diff --git a/.github/ISSUE_TEMPLATE/config.yml b/.github/ISSUE_TEMPLATE/config.yml index a8199a104..67f6e2a32 100644 --- a/.github/ISSUE_TEMPLATE/config.yml +++ b/.github/ISSUE_TEMPLATE/config.yml @@ -4,4 +4,4 @@ contact_links: about: Please ask and answer questions here. - name: AWS/Amazon Security url: https://aws.amazon.com/security/vulnerability-reporting/ - about: Please report security vulnerabilities here. \ No newline at end of file + about: Please report security vulnerabilities here. diff --git a/.github/workflows/backport.yml b/.github/workflows/backport.yml index 2d3d7060f..e3f96a44f 100644 --- a/.github/workflows/backport.yml +++ b/.github/workflows/backport.yml @@ -26,4 +26,4 @@ jobs: uses: VachaShah/backport@v1.1.4 with: github_token: ${{ steps.github_app_token.outputs.token }} - branch_name: backport/backport-${{ github.event.number }} \ No newline at end of file + branch_name: backport/backport-${{ github.event.number }} diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index c2ab4d407..7dfd0c361 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -84,4 +84,4 @@ jobs: uses: actions/upload-artifact@v1 with: name: security-analytics-plugin-${{ matrix.os }} - path: security-analytics-artifacts \ No newline at end of file + path: security-analytics-artifacts diff --git a/.github/workflows/dco.yml b/.github/workflows/dco.yml index d4c9ff2c4..0a30f2f76 100644 --- a/.github/workflows/dco.yml +++ b/.github/workflows/dco.yml @@ -15,4 +15,4 @@ jobs: - name: DCO Check uses: tim-actions/dco@v1.1.0 with: - commits: ${{ steps.get-pr-commits.outputs.commits }} \ No newline at end of file + commits: ${{ steps.get-pr-commits.outputs.commits }} diff --git a/.github/workflows/delete_backport_branch.yml b/.github/workflows/delete_backport_branch.yml index 39b5b3424..5dcb12e2d 100644 --- a/.github/workflows/delete_backport_branch.yml +++ b/.github/workflows/delete_backport_branch.yml @@ -17,4 +17,4 @@ jobs: - name: Delete merged branch uses: SvanBoxel/delete-merged-branch@main env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} \ No newline at end of file + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/multi-node-test-workflow.yml b/.github/workflows/multi-node-test-workflow.yml index d7c4a1a0c..4bd011bbb 100644 --- a/.github/workflows/multi-node-test-workflow.yml +++ b/.github/workflows/multi-node-test-workflow.yml @@ -33,4 +33,4 @@ jobs: if: failure() with: name: logs - path: build/testclusters/integTest-*/logs/* \ No newline at end of file + path: build/testclusters/integTest-*/logs/* diff --git a/.github/workflows/security-test-workflow.yml b/.github/workflows/security-test-workflow.yml index f600314e2..725dd9207 100644 --- a/.github/workflows/security-test-workflow.yml +++ b/.github/workflows/security-test-workflow.yml @@ -82,7 +82,7 @@ jobs: if [ $security -gt 0 ] then echo "Security plugin is available" - ./gradlew :integTest -Dtests.rest.cluster=localhost:9200 -Dtests.cluster=localhost:9200 -Dtests.clustername=docker-cluster -Dhttps=true -Duser=admin -Dpassword=admin + ./gradlew :integTest -Dtests.rest.cluster=localhost:9200 -Dtests.cluster=localhost:9200 -Dtests.clustername=docker-cluster -Dhttps=true -Duser=admin -Dpassword=admin else echo "Security plugin is NOT available skipping this run as tests without security have already been run" fi diff --git a/.github/workflows/version.yml b/.github/workflows/version.yml index 550306f13..ce850295d 100644 --- a/.github/workflows/version.yml +++ b/.github/workflows/version.yml @@ -5,7 +5,7 @@ on: tags: - '*.*.*.*' -jobs: +jobs: build: runs-on: ubuntu-latest steps: @@ -50,4 +50,4 @@ jobs: delete-branch: true title: '[AUTO] Incremented version to ${{ env.NEXT_VERSION }}.' body: | - I've noticed that a new tag ${{ env.TAG }} was pushed, and incremented the version from ${{ env.CURRENT_VERSION }} to ${{ env.NEXT_VERSION }}. \ No newline at end of file + I've noticed that a new tag ${{ env.TAG }} was pushed, and incremented the version from ${{ env.CURRENT_VERSION }} to ${{ env.NEXT_VERSION }}. diff --git a/build.gradle b/build.gradle index 1fe0c1b7a..71fc610a1 100644 --- a/build.gradle +++ b/build.gradle @@ -2,11 +2,12 @@ * Copyright OpenSearch Contributors * SPDX-License-Identifier: Apache-2.0 */ +import com.diffplug.gradle.spotless.JavaExtension import org.opensearch.gradle.test.RestIntegTestTask buildscript { ext { - opensearch_version = System.getProperty("opensearch.version", "2.9.0-SNAPSHOT") + opensearch_version = System.getProperty("opensearch.version", "2.10.0-SNAPSHOT") isSnapshot = "true" == System.getProperty("build.snapshot", "true") buildVersionQualifier = System.getProperty("build.version_qualifier", "") version_tokens = opensearch_version.tokenize('-') @@ -35,6 +36,8 @@ buildscript { } plugins { + id 'java' + id 'com.diffplug.spotless' version '6.20.0' id "com.netflix.nebula.ospackage" version "11.3.0" id 'java-library' } @@ -44,6 +47,7 @@ apply plugin: 'opensearch.testclusters' apply plugin: 'opensearch.java-rest-test' apply plugin: 'opensearch.pluginzip' apply from: 'build-tools/opensearchplugin-coverage.gradle' +apply from: 'gradle/formatting.gradle' ext { projectSubstitutions = [:] @@ -88,7 +92,7 @@ allprojects { apply from: "$rootDir/build-tools/repositories.gradle" - plugins.withId('java') { + java { targetCompatibility = JavaVersion.VERSION_11 sourceCompatibility = JavaVersion.VERSION_11 } @@ -156,6 +160,11 @@ dependencies { zipArchive group: 'org.opensearch.plugin', name:'alerting', version: "${opensearch_build}" zipArchive group: 'org.opensearch.plugin', name:'opensearch-notifications-core', version: "${opensearch_build}" zipArchive group: 'org.opensearch.plugin', name:'notifications', version: "${opensearch_build}" + + //spotless + implementation('com.google.googlejavaformat:google-java-format:1.17.0') { + exclude group: 'com.google.guava' + } } // RPM & Debian build @@ -343,7 +352,7 @@ afterEvaluate { maintainer 'OpenSearch Team ' url 'https://opensearch.org/downloads.html' summary ''' - Security Analytics plugin for OpenSearch. + Security Analytics plugin for OpenSearch. Reference documentation can be found at https://docs-beta.opensearch.org/. '''.stripIndent().replace('\n', ' ').trim() } @@ -368,4 +377,4 @@ afterEvaluate { doLast { delete file("$buildDir/distributions/$archiveFileName") } } } -} \ No newline at end of file +} diff --git a/checkstyle/sun_checks.xml b/checkstyle/sun_checks.xml new file mode 100644 index 000000000..b11aede42 --- /dev/null +++ b/checkstyle/sun_checks.xml @@ -0,0 +1,225 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/formatter/formatterConfig.xml b/formatter/formatterConfig.xml new file mode 100644 index 000000000..b0e1ecccb --- /dev/null +++ b/formatter/formatterConfig.xml @@ -0,0 +1,362 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/gradle/formatting.gradle b/gradle/formatting.gradle new file mode 100644 index 000000000..4d0e223f2 --- /dev/null +++ b/gradle/formatting.gradle @@ -0,0 +1,36 @@ +allprojects { + project.apply plugin: "com.diffplug.spotless" + spotless { + java { + // Normally this isn't necessary, but we have Java sources in + // non-standard places + target '*/com/amazon/dlic/auth/**/*.java' + + removeUnusedImports() + eclipse().configFile rootProject.file('formatter/formatterConfig.xml') + trimTrailingWhitespace() + endWithNewline(); + + // note: you can use an empty string for all the imports you didn't specify explicitly, and '\\#` prefix for static imports + importOrder('java', 'javax', '', 'com.amazon', 'org.opensearch', '\\#') + + custom 'Refuse wildcard imports', { + // Wildcard imports can't be resolved; fail the build + if (it =~ /\s+import .*\*;/) { + throw new AssertionError("Do not use wildcard imports. 'spotlessApply' cannot resolve this issue.") + } + } + + // See DEVELOPER_GUIDE.md for details of when to enable this. + if (System.getProperty('spotless.paddedcell') != null) { + paddedCell() + } + } + format 'misc', { + target '*.md', '*.gradle', '**/*.json', '**/*.yaml', '**/*.yml', '**/*.svg' + + trimTrailingWhitespace() + endWithNewline() + } + } +} \ No newline at end of file diff --git a/gradle/wrapper/gradle-wrapper.properties b/gradle/wrapper/gradle-wrapper.properties index 37aef8d3f..daf8a3998 100644 --- a/gradle/wrapper/gradle-wrapper.properties +++ b/gradle/wrapper/gradle-wrapper.properties @@ -1,6 +1,6 @@ distributionBase=GRADLE_USER_HOME distributionPath=wrapper/dists -distributionUrl=https\://services.gradle.org/distributions/gradle-8.1.1-bin.zip -networkTimeout=10000 +distributionUrl=https\://services.gradle.org/distributions/gradle-8.2.1-bin.zip zipStoreBase=GRADLE_USER_HOME zipStorePath=wrapper/dists +distributionSha256Sum=03ec176d388f2aa99defcadc3ac6adf8dd2bce5145a129659537c0874dea5ad1 diff --git a/gradlew b/gradlew index aeb74cbb4..325571e39 100755 --- a/gradlew +++ b/gradlew @@ -130,10 +130,12 @@ location of your Java installation." fi else JAVACMD=java - which java >/dev/null 2>&1 || die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. - + if ! command -v java >/dev/null 2>&1 + then + die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. Please set the JAVA_HOME variable in your environment to match the location of your Java installation." + fi fi # Increase the maximum file descriptors if we can. diff --git a/src/main/java/org/opensearch/securityanalytics/SecurityAnalyticsPlugin.java b/src/main/java/org/opensearch/securityanalytics/SecurityAnalyticsPlugin.java index 26b029cde..df6d0b6cc 100644 --- a/src/main/java/org/opensearch/securityanalytics/SecurityAnalyticsPlugin.java +++ b/src/main/java/org/opensearch/securityanalytics/SecurityAnalyticsPlugin.java @@ -12,9 +12,9 @@ import java.util.function.Supplier; import org.apache.logging.log4j.LogManager; import org.apache.logging.log4j.Logger; -import org.opensearch.action.ActionListener; +import org.opensearch.core.action.ActionListener; import org.opensearch.action.ActionRequest; -import org.opensearch.action.ActionResponse; +import org.opensearch.core.action.ActionResponse; import org.opensearch.action.search.SearchRequest; import org.opensearch.action.search.SearchResponse; import org.opensearch.client.Client; @@ -22,14 +22,14 @@ import org.opensearch.cluster.node.DiscoveryNode; import org.opensearch.cluster.node.DiscoveryNodes; import org.opensearch.cluster.service.ClusterService; -import org.opensearch.common.component.LifecycleComponent; -import org.opensearch.common.io.stream.NamedWriteableRegistry; +import org.opensearch.common.lifecycle.LifecycleComponent; import org.opensearch.common.settings.ClusterSettings; import org.opensearch.common.settings.IndexScopedSettings; import org.opensearch.common.settings.Setting; import org.opensearch.common.settings.Settings; import org.opensearch.common.settings.SettingsFilter; import org.opensearch.commons.alerting.action.AlertingActions; +import org.opensearch.core.common.io.stream.NamedWriteableRegistry; import org.opensearch.core.xcontent.NamedXContentRegistry; import org.opensearch.env.Environment; import org.opensearch.env.NodeEnvironment; diff --git a/src/main/java/org/opensearch/securityanalytics/action/AckAlertsRequest.java b/src/main/java/org/opensearch/securityanalytics/action/AckAlertsRequest.java index 09e0dfc61..455fd56ca 100644 --- a/src/main/java/org/opensearch/securityanalytics/action/AckAlertsRequest.java +++ b/src/main/java/org/opensearch/securityanalytics/action/AckAlertsRequest.java @@ -7,8 +7,8 @@ import org.opensearch.action.ActionRequest; import org.opensearch.action.ActionRequestValidationException; import org.opensearch.action.ValidateActions; -import org.opensearch.common.io.stream.StreamInput; -import org.opensearch.common.io.stream.StreamOutput; +import org.opensearch.core.common.io.stream.StreamInput; +import org.opensearch.core.common.io.stream.StreamOutput; import org.opensearch.core.xcontent.ToXContent; import org.opensearch.core.xcontent.XContentBuilder; diff --git a/src/main/java/org/opensearch/securityanalytics/action/AckAlertsResponse.java b/src/main/java/org/opensearch/securityanalytics/action/AckAlertsResponse.java index d83bec12c..56262689b 100644 --- a/src/main/java/org/opensearch/securityanalytics/action/AckAlertsResponse.java +++ b/src/main/java/org/opensearch/securityanalytics/action/AckAlertsResponse.java @@ -4,9 +4,9 @@ */ package org.opensearch.securityanalytics.action; -import org.opensearch.action.ActionResponse; -import org.opensearch.common.io.stream.StreamInput; -import org.opensearch.common.io.stream.StreamOutput; +import org.opensearch.core.action.ActionResponse; +import org.opensearch.core.common.io.stream.StreamInput; +import org.opensearch.core.common.io.stream.StreamOutput; import org.opensearch.core.xcontent.ToXContentObject; import org.opensearch.core.xcontent.XContentBuilder; diff --git a/src/main/java/org/opensearch/securityanalytics/action/AlertDto.java b/src/main/java/org/opensearch/securityanalytics/action/AlertDto.java index f2b46cdb7..97e55be6b 100644 --- a/src/main/java/org/opensearch/securityanalytics/action/AlertDto.java +++ b/src/main/java/org/opensearch/securityanalytics/action/AlertDto.java @@ -7,9 +7,9 @@ import java.io.IOException; import java.time.Instant; import java.util.List; -import org.opensearch.common.io.stream.StreamInput; -import org.opensearch.common.io.stream.StreamOutput; -import org.opensearch.common.io.stream.Writeable; +import org.opensearch.core.common.io.stream.StreamInput; +import org.opensearch.core.common.io.stream.StreamOutput; +import org.opensearch.core.common.io.stream.Writeable; import org.opensearch.common.lucene.uid.Versions; import org.opensearch.commons.alerting.alerts.AlertError; import org.opensearch.commons.alerting.model.ActionExecutionResult; diff --git a/src/main/java/org/opensearch/securityanalytics/action/CorrelatedFindingRequest.java b/src/main/java/org/opensearch/securityanalytics/action/CorrelatedFindingRequest.java index 6eaf9a0ca..2f78aa718 100644 --- a/src/main/java/org/opensearch/securityanalytics/action/CorrelatedFindingRequest.java +++ b/src/main/java/org/opensearch/securityanalytics/action/CorrelatedFindingRequest.java @@ -6,8 +6,8 @@ import org.opensearch.action.ActionRequest; import org.opensearch.action.ActionRequestValidationException; -import org.opensearch.common.io.stream.StreamInput; -import org.opensearch.common.io.stream.StreamOutput; +import org.opensearch.core.common.io.stream.StreamInput; +import org.opensearch.core.common.io.stream.StreamOutput; import org.opensearch.securityanalytics.model.Detector; import java.io.IOException; diff --git a/src/main/java/org/opensearch/securityanalytics/action/CorrelatedFindingResponse.java b/src/main/java/org/opensearch/securityanalytics/action/CorrelatedFindingResponse.java index 3e4dd7eb9..a5f31f13b 100644 --- a/src/main/java/org/opensearch/securityanalytics/action/CorrelatedFindingResponse.java +++ b/src/main/java/org/opensearch/securityanalytics/action/CorrelatedFindingResponse.java @@ -4,9 +4,9 @@ */ package org.opensearch.securityanalytics.action; -import org.opensearch.action.ActionResponse; -import org.opensearch.common.io.stream.StreamInput; -import org.opensearch.common.io.stream.StreamOutput; +import org.opensearch.core.action.ActionResponse; +import org.opensearch.core.common.io.stream.StreamInput; +import org.opensearch.core.common.io.stream.StreamOutput; import org.opensearch.core.xcontent.ToXContentObject; import org.opensearch.core.xcontent.XContentBuilder; import org.opensearch.securityanalytics.model.FindingWithScore; diff --git a/src/main/java/org/opensearch/securityanalytics/action/CreateIndexMappingsRequest.java b/src/main/java/org/opensearch/securityanalytics/action/CreateIndexMappingsRequest.java index 8e246072f..01666ed2a 100644 --- a/src/main/java/org/opensearch/securityanalytics/action/CreateIndexMappingsRequest.java +++ b/src/main/java/org/opensearch/securityanalytics/action/CreateIndexMappingsRequest.java @@ -9,13 +9,14 @@ import org.opensearch.action.ActionRequest; import org.opensearch.action.ActionRequestValidationException; import org.opensearch.core.common.Strings; -import org.opensearch.common.io.stream.StreamInput; -import org.opensearch.common.io.stream.StreamOutput; +import org.opensearch.core.common.io.stream.StreamInput; +import org.opensearch.core.common.io.stream.StreamOutput; import org.opensearch.common.xcontent.XContentFactory; -import org.opensearch.common.xcontent.XContentParserUtils; +import org.opensearch.core.xcontent.MediaTypeRegistry; import org.opensearch.core.xcontent.ToXContentObject; import org.opensearch.core.xcontent.XContentBuilder; import org.opensearch.core.xcontent.XContentParser; +import org.opensearch.core.xcontent.XContentParserUtils; import java.io.IOException; import java.util.HashMap; @@ -135,7 +136,7 @@ public static CreateIndexMappingsRequest parse(XContentParser xcp) throws IOExce aliasMap.put(alias, Map.of("type", "alias", "path", path)); } } - aliasMappings = org.opensearch.common.Strings.toString(XContentFactory.jsonBuilder().map(Map.of("properties", aliasMap))); + aliasMappings = MediaTypeRegistry.JSON.contentBuilder().map(Map.of("properties", aliasMap)).toString(); break; case PARTIAL_FIELD: partial = xcp.booleanValue(); diff --git a/src/main/java/org/opensearch/securityanalytics/action/DeleteCorrelationRuleRequest.java b/src/main/java/org/opensearch/securityanalytics/action/DeleteCorrelationRuleRequest.java index 3bae730c4..a50b61046 100644 --- a/src/main/java/org/opensearch/securityanalytics/action/DeleteCorrelationRuleRequest.java +++ b/src/main/java/org/opensearch/securityanalytics/action/DeleteCorrelationRuleRequest.java @@ -13,8 +13,8 @@ import org.opensearch.action.ActionRequestValidationException; import org.opensearch.action.ValidateActions; import org.opensearch.action.support.WriteRequest; -import org.opensearch.common.io.stream.StreamInput; -import org.opensearch.common.io.stream.StreamOutput; +import org.opensearch.core.common.io.stream.StreamInput; +import org.opensearch.core.common.io.stream.StreamOutput; import org.opensearch.rest.RestRequest; import org.opensearch.securityanalytics.model.CorrelationRule; diff --git a/src/main/java/org/opensearch/securityanalytics/action/DeleteCustomLogTypeRequest.java b/src/main/java/org/opensearch/securityanalytics/action/DeleteCustomLogTypeRequest.java index 1bce40fe2..e1ae97099 100644 --- a/src/main/java/org/opensearch/securityanalytics/action/DeleteCustomLogTypeRequest.java +++ b/src/main/java/org/opensearch/securityanalytics/action/DeleteCustomLogTypeRequest.java @@ -11,8 +11,8 @@ import org.opensearch.action.ActionRequest; import org.opensearch.action.ActionRequestValidationException; import org.opensearch.action.support.WriteRequest; -import org.opensearch.common.io.stream.StreamInput; -import org.opensearch.common.io.stream.StreamOutput; +import org.opensearch.core.common.io.stream.StreamInput; +import org.opensearch.core.common.io.stream.StreamOutput; import java.io.IOException; diff --git a/src/main/java/org/opensearch/securityanalytics/action/DeleteCustomLogTypeResponse.java b/src/main/java/org/opensearch/securityanalytics/action/DeleteCustomLogTypeResponse.java index 6347a42a1..49a2e1672 100644 --- a/src/main/java/org/opensearch/securityanalytics/action/DeleteCustomLogTypeResponse.java +++ b/src/main/java/org/opensearch/securityanalytics/action/DeleteCustomLogTypeResponse.java @@ -8,12 +8,12 @@ package org.opensearch.securityanalytics.action; -import org.opensearch.action.ActionResponse; -import org.opensearch.common.io.stream.StreamInput; -import org.opensearch.common.io.stream.StreamOutput; +import org.opensearch.core.action.ActionResponse; +import org.opensearch.core.common.io.stream.StreamInput; +import org.opensearch.core.common.io.stream.StreamOutput; import org.opensearch.core.xcontent.ToXContentObject; import org.opensearch.core.xcontent.XContentBuilder; -import org.opensearch.rest.RestStatus; +import org.opensearch.core.rest.RestStatus; import java.io.IOException; diff --git a/src/main/java/org/opensearch/securityanalytics/action/DeleteDetectorRequest.java b/src/main/java/org/opensearch/securityanalytics/action/DeleteDetectorRequest.java index 27bcfa2a6..3392da4c1 100644 --- a/src/main/java/org/opensearch/securityanalytics/action/DeleteDetectorRequest.java +++ b/src/main/java/org/opensearch/securityanalytics/action/DeleteDetectorRequest.java @@ -7,8 +7,8 @@ import org.opensearch.action.ActionRequest; import org.opensearch.action.ActionRequestValidationException; import org.opensearch.action.support.WriteRequest; -import org.opensearch.common.io.stream.StreamInput; -import org.opensearch.common.io.stream.StreamOutput; +import org.opensearch.core.common.io.stream.StreamInput; +import org.opensearch.core.common.io.stream.StreamOutput; import java.io.IOException; diff --git a/src/main/java/org/opensearch/securityanalytics/action/DeleteDetectorResponse.java b/src/main/java/org/opensearch/securityanalytics/action/DeleteDetectorResponse.java index 4981cbc47..313488449 100644 --- a/src/main/java/org/opensearch/securityanalytics/action/DeleteDetectorResponse.java +++ b/src/main/java/org/opensearch/securityanalytics/action/DeleteDetectorResponse.java @@ -4,12 +4,12 @@ */ package org.opensearch.securityanalytics.action; -import org.opensearch.action.ActionResponse; -import org.opensearch.common.io.stream.StreamInput; -import org.opensearch.common.io.stream.StreamOutput; +import org.opensearch.core.action.ActionResponse; +import org.opensearch.core.common.io.stream.StreamInput; +import org.opensearch.core.common.io.stream.StreamOutput; import org.opensearch.core.xcontent.ToXContentObject; import org.opensearch.core.xcontent.XContentBuilder; -import org.opensearch.rest.RestStatus; +import org.opensearch.core.rest.RestStatus; import java.io.IOException; diff --git a/src/main/java/org/opensearch/securityanalytics/action/DeleteRuleRequest.java b/src/main/java/org/opensearch/securityanalytics/action/DeleteRuleRequest.java index 18c2a740a..b1206f5ed 100644 --- a/src/main/java/org/opensearch/securityanalytics/action/DeleteRuleRequest.java +++ b/src/main/java/org/opensearch/securityanalytics/action/DeleteRuleRequest.java @@ -7,8 +7,8 @@ import org.opensearch.action.ActionRequest; import org.opensearch.action.ActionRequestValidationException; import org.opensearch.action.support.WriteRequest; -import org.opensearch.common.io.stream.StreamInput; -import org.opensearch.common.io.stream.StreamOutput; +import org.opensearch.core.common.io.stream.StreamInput; +import org.opensearch.core.common.io.stream.StreamOutput; import java.io.IOException; diff --git a/src/main/java/org/opensearch/securityanalytics/action/DeleteRuleResponse.java b/src/main/java/org/opensearch/securityanalytics/action/DeleteRuleResponse.java index ffeb6bf4f..63e843e1e 100644 --- a/src/main/java/org/opensearch/securityanalytics/action/DeleteRuleResponse.java +++ b/src/main/java/org/opensearch/securityanalytics/action/DeleteRuleResponse.java @@ -4,12 +4,12 @@ */ package org.opensearch.securityanalytics.action; -import org.opensearch.action.ActionResponse; -import org.opensearch.common.io.stream.StreamInput; -import org.opensearch.common.io.stream.StreamOutput; +import org.opensearch.core.action.ActionResponse; +import org.opensearch.core.common.io.stream.StreamInput; +import org.opensearch.core.common.io.stream.StreamOutput; import org.opensearch.core.xcontent.ToXContentObject; import org.opensearch.core.xcontent.XContentBuilder; -import org.opensearch.rest.RestStatus; +import org.opensearch.core.rest.RestStatus; import java.io.IOException; diff --git a/src/main/java/org/opensearch/securityanalytics/action/FindingDto.java b/src/main/java/org/opensearch/securityanalytics/action/FindingDto.java index f94a08c81..92ca2a171 100644 --- a/src/main/java/org/opensearch/securityanalytics/action/FindingDto.java +++ b/src/main/java/org/opensearch/securityanalytics/action/FindingDto.java @@ -7,9 +7,9 @@ import java.io.IOException; import java.time.Instant; import java.util.List; -import org.opensearch.common.io.stream.StreamInput; -import org.opensearch.common.io.stream.StreamOutput; -import org.opensearch.common.io.stream.Writeable; +import org.opensearch.core.common.io.stream.StreamInput; +import org.opensearch.core.common.io.stream.StreamOutput; +import org.opensearch.core.common.io.stream.Writeable; import org.opensearch.commons.alerting.model.DocLevelQuery; import org.opensearch.commons.alerting.model.FindingDocument; import org.opensearch.commons.alerting.model.FindingWithDocs; diff --git a/src/main/java/org/opensearch/securityanalytics/action/GetAlertsRequest.java b/src/main/java/org/opensearch/securityanalytics/action/GetAlertsRequest.java index 5ed416deb..1e0cb6113 100644 --- a/src/main/java/org/opensearch/securityanalytics/action/GetAlertsRequest.java +++ b/src/main/java/org/opensearch/securityanalytics/action/GetAlertsRequest.java @@ -8,8 +8,8 @@ import java.util.Locale; import org.opensearch.action.ActionRequest; import org.opensearch.action.ActionRequestValidationException; -import org.opensearch.common.io.stream.StreamInput; -import org.opensearch.common.io.stream.StreamOutput; +import org.opensearch.core.common.io.stream.StreamInput; +import org.opensearch.core.common.io.stream.StreamOutput; import org.opensearch.commons.alerting.model.Table; import org.opensearch.securityanalytics.model.Detector; diff --git a/src/main/java/org/opensearch/securityanalytics/action/GetAlertsResponse.java b/src/main/java/org/opensearch/securityanalytics/action/GetAlertsResponse.java index 7b0f6e01b..11f541512 100644 --- a/src/main/java/org/opensearch/securityanalytics/action/GetAlertsResponse.java +++ b/src/main/java/org/opensearch/securityanalytics/action/GetAlertsResponse.java @@ -8,14 +8,14 @@ import java.util.ArrayList; import java.util.Collections; import java.util.List; -import org.opensearch.action.ActionResponse; -import org.opensearch.common.io.stream.StreamInput; -import org.opensearch.common.io.stream.StreamOutput; +import org.opensearch.core.action.ActionResponse; +import org.opensearch.core.common.io.stream.StreamInput; +import org.opensearch.core.common.io.stream.StreamOutput; import org.opensearch.commons.alerting.model.Alert; import org.opensearch.commons.alerting.model.FindingWithDocs; import org.opensearch.core.xcontent.ToXContentObject; import org.opensearch.core.xcontent.XContentBuilder; -import org.opensearch.rest.RestStatus; +import org.opensearch.core.rest.RestStatus; import org.opensearch.securityanalytics.model.Detector; public class GetAlertsResponse extends ActionResponse implements ToXContentObject { diff --git a/src/main/java/org/opensearch/securityanalytics/action/GetAllRuleCategoriesRequest.java b/src/main/java/org/opensearch/securityanalytics/action/GetAllRuleCategoriesRequest.java index 241d7a066..c0006d4d8 100644 --- a/src/main/java/org/opensearch/securityanalytics/action/GetAllRuleCategoriesRequest.java +++ b/src/main/java/org/opensearch/securityanalytics/action/GetAllRuleCategoriesRequest.java @@ -7,8 +7,8 @@ import java.io.IOException; import org.opensearch.action.ActionRequest; import org.opensearch.action.ActionRequestValidationException; -import org.opensearch.common.io.stream.StreamInput; -import org.opensearch.common.io.stream.StreamOutput; +import org.opensearch.core.common.io.stream.StreamInput; +import org.opensearch.core.common.io.stream.StreamOutput; public class GetAllRuleCategoriesRequest extends ActionRequest { diff --git a/src/main/java/org/opensearch/securityanalytics/action/GetAllRuleCategoriesResponse.java b/src/main/java/org/opensearch/securityanalytics/action/GetAllRuleCategoriesResponse.java index c182fac48..f2082f988 100644 --- a/src/main/java/org/opensearch/securityanalytics/action/GetAllRuleCategoriesResponse.java +++ b/src/main/java/org/opensearch/securityanalytics/action/GetAllRuleCategoriesResponse.java @@ -6,9 +6,9 @@ import java.io.IOException; import java.util.List; -import org.opensearch.action.ActionResponse; -import org.opensearch.common.io.stream.StreamInput; -import org.opensearch.common.io.stream.StreamOutput; +import org.opensearch.core.action.ActionResponse; +import org.opensearch.core.common.io.stream.StreamInput; +import org.opensearch.core.common.io.stream.StreamOutput; import org.opensearch.core.xcontent.ToXContentObject; import org.opensearch.core.xcontent.XContentBuilder; import org.opensearch.securityanalytics.model.RuleCategory; diff --git a/src/main/java/org/opensearch/securityanalytics/action/GetDetectorRequest.java b/src/main/java/org/opensearch/securityanalytics/action/GetDetectorRequest.java index 15743690a..2e5dfe105 100644 --- a/src/main/java/org/opensearch/securityanalytics/action/GetDetectorRequest.java +++ b/src/main/java/org/opensearch/securityanalytics/action/GetDetectorRequest.java @@ -6,9 +6,9 @@ import org.opensearch.action.ActionRequest; import org.opensearch.action.ActionRequestValidationException; -import org.opensearch.common.io.stream.StreamInput; -import org.opensearch.common.io.stream.StreamOutput; -import org.opensearch.common.xcontent.XContentParserUtils; +import org.opensearch.core.common.io.stream.StreamInput; +import org.opensearch.core.common.io.stream.StreamOutput; +import org.opensearch.core.xcontent.XContentParserUtils; import org.opensearch.core.xcontent.XContentParser; import java.io.IOException; diff --git a/src/main/java/org/opensearch/securityanalytics/action/GetDetectorResponse.java b/src/main/java/org/opensearch/securityanalytics/action/GetDetectorResponse.java index 318429bb6..3e4fc68d1 100644 --- a/src/main/java/org/opensearch/securityanalytics/action/GetDetectorResponse.java +++ b/src/main/java/org/opensearch/securityanalytics/action/GetDetectorResponse.java @@ -4,12 +4,12 @@ */ package org.opensearch.securityanalytics.action; -import org.opensearch.action.ActionResponse; -import org.opensearch.common.io.stream.StreamInput; -import org.opensearch.common.io.stream.StreamOutput; +import org.opensearch.core.action.ActionResponse; +import org.opensearch.core.common.io.stream.StreamInput; +import org.opensearch.core.common.io.stream.StreamOutput; import org.opensearch.core.xcontent.ToXContentObject; import org.opensearch.core.xcontent.XContentBuilder; -import org.opensearch.rest.RestStatus; +import org.opensearch.core.rest.RestStatus; import org.opensearch.securityanalytics.model.Detector; import java.io.IOException; diff --git a/src/main/java/org/opensearch/securityanalytics/action/GetFindingsRequest.java b/src/main/java/org/opensearch/securityanalytics/action/GetFindingsRequest.java index cc4c5d7eb..8e99720ee 100644 --- a/src/main/java/org/opensearch/securityanalytics/action/GetFindingsRequest.java +++ b/src/main/java/org/opensearch/securityanalytics/action/GetFindingsRequest.java @@ -8,8 +8,8 @@ import java.util.Locale; import org.opensearch.action.ActionRequest; import org.opensearch.action.ActionRequestValidationException; -import org.opensearch.common.io.stream.StreamInput; -import org.opensearch.common.io.stream.StreamOutput; +import org.opensearch.core.common.io.stream.StreamInput; +import org.opensearch.core.common.io.stream.StreamOutput; import org.opensearch.commons.alerting.model.Table; import org.opensearch.securityanalytics.model.Detector; diff --git a/src/main/java/org/opensearch/securityanalytics/action/GetFindingsResponse.java b/src/main/java/org/opensearch/securityanalytics/action/GetFindingsResponse.java index 3bc483b91..08146daa3 100644 --- a/src/main/java/org/opensearch/securityanalytics/action/GetFindingsResponse.java +++ b/src/main/java/org/opensearch/securityanalytics/action/GetFindingsResponse.java @@ -8,13 +8,13 @@ import java.util.ArrayList; import java.util.Collections; import java.util.List; -import org.opensearch.action.ActionResponse; -import org.opensearch.common.io.stream.StreamInput; -import org.opensearch.common.io.stream.StreamOutput; +import org.opensearch.core.action.ActionResponse; +import org.opensearch.core.common.io.stream.StreamInput; +import org.opensearch.core.common.io.stream.StreamOutput; import org.opensearch.commons.alerting.model.FindingWithDocs; import org.opensearch.core.xcontent.ToXContentObject; import org.opensearch.core.xcontent.XContentBuilder; -import org.opensearch.rest.RestStatus; +import org.opensearch.core.rest.RestStatus; import org.opensearch.securityanalytics.model.Detector; diff --git a/src/main/java/org/opensearch/securityanalytics/action/GetIndexMappingsRequest.java b/src/main/java/org/opensearch/securityanalytics/action/GetIndexMappingsRequest.java index 089920350..804b4f191 100644 --- a/src/main/java/org/opensearch/securityanalytics/action/GetIndexMappingsRequest.java +++ b/src/main/java/org/opensearch/securityanalytics/action/GetIndexMappingsRequest.java @@ -6,9 +6,9 @@ import org.opensearch.action.ActionRequest; import org.opensearch.action.ActionRequestValidationException; -import org.opensearch.common.io.stream.StreamInput; -import org.opensearch.common.io.stream.StreamOutput; -import org.opensearch.common.xcontent.XContentParserUtils; +import org.opensearch.core.common.io.stream.StreamInput; +import org.opensearch.core.common.io.stream.StreamOutput; +import org.opensearch.core.xcontent.XContentParserUtils; import org.opensearch.core.xcontent.XContentParser; import java.io.IOException; diff --git a/src/main/java/org/opensearch/securityanalytics/action/GetIndexMappingsResponse.java b/src/main/java/org/opensearch/securityanalytics/action/GetIndexMappingsResponse.java index b7d42b123..b52c03c5b 100644 --- a/src/main/java/org/opensearch/securityanalytics/action/GetIndexMappingsResponse.java +++ b/src/main/java/org/opensearch/securityanalytics/action/GetIndexMappingsResponse.java @@ -4,17 +4,19 @@ */ package org.opensearch.securityanalytics.action; -import org.apache.logging.log4j.LogManager; -import org.apache.logging.log4j.Logger; import java.util.Collections; import java.util.HashMap; import java.util.Map; + +import org.apache.logging.log4j.LogManager; +import org.apache.logging.log4j.Logger; import org.opensearch.Version; -import org.opensearch.action.ActionResponse; +import org.opensearch.core.action.ActionResponse; import org.opensearch.cluster.metadata.MappingMetadata; +import org.opensearch.core.common.Strings; +import org.opensearch.core.common.io.stream.StreamInput; +import org.opensearch.core.common.io.stream.StreamOutput; import org.opensearch.common.xcontent.XContentType; -import org.opensearch.common.io.stream.StreamInput; -import org.opensearch.common.io.stream.StreamOutput; import org.opensearch.core.ParseField; import org.opensearch.core.xcontent.ToXContentObject; import org.opensearch.core.xcontent.XContentBuilder; @@ -104,7 +106,7 @@ public Map getMappings() { @Override public String toString() { - return org.opensearch.common.Strings.toString(XContentType.JSON, this); + return Strings.toString(XContentType.JSON, this); } @Override diff --git a/src/main/java/org/opensearch/securityanalytics/action/GetMappingsViewRequest.java b/src/main/java/org/opensearch/securityanalytics/action/GetMappingsViewRequest.java index 3e4e6d7ec..787ebbb25 100644 --- a/src/main/java/org/opensearch/securityanalytics/action/GetMappingsViewRequest.java +++ b/src/main/java/org/opensearch/securityanalytics/action/GetMappingsViewRequest.java @@ -8,9 +8,9 @@ import java.util.Locale; import org.opensearch.action.ActionRequest; import org.opensearch.action.ActionRequestValidationException; -import org.opensearch.common.io.stream.StreamInput; -import org.opensearch.common.io.stream.StreamOutput; -import org.opensearch.common.xcontent.XContentParserUtils; +import org.opensearch.core.common.io.stream.StreamInput; +import org.opensearch.core.common.io.stream.StreamOutput; +import org.opensearch.core.xcontent.XContentParserUtils; import org.opensearch.core.xcontent.XContentParser; diff --git a/src/main/java/org/opensearch/securityanalytics/action/GetMappingsViewResponse.java b/src/main/java/org/opensearch/securityanalytics/action/GetMappingsViewResponse.java index 62e8e6c7e..b5a7d5ac0 100644 --- a/src/main/java/org/opensearch/securityanalytics/action/GetMappingsViewResponse.java +++ b/src/main/java/org/opensearch/securityanalytics/action/GetMappingsViewResponse.java @@ -6,9 +6,9 @@ import org.apache.logging.log4j.LogManager; import org.apache.logging.log4j.Logger; -import org.opensearch.action.ActionResponse; -import org.opensearch.common.io.stream.StreamInput; -import org.opensearch.common.io.stream.StreamOutput; +import org.opensearch.core.action.ActionResponse; +import org.opensearch.core.common.io.stream.StreamInput; +import org.opensearch.core.common.io.stream.StreamOutput; import org.opensearch.securityanalytics.mapper.MapperUtils; import org.opensearch.core.xcontent.ToXContentObject; import org.opensearch.core.xcontent.XContentBuilder; @@ -18,6 +18,10 @@ import java.util.List; import java.util.Map; import java.util.Objects; +import org.opensearch.core.action.ActionResponse; +import org.opensearch.core.common.Strings; +import org.opensearch.core.common.io.stream.StreamInput; +import org.opensearch.core.common.io.stream.StreamOutput; import org.opensearch.common.xcontent.XContentType; public class GetMappingsViewResponse extends ActionResponse implements ToXContentObject { @@ -129,7 +133,7 @@ public List getUnmappedIndexFields() { @Override public String toString() { - return org.opensearch.common.Strings.toString(XContentType.JSON, this); + return Strings.toString(XContentType.JSON, this); } @Override diff --git a/src/main/java/org/opensearch/securityanalytics/action/IndexCorrelationRuleRequest.java b/src/main/java/org/opensearch/securityanalytics/action/IndexCorrelationRuleRequest.java index ca1ed2595..1b70fb6c2 100644 --- a/src/main/java/org/opensearch/securityanalytics/action/IndexCorrelationRuleRequest.java +++ b/src/main/java/org/opensearch/securityanalytics/action/IndexCorrelationRuleRequest.java @@ -10,8 +10,8 @@ import org.opensearch.action.ActionRequest; import org.opensearch.action.ActionRequestValidationException; -import org.opensearch.common.io.stream.StreamInput; -import org.opensearch.common.io.stream.StreamOutput; +import org.opensearch.core.common.io.stream.StreamInput; +import org.opensearch.core.common.io.stream.StreamOutput; import org.opensearch.rest.RestRequest; import java.io.IOException; diff --git a/src/main/java/org/opensearch/securityanalytics/action/IndexCorrelationRuleResponse.java b/src/main/java/org/opensearch/securityanalytics/action/IndexCorrelationRuleResponse.java index c72d4512a..d2442943b 100644 --- a/src/main/java/org/opensearch/securityanalytics/action/IndexCorrelationRuleResponse.java +++ b/src/main/java/org/opensearch/securityanalytics/action/IndexCorrelationRuleResponse.java @@ -8,12 +8,12 @@ package org.opensearch.securityanalytics.action; -import org.opensearch.action.ActionResponse; -import org.opensearch.common.io.stream.StreamInput; -import org.opensearch.common.io.stream.StreamOutput; +import org.opensearch.core.action.ActionResponse; +import org.opensearch.core.common.io.stream.StreamInput; +import org.opensearch.core.common.io.stream.StreamOutput; import org.opensearch.core.xcontent.ToXContentObject; import org.opensearch.core.xcontent.XContentBuilder; -import org.opensearch.rest.RestStatus; +import org.opensearch.core.rest.RestStatus; import java.io.IOException; import org.opensearch.securityanalytics.model.CorrelationRule; diff --git a/src/main/java/org/opensearch/securityanalytics/action/IndexCustomLogTypeRequest.java b/src/main/java/org/opensearch/securityanalytics/action/IndexCustomLogTypeRequest.java index 2f4d2eb93..9c8ba2dae 100644 --- a/src/main/java/org/opensearch/securityanalytics/action/IndexCustomLogTypeRequest.java +++ b/src/main/java/org/opensearch/securityanalytics/action/IndexCustomLogTypeRequest.java @@ -11,8 +11,8 @@ import org.opensearch.action.ActionRequest; import org.opensearch.action.ActionRequestValidationException; import org.opensearch.action.support.WriteRequest; -import org.opensearch.common.io.stream.StreamInput; -import org.opensearch.common.io.stream.StreamOutput; +import org.opensearch.core.common.io.stream.StreamInput; +import org.opensearch.core.common.io.stream.StreamOutput; import org.opensearch.rest.RestRequest; import org.opensearch.securityanalytics.model.CustomLogType; diff --git a/src/main/java/org/opensearch/securityanalytics/action/IndexCustomLogTypeResponse.java b/src/main/java/org/opensearch/securityanalytics/action/IndexCustomLogTypeResponse.java index 3a95d99b9..1f3410cd5 100644 --- a/src/main/java/org/opensearch/securityanalytics/action/IndexCustomLogTypeResponse.java +++ b/src/main/java/org/opensearch/securityanalytics/action/IndexCustomLogTypeResponse.java @@ -8,12 +8,12 @@ package org.opensearch.securityanalytics.action; -import org.opensearch.action.ActionResponse; -import org.opensearch.common.io.stream.StreamInput; -import org.opensearch.common.io.stream.StreamOutput; +import org.opensearch.core.action.ActionResponse; +import org.opensearch.core.common.io.stream.StreamInput; +import org.opensearch.core.common.io.stream.StreamOutput; import org.opensearch.core.xcontent.ToXContentObject; import org.opensearch.core.xcontent.XContentBuilder; -import org.opensearch.rest.RestStatus; +import org.opensearch.core.rest.RestStatus; import org.opensearch.securityanalytics.model.CustomLogType; import java.io.IOException; diff --git a/src/main/java/org/opensearch/securityanalytics/action/IndexDetectorRequest.java b/src/main/java/org/opensearch/securityanalytics/action/IndexDetectorRequest.java index f31207b5d..7299d945c 100644 --- a/src/main/java/org/opensearch/securityanalytics/action/IndexDetectorRequest.java +++ b/src/main/java/org/opensearch/securityanalytics/action/IndexDetectorRequest.java @@ -7,8 +7,8 @@ import org.opensearch.action.ActionRequest; import org.opensearch.action.ActionRequestValidationException; import org.opensearch.action.support.WriteRequest; -import org.opensearch.common.io.stream.StreamInput; -import org.opensearch.common.io.stream.StreamOutput; +import org.opensearch.core.common.io.stream.StreamInput; +import org.opensearch.core.common.io.stream.StreamOutput; import org.opensearch.rest.RestRequest; import org.opensearch.securityanalytics.model.Detector; diff --git a/src/main/java/org/opensearch/securityanalytics/action/IndexDetectorResponse.java b/src/main/java/org/opensearch/securityanalytics/action/IndexDetectorResponse.java index 6e5a128c7..6a7c268c1 100644 --- a/src/main/java/org/opensearch/securityanalytics/action/IndexDetectorResponse.java +++ b/src/main/java/org/opensearch/securityanalytics/action/IndexDetectorResponse.java @@ -4,12 +4,12 @@ */ package org.opensearch.securityanalytics.action; -import org.opensearch.action.ActionResponse; -import org.opensearch.common.io.stream.StreamInput; -import org.opensearch.common.io.stream.StreamOutput; +import org.opensearch.core.action.ActionResponse; +import org.opensearch.core.common.io.stream.StreamInput; +import org.opensearch.core.common.io.stream.StreamOutput; import org.opensearch.core.xcontent.ToXContentObject; import org.opensearch.core.xcontent.XContentBuilder; -import org.opensearch.rest.RestStatus; +import org.opensearch.core.rest.RestStatus; import org.opensearch.securityanalytics.model.Detector; import java.io.IOException; diff --git a/src/main/java/org/opensearch/securityanalytics/action/IndexRuleRequest.java b/src/main/java/org/opensearch/securityanalytics/action/IndexRuleRequest.java index 309789fc3..785438930 100644 --- a/src/main/java/org/opensearch/securityanalytics/action/IndexRuleRequest.java +++ b/src/main/java/org/opensearch/securityanalytics/action/IndexRuleRequest.java @@ -10,8 +10,8 @@ import org.opensearch.action.ActionRequest; import org.opensearch.action.ActionRequestValidationException; import org.opensearch.action.support.WriteRequest; -import org.opensearch.common.io.stream.StreamInput; -import org.opensearch.common.io.stream.StreamOutput; +import org.opensearch.core.common.io.stream.StreamInput; +import org.opensearch.core.common.io.stream.StreamOutput; import org.opensearch.rest.RestRequest; import java.io.IOException; diff --git a/src/main/java/org/opensearch/securityanalytics/action/IndexRuleResponse.java b/src/main/java/org/opensearch/securityanalytics/action/IndexRuleResponse.java index 02e612ac7..7571d9ba2 100644 --- a/src/main/java/org/opensearch/securityanalytics/action/IndexRuleResponse.java +++ b/src/main/java/org/opensearch/securityanalytics/action/IndexRuleResponse.java @@ -4,12 +4,12 @@ */ package org.opensearch.securityanalytics.action; -import org.opensearch.action.ActionResponse; -import org.opensearch.common.io.stream.StreamInput; -import org.opensearch.common.io.stream.StreamOutput; +import org.opensearch.core.action.ActionResponse; +import org.opensearch.core.common.io.stream.StreamInput; +import org.opensearch.core.common.io.stream.StreamOutput; import org.opensearch.core.xcontent.ToXContentObject; import org.opensearch.core.xcontent.XContentBuilder; -import org.opensearch.rest.RestStatus; +import org.opensearch.core.rest.RestStatus; import org.opensearch.securityanalytics.model.Detector; import org.opensearch.securityanalytics.model.Rule; diff --git a/src/main/java/org/opensearch/securityanalytics/action/ListCorrelationsRequest.java b/src/main/java/org/opensearch/securityanalytics/action/ListCorrelationsRequest.java index ff3fd225c..51a6e0ca5 100644 --- a/src/main/java/org/opensearch/securityanalytics/action/ListCorrelationsRequest.java +++ b/src/main/java/org/opensearch/securityanalytics/action/ListCorrelationsRequest.java @@ -6,8 +6,8 @@ import org.opensearch.action.ActionRequest; import org.opensearch.action.ActionRequestValidationException; -import org.opensearch.common.io.stream.StreamInput; -import org.opensearch.common.io.stream.StreamOutput; +import org.opensearch.core.common.io.stream.StreamInput; +import org.opensearch.core.common.io.stream.StreamOutput; import java.io.IOException; diff --git a/src/main/java/org/opensearch/securityanalytics/action/ListCorrelationsResponse.java b/src/main/java/org/opensearch/securityanalytics/action/ListCorrelationsResponse.java index 80eea0003..0b8df0cb0 100644 --- a/src/main/java/org/opensearch/securityanalytics/action/ListCorrelationsResponse.java +++ b/src/main/java/org/opensearch/securityanalytics/action/ListCorrelationsResponse.java @@ -4,9 +4,9 @@ */ package org.opensearch.securityanalytics.action; -import org.opensearch.action.ActionResponse; -import org.opensearch.common.io.stream.StreamInput; -import org.opensearch.common.io.stream.StreamOutput; +import org.opensearch.core.action.ActionResponse; +import org.opensearch.core.common.io.stream.StreamInput; +import org.opensearch.core.common.io.stream.StreamOutput; import org.opensearch.core.xcontent.ToXContentObject; import org.opensearch.core.xcontent.XContentBuilder; import org.opensearch.securityanalytics.model.CorrelatedFinding; diff --git a/src/main/java/org/opensearch/securityanalytics/action/SearchCorrelationRuleRequest.java b/src/main/java/org/opensearch/securityanalytics/action/SearchCorrelationRuleRequest.java index dcf4fb955..649067044 100644 --- a/src/main/java/org/opensearch/securityanalytics/action/SearchCorrelationRuleRequest.java +++ b/src/main/java/org/opensearch/securityanalytics/action/SearchCorrelationRuleRequest.java @@ -8,8 +8,8 @@ import org.opensearch.action.ActionRequest; import org.opensearch.action.ActionRequestValidationException; import org.opensearch.action.search.SearchRequest; -import org.opensearch.common.io.stream.StreamInput; -import org.opensearch.common.io.stream.StreamOutput; +import org.opensearch.core.common.io.stream.StreamInput; +import org.opensearch.core.common.io.stream.StreamOutput; public class SearchCorrelationRuleRequest extends ActionRequest { diff --git a/src/main/java/org/opensearch/securityanalytics/action/SearchCustomLogTypeRequest.java b/src/main/java/org/opensearch/securityanalytics/action/SearchCustomLogTypeRequest.java index f315a09ff..a9a387d36 100644 --- a/src/main/java/org/opensearch/securityanalytics/action/SearchCustomLogTypeRequest.java +++ b/src/main/java/org/opensearch/securityanalytics/action/SearchCustomLogTypeRequest.java @@ -11,8 +11,8 @@ import org.opensearch.action.ActionRequest; import org.opensearch.action.ActionRequestValidationException; import org.opensearch.action.search.SearchRequest; -import org.opensearch.common.io.stream.StreamInput; -import org.opensearch.common.io.stream.StreamOutput; +import org.opensearch.core.common.io.stream.StreamInput; +import org.opensearch.core.common.io.stream.StreamOutput; import java.io.IOException; diff --git a/src/main/java/org/opensearch/securityanalytics/action/SearchDetectorRequest.java b/src/main/java/org/opensearch/securityanalytics/action/SearchDetectorRequest.java index ed289eabd..e3b9ed9bd 100644 --- a/src/main/java/org/opensearch/securityanalytics/action/SearchDetectorRequest.java +++ b/src/main/java/org/opensearch/securityanalytics/action/SearchDetectorRequest.java @@ -7,8 +7,8 @@ import org.opensearch.action.ActionRequest; import org.opensearch.action.ActionRequestValidationException; import org.opensearch.action.search.SearchRequest; -import org.opensearch.common.io.stream.StreamInput; -import org.opensearch.common.io.stream.StreamOutput; +import org.opensearch.core.common.io.stream.StreamInput; +import org.opensearch.core.common.io.stream.StreamOutput; import java.io.IOException; diff --git a/src/main/java/org/opensearch/securityanalytics/action/SearchRuleRequest.java b/src/main/java/org/opensearch/securityanalytics/action/SearchRuleRequest.java index 4b08c75bc..010ddb2fd 100644 --- a/src/main/java/org/opensearch/securityanalytics/action/SearchRuleRequest.java +++ b/src/main/java/org/opensearch/securityanalytics/action/SearchRuleRequest.java @@ -7,8 +7,8 @@ import org.opensearch.action.ActionRequest; import org.opensearch.action.ActionRequestValidationException; import org.opensearch.action.search.SearchRequest; -import org.opensearch.common.io.stream.StreamInput; -import org.opensearch.common.io.stream.StreamOutput; +import org.opensearch.core.common.io.stream.StreamInput; +import org.opensearch.core.common.io.stream.StreamOutput; import java.io.IOException; diff --git a/src/main/java/org/opensearch/securityanalytics/action/UpdateIndexMappingsRequest.java b/src/main/java/org/opensearch/securityanalytics/action/UpdateIndexMappingsRequest.java index e9bef0c4d..def99049c 100644 --- a/src/main/java/org/opensearch/securityanalytics/action/UpdateIndexMappingsRequest.java +++ b/src/main/java/org/opensearch/securityanalytics/action/UpdateIndexMappingsRequest.java @@ -6,9 +6,9 @@ import org.opensearch.action.ActionRequest; import org.opensearch.action.ActionRequestValidationException; -import org.opensearch.common.io.stream.StreamInput; -import org.opensearch.common.io.stream.StreamOutput; -import org.opensearch.common.xcontent.XContentParserUtils; +import org.opensearch.core.common.io.stream.StreamInput; +import org.opensearch.core.common.io.stream.StreamOutput; +import org.opensearch.core.xcontent.XContentParserUtils; import org.opensearch.core.xcontent.ToXContentObject; import org.opensearch.core.xcontent.XContentBuilder; import org.opensearch.core.xcontent.XContentParser; diff --git a/src/main/java/org/opensearch/securityanalytics/action/ValidateRulesRequest.java b/src/main/java/org/opensearch/securityanalytics/action/ValidateRulesRequest.java index 7af8bed56..b925891dd 100644 --- a/src/main/java/org/opensearch/securityanalytics/action/ValidateRulesRequest.java +++ b/src/main/java/org/opensearch/securityanalytics/action/ValidateRulesRequest.java @@ -4,25 +4,21 @@ */ package org.opensearch.securityanalytics.action; -import java.io.IOException; -import java.util.ArrayList; -import java.util.HashMap; -import java.util.List; -import java.util.Locale; -import java.util.Map; import org.apache.logging.log4j.LogManager; import org.apache.logging.log4j.Logger; import org.opensearch.action.ActionRequest; import org.opensearch.action.ActionRequestValidationException; -import org.opensearch.core.common.Strings; -import org.opensearch.common.io.stream.StreamInput; -import org.opensearch.common.io.stream.StreamOutput; -import org.opensearch.common.xcontent.XContentFactory; +import org.opensearch.core.common.io.stream.StreamInput; +import org.opensearch.core.common.io.stream.StreamOutput; import org.opensearch.core.xcontent.ToXContentObject; import org.opensearch.core.xcontent.XContentBuilder; import org.opensearch.core.xcontent.XContentParser; -import org.opensearch.common.xcontent.XContentParserUtils; +import org.opensearch.core.xcontent.XContentParserUtils; +import java.io.IOException; +import java.util.ArrayList; +import java.util.List; +import java.util.Locale; import static org.opensearch.action.ValidateActions.addValidationError; diff --git a/src/main/java/org/opensearch/securityanalytics/action/ValidateRulesResponse.java b/src/main/java/org/opensearch/securityanalytics/action/ValidateRulesResponse.java index 835bc65ec..776c0f303 100644 --- a/src/main/java/org/opensearch/securityanalytics/action/ValidateRulesResponse.java +++ b/src/main/java/org/opensearch/securityanalytics/action/ValidateRulesResponse.java @@ -4,12 +4,19 @@ */ package org.opensearch.securityanalytics.action; +import java.io.IOException; +import java.util.ArrayList; +import java.util.List; +import java.util.Map; +import java.util.Objects; + import org.apache.logging.log4j.LogManager; import org.apache.logging.log4j.Logger; -import org.opensearch.action.ActionResponse; +import org.opensearch.core.action.ActionResponse; +import org.opensearch.core.common.Strings; +import org.opensearch.core.common.io.stream.StreamInput; +import org.opensearch.core.common.io.stream.StreamOutput; import org.opensearch.common.xcontent.XContentType; -import org.opensearch.common.io.stream.StreamInput; -import org.opensearch.common.io.stream.StreamOutput; import org.opensearch.core.xcontent.ToXContentObject; import org.opensearch.core.xcontent.XContentBuilder; @@ -69,7 +76,7 @@ public List getNonapplicableFields() { @Override public String toString() { - return org.opensearch.common.Strings.toString(XContentType.JSON, this); + return Strings.toString(XContentType.JSON, this); } @Override diff --git a/src/main/java/org/opensearch/securityanalytics/alerts/AlertsService.java b/src/main/java/org/opensearch/securityanalytics/alerts/AlertsService.java index 705f127a5..a61fe9d35 100644 --- a/src/main/java/org/opensearch/securityanalytics/alerts/AlertsService.java +++ b/src/main/java/org/opensearch/securityanalytics/alerts/AlertsService.java @@ -7,7 +7,7 @@ import org.apache.logging.log4j.LogManager; import org.apache.logging.log4j.Logger; import org.opensearch.OpenSearchStatusException; -import org.opensearch.action.ActionListener; +import org.opensearch.core.action.ActionListener; import org.opensearch.action.support.GroupedActionListener; import org.opensearch.action.support.WriteRequest; import org.opensearch.client.Client; @@ -18,7 +18,7 @@ import org.opensearch.commons.alerting.action.GetAlertsRequest; import org.opensearch.commons.alerting.model.Alert; import org.opensearch.commons.alerting.model.Table; -import org.opensearch.rest.RestStatus; +import org.opensearch.core.rest.RestStatus; import org.opensearch.securityanalytics.action.AckAlertsResponse; import org.opensearch.securityanalytics.action.AlertDto; import org.opensearch.securityanalytics.action.GetAlertsResponse; diff --git a/src/main/java/org/opensearch/securityanalytics/correlation/JoinEngine.java b/src/main/java/org/opensearch/securityanalytics/correlation/JoinEngine.java index 5e4bb6629..6921f096c 100644 --- a/src/main/java/org/opensearch/securityanalytics/correlation/JoinEngine.java +++ b/src/main/java/org/opensearch/securityanalytics/correlation/JoinEngine.java @@ -9,7 +9,7 @@ import org.apache.logging.log4j.Logger; import org.apache.lucene.search.join.ScoreMode; import org.opensearch.OpenSearchStatusException; -import org.opensearch.action.ActionListener; +import org.opensearch.core.action.ActionListener; import org.opensearch.action.search.MultiSearchRequest; import org.opensearch.action.search.MultiSearchResponse; import org.opensearch.action.search.SearchRequest; @@ -25,7 +25,7 @@ import org.opensearch.index.query.NestedQueryBuilder; import org.opensearch.index.query.QueryBuilders; import org.opensearch.index.query.RangeQueryBuilder; -import org.opensearch.rest.RestStatus; +import org.opensearch.core.rest.RestStatus; import org.opensearch.search.SearchHit; import org.opensearch.search.builder.SearchSourceBuilder; import org.opensearch.securityanalytics.config.monitors.DetectorMonitorConfig; diff --git a/src/main/java/org/opensearch/securityanalytics/correlation/VectorEmbeddingsEngine.java b/src/main/java/org/opensearch/securityanalytics/correlation/VectorEmbeddingsEngine.java index f0f433d5e..82698325f 100644 --- a/src/main/java/org/opensearch/securityanalytics/correlation/VectorEmbeddingsEngine.java +++ b/src/main/java/org/opensearch/securityanalytics/correlation/VectorEmbeddingsEngine.java @@ -7,7 +7,7 @@ import org.apache.logging.log4j.LogManager; import org.apache.logging.log4j.Logger; import org.opensearch.OpenSearchStatusException; -import