100644 --- a/docs/detections/prebuilt-rules/downloadable-packages/8-1-1/prebuilt-rule-8-1-1-remote-file-copy-via-teamviewer.asciidoc +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-1-1/prebuilt-rule-8-1-1-remote-file-copy-via-teamviewer.asciidoc 
@@ -23,7 +23,7 @@ Identifies an executable or script file remotely downloaded via a TeamViewer tra *References*: -* https://blog.menasec.net/2019/11/hunting-for-suspicious-use-of.html +* https://web.archive.org/web/20230329160957/https://blog.menasec.net/2019/11/hunting-for-suspicious-use-of.html *Tags*: diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-2-1/prebuilt-rule-8-2-1-creation-of-a-hidden-local-user-account.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-2-1/prebuilt-rule-8-2-1-creation-of-a-hidden-local-user-account.asciidoc index 9e7b24a737..a5005d6c76 100644 --- a/docs/detections/prebuilt-rules/downloadable-packages/8-2-1/prebuilt-rule-8-2-1-creation-of-a-hidden-local-user-account.asciidoc +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-2-1/prebuilt-rule-8-2-1-creation-of-a-hidden-local-user-account.asciidoc @@ -23,7 +23,7 @@ Identifies the creation of a hidden local user account by appending the dollar s *References*: -* https://blog.menasec.net/2019/02/threat-hunting-6-hiding-in-plain-sights_8.html +* https://web.archive.org/web/20230329153858/https://blog.menasec.net/2019/02/threat-hunting-6-hiding-in-plain-sights_8.html * https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/tree/master/2020/2020.12.15.Lazarus_Campaign *Tags*: diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-2-1/prebuilt-rule-8-2-1-remote-file-copy-via-teamviewer.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-2-1/prebuilt-rule-8-2-1-remote-file-copy-via-teamviewer.asciidoc index 4b64a71f5c..263baa9d18 100644 --- a/docs/detections/prebuilt-rules/downloadable-packages/8-2-1/prebuilt-rule-8-2-1-remote-file-copy-via-teamviewer.asciidoc +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-2-1/prebuilt-rule-8-2-1-remote-file-copy-via-teamviewer.asciidoc 
@@ -23,7 +23,7 @@ Identifies an executable or script file remotely downloaded via a TeamViewer tra *References*: -* https://blog.menasec.net/2019/11/hunting-for-suspicious-use-of.html +* https://web.archive.org/web/20230329160957/https://blog.menasec.net/2019/11/hunting-for-suspicious-use-of.html *Tags*: diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-2-1/prebuilt-rule-8-2-1-suspicious-werfault-child-process.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-2-1/prebuilt-rule-8-2-1-suspicious-werfault-child-process.asciidoc index 4a6acb4b56..71bba5baca 100644 --- a/docs/detections/prebuilt-rules/downloadable-packages/8-2-1/prebuilt-rule-8-2-1-suspicious-werfault-child-process.asciidoc +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-2-1/prebuilt-rule-8-2-1-suspicious-werfault-child-process.asciidoc @@ -25,7 +25,7 @@ A suspicious WerFault child process was detected, which may indicate an attempt * https://www.hexacorn.com/blog/2019/09/19/silentprocessexit-quick-look-under-the-hood/ * https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx -* https://blog.menasec.net/2021/01/ +* https://web.archive.org/web/20230530011556/https://blog.menasec.net/2021/01/ *Tags*: diff --git a/docs/detections/prebuilt-rules/rule-details/account-configured-with-never-expiring-password.asciidoc b/docs/detections/prebuilt-rules/rule-details/account-configured-with-never-expiring-password.asciidoc index e66478141b..b10f49024b 100644 --- a/docs/detections/prebuilt-rules/rule-details/account-configured-with-never-expiring-password.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/account-configured-with-never-expiring-password.asciidoc 
@@ -23,7 +23,7 @@ Detects the creation and modification of an account with the "Don't Expire Passw *References*: * https://www.cert.ssi.gouv.fr/uploads/guide-ad.html#dont_expire -* https://blog.menasec.net/2019/02/threat-hunting-26-persistent-password.html +* https://web.archive.org/web/20230329171952/https://blog.menasec.net/2019/02/threat-hunting-26-persistent-password.html *Tags*: diff --git a/docs/detections/prebuilt-rules/rule-details/creation-of-a-hidden-local-user-account.asciidoc b/docs/detections/prebuilt-rules/rule-details/creation-of-a-hidden-local-user-account.asciidoc index 1c44da928c..b09468ddfa 100644 --- a/docs/detections/prebuilt-rules/rule-details/creation-of-a-hidden-local-user-account.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/creation-of-a-hidden-local-user-account.asciidoc @@ -23,7 +23,7 @@ Identifies the creation of a hidden local user account by appending the dollar s *References*: -* https://blog.menasec.net/2019/02/threat-hunting-6-hiding-in-plain-sights_8.html +* https://web.archive.org/web/20230329153858/https://blog.menasec.net/2019/02/threat-hunting-6-hiding-in-plain-sights_8.html * https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/tree/master/2020/2020.12.15.Lazarus_Campaign *Tags*: diff --git a/docs/detections/prebuilt-rules/rule-details/remote-execution-via-file-shares.asciidoc b/docs/detections/prebuilt-rules/rule-details/remote-execution-via-file-shares.asciidoc index e985e7fee9..984ba86ef8 100644 --- a/docs/detections/prebuilt-rules/rule-details/remote-execution-via-file-shares.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/remote-execution-via-file-shares.asciidoc @@ -23,7 +23,7 @@ Identifies the execution of a file that was created by the virtual system proces *References*: -* https://blog.menasec.net/2020/08/new-trick-to-detect-lateral-movement.html +* https://web.archive.org/web/20230329172636/https://blog.menasec.net/2020/08/new-trick-to-detect-lateral-movement.html *Tags*: 
diff --git a/docs/detections/prebuilt-rules/rule-details/remote-file-copy-via-teamviewer.asciidoc b/docs/detections/prebuilt-rules/rule-details/remote-file-copy-via-teamviewer.asciidoc index c03a541082..d0953ebeac 100644 --- a/docs/detections/prebuilt-rules/rule-details/remote-file-copy-via-teamviewer.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/remote-file-copy-via-teamviewer.asciidoc @@ -23,7 +23,7 @@ Identifies an executable or script file remotely downloaded via a TeamViewer tra *References*: -* https://blog.menasec.net/2019/11/hunting-for-suspicious-use-of.html +* https://web.archive.org/web/20230329160957/https://blog.menasec.net/2019/11/hunting-for-suspicious-use-of.html *Tags*: diff --git a/docs/detections/prebuilt-rules/rule-details/suspicious-managed-code-hosting-process.asciidoc b/docs/detections/prebuilt-rules/rule-details/suspicious-managed-code-hosting-process.asciidoc index 177d9046ec..f749510ef4 100644 --- a/docs/detections/prebuilt-rules/rule-details/suspicious-managed-code-hosting-process.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/suspicious-managed-code-hosting-process.asciidoc @@ -23,7 +23,7 @@ Identifies a suspicious managed code hosting process which could indicate code i *References*: -* https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html +* https://web.archive.org/web/20230329154538/https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html *Tags*: diff --git a/docs/detections/prebuilt-rules/rule-details/suspicious-werfault-child-process.asciidoc b/docs/detections/prebuilt-rules/rule-details/suspicious-werfault-child-process.asciidoc index c4e9157bf1..0c892ba0ef 100644 --- a/docs/detections/prebuilt-rules/rule-details/suspicious-werfault-child-process.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/suspicious-werfault-child-process.asciidoc 
@@ -25,7 +25,7 @@ A suspicious WerFault child process was detected, which may indicate an attempt * https://www.hexacorn.com/blog/2019/09/19/silentprocessexit-quick-look-under-the-hood/ * https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx -* https://blog.menasec.net/2021/01/ +* https://web.archive.org/web/20230530011556/https://blog.menasec.net/2021/01/ *Tags*:
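Review bot: The set of files touched is uneven across the versioned packages, so a leftover live link is possible. `remote-execution-via-file-shares` is changed only under `rule-details/`, `suspicious-managed-code-hosting-process` only in `1-0-2` and `rule-details/`, `suspicious-werfault-child-process` in `1-0-2`, `8-2-1` and `rule-details/` but not `0-14-2` or `8-1-1`, and `account-configured-with-never-expiring-password` in `1-0-2`, `8-1-1` and `rule-details/` but not `0-14-2` or `8-2-1`. That may simply reflect which rules ship in which package, but please confirm with a search of `docs/detections/prebuilt-rules/` for any `blog.menasec.net` reference that is not already prefixed by `web.archive.org/web/`, and note the result in the PR.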
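Review bot: In the three `suspicious-werfault-child-process` hunks (`@@ -25,7 +25,7 @@`), the replacement still points at a month index, `https://blog.menasec.net/2021/01/`, rather than at a specific post, so the archived snapshot `20230530011556` only preserves whatever that index page listed at capture time. The other references in this patch archive individual articles. Consider replacing this one with the archived URL of the specific post the rule relies on, so the reference stays useful to an analyst triaging the alert.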
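Review bot: The commit message's second bullet, "Update HTTP links to HTTPS", has no matching change in the 19 hunks: every removed line already begins with `https://`, and each edit only swaps a `blog.menasec.net` URL for a `web.archive.org` snapshot. Either drop that bullet or state what it covered. It would also help to say in the message which domain is being retired and why, since the subject only says "Malicious Site" and the asciidoc pages themselves give readers no indication that the reference is now an archived copy.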