org.opensearch.action.ActionListener; +import org.opensearch.core.action.ActionListener; import org.opensearch.action.bulk.BulkRequest; import org.opensearch.action.bulk.BulkResponse; import org.opensearch.action.index.IndexRequest; @@ -25,7 +25,7 @@ import org.opensearch.index.query.BoolQueryBuilder; import org.opensearch.index.query.MatchQueryBuilder; import org.opensearch.index.query.QueryBuilders; -import org.opensearch.rest.RestStatus; +import org.opensearch.core.rest.RestStatus; import org.opensearch.search.SearchHit; import org.opensearch.search.builder.SearchSourceBuilder; import org.opensearch.securityanalytics.correlation.index.query.CorrelationQueryBuilder; diff --git a/src/main/java/org/opensearch/securityanalytics/correlation/index/CorrelationParamsContext.java b/src/main/java/org/opensearch/securityanalytics/correlation/index/CorrelationParamsContext.java index 1dbfba528..66fd6c23a 100644 --- a/src/main/java/org/opensearch/securityanalytics/correlation/index/CorrelationParamsContext.java +++ b/src/main/java/org/opensearch/securityanalytics/correlation/index/CorrelationParamsContext.java @@ -5,9 +5,9 @@ package org.opensearch.securityanalytics.correlation.index; import org.apache.lucene.index.VectorSimilarityFunction; -import org.opensearch.common.io.stream.StreamInput; -import org.opensearch.common.io.stream.StreamOutput; -import org.opensearch.common.io.stream.Writeable; +import org.opensearch.core.common.io.stream.StreamInput; +import org.opensearch.core.common.io.stream.StreamOutput; +import org.opensearch.core.common.io.stream.Writeable; import org.opensearch.core.xcontent.ToXContentFragment; import org.opensearch.core.xcontent.XContentBuilder; import org.opensearch.index.mapper.MapperParsingException; diff --git a/src/main/java/org/opensearch/securityanalytics/correlation/index/query/CorrelationQueryBuilder.java b/src/main/java/org/opensearch/securityanalytics/correlation/index/query/CorrelationQueryBuilder.java index 84e99348c..2a51499c2 100644 --- a/src/main/java/org/opensearch/securityanalytics/correlation/index/query/CorrelationQueryBuilder.java +++ b/src/main/java/org/opensearch/securityanalytics/correlation/index/query/CorrelationQueryBuilder.java @@ -7,10 +7,10 @@ import org.apache.logging.log4j.LogManager; import org.apache.logging.log4j.Logger; import org.apache.lucene.search.Query; -import org.opensearch.common.ParsingException; +import org.opensearch.core.common.ParsingException; import org.opensearch.core.common.Strings; -import org.opensearch.common.io.stream.StreamInput; -import org.opensearch.common.io.stream.StreamOutput; +import org.opensearch.core.common.io.stream.StreamInput; +import org.opensearch.core.common.io.stream.StreamOutput; import org.opensearch.core.ParseField; import org.opensearch.core.common.Strings; import org.opensearch.core.xcontent.XContentBuilder; diff --git a/src/main/java/org/opensearch/securityanalytics/findings/FindingsService.java b/src/main/java/org/opensearch/securityanalytics/findings/FindingsService.java index 5047c0268..83d8ffbb3 100644 --- a/src/main/java/org/opensearch/securityanalytics/findings/FindingsService.java +++ b/src/main/java/org/opensearch/securityanalytics/findings/FindingsService.java @@ -13,14 +13,14 @@ import org.apache.logging.log4j.LogManager; import org.apache.logging.log4j.Logger; import org.opensearch.OpenSearchStatusException; -import org.opensearch.action.ActionListener; +import org.opensearch.core.action.ActionListener; import org.opensearch.client.Client; import org.opensearch.client.node.NodeClient; import org.opensearch.commons.alerting.AlertingPluginInterface; import org.opensearch.commons.alerting.model.DocLevelQuery; import org.opensearch.commons.alerting.model.FindingWithDocs; import org.opensearch.commons.alerting.model.Table; -import org.opensearch.rest.RestStatus; +import org.opensearch.core.rest.RestStatus; import org.opensearch.securityanalytics.action.FindingDto; import org.opensearch.securityanalytics.action.GetDetectorAction; import org.opensearch.securityanalytics.action.GetDetectorRequest; diff --git a/src/main/java/org/opensearch/securityanalytics/indexmanagment/DetectorIndexManagementService.java b/src/main/java/org/opensearch/securityanalytics/indexmanagment/DetectorIndexManagementService.java index 444df5042..1fbe36b85 100644 --- a/src/main/java/org/opensearch/securityanalytics/indexmanagment/DetectorIndexManagementService.java +++ b/src/main/java/org/opensearch/securityanalytics/indexmanagment/DetectorIndexManagementService.java @@ -15,7 +15,7 @@ import java.util.stream.Collectors; import org.apache.logging.log4j.LogManager; import org.apache.logging.log4j.Logger; -import org.opensearch.action.ActionListener; +import org.opensearch.core.action.ActionListener; import org.opensearch.action.admin.cluster.state.ClusterStateRequest; import org.opensearch.action.admin.cluster.state.ClusterStateResponse; import org.opensearch.action.admin.indices.delete.DeleteIndexRequest; @@ -29,8 +29,8 @@ import org.opensearch.cluster.metadata.AliasMetadata; import org.opensearch.cluster.metadata.IndexMetadata; import org.opensearch.cluster.service.ClusterService; -import org.opensearch.common.component.AbstractLifecycleComponent; import org.opensearch.common.inject.Inject; +import org.opensearch.common.lifecycle.AbstractLifecycleComponent; import org.opensearch.common.settings.Settings; import org.opensearch.common.unit.TimeValue; import org.opensearch.securityanalytics.config.monitors.DetectorMonitorConfig; diff --git a/src/main/java/org/opensearch/securityanalytics/logtype/BuiltinLogTypeLoader.java b/src/main/java/org/opensearch/securityanalytics/logtype/BuiltinLogTypeLoader.java index 14dad9e4c..0d28bce4d 100644 --- a/src/main/java/org/opensearch/securityanalytics/logtype/BuiltinLogTypeLoader.java +++ b/src/main/java/org/opensearch/securityanalytics/logtype/BuiltinLogTypeLoader.java @@ -19,7 +19,7 @@ import java.util.stream.Stream; import org.apache.logging.log4j.LogManager; import org.apache.logging.log4j.Logger; -import org.opensearch.common.component.AbstractLifecycleComponent; +import org.opensearch.common.lifecycle.AbstractLifecycleComponent; import org.opensearch.common.settings.SettingsException; import org.opensearch.common.xcontent.XContentHelper; import org.opensearch.common.xcontent.json.JsonXContent; diff --git a/src/main/java/org/opensearch/securityanalytics/logtype/LogTypeService.java b/src/main/java/org/opensearch/securityanalytics/logtype/LogTypeService.java index b54e4eb82..3d09bae52 100644 --- a/src/main/java/org/opensearch/securityanalytics/logtype/LogTypeService.java +++ b/src/main/java/org/opensearch/securityanalytics/logtype/LogTypeService.java @@ -25,7 +25,7 @@ import org.opensearch.ExceptionsHelper; import org.opensearch.OpenSearchStatusException; import org.opensearch.ResourceAlreadyExistsException; -import org.opensearch.action.ActionListener; +import org.opensearch.core.action.ActionListener; import org.opensearch.action.DocWriteRequest; import org.opensearch.action.admin.indices.create.CreateIndexRequest; import org.opensearch.action.admin.indices.create.CreateIndexResponse; @@ -49,7 +49,7 @@ import org.opensearch.core.xcontent.NamedXContentRegistry; import org.opensearch.index.query.BoolQueryBuilder; import org.opensearch.index.query.QueryBuilders; -import org.opensearch.rest.RestStatus; +import org.opensearch.core.rest.RestStatus; import org.opensearch.search.SearchHit; import org.opensearch.search.aggregations.bucket.terms.Terms; import org.opensearch.search.aggregations.bucket.terms.TermsAggregationBuilder; diff --git a/src/main/java/org/opensearch/securityanalytics/mapper/IndexTemplateManager.java b/src/main/java/org/opensearch/securityanalytics/mapper/IndexTemplateManager.java index ecc684005..4bc41e4ba 100644 --- a/src/main/java/org/opensearch/securityanalytics/mapper/IndexTemplateManager.java +++ b/src/main/java/org/opensearch/securityanalytics/mapper/IndexTemplateManager.java @@ -16,7 +16,7 @@ import java.util.Set; import org.apache.logging.log4j.LogManager; import org.apache.logging.log4j.Logger; -import org.opensearch.action.ActionListener; +import org.opensearch.core.action.ActionListener; import org.opensearch.action.StepListener; import org.opensearch.action.admin.indices.template.delete.DeleteComponentTemplateAction; import org.opensearch.action.admin.indices.template.delete.DeleteComposableIndexTemplateAction; diff --git a/src/main/java/org/opensearch/securityanalytics/mapper/IndexTemplateUtils.java b/src/main/java/org/opensearch/securityanalytics/mapper/IndexTemplateUtils.java index 26074dee3..73e366c77 100644 --- a/src/main/java/org/opensearch/securityanalytics/mapper/IndexTemplateUtils.java +++ b/src/main/java/org/opensearch/securityanalytics/mapper/IndexTemplateUtils.java @@ -13,7 +13,7 @@ import org.opensearch.cluster.ClusterState; import org.opensearch.cluster.metadata.ComposableIndexTemplate; import org.opensearch.cluster.metadata.Template; -import org.opensearch.common.bytes.BytesReference; +import org.opensearch.core.common.bytes.BytesReference; import org.opensearch.common.compress.CompressedXContent; import org.opensearch.common.xcontent.XContentFactory; import org.opensearch.common.xcontent.XContentHelper; diff --git a/src/main/java/org/opensearch/securityanalytics/mapper/MapperService.java b/src/main/java/org/opensearch/securityanalytics/mapper/MapperService.java index 059150e6a..26f9c1602 100644 --- a/src/main/java/org/opensearch/securityanalytics/mapper/MapperService.java +++ b/src/main/java/org/opensearch/securityanalytics/mapper/MapperService.java @@ -19,7 +19,7 @@ import org.apache.logging.log4j.LogManager; import org.apache.logging.log4j.Logger; import org.opensearch.OpenSearchStatusException; -import org.opensearch.action.ActionListener; +import org.opensearch.core.action.ActionListener; import org.opensearch.action.admin.indices.get.GetIndexRequest; import org.opensearch.action.admin.indices.get.GetIndexResponse; import org.opensearch.action.admin.indices.mapping.get.GetMappingsRequest; @@ -32,10 +32,9 @@ import org.opensearch.cluster.metadata.IndexNameExpressionResolver; import org.opensearch.cluster.metadata.MappingMetadata; import org.opensearch.cluster.service.ClusterService; -import org.opensearch.common.Strings; import org.opensearch.common.xcontent.XContentFactory; import org.opensearch.core.xcontent.XContentBuilder; -import org.opensearch.rest.RestStatus; +import org.opensearch.core.rest.RestStatus; import org.opensearch.securityanalytics.action.GetIndexMappingsResponse; import org.opensearch.securityanalytics.action.GetMappingsViewResponse; import org.opensearch.securityanalytics.logtype.LogTypeService; @@ -233,7 +232,7 @@ public void onResponse(List mappings) { } } aliasMappingsObj.field("properties", aliasMappingFields); - String aliasMappings = Strings.toString(aliasMappingsObj.endObject()); + String aliasMappings = aliasMappingsObj.endObject().toString(); Pair, List> validationResult = MapperUtils.validateIndexMappings(indexName, mappingMetadata, aliasMappings); List missingPathsInIndex = validationResult.getLeft(); @@ -515,7 +514,7 @@ public void onResponse(GetMappingsResponse getMappingsResponse) { } } aliasMappingsObj.field("properties", aliasMappingFields); - String aliasMappingsJson = Strings.toString(aliasMappingsObj.endObject()); + String aliasMappingsJson = aliasMappingsObj.endObject().toString(); // Gather all applyable alias mappings Map aliasMappings = MapperUtils.getAliasMappingsWithFilter(aliasMappingsJson, applyableAliases); diff --git a/src/main/java/org/opensearch/securityanalytics/model/CorrelatedFinding.java b/src/main/java/org/opensearch/securityanalytics/model/CorrelatedFinding.java index d5f68339b..811aab401 100644 --- a/src/main/java/org/opensearch/securityanalytics/model/CorrelatedFinding.java +++ b/src/main/java/org/opensearch/securityanalytics/model/CorrelatedFinding.java @@ -4,10 +4,10 @@ */ package org.opensearch.securityanalytics.model; -import org.opensearch.common.io.stream.StreamInput; -import org.opensearch.common.io.stream.StreamOutput; -import org.opensearch.common.io.stream.Writeable; -import org.opensearch.common.xcontent.XContentParserUtils; +import org.opensearch.core.common.io.stream.StreamInput; +import org.opensearch.core.common.io.stream.StreamOutput; +import org.opensearch.core.common.io.stream.Writeable; +import org.opensearch.core.xcontent.XContentParserUtils; import org.opensearch.core.xcontent.ToXContentObject; import org.opensearch.core.xcontent.XContentBuilder; import org.opensearch.core.xcontent.XContentParser; diff --git a/src/main/java/org/opensearch/securityanalytics/model/CorrelationQuery.java b/src/main/java/org/opensearch/securityanalytics/model/CorrelationQuery.java index d2940405c..480e8185d 100644 --- a/src/main/java/org/opensearch/securityanalytics/model/CorrelationQuery.java +++ b/src/main/java/org/opensearch/securityanalytics/model/CorrelationQuery.java @@ -7,10 +7,10 @@ import java.io.IOException; import org.apache.logging.log4j.LogManager; import org.apache.logging.log4j.Logger; -import org.opensearch.common.io.stream.StreamInput; -import org.opensearch.common.io.stream.StreamOutput; -import org.opensearch.common.io.stream.Writeable; -import org.opensearch.common.xcontent.XContentParserUtils; +import org.opensearch.core.common.io.stream.StreamInput; +import org.opensearch.core.common.io.stream.StreamOutput; +import org.opensearch.core.common.io.stream.Writeable; +import org.opensearch.core.xcontent.XContentParserUtils; import org.opensearch.core.xcontent.ToXContentObject; import org.opensearch.core.xcontent.XContentBuilder; import org.opensearch.core.xcontent.XContentParser; diff --git a/src/main/java/org/opensearch/securityanalytics/model/CorrelationRule.java b/src/main/java/org/opensearch/securityanalytics/model/CorrelationRule.java index f29213e14..685b66c9b 100644 --- a/src/main/java/org/opensearch/securityanalytics/model/CorrelationRule.java +++ b/src/main/java/org/opensearch/securityanalytics/model/CorrelationRule.java @@ -10,10 +10,10 @@ import java.util.Objects; import org.apache.logging.log4j.LogManager; import org.apache.logging.log4j.Logger; -import org.opensearch.common.io.stream.StreamInput; -import org.opensearch.common.io.stream.StreamOutput; -import org.opensearch.common.io.stream.Writeable; -import org.opensearch.common.xcontent.XContentParserUtils; +import org.opensearch.core.common.io.stream.StreamInput; +import org.opensearch.core.common.io.stream.StreamOutput; +import org.opensearch.core.common.io.stream.Writeable; +import org.opensearch.core.xcontent.XContentParserUtils; import org.opensearch.core.xcontent.ToXContentObject; import org.opensearch.core.xcontent.XContentBuilder; import org.opensearch.core.xcontent.XContentParser; diff --git a/src/main/java/org/opensearch/securityanalytics/model/CustomLogType.java b/src/main/java/org/opensearch/securityanalytics/model/CustomLogType.java index 37a4217cf..fb9a05055 100644 --- a/src/main/java/org/opensearch/securityanalytics/model/CustomLogType.java +++ b/src/main/java/org/opensearch/securityanalytics/model/CustomLogType.java @@ -6,10 +6,10 @@ import org.apache.logging.log4j.LogManager; import org.apache.logging.log4j.Logger; -import org.opensearch.common.io.stream.StreamInput; -import org.opensearch.common.io.stream.StreamOutput; -import org.opensearch.common.io.stream.Writeable; -import org.opensearch.common.xcontent.XContentParserUtils; +import org.opensearch.core.common.io.stream.StreamInput; +import org.opensearch.core.common.io.stream.StreamOutput; +import org.opensearch.core.common.io.stream.Writeable; +import org.opensearch.core.xcontent.XContentParserUtils; import org.opensearch.core.ParseField; import org.opensearch.core.xcontent.NamedXContentRegistry; import org.opensearch.core.xcontent.ToXContentObject; diff --git a/src/main/java/org/opensearch/securityanalytics/model/Detector.java b/src/main/java/org/opensearch/securityanalytics/model/Detector.java index 0769e74f8..9c7e48362 100644 --- a/src/main/java/org/opensearch/securityanalytics/model/Detector.java +++ b/src/main/java/org/opensearch/securityanalytics/model/Detector.java @@ -8,13 +8,13 @@ import java.util.Map; import org.apache.logging.log4j.LogManager; import org.apache.logging.log4j.Logger; -import org.opensearch.common.io.stream.StreamInput; -import org.opensearch.common.io.stream.StreamOutput; -import org.opensearch.common.io.stream.Writeable; -import org.opensearch.common.xcontent.XContentParserUtils; import org.opensearch.commons.alerting.model.CronSchedule; import org.opensearch.commons.alerting.model.Schedule; import org.opensearch.commons.authuser.User; +import org.opensearch.core.common.io.stream.StreamInput; +import org.opensearch.core.common.io.stream.StreamOutput; +import org.opensearch.core.common.io.stream.Writeable; +import org.opensearch.core.xcontent.XContentParserUtils; import org.opensearch.core.ParseField; import org.opensearch.core.xcontent.NamedXContentRegistry; import org.opensearch.core.xcontent.ToXContent; diff --git a/src/main/java/org/opensearch/securityanalytics/model/DetectorInput.java b/src/main/java/org/opensearch/securityanalytics/model/DetectorInput.java index da7d65cb2..1956274ca 100644 --- a/src/main/java/org/opensearch/securityanalytics/model/DetectorInput.java +++ b/src/main/java/org/opensearch/securityanalytics/model/DetectorInput.java @@ -4,10 +4,10 @@ */ package org.opensearch.securityanalytics.model; -import org.opensearch.common.io.stream.StreamInput; -import org.opensearch.common.io.stream.StreamOutput; -import org.opensearch.common.io.stream.Writeable; -import org.opensearch.common.xcontent.XContentParserUtils; +import org.opensearch.core.common.io.stream.StreamInput; +import org.opensearch.core.common.io.stream.StreamOutput; +import org.opensearch.core.common.io.stream.Writeable; +import org.opensearch.core.xcontent.XContentParserUtils; import org.opensearch.core.ParseField; import org.opensearch.core.xcontent.NamedXContentRegistry; import org.opensearch.core.xcontent.ToXContentObject; diff --git a/src/main/java/org/opensearch/securityanalytics/model/DetectorRule.java b/src/main/java/org/opensearch/securityanalytics/model/DetectorRule.java index c002687d9..d6a031c51 100644 --- a/src/main/java/org/opensearch/securityanalytics/model/DetectorRule.java +++ b/src/main/java/org/opensearch/securityanalytics/model/DetectorRule.java @@ -4,13 +4,13 @@ */ package org.opensearch.securityanalytics.model; -import org.opensearch.common.io.stream.StreamInput; -import org.opensearch.common.io.stream.StreamOutput; -import org.opensearch.common.io.stream.Writeable; -import org.opensearch.common.xcontent.XContentParserUtils; +import org.opensearch.core.common.io.stream.StreamInput; +import org.opensearch.core.common.io.stream.StreamOutput; +import org.opensearch.core.common.io.stream.Writeable; import org.opensearch.core.xcontent.ToXContentObject; import org.opensearch.core.xcontent.XContentBuilder; import org.opensearch.core.xcontent.XContentParser; +import org.opensearch.core.xcontent.XContentParserUtils; import java.io.IOException; import java.util.ArrayList; diff --git a/src/main/java/org/opensearch/securityanalytics/model/DetectorTrigger.java b/src/main/java/org/opensearch/securityanalytics/model/DetectorTrigger.java index 3291c07ae..ed454412a 100644 --- a/src/main/java/org/opensearch/securityanalytics/model/DetectorTrigger.java +++ b/src/main/java/org/opensearch/securityanalytics/model/DetectorTrigger.java @@ -8,10 +8,10 @@ import org.apache.logging.log4j.Logger; import org.opensearch.common.UUIDs; -import org.opensearch.common.io.stream.StreamInput; -import org.opensearch.common.io.stream.StreamOutput; -import org.opensearch.common.io.stream.Writeable; -import org.opensearch.common.xcontent.XContentParserUtils; +import org.opensearch.core.common.io.stream.StreamInput; +import org.opensearch.core.common.io.stream.StreamOutput; +import org.opensearch.core.common.io.stream.Writeable; +import org.opensearch.core.xcontent.XContentParserUtils; import org.opensearch.commons.alerting.model.action.Action; import org.opensearch.core.ParseField; import org.opensearch.core.xcontent.NamedXContentRegistry; diff --git a/src/main/java/org/opensearch/securityanalytics/model/FieldMappingDoc.java b/src/main/java/org/opensearch/securityanalytics/model/FieldMappingDoc.java index b2bd7763d..3a3edeedc 100644 --- a/src/main/java/org/opensearch/securityanalytics/model/FieldMappingDoc.java +++ b/src/main/java/org/opensearch/securityanalytics/model/FieldMappingDoc.java @@ -11,12 +11,12 @@ import java.util.Map; import java.util.Objects; import java.util.Set; -import org.opensearch.common.io.stream.StreamInput; -import org.opensearch.common.io.stream.StreamOutput; -import org.opensearch.common.io.stream.Writeable; +import org.opensearch.core.common.io.stream.StreamInput; +import org.opensearch.core.common.io.stream.StreamOutput; +import org.opensearch.core.common.io.stream.Writeable; import org.opensearch.common.xcontent.LoggingDeprecationHandler; import org.opensearch.common.xcontent.XContentHelper; -import org.opensearch.common.xcontent.XContentParserUtils; +import org.opensearch.core.xcontent.XContentParserUtils; import org.opensearch.common.xcontent.XContentType; import org.opensearch.core.xcontent.NamedXContentRegistry; import org.opensearch.core.xcontent.ToXContent; diff --git a/src/main/java/org/opensearch/securityanalytics/model/FindingWithScore.java b/src/main/java/org/opensearch/securityanalytics/model/FindingWithScore.java index 2177d076e..35274727e 100644 --- a/src/main/java/org/opensearch/securityanalytics/model/FindingWithScore.java +++ b/src/main/java/org/opensearch/securityanalytics/model/FindingWithScore.java @@ -4,10 +4,10 @@ */ package org.opensearch.securityanalytics.model; -import org.opensearch.common.io.stream.StreamInput; -import org.opensearch.common.io.stream.StreamOutput; -import org.opensearch.common.io.stream.Writeable; -import org.opensearch.common.xcontent.XContentParserUtils; +import org.opensearch.core.common.io.stream.StreamInput; +import org.opensearch.core.common.io.stream.StreamOutput; +import org.opensearch.core.common.io.stream.Writeable; +import org.opensearch.core.xcontent.XContentParserUtils; import org.opensearch.core.xcontent.ToXContentObject; import org.opensearch.core.xcontent.XContentBuilder; import org.opensearch.core.xcontent.XContentParser; diff --git a/src/main/java/org/opensearch/securityanalytics/model/LogType.java b/src/main/java/org/opensearch/securityanalytics/model/LogType.java index 0d221d1d7..7acc0d1f3 100644 --- a/src/main/java/org/opensearch/securityanalytics/model/LogType.java +++ b/src/main/java/org/opensearch/securityanalytics/model/LogType.java @@ -9,9 +9,9 @@ import java.util.List; import java.util.Map; import java.util.stream.Collectors; -import org.opensearch.common.io.stream.StreamInput; -import org.opensearch.common.io.stream.StreamOutput; -import org.opensearch.common.io.stream.Writeable; +import org.opensearch.core.common.io.stream.StreamInput; +import org.opensearch.core.common.io.stream.StreamOutput; +import org.opensearch.core.common.io.stream.Writeable; import org.opensearch.core.xcontent.ToXContentObject; import org.opensearch.core.xcontent.XContentBuilder; diff --git a/src/main/java/org/opensearch/securityanalytics/model/Rule.java b/src/main/java/org/opensearch/securityanalytics/model/Rule.java index 810492229..fcbd95349 100644 --- a/src/main/java/org/opensearch/securityanalytics/model/Rule.java +++ b/src/main/java/org/opensearch/securityanalytics/model/Rule.java @@ -7,10 +7,10 @@ import org.apache.commons.lang3.tuple.Pair; import org.apache.logging.log4j.LogManager; import org.apache.logging.log4j.Logger; -import org.opensearch.common.io.stream.StreamInput; -import org.opensearch.common.io.stream.StreamOutput; -import org.opensearch.common.io.stream.Writeable; -import org.opensearch.common.xcontent.XContentParserUtils; +import org.opensearch.core.common.io.stream.StreamInput; +import org.opensearch.core.common.io.stream.StreamOutput; +import org.opensearch.core.common.io.stream.Writeable; +import org.opensearch.core.xcontent.XContentParserUtils; import org.opensearch.core.ParseField; import org.opensearch.core.xcontent.NamedXContentRegistry; import org.opensearch.core.xcontent.ToXContent; diff --git a/src/main/java/org/opensearch/securityanalytics/model/RuleCategory.java b/src/main/java/org/opensearch/securityanalytics/model/RuleCategory.java index a2abfa3ba..99a9384c2 100644 --- a/src/main/java/org/opensearch/securityanalytics/model/RuleCategory.java +++ b/src/main/java/org/opensearch/securityanalytics/model/RuleCategory.java @@ -14,9 +14,9 @@ import java.util.Map; import java.util.Objects; import org.opensearch.OpenSearchParseException; -import org.opensearch.common.io.stream.StreamInput; -import org.opensearch.common.io.stream.StreamOutput; -import org.opensearch.common.io.stream.Writeable; +import org.opensearch.core.common.io.stream.StreamInput; +import org.opensearch.core.common.io.stream.StreamOutput; +import org.opensearch.core.common.io.stream.Writeable; import org.opensearch.common.settings.SettingsException; import org.opensearch.common.xcontent.XContentHelper; import org.opensearch.common.xcontent.json.JsonXContent; diff --git a/src/main/java/org/opensearch/securityanalytics/model/Value.java b/src/main/java/org/opensearch/securityanalytics/model/Value.java index 89298ae71..ff817131a 100644 --- a/src/main/java/org/opensearch/securityanalytics/model/Value.java +++ b/src/main/java/org/opensearch/securityanalytics/model/Value.java @@ -6,10 +6,10 @@ import org.apache.logging.log4j.LogManager; import org.apache.logging.log4j.Logger; -import org.opensearch.common.io.stream.StreamInput; -import org.opensearch.common.io.stream.StreamOutput; -import org.opensearch.common.io.stream.Writeable; -import org.opensearch.common.xcontent.XContentParserUtils; +import org.opensearch.core.common.io.stream.StreamInput; +import org.opensearch.core.common.io.stream.StreamOutput; +import org.opensearch.core.common.io.stream.Writeable; +import org.opensearch.core.xcontent.XContentParserUtils; import org.opensearch.core.xcontent.ToXContentObject; import org.opensearch.core.xcontent.XContentBuilder; import org.opensearch.core.xcontent.XContentParser; diff --git a/src/main/java/org/opensearch/securityanalytics/resthandler/RestAcknowledgeAlertsAction.java b/src/main/java/org/opensearch/securityanalytics/resthandler/RestAcknowledgeAlertsAction.java index f02479c48..2a49e49cb 100644 --- a/src/main/java/org/opensearch/securityanalytics/resthandler/RestAcknowledgeAlertsAction.java +++ b/src/main/java/org/opensearch/securityanalytics/resthandler/RestAcknowledgeAlertsAction.java @@ -20,7 +20,7 @@ import java.util.List; import java.util.Locale; -import static org.opensearch.common.xcontent.XContentParserUtils.ensureExpectedToken; +import static org.opensearch.core.xcontent.XContentParserUtils.ensureExpectedToken; /** * Acknowledge list of alerts generated by a detector. diff --git a/src/main/java/org/opensearch/securityanalytics/resthandler/RestCreateIndexMappingsAction.java b/src/main/java/org/opensearch/securityanalytics/resthandler/RestCreateIndexMappingsAction.java index b0871c835..65297bed7 100644 --- a/src/main/java/org/opensearch/securityanalytics/resthandler/RestCreateIndexMappingsAction.java +++ b/src/main/java/org/opensearch/securityanalytics/resthandler/RestCreateIndexMappingsAction.java @@ -5,7 +5,7 @@ package org.opensearch.securityanalytics.resthandler; import org.opensearch.client.node.NodeClient; -import org.opensearch.common.xcontent.XContentParserUtils; +import org.opensearch.core.xcontent.XContentParserUtils; import org.opensearch.core.xcontent.XContentParser; import org.opensearch.rest.BaseRestHandler; import org.opensearch.rest.RestRequest; diff --git a/src/main/java/org/opensearch/securityanalytics/resthandler/RestDeleteCustomLogTypeAction.java b/src/main/java/org/opensearch/securityanalytics/resthandler/RestDeleteCustomLogTypeAction.java index 692bd6e2c..18dfd7ec7 100644 --- a/src/main/java/org/opensearch/securityanalytics/resthandler/RestDeleteCustomLogTypeAction.java +++ b/src/main/java/org/opensearch/securityanalytics/resthandler/RestDeleteCustomLogTypeAction.java @@ -15,7 +15,7 @@ import org.opensearch.client.node.NodeClient; import org.opensearch.rest.BaseRestHandler; import org.opensearch.rest.RestRequest; -import org.opensearch.rest.RestStatus; +import org.opensearch.core.rest.RestStatus; import org.opensearch.rest.action.RestToXContentListener; import org.opensearch.securityanalytics.SecurityAnalyticsPlugin; import org.opensearch.securityanalytics.action.DeleteCustomLogTypeAction; diff --git a/src/main/java/org/opensearch/securityanalytics/resthandler/RestIndexCorrelationRuleAction.java b/src/main/java/org/opensearch/securityanalytics/resthandler/RestIndexCorrelationRuleAction.java index 42b5a80ad..d3d30ea73 100644 --- a/src/main/java/org/opensearch/securityanalytics/resthandler/RestIndexCorrelationRuleAction.java +++ b/src/main/java/org/opensearch/securityanalytics/resthandler/RestIndexCorrelationRuleAction.java @@ -18,7 +18,7 @@ import org.opensearch.rest.RestChannel; import org.opensearch.rest.RestRequest; import org.opensearch.rest.RestResponse; -import org.opensearch.rest.RestStatus; +import org.opensearch.core.rest.RestStatus; import org.opensearch.rest.action.RestResponseListener; import java.io.IOException; diff --git a/src/main/java/org/opensearch/securityanalytics/resthandler/RestIndexCustomLogTypeAction.java b/src/main/java/org/opensearch/securityanalytics/resthandler/RestIndexCustomLogTypeAction.java index d927fdf55..052e3978a 100644 --- a/src/main/java/org/opensearch/securityanalytics/resthandler/RestIndexCustomLogTypeAction.java +++ b/src/main/java/org/opensearch/securityanalytics/resthandler/RestIndexCustomLogTypeAction.java @@ -11,7 +11,7 @@ import org.apache.logging.log4j.Logger; import org.opensearch.action.support.WriteRequest; import org.opensearch.client.node.NodeClient; -import org.opensearch.common.xcontent.XContentParserUtils; +import org.opensearch.core.xcontent.XContentParserUtils; import org.opensearch.core.xcontent.ToXContent; import org.opensearch.core.xcontent.XContentParser; import org.opensearch.rest.BaseRestHandler; @@ -19,7 +19,7 @@ import org.opensearch.rest.RestChannel; import org.opensearch.rest.RestRequest; import org.opensearch.rest.RestResponse; -import org.opensearch.rest.RestStatus; +import org.opensearch.core.rest.RestStatus; import org.opensearch.rest.action.RestResponseListener; import org.opensearch.securityanalytics.SecurityAnalyticsPlugin; import org.opensearch.securityanalytics.action.IndexCustomLogTypeAction; diff --git a/src/main/java/org/opensearch/securityanalytics/resthandler/RestIndexDetectorAction.java b/src/main/java/org/opensearch/securityanalytics/resthandler/RestIndexDetectorAction.java index 62a59980e..489ce5ffb 100644 --- a/src/main/java/org/opensearch/securityanalytics/resthandler/RestIndexDetectorAction.java +++ b/src/main/java/org/opensearch/securityanalytics/resthandler/RestIndexDetectorAction.java @@ -8,7 +8,7 @@ import org.apache.logging.log4j.Logger; import org.opensearch.action.support.WriteRequest; import org.opensearch.client.node.NodeClient; -import org.opensearch.common.xcontent.XContentParserUtils; +import org.opensearch.core.xcontent.XContentParserUtils; import org.opensearch.core.xcontent.ToXContent; import org.opensearch.core.xcontent.XContentParser; import org.opensearch.rest.BaseRestHandler; @@ -16,7 +16,7 @@ import org.opensearch.rest.RestChannel; import org.opensearch.rest.RestRequest; import org.opensearch.rest.RestResponse; -import org.opensearch.rest.RestStatus; +import org.opensearch.core.rest.RestStatus; import org.opensearch.rest.action.RestResponseListener; import org.opensearch.securityanalytics.SecurityAnalyticsPlugin; import org.opensearch.securityanalytics.action.IndexDetectorAction; diff --git a/src/main/java/org/opensearch/securityanalytics/resthandler/RestIndexRuleAction.java b/src/main/java/org/opensearch/securityanalytics/resthandler/RestIndexRuleAction.java index 65484ec19..fcbdd64c8 100644 --- a/src/main/java/org/opensearch/securityanalytics/resthandler/RestIndexRuleAction.java +++ b/src/main/java/org/opensearch/securityanalytics/resthandler/RestIndexRuleAction.java @@ -14,7 +14,7 @@ import org.opensearch.rest.RestChannel; import org.opensearch.rest.RestRequest; import org.opensearch.rest.RestResponse; -import org.opensearch.rest.RestStatus; +import org.opensearch.core.rest.RestStatus; import org.opensearch.rest.action.RestResponseListener; import org.opensearch.securityanalytics.SecurityAnalyticsPlugin; import org.opensearch.securityanalytics.action.IndexRuleAction; diff --git a/src/main/java/org/opensearch/securityanalytics/resthandler/RestListCorrelationAction.java b/src/main/java/org/opensearch/securityanalytics/resthandler/RestListCorrelationAction.java index ce34c7904..e8030c197 100644 --- a/src/main/java/org/opensearch/securityanalytics/resthandler/RestListCorrelationAction.java +++ b/src/main/java/org/opensearch/securityanalytics/resthandler/RestListCorrelationAction.java @@ -24,7 +24,7 @@ import java.util.Locale; import static org.opensearch.rest.RestRequest.Method.GET; -import static org.opensearch.rest.RestStatus.OK; +import static org.opensearch.core.rest.RestStatus.OK; public class RestListCorrelationAction extends BaseRestHandler { diff --git a/src/main/java/org/opensearch/securityanalytics/resthandler/RestSearchCorrelationAction.java b/src/main/java/org/opensearch/securityanalytics/resthandler/RestSearchCorrelationAction.java index e66e3ba7b..587d64e36 100644 --- a/src/main/java/org/opensearch/securityanalytics/resthandler/RestSearchCorrelationAction.java +++ b/src/main/java/org/opensearch/securityanalytics/resthandler/RestSearchCorrelationAction.java @@ -25,7 +25,7 @@ import java.util.Locale; import static org.opensearch.rest.RestRequest.Method.GET; -import static org.opensearch.rest.RestStatus.OK; +import static org.opensearch.core.rest.RestStatus.OK; public class RestSearchCorrelationAction extends BaseRestHandler { diff --git a/src/main/java/org/opensearch/securityanalytics/resthandler/RestSearchCustomLogTypeAction.java b/src/main/java/org/opensearch/securityanalytics/resthandler/RestSearchCustomLogTypeAction.java index 83f4ffa83..58dc4c510 100644 --- a/src/main/java/org/opensearch/securityanalytics/resthandler/RestSearchCustomLogTypeAction.java +++ b/src/main/java/org/opensearch/securityanalytics/resthandler/RestSearchCustomLogTypeAction.java @@ -13,7 +13,7 @@ import org.opensearch.action.search.SearchRequest; import org.opensearch.action.search.SearchResponse; import org.opensearch.client.node.NodeClient; -import org.opensearch.common.bytes.BytesReference; +import org.opensearch.core.common.bytes.BytesReference; import org.opensearch.common.xcontent.LoggingDeprecationHandler; import org.opensearch.common.xcontent.XContentFactory; import org.opensearch.common.xcontent.XContentType; @@ -40,7 +40,7 @@ import java.util.Locale; import java.util.Map; -import static org.opensearch.rest.RestStatus.OK; +import static org.opensearch.core.rest.RestStatus.OK; public class RestSearchCustomLogTypeAction extends BaseRestHandler { diff --git a/src/main/java/org/opensearch/securityanalytics/resthandler/RestSearchDetectorAction.java b/src/main/java/org/opensearch/securityanalytics/resthandler/RestSearchDetectorAction.java index 34f6af368..c1ccd7ea9 100644 --- a/src/main/java/org/opensearch/securityanalytics/resthandler/RestSearchDetectorAction.java +++ b/src/main/java/org/opensearch/securityanalytics/resthandler/RestSearchDetectorAction.java @@ -7,12 +7,10 @@ import org.apache.logging.log4j.LogManager; import org.apache.logging.log4j.Logger; -import org.opensearch.ResourceNotFoundException; -import org.opensearch.action.ActionRequestValidationException; import org.opensearch.action.search.SearchResponse; import org.opensearch.action.search.SearchRequest; import org.opensearch.client.node.NodeClient; -import org.opensearch.common.bytes.BytesReference; +import org.opensearch.core.common.bytes.BytesReference; import org.opensearch.common.xcontent.LoggingDeprecationHandler; import org.opensearch.common.xcontent.XContentFactory; import org.opensearch.common.xcontent.XContentType; @@ -36,15 +34,12 @@ import java.util.List; import java.util.Locale; +import static org.opensearch.core.rest.RestStatus.OK; import static org.opensearch.rest.RestRequest.Method.POST; -import static org.opensearch.rest.RestStatus.OK; import org.opensearch.securityanalytics.model.Detector; import org.opensearch.securityanalytics.SecurityAnalyticsPlugin; -import static org.opensearch.securityanalytics.util.RestHandlerUtils._ID; -import static org.opensearch.securityanalytics.util.RestHandlerUtils._VERSION; - public class RestSearchDetectorAction extends BaseRestHandler { private static final Logger log = LogManager.getLogger(RestSearchDetectorAction.class); diff --git a/src/main/java/org/opensearch/securityanalytics/resthandler/RestSearchRuleAction.java b/src/main/java/org/opensearch/securityanalytics/resthandler/RestSearchRuleAction.java index 03003ca3f..bd01eb2b7 100644 --- a/src/main/java/org/opensearch/securityanalytics/resthandler/RestSearchRuleAction.java +++ b/src/main/java/org/opensearch/securityanalytics/resthandler/RestSearchRuleAction.java @@ -9,7 +9,7 @@ import org.opensearch.action.search.SearchRequest; import org.opensearch.action.search.SearchResponse; import org.opensearch.client.node.NodeClient; -import org.opensearch.common.bytes.BytesReference; +import org.opensearch.core.common.bytes.BytesReference; import org.opensearch.common.xcontent.LoggingDeprecationHandler; import org.opensearch.common.xcontent.XContentFactory; import org.opensearch.common.xcontent.XContentType; @@ -22,7 +22,7 @@ import org.opensearch.rest.RestChannel; import org.opensearch.rest.RestRequest; import org.opensearch.rest.RestResponse; -import org.opensearch.rest.RestStatus; +import org.opensearch.core.rest.RestStatus; import org.opensearch.rest.action.RestResponseListener; import org.opensearch.search.SearchHit; import org.opensearch.search.builder.SearchSourceBuilder; diff --git a/src/main/java/org/opensearch/securityanalytics/resthandler/RestUpdateIndexMappingsAction.java b/src/main/java/org/opensearch/securityanalytics/resthandler/RestUpdateIndexMappingsAction.java index 2f8371aa1..8a96bf9e6 100644 --- a/src/main/java/org/opensearch/securityanalytics/resthandler/RestUpdateIndexMappingsAction.java +++ b/src/main/java/org/opensearch/securityanalytics/resthandler/RestUpdateIndexMappingsAction.java @@ -5,7 +5,7 @@ package org.opensearch.securityanalytics.resthandler; import org.opensearch.client.node.NodeClient; -import org.opensearch.common.xcontent.XContentParserUtils; +import org.opensearch.core.xcontent.XContentParserUtils; import org.opensearch.core.xcontent.XContentParser; import org.opensearch.rest.BaseRestHandler; import org.opensearch.rest.RestRequest; diff --git a/src/main/java/org/opensearch/securityanalytics/resthandler/RestValidateRulesAction.java b/src/main/java/org/opensearch/securityanalytics/resthandler/RestValidateRulesAction.java index 7abf5421f..1dcd99590 100644 --- a/src/main/java/org/opensearch/securityanalytics/resthandler/RestValidateRulesAction.java +++ b/src/main/java/org/opensearch/securityanalytics/resthandler/RestValidateRulesAction.java @@ -4,33 +4,20 @@ */ package org.opensearch.securityanalytics.resthandler; -import java.io.IOException; -import java.util.List; -import java.util.Locale; import org.apache.logging.log4j.LogManager; import org.apache.logging.log4j.Logger; -import org.opensearch.action.support.WriteRequest; import org.opensearch.client.node.NodeClient; -import org.opensearch.core.xcontent.ToXContent; -import org.opensearch.common.xcontent.XContentParserUtils; import org.opensearch.core.xcontent.XContentParser; +import org.opensearch.core.xcontent.XContentParserUtils; import org.opensearch.rest.BaseRestHandler; -import org.opensearch.rest.BytesRestResponse; -import org.opensearch.rest.RestChannel; import org.opensearch.rest.RestRequest; -import org.opensearch.rest.RestResponse; -import org.opensearch.rest.RestStatus; -import org.opensearch.rest.action.RestResponseListener; import org.opensearch.rest.action.RestToXContentListener; import org.opensearch.securityanalytics.SecurityAnalyticsPlugin; -import org.opensearch.securityanalytics.action.CreateIndexMappingsRequest; -import org.opensearch.securityanalytics.action.IndexRuleAction; -import org.opensearch.securityanalytics.action.IndexRuleRequest; -import org.opensearch.securityanalytics.action.IndexRuleResponse; import org.opensearch.securityanalytics.action.ValidateRulesAction; import org.opensearch.securityanalytics.action.ValidateRulesRequest; -import org.opensearch.securityanalytics.model.Detector; -import org.opensearch.securityanalytics.util.RestHandlerUtils; + +import java.io.IOException; +import java.util.List; public class RestValidateRulesAction extends BaseRestHandler { diff --git a/src/main/java/org/opensearch/securityanalytics/rules/backend/OSQueryBackend.java b/src/main/java/org/opensearch/securityanalytics/rules/backend/OSQueryBackend.java index 8335c51f6..ea26804c5 100644 --- a/src/main/java/org/opensearch/securityanalytics/rules/backend/OSQueryBackend.java +++ b/src/main/java/org/opensearch/securityanalytics/rules/backend/OSQueryBackend.java @@ -6,13 +6,13 @@ import org.opensearch.OpenSearchParseException; import org.opensearch.common.UUIDs; -import org.opensearch.common.bytes.BytesReference; -import org.opensearch.common.io.stream.StreamInput; -import org.opensearch.common.io.stream.StreamOutput; -import org.opensearch.common.io.stream.Writeable; -import org.opensearch.common.xcontent.XContentFactory; -import org.opensearch.common.xcontent.XContentParserUtils; import org.opensearch.commons.alerting.aggregation.bucketselectorext.BucketSelectorExtAggregationBuilder; +import org.opensearch.core.common.bytes.BytesReference; +import org.opensearch.core.common.io.stream.StreamInput; +import org.opensearch.core.common.io.stream.StreamOutput; +import org.opensearch.core.common.io.stream.Writeable; +import org.opensearch.common.xcontent.XContentFactory; +import org.opensearch.core.xcontent.XContentParserUtils; import org.opensearch.core.xcontent.ToXContent; import org.opensearch.core.xcontent.ToXContentObject; import org.opensearch.core.xcontent.XContentBuilder; diff --git a/src/main/java/org/opensearch/securityanalytics/transport/TransportAcknowledgeAlertsAction.java b/src/main/java/org/opensearch/securityanalytics/transport/TransportAcknowledgeAlertsAction.java index 6535901a8..16679e9b2 100644 --- a/src/main/java/org/opensearch/securityanalytics/transport/TransportAcknowledgeAlertsAction.java +++ b/src/main/java/org/opensearch/securityanalytics/transport/TransportAcknowledgeAlertsAction.java @@ -8,7 +8,7 @@ import org.apache.logging.log4j.Logger; import org.opensearch.OpenSearchException; import org.opensearch.OpenSearchStatusException; -import org.opensearch.action.ActionListener; +import org.opensearch.core.action.ActionListener; import org.opensearch.action.StepListener; import org.opensearch.action.support.ActionFilters; import org.opensearch.action.support.HandledTransportAction; @@ -20,7 +20,7 @@ import org.opensearch.commons.alerting.model.Table; import org.opensearch.commons.authuser.User; import org.opensearch.core.xcontent.NamedXContentRegistry; -import org.opensearch.rest.RestStatus; +import org.opensearch.core.rest.RestStatus; import org.opensearch.securityanalytics.action.AckAlertsRequest; import org.opensearch.securityanalytics.action.AckAlertsResponse; import org.opensearch.securityanalytics.action.AckAlertsAction; diff --git a/src/main/java/org/opensearch/securityanalytics/transport/TransportCorrelateFindingAction.java b/src/main/java/org/opensearch/securityanalytics/transport/TransportCorrelateFindingAction.java index a8d4d8003..ef4e19949 100644 --- a/src/main/java/org/opensearch/securityanalytics/transport/TransportCorrelateFindingAction.java +++ b/src/main/java/org/opensearch/securityanalytics/transport/TransportCorrelateFindingAction.java @@ -8,7 +8,7 @@ import org.apache.logging.log4j.Logger; import org.apache.lucene.search.join.ScoreMode; import org.opensearch.OpenSearchStatusException; -import org.opensearch.action.ActionListener; +import org.opensearch.core.action.ActionListener; import org.opensearch.action.ActionRequest; import org.opensearch.action.ActionRunnable; import org.opensearch.action.admin.indices.create.CreateIndexResponse; @@ -24,8 +24,6 @@ import org.opensearch.client.Client; import org.opensearch.cluster.service.ClusterService; import org.opensearch.common.inject.Inject; -import org.opensearch.common.io.stream.InputStreamStreamInput; -import org.opensearch.common.io.stream.OutputStreamStreamOutput; import org.opensearch.common.settings.Settings; import org.opensearch.common.unit.TimeValue; import org.opensearch.common.xcontent.LoggingDeprecationHandler; @@ -35,13 +33,15 @@ import org.opensearch.commons.alerting.action.PublishFindingsRequest; import org.opensearch.commons.alerting.action.SubscribeFindingsResponse; import org.opensearch.commons.alerting.action.AlertingActions; +import org.opensearch.core.common.io.stream.InputStreamStreamInput; +import org.opensearch.core.common.io.stream.OutputStreamStreamOutput; import org.opensearch.core.xcontent.NamedXContentRegistry; import org.opensearch.core.xcontent.XContentBuilder; import org.opensearch.core.xcontent.XContentParser; import org.opensearch.index.query.BoolQueryBuilder; import org.opensearch.index.query.NestedQueryBuilder; import org.opensearch.index.query.QueryBuilders; -import org.opensearch.rest.RestStatus; +import org.opensearch.core.rest.RestStatus; import org.opensearch.search.SearchHit; import org.opensearch.search.SearchHits; import org.opensearch.search.builder.SearchSourceBuilder; diff --git a/src/main/java/org/opensearch/securityanalytics/transport/TransportCreateIndexMappingsAction.java b/src/main/java/org/opensearch/securityanalytics/transport/TransportCreateIndexMappingsAction.java index 162c45c16..f7f6d8261 100644 --- a/src/main/java/org/opensearch/securityanalytics/transport/TransportCreateIndexMappingsAction.java +++ b/src/main/java/org/opensearch/securityanalytics/transport/TransportCreateIndexMappingsAction.java @@ -4,7 +4,7 @@ */ package org.opensearch.securityanalytics.transport; -import org.opensearch.action.ActionListener; +import org.opensearch.core.action.ActionListener; import org.opensearch.action.support.ActionFilters; import org.opensearch.action.support.HandledTransportAction; import org.opensearch.action.support.master.AcknowledgedResponse; diff --git a/src/main/java/org/opensearch/securityanalytics/transport/TransportDeleteCorrelationRuleAction.java b/src/main/java/org/opensearch/securityanalytics/transport/TransportDeleteCorrelationRuleAction.java index 1dc220944..1af67bffd 100644 --- a/src/main/java/org/opensearch/securityanalytics/transport/TransportDeleteCorrelationRuleAction.java +++ b/src/main/java/org/opensearch/securityanalytics/transport/TransportDeleteCorrelationRuleAction.java @@ -12,7 +12,7 @@ import org.apache.logging.log4j.LogManager; import org.apache.logging.log4j.Logger; import org.opensearch.OpenSearchStatusException; -import org.opensearch.action.ActionListener; +import org.opensearch.core.action.ActionListener; import org.opensearch.action.support.ActionFilters; import org.opensearch.action.support.HandledTransportAction; import org.opensearch.action.support.WriteRequest; @@ -23,7 +23,7 @@ import org.opensearch.index.reindex.BulkByScrollResponse; import org.opensearch.index.reindex.DeleteByQueryAction; import org.opensearch.index.reindex.DeleteByQueryRequestBuilder; -import org.opensearch.rest.RestStatus; +import org.opensearch.core.rest.RestStatus; import org.opensearch.securityanalytics.action.DeleteCorrelationRuleAction; import org.opensearch.securityanalytics.action.DeleteCorrelationRuleRequest; import org.opensearch.securityanalytics.model.CorrelationRule; diff --git a/src/main/java/org/opensearch/securityanalytics/transport/TransportDeleteCustomLogTypeAction.java b/src/main/java/org/opensearch/securityanalytics/transport/TransportDeleteCustomLogTypeAction.java index fb190e880..eadf0adb7 100644 --- a/src/main/java/org/opensearch/securityanalytics/transport/TransportDeleteCustomLogTypeAction.java +++ b/src/main/java/org/opensearch/securityanalytics/transport/TransportDeleteCustomLogTypeAction.java @@ -10,7 +10,7 @@ import org.apache.lucene.search.join.ScoreMode; import org.opensearch.OpenSearchStatusException; -import org.opensearch.action.ActionListener; +import org.opensearch.core.action.ActionListener; import org.opensearch.action.ActionRunnable; import org.opensearch.action.delete.DeleteRequest; import org.opensearch.action.delete.DeleteResponse; @@ -28,7 +28,7 @@ import org.opensearch.commons.authuser.User; import org.opensearch.index.query.QueryBuilder; import org.opensearch.index.query.QueryBuilders; -import org.opensearch.rest.RestStatus; +import org.opensearch.core.rest.RestStatus; import org.opensearch.search.builder.SearchSourceBuilder; import org.opensearch.securityanalytics.action.DeleteCustomLogTypeAction; import org.opensearch.securityanalytics.action.DeleteCustomLogTypeRequest; diff --git a/src/main/java/org/opensearch/securityanalytics/transport/TransportDeleteDetectorAction.java b/src/main/java/org/opensearch/securityanalytics/transport/TransportDeleteDetectorAction.java index decf798a9..f23a0d9c7 100644 --- a/src/main/java/org/opensearch/securityanalytics/transport/TransportDeleteDetectorAction.java +++ b/src/main/java/org/opensearch/securityanalytics/transport/TransportDeleteDetectorAction.java @@ -13,7 +13,7 @@ import org.apache.logging.log4j.Logger; import org.opensearch.common.SetOnce; import org.opensearch.OpenSearchStatusException; -import org.opensearch.action.ActionListener; +import org.opensearch.core.action.ActionListener; import org.opensearch.action.ActionRunnable; import org.opensearch.action.delete.DeleteRequest; import org.opensearch.action.delete.DeleteResponse; @@ -34,7 +34,7 @@ import org.opensearch.commons.alerting.action.DeleteMonitorResponse; import org.opensearch.core.xcontent.NamedXContentRegistry; import org.opensearch.core.xcontent.XContentParser; -import org.opensearch.rest.RestStatus; +import org.opensearch.core.rest.RestStatus; import org.opensearch.securityanalytics.action.DeleteDetectorAction; import org.opensearch.securityanalytics.action.DeleteDetectorRequest; import org.opensearch.securityanalytics.action.DeleteDetectorResponse; diff --git a/src/main/java/org/opensearch/securityanalytics/transport/TransportDeleteRuleAction.java b/src/main/java/org/opensearch/securityanalytics/transport/TransportDeleteRuleAction.java index 639f8c823..44cb7ae56 100644 --- a/src/main/java/org/opensearch/securityanalytics/transport/TransportDeleteRuleAction.java +++ b/src/main/java/org/opensearch/securityanalytics/transport/TransportDeleteRuleAction.java @@ -8,7 +8,7 @@ import org.apache.logging.log4j.Logger; import org.apache.lucene.search.join.ScoreMode; import org.opensearch.OpenSearchStatusException; -import org.opensearch.action.ActionListener; +import org.opensearch.core.action.ActionListener; import org.opensearch.action.ActionRunnable; import org.opensearch.action.get.GetRequest; import org.opensearch.action.get.GetResponse; @@ -29,7 +29,7 @@ import org.opensearch.index.reindex.DeleteByQueryAction; import org.opensearch.index.reindex.DeleteByQueryRequestBuilder; import org.opensearch.rest.RestRequest; -import org.opensearch.rest.RestStatus; +import org.opensearch.core.rest.RestStatus; import org.opensearch.search.SearchHit; import org.opensearch.search.builder.SearchSourceBuilder; import org.opensearch.securityanalytics.action.DeleteRuleAction; diff --git a/src/main/java/org/opensearch/securityanalytics/transport/TransportGetAlertsAction.java b/src/main/java/org/opensearch/securityanalytics/transport/TransportGetAlertsAction.java index 8af3d0fd8..e664e75ae 100644 --- a/src/main/java/org/opensearch/securityanalytics/transport/TransportGetAlertsAction.java +++ b/src/main/java/org/opensearch/securityanalytics/transport/TransportGetAlertsAction.java @@ -11,7 +11,7 @@ import org.apache.logging.log4j.Logger; import org.apache.lucene.search.join.ScoreMode; import org.opensearch.OpenSearchStatusException; -import org.opensearch.action.ActionListener; +import org.opensearch.core.action.ActionListener; import org.opensearch.action.search.SearchRequest; import org.opensearch.action.search.SearchResponse; import org.opensearch.action.support.ActionFilters; @@ -24,7 +24,7 @@ import org.opensearch.core.xcontent.NamedXContentRegistry; import org.opensearch.index.query.NestedQueryBuilder; import org.opensearch.index.query.QueryBuilders; -import org.opensearch.rest.RestStatus; +import org.opensearch.core.rest.RestStatus; import org.opensearch.search.builder.SearchSourceBuilder; import org.opensearch.securityanalytics.action.GetAlertsAction; import org.opensearch.securityanalytics.action.GetAlertsRequest; diff --git a/src/main/java/org/opensearch/securityanalytics/transport/TransportGetAllRuleCategoriesAction.java b/src/main/java/org/opensearch/securityanalytics/transport/TransportGetAllRuleCategoriesAction.java index c8eedaa33..019f598fe 100644 --- a/src/main/java/org/opensearch/securityanalytics/transport/TransportGetAllRuleCategoriesAction.java +++ b/src/main/java/org/opensearch/securityanalytics/transport/TransportGetAllRuleCategoriesAction.java @@ -5,7 +5,7 @@ package org.opensearch.securityanalytics.transport; import java.util.stream.Collectors; -import org.opensearch.action.ActionListener; +import org.opensearch.core.action.ActionListener; import org.opensearch.action.support.ActionFilters; import org.opensearch.action.support.HandledTransportAction; import org.opensearch.cluster.service.ClusterService; diff --git a/src/main/java/org/opensearch/securityanalytics/transport/TransportGetDetectorAction.java b/src/main/java/org/opensearch/securityanalytics/transport/TransportGetDetectorAction.java index 47c2e07e5..d23540d3b 100644 --- a/src/main/java/org/opensearch/securityanalytics/transport/TransportGetDetectorAction.java +++ b/src/main/java/org/opensearch/securityanalytics/transport/TransportGetDetectorAction.java @@ -8,7 +8,7 @@ import org.apache.logging.log4j.Logger; import org.opensearch.OpenSearchStatusException; -import org.opensearch.action.ActionListener; +import org.opensearch.core.action.ActionListener; import org.opensearch.action.get.GetRequest; import org.opensearch.action.get.GetResponse; import org.opensearch.action.support.ActionFilters; @@ -17,19 +17,15 @@ import org.opensearch.cluster.service.ClusterService; import org.opensearch.commons.authuser.User; import org.opensearch.common.inject.Inject; -import org.opensearch.common.io.stream.StreamInput; import org.opensearch.common.settings.Settings; import org.opensearch.common.xcontent.XContentHelper; -import org.opensearch.rest.RestResponse; -import org.opensearch.rest.BytesRestResponse; import org.opensearch.common.xcontent.LoggingDeprecationHandler; import org.opensearch.common.xcontent.XContentType; import org.opensearch.core.xcontent.NamedXContentRegistry; import org.opensearch.core.xcontent.XContentParser; -import org.opensearch.rest.RestStatus; +import org.opensearch.core.rest.RestStatus; import org.opensearch.securityanalytics.action.GetDetectorAction; import org.opensearch.securityanalytics.model.Detector; -import org.opensearch.securityanalytics.model.DetectorInput; import org.opensearch.securityanalytics.action.GetDetectorRequest; import org.opensearch.securityanalytics.action.GetDetectorResponse; import org.opensearch.securityanalytics.settings.SecurityAnalyticsSettings; @@ -40,10 +36,9 @@ import org.opensearch.transport.TransportService; import java.io.IOException; -import java.util.List; -import static org.opensearch.rest.RestStatus.OK; +import static org.opensearch.core.rest.RestStatus.OK; public class TransportGetDetectorAction extends HandledTransportAction implements SecureTransportAction { diff --git a/src/main/java/org/opensearch/securityanalytics/transport/TransportGetFindingsAction.java b/src/main/java/org/opensearch/securityanalytics/transport/TransportGetFindingsAction.java index 5af8eb608..e84f028fe 100644 --- a/src/main/java/org/opensearch/securityanalytics/transport/TransportGetFindingsAction.java +++ b/src/main/java/org/opensearch/securityanalytics/transport/TransportGetFindingsAction.java @@ -11,7 +11,7 @@ import org.apache.logging.log4j.Logger; import org.apache.lucene.search.join.ScoreMode; import org.opensearch.OpenSearchStatusException; -import org.opensearch.action.ActionListener; +import org.opensearch.core.action.ActionListener; import org.opensearch.action.search.SearchRequest; import org.opensearch.action.search.SearchResponse; import org.opensearch.action.support.ActionFilters; @@ -24,7 +24,7 @@ import org.opensearch.core.xcontent.NamedXContentRegistry; import org.opensearch.index.query.NestedQueryBuilder; import org.opensearch.index.query.QueryBuilders; -import org.opensearch.rest.RestStatus; +import org.opensearch.core.rest.RestStatus; import org.opensearch.search.builder.SearchSourceBuilder; import org.opensearch.securityanalytics.action.GetFindingsAction; import org.opensearch.securityanalytics.action.GetFindingsRequest; diff --git a/src/main/java/org/opensearch/securityanalytics/transport/TransportGetIndexMappingsAction.java b/src/main/java/org/opensearch/securityanalytics/transport/TransportGetIndexMappingsAction.java index b8b9110d8..e2154f51a 100644 --- a/src/main/java/org/opensearch/securityanalytics/transport/TransportGetIndexMappingsAction.java +++ b/src/main/java/org/opensearch/securityanalytics/transport/TransportGetIndexMappingsAction.java @@ -5,13 +5,13 @@ package org.opensearch.securityanalytics.transport; import org.opensearch.OpenSearchStatusException; -import org.opensearch.action.ActionListener; +import org.opensearch.core.action.ActionListener; import org.opensearch.action.support.ActionFilters; import org.opensearch.action.support.HandledTransportAction; import org.opensearch.cluster.metadata.IndexMetadata; import org.opensearch.cluster.service.ClusterService; import org.opensearch.common.inject.Inject; -import org.opensearch.rest.RestStatus; +import org.opensearch.core.rest.RestStatus; import org.opensearch.securityanalytics.action.GetIndexMappingsAction; import org.opensearch.securityanalytics.mapper.MapperService; import org.opensearch.securityanalytics.action.GetIndexMappingsRequest; diff --git a/src/main/java/org/opensearch/securityanalytics/transport/TransportGetMappingsViewAction.java b/src/main/java/org/opensearch/securityanalytics/transport/TransportGetMappingsViewAction.java index 319bc5bca..38c761261 100644 --- a/src/main/java/org/opensearch/securityanalytics/transport/TransportGetMappingsViewAction.java +++ b/src/main/java/org/opensearch/securityanalytics/transport/TransportGetMappingsViewAction.java @@ -5,13 +5,13 @@ package org.opensearch.securityanalytics.transport; import org.opensearch.OpenSearchStatusException; -import org.opensearch.action.ActionListener; +import org.opensearch.core.action.ActionListener; import org.opensearch.action.support.ActionFilters; import org.opensearch.action.support.HandledTransportAction; import org.opensearch.cluster.metadata.IndexMetadata; import org.opensearch.cluster.service.ClusterService; import org.opensearch.common.inject.Inject; -import org.opensearch.rest.RestStatus; +import org.opensearch.core.rest.RestStatus; import org.opensearch.securityanalytics.action.GetIndexMappingsAction; import org.opensearch.securityanalytics.action.GetIndexMappingsRequest; import org.opensearch.securityanalytics.action.GetIndexMappingsResponse; diff --git a/src/main/java/org/opensearch/securityanalytics/transport/TransportIndexCorrelationRuleAction.java b/src/main/java/org/opensearch/securityanalytics/transport/TransportIndexCorrelationRuleAction.java index defa51faa..1bb8f6f73 100644 --- a/src/main/java/org/opensearch/securityanalytics/transport/TransportIndexCorrelationRuleAction.java +++ b/src/main/java/org/opensearch/securityanalytics/transport/TransportIndexCorrelationRuleAction.java @@ -11,7 +11,7 @@ import org.apache.logging.log4j.LogManager; import org.apache.logging.log4j.Logger; import org.opensearch.OpenSearchStatusException; -import org.opensearch.action.ActionListener; +import org.opensearch.core.action.ActionListener; import org.opensearch.action.admin.indices.create.CreateIndexResponse; import org.opensearch.action.index.IndexRequest; import org.opensearch.action.index.IndexResponse; @@ -26,7 +26,7 @@ import org.opensearch.common.xcontent.XContentFactory; import org.opensearch.core.xcontent.ToXContent; import org.opensearch.rest.RestRequest; -import org.opensearch.rest.RestStatus; +import org.opensearch.core.rest.RestStatus; import org.opensearch.securityanalytics.action.IndexCorrelationRuleAction; import org.opensearch.securityanalytics.action.IndexCorrelationRuleRequest; import org.opensearch.securityanalytics.action.IndexCorrelationRuleResponse; diff --git a/src/main/java/org/opensearch/securityanalytics/transport/TransportIndexCustomLogTypeAction.java b/src/main/java/org/opensearch/securityanalytics/transport/TransportIndexCustomLogTypeAction.java index 70e9b26f4..95f0ee93f 100644 --- a/src/main/java/org/opensearch/securityanalytics/transport/TransportIndexCustomLogTypeAction.java +++ b/src/main/java/org/opensearch/securityanalytics/transport/TransportIndexCustomLogTypeAction.java @@ -10,7 +10,7 @@ import org.apache.lucene.search.join.ScoreMode; import org.opensearch.OpenSearchStatusException; -import org.opensearch.action.ActionListener; +import org.opensearch.core.action.ActionListener; import org.opensearch.action.ActionRunnable; import org.opensearch.action.admin.indices.create.CreateIndexResponse; import org.opensearch.action.index.IndexRequest; @@ -32,7 +32,7 @@ import org.opensearch.index.query.QueryBuilder; import org.opensearch.index.query.QueryBuilders; import org.opensearch.rest.RestRequest; -import org.opensearch.rest.RestStatus; +import org.opensearch.core.rest.RestStatus; import org.opensearch.search.aggregations.AggregationBuilders; import org.opensearch.search.aggregations.metrics.Max; import org.opensearch.search.aggregations.metrics.MaxAggregationBuilder; diff --git a/src/main/java/org/opensearch/securityanalytics/transport/TransportIndexDetectorAction.java b/src/main/java/org/opensearch/securityanalytics/transport/TransportIndexDetectorAction.java index d8d4c99bf..c7d17e572 100644 --- a/src/main/java/org/opensearch/securityanalytics/transport/TransportIndexDetectorAction.java +++ b/src/main/java/org/opensearch/securityanalytics/transport/TransportIndexDetectorAction.java @@ -10,7 +10,7 @@ import org.apache.lucene.search.join.ScoreMode; import org.opensearch.common.SetOnce; import org.opensearch.OpenSearchStatusException; -import org.opensearch.action.ActionListener; +import org.opensearch.core.action.ActionListener; import org.opensearch.action.ActionRunnable; import org.opensearch.action.StepListener; import org.opensearch.action.admin.indices.create.CreateIndexResponse; @@ -32,16 +32,15 @@ import org.opensearch.cluster.metadata.IndexNameExpressionResolver; import org.opensearch.cluster.metadata.MappingMetadata; import org.opensearch.cluster.service.ClusterService; -import org.opensearch.common.CheckedConsumer; import org.opensearch.common.SetOnce; import org.opensearch.common.inject.Inject; -import org.opensearch.common.io.stream.NamedWriteableRegistry; import org.opensearch.common.settings.Settings; import org.opensearch.common.unit.TimeValue; import org.opensearch.common.xcontent.LoggingDeprecationHandler; import org.opensearch.common.xcontent.XContentFactory; import org.opensearch.common.xcontent.XContentHelper; -import org.opensearch.core.xcontent.XContentParser; +import org.opensearch.core.common.io.stream.NamedWriteableRegistry; +import org.opensearch.core.xcontent.NamedXContentRegistry; import org.opensearch.common.xcontent.XContentType; import org.opensearch.commons.alerting.AlertingPluginInterface; import org.opensearch.commons.alerting.action.DeleteMonitorRequest; @@ -60,6 +59,7 @@ import org.opensearch.commons.authuser.User; import org.opensearch.core.xcontent.NamedXContentRegistry; import org.opensearch.core.xcontent.ToXContent; +import org.opensearch.core.xcontent.XContentParser; import org.opensearch.index.query.BoolQueryBuilder; import org.opensearch.index.IndexNotFoundException; import org.opensearch.index.query.QueryBuilder; @@ -69,7 +69,7 @@ import org.opensearch.index.seqno.SequenceNumbers; import org.opensearch.rest.RestRequest; import org.opensearch.rest.RestRequest.Method; -import org.opensearch.rest.RestStatus; +import org.opensearch.core.rest.RestStatus; import org.opensearch.script.Script; import org.opensearch.search.SearchHit; import org.opensearch.search.SearchHits; diff --git a/src/main/java/org/opensearch/securityanalytics/transport/TransportIndexRuleAction.java b/src/main/java/org/opensearch/securityanalytics/transport/TransportIndexRuleAction.java index da0afefc0..d13d499d8 100644 --- a/src/main/java/org/opensearch/securityanalytics/transport/TransportIndexRuleAction.java +++ b/src/main/java/org/opensearch/securityanalytics/transport/TransportIndexRuleAction.java @@ -9,7 +9,6 @@ import org.apache.logging.log4j.Logger; import org.apache.lucene.search.join.ScoreMode; import org.opensearch.OpenSearchStatusException; -import org.opensearch.action.ActionListener; import org.opensearch.action.ActionRunnable; import org.opensearch.action.admin.indices.create.CreateIndexResponse; import org.opensearch.action.index.IndexRequest; @@ -27,13 +26,14 @@ import org.opensearch.common.xcontent.LoggingDeprecationHandler; import org.opensearch.common.xcontent.XContentFactory; import org.opensearch.common.xcontent.XContentType; -import org.opensearch.core.xcontent.XContentParser; +import org.opensearch.core.action.ActionListener; import org.opensearch.core.xcontent.NamedXContentRegistry; import org.opensearch.core.xcontent.ToXContent; +import org.opensearch.core.xcontent.XContentParser; import org.opensearch.index.query.QueryBuilder; import org.opensearch.index.query.QueryBuilders; import org.opensearch.rest.RestRequest; -import org.opensearch.rest.RestStatus; +import org.opensearch.core.rest.RestStatus; import org.opensearch.search.SearchHit; import org.opensearch.search.builder.SearchSourceBuilder; import org.opensearch.securityanalytics.action.IndexDetectorAction; diff --git a/src/main/java/org/opensearch/securityanalytics/transport/TransportListCorrelationAction.java b/src/main/java/org/opensearch/securityanalytics/transport/TransportListCorrelationAction.java index e42266103..6e8a84296 100644 --- a/src/main/java/org/opensearch/securityanalytics/transport/TransportListCorrelationAction.java +++ b/src/main/java/org/opensearch/securityanalytics/transport/TransportListCorrelationAction.java @@ -7,7 +7,7 @@ import org.apache.logging.log4j.LogManager; import org.apache.logging.log4j.Logger; import org.opensearch.OpenSearchStatusException; -import org.opensearch.action.ActionListener; +import org.opensearch.core.action.ActionListener; import org.opensearch.action.ActionRunnable; import org.opensearch.action.search.SearchRequest; import org.opensearch.action.search.SearchResponse; @@ -20,7 +20,7 @@ import org.opensearch.core.xcontent.NamedXContentRegistry; import org.opensearch.index.query.BoolQueryBuilder; import org.opensearch.index.query.QueryBuilders; -import org.opensearch.rest.RestStatus; +import org.opensearch.core.rest.RestStatus; import org.opensearch.search.SearchHit; import org.opensearch.search.builder.SearchSourceBuilder; import org.opensearch.securityanalytics.action.ListCorrelationsAction; diff --git a/src/main/java/org/opensearch/securityanalytics/transport/TransportSearchCorrelationAction.java b/src/main/java/org/opensearch/securityanalytics/transport/TransportSearchCorrelationAction.java index 9152f0042..b23b61396 100644 --- a/src/main/java/org/opensearch/securityanalytics/transport/TransportSearchCorrelationAction.java +++ b/src/main/java/org/opensearch/securityanalytics/transport/TransportSearchCorrelationAction.java @@ -8,7 +8,7 @@ import org.apache.logging.log4j.LogManager; import org.apache.logging.log4j.Logger; import org.opensearch.OpenSearchStatusException; -import org.opensearch.action.ActionListener; +import org.opensearch.core.action.ActionListener; import org.opensearch.action.ActionRunnable; import org.opensearch.action.search.MultiSearchRequest; import org.opensearch.action.search.MultiSearchResponse; diff --git a/src/main/java/org/opensearch/securityanalytics/transport/TransportSearchCorrelationRuleAction.java b/src/main/java/org/opensearch/securityanalytics/transport/TransportSearchCorrelationRuleAction.java index 4affd451f..d027d26de 100644 --- a/src/main/java/org/opensearch/securityanalytics/transport/TransportSearchCorrelationRuleAction.java +++ b/src/main/java/org/opensearch/securityanalytics/transport/TransportSearchCorrelationRuleAction.java @@ -11,7 +11,7 @@ import org.apache.logging.log4j.LogManager; import org.apache.logging.log4j.Logger; import org.apache.lucene.search.TotalHits; -import org.opensearch.action.ActionListener; +import org.opensearch.core.action.ActionListener; import org.opensearch.action.search.SearchResponse; import org.opensearch.action.search.ShardSearchFailure; import org.opensearch.action.support.ActionFilters; diff --git a/src/main/java/org/opensearch/securityanalytics/transport/TransportSearchCustomLogTypeAction.java b/src/main/java/org/opensearch/securityanalytics/transport/TransportSearchCustomLogTypeAction.java index 340cfd9e0..373cbfa48 100644 --- a/src/main/java/org/opensearch/securityanalytics/transport/TransportSearchCustomLogTypeAction.java +++ b/src/main/java/org/opensearch/securityanalytics/transport/TransportSearchCustomLogTypeAction.java @@ -8,7 +8,7 @@ package org.opensearch.securityanalytics.transport; -import org.opensearch.action.ActionListener; +import org.opensearch.core.action.ActionListener; import org.opensearch.action.search.SearchResponse; import org.opensearch.action.support.ActionFilters; import org.opensearch.action.support.HandledTransportAction; diff --git a/src/main/java/org/opensearch/securityanalytics/transport/TransportSearchDetectorAction.java b/src/main/java/org/opensearch/securityanalytics/transport/TransportSearchDetectorAction.java index a46952cc6..53ef22a76 100644 --- a/src/main/java/org/opensearch/securityanalytics/transport/TransportSearchDetectorAction.java +++ b/src/main/java/org/opensearch/securityanalytics/transport/TransportSearchDetectorAction.java @@ -7,29 +7,17 @@ import org.apache.logging.log4j.LogManager; import org.apache.logging.log4j.Logger; -import org.apache.lucene.search.TotalHits; -import org.opensearch.OpenSearchStatusException; -import org.opensearch.action.ActionListener; +import org.opensearch.core.action.ActionListener; import org.opensearch.action.search.SearchResponse; -import org.opensearch.action.search.SearchResponseSections; -import org.opensearch.action.search.ShardSearchFailure; import org.opensearch.action.support.ActionFilters; import org.opensearch.action.support.HandledTransportAction; import org.opensearch.commons.authuser.User; import org.opensearch.client.Client; import org.opensearch.common.inject.Inject; -import org.opensearch.common.io.stream.StreamInput; import org.opensearch.common.settings.Settings; import org.opensearch.cluster.service.ClusterService; import org.opensearch.core.xcontent.NamedXContentRegistry; -import org.opensearch.rest.RestStatus; -import org.opensearch.search.SearchHit; -import org.opensearch.search.SearchHits; -import org.opensearch.search.aggregations.InternalAggregations; -import org.opensearch.search.internal.InternalSearchResponse; -import org.opensearch.search.profile.SearchProfileShardResults; -import org.opensearch.search.suggest.Suggest; import org.opensearch.securityanalytics.action.SearchDetectorAction; import org.opensearch.securityanalytics.action.SearchDetectorRequest; import org.opensearch.securityanalytics.settings.SecurityAnalyticsSettings; @@ -39,11 +27,6 @@ import org.opensearch.tasks.Task; import org.opensearch.transport.TransportService; - -import java.util.Collections; -import java.util.Locale; - -import static org.opensearch.rest.RestStatus.OK; import static org.opensearch.securityanalytics.util.DetectorUtils.getEmptySearchResponse; public class TransportSearchDetectorAction extends HandledTransportAction implements SecureTransportAction { diff --git a/src/main/java/org/opensearch/securityanalytics/transport/TransportSearchRuleAction.java b/src/main/java/org/opensearch/securityanalytics/transport/TransportSearchRuleAction.java index 4f5f4c4d1..ec4b9bf93 100644 --- a/src/main/java/org/opensearch/securityanalytics/transport/TransportSearchRuleAction.java +++ b/src/main/java/org/opensearch/securityanalytics/transport/TransportSearchRuleAction.java @@ -7,7 +7,7 @@ import org.apache.logging.log4j.LogManager; import org.apache.logging.log4j.Logger; import org.opensearch.OpenSearchStatusException; -import org.opensearch.action.ActionListener; +import org.opensearch.core.action.ActionListener; import org.opensearch.action.ActionRunnable; import org.opensearch.action.admin.indices.create.CreateIndexResponse; import org.opensearch.action.bulk.BulkResponse; @@ -24,7 +24,7 @@ import org.opensearch.common.settings.Settings; import org.opensearch.common.unit.TimeValue; import org.opensearch.index.reindex.BulkByScrollResponse; -import org.opensearch.rest.RestStatus; +import org.opensearch.core.rest.RestStatus; import org.opensearch.search.internal.InternalSearchResponse; import org.opensearch.securityanalytics.action.SearchRuleAction; import org.opensearch.securityanalytics.action.SearchRuleRequest; diff --git a/src/main/java/org/opensearch/securityanalytics/transport/TransportUpdateIndexMappingsAction.java b/src/main/java/org/opensearch/securityanalytics/transport/TransportUpdateIndexMappingsAction.java index 3717e24b2..e1fc442d8 100644 --- a/src/main/java/org/opensearch/securityanalytics/transport/TransportUpdateIndexMappingsAction.java +++ b/src/main/java/org/opensearch/securityanalytics/transport/TransportUpdateIndexMappingsAction.java @@ -5,14 +5,14 @@ package org.opensearch.securityanalytics.transport; import org.opensearch.OpenSearchStatusException; -import org.opensearch.action.ActionListener; +import org.opensearch.core.action.ActionListener; import org.opensearch.action.support.ActionFilters; import org.opensearch.action.support.HandledTransportAction; import org.opensearch.action.support.master.AcknowledgedResponse; import org.opensearch.cluster.metadata.IndexMetadata; import org.opensearch.cluster.service.ClusterService; import org.opensearch.common.inject.Inject; -import org.opensearch.rest.RestStatus; +import org.opensearch.core.rest.RestStatus; import org.opensearch.securityanalytics.action.UpdateIndexMappingsAction; import org.opensearch.securityanalytics.mapper.MapperService; import org.opensearch.securityanalytics.action.UpdateIndexMappingsRequest; diff --git a/src/main/java/org/opensearch/securityanalytics/transport/TransportValidateRulesAction.java b/src/main/java/org/opensearch/securityanalytics/transport/TransportValidateRulesAction.java index 2023c25bc..f6151bd69 100644 --- a/src/main/java/org/opensearch/securityanalytics/transport/TransportValidateRulesAction.java +++ b/src/main/java/org/opensearch/securityanalytics/transport/TransportValidateRulesAction.java @@ -6,7 +6,7 @@ import java.util.List; import org.opensearch.OpenSearchStatusException; -import org.opensearch.action.ActionListener; +import org.opensearch.core.action.ActionListener; import org.opensearch.action.StepListener; import org.opensearch.action.support.ActionFilters; import org.opensearch.action.support.HandledTransportAction; @@ -15,7 +15,7 @@ import org.opensearch.cluster.service.ClusterService; import org.opensearch.common.inject.Inject; import org.opensearch.core.xcontent.NamedXContentRegistry; -import org.opensearch.rest.RestStatus; +import org.opensearch.core.rest.RestStatus; import org.opensearch.securityanalytics.action.ValidateRulesAction; import org.opensearch.securityanalytics.action.ValidateRulesRequest; import org.opensearch.securityanalytics.action.ValidateRulesResponse; diff --git a/src/main/java/org/opensearch/securityanalytics/util/CorrelationIndices.java b/src/main/java/org/opensearch/securityanalytics/util/CorrelationIndices.java index a68064853..efb96a45f 100644 --- a/src/main/java/org/opensearch/securityanalytics/util/CorrelationIndices.java +++ b/src/main/java/org/opensearch/securityanalytics/util/CorrelationIndices.java @@ -7,7 +7,7 @@ import org.apache.logging.log4j.LogManager; import org.apache.logging.log4j.Logger; import org.opensearch.OpenSearchStatusException; -import org.opensearch.action.ActionListener; +import org.opensearch.core.action.ActionListener; import org.opensearch.action.admin.indices.create.CreateIndexRequest; import org.opensearch.action.admin.indices.create.CreateIndexResponse; import org.opensearch.action.bulk.BulkRequest; @@ -24,7 +24,7 @@ import org.opensearch.common.unit.TimeValue; import org.opensearch.common.xcontent.XContentFactory; import org.opensearch.core.xcontent.XContentBuilder; -import org.opensearch.rest.RestStatus; +import org.opensearch.core.rest.RestStatus; import java.io.IOException; import java.nio.charset.Charset; diff --git a/src/main/java/org/opensearch/securityanalytics/util/CorrelationRuleIndices.java b/src/main/java/org/opensearch/securityanalytics/util/CorrelationRuleIndices.java index 69eb83bc7..d131e47b4 100644 --- a/src/main/java/org/opensearch/securityanalytics/util/CorrelationRuleIndices.java +++ b/src/main/java/org/opensearch/securityanalytics/util/CorrelationRuleIndices.java @@ -10,7 +10,7 @@ import org.apache.logging.log4j.LogManager; import org.apache.logging.log4j.Logger; -import org.opensearch.action.ActionListener; +import org.opensearch.core.action.ActionListener; import org.opensearch.action.admin.indices.create.CreateIndexRequest; import org.opensearch.action.admin.indices.create.CreateIndexResponse; import org.opensearch.client.Client; diff --git a/src/main/java/org/opensearch/securityanalytics/util/CustomLogTypeIndices.java b/src/main/java/org/opensearch/securityanalytics/util/CustomLogTypeIndices.java index 7b9e6e066..c2aa0d977 100644 --- a/src/main/java/org/opensearch/securityanalytics/util/CustomLogTypeIndices.java +++ b/src/main/java/org/opensearch/securityanalytics/util/CustomLogTypeIndices.java @@ -6,7 +6,7 @@ import org.apache.logging.log4j.LogManager; import org.apache.logging.log4j.Logger; -import org.opensearch.action.ActionListener; +import org.opensearch.core.action.ActionListener; import org.opensearch.action.admin.indices.create.CreateIndexRequest; import org.opensearch.action.admin.indices.create.CreateIndexResponse; import org.opensearch.client.AdminClient; diff --git a/src/main/java/org/opensearch/securityanalytics/util/DetectorIndices.java b/src/main/java/org/opensearch/securityanalytics/util/DetectorIndices.java index f98cdef11..d6a81e134 100644 --- a/src/main/java/org/opensearch/securityanalytics/util/DetectorIndices.java +++ b/src/main/java/org/opensearch/securityanalytics/util/DetectorIndices.java @@ -6,7 +6,7 @@ import org.apache.logging.log4j.LogManager; import org.apache.logging.log4j.Logger; -import org.opensearch.action.ActionListener; +import org.opensearch.core.action.ActionListener; import org.opensearch.action.admin.indices.create.CreateIndexRequest; import org.opensearch.action.admin.indices.create.CreateIndexResponse; import org.opensearch.client.AdminClient; diff --git a/src/main/java/org/opensearch/securityanalytics/util/DetectorUtils.java b/src/main/java/org/opensearch/securityanalytics/util/DetectorUtils.java index 4a60a8fcb..d7f205c89 100644 --- a/src/main/java/org/opensearch/securityanalytics/util/DetectorUtils.java +++ b/src/main/java/org/opensearch/securityanalytics/util/DetectorUtils.java @@ -5,7 +5,7 @@ package org.opensearch.securityanalytics.util; import org.apache.lucene.search.TotalHits; -import org.opensearch.action.ActionListener; +import org.opensearch.core.action.ActionListener; import org.opensearch.action.search.SearchRequest; import org.opensearch.action.search.SearchResponse; import org.opensearch.action.search.ShardSearchFailure; diff --git a/src/main/java/org/opensearch/securityanalytics/util/IndexUtils.java b/src/main/java/org/opensearch/securityanalytics/util/IndexUtils.java index aaff505bc..1632b2188 100644 --- a/src/main/java/org/opensearch/securityanalytics/util/IndexUtils.java +++ b/src/main/java/org/opensearch/securityanalytics/util/IndexUtils.java @@ -5,7 +5,7 @@ package org.opensearch.securityanalytics.util; import java.util.SortedMap; -import org.opensearch.action.ActionListener; +import org.opensearch.core.action.ActionListener; import org.opensearch.action.admin.indices.mapping.put.PutMappingRequest; import org.opensearch.action.support.IndicesOptions; import org.opensearch.action.support.master.AcknowledgedResponse; diff --git a/src/main/java/org/opensearch/securityanalytics/util/RuleIndices.java b/src/main/java/org/opensearch/securityanalytics/util/RuleIndices.java index 5a0da3a2e..6916f7532 100644 --- a/src/main/java/org/opensearch/securityanalytics/util/RuleIndices.java +++ b/src/main/java/org/opensearch/securityanalytics/util/RuleIndices.java @@ -8,7 +8,7 @@ import org.apache.logging.log4j.LogManager; import org.apache.logging.log4j.Logger; import org.opensearch.OpenSearchStatusException; -import org.opensearch.action.ActionListener; +import org.opensearch.core.action.ActionListener; import org.opensearch.action.admin.indices.create.CreateIndexRequest; import org.opensearch.action.admin.indices.create.CreateIndexResponse; import org.opensearch.action.admin.indices.mapping.get.GetMappingsRequest; @@ -39,7 +39,7 @@ import org.opensearch.index.reindex.BulkByScrollResponse; import org.opensearch.index.reindex.DeleteByQueryAction; import org.opensearch.index.reindex.DeleteByQueryRequestBuilder; -import org.opensearch.rest.RestStatus; +import org.opensearch.core.rest.RestStatus; import org.opensearch.search.SearchHit; import org.opensearch.search.builder.SearchSourceBuilder; import org.opensearch.securityanalytics.logtype.LogTypeService; diff --git a/src/main/java/org/opensearch/securityanalytics/util/RuleTopicIndices.java b/src/main/java/org/opensearch/securityanalytics/util/RuleTopicIndices.java index 13c4478ac..8f0f1cab5 100644 --- a/src/main/java/org/opensearch/securityanalytics/util/RuleTopicIndices.java +++ b/src/main/java/org/opensearch/securityanalytics/util/RuleTopicIndices.java @@ -12,7 +12,7 @@ import java.util.stream.Collectors; import org.apache.logging.log4j.LogManager; import org.apache.logging.log4j.Logger; -import org.opensearch.action.ActionListener; +import org.opensearch.core.action.ActionListener; import org.opensearch.action.admin.indices.template.put.PutComposableIndexTemplateAction; import org.opensearch.action.support.master.AcknowledgedResponse; import org.opensearch.client.Client; diff --git a/src/main/java/org/opensearch/securityanalytics/util/RuleValidator.java b/src/main/java/org/opensearch/securityanalytics/util/RuleValidator.java index 937265908..d5927088b 100644 --- a/src/main/java/org/opensearch/securityanalytics/util/RuleValidator.java +++ b/src/main/java/org/opensearch/securityanalytics/util/RuleValidator.java @@ -8,7 +8,7 @@ import java.util.ArrayList; import java.util.List; import java.util.stream.Collectors; -import org.opensearch.action.ActionListener; +import org.opensearch.core.action.ActionListener; import org.opensearch.action.StepListener; import org.opensearch.action.search.SearchRequest; import org.opensearch.action.search.SearchResponse; diff --git a/src/main/java/org/opensearch/securityanalytics/util/SecurityAnalyticsException.java b/src/main/java/org/opensearch/securityanalytics/util/SecurityAnalyticsException.java index b54ed9072..5c0b45265 100644 --- a/src/main/java/org/opensearch/securityanalytics/util/SecurityAnalyticsException.java +++ b/src/main/java/org/opensearch/securityanalytics/util/SecurityAnalyticsException.java @@ -10,7 +10,7 @@ import org.opensearch.core.common.Strings; import org.opensearch.common.xcontent.XContentFactory; import org.opensearch.core.xcontent.XContentBuilder; -import org.opensearch.rest.RestStatus; +import org.opensearch.core.rest.RestStatus; import java.io.IOException; import java.util.List; @@ -78,7 +78,7 @@ public static OpenSearchException wrap(List ex) { log.error("Security Analytics error:", e); } builder.endObject(); - String friendlyMsg = org.opensearch.common.Strings.toString(builder); + String friendlyMsg = builder.toString(); return new SecurityAnalyticsException(friendlyMsg, status, new Exception(String.format(Locale.getDefault(), "%s: %s", ex.getClass().getName(), friendlyMsg))); } catch (IOException e) { diff --git a/src/main/java/org/opensearch/securityanalytics/util/XContentUtils.java b/src/main/java/org/opensearch/securityanalytics/util/XContentUtils.java index 1b3c21e8b..5389758af 100644 --- a/src/main/java/org/opensearch/securityanalytics/util/XContentUtils.java +++ b/src/main/java/org/opensearch/securityanalytics/util/XContentUtils.java @@ -7,16 +7,17 @@ import java.io.IOException; import java.util.Map; -import org.opensearch.common.bytes.BytesReference; +import org.opensearch.core.common.bytes.BytesReference; import org.opensearch.common.xcontent.XContentFactory; import org.opensearch.common.xcontent.XContentHelper; import org.opensearch.common.xcontent.XContentType; +import org.opensearch.core.xcontent.MediaTypeRegistry; import org.opensearch.core.xcontent.XContentBuilder; public class XContentUtils { public static String parseMapToJsonString(Map map) throws IOException { - XContentBuilder builder = XContentFactory.contentBuilder(XContentType.JSON); + XContentBuilder builder = MediaTypeRegistry.JSON.contentBuilder(); builder.map(map); return XContentHelper.convertToJson( BytesReference.bytes(builder), diff --git a/src/main/resources/OSMapping/ad_ldap_logtype.json b/src/main/resources/OSMapping/ad_ldap_logtype.json index 70bfc9a02..e3434bca5 100644 --- a/src/main/resources/OSMapping/ad_ldap_logtype.json +++ b/src/main/resources/OSMapping/ad_ldap_logtype.json @@ -96,4 +96,4 @@ "ecs":"azure.auditlogs.properties.activity_display_name" } ] -} \ No newline at end of file +} diff --git a/src/main/resources/OSMapping/apache_access_logtype.json b/src/main/resources/OSMapping/apache_access_logtype.json index 0cd1ecab4..7753c8440 100644 --- a/src/main/resources/OSMapping/apache_access_logtype.json +++ b/src/main/resources/OSMapping/apache_access_logtype.json @@ -3,4 +3,4 @@ "description": "Apache Access Log type", "is_builtin": true, "mappings": [] -} \ No newline at end of file +} diff --git a/src/main/resources/OSMapping/azure_logtype.json b/src/main/resources/OSMapping/azure_logtype.json index 649539383..ec9ae0502 100644 --- a/src/main/resources/OSMapping/azure_logtype.json +++ b/src/main/resources/OSMapping/azure_logtype.json @@ -212,4 +212,4 @@ "ecs":"azure.signinlogs.properties.network_location_details" } ] -} \ No newline at end of file +} diff --git a/src/main/resources/OSMapping/cloudtrail_logtype.json b/src/main/resources/OSMapping/cloudtrail_logtype.json index f326a7146..389652373 100644 --- a/src/main/resources/OSMapping/cloudtrail_logtype.json +++ b/src/main/resources/OSMapping/cloudtrail_logtype.json @@ -219,4 +219,4 @@ "ocsf": "time" } ] -} \ No newline at end of file +} diff --git a/src/main/resources/OSMapping/dns_logtype.json b/src/main/resources/OSMapping/dns_logtype.json index b286eb342..ca2f5451a 100644 --- a/src/main/resources/OSMapping/dns_logtype.json +++ b/src/main/resources/OSMapping/dns_logtype.json @@ -114,4 +114,4 @@ "ocsf": "unmapped.creationTime" } ] -} \ No newline at end of file +} diff --git a/src/main/resources/OSMapping/github_logtype.json b/src/main/resources/OSMapping/github_logtype.json index 415d442e9..6369e2949 100644 --- a/src/main/resources/OSMapping/github_logtype.json +++ b/src/main/resources/OSMapping/github_logtype.json @@ -8,4 +8,4 @@ "ecs":"github.action" } ] -} \ No newline at end of file +} diff --git a/src/main/resources/OSMapping/gworkspace_logtype.json b/src/main/resources/OSMapping/gworkspace_logtype.json index 4c3507ca5..b0006b6a3 100644 --- a/src/main/resources/OSMapping/gworkspace_logtype.json +++ b/src/main/resources/OSMapping/gworkspace_logtype.json @@ -16,4 +16,4 @@ "ecs":"google_workspace.admin.new_value" } ] -} \ No newline at end of file +} diff --git a/src/main/resources/OSMapping/linux_logtype.json b/src/main/resources/OSMapping/linux_logtype.json index 0f8a54c4d..f719913c0 100644 --- a/src/main/resources/OSMapping/linux_logtype.json +++ b/src/main/resources/OSMapping/linux_logtype.json @@ -60,4 +60,4 @@ "ecs":"timestamp" } ] -} \ No newline at end of file +} diff --git a/src/main/resources/OSMapping/logtypes.json b/src/main/resources/OSMapping/logtypes.json index 4185696e5..13e90587e 100644 --- a/src/main/resources/OSMapping/logtypes.json +++ b/src/main/resources/OSMapping/logtypes.json @@ -175,4 +175,4 @@ "correlation_id": 23 } } -} \ No newline at end of file +} diff --git a/src/main/resources/OSMapping/m365_logtype.json b/src/main/resources/OSMapping/m365_logtype.json index 6c9b3eb8b..6547d3d63 100644 --- a/src/main/resources/OSMapping/m365_logtype.json +++ b/src/main/resources/OSMapping/m365_logtype.json @@ -20,4 +20,4 @@ "ecs":"rsa.misc.payload_dst" } ] -} \ No newline at end of file +} diff --git a/src/main/resources/OSMapping/netflow_logtype.json b/src/main/resources/OSMapping/netflow_logtype.json index 2b8259f4c..d8ec32632 100644 --- a/src/main/resources/OSMapping/netflow_logtype.json +++ b/src/main/resources/OSMapping/netflow_logtype.json @@ -32,4 +32,4 @@ "ecs":"timestamp" } ] -} \ No newline at end of file +} diff --git a/src/main/resources/OSMapping/network_logtype.json b/src/main/resources/OSMapping/network_logtype.json index 0dddf260e..90f0b2ee6 100644 --- a/src/main/resources/OSMapping/network_logtype.json +++ b/src/main/resources/OSMapping/network_logtype.json @@ -132,4 +132,4 @@ "ecs":"service" } ] -} \ No newline at end of file +} diff --git a/src/main/resources/OSMapping/okta_logtype.json b/src/main/resources/OSMapping/okta_logtype.json index 96bda55bb..8038b7f01 100644 --- a/src/main/resources/OSMapping/okta_logtype.json +++ b/src/main/resources/OSMapping/okta_logtype.json @@ -12,4 +12,4 @@ "ecs":"okta.display_message" } ] -} \ No newline at end of file +} diff --git a/src/main/resources/OSMapping/others_application_logtype.json b/src/main/resources/OSMapping/others_application_logtype.json index 1c37fc5f6..d7faf8c94 100644 --- a/src/main/resources/OSMapping/others_application_logtype.json +++ b/src/main/resources/OSMapping/others_application_logtype.json @@ -20,4 +20,4 @@ "ecs":"timestamp" } ] -} \ No newline at end of file +} diff --git a/src/main/resources/OSMapping/others_apt_logtype.json b/src/main/resources/OSMapping/others_apt_logtype.json index 82b6bb873..ace55cbc3 100644 --- a/src/main/resources/OSMapping/others_apt_logtype.json +++ b/src/main/resources/OSMapping/others_apt_logtype.json @@ -20,4 +20,4 @@ "ecs":"timestamp" } ] -} \ No newline at end of file +} diff --git a/src/main/resources/OSMapping/others_cloud_logtype.json b/src/main/resources/OSMapping/others_cloud_logtype.json index 65fe1bc7d..b5da3e005 100644 --- a/src/main/resources/OSMapping/others_cloud_logtype.json +++ b/src/main/resources/OSMapping/others_cloud_logtype.json @@ -20,4 +20,4 @@ "ecs":"timestamp" } ] -} \ No newline at end of file +} diff --git a/src/main/resources/OSMapping/others_compliance_logtype.json b/src/main/resources/OSMapping/others_compliance_logtype.json index 71a29c40c..6f362d589 100644 --- a/src/main/resources/OSMapping/others_compliance_logtype.json +++ b/src/main/resources/OSMapping/others_compliance_logtype.json @@ -20,4 +20,4 @@ "ecs":"timestamp" } ] -} \ No newline at end of file +} diff --git a/src/main/resources/OSMapping/others_macos_logtype.json b/src/main/resources/OSMapping/others_macos_logtype.json index 4b29c6f77..50d1c2160 100644 --- a/src/main/resources/OSMapping/others_macos_logtype.json +++ b/src/main/resources/OSMapping/others_macos_logtype.json @@ -20,4 +20,4 @@ "ecs":"timestamp" } ] -} \ No newline at end of file +} diff --git a/src/main/resources/OSMapping/others_proxy_logtype.json b/src/main/resources/OSMapping/others_proxy_logtype.json index e43a543a9..aca4529d1 100644 --- a/src/main/resources/OSMapping/others_proxy_logtype.json +++ b/src/main/resources/OSMapping/others_proxy_logtype.json @@ -20,4 +20,4 @@ "ecs":"timestamp" } ] -} \ No newline at end of file +} diff --git a/src/main/resources/OSMapping/others_web_logtype.json b/src/main/resources/OSMapping/others_web_logtype.json index 62ce44168..ae8262d52 100644 --- a/src/main/resources/OSMapping/others_web_logtype.json +++ b/src/main/resources/OSMapping/others_web_logtype.json @@ -20,4 +20,4 @@ "ecs":"timestamp" } ] -} \ No newline at end of file +} diff --git a/src/main/resources/OSMapping/s3_logtype.json b/src/main/resources/OSMapping/s3_logtype.json index d91101e47..58c546258 100644 --- a/src/main/resources/OSMapping/s3_logtype.json +++ b/src/main/resources/OSMapping/s3_logtype.json @@ -16,4 +16,4 @@ "ecs":"timestamp" } ] -} \ No newline at end of file +} diff --git a/src/main/resources/OSMapping/test_windows_logtype.json b/src/main/resources/OSMapping/test_windows_logtype.json index 096c2b923..7491a954c 100644 --- a/src/main/resources/OSMapping/test_windows_logtype.json +++ b/src/main/resources/OSMapping/test_windows_logtype.json @@ -44,4 +44,4 @@ "ecs":"timestamp" } ] -} \ No newline at end of file +} diff --git a/src/main/resources/OSMapping/vpcflow_logtype.json b/src/main/resources/OSMapping/vpcflow_logtype.json index 9c8fc38b0..c55305b6d 100644 --- a/src/main/resources/OSMapping/vpcflow_logtype.json +++ b/src/main/resources/OSMapping/vpcflow_logtype.json @@ -129,4 +129,4 @@ "ocsf": "time" } ] -} \ No newline at end of file +} diff --git a/src/main/resources/OSMapping/windows_logtype.json b/src/main/resources/OSMapping/windows_logtype.json index 4806478c8..a5fef8ea7 100644 --- a/src/main/resources/OSMapping/windows_logtype.json +++ b/src/main/resources/OSMapping/windows_logtype.json @@ -832,4 +832,4 @@ "ecs":"winlog.event_data.Signature" } ] -} \ No newline at end of file +} diff --git a/src/main/resources/mappings/alert_mapping.json b/src/main/resources/mappings/alert_mapping.json index fcb1d1c94..1d35d4744 100644 --- a/src/main/resources/mappings/alert_mapping.json +++ b/src/main/resources/mappings/alert_mapping.json @@ -154,4 +154,4 @@ } } } -} \ No newline at end of file +} diff --git a/src/main/resources/mappings/correlation.json b/src/main/resources/mappings/correlation.json index 8fbe2ea71..9ba3292db 100644 --- a/src/main/resources/mappings/correlation.json +++ b/src/main/resources/mappings/correlation.json @@ -48,4 +48,4 @@ } } } -} \ No newline at end of file +} diff --git a/src/main/resources/mappings/detector-settings.json b/src/main/resources/mappings/detector-settings.json index 53555ddb7..c1dea5b45 100644 --- a/src/main/resources/mappings/detector-settings.json +++ b/src/main/resources/mappings/detector-settings.json @@ -19,4 +19,4 @@ } } } -} \ No newline at end of file +} diff --git a/src/main/resources/mappings/detectors.json b/src/main/resources/mappings/detectors.json index 0282ee77b..776ed1d39 100644 --- a/src/main/resources/mappings/detectors.json +++ b/src/main/resources/mappings/detectors.json @@ -171,4 +171,4 @@ } } } -} \ No newline at end of file +} diff --git a/src/main/resources/mappings/finding_mapping.json b/src/main/resources/mappings/finding_mapping.json index 3ffc39478..18faa22f6 100644 --- a/src/main/resources/mappings/finding_mapping.json +++ b/src/main/resources/mappings/finding_mapping.json @@ -65,4 +65,4 @@ "type": "keyword" } } -} \ No newline at end of file +} diff --git a/src/main/resources/mappings/rules.json b/src/main/resources/mappings/rules.json index 397331805..0db570049 100644 --- a/src/main/resources/mappings/rules.json +++ b/src/main/resources/mappings/rules.json @@ -121,4 +121,4 @@ } } } -} \ No newline at end of file +} diff --git a/src/main/resources/rules/ad_ldap/azure_aadhybridhealth_adfs_new_server.yml b/src/main/resources/rules/ad_ldap/azure_aadhybridhealth_adfs_new_server.yml index 9e8562774..96daf5118 100644 --- a/src/main/resources/rules/ad_ldap/azure_aadhybridhealth_adfs_new_server.yml +++ b/src/main/resources/rules/ad_ldap/azure_aadhybridhealth_adfs_new_server.yml @@ -24,4 +24,4 @@ detection: condition: selection falsepositives: - Legitimate AD FS servers added to an AAD Health AD FS service instance -level: medium \ No newline at end of file +level: medium diff --git a/src/main/resources/rules/ad_ldap/azure_aadhybridhealth_adfs_service_delete.yml b/src/main/resources/rules/ad_ldap/azure_aadhybridhealth_adfs_service_delete.yml index c325d3d38..f30d3ebd6 100644 --- a/src/main/resources/rules/ad_ldap/azure_aadhybridhealth_adfs_service_delete.yml +++ b/src/main/resources/rules/ad_ldap/azure_aadhybridhealth_adfs_service_delete.yml @@ -24,4 +24,4 @@ detection: condition: selection falsepositives: - Legitimate AAD Health AD FS service instances being deleted in a tenant -level: medium \ No newline at end of file +level: medium diff --git a/src/main/resources/rules/ad_ldap/azure_ad_user_added_to_admin_role.yml b/src/main/resources/rules/ad_ldap/azure_ad_user_added_to_admin_role.yml index 39896aa3e..8888c9475 100644 --- a/src/main/resources/rules/ad_ldap/azure_ad_user_added_to_admin_role.yml +++ b/src/main/resources/rules/ad_ldap/azure_ad_user_added_to_admin_role.yml @@ -9,8 +9,8 @@ references: logsource: product: azure service: activitylogs -detection: - selection: +detection: + selection: Operation: 'Add member to role.' Workload: 'AzureActiveDirectory' ModifiedProperties.NewValue|endswith: @@ -18,9 +18,9 @@ detection: - 'Administrator' condition: selection falsepositives: - - PIM (Privileged Identity Management) generates this event each time 'eligible role' is enabled. + - PIM (Privileged Identity Management) generates this event each time 'eligible role' is enabled. level: medium status: experimental -tags: +tags: - attack.persistence - attack.t1098.003 diff --git a/src/main/resources/rules/azure/azure_aadhybridhealth_adfs_new_server.yml b/src/main/resources/rules/azure/azure_aadhybridhealth_adfs_new_server.yml index 8088ce3d7..7ea030282 100644 --- a/src/main/resources/rules/azure/azure_aadhybridhealth_adfs_new_server.yml +++ b/src/main/resources/rules/azure/azure_aadhybridhealth_adfs_new_server.yml @@ -24,4 +24,4 @@ detection: condition: selection falsepositives: - Legitimate AD FS servers added to an AAD Health AD FS service instance -level: medium \ No newline at end of file +level: medium diff --git a/src/main/resources/rules/azure/azure_aadhybridhealth_adfs_service_delete.yml b/src/main/resources/rules/azure/azure_aadhybridhealth_adfs_service_delete.yml index 6fc97a25f..9d1966ce1 100644 --- a/src/main/resources/rules/azure/azure_aadhybridhealth_adfs_service_delete.yml +++ b/src/main/resources/rules/azure/azure_aadhybridhealth_adfs_service_delete.yml @@ -24,4 +24,4 @@ detection: condition: selection falsepositives: - Legitimate AAD Health AD FS service instances being deleted in a tenant -level: medium \ No newline at end of file +level: medium diff --git a/src/main/resources/rules/azure/azure_account_lockout.yml b/src/main/resources/rules/azure/azure_account_lockout.yml index 4a13747c1..102f1de5c 100644 --- a/src/main/resources/rules/azure/azure_account_lockout.yml +++ b/src/main/resources/rules/azure/azure_account_lockout.yml @@ -1,8 +1,8 @@ -title: Account Lockout +title: Account Lockout id: 2b7d6fc0-71ac-4cf7-8ed1-b5788ee5257a status: experimental author: AlertIQ -date: 2021/10/10 +date: 2021/10/10 description: Identifies user account which has been locked because the user tried to sign in too many times with an incorrect user ID or password. references: - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts diff --git a/src/main/resources/rules/azure/azure_app_appid_uri_changes.yml b/src/main/resources/rules/azure/azure_app_appid_uri_changes.yml index 1a765db8c..3b4020f58 100644 --- a/src/main/resources/rules/azure/azure_app_appid_uri_changes.yml +++ b/src/main/resources/rules/azure/azure_app_appid_uri_changes.yml @@ -1,6 +1,6 @@ title: Application AppID Uri Configuration Changes id: 1b45b0d1-773f-4f23-aedc-814b759563b1 -description: Detects when a configuration change is made to an applications AppID URI. +description: Detects when a configuration change is made to an applications AppID URI. author: Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik' date: 2022/06/02 references: @@ -10,7 +10,7 @@ logsource: service: auditlogs detection: selection: - properties.message: + properties.message: - Update Application - Update Service principal condition: selection @@ -18,7 +18,7 @@ falsepositives: - When and administrator is making legitmate AppID URI configuration changes to an application. This should be a planned event. level: high status: experimental -tags: +tags: - attack.t1528 - attack.persistence - attack.credential_access diff --git a/src/main/resources/rules/azure/azure_app_credential_added.yml b/src/main/resources/rules/azure/azure_app_credential_added.yml index 0942ad419..21f08f9e1 100644 --- a/src/main/resources/rules/azure/azure_app_credential_added.yml +++ b/src/main/resources/rules/azure/azure_app_credential_added.yml @@ -1,6 +1,6 @@ title: Added Credentials to Existing Application id: cbb67ecc-fb70-4467-9350-c910bdf7c628 -description: Detects when a new credential is added to an existing applcation. Any additional credentials added outside of expected processes could be a malicious actor using those credentials. +description: Detects when a new credential is added to an existing applcation. Any additional credentials added outside of expected processes could be a malicious actor using those credentials. author: Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik' date: 2022/05/26 references: @@ -10,7 +10,7 @@ logsource: service: auditlogs detection: selection: - properties.message: + properties.message: - Update Application-Certificates and secrets management - Update Service principal/Update Application condition: selection @@ -18,6 +18,6 @@ falsepositives: - When credentials are added/removed as part of the normal working hours/workflows level: high status: experimental -tags: +tags: - attack.t1098 - attack.persistence diff --git a/src/main/resources/rules/azure/azure_app_credential_modification.yml b/src/main/resources/rules/azure/azure_app_credential_modification.yml index bca556a2e..5f226d2fc 100644 --- a/src/main/resources/rules/azure/azure_app_credential_modification.yml +++ b/src/main/resources/rules/azure/azure_app_credential_modification.yml @@ -17,6 +17,6 @@ level: medium tags: - attack.impact falsepositives: - - Application credential added may be performed by a system administrator. - - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Application credential added may be performed by a system administrator. + - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. - Application credential added from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. diff --git a/src/main/resources/rules/azure/azure_app_device_code_authentication.yml b/src/main/resources/rules/azure/azure_app_device_code_authentication.yml index 0854d4a5b..5301f8db6 100644 --- a/src/main/resources/rules/azure/azure_app_device_code_authentication.yml +++ b/src/main/resources/rules/azure/azure_app_device_code_authentication.yml @@ -19,7 +19,7 @@ detection: falsepositives: - Applications that are input constrained will need to use device code flow and are valid authentications. level: medium -tags: +tags: - attack.t1078 - attack.defense_evasion - attack.persistence diff --git a/src/main/resources/rules/azure/azure_app_owner_added.yml b/src/main/resources/rules/azure/azure_app_owner_added.yml index de29eb8ed..54b3b92f6 100644 --- a/src/main/resources/rules/azure/azure_app_owner_added.yml +++ b/src/main/resources/rules/azure/azure_app_owner_added.yml @@ -1,6 +1,6 @@ title: Added Owner To Application id: 74298991-9fc4-460e-a92e-511aa60baec1 -description: Detects when a new owner is added to an application. This gives that account privileges to make modifications and configuration changes to the application. +description: Detects when a new owner is added to an application. This gives that account privileges to make modifications and configuration changes to the application. author: Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik' date: 2022/06/02 references: @@ -13,10 +13,10 @@ detection: properties.message: Add owner to application condition: selection falsepositives: - - When a new application owner is added by an administrator + - When a new application owner is added by an administrator level: medium status: experimental -tags: +tags: - attack.t1528 - attack.persistence - attack.credential_access diff --git a/src/main/resources/rules/azure/azure_app_ropc_authentication.yml b/src/main/resources/rules/azure/azure_app_ropc_authentication.yml index f2cec560f..82222f0ca 100644 --- a/src/main/resources/rules/azure/azure_app_ropc_authentication.yml +++ b/src/main/resources/rules/azure/azure_app_ropc_authentication.yml @@ -1,6 +1,6 @@ title: Applications That Are Using ROPC Authentication Flow id: 55695bc0-c8cf-461f-a379-2535f563c854 -description: Resource owner password credentials (ROPC) should be avoided if at all possible as this requires the user to expose their current password credentials to the application directly. The application then uses those credentials to authenticate the user against the identity provider. +description: Resource owner password credentials (ROPC) should be avoided if at all possible as this requires the user to expose their current password credentials to the application directly. The application then uses those credentials to authenticate the user against the identity provider. author: Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik' date: 2022/06/01 references: @@ -16,7 +16,7 @@ falsepositives: - Applications that are being used as part of automated testing or a legacy application that cannot use any other modern authentication flow level: medium status: experimental -tags: +tags: - attack.t1078 - attack.defense_evasion - attack.persistence diff --git a/src/main/resources/rules/azure/azure_app_uri_modifications.yml b/src/main/resources/rules/azure/azure_app_uri_modifications.yml index d5724b91d..a2cda3522 100644 --- a/src/main/resources/rules/azure/azure_app_uri_modifications.yml +++ b/src/main/resources/rules/azure/azure_app_uri_modifications.yml @@ -1,8 +1,8 @@ title: Application URI Configuration Changes id: 0055ad1f-be85-4798-83cf-a6da17c993b3 -description: Detects when a configuration change is made to an applications URI. +description: Detects when a configuration change is made to an applications URI. URIs for domain names that no longer exist (dangling URIs), not using HTTPS, wildcards at the end of the domain, URIs that are no unique to that app, - or URIs that point to domains you do not control should be investigated. + or URIs that point to domains you do not control should be investigated. author: Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik' date: 2022/06/02 references: @@ -15,10 +15,10 @@ detection: properties.message: Update Application Sucess- Property Name AppAddress condition: selection falsepositives: - - When and administrator is making legitmate URI configuration changes to an application. This should be a planned event. + - When and administrator is making legitmate URI configuration changes to an application. This should be a planned event. level: high status: experimental -tags: +tags: - attack.t1528 - attack.persistence - attack.credential_access diff --git a/src/main/resources/rules/azure/azure_application_deleted.yml b/src/main/resources/rules/azure/azure_application_deleted.yml index 6d3ee5b0d..a2e52ca9d 100644 --- a/src/main/resources/rules/azure/azure_application_deleted.yml +++ b/src/main/resources/rules/azure/azure_application_deleted.yml @@ -19,6 +19,6 @@ level: medium tags: - attack.defense_evasion falsepositives: - - Application being deleted may be performed by a system administrator. - - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Application being deleted may be performed by a system administrator. + - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. - Application deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. diff --git a/src/main/resources/rules/azure/azure_application_gateway_modified_or_deleted.yml b/src/main/resources/rules/azure/azure_application_gateway_modified_or_deleted.yml index dab3bf97c..d242e0caa 100644 --- a/src/main/resources/rules/azure/azure_application_gateway_modified_or_deleted.yml +++ b/src/main/resources/rules/azure/azure_application_gateway_modified_or_deleted.yml @@ -11,7 +11,7 @@ logsource: service: activitylogs detection: selection: - properties.message: + properties.message: - MICROSOFT.NETWORK/APPLICATIONGATEWAYS/WRITE - MICROSOFT.NETWORK/APPLICATIONGATEWAYS/DELETE condition: selection @@ -19,6 +19,6 @@ level: medium tags: - attack.impact falsepositives: - - Application gateway being modified or deleted may be performed by a system administrator. - - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Application gateway being modified or deleted may be performed by a system administrator. + - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. - Application gateway modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. diff --git a/src/main/resources/rules/azure/azure_application_security_group_modified_or_deleted.yml b/src/main/resources/rules/azure/azure_application_security_group_modified_or_deleted.yml index a770842d0..abd3d183e 100644 --- a/src/main/resources/rules/azure/azure_application_security_group_modified_or_deleted.yml +++ b/src/main/resources/rules/azure/azure_application_security_group_modified_or_deleted.yml @@ -11,7 +11,7 @@ logsource: service: activitylogs detection: selection: - properties.message: + properties.message: - MICROSOFT.NETWORK/APPLICATIONSECURITYGROUPS/WRITE - MICROSOFT.NETWORK/APPLICATIONSECURITYGROUPS/DELETE condition: selection @@ -19,6 +19,6 @@ level: medium tags: - attack.impact falsepositives: - - Application security group being modified or deleted may be performed by a system administrator. - - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Application security group being modified or deleted may be performed by a system administrator. + - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. - Application security group modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. diff --git a/src/main/resources/rules/azure/azure_change_to_authentication_method.yml b/src/main/resources/rules/azure/azure_change_to_authentication_method.yml index 812357a27..b251b5c25 100644 --- a/src/main/resources/rules/azure/azure_change_to_authentication_method.yml +++ b/src/main/resources/rules/azure/azure_change_to_authentication_method.yml @@ -2,7 +2,7 @@ title: Change to Authentication Method id: 4d78a000-ab52-4564-88a5-7ab5242b20c7 status: experimental author: AlertIQ -date: 2021/10/10 +date: 2021/10/10 description: Change to authentication method could be an indicated of an attacker adding an auth method to the account so they can have continued access. references: - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts diff --git a/src/main/resources/rules/azure/azure_container_registry_created_or_deleted.yml b/src/main/resources/rules/azure/azure_container_registry_created_or_deleted.yml index b394ce894..e47111824 100644 --- a/src/main/resources/rules/azure/azure_container_registry_created_or_deleted.yml +++ b/src/main/resources/rules/azure/azure_container_registry_created_or_deleted.yml @@ -15,7 +15,7 @@ logsource: service: activitylogs detection: selection: - properties.message: + properties.message: - MICROSOFT.CONTAINERREGISTRY/REGISTRIES/WRITE - MICROSOFT.CONTAINERREGISTRY/REGISTRIES/DELETE condition: selection diff --git a/src/main/resources/rules/azure/azure_device_no_longer_managed_or_compliant.yml b/src/main/resources/rules/azure/azure_device_no_longer_managed_or_compliant.yml index 0c33bda86..5fc10bc63 100644 --- a/src/main/resources/rules/azure/azure_device_no_longer_managed_or_compliant.yml +++ b/src/main/resources/rules/azure/azure_device_no_longer_managed_or_compliant.yml @@ -11,7 +11,7 @@ logsource: service: activitylogs detection: selection: - properties.message: + properties.message: - Device no longer compliant - Device no longer managed condition: selection @@ -19,4 +19,4 @@ level: medium tags: - attack.impact falsepositives: - - Administrator may have forgotten to review the device. + - Administrator may have forgotten to review the device. diff --git a/src/main/resources/rules/azure/azure_device_or_configuration_modified_or_deleted.yml b/src/main/resources/rules/azure/azure_device_or_configuration_modified_or_deleted.yml index cc5aa33d2..9f18c1e9f 100644 --- a/src/main/resources/rules/azure/azure_device_or_configuration_modified_or_deleted.yml +++ b/src/main/resources/rules/azure/azure_device_or_configuration_modified_or_deleted.yml @@ -11,7 +11,7 @@ logsource: service: activitylogs detection: selection: - properties.message: + properties.message: - Delete device - Delete device configuration - Update device @@ -21,6 +21,6 @@ level: medium tags: - attack.impact falsepositives: - - Device or device configuration being modified or deleted may be performed by a system administrator. - - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Device or device configuration being modified or deleted may be performed by a system administrator. + - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. - Device or device configuration modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. diff --git a/src/main/resources/rules/azure/azure_dns_zone_modified_or_deleted.yml b/src/main/resources/rules/azure/azure_dns_zone_modified_or_deleted.yml index 80d55642b..faa86c01e 100644 --- a/src/main/resources/rules/azure/azure_dns_zone_modified_or_deleted.yml +++ b/src/main/resources/rules/azure/azure_dns_zone_modified_or_deleted.yml @@ -20,5 +20,5 @@ level: medium tags: - attack.impact falsepositives: - - DNS zone modified and deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - DNS zone modified and deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. - DNS zone modification from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. diff --git a/src/main/resources/rules/azure/azure_federation_modified.yml b/src/main/resources/rules/azure/azure_federation_modified.yml index e8c1458f5..4512ee967 100644 --- a/src/main/resources/rules/azure/azure_federation_modified.yml +++ b/src/main/resources/rules/azure/azure_federation_modified.yml @@ -20,7 +20,6 @@ tags: - attack.initial_access - attack.t1078 falsepositives: - - Federation Settings being modified or deleted may be performed by a system administrator. - - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Federation Settings being modified or deleted may be performed by a system administrator. + - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. - Federation Settings modified from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. - diff --git a/src/main/resources/rules/azure/azure_firewall_modified_or_deleted.yml b/src/main/resources/rules/azure/azure_firewall_modified_or_deleted.yml index 2d09758ae..28c659a05 100644 --- a/src/main/resources/rules/azure/azure_firewall_modified_or_deleted.yml +++ b/src/main/resources/rules/azure/azure_firewall_modified_or_deleted.yml @@ -11,7 +11,7 @@ logsource: service: activitylogs detection: selection: - properties.message: + properties.message: - MICROSOFT.NETWORK/AZUREFIREWALLS/WRITE - MICROSOFT.NETWORK/AZUREFIREWALLS/DELETE condition: selection @@ -19,5 +19,5 @@ level: medium tags: - attack.impact falsepositives: - - Firewall being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Firewall being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. - Firewall modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. diff --git a/src/main/resources/rules/azure/azure_firewall_rule_collection_modified_or_deleted.yml b/src/main/resources/rules/azure/azure_firewall_rule_collection_modified_or_deleted.yml index 30281498e..de1fc0c5d 100644 --- a/src/main/resources/rules/azure/azure_firewall_rule_collection_modified_or_deleted.yml +++ b/src/main/resources/rules/azure/azure_firewall_rule_collection_modified_or_deleted.yml @@ -11,7 +11,7 @@ logsource: service: activitylogs detection: selection: - properties.message: + properties.message: - MICROSOFT.NETWORK/AZUREFIREWALLS/APPLICATIONRULECOLLECTIONS/WRITE - MICROSOFT.NETWORK/AZUREFIREWALLS/APPLICATIONRULECOLLECTIONS/DELETE - MICROSOFT.NETWORK/AZUREFIREWALLS/NATRULECOLLECTIONS/WRITE @@ -23,5 +23,5 @@ level: medium tags: - attack.impact falsepositives: - - Rule Collections (Application, NAT, and Network) being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Rule Collections (Application, NAT, and Network) being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. - Rule Collections (Application, NAT, and Network) modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. diff --git a/src/main/resources/rules/azure/azure_keyvault_key_modified_or_deleted.yml b/src/main/resources/rules/azure/azure_keyvault_key_modified_or_deleted.yml index fe2af9ae7..ab657e79c 100644 --- a/src/main/resources/rules/azure/azure_keyvault_key_modified_or_deleted.yml +++ b/src/main/resources/rules/azure/azure_keyvault_key_modified_or_deleted.yml @@ -11,7 +11,7 @@ logsource: service: activitylogs detection: selection: - properties.message: + properties.message: - MICROSOFT.KEYVAULT/VAULTS/KEYS/UPDATE/ACTION - MICROSOFT.KEYVAULT/VAULTS/KEYS/CREATE - MICROSOFT.KEYVAULT/VAULTS/KEYS/CREATE/ACTION @@ -29,6 +29,6 @@ tags: - attack.t1552 - attack.t1552.001 falsepositives: - - Key being modified or deleted may be performed by a system administrator. - - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Key being modified or deleted may be performed by a system administrator. + - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. - Key modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. diff --git a/src/main/resources/rules/azure/azure_keyvault_modified_or_deleted.yml b/src/main/resources/rules/azure/azure_keyvault_modified_or_deleted.yml index cc596dcbf..d63cfe24d 100644 --- a/src/main/resources/rules/azure/azure_keyvault_modified_or_deleted.yml +++ b/src/main/resources/rules/azure/azure_keyvault_modified_or_deleted.yml @@ -24,6 +24,6 @@ tags: - attack.t1552 - attack.t1552.001 falsepositives: - - Key Vault being modified or deleted may be performed by a system administrator. - - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Key Vault being modified or deleted may be performed by a system administrator. + - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. - Key Vault modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. diff --git a/src/main/resources/rules/azure/azure_keyvault_secrets_modified_or_deleted.yml b/src/main/resources/rules/azure/azure_keyvault_secrets_modified_or_deleted.yml index 53f85064a..b31895d4a 100644 --- a/src/main/resources/rules/azure/azure_keyvault_secrets_modified_or_deleted.yml +++ b/src/main/resources/rules/azure/azure_keyvault_secrets_modified_or_deleted.yml @@ -11,7 +11,7 @@ logsource: service: activitylogs detection: selection: - properties.message: + properties.message: - MICROSOFT.KEYVAULT/VAULTS/SECRETS/WRITE - MICROSOFT.KEYVAULT/VAULTS/SECRETS/DELETE - MICROSOFT.KEYVAULT/VAULTS/SECRETS/BACKUP/ACTION @@ -28,6 +28,6 @@ tags: - attack.t1552 - attack.t1552.001 falsepositives: - - Secrets being modified or deleted may be performed by a system administrator. - - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Secrets being modified or deleted may be performed by a system administrator. + - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. - Secrets modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. diff --git a/src/main/resources/rules/azure/azure_kubernetes_admission_controller.yml b/src/main/resources/rules/azure/azure_kubernetes_admission_controller.yml index 3e2dbbbae..d8f36f7b2 100644 --- a/src/main/resources/rules/azure/azure_kubernetes_admission_controller.yml +++ b/src/main/resources/rules/azure/azure_kubernetes_admission_controller.yml @@ -30,5 +30,5 @@ tags: - attack.t1552 - attack.t1552.007 falsepositives: -- Azure Kubernetes Admissions Controller may be done by a system administrator. +- Azure Kubernetes Admissions Controller may be done by a system administrator. - If known behavior is causing false positives, it can be exempted from the rule. diff --git a/src/main/resources/rules/azure/azure_kubernetes_cluster_created_or_deleted.yml b/src/main/resources/rules/azure/azure_kubernetes_cluster_created_or_deleted.yml index 6af9fe8ac..d9be4f586 100644 --- a/src/main/resources/rules/azure/azure_kubernetes_cluster_created_or_deleted.yml +++ b/src/main/resources/rules/azure/azure_kubernetes_cluster_created_or_deleted.yml @@ -15,7 +15,7 @@ logsource: service: activitylogs detection: selection: - properties.message: + properties.message: - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/WRITE - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/DELETE condition: selection @@ -25,4 +25,3 @@ tags: falsepositives: - Kubernetes cluster being created or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. - Kubernetes cluster created or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. - diff --git a/src/main/resources/rules/azure/azure_kubernetes_events_deleted.yml b/src/main/resources/rules/azure/azure_kubernetes_events_deleted.yml index 7c4aefd91..9252c26fb 100644 --- a/src/main/resources/rules/azure/azure_kubernetes_events_deleted.yml +++ b/src/main/resources/rules/azure/azure_kubernetes_events_deleted.yml @@ -21,4 +21,3 @@ tags: - attack.t1562.001 falsepositives: - Event deletions may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Events deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule. - diff --git a/src/main/resources/rules/azure/azure_kubernetes_network_policy_change.yml b/src/main/resources/rules/azure/azure_kubernetes_network_policy_change.yml index e731c0d87..71b65a4f2 100644 --- a/src/main/resources/rules/azure/azure_kubernetes_network_policy_change.yml +++ b/src/main/resources/rules/azure/azure_kubernetes_network_policy_change.yml @@ -15,9 +15,9 @@ logsource: service: activitylogs detection: selection: - properties.message: + properties.message: - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/NETWORKING.K8S.IO/NETWORKPOLICIES/WRITE - - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/NETWORKING.K8S.IO/NETWORKPOLICIES/DELETE + - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/NETWORKING.K8S.IO/NETWORKPOLICIES/DELETE - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/EXTENSIONS/NETWORKPOLICIES/WRITE - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/EXTENSIONS/NETWORKPOLICIES/DELETE condition: selection diff --git a/src/main/resources/rules/azure/azure_kubernetes_role_access.yml b/src/main/resources/rules/azure/azure_kubernetes_role_access.yml index b13335b6b..a3c9bf010 100644 --- a/src/main/resources/rules/azure/azure_kubernetes_role_access.yml +++ b/src/main/resources/rules/azure/azure_kubernetes_role_access.yml @@ -15,7 +15,7 @@ logsource: service: activitylogs detection: selection: - properties.message: + properties.message: - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/ROLES/WRITE - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/ROLES/DELETE - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/ROLES/BIND/ACTION diff --git a/src/main/resources/rules/azure/azure_kubernetes_rolebinding_modified_or_deleted.yml b/src/main/resources/rules/azure/azure_kubernetes_rolebinding_modified_or_deleted.yml index 923169ffe..efea094a1 100644 --- a/src/main/resources/rules/azure/azure_kubernetes_rolebinding_modified_or_deleted.yml +++ b/src/main/resources/rules/azure/azure_kubernetes_rolebinding_modified_or_deleted.yml @@ -15,8 +15,8 @@ logsource: service: activitylogs detection: selection: - properties.message: - - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/CLUSTERROLEBINDINGS/WRITE + properties.message: + - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/CLUSTERROLEBINDINGS/WRITE - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/CLUSTERROLEBINDINGS/DELETE - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/ROLEBINDINGS/WRITE - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/ROLEBINDINGS/DELETE @@ -26,6 +26,5 @@ tags: - attack.impact - attack.credential_access falsepositives: - - RoleBinding/ClusterRoleBinding being modified and deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - RoleBinding/ClusterRoleBinding being modified and deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. - RoleBinding/ClusterRoleBinding modification from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. - diff --git a/src/main/resources/rules/azure/azure_kubernetes_secret_or_config_object_access.yml b/src/main/resources/rules/azure/azure_kubernetes_secret_or_config_object_access.yml index 3f24ab0ba..f809df396 100644 --- a/src/main/resources/rules/azure/azure_kubernetes_secret_or_config_object_access.yml +++ b/src/main/resources/rules/azure/azure_kubernetes_secret_or_config_object_access.yml @@ -15,8 +15,8 @@ logsource: service: activitylogs detection: selection: - properties.message: - - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/CONFIGMAPS/WRITE + properties.message: + - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/CONFIGMAPS/WRITE - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/CONFIGMAPS/DELETE - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/SECRETS/WRITE - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/SECRETS/DELETE diff --git a/src/main/resources/rules/azure/azure_kubernetes_service_account_modified_or_deleted.yml b/src/main/resources/rules/azure/azure_kubernetes_service_account_modified_or_deleted.yml index 6a56ea6c6..355e7bd31 100644 --- a/src/main/resources/rules/azure/azure_kubernetes_service_account_modified_or_deleted.yml +++ b/src/main/resources/rules/azure/azure_kubernetes_service_account_modified_or_deleted.yml @@ -15,7 +15,7 @@ logsource: service: activitylogs detection: selection: - properties.message: + properties.message: - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/SERVICEACCOUNTS/WRITE - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/SERVICEACCOUNTS/DELETE - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/SERVICEACCOUNTS/IMPERSONATE/ACTION diff --git a/src/main/resources/rules/azure/azure_login_to_disabled_account.yml b/src/main/resources/rules/azure/azure_login_to_disabled_account.yml index 8f8392ca8..41c45d939 100644 --- a/src/main/resources/rules/azure/azure_login_to_disabled_account.yml +++ b/src/main/resources/rules/azure/azure_login_to_disabled_account.yml @@ -2,7 +2,7 @@ title: Login to Disabled Account id: 908655e0-25cf-4ae1-b775-1c8ce9cf43d8 status: experimental author: AlertIQ -date: 2021/10/10 +date: 2021/10/10 description: Detect failed attempts to sign in to disabled accounts. references: - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts @@ -13,7 +13,7 @@ detection: selection: ResultType: 50057 ResultDescription: 'User account is disabled. The account has been disabled by an administrator.' - condition: selection + condition: selection level: medium falsepositives: - Unknown diff --git a/src/main/resources/rules/azure/azure_mfa_denies.yml b/src/main/resources/rules/azure/azure_mfa_denies.yml index 97400b634..f0f63b75e 100644 --- a/src/main/resources/rules/azure/azure_mfa_denies.yml +++ b/src/main/resources/rules/azure/azure_mfa_denies.yml @@ -3,7 +3,7 @@ id: e40f4962-b02b-4192-9bfe-245f7ece1f99 status: experimental author: AlertIQ date: 2022/03/24 -description: User has indicated they haven't instigated the MFA prompt and could indicate an attacker has the password for the account. +description: User has indicated they haven't instigated the MFA prompt and could indicate an attacker has the password for the account. references: - https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/ logsource: diff --git a/src/main/resources/rules/azure/azure_mfa_interrupted.yml b/src/main/resources/rules/azure/azure_mfa_interrupted.yml index 8d997688e..5919ea0fe 100644 --- a/src/main/resources/rules/azure/azure_mfa_interrupted.yml +++ b/src/main/resources/rules/azure/azure_mfa_interrupted.yml @@ -2,7 +2,7 @@ title: Multifactor Authentication Interupted id: 5496ff55-42ec-4369-81cb-00f417029e25 status: experimental author: AlertIQ -date: 2021/10/10 +date: 2021/10/10 description: Identifies user login with multifactor authentication failures, which might be an indication an attacker has the password for the account but can't pass the MFA challenge. references: - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts diff --git a/src/main/resources/rules/azure/azure_network_firewall_policy_modified_or_deleted.yml b/src/main/resources/rules/azure/azure_network_firewall_policy_modified_or_deleted.yml index 2a36bbdab..a679d1892 100644 --- a/src/main/resources/rules/azure/azure_network_firewall_policy_modified_or_deleted.yml +++ b/src/main/resources/rules/azure/azure_network_firewall_policy_modified_or_deleted.yml @@ -11,7 +11,7 @@ logsource: service: activitylogs detection: selection: - properties.message: + properties.message: - MICROSOFT.NETWORK/FIREWALLPOLICIES/WRITE - MICROSOFT.NETWORK/FIREWALLPOLICIES/JOIN/ACTION - MICROSOFT.NETWORK/FIREWALLPOLICIES/CERTIFICATES/ACTION @@ -21,5 +21,5 @@ level: medium tags: - attack.impact falsepositives: - - Firewall Policy being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Firewall Policy being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. - Firewall Policy modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. diff --git a/src/main/resources/rules/azure/azure_network_firewall_rule_modified_or_deleted.yml b/src/main/resources/rules/azure/azure_network_firewall_rule_modified_or_deleted.yml index a2ab1da57..42ef6878a 100644 --- a/src/main/resources/rules/azure/azure_network_firewall_rule_modified_or_deleted.yml +++ b/src/main/resources/rules/azure/azure_network_firewall_rule_modified_or_deleted.yml @@ -21,5 +21,5 @@ level: medium tags: - attack.impact falsepositives: - - Firewall Rule Configuration being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Firewall Rule Configuration being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. - Firewall Rule Configuration modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. diff --git a/src/main/resources/rules/azure/azure_network_p2s_vpn_modified_or_deleted.yml b/src/main/resources/rules/azure/azure_network_p2s_vpn_modified_or_deleted.yml index c54bd0d56..16373fbd0 100644 --- a/src/main/resources/rules/azure/azure_network_p2s_vpn_modified_or_deleted.yml +++ b/src/main/resources/rules/azure/azure_network_p2s_vpn_modified_or_deleted.yml @@ -23,5 +23,5 @@ level: medium tags: - attack.impact falsepositives: - - Point-to-site VPN being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Point-to-site VPN being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. - Point-to-site VPN modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. diff --git a/src/main/resources/rules/azure/azure_network_security_modified_or_deleted.yml b/src/main/resources/rules/azure/azure_network_security_modified_or_deleted.yml index cd2f06382..395880e92 100644 --- a/src/main/resources/rules/azure/azure_network_security_modified_or_deleted.yml +++ b/src/main/resources/rules/azure/azure_network_security_modified_or_deleted.yml @@ -23,5 +23,5 @@ level: medium tags: - attack.impact falsepositives: - - Network Security Configuration being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Network Security Configuration being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. - Network Security Configuration modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. diff --git a/src/main/resources/rules/azure/azure_network_virtual_device_modified_or_deleted.yml b/src/main/resources/rules/azure/azure_network_virtual_device_modified_or_deleted.yml index 5eefd7274..7e8ed5b4a 100644 --- a/src/main/resources/rules/azure/azure_network_virtual_device_modified_or_deleted.yml +++ b/src/main/resources/rules/azure/azure_network_virtual_device_modified_or_deleted.yml @@ -28,5 +28,5 @@ level: medium tags: - attack.impact falsepositives: - - Virtual Network Device being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Virtual Network Device being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. - Virtual Network Device modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. diff --git a/src/main/resources/rules/azure/azure_new_cloudshell_created.yml b/src/main/resources/rules/azure/azure_new_cloudshell_created.yml index faa1a2c7b..e06b47f2f 100644 --- a/src/main/resources/rules/azure/azure_new_cloudshell_created.yml +++ b/src/main/resources/rules/azure/azure_new_cloudshell_created.yml @@ -18,5 +18,4 @@ tags: - attack.execution - attack.t1059 falsepositives: - - A new cloudshell may be created by a system administrator. - + - A new cloudshell may be created by a system administrator. diff --git a/src/main/resources/rules/azure/azure_owner_removed_from_application_or_service_principal.yml b/src/main/resources/rules/azure/azure_owner_removed_from_application_or_service_principal.yml index 57b3f464f..d32b447cf 100644 --- a/src/main/resources/rules/azure/azure_owner_removed_from_application_or_service_principal.yml +++ b/src/main/resources/rules/azure/azure_owner_removed_from_application_or_service_principal.yml @@ -11,7 +11,7 @@ logsource: service: activitylogs detection: selection: - properties.message: + properties.message: - Remove owner from service principal - Remove owner from application condition: selection @@ -19,6 +19,6 @@ level: medium tags: - attack.defense_evasion falsepositives: - - Owner being removed may be performed by a system administrator. - - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Owner being removed may be performed by a system administrator. + - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. - Owner removed from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. diff --git a/src/main/resources/rules/azure/azure_service_principal_created.yml b/src/main/resources/rules/azure/azure_service_principal_created.yml index 28d351a04..46a14b711 100644 --- a/src/main/resources/rules/azure/azure_service_principal_created.yml +++ b/src/main/resources/rules/azure/azure_service_principal_created.yml @@ -17,6 +17,6 @@ level: medium tags: - attack.defense_evasion falsepositives: - - Service principal being created may be performed by a system administrator. - - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Service principal being created may be performed by a system administrator. + - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. - Service principal created from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. diff --git a/src/main/resources/rules/azure/azure_service_principal_removed.yml b/src/main/resources/rules/azure/azure_service_principal_removed.yml index fbda2c690..43328012b 100644 --- a/src/main/resources/rules/azure/azure_service_principal_removed.yml +++ b/src/main/resources/rules/azure/azure_service_principal_removed.yml @@ -17,6 +17,6 @@ level: medium tags: - attack.defense_evasion falsepositives: - - Service principal being removed may be performed by a system administrator. - - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Service principal being removed may be performed by a system administrator. + - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. - Service principal removed from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. diff --git a/src/main/resources/rules/azure/azure_unusual_authentication_interruption.yml b/src/main/resources/rules/azure/azure_unusual_authentication_interruption.yml index f71db67b8..18691dfd3 100644 --- a/src/main/resources/rules/azure/azure_unusual_authentication_interruption.yml +++ b/src/main/resources/rules/azure/azure_unusual_authentication_interruption.yml @@ -2,7 +2,7 @@ title: Azure Unusual Authentication Interruption id: 8366030e-7216-476b-9927-271d79f13cf3 status: experimental author: Austin Songer @austinsonger -date: 2021/11/26 +date: 2021/11/26 description: Detects when there is a interruption in the authentication process. references: - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts @@ -19,7 +19,7 @@ detection: selection3: ResultType: 50158 ResultDescription: 'ExternalSecurityChallenge - External security challenge was not satisfied' - condition: selection1 or selection2 or selection3 + condition: selection1 or selection2 or selection3 level: medium falsepositives: - Unknown diff --git a/src/main/resources/rules/azure/azure_user_login_blocked_by_conditional_access.yml b/src/main/resources/rules/azure/azure_user_login_blocked_by_conditional_access.yml index 4b2b0bec9..5c087a6ee 100644 --- a/src/main/resources/rules/azure/azure_user_login_blocked_by_conditional_access.yml +++ b/src/main/resources/rules/azure/azure_user_login_blocked_by_conditional_access.yml @@ -2,7 +2,7 @@ title: User Access Blocked by Azure Conditional Access id: 9a60e676-26ac-44c3-814b-0c2a8b977adf status: experimental author: AlertIQ -date: 2021/10/10 +date: 2021/10/10 description: Detect access has been blocked by Conditional Access policies. The access policy does not allow token issuance which might be sights≈ of unauthorizeed login to valid accounts. references: - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts @@ -12,7 +12,7 @@ logsource: detection: selection: ResultType: 53003 - condition: selection + condition: selection level: medium falsepositives: - Unknown diff --git a/src/main/resources/rules/azure/azure_virtual_network_modified_or_deleted.yml b/src/main/resources/rules/azure/azure_virtual_network_modified_or_deleted.yml index 40a1604f6..6b25808c8 100644 --- a/src/main/resources/rules/azure/azure_virtual_network_modified_or_deleted.yml +++ b/src/main/resources/rules/azure/azure_virtual_network_modified_or_deleted.yml @@ -22,5 +22,5 @@ level: medium tags: - attack.impact falsepositives: - - Virtual Network being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Virtual Network being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. - Virtual Network modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. diff --git a/src/main/resources/rules/azure/azure_vpn_connection_modified_or_deleted.yml b/src/main/resources/rules/azure/azure_vpn_connection_modified_or_deleted.yml index e7cc2e36b..58d96b14e 100644 --- a/src/main/resources/rules/azure/azure_vpn_connection_modified_or_deleted.yml +++ b/src/main/resources/rules/azure/azure_vpn_connection_modified_or_deleted.yml @@ -19,5 +19,5 @@ level: medium tags: - attack.impact falsepositives: - - VPN Connection being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - VPN Connection being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. - VPN Connection modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. diff --git a/src/main/resources/rules/cloudtrail/aws_attached_malicious_lambda_layer.yml b/src/main/resources/rules/cloudtrail/aws_attached_malicious_lambda_layer.yml index 83a17e8da..298585fae 100644 --- a/src/main/resources/rules/cloudtrail/aws_attached_malicious_lambda_layer.yml +++ b/src/main/resources/rules/cloudtrail/aws_attached_malicious_lambda_layer.yml @@ -18,5 +18,5 @@ level: medium tags: - attack.privilege_escalation falsepositives: - - Lambda Layer being attached may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Lambda Layer being attached may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. - Lambda Layer being attached from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. diff --git a/src/main/resources/rules/cloudtrail/aws_create_load_balancer_layer.yml b/src/main/resources/rules/cloudtrail/aws_create_load_balancer_layer.yml index 5689743c9..037c1d866 100644 --- a/src/main/resources/rules/cloudtrail/aws_create_load_balancer_layer.yml +++ b/src/main/resources/rules/cloudtrail/aws_create_load_balancer_layer.yml @@ -19,4 +19,4 @@ tags: - attack.privilege_escalation falsepositives: - Lambda Layer being attached may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. - - Lambda Layer being attached from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. \ No newline at end of file + - Lambda Layer being attached from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. diff --git a/src/main/resources/rules/cloudtrail/aws_ec2_download_userdata.yml b/src/main/resources/rules/cloudtrail/aws_ec2_download_userdata.yml index 22711310e..af4e5f631 100644 --- a/src/main/resources/rules/cloudtrail/aws_ec2_download_userdata.yml +++ b/src/main/resources/rules/cloudtrail/aws_ec2_download_userdata.yml @@ -21,5 +21,5 @@ falsepositives: - Assets management software like device42 level: medium tags: - - attack.exfiltration + - attack.exfiltration - attack.t1020 diff --git a/src/main/resources/rules/cloudtrail/aws_ec2_vm_export_failure.yml b/src/main/resources/rules/cloudtrail/aws_ec2_vm_export_failure.yml index 57c2fa5c2..973cf9dc5 100644 --- a/src/main/resources/rules/cloudtrail/aws_ec2_vm_export_failure.yml +++ b/src/main/resources/rules/cloudtrail/aws_ec2_vm_export_failure.yml @@ -1,17 +1,17 @@ title: AWS EC2 VM Export Failure id: 54b9a76a-3c71-4673-b4b3-2edb4566ea7b status: experimental -description: An attempt to export an AWS EC2 instance has been detected. A VM Export might indicate an attempt to extract information from an instance. +description: An attempt to export an AWS EC2 instance has been detected. A VM Export might indicate an attempt to extract information from an instance. author: Diogo Braz date: 2020/04/16 modified: 2021/08/20 -references: +references: - https://docs.aws.amazon.com/vm-import/latest/userguide/vmexport.html#export-instance logsource: product: aws service: cloudtrail detection: - selection: + selection: eventName: 'CreateInstanceExportTask' eventSource: 'ec2.amazonaws.com' filter1: @@ -23,8 +23,7 @@ detection: condition: selection and (filter1 or filter2 or filter3) level: low tags: -- attack.collection -- attack.t1005 +- attack.collection +- attack.t1005 - attack.exfiltration - attack.t1537 - diff --git a/src/main/resources/rules/cloudtrail/aws_eks_cluster_created_or_deleted.yml b/src/main/resources/rules/cloudtrail/aws_eks_cluster_created_or_deleted.yml index 65d3a3bac..49b53b0a6 100644 --- a/src/main/resources/rules/cloudtrail/aws_eks_cluster_created_or_deleted.yml +++ b/src/main/resources/rules/cloudtrail/aws_eks_cluster_created_or_deleted.yml @@ -12,7 +12,7 @@ logsource: detection: selection: eventSource: eks.amazonaws.com - eventName: + eventName: - CreateCluster - DeleteCluster condition: selection @@ -21,6 +21,6 @@ tags: - attack.impact - attack.t1485 falsepositives: - - EKS Cluster being created or deleted may be performed by a system administrator. - - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - EKS Cluster being created or deleted may be performed by a system administrator. + - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. - EKS Cluster created or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. diff --git a/src/main/resources/rules/cloudtrail/aws_elasticache_security_group_created.yml b/src/main/resources/rules/cloudtrail/aws_elasticache_security_group_created.yml index ed485043d..51ec4468c 100644 --- a/src/main/resources/rules/cloudtrail/aws_elasticache_security_group_created.yml +++ b/src/main/resources/rules/cloudtrail/aws_elasticache_security_group_created.yml @@ -1,6 +1,6 @@ title: AWS ElastiCache Security Group Created -id: 4ae68615-866f-4304-b24b-ba048dfa5ca7 -description: Detects when an ElastiCache security group has been created. +id: 4ae68615-866f-4304-b24b-ba048dfa5ca7 +description: Detects when an ElastiCache security group has been created. author: Austin Songer @austinsonger status: experimental date: 2021/07/24 @@ -22,5 +22,3 @@ tags: - attack.t1136.003 falsepositives: - A ElastiCache security group may be created by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Security group creations from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule. - - diff --git a/src/main/resources/rules/cloudtrail/aws_elasticache_security_group_modified_or_deleted.yml b/src/main/resources/rules/cloudtrail/aws_elasticache_security_group_modified_or_deleted.yml index fc7daf4a1..0ee02e0f6 100644 --- a/src/main/resources/rules/cloudtrail/aws_elasticache_security_group_modified_or_deleted.yml +++ b/src/main/resources/rules/cloudtrail/aws_elasticache_security_group_modified_or_deleted.yml @@ -13,7 +13,7 @@ logsource: detection: selection: eventSource: elasticache.amazonaws.com - eventName: + eventName: - 'DeleteCacheSecurityGroup' - 'AuthorizeCacheSecurityGroupIngress' - 'RevokeCacheSecurityGroupIngress' @@ -26,5 +26,3 @@ tags: - attack.t1531 falsepositives: - A ElastiCache security group deletion may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Security Group deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule. - - diff --git a/src/main/resources/rules/cloudtrail/aws_enum_listing.yml b/src/main/resources/rules/cloudtrail/aws_enum_listing.yml index 846144376..19143dc65 100644 --- a/src/main/resources/rules/cloudtrail/aws_enum_listing.yml +++ b/src/main/resources/rules/cloudtrail/aws_enum_listing.yml @@ -1,7 +1,7 @@ title: Account Enumeration on AWS -id: e9c14b23-47e2-4a8b-8a63-d36618e33d70 +id: e9c14b23-47e2-4a8b-8a63-d36618e33d70 status: experimental -description: Detects enumeration of accounts configuration via api call to list different instances and services within a short period of time. +description: Detects enumeration of accounts configuration via api call to list different instances and services within a short period of time. author: toffeebr33k date: 2020/11/21 modified: 2021/08/09 diff --git a/src/main/resources/rules/cloudtrail/aws_lambda_function_created_or_invoked.yml b/src/main/resources/rules/cloudtrail/aws_lambda_function_created_or_invoked.yml index c313afe95..1e680658a 100644 --- a/src/main/resources/rules/cloudtrail/aws_lambda_function_created_or_invoked.yml +++ b/src/main/resources/rules/cloudtrail/aws_lambda_function_created_or_invoked.yml @@ -23,5 +23,5 @@ tags: - attack.privilege_escalation - attack.t1078 falsepositives: - - Lambda Function created or invoked may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Lambda Function created or invoked may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. - If known behavior is causing false positives, it can be exempted from the rule. diff --git a/src/main/resources/rules/cloudtrail/aws_passed_role_to_glue_development_endpoint.yml b/src/main/resources/rules/cloudtrail/aws_passed_role_to_glue_development_endpoint.yml index 953d3066e..c8d356615 100644 --- a/src/main/resources/rules/cloudtrail/aws_passed_role_to_glue_development_endpoint.yml +++ b/src/main/resources/rules/cloudtrail/aws_passed_role_to_glue_development_endpoint.yml @@ -26,5 +26,5 @@ level: low tags: - attack.privilege_escalation falsepositives: - - Glue Development Endpoint Activity may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Glue Development Endpoint Activity may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. - If known behavior is causing false positives, it can be exempted from the rule. diff --git a/src/main/resources/rules/cloudtrail/aws_route_53_domain_transferred_lock_disabled.yml b/src/main/resources/rules/cloudtrail/aws_route_53_domain_transferred_lock_disabled.yml index fa9b5171c..9e6219023 100644 --- a/src/main/resources/rules/cloudtrail/aws_route_53_domain_transferred_lock_disabled.yml +++ b/src/main/resources/rules/cloudtrail/aws_route_53_domain_transferred_lock_disabled.yml @@ -1,6 +1,6 @@ title: AWS Route 53 Domain Transfer Lock Disabled id: 3940b5f1-3f46-44aa-b746-ebe615b879e0 -description: Detects when a transfer lock was removed from a Route 53 domain. It is recommended to refrain from performing this action unless intending to transfer the domain to a different registrar. +description: Detects when a transfer lock was removed from a Route 53 domain. It is recommended to refrain from performing this action unless intending to transfer the domain to a different registrar. author: Elastic, Austin Songer @austinsonger status: experimental date: 2021/07/22 @@ -23,4 +23,3 @@ tags: - attack.t1098 falsepositives: - A domain transfer lock may be disabled by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Activity from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule. - diff --git a/src/main/resources/rules/cloudtrail/aws_susp_saml_activity.yml b/src/main/resources/rules/cloudtrail/aws_susp_saml_activity.yml index d6caa4835..08eabe4ce 100644 --- a/src/main/resources/rules/cloudtrail/aws_susp_saml_activity.yml +++ b/src/main/resources/rules/cloudtrail/aws_susp_saml_activity.yml @@ -1,4 +1,4 @@ -title: AWS Suspicious SAML Activity +title: AWS Suspicious SAML Activity id: f43f5d2f-3f2a-4cc8-b1af-81fde7dbaf0e description: Identifies when suspicious SAML activity has occurred in AWS. An adversary could gain backdoor access via SAML. author: Austin Songer @@ -29,5 +29,5 @@ tags: - attack.t1550.001 falsepositives: - Automated processes that uses Terraform may lead to false positives. - - SAML Provider could be updated by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - SAML Provider could be updated by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. - SAML Provider being updated from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. diff --git a/src/main/resources/rules/cloudtrail/aws_update_login_profile.yml b/src/main/resources/rules/cloudtrail/aws_update_login_profile.yml index 093dbd905..acaebd91d 100644 --- a/src/main/resources/rules/cloudtrail/aws_update_login_profile.yml +++ b/src/main/resources/rules/cloudtrail/aws_update_login_profile.yml @@ -1,7 +1,7 @@ title: AWS User Login Profile Was Modified -id: 055fb148-60f8-462d-ad16-26926ce050f1 +id: 055fb148-60f8-462d-ad16-26926ce050f1 status: experimental -description: | +description: | An attacker with the iam:UpdateLoginProfile permission on other users can change the password used to login to the AWS console on any user that already has a login profile setup. With this alert, it is used to detect anyone is changing password on behalf of other users. author: toffeebr33k @@ -24,7 +24,7 @@ fields: - errorCode - errorMessage falsepositives: - - Legit User Account Administration + - Legit User Account Administration level: high tags: - attack.persistence diff --git a/src/main/resources/rules/dns/net_dns_external_service_interaction_domains.yml b/src/main/resources/rules/dns/net_dns_external_service_interaction_domains.yml index 492fe39de..6a19e392e 100644 --- a/src/main/resources/rules/dns/net_dns_external_service_interaction_domains.yml +++ b/src/main/resources/rules/dns/net_dns_external_service_interaction_domains.yml @@ -32,4 +32,3 @@ tags: - attack.reconnaissance - attack.t1595.002 level: high - diff --git a/src/main/resources/rules/dns/net_dns_high_bytes_out.yml b/src/main/resources/rules/dns/net_dns_high_bytes_out.yml index 8ac851b89..4b0a9d2a2 100644 --- a/src/main/resources/rules/dns/net_dns_high_bytes_out.yml +++ b/src/main/resources/rules/dns/net_dns_high_bytes_out.yml @@ -17,4 +17,4 @@ detection: condition: selection falsepositives: - Legitimate high DNS bytes out rate to domain name which should be added to whitelist -level: medium \ No newline at end of file +level: medium diff --git a/src/main/resources/rules/dns/net_dns_high_requests_rate.yml b/src/main/resources/rules/dns/net_dns_high_requests_rate.yml index 87b45eb1d..1c6a2fe86 100644 --- a/src/main/resources/rules/dns/net_dns_high_requests_rate.yml +++ b/src/main/resources/rules/dns/net_dns_high_requests_rate.yml @@ -19,4 +19,4 @@ detection: condition: selection falsepositives: - Legitimate high DNS requests rate to domain name which should be added to whitelist -level: medium \ No newline at end of file +level: medium diff --git a/src/main/resources/rules/dns/net_dns_mal_cobaltstrike.yml b/src/main/resources/rules/dns/net_dns_mal_cobaltstrike.yml index a7c46dd46..64fb1ff74 100644 --- a/src/main/resources/rules/dns/net_dns_mal_cobaltstrike.yml +++ b/src/main/resources/rules/dns/net_dns_mal_cobaltstrike.yml @@ -13,7 +13,7 @@ logsource: detection: selection1: query|startswith: - - 'aaa.stage.' + - 'aaa.stage.' - 'post.1' selection2: query|contains: '.stage.123456.' diff --git a/src/main/resources/rules/dns/net_dns_susp_telegram_api.yml b/src/main/resources/rules/dns/net_dns_susp_telegram_api.yml index b37de31a3..5066a1b2e 100644 --- a/src/main/resources/rules/dns/net_dns_susp_telegram_api.yml +++ b/src/main/resources/rules/dns/net_dns_susp_telegram_api.yml @@ -21,4 +21,4 @@ falsepositives: level: medium tags: - attack.command_and_control - - attack.t1102.002 \ No newline at end of file + - attack.t1102.002 diff --git a/src/main/resources/rules/linux/auditd/lnx_auditd_audio_capture.yml b/src/main/resources/rules/linux/auditd/lnx_auditd_audio_capture.yml index cfb085506..0692945f6 100644 --- a/src/main/resources/rules/linux/auditd/lnx_auditd_audio_capture.yml +++ b/src/main/resources/rules/linux/auditd/lnx_auditd_audio_capture.yml @@ -1,7 +1,7 @@ title: Audio Capture id: a7af2487-9c2f-42e4-9bb9-ff961f0561d5 description: Detects attempts to record audio with arecord utility - #the actual binary that arecord is using and that has to be monitored is /usr/bin/aplay + #the actual binary that arecord is using and that has to be monitored is /usr/bin/aplay author: 'Pawel Mazur' status: experimental date: 2021/09/04 diff --git a/src/main/resources/rules/linux/auditd/lnx_auditd_capabilities_discovery.yml b/src/main/resources/rules/linux/auditd/lnx_auditd_capabilities_discovery.yml index e1305b103..2ee302365 100644 --- a/src/main/resources/rules/linux/auditd/lnx_auditd_capabilities_discovery.yml +++ b/src/main/resources/rules/linux/auditd/lnx_auditd_capabilities_discovery.yml @@ -26,4 +26,4 @@ tags: - attack.t1548 falsepositives: - Unknown -level: low \ No newline at end of file +level: low diff --git a/src/main/resources/rules/linux/auditd/lnx_auditd_clipboard_collection.yml b/src/main/resources/rules/linux/auditd/lnx_auditd_clipboard_collection.yml index ca7009ca1..b973b0bb2 100644 --- a/src/main/resources/rules/linux/auditd/lnx_auditd_clipboard_collection.yml +++ b/src/main/resources/rules/linux/auditd/lnx_auditd_clipboard_collection.yml @@ -15,10 +15,10 @@ detection: selection: type: EXECVE a0: xclip - a1: + a1: - '-selection' - '-sel' - a2: + a2: - clipboard - clip a3: '-o' diff --git a/src/main/resources/rules/linux/auditd/lnx_auditd_clipboard_image_collection.yml b/src/main/resources/rules/linux/auditd/lnx_auditd_clipboard_image_collection.yml index 9e3b3dce2..fb68c7a65 100644 --- a/src/main/resources/rules/linux/auditd/lnx_auditd_clipboard_image_collection.yml +++ b/src/main/resources/rules/linux/auditd/lnx_auditd_clipboard_image_collection.yml @@ -4,10 +4,10 @@ description: Detects attempts to collect image data stored in the clipboard from author: 'Pawel Mazur' status: experimental date: 2021/10/01 -references: +references: - https://attack.mitre.org/techniques/T1115/ - https://linux.die.net/man/1/xclip -logsource: +logsource: product: linux service: auditd detection: @@ -17,7 +17,7 @@ detection: a1: - '-selection' - '-sel' - a2: + a2: - clipboard - clip a3: '-t' @@ -29,4 +29,4 @@ tags: - attack.t1115 falsepositives: - Legitimate usage of xclip tools -level: low +level: low diff --git a/src/main/resources/rules/linux/auditd/lnx_auditd_coinminer.yml b/src/main/resources/rules/linux/auditd/lnx_auditd_coinminer.yml index 21c65eff0..5a7ec1d7a 100644 --- a/src/main/resources/rules/linux/auditd/lnx_auditd_coinminer.yml +++ b/src/main/resources/rules/linux/auditd/lnx_auditd_coinminer.yml @@ -30,4 +30,4 @@ detection: condition: 1 of cmd* falsepositives: - Other tools that use a --cpu-priority flag -level: critical \ No newline at end of file +level: critical diff --git a/src/main/resources/rules/linux/auditd/lnx_auditd_cve_2021_3156_sudo_buffer_overflow.yml b/src/main/resources/rules/linux/auditd/lnx_auditd_cve_2021_3156_sudo_buffer_overflow.yml index 026b64af7..d8a6328fa 100644 --- a/src/main/resources/rules/linux/auditd/lnx_auditd_cve_2021_3156_sudo_buffer_overflow.yml +++ b/src/main/resources/rules/linux/auditd/lnx_auditd_cve_2021_3156_sudo_buffer_overflow.yml @@ -39,4 +39,4 @@ detection: condition: selection and (cmd1 or cmd2 or cmd3 or cmd4) and (cmd5 or cmd6 or cmd7 or cmd8) falsepositives: - Unknown -level: high \ No newline at end of file +level: high diff --git a/src/main/resources/rules/linux/auditd/lnx_auditd_cve_2021_3156_sudo_buffer_overflow_brutforce.yml b/src/main/resources/rules/linux/auditd/lnx_auditd_cve_2021_3156_sudo_buffer_overflow_brutforce.yml index eebe66655..64268f9b0 100644 --- a/src/main/resources/rules/linux/auditd/lnx_auditd_cve_2021_3156_sudo_buffer_overflow_brutforce.yml +++ b/src/main/resources/rules/linux/auditd/lnx_auditd_cve_2021_3156_sudo_buffer_overflow_brutforce.yml @@ -26,4 +26,4 @@ detection: condition: selection falsepositives: - Unknown -level: high \ No newline at end of file +level: high diff --git a/src/main/resources/rules/linux/auditd/lnx_auditd_cve_2021_4034.yml b/src/main/resources/rules/linux/auditd/lnx_auditd_cve_2021_4034.yml index 1c3b6cbab..df50b8d15 100644 --- a/src/main/resources/rules/linux/auditd/lnx_auditd_cve_2021_4034.yml +++ b/src/main/resources/rules/linux/auditd/lnx_auditd_cve_2021_4034.yml @@ -17,7 +17,7 @@ detection: proctitle: '(null)' syscall: type: SYSCALL - comm: pkexec + comm: pkexec exe: '/usr/bin/pkexec' condition: proctitle and syscall tags: diff --git a/src/main/resources/rules/linux/auditd/lnx_auditd_data_exfil_wget.yml b/src/main/resources/rules/linux/auditd/lnx_auditd_data_exfil_wget.yml index 70a8dec73..77190c768 100644 --- a/src/main/resources/rules/linux/auditd/lnx_auditd_data_exfil_wget.yml +++ b/src/main/resources/rules/linux/auditd/lnx_auditd_data_exfil_wget.yml @@ -22,4 +22,4 @@ tags: - attack.t1048.003 falsepositives: - Legitimate usage of wget utility to post a file -level: medium \ No newline at end of file +level: medium diff --git a/src/main/resources/rules/linux/auditd/lnx_auditd_dd_delete_file.yml b/src/main/resources/rules/linux/auditd/lnx_auditd_dd_delete_file.yml index 2ef02aebc..ef36926e6 100644 --- a/src/main/resources/rules/linux/auditd/lnx_auditd_dd_delete_file.yml +++ b/src/main/resources/rules/linux/auditd/lnx_auditd_dd_delete_file.yml @@ -12,10 +12,10 @@ logsource: detection: selection: type: 'EXECVE' - a0|contains: 'dd' + a0|contains: 'dd' a1|contains: - - 'if=/dev/null' - - 'if=/dev/zero' + - 'if=/dev/null' + - 'if=/dev/zero' condition: selection falsepositives: - Appending null bytes to files. diff --git a/src/main/resources/rules/linux/auditd/lnx_auditd_disable_system_firewall.yml b/src/main/resources/rules/linux/auditd/lnx_auditd_disable_system_firewall.yml index 11bdc3477..30428aa01 100644 --- a/src/main/resources/rules/linux/auditd/lnx_auditd_disable_system_firewall.yml +++ b/src/main/resources/rules/linux/auditd/lnx_auditd_disable_system_firewall.yml @@ -14,7 +14,7 @@ logsource: detection: selection: type: 'SERVICE_STOP' - unit: + unit: - 'firewalld' - 'iptables' - 'ufw' @@ -24,4 +24,4 @@ falsepositives: level: high tags: - attack.t1562.004 - - attack.defense_evasion \ No newline at end of file + - attack.defense_evasion diff --git a/src/main/resources/rules/linux/auditd/lnx_auditd_keylogging_with_pam_d.yml b/src/main/resources/rules/linux/auditd/lnx_auditd_keylogging_with_pam_d.yml index 0af760ef4..4cd280f36 100644 --- a/src/main/resources/rules/linux/auditd/lnx_auditd_keylogging_with_pam_d.yml +++ b/src/main/resources/rules/linux/auditd/lnx_auditd_keylogging_with_pam_d.yml @@ -1,7 +1,7 @@ title: Linux Keylogging with Pam.d id: 49aae26c-450e-448b-911d-b3c13d178dfc description: Detect attempt to enable auditing of TTY input - # -w /etc/pam.d/ -p wa -k pam - this rule will help you detect changes to the pam.d files- https://github.com/Neo23x0/auditd/blob/master/audit.rules + # -w /etc/pam.d/ -p wa -k pam - this rule will help you detect changes to the pam.d files- https://github.com/Neo23x0/auditd/blob/master/audit.rules # - the TTY events detection asumes that you do not expect them in your environment or add filtering on those users that you configured it for author: 'Pawel Mazur' status: experimental @@ -18,7 +18,7 @@ logsource: detection: path_events: type: PATH - name: + name: - '/etc/pam.d/system-auth' - '/etc/pam.d/password-auth' tty_events: diff --git a/src/main/resources/rules/linux/auditd/lnx_auditd_password_policy_discovery.yml b/src/main/resources/rules/linux/auditd/lnx_auditd_password_policy_discovery.yml index 4d3c28203..e017b7d48 100644 --- a/src/main/resources/rules/linux/auditd/lnx_auditd_password_policy_discovery.yml +++ b/src/main/resources/rules/linux/auditd/lnx_auditd_password_policy_discovery.yml @@ -22,16 +22,16 @@ detection: - '/etc/security/pwquality.conf' - '/etc/pam.d/system-auth' - '/etc/login.defs' - chage: + chage: type: 'EXECVE' a0: 'chage' - a1: + a1: - '--list' - '-l' passwd: type: 'EXECVE' a0: 'passwd' - a1: + a1: - '-S' - '--status' condition: files or chage or passwd diff --git a/src/main/resources/rules/linux/auditd/lnx_auditd_screencapture_import.yml b/src/main/resources/rules/linux/auditd/lnx_auditd_screencapture_import.yml index e411de683..4b9b6c736 100644 --- a/src/main/resources/rules/linux/auditd/lnx_auditd_screencapture_import.yml +++ b/src/main/resources/rules/linux/auditd/lnx_auditd_screencapture_import.yml @@ -34,4 +34,4 @@ tags: - attack.t1113 falsepositives: - Legitimate use of screenshot utility -level: low \ No newline at end of file +level: low diff --git a/src/main/resources/rules/linux/auditd/lnx_auditd_steghide_extract_steganography.yml b/src/main/resources/rules/linux/auditd/lnx_auditd_steghide_extract_steganography.yml index cd596493c..9dcd4df23 100644 --- a/src/main/resources/rules/linux/auditd/lnx_auditd_steghide_extract_steganography.yml +++ b/src/main/resources/rules/linux/auditd/lnx_auditd_steghide_extract_steganography.yml @@ -17,7 +17,7 @@ logsource: product: linux service: auditd detection: - selection: + selection: type: EXECVE a0: steghide a1: extract diff --git a/src/main/resources/rules/linux/auditd/lnx_auditd_susp_exe_folders.yml b/src/main/resources/rules/linux/auditd/lnx_auditd_susp_exe_folders.yml index 23c6037bd..b1cf17ce9 100644 --- a/src/main/resources/rules/linux/auditd/lnx_auditd_susp_exe_folders.yml +++ b/src/main/resources/rules/linux/auditd/lnx_auditd_susp_exe_folders.yml @@ -16,7 +16,7 @@ detection: exe|startswith: # Temporary folder - '/tmp/' - # Web server + # Web server - '/var/www/' # Standard - '/home/*/public_html/' # Per-user - '/usr/local/apache2/' # Classical Apache diff --git a/src/main/resources/rules/linux/auditd/lnx_auditd_web_rce.yml b/src/main/resources/rules/linux/auditd/lnx_auditd_web_rce.yml index 69a36bdc0..f9402ce14 100644 --- a/src/main/resources/rules/linux/auditd/lnx_auditd_web_rce.yml +++ b/src/main/resources/rules/linux/auditd/lnx_auditd_web_rce.yml @@ -22,4 +22,4 @@ falsepositives: level: critical tags: - attack.persistence - - attack.t1505.003 \ No newline at end of file + - attack.t1505.003 diff --git a/src/main/resources/rules/linux/builtin/lnx_buffer_overflows.yml b/src/main/resources/rules/linux/builtin/lnx_buffer_overflows.yml index 747191af7..1449076e1 100644 --- a/src/main/resources/rules/linux/builtin/lnx_buffer_overflows.yml +++ b/src/main/resources/rules/linux/builtin/lnx_buffer_overflows.yml @@ -20,4 +20,4 @@ falsepositives: level: high tags: - attack.t1068 - - attack.privilege_escalation \ No newline at end of file + - attack.privilege_escalation diff --git a/src/main/resources/rules/linux/builtin/lnx_crontab_file_modification.yml b/src/main/resources/rules/linux/builtin/lnx_crontab_file_modification.yml index df1dd7e53..dc5bde7ba 100644 --- a/src/main/resources/rules/linux/builtin/lnx_crontab_file_modification.yml +++ b/src/main/resources/rules/linux/builtin/lnx_crontab_file_modification.yml @@ -11,7 +11,7 @@ logsource: product: linux service: cron detection: - keywords: + keywords: - 'REPLACE' condition: keywords falsepositives: diff --git a/src/main/resources/rules/linux/builtin/lnx_ldso_preload_injection.yml b/src/main/resources/rules/linux/builtin/lnx_ldso_preload_injection.yml index 2ddcb6d07..d4f3ef753 100644 --- a/src/main/resources/rules/linux/builtin/lnx_ldso_preload_injection.yml +++ b/src/main/resources/rules/linux/builtin/lnx_ldso_preload_injection.yml @@ -18,4 +18,4 @@ level: high tags: - attack.persistence - attack.privilege_escalation - - attack.t1574.006 \ No newline at end of file + - attack.t1574.006 diff --git a/src/main/resources/rules/linux/builtin/lnx_nimbuspwn_privilege_escalation_exploit.yml b/src/main/resources/rules/linux/builtin/lnx_nimbuspwn_privilege_escalation_exploit.yml index 40b276bff..2a921b04a 100644 --- a/src/main/resources/rules/linux/builtin/lnx_nimbuspwn_privilege_escalation_exploit.yml +++ b/src/main/resources/rules/linux/builtin/lnx_nimbuspwn_privilege_escalation_exploit.yml @@ -20,4 +20,4 @@ falsepositives: level: high tags: - attack.privilege_escalation - - attack.t1068 \ No newline at end of file + - attack.t1068 diff --git a/src/main/resources/rules/linux/builtin/lnx_pwnkit_local_privilege_escalation.yml b/src/main/resources/rules/linux/builtin/lnx_pwnkit_local_privilege_escalation.yml index defe1cce7..d6f1d9351 100644 --- a/src/main/resources/rules/linux/builtin/lnx_pwnkit_local_privilege_escalation.yml +++ b/src/main/resources/rules/linux/builtin/lnx_pwnkit_local_privilege_escalation.yml @@ -4,20 +4,20 @@ status: experimental description: Detects potential PwnKit exploitation CVE-2021-4034 in auth logs author: Sreeman date: 2022/01/26 -references: +references: - https://twitter.com/wdormann/status/1486161836961579020 -logsource: +logsource: product: linux service: auth -detection: - keyword: +detection: + keyword: - 'pkexec' - 'The value for environment variable XAUTHORITY contains suscipious content' - '[USER=root] [TTY=/dev/pts/0]' condition: all of keyword -falsepositives: +falsepositives: - Unknown level: high -tags: +tags: - attack.privilege_escalation - - attack.t1548.001 \ No newline at end of file + - attack.t1548.001 diff --git a/src/main/resources/rules/linux/builtin/lnx_shellshock.yml b/src/main/resources/rules/linux/builtin/lnx_shellshock.yml index dd7cbc8c6..13ed22033 100644 --- a/src/main/resources/rules/linux/builtin/lnx_shellshock.yml +++ b/src/main/resources/rules/linux/builtin/lnx_shellshock.yml @@ -10,7 +10,7 @@ references: logsource: product: linux detection: - keywords: + keywords: - '(){:;};' - '() {:;};' - '() { :;};' @@ -21,4 +21,4 @@ falsepositives: level: high tags: - attack.persistence - - attack.t1505.003 \ No newline at end of file + - attack.t1505.003 diff --git a/src/main/resources/rules/linux/builtin/lnx_sudo_cve_2019_14287.yml b/src/main/resources/rules/linux/builtin/lnx_sudo_cve_2019_14287.yml index b059c59d0..bc4c3da22 100644 --- a/src/main/resources/rules/linux/builtin/lnx_sudo_cve_2019_14287.yml +++ b/src/main/resources/rules/linux/builtin/lnx_sudo_cve_2019_14287.yml @@ -22,4 +22,4 @@ detection: condition: selection_keywords falsepositives: - Unlikely -level: high \ No newline at end of file +level: high diff --git a/src/main/resources/rules/linux/builtin/lnx_sudo_cve_2019_14287_user.yml b/src/main/resources/rules/linux/builtin/lnx_sudo_cve_2019_14287_user.yml index 160c8094b..d95240e1b 100644 --- a/src/main/resources/rules/linux/builtin/lnx_sudo_cve_2019_14287_user.yml +++ b/src/main/resources/rules/linux/builtin/lnx_sudo_cve_2019_14287_user.yml @@ -28,4 +28,4 @@ detection: condition: selection_user falsepositives: - Unlikely -level: critical \ No newline at end of file +level: critical diff --git a/src/main/resources/rules/linux/file_create/file_create_lnx_cron_files.yml b/src/main/resources/rules/linux/file_create/file_create_lnx_cron_files.yml index 4f0a15f8c..03ac93263 100644 --- a/src/main/resources/rules/linux/file_create/file_create_lnx_cron_files.yml +++ b/src/main/resources/rules/linux/file_create/file_create_lnx_cron_files.yml @@ -21,7 +21,7 @@ detection: - '/etc/cron.monthly/' - '/etc/cron.weekly/' - '/var/spool/cron/crontabs/' - selection2: + selection2: TargetFilename|contains: - '/etc/cron.allow' - '/etc/cron.deny' @@ -30,4 +30,3 @@ detection: falsepositives: - Any legitimate cron file. level: medium - \ No newline at end of file diff --git a/src/main/resources/rules/linux/modsecurity/modsec_mulitple_blocks.yml b/src/main/resources/rules/linux/modsecurity/modsec_mulitple_blocks.yml index 0280e9ba9..b086a3a68 100644 --- a/src/main/resources/rules/linux/modsecurity/modsec_mulitple_blocks.yml +++ b/src/main/resources/rules/linux/modsecurity/modsec_mulitple_blocks.yml @@ -20,4 +20,4 @@ falsepositives: level: medium tags: - attack.impact - - attack.t1499 \ No newline at end of file + - attack.t1499 diff --git a/src/main/resources/rules/linux/network_connection/net_connection_lnx_back_connect_shell_dev.yml b/src/main/resources/rules/linux/network_connection/net_connection_lnx_back_connect_shell_dev.yml index 63a2ffd49..cda154205 100644 --- a/src/main/resources/rules/linux/network_connection/net_connection_lnx_back_connect_shell_dev.yml +++ b/src/main/resources/rules/linux/network_connection/net_connection_lnx_back_connect_shell_dev.yml @@ -13,11 +13,10 @@ detection: selection: Image|endswith: '/bin/bash' filter: - DestinationIp: + DestinationIp: - '127.0.0.1' - '0.0.0.0' condition: selection and not filter falsepositives: - Unknown level: critical - diff --git a/src/main/resources/rules/linux/network_connection/net_connection_lnx_crypto_mining_indicators.yml b/src/main/resources/rules/linux/network_connection/net_connection_lnx_crypto_mining_indicators.yml index 3ae3b1a7a..33aff0f73 100644 --- a/src/main/resources/rules/linux/network_connection/net_connection_lnx_crypto_mining_indicators.yml +++ b/src/main/resources/rules/linux/network_connection/net_connection_lnx_crypto_mining_indicators.yml @@ -11,7 +11,7 @@ logsource: category: network_connection detection: selection: - DestinationHostname: + DestinationHostname: - 'pool.minexmr.com' - 'fr.minexmr.com' - 'de.minexmr.com' diff --git a/src/main/resources/rules/linux/other/lnx_clamav.yml b/src/main/resources/rules/linux/other/lnx_clamav.yml index 852d2deeb..a4f6cec6e 100644 --- a/src/main/resources/rules/linux/other/lnx_clamav.yml +++ b/src/main/resources/rules/linux/other/lnx_clamav.yml @@ -22,4 +22,4 @@ falsepositives: level: high tags: - attack.resource_development - - attack.t1588.001 \ No newline at end of file + - attack.t1588.001 diff --git a/src/main/resources/rules/linux/other/lnx_security_tools_disabling_syslog.yml b/src/main/resources/rules/linux/other/lnx_security_tools_disabling_syslog.yml index 096cbe2e9..096ab0368 100644 --- a/src/main/resources/rules/linux/other/lnx_security_tools_disabling_syslog.yml +++ b/src/main/resources/rules/linux/other/lnx_security_tools_disabling_syslog.yml @@ -16,7 +16,7 @@ tags: logsource: product: linux service: syslog -detection: +detection: keywords: - '*stopping iptables*' - '*stopping ip6tables*' @@ -26,4 +26,4 @@ detection: condition: keywords falsepositives: - Legitimate administration activities -level: medium \ No newline at end of file +level: medium diff --git a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_cat_sudoers.yml b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_cat_sudoers.yml index e9c822de9..83e0dda21 100644 --- a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_cat_sudoers.yml +++ b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_cat_sudoers.yml @@ -11,7 +11,7 @@ logsource: product: linux detection: selection: - Image|endswith: + Image|endswith: - '/cat' - 'grep' CommandLine|contains: ' /etc/sudoers' diff --git a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_clear_syslog.yml b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_clear_syslog.yml index 44c782049..d826716e2 100644 --- a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_clear_syslog.yml +++ b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_clear_syslog.yml @@ -25,4 +25,4 @@ detection: condition: selection falsepositives: - Log rotation. -level: high \ No newline at end of file +level: high diff --git a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_clipboard_collection.yml b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_clipboard_collection.yml index f46c302f5..d585fc36c 100644 --- a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_clipboard_collection.yml +++ b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_clipboard_collection.yml @@ -28,4 +28,4 @@ detection: condition: selection1 and selection2 and selection3 and selection4 falsepositives: - Legitimate usage of xclip tools. -level: low \ No newline at end of file +level: low diff --git a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_crypto_mining.yml b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_crypto_mining.yml index cc4e2eb28..6662c9e40 100644 --- a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_crypto_mining.yml +++ b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_crypto_mining.yml @@ -25,7 +25,7 @@ detection: - 'LS1kb25hdGUtbGV2ZWw9' - '0tZG9uYXRlLWxldmVsP' - 'tLWRvbmF0ZS1sZXZlbD' - # base64 encoded: stratum+tcp:// and stratum+udp:// + # base64 encoded: stratum+tcp:// and stratum+udp:// - 'c3RyYXR1bSt0Y3A6Ly' - 'N0cmF0dW0rdGNwOi8v' - 'zdHJhdHVtK3RjcDovL' diff --git a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_dd_file_overwrite.yml b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_dd_file_overwrite.yml index ee132e94c..f6eb7104a 100644 --- a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_dd_file_overwrite.yml +++ b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_dd_file_overwrite.yml @@ -17,7 +17,7 @@ detection: Image: - '/bin/dd' - '/usr/bin/dd' - selection2: + selection2: CommandLine|contains: 'of=' selection3: CommandLine|contains: @@ -26,4 +26,4 @@ detection: condition: selection1 and selection2 and selection3 falsepositives: - Any user deleting files that way. -level: low \ No newline at end of file +level: low diff --git a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_network_service_scanning.yml b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_network_service_scanning.yml index 435b641c6..dff9dc956 100644 --- a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_network_service_scanning.yml +++ b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_network_service_scanning.yml @@ -28,4 +28,4 @@ detection: condition: (netcat and not netcat_listen_flag) or network_scanning_tools falsepositives: - Legitimate administration activities -level: low \ No newline at end of file +level: low diff --git a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_omigod_scx_runasprovider_executescript.yml b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_omigod_scx_runasprovider_executescript.yml index 5288f13df..90ed0cf16 100644 --- a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_omigod_scx_runasprovider_executescript.yml +++ b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_omigod_scx_runasprovider_executescript.yml @@ -27,4 +27,4 @@ detection: condition: selection falsepositives: - Legitimate use of SCX RunAsProvider ExecuteScript. -level: high \ No newline at end of file +level: high diff --git a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_omigod_scx_runasprovider_executeshellcommand.yml b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_omigod_scx_runasprovider_executeshellcommand.yml index 5e9c8b81b..50d18a1dd 100644 --- a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_omigod_scx_runasprovider_executeshellcommand.yml +++ b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_omigod_scx_runasprovider_executeshellcommand.yml @@ -27,4 +27,4 @@ detection: condition: selection falsepositives: - Legitimate use of SCX RunAsProvider Invoke_ExecuteShellCommand. -level: high \ No newline at end of file +level: high diff --git a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_python_pty_spawn.yml b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_python_pty_spawn.yml index 7b7fbcd02..b56b56825 100644 --- a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_python_pty_spawn.yml +++ b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_python_pty_spawn.yml @@ -26,4 +26,4 @@ detection: condition: selection_image and 1 of selection_cli* falsepositives: - Unknown -level: high \ No newline at end of file +level: high diff --git a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_security_tools_disabling.yml b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_security_tools_disabling.yml index 0455235a2..b82d1f331 100644 --- a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_security_tools_disabling.yml +++ b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_security_tools_disabling.yml @@ -80,4 +80,4 @@ detection: condition: 1 of selection* falsepositives: - Legitimate administration activities -level: medium \ No newline at end of file +level: medium diff --git a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_susp_history_delete.yml b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_susp_history_delete.yml index 3727dee7e..a9dc1f6ff 100644 --- a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_susp_history_delete.yml +++ b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_susp_history_delete.yml @@ -13,7 +13,7 @@ detection: selection: Image|endswith: '/rm' selection_history: - - CommandLine|contains: + - CommandLine|contains: - '/.bash_history' - '/.zsh_history' - CommandLine|endswith: '_history' diff --git a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_susp_history_recon.yml b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_susp_history_recon.yml index 93b722ac9..a91de0a28 100644 --- a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_susp_history_recon.yml +++ b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_susp_history_recon.yml @@ -13,7 +13,7 @@ detection: selection: Image|endswith: '/cat' selection_history: - - CommandLine|contains: + - CommandLine|contains: - '/.bash_history' - '/.zsh_history' - CommandLine|endswith: '_history' diff --git a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_susp_interactive_bash.yml b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_susp_interactive_bash.yml index 5401c761c..6009d43ce 100644 --- a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_susp_interactive_bash.yml +++ b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_susp_interactive_bash.yml @@ -18,7 +18,7 @@ detection: - 'base64' - 'pty.spawn' anomaly2: - Image|endswith: + Image|endswith: - 'whoami' - 'iptables' - '/ncat' @@ -28,4 +28,3 @@ detection: falsepositives: - Legitimate software that uses these patterns level: medium - diff --git a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_susp_pipe_shell.yml b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_susp_pipe_shell.yml index 1ae661068..e89e239d6 100644 --- a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_susp_pipe_shell.yml +++ b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_susp_pipe_shell.yml @@ -26,4 +26,3 @@ detection: falsepositives: - Legitimate software that uses these patterns level: medium - diff --git a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_susp_recon_indicators.yml b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_susp_recon_indicators.yml index b5c14e47b..190477e5a 100644 --- a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_susp_recon_indicators.yml +++ b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_susp_recon_indicators.yml @@ -11,7 +11,7 @@ logsource: product: linux detection: selection: - CommandLine|contains: + CommandLine|contains: - ' -name .htpasswd' - ' -perm -4000 ' condition: selection diff --git a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_webshell_detection.yml b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_webshell_detection.yml index 7a1fac49c..2d6feee4a 100644 --- a/src/main/resources/rules/linux/process_creation/proc_creation_lnx_webshell_detection.yml +++ b/src/main/resources/rules/linux/process_creation/proc_creation_lnx_webshell_detection.yml @@ -40,4 +40,3 @@ detection: falsepositives: - Web applications that invoke Linux command line tools level: high - diff --git a/src/main/resources/rules/network/firewall/net_firewall_high_dns_bytes_out.yml b/src/main/resources/rules/network/firewall/net_firewall_high_dns_bytes_out.yml index 4bb365c61..aa45e6691 100644 --- a/src/main/resources/rules/network/firewall/net_firewall_high_dns_bytes_out.yml +++ b/src/main/resources/rules/network/firewall/net_firewall_high_dns_bytes_out.yml @@ -17,4 +17,4 @@ detection: condition: selection falsepositives: - Legitimate high DNS bytes out rate to domain name which should be added to whitelist -level: medium \ No newline at end of file +level: medium diff --git a/src/main/resources/rules/network/firewall/net_firewall_high_dns_requests_rate.yml b/src/main/resources/rules/network/firewall/net_firewall_high_dns_requests_rate.yml index 17177fb63..da2188e8c 100644 --- a/src/main/resources/rules/network/firewall/net_firewall_high_dns_requests_rate.yml +++ b/src/main/resources/rules/network/firewall/net_firewall_high_dns_requests_rate.yml @@ -13,10 +13,10 @@ tags: logsource: category: firewall detection: - selection: + selection: dst_port: 53 timeframe: 1m condition: selection falsepositives: - Legitimate high DNS requests rate to domain name which should be added to whitelist -level: medium \ No newline at end of file +level: medium diff --git a/src/main/resources/rules/network/firewall/net_firewall_susp_network_scan_by_port.yml b/src/main/resources/rules/network/firewall/net_firewall_susp_network_scan_by_port.yml index 4b290d67c..bd4e97784 100644 --- a/src/main/resources/rules/network/firewall/net_firewall_susp_network_scan_by_port.yml +++ b/src/main/resources/rules/network/firewall/net_firewall_susp_network_scan_by_port.yml @@ -22,4 +22,4 @@ level: medium fields: - src_ip - dst_ip - - dst_port \ No newline at end of file + - dst_port diff --git a/src/main/resources/rules/network/zeek/zeek_dce_rpc_domain_user_enumeration.yml b/src/main/resources/rules/network/zeek/zeek_dce_rpc_domain_user_enumeration.yml index a70acd1c1..9972480a8 100644 --- a/src/main/resources/rules/network/zeek/zeek_dce_rpc_domain_user_enumeration.yml +++ b/src/main/resources/rules/network/zeek/zeek_dce_rpc_domain_user_enumeration.yml @@ -19,7 +19,7 @@ detection: operation: #- LsarEnumerateTrustedDomains #potentially too many FPs, removing. caused by netlogon #- SamrEnumerateDomainsInSamServer #potentially too many FPs, removing. #method obtains a listing of all domains hosted by the server side of this protocol. This value is a cookie that the server can use to continue an enumeration on a subsequent call - - LsarLookupNames3 #method translates a batch of security principal names to their SID form + - LsarLookupNames3 #method translates a batch of security principal names to their SID form - LsarLookupSids3 #translates a batch of security principal SIDs to their name forms - SamrGetGroupsForUser #obtains a listing of groups that a user is a member of - SamrLookupIdsInDomain #method translates a set of RIDs into account names @@ -32,4 +32,4 @@ falsepositives: - Devices that may do authentication like a VPN or a firewall that looksup IPs to username - False positives depend on scripts and administrative tools used in the monitored environment level: medium -status: experimental \ No newline at end of file +status: experimental diff --git a/src/main/resources/rules/network/zeek/zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml b/src/main/resources/rules/network/zeek/zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml index fe577fcd9..489e3932c 100644 --- a/src/main/resources/rules/network/zeek/zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml +++ b/src/main/resources/rules/network/zeek/zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml @@ -1,4 +1,4 @@ -title: Potential PetitPotam Attack Via EFS RPC Calls +title: Potential PetitPotam Attack Via EFS RPC Calls id: 4096842a-8f9f-4d36-92b4-d0b2a62f9b2a description: | Detects usage of the windows RPC library Encrypting File System Remote Protocol (MS-EFSRPC). Variations of this RPC are used within the attack refereed to as PetitPotam. diff --git a/src/main/resources/rules/network/zeek/zeek_default_cobalt_strike_certificate.yml b/src/main/resources/rules/network/zeek/zeek_default_cobalt_strike_certificate.yml index 2178cd31e..abcb28927 100644 --- a/src/main/resources/rules/network/zeek/zeek_default_cobalt_strike_certificate.yml +++ b/src/main/resources/rules/network/zeek/zeek_default_cobalt_strike_certificate.yml @@ -5,7 +5,7 @@ status: experimental author: Bhabesh Raj date: 2021/06/23 modified: 2021/08/24 -references: +references: - https://sergiusechel.medium.com/improving-the-network-based-detection-of-cobalt-strike-c2-servers-in-the-wild-while-reducing-the-6964205f6468 tags: - attack.command_and_control diff --git a/src/main/resources/rules/network/zeek/zeek_dns_torproxy.yml b/src/main/resources/rules/network/zeek/zeek_dns_torproxy.yml index 38a787730..a227bb586 100644 --- a/src/main/resources/rules/network/zeek/zeek_dns_torproxy.yml +++ b/src/main/resources/rules/network/zeek/zeek_dns_torproxy.yml @@ -7,9 +7,9 @@ references: date: 2021/08/15 author: Saw Winn Naung , Azure-Sentinel level: medium -logsource: - service: dns - product: zeek +logsource: + service: dns + product: zeek tags: - attack.t1048 detection: diff --git a/src/main/resources/rules/network/zeek/zeek_http_omigod_no_auth_rce.yml b/src/main/resources/rules/network/zeek/zeek_http_omigod_no_auth_rce.yml index df467848c..f8f5fc693 100644 --- a/src/main/resources/rules/network/zeek/zeek_http_omigod_no_auth_rce.yml +++ b/src/main/resources/rules/network/zeek/zeek_http_omigod_no_auth_rce.yml @@ -20,7 +20,7 @@ tags: logsource: product: zeek service: http - definition: Enable the builtin Zeek script that logs all HTTP header names by adding "@load policy/protocols/http/header-names" to your local.zeek config file. The script can be seen here for reference https://github.com/zeek/zeek/blob/master/scripts/policy/protocols/http/header-names.zeek + definition: Enable the builtin Zeek script that logs all HTTP header names by adding "@load policy/protocols/http/header-names" to your local.zeek config file. The script can be seen here for reference https://github.com/zeek/zeek/blob/master/scripts/policy/protocols/http/header-names.zeek detection: selection: status_code: 200 @@ -38,7 +38,7 @@ detection: condition: selection and not auth_header and not too_small_http_client_body #condition: selection and winrm_ports and not auth_header and not too_small_http_client_body # Enable this to only perform search on default WinRM ports, however those ports are sometimes changed and therefore this is disabled by default to give a broader coverage of this rule falsepositives: - - Exploits that were attempted but unsuccessful. + - Exploits that were attempted but unsuccessful. - Scanning attempts with the abnormal use of the HTTP POST method with no indication of code execution within the HTTP Client (Request) body. An example would be vulnerability scanners trying to identify unpatched versions while not actually exploiting the vulnerability. See description for investigation tips. level: high fields: diff --git a/src/main/resources/rules/others_application/antivirus/av_relevant_files.yml b/src/main/resources/rules/others_application/antivirus/av_relevant_files.yml index 0017e0124..fc2377166 100644 --- a/src/main/resources/rules/others_application/antivirus/av_relevant_files.yml +++ b/src/main/resources/rules/others_application/antivirus/av_relevant_files.yml @@ -75,4 +75,4 @@ falsepositives: level: high tags: - attack.resource_development - - attack.t1588 \ No newline at end of file + - attack.t1588 diff --git a/src/main/resources/rules/others_application/django/appframework_django_exceptions.yml b/src/main/resources/rules/others_application/django/appframework_django_exceptions.yml index 233cc72d6..a2646738a 100644 --- a/src/main/resources/rules/others_application/django/appframework_django_exceptions.yml +++ b/src/main/resources/rules/others_application/django/appframework_django_exceptions.yml @@ -33,4 +33,4 @@ falsepositives: level: medium tags: - attack.initial_access - - attack.t1190 \ No newline at end of file + - attack.t1190 diff --git a/src/main/resources/rules/others_application/python/app_python_sql_exceptions.yml b/src/main/resources/rules/others_application/python/app_python_sql_exceptions.yml index a070253a0..fcc646a69 100644 --- a/src/main/resources/rules/others_application/python/app_python_sql_exceptions.yml +++ b/src/main/resources/rules/others_application/python/app_python_sql_exceptions.yml @@ -22,4 +22,4 @@ falsepositives: level: medium tags: - attack.initial_access - - attack.t1190 \ No newline at end of file + - attack.t1190 diff --git a/src/main/resources/rules/others_application/ruby/appframework_ruby_on_rails_exceptions.yml b/src/main/resources/rules/others_application/ruby/appframework_ruby_on_rails_exceptions.yml index 2a058bb7c..0c2e54770 100644 --- a/src/main/resources/rules/others_application/ruby/appframework_ruby_on_rails_exceptions.yml +++ b/src/main/resources/rules/others_application/ruby/appframework_ruby_on_rails_exceptions.yml @@ -26,4 +26,4 @@ falsepositives: level: medium tags: - attack.initial_access - - attack.t1190 \ No newline at end of file + - attack.t1190 diff --git a/src/main/resources/rules/others_application/spring/appframework_spring_exceptions.yml b/src/main/resources/rules/others_application/spring/appframework_spring_exceptions.yml index fe97e056c..c3fe5e068 100644 --- a/src/main/resources/rules/others_application/spring/appframework_spring_exceptions.yml +++ b/src/main/resources/rules/others_application/spring/appframework_spring_exceptions.yml @@ -25,4 +25,4 @@ falsepositives: level: medium tags: - attack.initial_access - - attack.t1190 \ No newline at end of file + - attack.t1190 diff --git a/src/main/resources/rules/others_cloud/azure/azure_aadhybridhealth_adfs_new_server.yml b/src/main/resources/rules/others_cloud/azure/azure_aadhybridhealth_adfs_new_server.yml index 8088ce3d7..7ea030282 100644 --- a/src/main/resources/rules/others_cloud/azure/azure_aadhybridhealth_adfs_new_server.yml +++ b/src/main/resources/rules/others_cloud/azure/azure_aadhybridhealth_adfs_new_server.yml @@ -24,4 +24,4 @@ detection: condition: selection falsepositives: - Legitimate AD FS servers added to an AAD Health AD FS service instance -level: medium \ No newline at end of file +level: medium diff --git a/src/main/resources/rules/others_cloud/azure/azure_aadhybridhealth_adfs_service_delete.yml b/src/main/resources/rules/others_cloud/azure/azure_aadhybridhealth_adfs_service_delete.yml index 6fc97a25f..9d1966ce1 100644 --- a/src/main/resources/rules/others_cloud/azure/azure_aadhybridhealth_adfs_service_delete.yml +++ b/src/main/resources/rules/others_cloud/azure/azure_aadhybridhealth_adfs_service_delete.yml @@ -24,4 +24,4 @@ detection: condition: selection falsepositives: - Legitimate AAD Health AD FS service instances being deleted in a tenant -level: medium \ No newline at end of file +level: medium diff --git a/src/main/resources/rules/others_cloud/azure/azure_account_lockout.yml b/src/main/resources/rules/others_cloud/azure/azure_account_lockout.yml index 4a13747c1..102f1de5c 100644 --- a/src/main/resources/rules/others_cloud/azure/azure_account_lockout.yml +++ b/src/main/resources/rules/others_cloud/azure/azure_account_lockout.yml @@ -1,8 +1,8 @@ -title: Account Lockout +title: Account Lockout id: 2b7d6fc0-71ac-4cf7-8ed1-b5788ee5257a status: experimental author: AlertIQ -date: 2021/10/10 +date: 2021/10/10 description: Identifies user account which has been locked because the user tried to sign in too many times with an incorrect user ID or password. references: - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts diff --git a/src/main/resources/rules/others_cloud/azure/azure_ad_user_added_to_admin_role.yml b/src/main/resources/rules/others_cloud/azure/azure_ad_user_added_to_admin_role.yml index c85eeffd0..a6019c0af 100644 --- a/src/main/resources/rules/others_cloud/azure/azure_ad_user_added_to_admin_role.yml +++ b/src/main/resources/rules/others_cloud/azure/azure_ad_user_added_to_admin_role.yml @@ -9,8 +9,8 @@ references: logsource: product: azure service: activitylogs -detection: - selection: +detection: + selection: Operation: 'Add member to role.' Workload: 'AzureActiveDirectory' ModifiedProperties.NewValue|endswith: @@ -18,9 +18,9 @@ detection: - 'Administrator' condition: selection falsepositives: - - PIM (Privileged Identity Management) generates this event each time 'eligible role' is enabled. + - PIM (Privileged Identity Management) generates this event each time 'eligible role' is enabled. level: medium status: experimental -tags: +tags: - attack.persistence - attack.t1098.003 diff --git a/src/main/resources/rules/others_cloud/azure/azure_app_appid_uri_changes.yml b/src/main/resources/rules/others_cloud/azure/azure_app_appid_uri_changes.yml index 1a765db8c..3b4020f58 100644 --- a/src/main/resources/rules/others_cloud/azure/azure_app_appid_uri_changes.yml +++ b/src/main/resources/rules/others_cloud/azure/azure_app_appid_uri_changes.yml @@ -1,6 +1,6 @@ title: Application AppID Uri Configuration Changes id: 1b45b0d1-773f-4f23-aedc-814b759563b1 -description: Detects when a configuration change is made to an applications AppID URI. +description: Detects when a configuration change is made to an applications AppID URI. author: Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik' date: 2022/06/02 references: @@ -10,7 +10,7 @@ logsource: service: auditlogs detection: selection: - properties.message: + properties.message: - Update Application - Update Service principal condition: selection @@ -18,7 +18,7 @@ falsepositives: - When and administrator is making legitmate AppID URI configuration changes to an application. This should be a planned event. level: high status: experimental -tags: +tags: - attack.t1528 - attack.persistence - attack.credential_access diff --git a/src/main/resources/rules/others_cloud/azure/azure_app_credential_added.yml b/src/main/resources/rules/others_cloud/azure/azure_app_credential_added.yml index 0942ad419..21f08f9e1 100644 --- a/src/main/resources/rules/others_cloud/azure/azure_app_credential_added.yml +++ b/src/main/resources/rules/others_cloud/azure/azure_app_credential_added.yml @@ -1,6 +1,6 @@ title: Added Credentials to Existing Application id: cbb67ecc-fb70-4467-9350-c910bdf7c628 -description: Detects when a new credential is added to an existing applcation. Any additional credentials added outside of expected processes could be a malicious actor using those credentials. +description: Detects when a new credential is added to an existing applcation. Any additional credentials added outside of expected processes could be a malicious actor using those credentials. author: Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik' date: 2022/05/26 references: @@ -10,7 +10,7 @@ logsource: service: auditlogs detection: selection: - properties.message: + properties.message: - Update Application-Certificates and secrets management - Update Service principal/Update Application condition: selection @@ -18,6 +18,6 @@ falsepositives: - When credentials are added/removed as part of the normal working hours/workflows level: high status: experimental -tags: +tags: - attack.t1098 - attack.persistence diff --git a/src/main/resources/rules/others_cloud/azure/azure_app_credential_modification.yml b/src/main/resources/rules/others_cloud/azure/azure_app_credential_modification.yml index bca556a2e..5f226d2fc 100644 --- a/src/main/resources/rules/others_cloud/azure/azure_app_credential_modification.yml +++ b/src/main/resources/rules/others_cloud/azure/azure_app_credential_modification.yml @@ -17,6 +17,6 @@ level: medium tags: - attack.impact falsepositives: - - Application credential added may be performed by a system administrator. - - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Application credential added may be performed by a system administrator. + - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. - Application credential added from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. diff --git a/src/main/resources/rules/others_cloud/azure/azure_app_device_code_authentication.yml b/src/main/resources/rules/others_cloud/azure/azure_app_device_code_authentication.yml index 0854d4a5b..5301f8db6 100644 --- a/src/main/resources/rules/others_cloud/azure/azure_app_device_code_authentication.yml +++ b/src/main/resources/rules/others_cloud/azure/azure_app_device_code_authentication.yml @@ -19,7 +19,7 @@ detection: falsepositives: - Applications that are input constrained will need to use device code flow and are valid authentications. level: medium -tags: +tags: - attack.t1078 - attack.defense_evasion - attack.persistence diff --git a/src/main/resources/rules/others_cloud/azure/azure_app_owner_added.yml b/src/main/resources/rules/others_cloud/azure/azure_app_owner_added.yml index de29eb8ed..54b3b92f6 100644 --- a/src/main/resources/rules/others_cloud/azure/azure_app_owner_added.yml +++ b/src/main/resources/rules/others_cloud/azure/azure_app_owner_added.yml @@ -1,6 +1,6 @@ title: Added Owner To Application id: 74298991-9fc4-460e-a92e-511aa60baec1 -description: Detects when a new owner is added to an application. This gives that account privileges to make modifications and configuration changes to the application. +description: Detects when a new owner is added to an application. This gives that account privileges to make modifications and configuration changes to the application. author: Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik' date: 2022/06/02 references: @@ -13,10 +13,10 @@ detection: properties.message: Add owner to application condition: selection falsepositives: - - When a new application owner is added by an administrator + - When a new application owner is added by an administrator level: medium status: experimental -tags: +tags: - attack.t1528 - attack.persistence - attack.credential_access diff --git a/src/main/resources/rules/others_cloud/azure/azure_app_ropc_authentication.yml b/src/main/resources/rules/others_cloud/azure/azure_app_ropc_authentication.yml index f2cec560f..82222f0ca 100644 --- a/src/main/resources/rules/others_cloud/azure/azure_app_ropc_authentication.yml +++ b/src/main/resources/rules/others_cloud/azure/azure_app_ropc_authentication.yml @@ -1,6 +1,6 @@ title: Applications That Are Using ROPC Authentication Flow id: 55695bc0-c8cf-461f-a379-2535f563c854 -description: Resource owner password credentials (ROPC) should be avoided if at all possible as this requires the user to expose their current password credentials to the application directly. The application then uses those credentials to authenticate the user against the identity provider. +description: Resource owner password credentials (ROPC) should be avoided if at all possible as this requires the user to expose their current password credentials to the application directly. The application then uses those credentials to authenticate the user against the identity provider. author: Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik' date: 2022/06/01 references: @@ -16,7 +16,7 @@ falsepositives: - Applications that are being used as part of automated testing or a legacy application that cannot use any other modern authentication flow level: medium status: experimental -tags: +tags: - attack.t1078 - attack.defense_evasion - attack.persistence diff --git a/src/main/resources/rules/others_cloud/azure/azure_app_uri_modifications.yml b/src/main/resources/rules/others_cloud/azure/azure_app_uri_modifications.yml index d5724b91d..a2cda3522 100644 --- a/src/main/resources/rules/others_cloud/azure/azure_app_uri_modifications.yml +++ b/src/main/resources/rules/others_cloud/azure/azure_app_uri_modifications.yml @@ -1,8 +1,8 @@ title: Application URI Configuration Changes id: 0055ad1f-be85-4798-83cf-a6da17c993b3 -description: Detects when a configuration change is made to an applications URI. +description: Detects when a configuration change is made to an applications URI. URIs for domain names that no longer exist (dangling URIs), not using HTTPS, wildcards at the end of the domain, URIs that are no unique to that app, - or URIs that point to domains you do not control should be investigated. + or URIs that point to domains you do not control should be investigated. author: Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik' date: 2022/06/02 references: @@ -15,10 +15,10 @@ detection: properties.message: Update Application Sucess- Property Name AppAddress condition: selection falsepositives: - - When and administrator is making legitmate URI configuration changes to an application. This should be a planned event. + - When and administrator is making legitmate URI configuration changes to an application. This should be a planned event. level: high status: experimental -tags: +tags: - attack.t1528 - attack.persistence - attack.credential_access diff --git a/src/main/resources/rules/others_cloud/azure/azure_application_deleted.yml b/src/main/resources/rules/others_cloud/azure/azure_application_deleted.yml index 6d3ee5b0d..a2e52ca9d 100644 --- a/src/main/resources/rules/others_cloud/azure/azure_application_deleted.yml +++ b/src/main/resources/rules/others_cloud/azure/azure_application_deleted.yml @@ -19,6 +19,6 @@ level: medium tags: - attack.defense_evasion falsepositives: - - Application being deleted may be performed by a system administrator. - - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Application being deleted may be performed by a system administrator. + - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. - Application deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. diff --git a/src/main/resources/rules/others_cloud/azure/azure_application_gateway_modified_or_deleted.yml b/src/main/resources/rules/others_cloud/azure/azure_application_gateway_modified_or_deleted.yml index dab3bf97c..d242e0caa 100644 --- a/src/main/resources/rules/others_cloud/azure/azure_application_gateway_modified_or_deleted.yml +++ b/src/main/resources/rules/others_cloud/azure/azure_application_gateway_modified_or_deleted.yml @@ -11,7 +11,7 @@ logsource: service: activitylogs detection: selection: - properties.message: + properties.message: - MICROSOFT.NETWORK/APPLICATIONGATEWAYS/WRITE - MICROSOFT.NETWORK/APPLICATIONGATEWAYS/DELETE condition: selection @@ -19,6 +19,6 @@ level: medium tags: - attack.impact falsepositives: - - Application gateway being modified or deleted may be performed by a system administrator. - - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Application gateway being modified or deleted may be performed by a system administrator. + - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. - Application gateway modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. diff --git a/src/main/resources/rules/others_cloud/azure/azure_application_security_group_modified_or_deleted.yml b/src/main/resources/rules/others_cloud/azure/azure_application_security_group_modified_or_deleted.yml index a770842d0..abd3d183e 100644 --- a/src/main/resources/rules/others_cloud/azure/azure_application_security_group_modified_or_deleted.yml +++ b/src/main/resources/rules/others_cloud/azure/azure_application_security_group_modified_or_deleted.yml @@ -11,7 +11,7 @@ logsource: service: activitylogs detection: selection: - properties.message: + properties.message: - MICROSOFT.NETWORK/APPLICATIONSECURITYGROUPS/WRITE - MICROSOFT.NETWORK/APPLICATIONSECURITYGROUPS/DELETE condition: selection @@ -19,6 +19,6 @@ level: medium tags: - attack.impact falsepositives: - - Application security group being modified or deleted may be performed by a system administrator. - - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Application security group being modified or deleted may be performed by a system administrator. + - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. - Application security group modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. diff --git a/src/main/resources/rules/others_cloud/azure/azure_change_to_authentication_method.yml b/src/main/resources/rules/others_cloud/azure/azure_change_to_authentication_method.yml index 812357a27..b251b5c25 100644 --- a/src/main/resources/rules/others_cloud/azure/azure_change_to_authentication_method.yml +++ b/src/main/resources/rules/others_cloud/azure/azure_change_to_authentication_method.yml @@ -2,7 +2,7 @@ title: Change to Authentication Method id: 4d78a000-ab52-4564-88a5-7ab5242b20c7 status: experimental author: AlertIQ -date: 2021/10/10 +date: 2021/10/10 description: Change to authentication method could be an indicated of an attacker adding an auth method to the account so they can have continued access. references: - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts diff --git a/src/main/resources/rules/others_cloud/azure/azure_container_registry_created_or_deleted.yml b/src/main/resources/rules/others_cloud/azure/azure_container_registry_created_or_deleted.yml index b394ce894..e47111824 100644 --- a/src/main/resources/rules/others_cloud/azure/azure_container_registry_created_or_deleted.yml +++ b/src/main/resources/rules/others_cloud/azure/azure_container_registry_created_or_deleted.yml @@ -15,7 +15,7 @@ logsource: service: activitylogs detection: selection: - properties.message: + properties.message: - MICROSOFT.CONTAINERREGISTRY/REGISTRIES/WRITE - MICROSOFT.CONTAINERREGISTRY/REGISTRIES/DELETE condition: selection diff --git a/src/main/resources/rules/others_cloud/azure/azure_device_no_longer_managed_or_compliant.yml b/src/main/resources/rules/others_cloud/azure/azure_device_no_longer_managed_or_compliant.yml index 0c33bda86..5fc10bc63 100644 --- a/src/main/resources/rules/others_cloud/azure/azure_device_no_longer_managed_or_compliant.yml +++ b/src/main/resources/rules/others_cloud/azure/azure_device_no_longer_managed_or_compliant.yml @@ -11,7 +11,7 @@ logsource: service: activitylogs detection: selection: - properties.message: + properties.message: - Device no longer compliant - Device no longer managed condition: selection @@ -19,4 +19,4 @@ level: medium tags: - attack.impact falsepositives: - - Administrator may have forgotten to review the device. + - Administrator may have forgotten to review the device. diff --git a/src/main/resources/rules/others_cloud/azure/azure_device_or_configuration_modified_or_deleted.yml b/src/main/resources/rules/others_cloud/azure/azure_device_or_configuration_modified_or_deleted.yml index cc5aa33d2..9f18c1e9f 100644 --- a/src/main/resources/rules/others_cloud/azure/azure_device_or_configuration_modified_or_deleted.yml +++ b/src/main/resources/rules/others_cloud/azure/azure_device_or_configuration_modified_or_deleted.yml @@ -11,7 +11,7 @@ logsource: service: activitylogs detection: selection: - properties.message: + properties.message: - Delete device - Delete device configuration - Update device @@ -21,6 +21,6 @@ level: medium tags: - attack.impact falsepositives: - - Device or device configuration being modified or deleted may be performed by a system administrator. - - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Device or device configuration being modified or deleted may be performed by a system administrator. + - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. - Device or device configuration modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. diff --git a/src/main/resources/rules/others_cloud/azure/azure_dns_zone_modified_or_deleted.yml b/src/main/resources/rules/others_cloud/azure/azure_dns_zone_modified_or_deleted.yml index 80d55642b..faa86c01e 100644 --- a/src/main/resources/rules/others_cloud/azure/azure_dns_zone_modified_or_deleted.yml +++ b/src/main/resources/rules/others_cloud/azure/azure_dns_zone_modified_or_deleted.yml @@ -20,5 +20,5 @@ level: medium tags: - attack.impact falsepositives: - - DNS zone modified and deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - DNS zone modified and deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. - DNS zone modification from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. diff --git a/src/main/resources/rules/others_cloud/azure/azure_federation_modified.yml b/src/main/resources/rules/others_cloud/azure/azure_federation_modified.yml index e8c1458f5..4512ee967 100644 --- a/src/main/resources/rules/others_cloud/azure/azure_federation_modified.yml +++ b/src/main/resources/rules/others_cloud/azure/azure_federation_modified.yml @@ -20,7 +20,6 @@ tags: - attack.initial_access - attack.t1078 falsepositives: - - Federation Settings being modified or deleted may be performed by a system administrator. - - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Federation Settings being modified or deleted may be performed by a system administrator. + - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. - Federation Settings modified from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. - diff --git a/src/main/resources/rules/others_cloud/azure/azure_firewall_modified_or_deleted.yml b/src/main/resources/rules/others_cloud/azure/azure_firewall_modified_or_deleted.yml index 2d09758ae..28c659a05 100644 --- a/src/main/resources/rules/others_cloud/azure/azure_firewall_modified_or_deleted.yml +++ b/src/main/resources/rules/others_cloud/azure/azure_firewall_modified_or_deleted.yml @@ -11,7 +11,7 @@ logsource: service: activitylogs detection: selection: - properties.message: + properties.message: - MICROSOFT.NETWORK/AZUREFIREWALLS/WRITE - MICROSOFT.NETWORK/AZUREFIREWALLS/DELETE condition: selection @@ -19,5 +19,5 @@ level: medium tags: - attack.impact falsepositives: - - Firewall being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Firewall being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. - Firewall modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. diff --git a/src/main/resources/rules/others_cloud/azure/azure_firewall_rule_collection_modified_or_deleted.yml b/src/main/resources/rules/others_cloud/azure/azure_firewall_rule_collection_modified_or_deleted.yml index 30281498e..de1fc0c5d 100644 --- a/src/main/resources/rules/others_cloud/azure/azure_firewall_rule_collection_modified_or_deleted.yml +++ b/src/main/resources/rules/others_cloud/azure/azure_firewall_rule_collection_modified_or_deleted.yml @@ -11,7 +11,7 @@ logsource: service: activitylogs detection: selection: - properties.message: + properties.message: - MICROSOFT.NETWORK/AZUREFIREWALLS/APPLICATIONRULECOLLECTIONS/WRITE - MICROSOFT.NETWORK/AZUREFIREWALLS/APPLICATIONRULECOLLECTIONS/DELETE - MICROSOFT.NETWORK/AZUREFIREWALLS/NATRULECOLLECTIONS/WRITE @@ -23,5 +23,5 @@ level: medium tags: - attack.impact falsepositives: - - Rule Collections (Application, NAT, and Network) being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Rule Collections (Application, NAT, and Network) being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. - Rule Collections (Application, NAT, and Network) modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. diff --git a/src/main/resources/rules/others_cloud/azure/azure_keyvault_key_modified_or_deleted.yml b/src/main/resources/rules/others_cloud/azure/azure_keyvault_key_modified_or_deleted.yml index fe2af9ae7..ab657e79c 100644 --- a/src/main/resources/rules/others_cloud/azure/azure_keyvault_key_modified_or_deleted.yml +++ b/src/main/resources/rules/others_cloud/azure/azure_keyvault_key_modified_or_deleted.yml @@ -11,7 +11,7 @@ logsource: service: activitylogs detection: selection: - properties.message: + properties.message: - MICROSOFT.KEYVAULT/VAULTS/KEYS/UPDATE/ACTION - MICROSOFT.KEYVAULT/VAULTS/KEYS/CREATE - MICROSOFT.KEYVAULT/VAULTS/KEYS/CREATE/ACTION @@ -29,6 +29,6 @@ tags: - attack.t1552 - attack.t1552.001 falsepositives: - - Key being modified or deleted may be performed by a system administrator. - - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Key being modified or deleted may be performed by a system administrator. + - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. - Key modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. diff --git a/src/main/resources/rules/others_cloud/azure/azure_keyvault_modified_or_deleted.yml b/src/main/resources/rules/others_cloud/azure/azure_keyvault_modified_or_deleted.yml index cc596dcbf..d63cfe24d 100644 --- a/src/main/resources/rules/others_cloud/azure/azure_keyvault_modified_or_deleted.yml +++ b/src/main/resources/rules/others_cloud/azure/azure_keyvault_modified_or_deleted.yml @@ -24,6 +24,6 @@ tags: - attack.t1552 - attack.t1552.001 falsepositives: - - Key Vault being modified or deleted may be performed by a system administrator. - - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Key Vault being modified or deleted may be performed by a system administrator. + - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. - Key Vault modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. diff --git a/src/main/resources/rules/others_cloud/azure/azure_keyvault_secrets_modified_or_deleted.yml b/src/main/resources/rules/others_cloud/azure/azure_keyvault_secrets_modified_or_deleted.yml index 53f85064a..b31895d4a 100644 --- a/src/main/resources/rules/others_cloud/azure/azure_keyvault_secrets_modified_or_deleted.yml +++ b/src/main/resources/rules/others_cloud/azure/azure_keyvault_secrets_modified_or_deleted.yml @@ -11,7 +11,7 @@ logsource: service: activitylogs detection: selection: - properties.message: + properties.message: - MICROSOFT.KEYVAULT/VAULTS/SECRETS/WRITE - MICROSOFT.KEYVAULT/VAULTS/SECRETS/DELETE - MICROSOFT.KEYVAULT/VAULTS/SECRETS/BACKUP/ACTION @@ -28,6 +28,6 @@ tags: - attack.t1552 - attack.t1552.001 falsepositives: - - Secrets being modified or deleted may be performed by a system administrator. - - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Secrets being modified or deleted may be performed by a system administrator. + - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. - Secrets modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. diff --git a/src/main/resources/rules/others_cloud/azure/azure_kubernetes_admission_controller.yml b/src/main/resources/rules/others_cloud/azure/azure_kubernetes_admission_controller.yml index 3e2dbbbae..d8f36f7b2 100644 --- a/src/main/resources/rules/others_cloud/azure/azure_kubernetes_admission_controller.yml +++ b/src/main/resources/rules/others_cloud/azure/azure_kubernetes_admission_controller.yml @@ -30,5 +30,5 @@ tags: - attack.t1552 - attack.t1552.007 falsepositives: -- Azure Kubernetes Admissions Controller may be done by a system administrator. +- Azure Kubernetes Admissions Controller may be done by a system administrator. - If known behavior is causing false positives, it can be exempted from the rule. diff --git a/src/main/resources/rules/others_cloud/azure/azure_kubernetes_cluster_created_or_deleted.yml b/src/main/resources/rules/others_cloud/azure/azure_kubernetes_cluster_created_or_deleted.yml index 6af9fe8ac..d9be4f586 100644 --- a/src/main/resources/rules/others_cloud/azure/azure_kubernetes_cluster_created_or_deleted.yml +++ b/src/main/resources/rules/others_cloud/azure/azure_kubernetes_cluster_created_or_deleted.yml @@ -15,7 +15,7 @@ logsource: service: activitylogs detection: selection: - properties.message: + properties.message: - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/WRITE - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/DELETE condition: selection @@ -25,4 +25,3 @@ tags: falsepositives: - Kubernetes cluster being created or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. - Kubernetes cluster created or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. - diff --git a/src/main/resources/rules/others_cloud/azure/azure_kubernetes_events_deleted.yml b/src/main/resources/rules/others_cloud/azure/azure_kubernetes_events_deleted.yml index 7c4aefd91..9252c26fb 100644 --- a/src/main/resources/rules/others_cloud/azure/azure_kubernetes_events_deleted.yml +++ b/src/main/resources/rules/others_cloud/azure/azure_kubernetes_events_deleted.yml @@ -21,4 +21,3 @@ tags: - attack.t1562.001 falsepositives: - Event deletions may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Events deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule. - diff --git a/src/main/resources/rules/others_cloud/azure/azure_kubernetes_network_policy_change.yml b/src/main/resources/rules/others_cloud/azure/azure_kubernetes_network_policy_change.yml index e731c0d87..71b65a4f2 100644 --- a/src/main/resources/rules/others_cloud/azure/azure_kubernetes_network_policy_change.yml +++ b/src/main/resources/rules/others_cloud/azure/azure_kubernetes_network_policy_change.yml @@ -15,9 +15,9 @@ logsource: service: activitylogs detection: selection: - properties.message: + properties.message: - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/NETWORKING.K8S.IO/NETWORKPOLICIES/WRITE - - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/NETWORKING.K8S.IO/NETWORKPOLICIES/DELETE + - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/NETWORKING.K8S.IO/NETWORKPOLICIES/DELETE - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/EXTENSIONS/NETWORKPOLICIES/WRITE - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/EXTENSIONS/NETWORKPOLICIES/DELETE condition: selection diff --git a/src/main/resources/rules/others_cloud/azure/azure_kubernetes_role_access.yml b/src/main/resources/rules/others_cloud/azure/azure_kubernetes_role_access.yml index b13335b6b..a3c9bf010 100644 --- a/src/main/resources/rules/others_cloud/azure/azure_kubernetes_role_access.yml +++ b/src/main/resources/rules/others_cloud/azure/azure_kubernetes_role_access.yml @@ -15,7 +15,7 @@ logsource: service: activitylogs detection: selection: - properties.message: + properties.message: - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/ROLES/WRITE - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/ROLES/DELETE - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/ROLES/BIND/ACTION diff --git a/src/main/resources/rules/others_cloud/azure/azure_kubernetes_rolebinding_modified_or_deleted.yml b/src/main/resources/rules/others_cloud/azure/azure_kubernetes_rolebinding_modified_or_deleted.yml index 923169ffe..efea094a1 100644 --- a/src/main/resources/rules/others_cloud/azure/azure_kubernetes_rolebinding_modified_or_deleted.yml +++ b/src/main/resources/rules/others_cloud/azure/azure_kubernetes_rolebinding_modified_or_deleted.yml @@ -15,8 +15,8 @@ logsource: service: activitylogs detection: selection: - properties.message: - - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/CLUSTERROLEBINDINGS/WRITE + properties.message: + - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/CLUSTERROLEBINDINGS/WRITE - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/CLUSTERROLEBINDINGS/DELETE - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/ROLEBINDINGS/WRITE - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/ROLEBINDINGS/DELETE @@ -26,6 +26,5 @@ tags: - attack.impact - attack.credential_access falsepositives: - - RoleBinding/ClusterRoleBinding being modified and deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - RoleBinding/ClusterRoleBinding being modified and deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. - RoleBinding/ClusterRoleBinding modification from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. - diff --git a/src/main/resources/rules/others_cloud/azure/azure_kubernetes_secret_or_config_object_access.yml b/src/main/resources/rules/others_cloud/azure/azure_kubernetes_secret_or_config_object_access.yml index 3f24ab0ba..f809df396 100644 --- a/src/main/resources/rules/others_cloud/azure/azure_kubernetes_secret_or_config_object_access.yml +++ b/src/main/resources/rules/others_cloud/azure/azure_kubernetes_secret_or_config_object_access.yml @@ -15,8 +15,8 @@ logsource: service: activitylogs detection: selection: - properties.message: - - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/CONFIGMAPS/WRITE + properties.message: + - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/CONFIGMAPS/WRITE - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/CONFIGMAPS/DELETE - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/SECRETS/WRITE - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/SECRETS/DELETE diff --git a/src/main/resources/rules/others_cloud/azure/azure_kubernetes_service_account_modified_or_deleted.yml b/src/main/resources/rules/others_cloud/azure/azure_kubernetes_service_account_modified_or_deleted.yml index 6a56ea6c6..355e7bd31 100644 --- a/src/main/resources/rules/others_cloud/azure/azure_kubernetes_service_account_modified_or_deleted.yml +++ b/src/main/resources/rules/others_cloud/azure/azure_kubernetes_service_account_modified_or_deleted.yml @@ -15,7 +15,7 @@ logsource: service: activitylogs detection: selection: - properties.message: + properties.message: - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/SERVICEACCOUNTS/WRITE - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/SERVICEACCOUNTS/DELETE - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/SERVICEACCOUNTS/IMPERSONATE/ACTION diff --git a/src/main/resources/rules/others_cloud/azure/azure_login_to_disabled_account.yml b/src/main/resources/rules/others_cloud/azure/azure_login_to_disabled_account.yml index 8f8392ca8..41c45d939 100644 --- a/src/main/resources/rules/others_cloud/azure/azure_login_to_disabled_account.yml +++ b/src/main/resources/rules/others_cloud/azure/azure_login_to_disabled_account.yml @@ -2,7 +2,7 @@ title: Login to Disabled Account id: 908655e0-25cf-4ae1-b775-1c8ce9cf43d8 status: experimental author: AlertIQ -date: 2021/10/10 +date: 2021/10/10 description: Detect failed attempts to sign in to disabled accounts. references: - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts @@ -13,7 +13,7 @@ detection: selection: ResultType: 50057 ResultDescription: 'User account is disabled. The account has been disabled by an administrator.' - condition: selection + condition: selection level: medium falsepositives: - Unknown diff --git a/src/main/resources/rules/others_cloud/azure/azure_mfa_denies.yml b/src/main/resources/rules/others_cloud/azure/azure_mfa_denies.yml index 97400b634..f0f63b75e 100644 --- a/src/main/resources/rules/others_cloud/azure/azure_mfa_denies.yml +++ b/src/main/resources/rules/others_cloud/azure/azure_mfa_denies.yml @@ -3,7 +3,7 @@ id: e40f4962-b02b-4192-9bfe-245f7ece1f99 status: experimental author: AlertIQ date: 2022/03/24 -description: User has indicated they haven't instigated the MFA prompt and could indicate an attacker has the password for the account. +description: User has indicated they haven't instigated the MFA prompt and could indicate an attacker has the password for the account. references: - https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/ logsource: diff --git a/src/main/resources/rules/others_cloud/azure/azure_mfa_interrupted.yml b/src/main/resources/rules/others_cloud/azure/azure_mfa_interrupted.yml index 8d997688e..5919ea0fe 100644 --- a/src/main/resources/rules/others_cloud/azure/azure_mfa_interrupted.yml +++ b/src/main/resources/rules/others_cloud/azure/azure_mfa_interrupted.yml @@ -2,7 +2,7 @@ title: Multifactor Authentication Interupted id: 5496ff55-42ec-4369-81cb-00f417029e25 status: experimental author: AlertIQ -date: 2021/10/10 +date: 2021/10/10 description: Identifies user login with multifactor authentication failures, which might be an indication an attacker has the password for the account but can't pass the MFA challenge. references: - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts diff --git a/src/main/resources/rules/others_cloud/azure/azure_network_firewall_policy_modified_or_deleted.yml b/src/main/resources/rules/others_cloud/azure/azure_network_firewall_policy_modified_or_deleted.yml index 2a36bbdab..a679d1892 100644 --- a/src/main/resources/rules/others_cloud/azure/azure_network_firewall_policy_modified_or_deleted.yml +++ b/src/main/resources/rules/others_cloud/azure/azure_network_firewall_policy_modified_or_deleted.yml @@ -11,7 +11,7 @@ logsource: service: activitylogs detection: selection: - properties.message: + properties.message: - MICROSOFT.NETWORK/FIREWALLPOLICIES/WRITE - MICROSOFT.NETWORK/FIREWALLPOLICIES/JOIN/ACTION - MICROSOFT.NETWORK/FIREWALLPOLICIES/CERTIFICATES/ACTION @@ -21,5 +21,5 @@ level: medium tags: - attack.impact falsepositives: - - Firewall Policy being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Firewall Policy being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. - Firewall Policy modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. diff --git a/src/main/resources/rules/others_cloud/azure/azure_network_firewall_rule_modified_or_deleted.yml b/src/main/resources/rules/others_cloud/azure/azure_network_firewall_rule_modified_or_deleted.yml index a2ab1da57..42ef6878a 100644 --- a/src/main/resources/rules/others_cloud/azure/azure_network_firewall_rule_modified_or_deleted.yml +++ b/src/main/resources/rules/others_cloud/azure/azure_network_firewall_rule_modified_or_deleted.yml @@ -21,5 +21,5 @@ level: medium tags: - attack.impact falsepositives: - - Firewall Rule Configuration being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Firewall Rule Configuration being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. - Firewall Rule Configuration modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. diff --git a/src/main/resources/rules/others_cloud/azure/azure_network_p2s_vpn_modified_or_deleted.yml b/src/main/resources/rules/others_cloud/azure/azure_network_p2s_vpn_modified_or_deleted.yml index c54bd0d56..16373fbd0 100644 --- a/src/main/resources/rules/others_cloud/azure/azure_network_p2s_vpn_modified_or_deleted.yml +++ b/src/main/resources/rules/others_cloud/azure/azure_network_p2s_vpn_modified_or_deleted.yml @@ -23,5 +23,5 @@ level: medium tags: - attack.impact falsepositives: - - Point-to-site VPN being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Point-to-site VPN being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. - Point-to-site VPN modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. diff --git a/src/main/resources/rules/others_cloud/azure/azure_network_security_modified_or_deleted.yml b/src/main/resources/rules/others_cloud/azure/azure_network_security_modified_or_deleted.yml index cd2f06382..395880e92 100644 --- a/src/main/resources/rules/others_cloud/azure/azure_network_security_modified_or_deleted.yml +++ b/src/main/resources/rules/others_cloud/azure/azure_network_security_modified_or_deleted.yml @@ -23,5 +23,5 @@ level: medium tags: - attack.impact falsepositives: - - Network Security Configuration being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Network Security Configuration being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. - Network Security Configuration modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. diff --git a/src/main/resources/rules/others_cloud/azure/azure_network_virtual_device_modified_or_deleted.yml b/src/main/resources/rules/others_cloud/azure/azure_network_virtual_device_modified_or_deleted.yml index 5eefd7274..7e8ed5b4a 100644 --- a/src/main/resources/rules/others_cloud/azure/azure_network_virtual_device_modified_or_deleted.yml +++ b/src/main/resources/rules/others_cloud/azure/azure_network_virtual_device_modified_or_deleted.yml @@ -28,5 +28,5 @@ level: medium tags: - attack.impact falsepositives: - - Virtual Network Device being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Virtual Network Device being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. - Virtual Network Device modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. diff --git a/src/main/resources/rules/others_cloud/azure/azure_new_cloudshell_created.yml b/src/main/resources/rules/others_cloud/azure/azure_new_cloudshell_created.yml index faa1a2c7b..e06b47f2f 100644 --- a/src/main/resources/rules/others_cloud/azure/azure_new_cloudshell_created.yml +++ b/src/main/resources/rules/others_cloud/azure/azure_new_cloudshell_created.yml @@ -18,5 +18,4 @@ tags: - attack.execution - attack.t1059 falsepositives: - - A new cloudshell may be created by a system administrator. - + - A new cloudshell may be created by a system administrator. diff --git a/src/main/resources/rules/others_cloud/azure/azure_owner_removed_from_application_or_service_principal.yml b/src/main/resources/rules/others_cloud/azure/azure_owner_removed_from_application_or_service_principal.yml index 57b3f464f..d32b447cf 100644 --- a/src/main/resources/rules/others_cloud/azure/azure_owner_removed_from_application_or_service_principal.yml +++ b/src/main/resources/rules/others_cloud/azure/azure_owner_removed_from_application_or_service_principal.yml @@ -11,7 +11,7 @@ logsource: service: activitylogs detection: selection: - properties.message: + properties.message: - Remove owner from service principal - Remove owner from application condition: selection @@ -19,6 +19,6 @@ level: medium tags: - attack.defense_evasion falsepositives: - - Owner being removed may be performed by a system administrator. - - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Owner being removed may be performed by a system administrator. + - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. - Owner removed from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. diff --git a/src/main/resources/rules/others_cloud/azure/azure_service_principal_created.yml b/src/main/resources/rules/others_cloud/azure/azure_service_principal_created.yml index 28d351a04..46a14b711 100644 --- a/src/main/resources/rules/others_cloud/azure/azure_service_principal_created.yml +++ b/src/main/resources/rules/others_cloud/azure/azure_service_principal_created.yml @@ -17,6 +17,6 @@ level: medium tags: - attack.defense_evasion falsepositives: - - Service principal being created may be performed by a system administrator. - - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Service principal being created may be performed by a system administrator. + - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. - Service principal created from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. diff --git a/src/main/resources/rules/others_cloud/azure/azure_service_principal_removed.yml b/src/main/resources/rules/others_cloud/azure/azure_service_principal_removed.yml index fbda2c690..43328012b 100644 --- a/src/main/resources/rules/others_cloud/azure/azure_service_principal_removed.yml +++ b/src/main/resources/rules/others_cloud/azure/azure_service_principal_removed.yml @@ -17,6 +17,6 @@ level: medium tags: - attack.defense_evasion falsepositives: - - Service principal being removed may be performed by a system administrator. - - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Service principal being removed may be performed by a system administrator. + - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. - Service principal removed from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. diff --git a/src/main/resources/rules/others_cloud/azure/azure_unusual_authentication_interruption.yml b/src/main/resources/rules/others_cloud/azure/azure_unusual_authentication_interruption.yml index f71db67b8..18691dfd3 100644 --- a/src/main/resources/rules/others_cloud/azure/azure_unusual_authentication_interruption.yml +++ b/src/main/resources/rules/others_cloud/azure/azure_unusual_authentication_interruption.yml @@ -2,7 +2,7 @@ title: Azure Unusual Authentication Interruption id: 8366030e-7216-476b-9927-271d79f13cf3 status: experimental author: Austin Songer @austinsonger -date: 2021/11/26 +date: 2021/11/26 description: Detects when there is a interruption in the authentication process. references: - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts @@ -19,7 +19,7 @@ detection: selection3: ResultType: 50158 ResultDescription: 'ExternalSecurityChallenge - External security challenge was not satisfied' - condition: selection1 or selection2 or selection3 + condition: selection1 or selection2 or selection3 level: medium falsepositives: - Unknown diff --git a/src/main/resources/rules/others_cloud/azure/azure_user_login_blocked_by_conditional_access.yml b/src/main/resources/rules/others_cloud/azure/azure_user_login_blocked_by_conditional_access.yml index 4b2b0bec9..5c087a6ee 100644 --- a/src/main/resources/rules/others_cloud/azure/azure_user_login_blocked_by_conditional_access.yml +++ b/src/main/resources/rules/others_cloud/azure/azure_user_login_blocked_by_conditional_access.yml @@ -2,7 +2,7 @@ title: User Access Blocked by Azure Conditional Access id: 9a60e676-26ac-44c3-814b-0c2a8b977adf status: experimental author: AlertIQ -date: 2021/10/10 +date: 2021/10/10 description: Detect access has been blocked by Conditional Access policies. The access policy does not allow token issuance which might be sights≈ of unauthorizeed login to valid accounts. references: - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts @@ -12,7 +12,7 @@ logsource: detection: selection: ResultType: 53003 - condition: selection + condition: selection level: medium falsepositives: - Unknown diff --git a/src/main/resources/rules/others_cloud/azure/azure_virtual_network_modified_or_deleted.yml b/src/main/resources/rules/others_cloud/azure/azure_virtual_network_modified_or_deleted.yml index 40a1604f6..6b25808c8 100644 --- a/src/main/resources/rules/others_cloud/azure/azure_virtual_network_modified_or_deleted.yml +++ b/src/main/resources/rules/others_cloud/azure/azure_virtual_network_modified_or_deleted.yml @@ -22,5 +22,5 @@ level: medium tags: - attack.impact falsepositives: - - Virtual Network being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Virtual Network being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. - Virtual Network modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. diff --git a/src/main/resources/rules/others_cloud/azure/azure_vpn_connection_modified_or_deleted.yml b/src/main/resources/rules/others_cloud/azure/azure_vpn_connection_modified_or_deleted.yml index e7cc2e36b..58d96b14e 100644 --- a/src/main/resources/rules/others_cloud/azure/azure_vpn_connection_modified_or_deleted.yml +++ b/src/main/resources/rules/others_cloud/azure/azure_vpn_connection_modified_or_deleted.yml @@ -19,5 +19,5 @@ level: medium tags: - attack.impact falsepositives: - - VPN Connection being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - VPN Connection being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. - VPN Connection modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. diff --git a/src/main/resources/rules/others_cloud/gcp/gcp_bucket_enumeration.yml b/src/main/resources/rules/others_cloud/gcp/gcp_bucket_enumeration.yml index e7f8fc61f..a94ef6b8a 100644 --- a/src/main/resources/rules/others_cloud/gcp/gcp_bucket_enumeration.yml +++ b/src/main/resources/rules/others_cloud/gcp/gcp_bucket_enumeration.yml @@ -11,7 +11,7 @@ logsource: service: gcp.audit detection: selection: - gcp.audit.method_name: + gcp.audit.method_name: - storage.buckets.list - storage.buckets.listChannels condition: selection @@ -19,5 +19,5 @@ level: low tags: - attack.discovery falsepositives: - - Storage Buckets being enumerated may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Storage Buckets being enumerated may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. - Storage Buckets enumerated from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. diff --git a/src/main/resources/rules/others_cloud/gcp/gcp_bucket_modified_or_deleted.yml b/src/main/resources/rules/others_cloud/gcp/gcp_bucket_modified_or_deleted.yml index ac5017c9f..514277727 100644 --- a/src/main/resources/rules/others_cloud/gcp/gcp_bucket_modified_or_deleted.yml +++ b/src/main/resources/rules/others_cloud/gcp/gcp_bucket_modified_or_deleted.yml @@ -11,7 +11,7 @@ logsource: service: gcp.audit detection: selection: - gcp.audit.method_name: + gcp.audit.method_name: - storage.buckets.delete - storage.buckets.insert - storage.buckets.update @@ -21,5 +21,5 @@ level: medium tags: - attack.impact falsepositives: - - Storage Buckets being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Storage Buckets being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. - Storage Buckets modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. diff --git a/src/main/resources/rules/others_cloud/gcp/gcp_dns_zone_modified_or_deleted.yml b/src/main/resources/rules/others_cloud/gcp/gcp_dns_zone_modified_or_deleted.yml index 9455782d4..4dfeac4be 100644 --- a/src/main/resources/rules/others_cloud/gcp/gcp_dns_zone_modified_or_deleted.yml +++ b/src/main/resources/rules/others_cloud/gcp/gcp_dns_zone_modified_or_deleted.yml @@ -1,6 +1,6 @@ title: Google Cloud DNS Zone Modified or Deleted id: 28268a8f-191f-4c17-85b2-f5aa4fa829c3 -description: Identifies when a DNS Zone is modified or deleted in Google Cloud. +description: Identifies when a DNS Zone is modified or deleted in Google Cloud. author: Austin Songer @austinsonger status: experimental date: 2021/08/15 @@ -11,7 +11,7 @@ logsource: service: gcp.audit detection: selection: - gcp.audit.method_name: + gcp.audit.method_name: - Dns.ManagedZones.Delete - Dns.ManagedZones.Update - Dns.ManagedZones.Patch diff --git a/src/main/resources/rules/others_cloud/gcp/gcp_firewall_rule_modified_or_deleted.yml b/src/main/resources/rules/others_cloud/gcp/gcp_firewall_rule_modified_or_deleted.yml index 4cb33dd81..73ed0ef20 100644 --- a/src/main/resources/rules/others_cloud/gcp/gcp_firewall_rule_modified_or_deleted.yml +++ b/src/main/resources/rules/others_cloud/gcp/gcp_firewall_rule_modified_or_deleted.yml @@ -12,7 +12,7 @@ logsource: service: gcp.audit detection: selection: - gcp.audit.method_name: + gcp.audit.method_name: - v*.Compute.Firewalls.Delete - v*.Compute.Firewalls.Patch - v*.Compute.Firewalls.Update @@ -23,5 +23,5 @@ tags: - attack.defense_evasion - attack.t1562 falsepositives: - - Firewall rules being modified or deleted may be performed by a system administrator. Verify that the firewall configuration change was expected. + - Firewall rules being modified or deleted may be performed by a system administrator. Verify that the firewall configuration change was expected. - Exceptions can be added to this rule to filter expected behavior. diff --git a/src/main/resources/rules/others_cloud/gcp/gcp_full_network_traffic_packet_capture.yml b/src/main/resources/rules/others_cloud/gcp/gcp_full_network_traffic_packet_capture.yml index cd29c4055..4cd3bf090 100644 --- a/src/main/resources/rules/others_cloud/gcp/gcp_full_network_traffic_packet_capture.yml +++ b/src/main/resources/rules/others_cloud/gcp/gcp_full_network_traffic_packet_capture.yml @@ -12,7 +12,7 @@ logsource: service: gcp.audit detection: selection: - gcp.audit.method_name: + gcp.audit.method_name: - v*.Compute.PacketMirrorings.Get - v*.Compute.PacketMirrorings.Delete - v*.Compute.PacketMirrorings.Insert @@ -25,5 +25,5 @@ tags: - attack.collection - attack.t1074 falsepositives: - - Full Network Packet Capture may be done by a system or network administrator. + - Full Network Packet Capture may be done by a system or network administrator. - If known behavior is causing false positives, it can be exempted from the rule. diff --git a/src/main/resources/rules/others_cloud/gcp/gcp_kubernetes_admission_controller.yml b/src/main/resources/rules/others_cloud/gcp/gcp_kubernetes_admission_controller.yml index 9bdabb295..f152d8fa0 100644 --- a/src/main/resources/rules/others_cloud/gcp/gcp_kubernetes_admission_controller.yml +++ b/src/main/resources/rules/others_cloud/gcp/gcp_kubernetes_admission_controller.yml @@ -32,5 +32,5 @@ tags: - attack.t1552 - attack.t1552.007 falsepositives: -- Google Cloud Kubernetes Admission Controller may be done by a system administrator. +- Google Cloud Kubernetes Admission Controller may be done by a system administrator. - If known behavior is causing false positives, it can be exempted from the rule. diff --git a/src/main/resources/rules/others_cloud/gcp/gcp_kubernetes_cronjob.yml b/src/main/resources/rules/others_cloud/gcp/gcp_kubernetes_cronjob.yml index 4ab7a9613..bb3852358 100644 --- a/src/main/resources/rules/others_cloud/gcp/gcp_kubernetes_cronjob.yml +++ b/src/main/resources/rules/others_cloud/gcp/gcp_kubernetes_cronjob.yml @@ -13,7 +13,7 @@ logsource: service: gcp.audit detection: selection: - gcp.audit.method_name: + gcp.audit.method_name: - io.k8s.api.batch.v*.Job - io.k8s.api.batch.v*.CronJob condition: selection @@ -23,5 +23,5 @@ tags: - attack.privilege_escalation - attack.execution falsepositives: -- Google Cloud Kubernetes CronJob/Job may be done by a system administrator. +- Google Cloud Kubernetes CronJob/Job may be done by a system administrator. - If known behavior is causing false positives, it can be exempted from the rule. diff --git a/src/main/resources/rules/others_cloud/gcp/gcp_kubernetes_rolebinding.yml b/src/main/resources/rules/others_cloud/gcp/gcp_kubernetes_rolebinding.yml index 472ff97b5..008193831 100644 --- a/src/main/resources/rules/others_cloud/gcp/gcp_kubernetes_rolebinding.yml +++ b/src/main/resources/rules/others_cloud/gcp/gcp_kubernetes_rolebinding.yml @@ -15,7 +15,7 @@ logsource: service: gcp.audit detection: selection: - gcp.audit.method_name: + gcp.audit.method_name: - io.k8s.authorization.rbac.v*.clusterrolebindings.create - io.k8s.authorization.rbac.v*.rolebindings.create - io.k8s.authorization.rbac.v*.clusterrolebindings.patch @@ -29,5 +29,5 @@ level: medium tags: - attack.credential_access falsepositives: - - RoleBindings and ClusterRoleBinding being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - RoleBindings and ClusterRoleBinding being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. - RoleBindings and ClusterRoleBinding modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. diff --git a/src/main/resources/rules/others_cloud/gcp/gcp_kubernetes_secrets_modified_or_deleted.yml b/src/main/resources/rules/others_cloud/gcp/gcp_kubernetes_secrets_modified_or_deleted.yml index 35f1ebda3..e609e9e64 100644 --- a/src/main/resources/rules/others_cloud/gcp/gcp_kubernetes_secrets_modified_or_deleted.yml +++ b/src/main/resources/rules/others_cloud/gcp/gcp_kubernetes_secrets_modified_or_deleted.yml @@ -11,15 +11,15 @@ logsource: service: gcp.audit detection: selection: - gcp.audit.method_name: + gcp.audit.method_name: - io.k8s.core.v*.secrets.create - io.k8s.core.v*.secrets.update - io.k8s.core.v*.secrets.patch - - io.k8s.core.v*.secrets.delete + - io.k8s.core.v*.secrets.delete condition: selection level: medium tags: - attack.credential_access falsepositives: - - Secrets being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Secrets being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. - Secrets modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. diff --git a/src/main/resources/rules/others_cloud/gcp/gcp_service_account_disabled_or_deleted.yml b/src/main/resources/rules/others_cloud/gcp/gcp_service_account_disabled_or_deleted.yml index c265f7c9d..3976deaf5 100644 --- a/src/main/resources/rules/others_cloud/gcp/gcp_service_account_disabled_or_deleted.yml +++ b/src/main/resources/rules/others_cloud/gcp/gcp_service_account_disabled_or_deleted.yml @@ -1,6 +1,6 @@ title: Google Cloud Service Account Disabled or Deleted id: 13f81a90-a69c-4fab-8f07-b5bb55416a9f -description: Identifies when a service account is disabled or deleted in Google Cloud. +description: Identifies when a service account is disabled or deleted in Google Cloud. author: Austin Songer @austinsonger status: experimental date: 2021/08/14 @@ -11,7 +11,7 @@ logsource: service: gcp.audit detection: selection: - gcp.audit.method_name|endswith: + gcp.audit.method_name|endswith: - .serviceAccounts.disable - .serviceAccounts.delete condition: selection @@ -20,5 +20,5 @@ tags: - attack.impact - attack.t1531 falsepositives: - - Service Account being disabled or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Service Account being disabled or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. - Service Account disabled or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. diff --git a/src/main/resources/rules/others_cloud/gcp/gcp_service_account_modified.yml b/src/main/resources/rules/others_cloud/gcp/gcp_service_account_modified.yml index b990d00a4..d43c7e012 100644 --- a/src/main/resources/rules/others_cloud/gcp/gcp_service_account_modified.yml +++ b/src/main/resources/rules/others_cloud/gcp/gcp_service_account_modified.yml @@ -1,6 +1,6 @@ title: Google Cloud Service Account Modified id: 6b67c12e-5e40-47c6-b3b0-1e6b571184cc -description: Identifies when a service account is modified in Google Cloud. +description: Identifies when a service account is modified in Google Cloud. author: Austin Songer @austinsonger status: experimental date: 2021/08/14 @@ -11,7 +11,7 @@ logsource: service: gcp.audit detection: selection: - gcp.audit.method_name|endswith: + gcp.audit.method_name|endswith: - .serviceAccounts.patch - .serviceAccounts.create - .serviceAccounts.update @@ -22,5 +22,5 @@ level: medium tags: - attack.impact falsepositives: - - Service Account being modified may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Service Account being modified may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. - Service Account modified from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. diff --git a/src/main/resources/rules/others_cloud/gcp/gcp_sql_database_modified_or_deleted.yml b/src/main/resources/rules/others_cloud/gcp/gcp_sql_database_modified_or_deleted.yml index c2693f286..d3b4232fe 100644 --- a/src/main/resources/rules/others_cloud/gcp/gcp_sql_database_modified_or_deleted.yml +++ b/src/main/resources/rules/others_cloud/gcp/gcp_sql_database_modified_or_deleted.yml @@ -11,7 +11,7 @@ logsource: service: gcp.audit detection: selection: - gcp.audit.method_name: + gcp.audit.method_name: - cloudsql.instances.create - cloudsql.instances.delete - cloudsql.users.update @@ -21,6 +21,6 @@ level: medium tags: - attack.impact falsepositives: - - SQL Database being modified or deleted may be performed by a system administrator. - - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - SQL Database being modified or deleted may be performed by a system administrator. + - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. - SQL Database modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. diff --git a/src/main/resources/rules/others_cloud/gcp/gcp_vpn_tunnel_modified_or_deleted.yml b/src/main/resources/rules/others_cloud/gcp/gcp_vpn_tunnel_modified_or_deleted.yml index 8171bb42a..781bef103 100644 --- a/src/main/resources/rules/others_cloud/gcp/gcp_vpn_tunnel_modified_or_deleted.yml +++ b/src/main/resources/rules/others_cloud/gcp/gcp_vpn_tunnel_modified_or_deleted.yml @@ -1,6 +1,6 @@ title: Google Cloud VPN Tunnel Modified or Deleted id: 99980a85-3a61-43d3-ac0f-b68d6b4797b1 -description: Identifies when a VPN Tunnel Modified or Deleted in Google Cloud. +description: Identifies when a VPN Tunnel Modified or Deleted in Google Cloud. author: Austin Songer @austinsonger status: experimental date: 2021/08/16 @@ -11,7 +11,7 @@ logsource: service: gcp.audit detection: selection: - gcp.audit.method_name: + gcp.audit.method_name: - compute.vpnTunnels.insert - compute.vpnTunnels.delete condition: selection @@ -19,6 +19,6 @@ level: medium tags: - attack.impact falsepositives: - - VPN Tunnel being modified or deleted may be performed by a system administrator. - - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - VPN Tunnel being modified or deleted may be performed by a system administrator. + - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. - VPN Tunnel modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. diff --git a/src/main/resources/rules/others_cloud/gworkspace/gworkspace_application_removed.yml b/src/main/resources/rules/others_cloud/gworkspace/gworkspace_application_removed.yml index 176b7f9f3..e0ea857f7 100644 --- a/src/main/resources/rules/others_cloud/gworkspace/gworkspace_application_removed.yml +++ b/src/main/resources/rules/others_cloud/gworkspace/gworkspace_application_removed.yml @@ -14,7 +14,7 @@ logsource: detection: selection: eventService: admin.googleapis.com - eventName: + eventName: - REMOVE_APPLICATION - REMOVE_APPLICATION_FROM_WHITELIST condition: selection diff --git a/src/main/resources/rules/others_cloud/gworkspace/gworkspace_granted_domain_api_access.yml b/src/main/resources/rules/others_cloud/gworkspace/gworkspace_granted_domain_api_access.yml index e177ee7d1..dab6f04db 100644 --- a/src/main/resources/rules/others_cloud/gworkspace/gworkspace_granted_domain_api_access.yml +++ b/src/main/resources/rules/others_cloud/gworkspace/gworkspace_granted_domain_api_access.yml @@ -21,4 +21,3 @@ tags: - attack.t1098 falsepositives: - Unknown - diff --git a/src/main/resources/rules/others_cloud/gworkspace/gworkspace_mfa_disabled.yml b/src/main/resources/rules/others_cloud/gworkspace/gworkspace_mfa_disabled.yml index 26b636d99..ce2c1b0e9 100644 --- a/src/main/resources/rules/others_cloud/gworkspace/gworkspace_mfa_disabled.yml +++ b/src/main/resources/rules/others_cloud/gworkspace/gworkspace_mfa_disabled.yml @@ -15,7 +15,7 @@ logsource: detection: selection_base: eventService: admin.googleapis.com - eventName: + eventName: - ENFORCE_STRONG_AUTHENTICATION - ALLOW_STRONG_AUTHENTICATION selection_eventValue: @@ -26,4 +26,3 @@ tags: - attack.impact falsepositives: - MFA may be disabled and performed by a system administrator. - \ No newline at end of file diff --git a/src/main/resources/rules/others_cloud/gworkspace/gworkspace_role_modified_or_deleted.yml b/src/main/resources/rules/others_cloud/gworkspace/gworkspace_role_modified_or_deleted.yml index 18c23bc28..4d37bb058 100644 --- a/src/main/resources/rules/others_cloud/gworkspace/gworkspace_role_modified_or_deleted.yml +++ b/src/main/resources/rules/others_cloud/gworkspace/gworkspace_role_modified_or_deleted.yml @@ -13,7 +13,7 @@ logsource: detection: selection: eventService: admin.googleapis.com - eventName: + eventName: - DELETE_ROLE - RENAME_ROLE - UPDATE_ROLE @@ -23,4 +23,3 @@ tags: - attack.impact falsepositives: - Unknown - diff --git a/src/main/resources/rules/others_cloud/gworkspace/gworkspace_role_privilege_deleted.yml b/src/main/resources/rules/others_cloud/gworkspace/gworkspace_role_privilege_deleted.yml index bbe666a6e..0a81d079f 100644 --- a/src/main/resources/rules/others_cloud/gworkspace/gworkspace_role_privilege_deleted.yml +++ b/src/main/resources/rules/others_cloud/gworkspace/gworkspace_role_privilege_deleted.yml @@ -20,4 +20,3 @@ tags: - attack.impact falsepositives: - Unknown - diff --git a/src/main/resources/rules/others_cloud/gworkspace/gworkspace_user_granted_admin_privileges.yml b/src/main/resources/rules/others_cloud/gworkspace/gworkspace_user_granted_admin_privileges.yml index 802f60526..73c8fe835 100644 --- a/src/main/resources/rules/others_cloud/gworkspace/gworkspace_user_granted_admin_privileges.yml +++ b/src/main/resources/rules/others_cloud/gworkspace/gworkspace_user_granted_admin_privileges.yml @@ -1,6 +1,6 @@ title: Google Workspace User Granted Admin Privileges id: 2d1b83e4-17c6-4896-a37b-29140b40a788 -description: Detects when an Google Workspace user is granted admin privileges. +description: Detects when an Google Workspace user is granted admin privileges. author: Austin Songer status: experimental date: 2021/08/23 @@ -13,7 +13,7 @@ logsource: detection: selection: eventService: admin.googleapis.com - eventName: + eventName: - GRANT_DELEGATED_ADMIN_PRIVILEGES - GRANT_ADMIN_PRIVILEGE condition: selection @@ -22,4 +22,4 @@ tags: - attack.persistence - attack.t1098 falsepositives: - - Google Workspace admin role privileges, may be modified by system administrators. \ No newline at end of file + - Google Workspace admin role privileges, may be modified by system administrators. diff --git a/src/main/resources/rules/others_cloud/m365/microsoft365_from_susp_ip_addresses.yml b/src/main/resources/rules/others_cloud/m365/microsoft365_from_susp_ip_addresses.yml index 3694bf34c..a23c08c4b 100644 --- a/src/main/resources/rules/others_cloud/m365/microsoft365_from_susp_ip_addresses.yml +++ b/src/main/resources/rules/others_cloud/m365/microsoft365_from_susp_ip_addresses.yml @@ -1,7 +1,7 @@ title: Activity from Suspicious IP Addresses id: a3501e8e-af9e-43c6-8cd6-9360bdaae498 status: experimental -description: Detects when a Microsoft Cloud App Security reported users were active from an IP address identified as risky by Microsoft Threat Intelligence. These IP addresses are involved in malicious activities, such as Botnet C&C, and may indicate compromised account. +description: Detects when a Microsoft Cloud App Security reported users were active from an IP address identified as risky by Microsoft Threat Intelligence. These IP addresses are involved in malicious activities, such as Botnet C&C, and may indicate compromised account. author: Austin Songer @austinsonger date: 2021/08/23 references: diff --git a/src/main/resources/rules/others_cloud/m365/microsoft365_impossible_travel_activity.yml b/src/main/resources/rules/others_cloud/m365/microsoft365_impossible_travel_activity.yml index 7136534ab..efa9b6799 100644 --- a/src/main/resources/rules/others_cloud/m365/microsoft365_impossible_travel_activity.yml +++ b/src/main/resources/rules/others_cloud/m365/microsoft365_impossible_travel_activity.yml @@ -23,5 +23,3 @@ level: medium tags: - attack.initial_access - attack.t1078 - - diff --git a/src/main/resources/rules/others_cloud/okta/okta_admin_role_assigned_to_user_or_group.yml b/src/main/resources/rules/others_cloud/okta/okta_admin_role_assigned_to_user_or_group.yml index 32b496a79..2574abf14 100644 --- a/src/main/resources/rules/others_cloud/okta/okta_admin_role_assigned_to_user_or_group.yml +++ b/src/main/resources/rules/others_cloud/okta/okta_admin_role_assigned_to_user_or_group.yml @@ -13,7 +13,7 @@ logsource: service: okta detection: selection: - eventtype: + eventtype: - group.privilege.grant - user.account.privilege.grant condition: selection @@ -21,5 +21,4 @@ level: medium tags: - attack.impact falsepositives: - - Administrator roles could be assigned to users or group by other admin users. - + - Administrator roles could be assigned to users or group by other admin users. diff --git a/src/main/resources/rules/others_cloud/okta/okta_api_token_created.yml b/src/main/resources/rules/others_cloud/okta/okta_api_token_created.yml index a39c3ae70..8f816d033 100644 --- a/src/main/resources/rules/others_cloud/okta/okta_api_token_created.yml +++ b/src/main/resources/rules/others_cloud/okta/okta_api_token_created.yml @@ -20,4 +20,3 @@ tags: - attack.persistence falsepositives: - Unknown - diff --git a/src/main/resources/rules/others_cloud/okta/okta_api_token_revoked.yml b/src/main/resources/rules/others_cloud/okta/okta_api_token_revoked.yml index 644f1aea5..9919a5085 100644 --- a/src/main/resources/rules/others_cloud/okta/okta_api_token_revoked.yml +++ b/src/main/resources/rules/others_cloud/okta/okta_api_token_revoked.yml @@ -20,4 +20,3 @@ tags: - attack.impact falsepositives: - Unknown - diff --git a/src/main/resources/rules/others_cloud/okta/okta_application_modified_or_deleted.yml b/src/main/resources/rules/others_cloud/okta/okta_application_modified_or_deleted.yml index 35cbd1b95..849da89b0 100644 --- a/src/main/resources/rules/others_cloud/okta/okta_application_modified_or_deleted.yml +++ b/src/main/resources/rules/others_cloud/okta/okta_application_modified_or_deleted.yml @@ -13,7 +13,7 @@ logsource: service: okta detection: selection: - eventtype: + eventtype: - application.lifecycle.update - application.lifecycle.delete condition: selection @@ -22,4 +22,3 @@ tags: - attack.impact falsepositives: - Unknown - diff --git a/src/main/resources/rules/others_cloud/okta/okta_application_sign_on_policy_modified_or_deleted.yml b/src/main/resources/rules/others_cloud/okta/okta_application_sign_on_policy_modified_or_deleted.yml index 0520ddd6b..bff4ff5ef 100644 --- a/src/main/resources/rules/others_cloud/okta/okta_application_sign_on_policy_modified_or_deleted.yml +++ b/src/main/resources/rules/others_cloud/okta/okta_application_sign_on_policy_modified_or_deleted.yml @@ -13,7 +13,7 @@ logsource: service: okta detection: selection: - eventtype: + eventtype: - application.policy.sign_on.update - application.policy.sign_on.rule.delete condition: selection @@ -21,4 +21,4 @@ level: medium tags: - attack.impact falsepositives: - - Unknown \ No newline at end of file + - Unknown diff --git a/src/main/resources/rules/others_cloud/okta/okta_mfa_reset_or_deactivated.yml b/src/main/resources/rules/others_cloud/okta/okta_mfa_reset_or_deactivated.yml index 69185811f..48d0ac8fc 100644 --- a/src/main/resources/rules/others_cloud/okta/okta_mfa_reset_or_deactivated.yml +++ b/src/main/resources/rules/others_cloud/okta/okta_mfa_reset_or_deactivated.yml @@ -13,7 +13,7 @@ logsource: service: okta detection: selection: - eventtype: + eventtype: - user.mfa.factor.deactivate - user.mfa.factor.reset_all condition: selection @@ -21,4 +21,4 @@ level: medium tags: - attack.persistence falsepositives: - - If a MFA reset or deactivated was performed by a system administrator. + - If a MFA reset or deactivated was performed by a system administrator. diff --git a/src/main/resources/rules/others_cloud/okta/okta_network_zone_deactivated_or_deleted.yml b/src/main/resources/rules/others_cloud/okta/okta_network_zone_deactivated_or_deleted.yml index b4f6adf83..f0d5aa802 100644 --- a/src/main/resources/rules/others_cloud/okta/okta_network_zone_deactivated_or_deleted.yml +++ b/src/main/resources/rules/others_cloud/okta/okta_network_zone_deactivated_or_deleted.yml @@ -13,7 +13,7 @@ logsource: service: okta detection: selection: - eventtype: + eventtype: - zone.deactivate - zone.delete condition: selection @@ -22,4 +22,3 @@ tags: - attack.impact falsepositives: - Unknown - diff --git a/src/main/resources/rules/others_cloud/okta/okta_policy_modified_or_deleted.yml b/src/main/resources/rules/others_cloud/okta/okta_policy_modified_or_deleted.yml index 247901b96..bfca326f5 100644 --- a/src/main/resources/rules/others_cloud/okta/okta_policy_modified_or_deleted.yml +++ b/src/main/resources/rules/others_cloud/okta/okta_policy_modified_or_deleted.yml @@ -13,7 +13,7 @@ logsource: service: okta detection: selection: - eventtype: + eventtype: - policy.lifecycle.update - policy.lifecycle.delete condition: selection @@ -21,6 +21,6 @@ level: low tags: - attack.impact falsepositives: - - Okta Policies being modified or deleted may be performed by a system administrator. - - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Okta Policies being modified or deleted may be performed by a system administrator. + - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. - Okta Policies modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. diff --git a/src/main/resources/rules/others_cloud/okta/okta_policy_rule_modified_or_deleted.yml b/src/main/resources/rules/others_cloud/okta/okta_policy_rule_modified_or_deleted.yml index 9a1ab4bf7..7a1d4fe6d 100644 --- a/src/main/resources/rules/others_cloud/okta/okta_policy_rule_modified_or_deleted.yml +++ b/src/main/resources/rules/others_cloud/okta/okta_policy_rule_modified_or_deleted.yml @@ -13,7 +13,7 @@ logsource: service: okta detection: selection: - eventtype: + eventtype: - policy.rule.update - policy.rule.delete condition: selection @@ -22,4 +22,3 @@ tags: - attack.impact falsepositives: - Unknown - diff --git a/src/main/resources/rules/others_compliance/firewall_cleartext_protocols.yml b/src/main/resources/rules/others_compliance/firewall_cleartext_protocols.yml index 1a1f3d7e9..dcaf8405e 100644 --- a/src/main/resources/rules/others_compliance/firewall_cleartext_protocols.yml +++ b/src/main/resources/rules/others_compliance/firewall_cleartext_protocols.yml @@ -82,4 +82,4 @@ level: low # - PCI DSS 3.2 4.3 # - PCI DSS 3.2 7.1 # - PCI DSS 3.2 7.2 - # - PCI DSS 3.2 7.3 \ No newline at end of file + # - PCI DSS 3.2 7.3 diff --git a/src/main/resources/rules/others_compliance/netflow_cleartext_protocols.yml b/src/main/resources/rules/others_compliance/netflow_cleartext_protocols.yml index 4592b6975..6bb172cd8 100644 --- a/src/main/resources/rules/others_compliance/netflow_cleartext_protocols.yml +++ b/src/main/resources/rules/others_compliance/netflow_cleartext_protocols.yml @@ -76,4 +76,4 @@ detection: condition: selection falsepositives: - Unknown -level: low \ No newline at end of file +level: low diff --git a/src/main/resources/rules/others_proxy/proxy_apt_domestic_kitten.yml b/src/main/resources/rules/others_proxy/proxy_apt_domestic_kitten.yml index 963c9efe7..4e697a836 100644 --- a/src/main/resources/rules/others_proxy/proxy_apt_domestic_kitten.yml +++ b/src/main/resources/rules/others_proxy/proxy_apt_domestic_kitten.yml @@ -12,7 +12,7 @@ logsource: category: proxy detection: selection: - c-uri|contains: + c-uri|contains: - 'Get~~~AllBrowser' - 'Get~~~HardwareInfo' - 'Take~~RecordCall' diff --git a/src/main/resources/rules/others_proxy/proxy_baby_shark.yml b/src/main/resources/rules/others_proxy/proxy_baby_shark.yml index 5b6f980b6..07342d1de 100644 --- a/src/main/resources/rules/others_proxy/proxy_baby_shark.yml +++ b/src/main/resources/rules/others_proxy/proxy_baby_shark.yml @@ -17,4 +17,4 @@ falsepositives: level: critical tags: - attack.command_and_control - - attack.t1071.001 \ No newline at end of file + - attack.t1071.001 diff --git a/src/main/resources/rules/others_proxy/proxy_cobalt_amazon.yml b/src/main/resources/rules/others_proxy/proxy_cobalt_amazon.yml index 7301303a0..d7b410e72 100644 --- a/src/main/resources/rules/others_proxy/proxy_cobalt_amazon.yml +++ b/src/main/resources/rules/others_proxy/proxy_cobalt_amazon.yml @@ -30,4 +30,3 @@ tags: - attack.defense_evasion - attack.command_and_control - attack.t1071.001 - \ No newline at end of file diff --git a/src/main/resources/rules/others_proxy/proxy_cobalt_malformed_uas.yml b/src/main/resources/rules/others_proxy/proxy_cobalt_malformed_uas.yml index 43553af44..a7fec2988 100644 --- a/src/main/resources/rules/others_proxy/proxy_cobalt_malformed_uas.yml +++ b/src/main/resources/rules/others_proxy/proxy_cobalt_malformed_uas.yml @@ -11,7 +11,7 @@ logsource: category: proxy detection: selection1: - c-useragent: + c-useragent: - 'Mozilla/4.0 (compatible; MSIE 6.0;Windows NT 5.1)' - 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E )' - 'Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 5.2) Java/1.5.0_08' diff --git a/src/main/resources/rules/others_proxy/proxy_ua_bitsadmin_susp_ip.yml b/src/main/resources/rules/others_proxy/proxy_ua_bitsadmin_susp_ip.yml index af0556668..3d7648457 100644 --- a/src/main/resources/rules/others_proxy/proxy_ua_bitsadmin_susp_ip.yml +++ b/src/main/resources/rules/others_proxy/proxy_ua_bitsadmin_susp_ip.yml @@ -9,7 +9,7 @@ logsource: detection: selection: c-useragent|startswith: 'Microsoft BITS/' - cs-host|startswith: + cs-host|startswith: - '1' - '2' - '3' diff --git a/src/main/resources/rules/others_proxy/proxy_ua_bitsadmin_susp_tld.yml b/src/main/resources/rules/others_proxy/proxy_ua_bitsadmin_susp_tld.yml index 6516f0304..2264b0d86 100644 --- a/src/main/resources/rules/others_proxy/proxy_ua_bitsadmin_susp_tld.yml +++ b/src/main/resources/rules/others_proxy/proxy_ua_bitsadmin_susp_tld.yml @@ -12,9 +12,9 @@ detection: c-useragent|startswith: 'Microsoft BITS/' falsepositives: r-dns|endswith: - - '.com' - - '.net' - - '.org' + - '.com' + - '.net' + - '.org' - '.scdn.co' # spotify streaming condition: selection and not falsepositives fields: diff --git a/src/main/resources/rules/others_proxy/proxy_ua_susp.yml b/src/main/resources/rules/others_proxy/proxy_ua_susp.yml index 19bad81c9..8ec2f44f2 100644 --- a/src/main/resources/rules/others_proxy/proxy_ua_susp.yml +++ b/src/main/resources/rules/others_proxy/proxy_ua_susp.yml @@ -44,4 +44,4 @@ falsepositives: level: high tags: - attack.command_and_control - - attack.t1071.001 \ No newline at end of file + - attack.t1071.001 diff --git a/src/main/resources/rules/others_proxy/proxy_ursnif_malware_download_url.yml b/src/main/resources/rules/others_proxy/proxy_ursnif_malware_download_url.yml index a320ba350..c5c95890e 100644 --- a/src/main/resources/rules/others_proxy/proxy_ursnif_malware_download_url.yml +++ b/src/main/resources/rules/others_proxy/proxy_ursnif_malware_download_url.yml @@ -9,7 +9,7 @@ logsource: category: proxy detection: selection: - c-uri|contains|all: + c-uri|contains|all: - '/' - '.php?l=' c-uri|endswith: '.cab' @@ -22,4 +22,4 @@ fields: - c-ua falsepositives: - Unknown -level: high \ No newline at end of file +level: high diff --git a/src/main/resources/rules/others_web/web_cve_2020_28188_terramaster_rce_exploit.yml b/src/main/resources/rules/others_web/web_cve_2020_28188_terramaster_rce_exploit.yml index 1412d23d8..2f2468e9e 100644 --- a/src/main/resources/rules/others_web/web_cve_2020_28188_terramaster_rce_exploit.yml +++ b/src/main/resources/rules/others_web/web_cve_2020_28188_terramaster_rce_exploit.yml @@ -33,4 +33,4 @@ level: high tags: - attack.t1190 - attack.initial_access - - cve.2020.28188 \ No newline at end of file + - cve.2020.28188 diff --git a/src/main/resources/rules/others_web/web_cve_2020_3452_cisco_asa_ftd.yml b/src/main/resources/rules/others_web/web_cve_2020_3452_cisco_asa_ftd.yml index 98eb7aa2e..8a63e9291 100644 --- a/src/main/resources/rules/others_web/web_cve_2020_3452_cisco_asa_ftd.yml +++ b/src/main/resources/rules/others_web/web_cve_2020_3452_cisco_asa_ftd.yml @@ -32,4 +32,4 @@ level: high tags: - attack.t1190 - attack.initial_access - - cve.2020.3452 \ No newline at end of file + - cve.2020.3452 diff --git a/src/main/resources/rules/others_web/web_cve_2021_20090_2021_20091_arcadyan_router_exploit.yml b/src/main/resources/rules/others_web/web_cve_2021_20090_2021_20091_arcadyan_router_exploit.yml index 4cf8badf1..32a1aea47 100644 --- a/src/main/resources/rules/others_web/web_cve_2021_20090_2021_20091_arcadyan_router_exploit.yml +++ b/src/main/resources/rules/others_web/web_cve_2021_20090_2021_20091_arcadyan_router_exploit.yml @@ -37,4 +37,4 @@ detection: - '/loginerror.html' - '/loginexclude.html' - '/loginlock.html' - condition: (path_traversal or config_file_inj) and noauth_list \ No newline at end of file + condition: (path_traversal or config_file_inj) and noauth_list diff --git a/src/main/resources/rules/others_web/web_cve_2021_2109_weblogic_rce_exploit.yml b/src/main/resources/rules/others_web/web_cve_2021_2109_weblogic_rce_exploit.yml index 410ad1e43..777706ad2 100644 --- a/src/main/resources/rules/others_web/web_cve_2021_2109_weblogic_rce_exploit.yml +++ b/src/main/resources/rules/others_web/web_cve_2021_2109_weblogic_rce_exploit.yml @@ -1,7 +1,7 @@ title: Oracle WebLogic Exploit CVE-2021-2109 id: 687f6504-7f44-4549-91fc-f07bab065821 status: experimental -description: Detects the exploitation of the WebLogic server vulnerability described in CVE-2021-2109 +description: Detects the exploitation of the WebLogic server vulnerability described in CVE-2021-2109 author: Bhabesh Raj date: 2021/01/20 references: @@ -26,4 +26,4 @@ level: critical tags: - attack.t1190 - attack.initial_access - - cve.2021.2109 \ No newline at end of file + - cve.2021.2109 diff --git a/src/main/resources/rules/others_web/web_cve_2021_21972_vsphere_unauth_rce_exploit.yml b/src/main/resources/rules/others_web/web_cve_2021_21972_vsphere_unauth_rce_exploit.yml index 30d7e2378..c3227b744 100644 --- a/src/main/resources/rules/others_web/web_cve_2021_21972_vsphere_unauth_rce_exploit.yml +++ b/src/main/resources/rules/others_web/web_cve_2021_21972_vsphere_unauth_rce_exploit.yml @@ -1,4 +1,4 @@ -title: CVE-2021-21972 VSphere Exploitation +title: CVE-2021-21972 VSphere Exploitation id: 179ed852-0f9b-4009-93a7-68475910fd86 status: experimental description: Detects the exploitation of VSphere Remote Code Execution vulnerability as described in CVE-2021-21972 diff --git a/src/main/resources/rules/others_web/web_cve_2021_26814_wzuh_rce.yml b/src/main/resources/rules/others_web/web_cve_2021_26814_wzuh_rce.yml index c40bd1505..c399a6bb9 100644 --- a/src/main/resources/rules/others_web/web_cve_2021_26814_wzuh_rce.yml +++ b/src/main/resources/rules/others_web/web_cve_2021_26814_wzuh_rce.yml @@ -22,4 +22,4 @@ tags: - attack.initial_access - attack.t1190 - cve.2021.21978 - - cve.2021.26814 \ No newline at end of file + - cve.2021.26814 diff --git a/src/main/resources/rules/others_web/web_cve_2021_28480_exchange_exploit.yml b/src/main/resources/rules/others_web/web_cve_2021_28480_exchange_exploit.yml index b3b3f21bf..ba169ee6e 100644 --- a/src/main/resources/rules/others_web/web_cve_2021_28480_exchange_exploit.yml +++ b/src/main/resources/rules/others_web/web_cve_2021_28480_exchange_exploit.yml @@ -20,4 +20,4 @@ detection: condition: selection and not filter falsepositives: - Unknown -level: critical \ No newline at end of file +level: critical diff --git a/src/main/resources/rules/others_web/web_cve_2021_33766_msexchange_proxytoken.yml b/src/main/resources/rules/others_web/web_cve_2021_33766_msexchange_proxytoken.yml index ad016091d..85dc9cf97 100644 --- a/src/main/resources/rules/others_web/web_cve_2021_33766_msexchange_proxytoken.yml +++ b/src/main/resources/rules/others_web/web_cve_2021_33766_msexchange_proxytoken.yml @@ -1,7 +1,7 @@ title: CVE-2021-33766 Exchange ProxyToken Exploitation id: 56973b50-3382-4b56-bdf5-f51a3183797a status: experimental -description: Detects the exploitation of Microsoft Exchange ProxyToken vulnerability as described in CVE-2021-33766 +description: Detects the exploitation of Microsoft Exchange ProxyToken vulnerability as described in CVE-2021-33766 author: Florian Roth, Max Altgelt, Christian Burkard date: 2021/08/30 references: @@ -19,7 +19,7 @@ detection: - '/RulesEditor/InboxRules.svc/NewObject' sc-status: 500 selection2: - c-uri|contains|all: + c-uri|contains|all: - 'SecurityToken=' - '/ecp/' sc-status: 500 diff --git a/src/main/resources/rules/others_web/web_cve_2021_41773_apache_path_traversal.yml b/src/main/resources/rules/others_web/web_cve_2021_41773_apache_path_traversal.yml index 29b8d5fa2..3cf4909da 100644 --- a/src/main/resources/rules/others_web/web_cve_2021_41773_apache_path_traversal.yml +++ b/src/main/resources/rules/others_web/web_cve_2021_41773_apache_path_traversal.yml @@ -16,7 +16,7 @@ logsource: category: webserver detection: selection: - c-uri|contains: + c-uri|contains: - '/cgi-bin/.%2e/' - '/icons/.%2e/' - '/cgi-bin/.%%32%65/' @@ -24,9 +24,9 @@ detection: - '/cgi-bin/.%%%25%33' - '/icons/.%%%25%33' selection_success: - sc-status: + sc-status: - 200 - - 301 + - 301 condition: selection and selection_success falsepositives: - Unknown diff --git a/src/main/resources/rules/others_web/web_cve_2021_43798_grafana.yml b/src/main/resources/rules/others_web/web_cve_2021_43798_grafana.yml index fc4fc7478..e4622ae43 100644 --- a/src/main/resources/rules/others_web/web_cve_2021_43798_grafana.yml +++ b/src/main/resources/rules/others_web/web_cve_2021_43798_grafana.yml @@ -1,7 +1,7 @@ title: Grafana Path Traversal Exploitation CVE-2021-43798 id: 7b72b328-5708-414f-9a2a-6a6867c26e16 status: experimental -description: Detects a successful Grafana path traversal exploitation +description: Detects a successful Grafana path traversal exploitation author: Florian Roth references: - https://grafana.com/blog/2021/12/07/grafana-8.3.1-8.2.7-8.1.8-and-8.0.7-released-with-high-severity-security-fix/ diff --git a/src/main/resources/rules/others_web/web_cve_2021_44228_log4j_fields.yml b/src/main/resources/rules/others_web/web_cve_2021_44228_log4j_fields.yml index 3304fa06e..d9db60b6b 100644 --- a/src/main/resources/rules/others_web/web_cve_2021_44228_log4j_fields.yml +++ b/src/main/resources/rules/others_web/web_cve_2021_44228_log4j_fields.yml @@ -43,7 +43,7 @@ detection: - '${${lower:j}ndi:' - '${${upper:j}ndi:' - '${${::-j}${::-n}${::-d}${::-i}:' - selection2: + selection2: user-agent|contains: - '${jndi:ldap:/' - '${jndi:rmi:/' diff --git a/src/main/resources/rules/others_web/web_exchange_exploitation_hafnium.yml b/src/main/resources/rules/others_web/web_exchange_exploitation_hafnium.yml index d9bdd9bd7..28b35918f 100644 --- a/src/main/resources/rules/others_web/web_exchange_exploitation_hafnium.yml +++ b/src/main/resources/rules/others_web/web_exchange_exploitation_hafnium.yml @@ -1,7 +1,7 @@ title: Exchange Exploitation Used by HAFNIUM id: 67bce556-312f-4c81-9162-c3c9ff2599b2 status: experimental -description: Detects exploitation attempts in Exchange server logs as described in blog posts reporting on HAFNIUM group activity +description: Detects exploitation attempts in Exchange server logs as described in blog posts reporting on HAFNIUM group activity references: - https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/ - https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/ @@ -37,16 +37,16 @@ detection: - 'python-requests/2.19.1' - 'python-requests/2.25.1' selection4: - c-uri|contains: + c-uri|contains: - '/aspnet_client/' - '/owa/' - cs-method: 'POST' + cs-method: 'POST' c-useragent: - 'antSword/v2.1' - 'Googlebot/2.1+(+http://www.googlebot.com/bot.html)' - 'Mozilla/5.0+(compatible;+Baiduspider/2.0;++http://www.baidu.com/search/spider.html)' selection5: - c-uri|contains: + c-uri|contains: - '/owa/auth/Current/' - '/ecp/default.flt' - '/ecp/main.css' @@ -55,8 +55,8 @@ detection: cs-method: 'POST' c-uri|contains|all: - '/ecp/' - - '.js' + - '.js' condition: 1 of selection* falsepositives: - Legitimate access to other web applications that use the same folder names as Exchange (e.g. owa, ecp) but are not Microsoft Exchange related -level: high \ No newline at end of file +level: high diff --git a/src/main/resources/rules/others_web/web_exchange_proxyshell.yml b/src/main/resources/rules/others_web/web_exchange_proxyshell.yml index 97c00b76a..751759022 100644 --- a/src/main/resources/rules/others_web/web_exchange_proxyshell.yml +++ b/src/main/resources/rules/others_web/web_exchange_proxyshell.yml @@ -25,14 +25,14 @@ detection: selection: sc-status: 401 selection_poc: - c-uri|contains: + c-uri|contains: # since we don't know how it will appear in the log files, we'll just use all versions - 'autodiscover.json?@' - 'autodiscover.json%3f@' - '%3f@foo.com' - 'Email=autodiscover/autodiscover.json' - 'json?@foo.com' - condition: selection_auto and selection_uri or selection_poc + condition: selection_auto and selection_uri or selection_poc falsepositives: - Unknown -level: medium \ No newline at end of file +level: medium diff --git a/src/main/resources/rules/others_web/web_exchange_proxyshell_successful.yml b/src/main/resources/rules/others_web/web_exchange_proxyshell_successful.yml index a4dd76a07..eb0acb362 100644 --- a/src/main/resources/rules/others_web/web_exchange_proxyshell_successful.yml +++ b/src/main/resources/rules/others_web/web_exchange_proxyshell_successful.yml @@ -22,10 +22,10 @@ detection: - '/EWS' - 'X-Rps-CAT' selection_success: - sc-status: + sc-status: - 200 - 301 condition: selection_auto and selection_uri and selection_success falsepositives: - Unknown -level: critical \ No newline at end of file +level: critical diff --git a/src/main/resources/rules/others_web/web_iis_tilt_shortname_scan.yml b/src/main/resources/rules/others_web/web_iis_tilt_shortname_scan.yml index eebef6273..7f2358b40 100644 --- a/src/main/resources/rules/others_web/web_iis_tilt_shortname_scan.yml +++ b/src/main/resources/rules/others_web/web_iis_tilt_shortname_scan.yml @@ -27,4 +27,4 @@ detection: condition: selection falsepositives: - Unknown -level: medium \ No newline at end of file +level: medium diff --git a/src/main/resources/rules/others_web/web_solarwinds_supernova_webshell.yml b/src/main/resources/rules/others_web/web_solarwinds_supernova_webshell.yml index ec43bcd23..4e3434d56 100644 --- a/src/main/resources/rules/others_web/web_solarwinds_supernova_webshell.yml +++ b/src/main/resources/rules/others_web/web_solarwinds_supernova_webshell.yml @@ -27,4 +27,4 @@ fields: - response falsepositives: - Unknown -level: critical \ No newline at end of file +level: critical diff --git a/src/main/resources/rules/others_web/web_sonicwall_jarrewrite_exploit.yml b/src/main/resources/rules/others_web/web_sonicwall_jarrewrite_exploit.yml index b96b9bd73..0b003911c 100644 --- a/src/main/resources/rules/others_web/web_sonicwall_jarrewrite_exploit.yml +++ b/src/main/resources/rules/others_web/web_sonicwall_jarrewrite_exploit.yml @@ -14,7 +14,7 @@ logsource: detection: selection: c-uri|contains: '/cgi-bin/jarrewrite.sh' - c-useragent|contains: + c-useragent|contains: - ':;' - '() {' - '/bin/bash -c' diff --git a/src/main/resources/rules/others_web/web_susp_windows_path_uri.yml b/src/main/resources/rules/others_web/web_susp_windows_path_uri.yml index e21fa6fce..122a29d5a 100644 --- a/src/main/resources/rules/others_web/web_susp_windows_path_uri.yml +++ b/src/main/resources/rules/others_web/web_susp_windows_path_uri.yml @@ -25,4 +25,3 @@ tags: - attack.persistence - attack.exfiltration - attack.t1505.003 - diff --git a/src/main/resources/rules/others_web/web_unc2546_dewmode_php_webshell.yml b/src/main/resources/rules/others_web/web_unc2546_dewmode_php_webshell.yml index 3904369b9..47992070c 100644 --- a/src/main/resources/rules/others_web/web_unc2546_dewmode_php_webshell.yml +++ b/src/main/resources/rules/others_web/web_unc2546_dewmode_php_webshell.yml @@ -28,4 +28,4 @@ fields: - response falsepositives: - Unknown -level: high \ No newline at end of file +level: high diff --git a/src/main/resources/rules/rule_categories.json b/src/main/resources/rules/rule_categories.json index 25ddee7d8..9b7b9c36b 100644 --- a/src/main/resources/rules/rule_categories.json +++ b/src/main/resources/rules/rule_categories.json @@ -57,4 +57,4 @@ "display_name": "VpcFlow logs" } ] -} \ No newline at end of file +} diff --git a/src/main/resources/rules/test_windows/dns_query_win_regsvr32_network_activity.yml b/src/main/resources/rules/test_windows/dns_query_win_regsvr32_network_activity.yml index c812ab379..49ae2ab56 100644 --- a/src/main/resources/rules/test_windows/dns_query_win_regsvr32_network_activity.yml +++ b/src/main/resources/rules/test_windows/dns_query_win_regsvr32_network_activity.yml @@ -32,4 +32,4 @@ fields: - DestinationPort falsepositives: - Unknown -level: high \ No newline at end of file +level: high diff --git a/src/main/resources/rules/test_windows/net_connection_win_regsvr32_network_activity.yml b/src/main/resources/rules/test_windows/net_connection_win_regsvr32_network_activity.yml index 908fda8a4..cbef59a86 100644 --- a/src/main/resources/rules/test_windows/net_connection_win_regsvr32_network_activity.yml +++ b/src/main/resources/rules/test_windows/net_connection_win_regsvr32_network_activity.yml @@ -29,4 +29,4 @@ tags: - attack.execution - attack.t1559.001 - attack.defense_evasion - - attack.t1218.010 \ No newline at end of file + - attack.t1218.010 diff --git a/src/main/resources/rules/test_windows/proc_creation_win_susp_regsvr32_no_dll.yml b/src/main/resources/rules/test_windows/proc_creation_win_susp_regsvr32_no_dll.yml index 6207cc6ec..e29832568 100644 --- a/src/main/resources/rules/test_windows/proc_creation_win_susp_regsvr32_no_dll.yml +++ b/src/main/resources/rules/test_windows/proc_creation_win_susp_regsvr32_no_dll.yml @@ -18,7 +18,7 @@ detection: selection: Image|endswith: '\regsvr32.exe' filter: - CommandLine|contains: + CommandLine|contains: - '.dll' - '.ocx' - '.cpl' diff --git a/src/main/resources/rules/test_windows/win_sample_rule.yml b/src/main/resources/rules/test_windows/win_sample_rule.yml index 141c58b32..b55e9c9b7 100644 --- a/src/main/resources/rules/test_windows/win_sample_rule.yml +++ b/src/main/resources/rules/test_windows/win_sample_rule.yml @@ -21,4 +21,4 @@ detection: HostName|startswith: 'EC2AMAZ' condition: selection falsepositives: - - Unknown \ No newline at end of file + - Unknown diff --git a/src/main/resources/rules/windows/builtin/application/win_audit_cve.yml b/src/main/resources/rules/windows/builtin/application/win_audit_cve.yml index acb6c0672..611690797 100644 --- a/src/main/resources/rules/windows/builtin/application/win_audit_cve.yml +++ b/src/main/resources/rules/windows/builtin/application/win_audit_cve.yml @@ -34,4 +34,3 @@ detection: falsepositives: - Unknown level: critical - diff --git a/src/main/resources/rules/windows/builtin/application/win_builtin_remove_application.yml b/src/main/resources/rules/windows/builtin/application/win_builtin_remove_application.yml index 3209074b4..6f99ba7ac 100644 --- a/src/main/resources/rules/windows/builtin/application/win_builtin_remove_application.yml +++ b/src/main/resources/rules/windows/builtin/application/win_builtin_remove_application.yml @@ -19,4 +19,4 @@ falsepositives: level: low tags: - attack.impact - - attack.t1489 + - attack.t1489 diff --git a/src/main/resources/rules/windows/builtin/application/win_software_atera_rmm_agent_install.yml b/src/main/resources/rules/windows/builtin/application/win_software_atera_rmm_agent_install.yml index 5c38131a1..546a1025e 100644 --- a/src/main/resources/rules/windows/builtin/application/win_software_atera_rmm_agent_install.yml +++ b/src/main/resources/rules/windows/builtin/application/win_software_atera_rmm_agent_install.yml @@ -2,15 +2,15 @@ title: Atera Agent Installation id: 87261fb2-69d0-42fe-b9de-88c6b5f65a43 status: experimental description: Detects successful installation of Atera Remote Monitoring & Management (RMM) agent as recently found to be used by Conti operators -references: +references: - https://www.advintel.io/post/secret-backdoor-behind-conti-ransomware-operation-introducing-atera-agent date: 2021/09/01 modified: 2021/10/13 author: Bhabesh Raj level: high -logsource: - service: application - product: windows +logsource: + service: application + product: windows tags: - attack.t1219 detection: diff --git a/src/main/resources/rules/windows/builtin/application/win_vul_cve_2020_0688.yml b/src/main/resources/rules/windows/builtin/application/win_vul_cve_2020_0688.yml index 679f144f8..4cb0310d2 100644 --- a/src/main/resources/rules/windows/builtin/application/win_vul_cve_2020_0688.yml +++ b/src/main/resources/rules/windows/builtin/application/win_vul_cve_2020_0688.yml @@ -1,7 +1,7 @@ title: CVE-2020-0688 Exploitation via Eventlog id: d6266bf5-935e-4661-b477-78772735a7cb status: experimental -description: Detects the exploitation of Microsoft Exchange vulnerability as described in CVE-2020-0688 +description: Detects the exploitation of Microsoft Exchange vulnerability as described in CVE-2020-0688 references: - https://www.trustedsec.com/blog/detecting-cve-20200688-remote-code-execution-vulnerability-on-microsoft-exchange-server/ - https://cyberpolygon.com/materials/okhota-na-ataki-ms-exchange-chast-2-cve-2020-0688-cve-2020-16875-cve-2021-24085/ diff --git a/src/main/resources/rules/windows/builtin/bits_client/win_bits_client_susp_domain.yml b/src/main/resources/rules/windows/builtin/bits_client/win_bits_client_susp_domain.yml index 4379c3a40..a9e423769 100644 --- a/src/main/resources/rules/windows/builtin/bits_client/win_bits_client_susp_domain.yml +++ b/src/main/resources/rules/windows/builtin/bits_client/win_bits_client_susp_domain.yml @@ -13,7 +13,7 @@ logsource: detection: selection: EventID: 16403 - RemoteName|contains: + RemoteName|contains: - 'raw.githubusercontent.com' - 'gist.githubusercontent.com' - 'pastebin.com' diff --git a/src/main/resources/rules/windows/builtin/bits_client/win_bits_client_susp_local_file.yml b/src/main/resources/rules/windows/builtin/bits_client/win_bits_client_susp_local_file.yml index bab6511bd..8e699ef1c 100644 --- a/src/main/resources/rules/windows/builtin/bits_client/win_bits_client_susp_local_file.yml +++ b/src/main/resources/rules/windows/builtin/bits_client/win_bits_client_susp_local_file.yml @@ -26,9 +26,9 @@ detection: RemoteName|contains: '.com' condition: selection and not filter falsepositives: - - Administrator PowerShell scripts + - Administrator PowerShell scripts level: medium tags: - attack.defense_evasion - attack.persistence - - attack.t1197 \ No newline at end of file + - attack.t1197 diff --git a/src/main/resources/rules/windows/builtin/bits_client/win_bits_client_susp_local_folder.yml b/src/main/resources/rules/windows/builtin/bits_client/win_bits_client_susp_local_folder.yml index 662ef1a86..443a3a906 100644 --- a/src/main/resources/rules/windows/builtin/bits_client/win_bits_client_susp_local_folder.yml +++ b/src/main/resources/rules/windows/builtin/bits_client/win_bits_client_susp_local_folder.yml @@ -20,9 +20,9 @@ detection: - '\Desktop\' condition: selection falsepositives: - - Administrator PowerShell scripts + - Administrator PowerShell scripts level: high tags: - attack.defense_evasion - attack.persistence - - attack.t1197 \ No newline at end of file + - attack.t1197 diff --git a/src/main/resources/rules/windows/builtin/bits_client/win_bits_client_susp_powershell_job.yml b/src/main/resources/rules/windows/builtin/bits_client/win_bits_client_susp_powershell_job.yml index 6a9c27b1b..b9155cce9 100644 --- a/src/main/resources/rules/windows/builtin/bits_client/win_bits_client_susp_powershell_job.yml +++ b/src/main/resources/rules/windows/builtin/bits_client/win_bits_client_susp_powershell_job.yml @@ -17,9 +17,9 @@ detection: processPath|endswith: '\powershell.exe' condition: selection falsepositives: - - Administrator PowerShell scripts + - Administrator PowerShell scripts level: low tags: - attack.defense_evasion - attack.persistence - - attack.t1197 \ No newline at end of file + - attack.t1197 diff --git a/src/main/resources/rules/windows/builtin/bits_client/win_bits_client_susp_use_bitsadmin.yml b/src/main/resources/rules/windows/builtin/bits_client/win_bits_client_susp_use_bitsadmin.yml index 1ccb2af71..bb6cd9ce7 100644 --- a/src/main/resources/rules/windows/builtin/bits_client/win_bits_client_susp_use_bitsadmin.yml +++ b/src/main/resources/rules/windows/builtin/bits_client/win_bits_client_susp_use_bitsadmin.yml @@ -17,9 +17,9 @@ detection: processPath|endswith: '\bitsadmin.exe' condition: selection falsepositives: - - Administrator PowerShell scripts + - Administrator PowerShell scripts level: low tags: - attack.defense_evasion - attack.persistence - - attack.t1197 \ No newline at end of file + - attack.t1197 diff --git a/src/main/resources/rules/windows/builtin/bits_client/win_bits_client_uncommon_domain.yml b/src/main/resources/rules/windows/builtin/bits_client/win_bits_client_uncommon_domain.yml index b8da1a08b..5b158ed1e 100644 --- a/src/main/resources/rules/windows/builtin/bits_client/win_bits_client_uncommon_domain.yml +++ b/src/main/resources/rules/windows/builtin/bits_client/win_bits_client_uncommon_domain.yml @@ -15,7 +15,7 @@ detection: selection: EventID: 16403 filter: - RemoteName|contains: + RemoteName|contains: - '.com' - '.azureedge.net' - '.sfx.ms' diff --git a/src/main/resources/rules/windows/builtin/code_integrity/win_codeintegrity_failed_driver_load.yml b/src/main/resources/rules/windows/builtin/code_integrity/win_codeintegrity_failed_driver_load.yml index 69d0d3b0f..e45571159 100644 --- a/src/main/resources/rules/windows/builtin/code_integrity/win_codeintegrity_failed_driver_load.yml +++ b/src/main/resources/rules/windows/builtin/code_integrity/win_codeintegrity_failed_driver_load.yml @@ -17,4 +17,4 @@ detection: condition: keywords falsepositives: - Unknown -level: high \ No newline at end of file +level: high diff --git a/src/main/resources/rules/windows/builtin/dns_server/win_apt_gallium.yml b/src/main/resources/rules/windows/builtin/dns_server/win_apt_gallium.yml index cc1c0ca84..b17cd3797 100644 --- a/src/main/resources/rules/windows/builtin/dns_server/win_apt_gallium.yml +++ b/src/main/resources/rules/windows/builtin/dns_server/win_apt_gallium.yml @@ -21,7 +21,7 @@ logsource: detection: selection: EventID: 257 - QNAME: + QNAME: - 'asyspy256.ddns.net' - 'hotkillmail9sddcc.ddns.net' - 'rosaf112.ddns.net' @@ -32,4 +32,4 @@ detection: condition: selection falsepositives: - Unknown -level: high \ No newline at end of file +level: high diff --git a/src/main/resources/rules/windows/builtin/firewall_as/win_firewall_as_setting_change.yml b/src/main/resources/rules/windows/builtin/firewall_as/win_firewall_as_setting_change.yml index c7d8834e1..a85be1a4d 100644 --- a/src/main/resources/rules/windows/builtin/firewall_as/win_firewall_as_setting_change.yml +++ b/src/main/resources/rules/windows/builtin/firewall_as/win_firewall_as_setting_change.yml @@ -13,7 +13,7 @@ logsource: # EventID 49xx and 50xx are not used in the rule, please don't use Windows Server 2008 R2 detection: selection: - EventID: + EventID: - 2002 # A Windows Firewall setting has changed. - 2003 # A Windows Firewall setting in the %1 profile has changed. - 2008 # Windows Firewall Group Policy settings have changed. The new settings have been applied diff --git a/src/main/resources/rules/windows/builtin/msexchange/win_exchange_cve_2021_42321.yml b/src/main/resources/rules/windows/builtin/msexchange/win_exchange_cve_2021_42321.yml index baaab06e8..d5014c88f 100644 --- a/src/main/resources/rules/windows/builtin/msexchange/win_exchange_cve_2021_42321.yml +++ b/src/main/resources/rules/windows/builtin/msexchange/win_exchange_cve_2021_42321.yml @@ -11,7 +11,7 @@ logsource: service: msexchange-management detection: selection: - EventID: + EventID: - 6 - 8 keywords: @@ -23,4 +23,4 @@ falsepositives: level: high tags: - attack.lateral_movement - - attack.t1210 \ No newline at end of file + - attack.t1210 diff --git a/src/main/resources/rules/windows/builtin/msexchange/win_exchange_proxylogon_oabvirtualdir.yml b/src/main/resources/rules/windows/builtin/msexchange/win_exchange_proxylogon_oabvirtualdir.yml index 138d45dcd..14cbf6759 100644 --- a/src/main/resources/rules/windows/builtin/msexchange/win_exchange_proxylogon_oabvirtualdir.yml +++ b/src/main/resources/rules/windows/builtin/msexchange/win_exchange_proxylogon_oabvirtualdir.yml @@ -24,4 +24,4 @@ falsepositives: level: critical tags: - attack.t1587.001 - - attack.resource_development \ No newline at end of file + - attack.resource_development diff --git a/src/main/resources/rules/windows/builtin/msexchange/win_exchange_proxyshell_mailbox_export.yml b/src/main/resources/rules/windows/builtin/msexchange/win_exchange_proxyshell_mailbox_export.yml index 4155f0add..d3d5c4b72 100644 --- a/src/main/resources/rules/windows/builtin/msexchange/win_exchange_proxyshell_mailbox_export.yml +++ b/src/main/resources/rules/windows/builtin/msexchange/win_exchange_proxyshell_mailbox_export.yml @@ -7,11 +7,11 @@ references: author: Florian Roth, Rich Warren, Christian Burkard date: 2021/08/09 modified: 2022/02/01 -logsource: +logsource: service: msexchange-management product: windows detection: - export_command: + export_command: - 'New-MailboxExportRequest' - ' -Mailbox ' export_params: @@ -27,5 +27,5 @@ falsepositives: - Unlikely level: critical tags: - - attack.persistence - - attack.t1505.003 + - attack.persistence + - attack.t1505.003 diff --git a/src/main/resources/rules/windows/builtin/msexchange/win_exchange_proxyshell_remove_mailbox_export.yml b/src/main/resources/rules/windows/builtin/msexchange/win_exchange_proxyshell_remove_mailbox_export.yml index 663155d08..870647eeb 100644 --- a/src/main/resources/rules/windows/builtin/msexchange/win_exchange_proxyshell_remove_mailbox_export.yml +++ b/src/main/resources/rules/windows/builtin/msexchange/win_exchange_proxyshell_remove_mailbox_export.yml @@ -6,11 +6,11 @@ references: - https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/http/exchange_proxyshell_rce.rb#L430 author: Christian Burkard date: 2021/08/27 -logsource: +logsource: service: msexchange-management product: windows detection: - command: + command: - 'Remove-MailboxExportRequest' - ' -Identity ' - ' -Confirm "False"' diff --git a/src/main/resources/rules/windows/builtin/msexchange/win_exchange_transportagent.yml b/src/main/resources/rules/windows/builtin/msexchange/win_exchange_transportagent.yml index 6eca37cc7..ab0112399 100644 --- a/src/main/resources/rules/windows/builtin/msexchange/win_exchange_transportagent.yml +++ b/src/main/resources/rules/windows/builtin/msexchange/win_exchange_transportagent.yml @@ -8,9 +8,9 @@ description: Detects the Installation of a Exchange Transport Agent references: - https://twitter.com/blueteamsec1/status/1401290874202382336?s=20 tags: - - attack.persistence - - attack.t1505.002 -author: Tobias Michalski + - attack.persistence + - attack.t1505.002 +author: Tobias Michalski date: 2021/06/08 modified: 2021/09/19 logsource: @@ -24,4 +24,4 @@ fields: - AssemblyPath falsepositives: - Legitimate installations of exchange TransportAgents. AssemblyPath is a good indicator for this. -level: medium \ No newline at end of file +level: medium diff --git a/src/main/resources/rules/windows/builtin/msexchange/win_exchange_transportagent_failed.yml b/src/main/resources/rules/windows/builtin/msexchange/win_exchange_transportagent_failed.yml index faad6e0f5..8024b0ca3 100644 --- a/src/main/resources/rules/windows/builtin/msexchange/win_exchange_transportagent_failed.yml +++ b/src/main/resources/rules/windows/builtin/msexchange/win_exchange_transportagent_failed.yml @@ -5,16 +5,16 @@ description: Detects a failed installation of a Exchange Transport Agent references: - https://twitter.com/blueteamsec1/status/1401290874202382336?s=20 tags: - - attack.persistence - - attack.t1505.002 -author: Tobias Michalski -date: 2021/06/08 -logsource: + - attack.persistence + - attack.t1505.002 +author: Tobias Michalski +date: 2021/06/08 +logsource: service: msexchange-management product: windows detection: selection: - EventID: 6 + EventID: 6 keywords: - 'Install-TransportAgent' condition: selection and keywords diff --git a/src/main/resources/rules/windows/builtin/ntlm/win_susp_ntlm_brute_force.yml b/src/main/resources/rules/windows/builtin/ntlm/win_susp_ntlm_brute_force.yml index 93459eaac..f770f9afd 100644 --- a/src/main/resources/rules/windows/builtin/ntlm/win_susp_ntlm_brute_force.yml +++ b/src/main/resources/rules/windows/builtin/ntlm/win_susp_ntlm_brute_force.yml @@ -28,5 +28,5 @@ detection: - 'Windows2019' condition: selection and devicename falsepositives: - - Systems with names equal to the spoofed ones used by the brute force tools + - Systems with names equal to the spoofed ones used by the brute force tools level: medium diff --git a/src/main/resources/rules/windows/builtin/printservice/win_exploit_cve_2021_1675_printspooler.yml b/src/main/resources/rules/windows/builtin/printservice/win_exploit_cve_2021_1675_printspooler.yml index 53898222e..60f4c658a 100644 --- a/src/main/resources/rules/windows/builtin/printservice/win_exploit_cve_2021_1675_printspooler.yml +++ b/src/main/resources/rules/windows/builtin/printservice/win_exploit_cve_2021_1675_printspooler.yml @@ -12,7 +12,7 @@ date: 2021/06/30 modified: 2022/06/22 tags: - attack.execution - - attack.t1569 + - attack.t1569 - cve.2021.1675 logsource: product: windows diff --git a/src/main/resources/rules/windows/builtin/printservice/win_exploit_cve_2021_1675_printspooler_operational.yml b/src/main/resources/rules/windows/builtin/printservice/win_exploit_cve_2021_1675_printspooler_operational.yml index 5564f0358..3a0286b03 100644 --- a/src/main/resources/rules/windows/builtin/printservice/win_exploit_cve_2021_1675_printspooler_operational.yml +++ b/src/main/resources/rules/windows/builtin/printservice/win_exploit_cve_2021_1675_printspooler_operational.yml @@ -16,7 +16,7 @@ logsource: detection: selection: EventID: '316' - keywords: + keywords: - 'UNIDRV.DLL, kernelbase.dll, ' - ' 123 ' - ' 1234 ' diff --git a/src/main/resources/rules/windows/builtin/security/win_account_backdoor_dcsync_rights.yml b/src/main/resources/rules/windows/builtin/security/win_account_backdoor_dcsync_rights.yml index 9218d3288..822abaa5d 100644 --- a/src/main/resources/rules/windows/builtin/security/win_account_backdoor_dcsync_rights.yml +++ b/src/main/resources/rules/windows/builtin/security/win_account_backdoor_dcsync_rights.yml @@ -19,7 +19,7 @@ detection: selection: EventID: 5136 AttributeLDAPDisplayName: 'ntSecurityDescriptor' - AttributeValue|contains: + AttributeValue|contains: - '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' - '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' - '89e95b76-444d-4c62-991a-0facbeda640c' diff --git a/src/main/resources/rules/windows/builtin/security/win_ad_user_enumeration.yml b/src/main/resources/rules/windows/builtin/security/win_ad_user_enumeration.yml index 37a865e95..4715c923e 100644 --- a/src/main/resources/rules/windows/builtin/security/win_ad_user_enumeration.yml +++ b/src/main/resources/rules/windows/builtin/security/win_ad_user_enumeration.yml @@ -19,7 +19,7 @@ logsource: detection: selection: EventID: 4662 - ObjectType|contains: 'bf967aba-0de6-11d0-a285-00aa003049e2' + ObjectType|contains: 'bf967aba-0de6-11d0-a285-00aa003049e2' # Using contains as the data commonly is structured as "%{bf967aba-0de6-11d0-a285-00aa003049e2}" # The user class (https://docs.microsoft.com/en-us/windows/win32/adschema/c-user) filter: diff --git a/src/main/resources/rules/windows/builtin/security/win_adcs_certificate_template_configuration_vulnerability.yml b/src/main/resources/rules/windows/builtin/security/win_adcs_certificate_template_configuration_vulnerability.yml index e0ebcca25..4af69d83e 100644 --- a/src/main/resources/rules/windows/builtin/security/win_adcs_certificate_template_configuration_vulnerability.yml +++ b/src/main/resources/rules/windows/builtin/security/win_adcs_certificate_template_configuration_vulnerability.yml @@ -20,7 +20,7 @@ detection: selection2: EventID: 4899 NewTemplateContent|contains: 'CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT' - condition: selection1 or selection2 + condition: selection1 or selection2 falsepositives: - Administrator activity - Proxy SSL certificate with subject modification diff --git a/src/main/resources/rules/windows/builtin/security/win_alert_ad_user_backdoors.yml b/src/main/resources/rules/windows/builtin/security/win_alert_ad_user_backdoors.yml index cf19a17c0..16663c185 100644 --- a/src/main/resources/rules/windows/builtin/security/win_alert_ad_user_backdoors.yml +++ b/src/main/resources/rules/windows/builtin/security/win_alert_ad_user_backdoors.yml @@ -18,7 +18,7 @@ detection: EventID: 4738 filter_null: - AllowedToDelegateTo: '-' - - AllowedToDelegateTo: + - AllowedToDelegateTo: selection_5136_1: EventID: 5136 AttributeLDAPDisplayName: 'msDS-AllowedToDelegateTo' diff --git a/src/main/resources/rules/windows/builtin/security/win_apt_chafer_mar18_security.yml b/src/main/resources/rules/windows/builtin/security/win_apt_chafer_mar18_security.yml index 5843d6bf9..2701b413f 100644 --- a/src/main/resources/rules/windows/builtin/security/win_apt_chafer_mar18_security.yml +++ b/src/main/resources/rules/windows/builtin/security/win_apt_chafer_mar18_security.yml @@ -32,4 +32,4 @@ detection: condition: selection_service falsepositives: - Unknown -level: critical \ No newline at end of file +level: critical diff --git a/src/main/resources/rules/windows/builtin/security/win_apt_slingshot.yml b/src/main/resources/rules/windows/builtin/security/win_apt_slingshot.yml index 4345b4aa2..9bfa8a128 100644 --- a/src/main/resources/rules/windows/builtin/security/win_apt_slingshot.yml +++ b/src/main/resources/rules/windows/builtin/security/win_apt_slingshot.yml @@ -25,4 +25,4 @@ detection: condition: selection falsepositives: - Unknown -level: medium \ No newline at end of file +level: medium diff --git a/src/main/resources/rules/windows/builtin/security/win_apt_wocao.yml b/src/main/resources/rules/windows/builtin/security/win_apt_wocao.yml index 8dcb9b26c..875dbf2dc 100644 --- a/src/main/resources/rules/windows/builtin/security/win_apt_wocao.yml +++ b/src/main/resources/rules/windows/builtin/security/win_apt_wocao.yml @@ -7,7 +7,7 @@ references: - https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/ - https://twitter.com/SBousseaden/status/1207671369963646976 tags: - - attack.discovery + - attack.discovery - attack.t1012 - attack.defense_evasion - attack.t1036.004 @@ -28,4 +28,4 @@ detection: condition: selection falsepositives: - Administrators that use checkadmin.exe tool to enumerate local administrators -level: high \ No newline at end of file +level: high diff --git a/src/main/resources/rules/windows/builtin/security/win_dcsync.yml b/src/main/resources/rules/windows/builtin/security/win_dcsync.yml index 4bc9b53db..ebc1a76a5 100644 --- a/src/main/resources/rules/windows/builtin/security/win_dcsync.yml +++ b/src/main/resources/rules/windows/builtin/security/win_dcsync.yml @@ -40,4 +40,3 @@ falsepositives: - Valid DC Sync that is not covered by the filters; please report - Local Domain Admin account used for Azure AD Connect level: high - diff --git a/src/main/resources/rules/windows/builtin/security/win_disable_event_logging.yml b/src/main/resources/rules/windows/builtin/security/win_disable_event_logging.yml index 1975bc806..1ad62692c 100644 --- a/src/main/resources/rules/windows/builtin/security/win_disable_event_logging.yml +++ b/src/main/resources/rules/windows/builtin/security/win_disable_event_logging.yml @@ -16,7 +16,7 @@ detection: EventID: 4719 AuditPolicyChanges|contains: - '%%8448' # This is "Success removed" - - '%%8450' # This is "Failure removed" + - '%%8450' # This is "Failure removed" condition: selection falsepositives: - Unknown diff --git a/src/main/resources/rules/windows/builtin/security/win_event_log_cleared.yml b/src/main/resources/rules/windows/builtin/security/win_event_log_cleared.yml index 3bb242439..cabe56531 100644 --- a/src/main/resources/rules/windows/builtin/security/win_event_log_cleared.yml +++ b/src/main/resources/rules/windows/builtin/security/win_event_log_cleared.yml @@ -2,15 +2,15 @@ title: Security Event Log Cleared id: a122ac13-daf8-4175-83a2-72c387be339d status: experimental description: Checks for event id 1102 which indicates the security event log was cleared. -references: +references: - https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/SecurityEventLogCleared.yaml date: 2021/08/15 modified: 2021/10/13 author: Saw Winn Naung level: medium -logsource: - service: security - product: windows +logsource: + service: security + product: windows tags: - attack.t1070.001 detection: diff --git a/src/main/resources/rules/windows/builtin/security/win_external_device.yml b/src/main/resources/rules/windows/builtin/security/win_external_device.yml index 9a64bb7af..46ca97b77 100644 --- a/src/main/resources/rules/windows/builtin/security/win_external_device.yml +++ b/src/main/resources/rules/windows/builtin/security/win_external_device.yml @@ -16,10 +16,10 @@ logsource: detection: selection: EventID: 6416 - ClassName: 'DiskDrive' + ClassName: 'DiskDrive' selection2: DeviceDescription: 'USB Mass Storage Device' condition: selection or selection2 -falsepositives: +falsepositives: - Legitimate administrative activity level: low diff --git a/src/main/resources/rules/windows/builtin/security/win_global_catalog_enumeration.yml b/src/main/resources/rules/windows/builtin/security/win_global_catalog_enumeration.yml index 5c968fb9d..c642fd20c 100644 --- a/src/main/resources/rules/windows/builtin/security/win_global_catalog_enumeration.yml +++ b/src/main/resources/rules/windows/builtin/security/win_global_catalog_enumeration.yml @@ -1,4 +1,4 @@ -title: Enumeration via the Global Catalog +title: Enumeration via the Global Catalog description: Detects enumeration of the global catalog (that can be performed using BloodHound or others AD reconnaissance tools). Adjust Threshold according to domain width. status: experimental author: Chakib Gzenayi (@Chak092), Hosni Mribah diff --git a/src/main/resources/rules/windows/builtin/security/win_hybridconnectionmgr_svc_installation.yml b/src/main/resources/rules/windows/builtin/security/win_hybridconnectionmgr_svc_installation.yml index 7b2b0166d..4920ba035 100644 --- a/src/main/resources/rules/windows/builtin/security/win_hybridconnectionmgr_svc_installation.yml +++ b/src/main/resources/rules/windows/builtin/security/win_hybridconnectionmgr_svc_installation.yml @@ -7,7 +7,7 @@ modified: 2021/08/09 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) tags: - attack.persistence - - attack.t1554 + - attack.t1554 references: - https://twitter.com/Cyb3rWard0g/status/1381642789369286662 logsource: @@ -17,7 +17,7 @@ detection: selection: EventID: 4697 ServiceName: HybridConnectionManager - ServiceFileName|contains: HybridConnectionManager + ServiceFileName|contains: HybridConnectionManager condition: selection falsepositives: - Legitimate use of Hybrid Connection Manager via Azure function apps. diff --git a/src/main/resources/rules/windows/builtin/security/win_invoke_obfuscation_clip_services_security.yml b/src/main/resources/rules/windows/builtin/security/win_invoke_obfuscation_clip_services_security.yml index 332f8a4c0..86a21a0c1 100644 --- a/src/main/resources/rules/windows/builtin/security/win_invoke_obfuscation_clip_services_security.yml +++ b/src/main/resources/rules/windows/builtin/security/win_invoke_obfuscation_clip_services_security.yml @@ -23,11 +23,11 @@ detection: selection: Provider_Name: 'Microsoft-Windows-Security-Auditing' EventID: 4697 - ServiceFileName|contains|all: + ServiceFileName|contains|all: - 'cmd' - '&&' - 'clipboard]::' - condition: selection + condition: selection falsepositives: - Unknown -level: high \ No newline at end of file +level: high diff --git a/src/main/resources/rules/windows/builtin/security/win_invoke_obfuscation_obfuscated_iex_services_security.yml b/src/main/resources/rules/windows/builtin/security/win_invoke_obfuscation_obfuscated_iex_services_security.yml index 14b5f86e4..28ae08952 100644 --- a/src/main/resources/rules/windows/builtin/security/win_invoke_obfuscation_obfuscated_iex_services_security.yml +++ b/src/main/resources/rules/windows/builtin/security/win_invoke_obfuscation_obfuscated_iex_services_security.yml @@ -4,7 +4,7 @@ related: - id: 51aa9387-1c53-4153-91cc-d73c59ae1ca9 type: derived description: 'Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block linked in the references' -references: +references: - https://github.com/danielbohannon/Invoke-Obfuscation/blob/master/Out-ObfuscatedStringCommand.ps1#L873-L888 status: experimental author: Daniel Bohannon (@Mandiant/@FireEye), oscd.community @@ -30,4 +30,4 @@ detection: condition: selection and selection_1 falsepositives: - Unknown -level: high \ No newline at end of file +level: high diff --git a/src/main/resources/rules/windows/builtin/security/win_invoke_obfuscation_stdin_services_security.yml b/src/main/resources/rules/windows/builtin/security/win_invoke_obfuscation_stdin_services_security.yml index 028da309b..d3d88f0ba 100644 --- a/src/main/resources/rules/windows/builtin/security/win_invoke_obfuscation_stdin_services_security.yml +++ b/src/main/resources/rules/windows/builtin/security/win_invoke_obfuscation_stdin_services_security.yml @@ -21,7 +21,7 @@ logsource: detection: selection: EventID: 4697 - ServiceFileName|contains|all: + ServiceFileName|contains|all: - 'cmd' - 'powershell' selection2: diff --git a/src/main/resources/rules/windows/builtin/security/win_invoke_obfuscation_var_services_security.yml b/src/main/resources/rules/windows/builtin/security/win_invoke_obfuscation_var_services_security.yml index 08bb35cb3..ece0cd7e4 100644 --- a/src/main/resources/rules/windows/builtin/security/win_invoke_obfuscation_var_services_security.yml +++ b/src/main/resources/rules/windows/builtin/security/win_invoke_obfuscation_var_services_security.yml @@ -26,4 +26,3 @@ detection: falsepositives: - Unknown level: high - diff --git a/src/main/resources/rules/windows/builtin/security/win_invoke_obfuscation_via_compress_services_security.yml b/src/main/resources/rules/windows/builtin/security/win_invoke_obfuscation_via_compress_services_security.yml index cb53ad051..97c7eb609 100644 --- a/src/main/resources/rules/windows/builtin/security/win_invoke_obfuscation_via_compress_services_security.yml +++ b/src/main/resources/rules/windows/builtin/security/win_invoke_obfuscation_via_compress_services_security.yml @@ -2,7 +2,7 @@ title: Invoke-Obfuscation COMPRESS OBFUSCATION id: 7a922f1b-2635-4d6c-91ef-af228b198ad3 related: - id: 175997c5-803c-4b08-8bb0-70b099f47595 - type: derived + type: derived description: Detects Obfuscated Powershell via COMPRESS OBFUSCATION status: experimental author: Timur Zinniatullin, oscd.community @@ -20,8 +20,8 @@ logsource: service: security detection: selection: - EventID: 4697 - ServiceFileName|contains|all: + EventID: 4697 + ServiceFileName|contains|all: - 'new-object' - 'text.encoding]::ascii' - 'readtoend' diff --git a/src/main/resources/rules/windows/builtin/security/win_invoke_obfuscation_via_rundll_services_security.yml b/src/main/resources/rules/windows/builtin/security/win_invoke_obfuscation_via_rundll_services_security.yml index b4d6ee2fd..37d24774a 100644 --- a/src/main/resources/rules/windows/builtin/security/win_invoke_obfuscation_via_rundll_services_security.yml +++ b/src/main/resources/rules/windows/builtin/security/win_invoke_obfuscation_via_rundll_services_security.yml @@ -20,7 +20,7 @@ logsource: service: security detection: selection: - EventID: 4697 + EventID: 4697 ServiceFileName|contains|all: - 'rundll32.exe' - 'shell32.dll' diff --git a/src/main/resources/rules/windows/builtin/security/win_invoke_obfuscation_via_stdin_services_security.yml b/src/main/resources/rules/windows/builtin/security/win_invoke_obfuscation_via_stdin_services_security.yml index e539fc6af..bbe1c468b 100644 --- a/src/main/resources/rules/windows/builtin/security/win_invoke_obfuscation_via_stdin_services_security.yml +++ b/src/main/resources/rules/windows/builtin/security/win_invoke_obfuscation_via_stdin_services_security.yml @@ -21,7 +21,7 @@ logsource: detection: selection: EventID: 4697 - ServiceFileName|contains|all: + ServiceFileName|contains|all: - 'set' - '&&' ServiceFileName|contains: diff --git a/src/main/resources/rules/windows/builtin/security/win_invoke_obfuscation_via_use_clip_services_security.yml b/src/main/resources/rules/windows/builtin/security/win_invoke_obfuscation_via_use_clip_services_security.yml index 302f7f1eb..b99780d7a 100644 --- a/src/main/resources/rules/windows/builtin/security/win_invoke_obfuscation_via_use_clip_services_security.yml +++ b/src/main/resources/rules/windows/builtin/security/win_invoke_obfuscation_via_use_clip_services_security.yml @@ -26,5 +26,3 @@ detection: falsepositives: - Unknown level: high - - diff --git a/src/main/resources/rules/windows/builtin/security/win_invoke_obfuscation_via_use_mshta_services_security.yml b/src/main/resources/rules/windows/builtin/security/win_invoke_obfuscation_via_use_mshta_services_security.yml index 4e451e116..22ec368bb 100644 --- a/src/main/resources/rules/windows/builtin/security/win_invoke_obfuscation_via_use_mshta_services_security.yml +++ b/src/main/resources/rules/windows/builtin/security/win_invoke_obfuscation_via_use_mshta_services_security.yml @@ -21,7 +21,7 @@ logsource: detection: selection: EventID: 4697 - ServiceFileName|contains|all: + ServiceFileName|contains|all: - 'mshta' - 'vbscript:createobject' - '.run' diff --git a/src/main/resources/rules/windows/builtin/security/win_iso_mount.yml b/src/main/resources/rules/windows/builtin/security/win_iso_mount.yml index 1e9b3836f..e548fe058 100644 --- a/src/main/resources/rules/windows/builtin/security/win_iso_mount.yml +++ b/src/main/resources/rules/windows/builtin/security/win_iso_mount.yml @@ -5,7 +5,7 @@ status: experimental date: 2021/05/29 modified: 2021/11/20 author: Syed Hasan (@syedhasan009) -references: +references: - https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/malicious-spam-campaign-uses-iso-image-files-to-deliver-lokibot-and-nanocore - https://www.proofpoint.com/us/blog/threat-insight/threat-actor-profile-ta2719-uses-colorful-lures-deliver-rats-local-languages - https://twitter.com/MsftSecIntel/status/1257324139515269121 @@ -17,7 +17,7 @@ logsource: service: security definition: 'The advanced audit policy setting "Object Access > Audit Removable Storage" must be configured for Success/Failure' detection: - selection: + selection: EventID: 4663 ObjectServer: 'Security' ObjectType: 'File' diff --git a/src/main/resources/rules/windows/builtin/security/win_lsass_access_non_system_account.yml b/src/main/resources/rules/windows/builtin/security/win_lsass_access_non_system_account.yml index 4db2ccc9e..54bf1cb41 100644 --- a/src/main/resources/rules/windows/builtin/security/win_lsass_access_non_system_account.yml +++ b/src/main/resources/rules/windows/builtin/security/win_lsass_access_non_system_account.yml @@ -50,7 +50,7 @@ detection: filter1: SubjectUserName|endswith: '$' filter2: - ProcessName|startswith: 'C:\Program Files' # too many false positives with legitimate AV and EDR solutions + ProcessName|startswith: 'C:\Program Files' # too many false positives with legitimate AV and EDR solutions condition: selection and not 1 of filter* fields: - ComputerName diff --git a/src/main/resources/rules/windows/builtin/security/win_metasploit_authentication.yml b/src/main/resources/rules/windows/builtin/security/win_metasploit_authentication.yml index 2addf4d35..431cea87c 100644 --- a/src/main/resources/rules/windows/builtin/security/win_metasploit_authentication.yml +++ b/src/main/resources/rules/windows/builtin/security/win_metasploit_authentication.yml @@ -5,7 +5,7 @@ id: 72124974-a68b-4366-b990-d30e0b2a190d author: Chakib Gzenayi (@Chak092), Hosni Mribah date: 2020/05/06 modified: 2021/07/07 -references: +references: - https://github.com/rapid7/metasploit-framework/blob/master/lib/rex/proto/smb/client.rb tags: - attack.lateral_movement diff --git a/src/main/resources/rules/windows/builtin/security/win_net_ntlm_downgrade.yml b/src/main/resources/rules/windows/builtin/security/win_net_ntlm_downgrade.yml index 59519734f..74873dccf 100644 --- a/src/main/resources/rules/windows/builtin/security/win_net_ntlm_downgrade.yml +++ b/src/main/resources/rules/windows/builtin/security/win_net_ntlm_downgrade.yml @@ -22,11 +22,11 @@ logsource: detection: selection: EventID: 4657 - ObjectName|contains|all: + ObjectName|contains|all: - '\REGISTRY\MACHINE\SYSTEM' - 'ControlSet' - '\Control\Lsa' - ObjectValueName: + ObjectValueName: - 'LmCompatibilityLevel' - 'NtlmMinClientSec' - 'RestrictSendingNTLMTraffic' diff --git a/src/main/resources/rules/windows/builtin/security/win_scheduled_task_deletion.yml b/src/main/resources/rules/windows/builtin/security/win_scheduled_task_deletion.yml index f423f4a6e..7359fb944 100644 --- a/src/main/resources/rules/windows/builtin/security/win_scheduled_task_deletion.yml +++ b/src/main/resources/rules/windows/builtin/security/win_scheduled_task_deletion.yml @@ -1,5 +1,5 @@ title: Scheduled Task Deletion -id: 4f86b304-3e02-40e3-aa5d-e88a167c9617 +id: 4f86b304-3e02-40e3-aa5d-e88a167c9617 description: Detects scheduled task deletion events. Scheduled tasks are likely to be deleted if not used for persistence. Malicious Software often creates tasks directly under the root node e.g. \TASKNAME status: experimental author: David Strassegger, Tim Shelton diff --git a/src/main/resources/rules/windows/builtin/security/win_scm_database_handle_failure.yml b/src/main/resources/rules/windows/builtin/security/win_scm_database_handle_failure.yml index 8c4b4c652..6bb3dd362 100644 --- a/src/main/resources/rules/windows/builtin/security/win_scm_database_handle_failure.yml +++ b/src/main/resources/rules/windows/builtin/security/win_scm_database_handle_failure.yml @@ -14,7 +14,7 @@ logsource: product: windows service: security detection: - selection: + selection: EventID: 4656 ObjectType: 'SC_MANAGER OBJECT' ObjectName: 'ServicesActive' diff --git a/src/main/resources/rules/windows/builtin/security/win_security_cobaltstrike_service_installs.yml b/src/main/resources/rules/windows/builtin/security/win_security_cobaltstrike_service_installs.yml index fde145255..12fd99c0d 100644 --- a/src/main/resources/rules/windows/builtin/security/win_security_cobaltstrike_service_installs.yml +++ b/src/main/resources/rules/windows/builtin/security/win_security_cobaltstrike_service_installs.yml @@ -15,7 +15,7 @@ modified: 2021/09/21 tags: - attack.execution - attack.privilege_escalation - - attack.lateral_movement + - attack.lateral_movement - attack.t1021.002 - attack.t1543.003 - attack.t1569.002 @@ -26,11 +26,11 @@ detection: event_id: EventID: 4697 selection1: - ServiceFileName|contains|all: + ServiceFileName|contains|all: - 'ADMIN$' - '.exe' selection2: - ServiceFileName|contains|all: + ServiceFileName|contains|all: - '%COMSPEC%' - 'start' - 'powershell' @@ -41,4 +41,4 @@ detection: condition: event_id and 1 of selection* falsepositives: - Unknown -level: high \ No newline at end of file +level: high diff --git a/src/main/resources/rules/windows/builtin/security/win_security_mal_creddumper.yml b/src/main/resources/rules/windows/builtin/security/win_security_mal_creddumper.yml index ca29a8a52..95f66cdf8 100644 --- a/src/main/resources/rules/windows/builtin/security/win_security_mal_creddumper.yml +++ b/src/main/resources/rules/windows/builtin/security/win_security_mal_creddumper.yml @@ -37,4 +37,4 @@ detection: condition: selection falsepositives: - Legitimate Administrator using credential dumping tool for password recovery -level: high \ No newline at end of file +level: high diff --git a/src/main/resources/rules/windows/builtin/security/win_security_mal_service_installs.yml b/src/main/resources/rules/windows/builtin/security/win_security_mal_service_installs.yml index e1025f86f..0ba86a667 100644 --- a/src/main/resources/rules/windows/builtin/security/win_security_mal_service_installs.yml +++ b/src/main/resources/rules/windows/builtin/security/win_security_mal_service_installs.yml @@ -30,4 +30,4 @@ detection: condition: selection and 1 of malsvc_* falsepositives: - Unknown -level: critical \ No newline at end of file +level: critical diff --git a/src/main/resources/rules/windows/builtin/security/win_security_metasploit_or_impacket_smb_psexec_service_install.yml b/src/main/resources/rules/windows/builtin/security/win_security_metasploit_or_impacket_smb_psexec_service_install.yml index dc3f59989..dfcd1fd8e 100644 --- a/src/main/resources/rules/windows/builtin/security/win_security_metasploit_or_impacket_smb_psexec_service_install.yml +++ b/src/main/resources/rules/windows/builtin/security/win_security_metasploit_or_impacket_smb_psexec_service_install.yml @@ -37,4 +37,4 @@ fields: - ServiceFileName falsepositives: - Possible, different agents with a 8 character binary and a 4, 8 or 16 character service name -level: high \ No newline at end of file +level: high diff --git a/src/main/resources/rules/windows/builtin/security/win_security_meterpreter_or_cobaltstrike_getsystem_service_install.yml b/src/main/resources/rules/windows/builtin/security/win_security_meterpreter_or_cobaltstrike_getsystem_service_install.yml index aa946c489..513322d52 100644 --- a/src/main/resources/rules/windows/builtin/security/win_security_meterpreter_or_cobaltstrike_getsystem_service_install.yml +++ b/src/main/resources/rules/windows/builtin/security/win_security_meterpreter_or_cobaltstrike_getsystem_service_install.yml @@ -53,4 +53,4 @@ fields: - ServiceFileName falsepositives: - Highly unlikely -level: critical \ No newline at end of file +level: critical diff --git a/src/main/resources/rules/windows/builtin/security/win_security_powershell_script_installed_as_service.yml b/src/main/resources/rules/windows/builtin/security/win_security_powershell_script_installed_as_service.yml index 9d561344f..7e6a20112 100644 --- a/src/main/resources/rules/windows/builtin/security/win_security_powershell_script_installed_as_service.yml +++ b/src/main/resources/rules/windows/builtin/security/win_security_powershell_script_installed_as_service.yml @@ -19,10 +19,10 @@ logsource: detection: selection: EventID: 4697 - ServiceFileName|contains: + ServiceFileName|contains: - 'powershell' - 'pwsh' condition: selection falsepositives: - Unknown -level: high \ No newline at end of file +level: high diff --git a/src/main/resources/rules/windows/builtin/security/win_security_tap_driver_installation.yml b/src/main/resources/rules/windows/builtin/security/win_security_tap_driver_installation.yml index 93f211542..32f87fdbe 100644 --- a/src/main/resources/rules/windows/builtin/security/win_security_tap_driver_installation.yml +++ b/src/main/resources/rules/windows/builtin/security/win_security_tap_driver_installation.yml @@ -21,4 +21,4 @@ detection: condition: selection falsepositives: - Legitimate OpenVPN TAP insntallation -level: medium \ No newline at end of file +level: medium diff --git a/src/main/resources/rules/windows/builtin/security/win_security_wmi_persistence.yml b/src/main/resources/rules/windows/builtin/security/win_security_wmi_persistence.yml index 8df4d41a1..75140c58b 100644 --- a/src/main/resources/rules/windows/builtin/security/win_security_wmi_persistence.yml +++ b/src/main/resources/rules/windows/builtin/security/win_security_wmi_persistence.yml @@ -26,4 +26,4 @@ detection: condition: selection falsepositives: - Unknown (data set is too small; further testing needed) -level: medium \ No newline at end of file +level: medium diff --git a/src/main/resources/rules/windows/builtin/security/win_susp_failed_logon_source.yml b/src/main/resources/rules/windows/builtin/security/win_susp_failed_logon_source.yml index 798435a98..ab1b0f3cb 100644 --- a/src/main/resources/rules/windows/builtin/security/win_susp_failed_logon_source.yml +++ b/src/main/resources/rules/windows/builtin/security/win_susp_failed_logon_source.yml @@ -36,7 +36,7 @@ detection: - '127.' #127.0.0.0/8 - '169.254.' #169.254.0.0/16 ip_privatev6: - - IpAddress: '::1' #loopback + - IpAddress: '::1' #loopback - IpAddress|startswith: - 'fe80::' #link-local - 'fc00::' #unique local diff --git a/src/main/resources/rules/windows/builtin/security/win_susp_failed_logons_single_source.yml b/src/main/resources/rules/windows/builtin/security/win_susp_failed_logons_single_source.yml index 29578f6bb..a2b8fa74f 100644 --- a/src/main/resources/rules/windows/builtin/security/win_susp_failed_logons_single_source.yml +++ b/src/main/resources/rules/windows/builtin/security/win_susp_failed_logons_single_source.yml @@ -25,4 +25,4 @@ falsepositives: - Jump servers - Other multiuser systems like Citrix server farms - Workstations with frequently changing users -level: medium \ No newline at end of file +level: medium diff --git a/src/main/resources/rules/windows/builtin/security/win_susp_failed_logons_single_source2.yml b/src/main/resources/rules/windows/builtin/security/win_susp_failed_logons_single_source2.yml index 22c6a9b92..710840fc0 100644 --- a/src/main/resources/rules/windows/builtin/security/win_susp_failed_logons_single_source2.yml +++ b/src/main/resources/rules/windows/builtin/security/win_susp_failed_logons_single_source2.yml @@ -27,4 +27,4 @@ falsepositives: - Jump servers - Other multiuser systems like Citrix server farms - Workstations with frequently changing users -level: medium \ No newline at end of file +level: medium diff --git a/src/main/resources/rules/windows/builtin/security/win_susp_local_anon_logon_created.yml b/src/main/resources/rules/windows/builtin/security/win_susp_local_anon_logon_created.yml index d44cab80b..52b30afca 100644 --- a/src/main/resources/rules/windows/builtin/security/win_susp_local_anon_logon_created.yml +++ b/src/main/resources/rules/windows/builtin/security/win_susp_local_anon_logon_created.yml @@ -17,7 +17,7 @@ logsource: detection: selection: EventID: 4720 - SamAccountName|contains|all: + SamAccountName|contains|all: - 'ANONYMOUS' - 'LOGON' condition: selection diff --git a/src/main/resources/rules/windows/builtin/security/win_vssaudit_secevent_source_registration.yml b/src/main/resources/rules/windows/builtin/security/win_vssaudit_secevent_source_registration.yml index fe7574613..d4b6dcfab 100644 --- a/src/main/resources/rules/windows/builtin/security/win_vssaudit_secevent_source_registration.yml +++ b/src/main/resources/rules/windows/builtin/security/win_vssaudit_secevent_source_registration.yml @@ -17,10 +17,10 @@ detection: selection: Provider_Name: Microsoft-Windows-Security-Auditing AuditSourceName: VSSAudit - EventID: + EventID: - 4904 - 4905 condition: selection falsepositives: - Legitimate use of VSSVC. Maybe backup operations. It would usually be done by C:\Windows\System32\VSSVC.exe. -level: informational \ No newline at end of file +level: informational diff --git a/src/main/resources/rules/windows/builtin/servicebus/win_hybridconnectionmgr_svc_running.yml b/src/main/resources/rules/windows/builtin/servicebus/win_hybridconnectionmgr_svc_running.yml index 12ed9a6da..2115aca14 100644 --- a/src/main/resources/rules/windows/builtin/servicebus/win_hybridconnectionmgr_svc_running.yml +++ b/src/main/resources/rules/windows/builtin/servicebus/win_hybridconnectionmgr_svc_running.yml @@ -6,7 +6,7 @@ date: 2021/04/12 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) tags: - attack.persistence - - attack.t1554 + - attack.t1554 references: - https://twitter.com/Cyb3rWard0g/status/1381642789369286662 logsource: diff --git a/src/main/resources/rules/windows/builtin/smbclient/win_susp_failed_guest_logon.yml b/src/main/resources/rules/windows/builtin/smbclient/win_susp_failed_guest_logon.yml index 7a6fae07e..37c88c60a 100644 --- a/src/main/resources/rules/windows/builtin/smbclient/win_susp_failed_guest_logon.yml +++ b/src/main/resources/rules/windows/builtin/smbclient/win_susp_failed_guest_logon.yml @@ -27,4 +27,4 @@ falsepositives: - Account fallback reasons (after failed login with specific account) tags: - attack.credential_access - - attack.t1110.001 \ No newline at end of file + - attack.t1110.001 diff --git a/src/main/resources/rules/windows/builtin/system/win_apt_chafer_mar18_system.yml b/src/main/resources/rules/windows/builtin/system/win_apt_chafer_mar18_system.yml index d196830fe..b3a58abc0 100644 --- a/src/main/resources/rules/windows/builtin/system/win_apt_chafer_mar18_system.yml +++ b/src/main/resources/rules/windows/builtin/system/win_apt_chafer_mar18_system.yml @@ -30,4 +30,4 @@ detection: condition: selection_service falsepositives: - Unknown -level: critical \ No newline at end of file +level: critical diff --git a/src/main/resources/rules/windows/builtin/system/win_cobaltstrike_service_installs.yml b/src/main/resources/rules/windows/builtin/system/win_cobaltstrike_service_installs.yml index 7e7a6f2a7..c977f6bc6 100644 --- a/src/main/resources/rules/windows/builtin/system/win_cobaltstrike_service_installs.yml +++ b/src/main/resources/rules/windows/builtin/system/win_cobaltstrike_service_installs.yml @@ -12,7 +12,7 @@ modified: 2021/09/30 tags: - attack.execution - attack.privilege_escalation - - attack.lateral_movement + - attack.lateral_movement - attack.t1021.002 - attack.t1543.003 - attack.t1569.002 @@ -24,11 +24,11 @@ detection: Provider_Name: 'Service Control Manager' EventID: 7045 selection1: - ImagePath|contains|all: + ImagePath|contains|all: - 'ADMIN$' - '.exe' selection2: - ImagePath|contains|all: + ImagePath|contains|all: - '%COMSPEC%' - 'start' - 'powershell' @@ -39,4 +39,4 @@ detection: condition: selection_id and (selection1 or selection2 or selection3 or selection4) falsepositives: - Unknown -level: critical \ No newline at end of file +level: critical diff --git a/src/main/resources/rules/windows/builtin/system/win_invoke_obfuscation_clip_services.yml b/src/main/resources/rules/windows/builtin/system/win_invoke_obfuscation_clip_services.yml index c1651e417..366f76087 100644 --- a/src/main/resources/rules/windows/builtin/system/win_invoke_obfuscation_clip_services.yml +++ b/src/main/resources/rules/windows/builtin/system/win_invoke_obfuscation_clip_services.yml @@ -26,4 +26,4 @@ detection: condition: selection falsepositives: - Unknown -level: high \ No newline at end of file +level: high diff --git a/src/main/resources/rules/windows/builtin/system/win_invoke_obfuscation_obfuscated_iex_services.yml b/src/main/resources/rules/windows/builtin/system/win_invoke_obfuscation_obfuscated_iex_services.yml index 54c521f46..37fa23d87 100644 --- a/src/main/resources/rules/windows/builtin/system/win_invoke_obfuscation_obfuscated_iex_services.yml +++ b/src/main/resources/rules/windows/builtin/system/win_invoke_obfuscation_obfuscated_iex_services.yml @@ -27,4 +27,4 @@ detection: condition: selection and selection_1 falsepositives: - Unknown -level: high \ No newline at end of file +level: high diff --git a/src/main/resources/rules/windows/builtin/system/win_invoke_obfuscation_stdin_services.yml b/src/main/resources/rules/windows/builtin/system/win_invoke_obfuscation_stdin_services.yml index 2d94cee7b..6a3304222 100644 --- a/src/main/resources/rules/windows/builtin/system/win_invoke_obfuscation_stdin_services.yml +++ b/src/main/resources/rules/windows/builtin/system/win_invoke_obfuscation_stdin_services.yml @@ -20,7 +20,7 @@ detection: Provider_Name: 'Service Control Manager' EventID: 7045 ImagePath|re: '.*cmd.{0,5}(?:\/c|\/r).+powershell.+(?:\$\{?input\}?|noexit).+\"' - condition: selection + condition: selection falsepositives: - Unknown -level: high \ No newline at end of file +level: high diff --git a/src/main/resources/rules/windows/builtin/system/win_invoke_obfuscation_var_services.yml b/src/main/resources/rules/windows/builtin/system/win_invoke_obfuscation_var_services.yml index b1a682084..1a7134b55 100644 --- a/src/main/resources/rules/windows/builtin/system/win_invoke_obfuscation_var_services.yml +++ b/src/main/resources/rules/windows/builtin/system/win_invoke_obfuscation_var_services.yml @@ -23,4 +23,4 @@ detection: condition: selection falsepositives: - Unknown -level: high \ No newline at end of file +level: high diff --git a/src/main/resources/rules/windows/builtin/system/win_invoke_obfuscation_via_compress_services.yml b/src/main/resources/rules/windows/builtin/system/win_invoke_obfuscation_via_compress_services.yml index 3c43072d9..d352618cf 100644 --- a/src/main/resources/rules/windows/builtin/system/win_invoke_obfuscation_via_compress_services.yml +++ b/src/main/resources/rules/windows/builtin/system/win_invoke_obfuscation_via_compress_services.yml @@ -21,7 +21,7 @@ detection: - 'new-object' - 'text.encoding]::ascii' - 'readtoend' - ImagePath|contains: + ImagePath|contains: - ':system.io.compression.deflatestream' - 'system.io.streamreader' condition: selection diff --git a/src/main/resources/rules/windows/builtin/system/win_invoke_obfuscation_via_rundll_services.yml b/src/main/resources/rules/windows/builtin/system/win_invoke_obfuscation_via_rundll_services.yml index 1120cebf7..a9f2ec4db 100644 --- a/src/main/resources/rules/windows/builtin/system/win_invoke_obfuscation_via_rundll_services.yml +++ b/src/main/resources/rules/windows/builtin/system/win_invoke_obfuscation_via_rundll_services.yml @@ -14,7 +14,7 @@ detection: selection: Provider_Name: 'Service Control Manager' EventID: 7045 - ImagePath|contains|all: + ImagePath|contains|all: - 'rundll32.exe' - 'shell32.dll' - 'shellexec_rundll' diff --git a/src/main/resources/rules/windows/builtin/system/win_invoke_obfuscation_via_stdin_services.yml b/src/main/resources/rules/windows/builtin/system/win_invoke_obfuscation_via_stdin_services.yml index 8d61dc7af..95d3e028a 100644 --- a/src/main/resources/rules/windows/builtin/system/win_invoke_obfuscation_via_stdin_services.yml +++ b/src/main/resources/rules/windows/builtin/system/win_invoke_obfuscation_via_stdin_services.yml @@ -23,4 +23,4 @@ detection: condition: selection falsepositives: - Unknown -level: high \ No newline at end of file +level: high diff --git a/src/main/resources/rules/windows/builtin/system/win_invoke_obfuscation_via_use_clip_services.yml b/src/main/resources/rules/windows/builtin/system/win_invoke_obfuscation_via_use_clip_services.yml index ac4e8e0c7..a2188690e 100644 --- a/src/main/resources/rules/windows/builtin/system/win_invoke_obfuscation_via_use_clip_services.yml +++ b/src/main/resources/rules/windows/builtin/system/win_invoke_obfuscation_via_use_clip_services.yml @@ -23,4 +23,4 @@ detection: condition: selection falsepositives: - Unknown -level: high \ No newline at end of file +level: high diff --git a/src/main/resources/rules/windows/builtin/system/win_invoke_obfuscation_via_use_rundll32_services.yml b/src/main/resources/rules/windows/builtin/system/win_invoke_obfuscation_via_use_rundll32_services.yml index 22ba3b190..d9654f0c4 100644 --- a/src/main/resources/rules/windows/builtin/system/win_invoke_obfuscation_via_use_rundll32_services.yml +++ b/src/main/resources/rules/windows/builtin/system/win_invoke_obfuscation_via_use_rundll32_services.yml @@ -19,7 +19,7 @@ detection: - 'rundll32' - 'shell32.dll' - 'shellexec_rundll' - ImagePath|contains: + ImagePath|contains: - 'value' - 'invoke' - 'comspec' diff --git a/src/main/resources/rules/windows/builtin/system/win_invoke_obfuscation_via_var_services.yml b/src/main/resources/rules/windows/builtin/system/win_invoke_obfuscation_via_var_services.yml index 63960a89c..32bd20a15 100644 --- a/src/main/resources/rules/windows/builtin/system/win_invoke_obfuscation_via_var_services.yml +++ b/src/main/resources/rules/windows/builtin/system/win_invoke_obfuscation_via_var_services.yml @@ -23,4 +23,4 @@ detection: condition: selection falsepositives: - Unknown -level: high \ No newline at end of file +level: high diff --git a/src/main/resources/rules/windows/builtin/system/win_mal_creddumper.yml b/src/main/resources/rules/windows/builtin/system/win_mal_creddumper.yml index fcd6b5124..4da49c9d3 100644 --- a/src/main/resources/rules/windows/builtin/system/win_mal_creddumper.yml +++ b/src/main/resources/rules/windows/builtin/system/win_mal_creddumper.yml @@ -35,4 +35,4 @@ detection: condition: selection falsepositives: - Legitimate Administrator using credential dumping tool for password recovery -level: high \ No newline at end of file +level: high diff --git a/src/main/resources/rules/windows/builtin/system/win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml b/src/main/resources/rules/windows/builtin/system/win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml index ed7240a58..d6f450247 100644 --- a/src/main/resources/rules/windows/builtin/system/win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml +++ b/src/main/resources/rules/windows/builtin/system/win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml @@ -52,4 +52,4 @@ fields: - ImagePath falsepositives: - Highly unlikely -level: critical \ No newline at end of file +level: critical diff --git a/src/main/resources/rules/windows/builtin/system/win_moriya_rootkit.yml b/src/main/resources/rules/windows/builtin/system/win_moriya_rootkit.yml index d0ac46774..2e76873d4 100644 --- a/src/main/resources/rules/windows/builtin/system/win_moriya_rootkit.yml +++ b/src/main/resources/rules/windows/builtin/system/win_moriya_rootkit.yml @@ -22,4 +22,4 @@ detection: condition: selection level: critical falsepositives: - - Unknown \ No newline at end of file + - Unknown diff --git a/src/main/resources/rules/windows/builtin/system/win_ntfs_vuln_exploit.yml b/src/main/resources/rules/windows/builtin/system/win_ntfs_vuln_exploit.yml index 98d0f2b8d..4fed8d12f 100644 --- a/src/main/resources/rules/windows/builtin/system/win_ntfs_vuln_exploit.yml +++ b/src/main/resources/rules/windows/builtin/system/win_ntfs_vuln_exploit.yml @@ -17,7 +17,7 @@ detection: Provider_Name: Ntfs EventID: 55 Origin: 'File System Driver' - Description|contains|all: + Description|contains|all: - 'contains a corrupted file record' - 'The name of the file is "\"' condition: selection @@ -25,5 +25,5 @@ falsepositives: - Unlikely level: high tags: - - attack.impact - - attack.t1499.001 \ No newline at end of file + - attack.impact + - attack.t1499.001 diff --git a/src/main/resources/rules/windows/builtin/system/win_powershell_script_installed_as_service.yml b/src/main/resources/rules/windows/builtin/system/win_powershell_script_installed_as_service.yml index 518019105..f9fabebe0 100644 --- a/src/main/resources/rules/windows/builtin/system/win_powershell_script_installed_as_service.yml +++ b/src/main/resources/rules/windows/builtin/system/win_powershell_script_installed_as_service.yml @@ -17,7 +17,7 @@ detection: selection: Provider_Name: 'Service Control Manager' EventID: 7045 - ImagePath|contains: + ImagePath|contains: - 'powershell' - 'pwsh' condition: selection diff --git a/src/main/resources/rules/windows/builtin/system/win_sample_rule.yml b/src/main/resources/rules/windows/builtin/system/win_sample_rule.yml index e0bb61e09..96d8dc2c2 100644 --- a/src/main/resources/rules/windows/builtin/system/win_sample_rule.yml +++ b/src/main/resources/rules/windows/builtin/system/win_sample_rule.yml @@ -21,4 +21,4 @@ detection: hostname|startswith: 'EC2AMAZ' condition: selection falsepositives: - - Unknown \ No newline at end of file + - Unknown diff --git a/src/main/resources/rules/windows/builtin/system/win_susp_system_update_error.yml b/src/main/resources/rules/windows/builtin/system/win_susp_system_update_error.yml index a5ac5e52c..2c8c43cd6 100644 --- a/src/main/resources/rules/windows/builtin/system/win_susp_system_update_error.yml +++ b/src/main/resources/rules/windows/builtin/system/win_susp_system_update_error.yml @@ -11,7 +11,7 @@ logsource: detection: selection: Provider_Name: Microsoft-Windows-WindowsUpdateClient - EventID: + EventID: - 16 # Unable to Connect: Windows is unable to connect to the automatic updates service and therefore cannot download and install updates according to the set schedule - 20 # Installation Failure: Windows failed to install the following update with error - 24 # Uninstallation Failure: Windows failed to uninstall the following update with error diff --git a/src/main/resources/rules/windows/builtin/system/win_system_defender_disabled.yml b/src/main/resources/rules/windows/builtin/system/win_system_defender_disabled.yml index 8ca595d0a..0e90cb0b9 100644 --- a/src/main/resources/rules/windows/builtin/system/win_system_defender_disabled.yml +++ b/src/main/resources/rules/windows/builtin/system/win_system_defender_disabled.yml @@ -29,4 +29,4 @@ detection: falsepositives: - Administrator actions - Auto updates of Windows Defender causes restarts -level: low \ No newline at end of file +level: low diff --git a/src/main/resources/rules/windows/builtin/system/win_tap_driver_installation.yml b/src/main/resources/rules/windows/builtin/system/win_tap_driver_installation.yml index 5dafe8ebd..22d07bc85 100644 --- a/src/main/resources/rules/windows/builtin/system/win_tap_driver_installation.yml +++ b/src/main/resources/rules/windows/builtin/system/win_tap_driver_installation.yml @@ -19,4 +19,4 @@ detection: condition: selection falsepositives: - Legitimate OpenVPN TAP insntallation -level: medium \ No newline at end of file +level: medium diff --git a/src/main/resources/rules/windows/builtin/system/win_tool_psexec.yml b/src/main/resources/rules/windows/builtin/system/win_tool_psexec.yml index ab96a2619..b4dba36c5 100644 --- a/src/main/resources/rules/windows/builtin/system/win_tool_psexec.yml +++ b/src/main/resources/rules/windows/builtin/system/win_tool_psexec.yml @@ -35,4 +35,4 @@ detection: condition: service_installation or service_execution falsepositives: - Unknown -level: low \ No newline at end of file +level: low diff --git a/src/main/resources/rules/windows/builtin/system/win_volume_shadow_copy_mount.yml b/src/main/resources/rules/windows/builtin/system/win_volume_shadow_copy_mount.yml index de018ad86..eda4c6ff8 100644 --- a/src/main/resources/rules/windows/builtin/system/win_volume_shadow_copy_mount.yml +++ b/src/main/resources/rules/windows/builtin/system/win_volume_shadow_copy_mount.yml @@ -14,7 +14,7 @@ logsource: product: windows service: system detection: - selection: + selection: Provider_Name: Microsoft-Windows-Ntfs EventID: 98 DeviceName|contains: HarddiskVolumeShadowCopy diff --git a/src/main/resources/rules/windows/builtin/system/win_vul_cve_2021_42278_or_cve_2021_42287.yml b/src/main/resources/rules/windows/builtin/system/win_vul_cve_2021_42278_or_cve_2021_42287.yml index 9c6a9048d..055af6722 100644 --- a/src/main/resources/rules/windows/builtin/system/win_vul_cve_2021_42278_or_cve_2021_42287.yml +++ b/src/main/resources/rules/windows/builtin/system/win_vul_cve_2021_42278_or_cve_2021_42287.yml @@ -29,8 +29,8 @@ detection: fields: - samAccountName falsepositives: - - Unknown + - Unknown level: medium tags: - attack.credential_access - - attack.t1558.003 + - attack.t1558.003 diff --git a/src/main/resources/rules/windows/builtin/windefend/win_defender_amsi_trigger.yml b/src/main/resources/rules/windows/builtin/windefend/win_defender_amsi_trigger.yml index 3bb8f4418..ccd60dc7b 100644 --- a/src/main/resources/rules/windows/builtin/windefend/win_defender_amsi_trigger.yml +++ b/src/main/resources/rules/windows/builtin/windefend/win_defender_amsi_trigger.yml @@ -20,4 +20,4 @@ falsepositives: level: high tags: - attack.execution - - attack.t1059 + - attack.t1059 diff --git a/src/main/resources/rules/windows/builtin/windefend/win_defender_tamper_protection_trigger.yml b/src/main/resources/rules/windows/builtin/windefend/win_defender_tamper_protection_trigger.yml index 39a621373..8073ece28 100644 --- a/src/main/resources/rules/windows/builtin/windefend/win_defender_tamper_protection_trigger.yml +++ b/src/main/resources/rules/windows/builtin/windefend/win_defender_tamper_protection_trigger.yml @@ -21,4 +21,4 @@ detection: Value|endswith: - '\Windows Defender\DisableAntiSpyware = 0x1()' - '\Real-Time Protection\DisableRealtimeMonitoring = (Current)' - condition: selection \ No newline at end of file + condition: selection diff --git a/src/main/resources/rules/windows/builtin/windefend/win_defender_threat.yml b/src/main/resources/rules/windows/builtin/windefend/win_defender_threat.yml index 00e059bd7..345122da2 100644 --- a/src/main/resources/rules/windows/builtin/windefend/win_defender_threat.yml +++ b/src/main/resources/rules/windows/builtin/windefend/win_defender_threat.yml @@ -22,4 +22,4 @@ falsepositives: level: high tags: - attack.execution - - attack.t1059 \ No newline at end of file + - attack.t1059 diff --git a/src/main/resources/rules/windows/builtin/wmi/win_wmi_persistence.yml b/src/main/resources/rules/windows/builtin/wmi/win_wmi_persistence.yml index 25fba3e66..f6ae6b4e6 100644 --- a/src/main/resources/rules/windows/builtin/wmi/win_wmi_persistence.yml +++ b/src/main/resources/rules/windows/builtin/wmi/win_wmi_persistence.yml @@ -34,4 +34,4 @@ detection: condition: ( (wmi_filter_to_consumer_binding and consumer_keywords) or (wmi_filter_registration) ) and not filter_scmevent falsepositives: - Unknown (data set is too small; further testing needed) -level: medium \ No newline at end of file +level: medium diff --git a/src/main/resources/rules/windows/create_remote_thread/create_remote_thread_win_susp_targets.yml b/src/main/resources/rules/windows/create_remote_thread/create_remote_thread_win_susp_targets.yml index 0340c45b7..bf2d24713 100644 --- a/src/main/resources/rules/windows/create_remote_thread/create_remote_thread_win_susp_targets.yml +++ b/src/main/resources/rules/windows/create_remote_thread/create_remote_thread_win_susp_targets.yml @@ -11,7 +11,7 @@ logsource: category: create_remote_thread detection: selection: - TargetImage|endswith: + TargetImage|endswith: - '\mspaint.exe' - '\calc.exe' - '\notepad.exe' diff --git a/src/main/resources/rules/windows/create_remote_thread/sysmon_cobaltstrike_process_injection.yml b/src/main/resources/rules/windows/create_remote_thread/sysmon_cobaltstrike_process_injection.yml index daf111a32..789a75e2f 100644 --- a/src/main/resources/rules/windows/create_remote_thread/sysmon_cobaltstrike_process_injection.yml +++ b/src/main/resources/rules/windows/create_remote_thread/sysmon_cobaltstrike_process_injection.yml @@ -16,7 +16,7 @@ logsource: category: create_remote_thread detection: selection: - StartAddress|endswith: + StartAddress|endswith: - '0B80' - '0C7C' - '0C88' @@ -24,4 +24,3 @@ detection: falsepositives: - Unknown level: high - diff --git a/src/main/resources/rules/windows/dns_query/dns_query_win_ammyy.yml b/src/main/resources/rules/windows/dns_query/dns_query_win_ammyy.yml index 893f21290..c2c2cf4b5 100644 --- a/src/main/resources/rules/windows/dns_query/dns_query_win_ammyy.yml +++ b/src/main/resources/rules/windows/dns_query/dns_query_win_ammyy.yml @@ -4,7 +4,7 @@ status: experimental description: | An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. - Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land) + Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land) references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1219/T1219.md#atomic-test-6---ammyy-admin-software-execution author: frack113 @@ -21,4 +21,4 @@ falsepositives: level: medium tags: - attack.command_and_control - - attack.t1219 \ No newline at end of file + - attack.t1219 diff --git a/src/main/resources/rules/windows/dns_query/dns_query_win_gotoopener.yml b/src/main/resources/rules/windows/dns_query/dns_query_win_gotoopener.yml index 75fc35c4d..a9c071e4f 100644 --- a/src/main/resources/rules/windows/dns_query/dns_query_win_gotoopener.yml +++ b/src/main/resources/rules/windows/dns_query/dns_query_win_gotoopener.yml @@ -4,7 +4,7 @@ status: experimental description: | An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. - Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land) + Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land) references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1219/T1219.md#atomic-test-4---gotoassist-files-detected-test-on-windows author: frack113 @@ -18,4 +18,4 @@ detection: condition: selection falsepositives: - Unknown -level: medium \ No newline at end of file +level: medium diff --git a/src/main/resources/rules/windows/dns_query/dns_query_win_hybridconnectionmgr_servicebus.yml b/src/main/resources/rules/windows/dns_query/dns_query_win_hybridconnectionmgr_servicebus.yml index fd8ae4cfe..34975571f 100644 --- a/src/main/resources/rules/windows/dns_query/dns_query_win_hybridconnectionmgr_servicebus.yml +++ b/src/main/resources/rules/windows/dns_query/dns_query_win_hybridconnectionmgr_servicebus.yml @@ -7,7 +7,7 @@ modified: 2021/06/10 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) tags: - attack.persistence - - attack.t1554 + - attack.t1554 references: - https://twitter.com/Cyb3rWard0g/status/1381642789369286662 logsource: diff --git a/src/main/resources/rules/windows/dns_query/dns_query_win_lobas_appinstaller.yml b/src/main/resources/rules/windows/dns_query/dns_query_win_lobas_appinstaller.yml index a39bb70fe..33995812f 100644 --- a/src/main/resources/rules/windows/dns_query/dns_query_win_lobas_appinstaller.yml +++ b/src/main/resources/rules/windows/dns_query/dns_query_win_lobas_appinstaller.yml @@ -20,4 +20,4 @@ detection: condition: selection falsepositives: - Unknown -level: medium \ No newline at end of file +level: medium diff --git a/src/main/resources/rules/windows/dns_query/dns_query_win_logmein.yml b/src/main/resources/rules/windows/dns_query/dns_query_win_logmein.yml index 0a1879aee..f4e6eb493 100644 --- a/src/main/resources/rules/windows/dns_query/dns_query_win_logmein.yml +++ b/src/main/resources/rules/windows/dns_query/dns_query_win_logmein.yml @@ -4,7 +4,7 @@ status: experimental description: | An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. - Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land) + Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land) references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1219/T1219.md#atomic-test-3---logmein-files-detected-test-on-windows author: frack113 @@ -21,4 +21,4 @@ falsepositives: level: medium tags: - attack.command_and_control - - attack.t1219 \ No newline at end of file + - attack.t1219 diff --git a/src/main/resources/rules/windows/dns_query/dns_query_win_mal_cobaltstrike.yml b/src/main/resources/rules/windows/dns_query/dns_query_win_mal_cobaltstrike.yml index 7c80fd93b..66e18dd60 100644 --- a/src/main/resources/rules/windows/dns_query/dns_query_win_mal_cobaltstrike.yml +++ b/src/main/resources/rules/windows/dns_query/dns_query_win_mal_cobaltstrike.yml @@ -16,7 +16,7 @@ logsource: detection: selection1: QueryName|startswith: - - 'aaa.stage.' + - 'aaa.stage.' - 'post.1' selection2: QueryName|contains: '.stage.123456.' diff --git a/src/main/resources/rules/windows/dns_query/dns_query_win_mega_nz.yml b/src/main/resources/rules/windows/dns_query/dns_query_win_mega_nz.yml index 31d9cafc3..13e935a91 100644 --- a/src/main/resources/rules/windows/dns_query/dns_query_win_mega_nz.yml +++ b/src/main/resources/rules/windows/dns_query/dns_query_win_mega_nz.yml @@ -18,4 +18,4 @@ logsource: detection: selection: QueryName|contains: userstorage.mega.co.nz - condition: selection \ No newline at end of file + condition: selection diff --git a/src/main/resources/rules/windows/dns_query/dns_query_win_regsvr32_network_activity.yml b/src/main/resources/rules/windows/dns_query/dns_query_win_regsvr32_network_activity.yml index 0a9ffb60d..0a7623d98 100644 --- a/src/main/resources/rules/windows/dns_query/dns_query_win_regsvr32_network_activity.yml +++ b/src/main/resources/rules/windows/dns_query/dns_query_win_regsvr32_network_activity.yml @@ -32,4 +32,4 @@ fields: - DestinationPort falsepositives: - Unknown -level: high \ No newline at end of file +level: high diff --git a/src/main/resources/rules/windows/dns_query/dns_query_win_susp_ipify.yml b/src/main/resources/rules/windows/dns_query/dns_query_win_susp_ipify.yml index cf893946b..aa4a5832c 100644 --- a/src/main/resources/rules/windows/dns_query/dns_query_win_susp_ipify.yml +++ b/src/main/resources/rules/windows/dns_query/dns_query_win_susp_ipify.yml @@ -19,7 +19,7 @@ logsource: category: dns_query detection: dns_request: - QueryName: + QueryName: - canireachthe.net - ipv4.icanhazip.com - ip.anysrc.net diff --git a/src/main/resources/rules/windows/dns_query/dns_query_win_susp_teamviewer.yml b/src/main/resources/rules/windows/dns_query/dns_query_win_susp_teamviewer.yml index ddfe7f510..8887b00cb 100644 --- a/src/main/resources/rules/windows/dns_query/dns_query_win_susp_teamviewer.yml +++ b/src/main/resources/rules/windows/dns_query/dns_query_win_susp_teamviewer.yml @@ -15,7 +15,7 @@ logsource: category: dns_query detection: dns_request: - QueryName: + QueryName: - 'taf.teamviewer.com' - 'udp.ping.teamviewer.com' filter: @@ -24,4 +24,4 @@ detection: falsepositives: - Unknown binary names of TeamViewer - Other programs that also lookup the observed domain -level: medium \ No newline at end of file +level: medium diff --git a/src/main/resources/rules/windows/driver_load/driver_load_meterpreter_or_cobaltstrike_getsystem_service_installation.yml b/src/main/resources/rules/windows/driver_load/driver_load_meterpreter_or_cobaltstrike_getsystem_service_installation.yml index 172b3e23f..ebb133409 100644 --- a/src/main/resources/rules/windows/driver_load/driver_load_meterpreter_or_cobaltstrike_getsystem_service_installation.yml +++ b/src/main/resources/rules/windows/driver_load/driver_load_meterpreter_or_cobaltstrike_getsystem_service_installation.yml @@ -51,4 +51,4 @@ fields: - ImagePath falsepositives: - Highly unlikely -level: critical \ No newline at end of file +level: critical diff --git a/src/main/resources/rules/windows/driver_load/driver_load_powershell_script_installed_as_service.yml b/src/main/resources/rules/windows/driver_load/driver_load_powershell_script_installed_as_service.yml index 1bb1c9653..019ba4c96 100644 --- a/src/main/resources/rules/windows/driver_load/driver_load_powershell_script_installed_as_service.yml +++ b/src/main/resources/rules/windows/driver_load/driver_load_powershell_script_installed_as_service.yml @@ -18,10 +18,10 @@ logsource: category: driver_load detection: selection: - ImageLoaded|contains: + ImageLoaded|contains: - 'powershell' - 'pwsh' condition: selection falsepositives: - Unknown -level: high \ No newline at end of file +level: high diff --git a/src/main/resources/rules/windows/driver_load/driver_load_vuln_dell_driver.yml b/src/main/resources/rules/windows/driver_load/driver_load_vuln_dell_driver.yml index 15439f86e..9189ac959 100644 --- a/src/main/resources/rules/windows/driver_load/driver_load_vuln_dell_driver.yml +++ b/src/main/resources/rules/windows/driver_load/driver_load_vuln_dell_driver.yml @@ -12,7 +12,7 @@ logsource: tags: - attack.privilege_escalation - cve.2021.21551 - - attack.t1543 + - attack.t1543 detection: selection_image: ImageLoaded|contains: '\DBUtil_2_3.Sys' diff --git a/src/main/resources/rules/windows/driver_load/driver_load_windivert.yml b/src/main/resources/rules/windows/driver_load/driver_load_windivert.yml index 3f3de4609..07aba491d 100644 --- a/src/main/resources/rules/windows/driver_load/driver_load_windivert.yml +++ b/src/main/resources/rules/windows/driver_load/driver_load_windivert.yml @@ -17,7 +17,7 @@ logsource: product: windows detection: selection: - ImageLoaded|contains: + ImageLoaded|contains: - '\WinDivert.sys' - '\WinDivert64.sys' condition: selection diff --git a/src/main/resources/rules/windows/file_delete/file_delete_win_delete_appli_log.yml b/src/main/resources/rules/windows/file_delete/file_delete_win_delete_appli_log.yml index 5266a1518..9784d7b64 100644 --- a/src/main/resources/rules/windows/file_delete/file_delete_win_delete_appli_log.yml +++ b/src/main/resources/rules/windows/file_delete/file_delete_win_delete_appli_log.yml @@ -13,7 +13,7 @@ detection: selection_teamviewer: TargetFilename|endswith: '.log' TargetFilename|contains: '\TeamViewer_' - filter: + filter: Image: C:\Windows\system32\svchost.exe condition: selection_teamviewer and not filter falsepositives: diff --git a/src/main/resources/rules/windows/file_event/file_event_win_advanced_ip_scanner.yml b/src/main/resources/rules/windows/file_event/file_event_win_advanced_ip_scanner.yml index 4fdf3650c..4d9c576cb 100644 --- a/src/main/resources/rules/windows/file_event/file_event_win_advanced_ip_scanner.yml +++ b/src/main/resources/rules/windows/file_event/file_event_win_advanced_ip_scanner.yml @@ -1,4 +1,4 @@ -title: Advanced IP Scanner +title: Advanced IP Scanner id: fed85bf9-e075-4280-9159-fbe8a023d6fa related: - id: bef37fa2-f205-4a7b-b484-0759bfd5f86f @@ -26,4 +26,4 @@ detection: condition: selection falsepositives: - Legitimate administrative use -level: medium \ No newline at end of file +level: medium diff --git a/src/main/resources/rules/windows/file_event/file_event_win_anydesk_artefact.yml b/src/main/resources/rules/windows/file_event/file_event_win_anydesk_artefact.yml index 0d2800f5c..ef64bbc3c 100644 --- a/src/main/resources/rules/windows/file_event/file_event_win_anydesk_artefact.yml +++ b/src/main/resources/rules/windows/file_event/file_event_win_anydesk_artefact.yml @@ -4,7 +4,7 @@ status: experimental description: | An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. - Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land) + Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land) references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1219/T1219.md#atomic-test-2---anydesk-files-detected-test-on-windows author: frack113 diff --git a/src/main/resources/rules/windows/file_event/file_event_win_apt_unidentified_nov_18.yml b/src/main/resources/rules/windows/file_event/file_event_win_apt_unidentified_nov_18.yml index 687865be6..00b912d4d 100644 --- a/src/main/resources/rules/windows/file_event/file_event_win_apt_unidentified_nov_18.yml +++ b/src/main/resources/rules/windows/file_event/file_event_win_apt_unidentified_nov_18.yml @@ -19,6 +19,6 @@ logsource: category: file_event detection: selection: - TargetFilename|contains: 'ds7002.lnk' + TargetFilename|contains: 'ds7002.lnk' condition: selection -level: high \ No newline at end of file +level: high diff --git a/src/main/resources/rules/windows/file_event/file_event_win_crackmapexec_patterns.yml b/src/main/resources/rules/windows/file_event/file_event_win_crackmapexec_patterns.yml index d4b6e6cce..7669e2412 100644 --- a/src/main/resources/rules/windows/file_event/file_event_win_crackmapexec_patterns.yml +++ b/src/main/resources/rules/windows/file_event/file_event_win_crackmapexec_patterns.yml @@ -55,4 +55,4 @@ detection: condition: 1 of selection* falsepositives: - Unknown -level: high \ No newline at end of file +level: high diff --git a/src/main/resources/rules/windows/file_event/file_event_win_creation_new_shim_database.yml b/src/main/resources/rules/windows/file_event/file_event_win_creation_new_shim_database.yml index c00f31c4e..cbf136c33 100644 --- a/src/main/resources/rules/windows/file_event/file_event_win_creation_new_shim_database.yml +++ b/src/main/resources/rules/windows/file_event/file_event_win_creation_new_shim_database.yml @@ -1,7 +1,7 @@ title: New Shim Database Created in the Default Directory id: ee63c85c-6d51-4d12-ad09-04e25877a947 status: experimental -description: | +description: | Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time. author: frack113 @@ -15,7 +15,7 @@ detection: selection: TargetFilename|endswith: '.sdb' TargetFilename|contains: '\Windows\apppatch\Custom\' - condition: selection + condition: selection falsepositives: - Unknown level: medium diff --git a/src/main/resources/rules/windows/file_event/file_event_win_creation_scr_binary_file.yml b/src/main/resources/rules/windows/file_event/file_event_win_creation_scr_binary_file.yml index 5d16e8fb9..6f0272819 100644 --- a/src/main/resources/rules/windows/file_event/file_event_win_creation_scr_binary_file.yml +++ b/src/main/resources/rules/windows/file_event/file_event_win_creation_scr_binary_file.yml @@ -1,7 +1,7 @@ title: Suspicious Screensaver Binary File Creation id: 97aa2e88-555c-450d-85a6-229bcd87efb8 status: experimental -description: | +description: | Adversaries may establish persistence by executing malicious content triggered by user inactivity. Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension author: frack113 diff --git a/src/main/resources/rules/windows/file_event/file_event_win_creation_system_file.yml b/src/main/resources/rules/windows/file_event/file_event_win_creation_system_file.yml index e3bcec0fd..bccee29ce 100644 --- a/src/main/resources/rules/windows/file_event/file_event_win_creation_system_file.yml +++ b/src/main/resources/rules/windows/file_event/file_event_win_creation_system_file.yml @@ -47,7 +47,7 @@ detection: - 'C:\Windows\winsxs\' - 'C:\Windows\WinSxS\' - '\SystemRoot\System32\' - Image|endswith: + Image|endswith: - '\Windows\System32\dism.exe' - '\TiWorker.exe' filter2: diff --git a/src/main/resources/rules/windows/file_event/file_event_win_creation_unquoted_service_path.yml b/src/main/resources/rules/windows/file_event/file_event_win_creation_unquoted_service_path.yml index 5b2dfdcb1..d5b2c30b7 100644 --- a/src/main/resources/rules/windows/file_event/file_event_win_creation_unquoted_service_path.yml +++ b/src/main/resources/rules/windows/file_event/file_event_win_creation_unquoted_service_path.yml @@ -1,9 +1,9 @@ title: Creation Exe for Service with Unquoted Path id: 8c3c76ca-8f8b-4b1d-aaf3-81aebcd367c9 status: experimental -description: | +description: | Adversaries may execute their own malicious payloads by hijacking vulnerable file path references. - Adversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher level directory within the path, so that Windows will choose the adversary's executable to launch. + Adversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher level directory within the path, so that Windows will choose the adversary's executable to launch. author: frack113 references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.009/T1574.009.md @@ -14,11 +14,11 @@ logsource: detection: selection: # Feel free to add more - TargetFilename: 'C:\program.exe' - condition: selection + TargetFilename: 'C:\program.exe' + condition: selection falsepositives: - Unknown level: high tags: - attack.persistence - - attack.t1547.009 \ No newline at end of file + - attack.t1547.009 diff --git a/src/main/resources/rules/windows/file_event/file_event_win_cve_2021_26858_msexchange.yml b/src/main/resources/rules/windows/file_event/file_event_win_cve_2021_26858_msexchange.yml index 07cbb1170..570cf2de7 100644 --- a/src/main/resources/rules/windows/file_event/file_event_win_cve_2021_26858_msexchange.yml +++ b/src/main/resources/rules/windows/file_event/file_event_win_cve_2021_26858_msexchange.yml @@ -19,7 +19,7 @@ detection: selection: Image|endswith: 'UMWorkerProcess.exe' filter: - TargetFilename|endswith: + TargetFilename|endswith: - 'CacheCleanup.bin' - '.txt' - '.LOG' @@ -31,4 +31,4 @@ fields: - TargetFilename falsepositives: - Unknown -level: high \ No newline at end of file +level: high diff --git a/src/main/resources/rules/windows/file_event/file_event_win_cve_2021_31979_cve_2021_33771_exploits.yml b/src/main/resources/rules/windows/file_event/file_event_win_cve_2021_31979_cve_2021_33771_exploits.yml index 1c07a1d31..2cbe51874 100644 --- a/src/main/resources/rules/windows/file_event/file_event_win_cve_2021_31979_cve_2021_33771_exploits.yml +++ b/src/main/resources/rules/windows/file_event/file_event_win_cve_2021_31979_cve_2021_33771_exploits.yml @@ -34,4 +34,4 @@ detection: condition: selection falsepositives: - Unlikely -level: critical \ No newline at end of file +level: critical diff --git a/src/main/resources/rules/windows/file_event/file_event_win_cve_2022_24527_lpe.yml b/src/main/resources/rules/windows/file_event/file_event_win_cve_2022_24527_lpe.yml index 1a32e0300..fed59b85d 100644 --- a/src/main/resources/rules/windows/file_event/file_event_win_cve_2022_24527_lpe.yml +++ b/src/main/resources/rules/windows/file_event/file_event_win_cve_2022_24527_lpe.yml @@ -24,4 +24,3 @@ detection: falsepositives: - Unknown level: high - diff --git a/src/main/resources/rules/windows/file_event/file_event_win_detect_powerup_dllhijacking.yml b/src/main/resources/rules/windows/file_event/file_event_win_detect_powerup_dllhijacking.yml index c4fb4645b..aaef76f84 100644 --- a/src/main/resources/rules/windows/file_event/file_event_win_detect_powerup_dllhijacking.yml +++ b/src/main/resources/rules/windows/file_event/file_event_win_detect_powerup_dllhijacking.yml @@ -3,7 +3,7 @@ id: 602a1f13-c640-4d73-b053-be9a2fa58b96 status: experimental description: Powerup tool's Write Hijack DLL exploits DLL hijacking for privilege escalation. - In it's default mode, it builds a self deleting .bat file which executes malicious command. + In it's default mode, it builds a self deleting .bat file which executes malicious command. The detection rule relies on creation of the malicious bat file (debug.bat by default). references: - https://powersploit.readthedocs.io/en/latest/Privesc/Write-HijackDll/ diff --git a/src/main/resources/rules/windows/file_event/file_event_win_gotoopener_artefact.yml b/src/main/resources/rules/windows/file_event/file_event_win_gotoopener_artefact.yml index 427980d1b..d633bf4f1 100644 --- a/src/main/resources/rules/windows/file_event/file_event_win_gotoopener_artefact.yml +++ b/src/main/resources/rules/windows/file_event/file_event_win_gotoopener_artefact.yml @@ -4,7 +4,7 @@ status: experimental description: | An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. - Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land) + Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land) references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1219/T1219.md#atomic-test-4---gotoassist-files-detected-test-on-windows author: frack113 diff --git a/src/main/resources/rules/windows/file_event/file_event_win_hack_dumpert.yml b/src/main/resources/rules/windows/file_event/file_event_win_hack_dumpert.yml index 74a805179..464dfebf2 100644 --- a/src/main/resources/rules/windows/file_event/file_event_win_hack_dumpert.yml +++ b/src/main/resources/rules/windows/file_event/file_event_win_hack_dumpert.yml @@ -18,9 +18,9 @@ logsource: category: file_event product: windows detection: - selection: + selection: TargetFilename: C:\Windows\Temp\dumpert.dmp condition: selection falsepositives: - Very unlikely -level: critical \ No newline at end of file +level: critical diff --git a/src/main/resources/rules/windows/file_event/file_event_win_hivenightmare_file_exports.yml b/src/main/resources/rules/windows/file_event/file_event_win_hivenightmare_file_exports.yml index f21f487db..397d44e03 100644 --- a/src/main/resources/rules/windows/file_event/file_event_win_hivenightmare_file_exports.yml +++ b/src/main/resources/rules/windows/file_event/file_event_win_hivenightmare_file_exports.yml @@ -18,19 +18,19 @@ tags: - cve.2021.36934 detection: selection: - - TargetFilename|contains: + - TargetFilename|contains: - '\hive_sam_' # Go version - '\SAM-2021-' # C++ version - '\SAM-2022-' # C++ version - '\SAM-2023-' # C++ version - '\SAM-haxx' # Early C++ versions - '\Sam.save' # PowerShell version - - TargetFilename: + - TargetFilename: - 'C:\windows\temp\sam' # C# version of HiveNightmare condition: selection fields: - CommandLine - ParentCommandLine falsepositives: - - Files that accidentally contain these strings + - Files that accidentally contain these strings level: high diff --git a/src/main/resources/rules/windows/file_event/file_event_win_hktl_nppspy.yml b/src/main/resources/rules/windows/file_event/file_event_win_hktl_nppspy.yml index ed4a60dac..5066f50e2 100644 --- a/src/main/resources/rules/windows/file_event/file_event_win_hktl_nppspy.yml +++ b/src/main/resources/rules/windows/file_event/file_event_win_hktl_nppspy.yml @@ -14,10 +14,10 @@ logsource: category: file_event detection: selection: - TargetFilename|endswith: + TargetFilename|endswith: - '\NPPSpy.txt' - '\NPPSpy.dll' condition: selection falsepositives: - Unknown -level: high \ No newline at end of file +level: high diff --git a/src/main/resources/rules/windows/file_event/file_event_win_install_teamviewer_desktop.yml b/src/main/resources/rules/windows/file_event/file_event_win_install_teamviewer_desktop.yml index 151147665..2028e4111 100644 --- a/src/main/resources/rules/windows/file_event/file_event_win_install_teamviewer_desktop.yml +++ b/src/main/resources/rules/windows/file_event/file_event_win_install_teamviewer_desktop.yml @@ -1,7 +1,7 @@ title: Installation of TeamViewer Desktop id: 9711de76-5d4f-4c50-a94f-21e4e8f8384d status: experimental -description: TeamViewer_Desktop.exe is create during install +description: TeamViewer_Desktop.exe is create during install author: frack113 references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1219/T1219.md#atomic-test-1---teamviewer-files-detected-test-on-windows @@ -12,7 +12,7 @@ logsource: detection: selection: TargetFilename|endswith: \TeamViewer_Desktop.exe - condition: selection + condition: selection falsepositives: - Unknown level: medium diff --git a/src/main/resources/rules/windows/file_event/file_event_win_lsass_dump.yml b/src/main/resources/rules/windows/file_event/file_event_win_lsass_dump.yml index d6b6e0b67..a31fa1f33 100644 --- a/src/main/resources/rules/windows/file_event/file_event_win_lsass_dump.yml +++ b/src/main/resources/rules/windows/file_event/file_event_win_lsass_dump.yml @@ -22,7 +22,7 @@ logsource: category: file_event detection: selection1: - TargetFilename|endswith: + TargetFilename|endswith: - '\lsass.dmp' - '\lsass.zip' - '\lsass.rar' @@ -47,4 +47,4 @@ detection: condition: 1 of selection* falsepositives: - Unknown -level: high \ No newline at end of file +level: high diff --git a/src/main/resources/rules/windows/file_event/file_event_win_macro_file.yml b/src/main/resources/rules/windows/file_event/file_event_win_macro_file.yml index 55e102b80..ed1123d89 100644 --- a/src/main/resources/rules/windows/file_event/file_event_win_macro_file.yml +++ b/src/main/resources/rules/windows/file_event/file_event_win_macro_file.yml @@ -11,15 +11,15 @@ logsource: category: file_event product: windows detection: - selection_ext: + selection_ext: TargetFilename|endswith: - .docm - .dotm - .xlsm - .xltm - - .potm + - .potm - .pptm - - .pptx + - .pptx selection_cmd: - Image|endswith: - \cmd.exe @@ -33,4 +33,4 @@ falsepositives: level: medium tags: - attack.initial_access - - attack.t1566.001 \ No newline at end of file + - attack.t1566.001 diff --git a/src/main/resources/rules/windows/file_event/file_event_win_mal_adwind.yml b/src/main/resources/rules/windows/file_event/file_event_win_mal_adwind.yml index 1e79f6b12..9c5a88686 100644 --- a/src/main/resources/rules/windows/file_event/file_event_win_mal_adwind.yml +++ b/src/main/resources/rules/windows/file_event/file_event_win_mal_adwind.yml @@ -27,4 +27,4 @@ detection: - '\Retrive' - '.vbs' condition: selection -level: high \ No newline at end of file +level: high diff --git a/src/main/resources/rules/windows/file_event/file_event_win_moriya_rootkit.yml b/src/main/resources/rules/windows/file_event/file_event_win_moriya_rootkit.yml index 47213161f..c20249a0b 100644 --- a/src/main/resources/rules/windows/file_event/file_event_win_moriya_rootkit.yml +++ b/src/main/resources/rules/windows/file_event/file_event_win_moriya_rootkit.yml @@ -23,4 +23,4 @@ detection: condition: selection level: critical falsepositives: - - Unknown \ No newline at end of file + - Unknown diff --git a/src/main/resources/rules/windows/file_event/file_event_win_ntds_dit.yml b/src/main/resources/rules/windows/file_event/file_event_win_ntds_dit.yml index d95195744..8f1e16af1 100644 --- a/src/main/resources/rules/windows/file_event/file_event_win_ntds_dit.yml +++ b/src/main/resources/rules/windows/file_event/file_event_win_ntds_dit.yml @@ -4,7 +4,7 @@ description: Detects suspicious creations of a file named ntds.dit, e.g. by a Po status: experimental author: Florian Roth references: - - https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration + - https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration - https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/ - https://pentestlab.blog/tag/ntds-dit/ - https://github.com/samratashok/nishang/blob/master/Gather/Copy-VSS.ps1 @@ -19,7 +19,7 @@ detection: selection_file: TargetFilename|endswith: '\ntds.dit' selection_process: - - ParentImage|endswith: + - ParentImage|endswith: - '\powershell.exe' - '\wscript.exe' - '\cscript.exe' @@ -42,4 +42,4 @@ detection: condition: selection_file and 1 of selection_process* falsepositives: - Unknown -level: high \ No newline at end of file +level: high diff --git a/src/main/resources/rules/windows/file_event/file_event_win_ntds_exfil_tools.yml b/src/main/resources/rules/windows/file_event/file_event_win_ntds_exfil_tools.yml index 055ca56b7..818dbd79b 100644 --- a/src/main/resources/rules/windows/file_event/file_event_win_ntds_exfil_tools.yml +++ b/src/main/resources/rules/windows/file_event/file_event_win_ntds_exfil_tools.yml @@ -16,10 +16,10 @@ logsource: category: file_event detection: selection_file: - TargetFilename|endswith: + TargetFilename|endswith: - '\All.cab' # https://github.com/rapid7/metasploit-framework/blob/master/data/post/powershell/NTDSgrab.ps - '.ntds.cleartext' # https://github.com/SecureAuthCorp/impacket/blob/7d2991d78836b376452ca58b3d14daa61b67cb40/impacket/examples/secretsdump.py#L2405 condition: selection_file falsepositives: - Unknown -level: high \ No newline at end of file +level: high diff --git a/src/main/resources/rules/windows/file_event/file_event_win_outlook_c2_macro_creation.yml b/src/main/resources/rules/windows/file_event/file_event_win_outlook_c2_macro_creation.yml index a7b44dbb1..a1ff5fb0e 100644 --- a/src/main/resources/rules/windows/file_event/file_event_win_outlook_c2_macro_creation.yml +++ b/src/main/resources/rules/windows/file_event/file_event_win_outlook_c2_macro_creation.yml @@ -1,7 +1,7 @@ title: Outlook C2 Macro Creation id: 8c31f563-f9a7-450c-bfa8-35f8f32f1f61 status: experimental -description: Detects the creation of a macro file for Outlook. Goes with win_outlook_c2_registry_key. VbaProject.OTM is explicitly mentioned in T1137. Particularly interesting if both events Registry & File Creation happens at the same time. +description: Detects the creation of a macro file for Outlook. Goes with win_outlook_c2_registry_key. VbaProject.OTM is explicitly mentioned in T1137. Particularly interesting if both events Registry & File Creation happens at the same time. references: - https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/ author: '@ScoubiMtl' @@ -16,7 +16,7 @@ logsource: category: file_event product: windows detection: - selection: + selection: TargetFilename|endswith: '\Microsoft\Outlook\VbaProject.OTM' condition: selection falsepositives: diff --git a/src/main/resources/rules/windows/file_event/file_event_win_pcre_net_temp_file.yml b/src/main/resources/rules/windows/file_event/file_event_win_pcre_net_temp_file.yml index f4668f6cc..ce3b34d87 100644 --- a/src/main/resources/rules/windows/file_event/file_event_win_pcre_net_temp_file.yml +++ b/src/main/resources/rules/windows/file_event/file_event_win_pcre_net_temp_file.yml @@ -15,7 +15,7 @@ logsource: category: file_event product: windows detection: - selection: + selection: TargetFilename|contains: \AppData\Local\Temp\ba9ea7344a4a5f591d6e5dc32a13494b\ condition: selection falsepositives: diff --git a/src/main/resources/rules/windows/file_event/file_event_win_pingback_backdoor.yml b/src/main/resources/rules/windows/file_event/file_event_win_pingback_backdoor.yml index 5b9417ab3..c5681493d 100644 --- a/src/main/resources/rules/windows/file_event/file_event_win_pingback_backdoor.yml +++ b/src/main/resources/rules/windows/file_event/file_event_win_pingback_backdoor.yml @@ -15,10 +15,10 @@ logsource: product: windows category: file_event detection: - selection: + selection: Image|endswith: updata.exe TargetFilename: 'C:\Windows\oci.dll' condition: selection falsepositives: - Very unlikely -level: high \ No newline at end of file +level: high diff --git a/src/main/resources/rules/windows/file_event/file_event_win_powershell_startup_shortcuts.yml b/src/main/resources/rules/windows/file_event/file_event_win_powershell_startup_shortcuts.yml index a7ed3cfae..07352b86e 100644 --- a/src/main/resources/rules/windows/file_event/file_event_win_powershell_startup_shortcuts.yml +++ b/src/main/resources/rules/windows/file_event/file_event_win_powershell_startup_shortcuts.yml @@ -2,7 +2,7 @@ title: PowerShell Writing Startup Shortcuts id: 92fa78e7-4d39-45f1-91a3-8b23f3f1088d description: Attempts to detect PowerShell writing startup shortcuts. This procedure was highlighted in Red Canary Intel Insights Oct. 2021, "We frequently observe adversaries using PowerShell to write malicious .lnk files into the startup directory to establish persistence. Accordingly, this detection opportunity is likely to identify persistence mechanisms in multiple threats. In the context of Yellow Cockatoo, this persistence mechanism eventually launches the command-line script that leads to the installation of a malicious DLL" status: experimental -references: +references: - https://redcanary.com/blog/intelligence-insights-october-2021/ - https://github.com/redcanaryco/atomic-red-team/blob/36d49de4c8b00bf36054294b4a1fcbab3917d7c5/atomics/T1547.001/T1547.001.md#atomic-test-7---add-executable-shortcut-link-to-user-startup-folder tags: diff --git a/src/main/resources/rules/windows/file_event/file_event_win_rclone_exec_file.yml b/src/main/resources/rules/windows/file_event/file_event_win_rclone_exec_file.yml index 126403a34..d022d2a48 100644 --- a/src/main/resources/rules/windows/file_event/file_event_win_rclone_exec_file.yml +++ b/src/main/resources/rules/windows/file_event/file_event_win_rclone_exec_file.yml @@ -12,7 +12,7 @@ tags: - attack.t1567.002 falsepositives: - Legitimate Rclone usage (rare) -level: high +level: high logsource: product: windows category: file_event @@ -21,4 +21,4 @@ detection: TargetFilename|contains|all: - ':\Users\' - '\.config\rclone\' - condition: selection \ No newline at end of file + condition: selection diff --git a/src/main/resources/rules/windows/file_event/file_event_win_sam_dump.yml b/src/main/resources/rules/windows/file_event/file_event_win_sam_dump.yml index 32302222c..1415a867e 100644 --- a/src/main/resources/rules/windows/file_event/file_event_win_sam_dump.yml +++ b/src/main/resources/rules/windows/file_event/file_event_win_sam_dump.yml @@ -18,7 +18,7 @@ logsource: category: file_event detection: selection: - - TargetFilename|endswith: + - TargetFilename|endswith: - '\Temp\sam' - '\sam.sav' - '\Intel\sam' diff --git a/src/main/resources/rules/windows/file_event/file_event_win_screenconnect_artefact.yml b/src/main/resources/rules/windows/file_event/file_event_win_screenconnect_artefact.yml index 60416b5f9..5a3e18eb5 100644 --- a/src/main/resources/rules/windows/file_event/file_event_win_screenconnect_artefact.yml +++ b/src/main/resources/rules/windows/file_event/file_event_win_screenconnect_artefact.yml @@ -4,7 +4,7 @@ status: experimental description: | An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. - Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land) + Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land) references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1219/T1219.md#atomic-test-5---screenconnect-application-download-and-install-on-windows author: frack113 diff --git a/src/main/resources/rules/windows/file_event/file_event_win_script_creation_by_office_using_file_ext.yml b/src/main/resources/rules/windows/file_event/file_event_win_script_creation_by_office_using_file_ext.yml index 373c4c6dd..e0cddd951 100644 --- a/src/main/resources/rules/windows/file_event/file_event_win_script_creation_by_office_using_file_ext.yml +++ b/src/main/resources/rules/windows/file_event/file_event_win_script_creation_by_office_using_file_ext.yml @@ -1,6 +1,6 @@ title: Created Files by Office Applications id: c7a74c80-ba5a-486e-9974-ab9e682bc5e4 -description: This rule will monitor executable and script file creation by office applications. Please add more file extensions or magic bytes to the logic of your choice. +description: This rule will monitor executable and script file creation by office applications. Please add more file extensions or magic bytes to the logic of your choice. references: - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/ - https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/main/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml diff --git a/src/main/resources/rules/windows/file_event/file_event_win_susp_desktop_txt.yml b/src/main/resources/rules/windows/file_event/file_event_win_susp_desktop_txt.yml index 2f2608892..d889bf947 100644 --- a/src/main/resources/rules/windows/file_event/file_event_win_susp_desktop_txt.yml +++ b/src/main/resources/rules/windows/file_event/file_event_win_susp_desktop_txt.yml @@ -11,7 +11,7 @@ logsource: category: file_event detection: selection: - Image|endswith: \cmd.exe + Image|endswith: \cmd.exe TargetFilename|contains|all: - \Users\ - \Desktop\ diff --git a/src/main/resources/rules/windows/file_event/file_event_win_susp_diagcab.yml b/src/main/resources/rules/windows/file_event/file_event_win_susp_diagcab.yml index da940be20..773ec8ee5 100644 --- a/src/main/resources/rules/windows/file_event/file_event_win_susp_diagcab.yml +++ b/src/main/resources/rules/windows/file_event/file_event_win_susp_diagcab.yml @@ -12,9 +12,9 @@ logsource: detection: selection: TargetFilename|endswith: '.diagcab' - condition: selection + condition: selection falsepositives: - - Legitimate microsoft diagcab + - Legitimate microsoft diagcab level: medium tags: - attack.resource_development diff --git a/src/main/resources/rules/windows/file_event/file_event_win_susp_dropper.yml b/src/main/resources/rules/windows/file_event/file_event_win_susp_dropper.yml index 978eb6ae1..6fe4fcf55 100644 --- a/src/main/resources/rules/windows/file_event/file_event_win_susp_dropper.yml +++ b/src/main/resources/rules/windows/file_event/file_event_win_susp_dropper.yml @@ -15,7 +15,7 @@ detection: Image|endswith: '.exe' TargetFilename|endswith: '.exe' filter_whitelist: - Image: + Image: - 'C:\Windows\System32\msiexec.exe' - 'C:\Windows\system32\cleanmgr.exe' - 'C:\Windows\explorer.exe' diff --git a/src/main/resources/rules/windows/file_event/file_event_win_susp_exchange_aspx_write.yml b/src/main/resources/rules/windows/file_event/file_event_win_susp_exchange_aspx_write.yml index 82ed285c9..644d6dba8 100644 --- a/src/main/resources/rules/windows/file_event/file_event_win_susp_exchange_aspx_write.yml +++ b/src/main/resources/rules/windows/file_event/file_event_win_susp_exchange_aspx_write.yml @@ -17,7 +17,7 @@ logsource: detection: selection: Image|endswith: '\MSExchangeMailboxReplication.exe' - TargetFilename|endswith: + TargetFilename|endswith: - '.aspx' - '.asp' condition: selection diff --git a/src/main/resources/rules/windows/file_event/file_event_win_susp_get_variable.yml b/src/main/resources/rules/windows/file_event/file_event_win_susp_get_variable.yml index d5060e84e..60044d5a4 100644 --- a/src/main/resources/rules/windows/file_event/file_event_win_susp_get_variable.yml +++ b/src/main/resources/rules/windows/file_event/file_event_win_susp_get_variable.yml @@ -1,4 +1,4 @@ -title: Suspicious Get-Variable.exe Creation +title: Suspicious Get-Variable.exe Creation id: 0c3fac91-5627-46e8-a6a8-a0d7b9b8ae1b status: experimental description: | @@ -16,7 +16,7 @@ logsource: detection: selection: TargetFilename|endswith: 'Local\Microsoft\WindowsApps\Get-Variable.exe' - condition: selection + condition: selection falsepositives: - Unknown level: high @@ -25,4 +25,3 @@ tags: - attack.t1546 - attack.defense_evasion - attack.t1027 - diff --git a/src/main/resources/rules/windows/file_event/file_event_win_susp_system_interactive_powershell.yml b/src/main/resources/rules/windows/file_event/file_event_win_susp_system_interactive_powershell.yml index 06d957aa8..b8e54a0e4 100644 --- a/src/main/resources/rules/windows/file_event/file_event_win_susp_system_interactive_powershell.yml +++ b/src/main/resources/rules/windows/file_event/file_event_win_susp_system_interactive_powershell.yml @@ -11,7 +11,7 @@ logsource: category: file_event detection: selection: - TargetFilename: + TargetFilename: - 'C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt' - 'C:\Windows\System32\config\systemprofile\AppData\\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive' condition: selection diff --git a/src/main/resources/rules/windows/file_event/file_event_win_susp_task_write.yml b/src/main/resources/rules/windows/file_event/file_event_win_susp_task_write.yml index c2cee9c49..cf1572edd 100644 --- a/src/main/resources/rules/windows/file_event/file_event_win_susp_task_write.yml +++ b/src/main/resources/rules/windows/file_event/file_event_win_susp_task_write.yml @@ -10,14 +10,14 @@ modified: 2022/01/12 tags: - attack.persistence - attack.execution - - attack.t1053 + - attack.t1053 logsource: product: windows category: file_event detection: selection: TargetFilename|contains: '\Windows\System32\Tasks' - Image|contains: + Image|contains: - '\AppData\' - 'C:\PerfLogs' - '\Windows\System32\config\systemprofile' diff --git a/src/main/resources/rules/windows/file_event/file_event_win_susp_teamviewer_remote_session.yml b/src/main/resources/rules/windows/file_event/file_event_win_susp_teamviewer_remote_session.yml index 8d6fd06ce..bc6e34bd4 100644 --- a/src/main/resources/rules/windows/file_event/file_event_win_susp_teamviewer_remote_session.yml +++ b/src/main/resources/rules/windows/file_event/file_event_win_susp_teamviewer_remote_session.yml @@ -14,11 +14,11 @@ logsource: category: file_event detection: selection1: - TargetFilename|endswith: + TargetFilename|endswith: - '\TeamViewer\RemotePrinting\tvprint.db' - '\TeamViewer\TVNetwork.log' selection2: - TargetFilename|contains|all: + TargetFilename|contains|all: - '\TeamViewer' - '_Logfile.log' condition: 1 of selection* diff --git a/src/main/resources/rules/windows/file_event/file_event_win_tool_psexec.yml b/src/main/resources/rules/windows/file_event/file_event_win_tool_psexec.yml index b51057aa6..5abde5b85 100644 --- a/src/main/resources/rules/windows/file_event/file_event_win_tool_psexec.yml +++ b/src/main/resources/rules/windows/file_event/file_event_win_tool_psexec.yml @@ -32,4 +32,4 @@ detection: condition: selection falsepositives: - Unknown -level: low \ No newline at end of file +level: low diff --git a/src/main/resources/rules/windows/file_event/file_event_win_win_cscript_wscript_dropper.yml b/src/main/resources/rules/windows/file_event/file_event_win_win_cscript_wscript_dropper.yml index b28196367..65f80bfd4 100644 --- a/src/main/resources/rules/windows/file_event/file_event_win_win_cscript_wscript_dropper.yml +++ b/src/main/resources/rules/windows/file_event/file_event_win_win_cscript_wscript_dropper.yml @@ -2,7 +2,7 @@ title: WScript or CScript Dropper id: 002bdb95-0cf1-46a6-9e08-d38c128a6127 status: experimental description: Detects a file ending in jse, vbe, js, vba, vbs written by cscript.exe or wscript.exe -related: +related: - id: cea72823-df4d-4567-950c-0b579eaf0846 type: derived references: @@ -18,10 +18,10 @@ detection: Image|endswith: - '\wscript.exe' - '\cscript.exe' - TargetFilename|startswith: + TargetFilename|startswith: - 'C:\Users\' - 'C:\ProgramData' - TargetFilename|endswith: + TargetFilename|endswith: - '.jse' - '.vbe' - '.js' diff --git a/src/main/resources/rules/windows/file_event/file_event_win_win_shell_write_susp_directory.yml b/src/main/resources/rules/windows/file_event/file_event_win_win_shell_write_susp_directory.yml index 9de9a86c8..da3ed3385 100644 --- a/src/main/resources/rules/windows/file_event/file_event_win_win_shell_write_susp_directory.yml +++ b/src/main/resources/rules/windows/file_event/file_event_win_win_shell_write_susp_directory.yml @@ -21,7 +21,7 @@ detection: - '\bash.exe' - '\msbuild.exe' # https://github.com/elastic/detection-rules/blob/main/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml - '\certutil.exe' - TargetFilename|contains: + TargetFilename|contains: - 'C:\Users\Public' - 'C:\PerfLogs' selection_program: @@ -33,7 +33,7 @@ detection: - '\forfiles.exe' - '\scriptrunner.exe' - '\certutil.exe' - TargetFilename|contains: + TargetFilename|contains: - 'C:\Users\Public' - 'C:\PerfLogs' - '\AppData\' diff --git a/src/main/resources/rules/windows/file_event/file_event_win_winrm_awl_bypass.yml b/src/main/resources/rules/windows/file_event/file_event_win_winrm_awl_bypass.yml index 572c319f9..5768143dc 100644 --- a/src/main/resources/rules/windows/file_event/file_event_win_winrm_awl_bypass.yml +++ b/src/main/resources/rules/windows/file_event/file_event_win_winrm_awl_bypass.yml @@ -18,7 +18,7 @@ logsource: category: file_event detection: system_files: - TargetFilename|endswith: + TargetFilename|endswith: - 'WsmPty.xsl' - 'WsmTxt.xsl' in_system_folder: @@ -28,4 +28,4 @@ detection: condition: system_files and not in_system_folder level: medium falsepositives: - - Unlikely \ No newline at end of file + - Unlikely diff --git a/src/main/resources/rules/windows/file_event/file_event_win_wmiprvse_wbemcomn_dll_hijack.yml b/src/main/resources/rules/windows/file_event/file_event_win_wmiprvse_wbemcomn_dll_hijack.yml index 07e01fa6a..c7d94671c 100644 --- a/src/main/resources/rules/windows/file_event/file_event_win_wmiprvse_wbemcomn_dll_hijack.yml +++ b/src/main/resources/rules/windows/file_event/file_event_win_wmiprvse_wbemcomn_dll_hijack.yml @@ -22,4 +22,4 @@ detection: condition: selection falsepositives: - Unknown -level: critical \ No newline at end of file +level: critical diff --git a/src/main/resources/rules/windows/file_event/file_event_win_writing_local_admin_share.yml b/src/main/resources/rules/windows/file_event/file_event_win_writing_local_admin_share.yml index 5df4b850e..6c7ca5e58 100644 --- a/src/main/resources/rules/windows/file_event/file_event_win_writing_local_admin_share.yml +++ b/src/main/resources/rules/windows/file_event/file_event_win_writing_local_admin_share.yml @@ -1,7 +1,7 @@ title: Writing Local Admin Share id: 4aafb0fa-bff5-4b9d-b99e-8093e659c65f status: experimental -description: | +description: | Aversaries may use to interact with a remote network share using Server Message Block (SMB). This technique is used by post-exploitation frameworks. author: frack113 @@ -16,10 +16,10 @@ detection: TargetFilename|contains|all: - '\\127.0.0' - '\ADMIN$\' - condition: selection + condition: selection falsepositives: - Unknown level: medium tags: - attack.lateral_movement - - attack.t1546.002 \ No newline at end of file + - attack.t1546.002 diff --git a/src/main/resources/rules/windows/image_load/image_load_alternate_powershell_hosts_moduleload.yml b/src/main/resources/rules/windows/image_load/image_load_alternate_powershell_hosts_moduleload.yml index ddd6e5490..a38f37e52 100644 --- a/src/main/resources/rules/windows/image_load/image_load_alternate_powershell_hosts_moduleload.yml +++ b/src/main/resources/rules/windows/image_load/image_load_alternate_powershell_hosts_moduleload.yml @@ -29,4 +29,4 @@ detection: condition: selection and not filter falsepositives: - Unknown -level: low \ No newline at end of file +level: low diff --git a/src/main/resources/rules/windows/image_load/image_load_msdt_sdiageng.yml b/src/main/resources/rules/windows/image_load/image_load_msdt_sdiageng.yml index 1db0d173d..a57e21014 100644 --- a/src/main/resources/rules/windows/image_load/image_load_msdt_sdiageng.yml +++ b/src/main/resources/rules/windows/image_load/image_load_msdt_sdiageng.yml @@ -1,7 +1,7 @@ title: MSDT.exe Loading Diagnostic Library id: ec8c4047-fad9-416a-8c81-0f479353d7f6 status: experimental -description: Detects both of CVE-2022-30190 / Follina and DogWalk vulnerability exploiting msdt.exe binary to load sdiageng.dll binary +description: Detects both of CVE-2022-30190 / Follina and DogWalk vulnerability exploiting msdt.exe binary to load sdiageng.dll binary author: Greg (rule) references: - https://www.securonix.com/blog/detecting-microsoft-msdt-dogwalk/ diff --git a/src/main/resources/rules/windows/image_load/image_load_pcre_net_load.yml b/src/main/resources/rules/windows/image_load/image_load_pcre_net_load.yml index 3debcfa6f..00899b15c 100644 --- a/src/main/resources/rules/windows/image_load/image_load_pcre_net_load.yml +++ b/src/main/resources/rules/windows/image_load/image_load_pcre_net_load.yml @@ -15,7 +15,7 @@ logsource: category: image_load product: windows detection: - selection: + selection: ImageLoaded|contains: \AppData\Local\Temp\ba9ea7344a4a5f591d6e5dc32a13494b\ condition: selection falsepositives: diff --git a/src/main/resources/rules/windows/image_load/image_load_pingback_backdoor.yml b/src/main/resources/rules/windows/image_load/image_load_pingback_backdoor.yml index fd9ed05c8..b148df4a1 100644 --- a/src/main/resources/rules/windows/image_load/image_load_pingback_backdoor.yml +++ b/src/main/resources/rules/windows/image_load/image_load_pingback_backdoor.yml @@ -21,4 +21,4 @@ detection: condition: selection falsepositives: - Very unlikely -level: high \ No newline at end of file +level: high diff --git a/src/main/resources/rules/windows/image_load/image_load_silenttrinity_stage_use.yml b/src/main/resources/rules/windows/image_load/image_load_silenttrinity_stage_use.yml index f935150fd..65e325d77 100644 --- a/src/main/resources/rules/windows/image_load/image_load_silenttrinity_stage_use.yml +++ b/src/main/resources/rules/windows/image_load/image_load_silenttrinity_stage_use.yml @@ -22,4 +22,4 @@ detection: condition: selection falsepositives: - Unknown -level: high \ No newline at end of file +level: high diff --git a/src/main/resources/rules/windows/image_load/image_load_spoolsv_dll_load.yml b/src/main/resources/rules/windows/image_load/image_load_spoolsv_dll_load.yml index 9d3a83290..65488a97d 100644 --- a/src/main/resources/rules/windows/image_load/image_load_spoolsv_dll_load.yml +++ b/src/main/resources/rules/windows/image_load/image_load_spoolsv_dll_load.yml @@ -28,4 +28,4 @@ tags: - attack.privilege_escalation - attack.t1574 - cve.2021.1675 - - cve.2021.34527 \ No newline at end of file + - cve.2021.34527 diff --git a/src/main/resources/rules/windows/image_load/image_load_susp_python_image_load.yml b/src/main/resources/rules/windows/image_load/image_load_susp_python_image_load.yml index 79b4ceff8..40bc1f50d 100644 --- a/src/main/resources/rules/windows/image_load/image_load_susp_python_image_load.yml +++ b/src/main/resources/rules/windows/image_load/image_load_susp_python_image_load.yml @@ -18,7 +18,7 @@ detection: selection: Description: 'Python Core' filter: - - Image|contains: + - Image|contains: - 'Python' # FPs with python38.dll, python.exe etc. - Image|startswith: - 'C:\Program Files\' @@ -28,4 +28,4 @@ fields: - Description falsepositives: - Legit Py2Exe Binaries -level: medium \ No newline at end of file +level: medium diff --git a/src/main/resources/rules/windows/image_load/image_load_susp_system_drawing_load.yml b/src/main/resources/rules/windows/image_load/image_load_susp_system_drawing_load.yml index 866440fb5..870eb65ff 100644 --- a/src/main/resources/rules/windows/image_load/image_load_susp_system_drawing_load.yml +++ b/src/main/resources/rules/windows/image_load/image_load_susp_system_drawing_load.yml @@ -18,7 +18,7 @@ detection: selection: ImageLoaded|endswith: '\System.Drawing.ni.dll' filter: - # The number of false positives was too high - we had to do this broader filter + # The number of false positives was too high - we had to do this broader filter # based on the following paths that shouldn't be writable to an unprivileged user Image|startswith: - 'C:\Program Files\' @@ -34,4 +34,4 @@ detection: condition: selection and not 1 of filter* falsepositives: - Unknown -level: low # too many false positives \ No newline at end of file +level: low # too many false positives diff --git a/src/main/resources/rules/windows/image_load/image_load_tttracer_mod_load.yml b/src/main/resources/rules/windows/image_load/image_load_tttracer_mod_load.yml index c40117488..564dad973 100644 --- a/src/main/resources/rules/windows/image_load/image_load_tttracer_mod_load.yml +++ b/src/main/resources/rules/windows/image_load/image_load_tttracer_mod_load.yml @@ -6,7 +6,7 @@ references: - https://lolbas-project.github.io/lolbas/Binaries/Tttracer/ - https://twitter.com/mattifestation/status/1196390321783025666 - https://twitter.com/oulusoyum/status/1191329746069655553 -author: 'Ensar Şamil, @sblmsrsn, @oscd_initiative' +author: 'Ensar Şamil, @sblmsrsn, @oscd_initiative' date: 2020/10/06 modified: 2021/09/21 tags: @@ -26,4 +26,4 @@ detection: condition: selection falsepositives: - Legitimate usage by software developers/testers -level: high \ No newline at end of file +level: high diff --git a/src/main/resources/rules/windows/image_load/image_load_usp_svchost_clfsw32.yml b/src/main/resources/rules/windows/image_load/image_load_usp_svchost_clfsw32.yml index ae9008a44..d516ccc03 100644 --- a/src/main/resources/rules/windows/image_load/image_load_usp_svchost_clfsw32.yml +++ b/src/main/resources/rules/windows/image_load/image_load_usp_svchost_clfsw32.yml @@ -20,4 +20,4 @@ level: high tags: - attack.defense_evasion - attack.privilege_escalation - - attack.t1055 \ No newline at end of file + - attack.t1055 diff --git a/src/main/resources/rules/windows/image_load/image_load_wmi_module_load.yml b/src/main/resources/rules/windows/image_load/image_load_wmi_module_load.yml index 971fdb340..d4794d086 100644 --- a/src/main/resources/rules/windows/image_load/image_load_wmi_module_load.yml +++ b/src/main/resources/rules/windows/image_load/image_load_wmi_module_load.yml @@ -14,7 +14,7 @@ logsource: category: image_load product: windows detection: - selection: + selection: ImageLoaded|endswith: - '\wmiclnt.dll' - '\WmiApRpl.dll' @@ -63,4 +63,3 @@ fields: falsepositives: - Unknown level: informational # too many false positives - diff --git a/src/main/resources/rules/windows/image_load/image_load_wmiprvse_wbemcomn_dll_hijack.yml b/src/main/resources/rules/windows/image_load/image_load_wmiprvse_wbemcomn_dll_hijack.yml index 46a28be56..35b8901b4 100644 --- a/src/main/resources/rules/windows/image_load/image_load_wmiprvse_wbemcomn_dll_hijack.yml +++ b/src/main/resources/rules/windows/image_load/image_load_wmiprvse_wbemcomn_dll_hijack.yml @@ -15,7 +15,7 @@ references: logsource: product: windows category: image_load -detection: +detection: selection: Image|endswith: '\wmiprvse.exe' ImageLoaded|endswith: '\wbem\wbemcomn.dll' diff --git a/src/main/resources/rules/windows/image_load/image_load_wsman_provider_image_load.yml b/src/main/resources/rules/windows/image_load/image_load_wsman_provider_image_load.yml index 0866768d5..001e3ec92 100644 --- a/src/main/resources/rules/windows/image_load/image_load_wsman_provider_image_load.yml +++ b/src/main/resources/rules/windows/image_load/image_load_wsman_provider_image_load.yml @@ -32,23 +32,23 @@ detection: Image|endswith: '\svchost.exe' OriginalFileName: 'WsmWmiPl.dll' filter_general: - Image|endswith: + Image|endswith: - '\powershell.exe' - 'C:\Windows\System32\sdiagnhost.exe' - 'C:\Windows\System32\services.exe' filter_svchost: # not available in Sysmon data, but Aurora logs - CommandLine|contains: + CommandLine|contains: - 'svchost.exe -k netsvcs -p -s BITS' - 'svchost.exe -k GraphicsPerfSvcGroup -s GraphicsPerfSvc' - 'svchost.exe -k NetworkService -p -s Wecsvc' - 'svchost.exe -k netsvcs' filter_mscorsvw: #Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe - Image|startswith: + Image|startswith: - C:\Windows\Microsoft.NET\Framework64\v - C:\Windows\Microsoft.NET\Framework\v Image|endswith: \mscorsvw.exe filter_svr_2019: - Image: + Image: - 'C:\Windows\System32\Configure-SMRemoting.exe' - 'C:\Windows\System32\ServerManager.exe' filter_nextron: diff --git a/src/main/resources/rules/windows/network_connection/net_connection_susp_win_binary_no_cmdline.yml b/src/main/resources/rules/windows/network_connection/net_connection_susp_win_binary_no_cmdline.yml index 3070ecd6c..32b74d4f4 100644 --- a/src/main/resources/rules/windows/network_connection/net_connection_susp_win_binary_no_cmdline.yml +++ b/src/main/resources/rules/windows/network_connection/net_connection_susp_win_binary_no_cmdline.yml @@ -12,7 +12,7 @@ logsource: detection: selection: Initiated: 'true' - Image|endswith: + Image|endswith: - '\regsvr32.exe' - '\rundll32.exe' - '\dllhost.exe' diff --git a/src/main/resources/rules/windows/network_connection/net_connection_win_crypto_mining.yml b/src/main/resources/rules/windows/network_connection/net_connection_win_crypto_mining.yml index 10fbd6fe1..01b69c254 100644 --- a/src/main/resources/rules/windows/network_connection/net_connection_win_crypto_mining.yml +++ b/src/main/resources/rules/windows/network_connection/net_connection_win_crypto_mining.yml @@ -11,7 +11,7 @@ logsource: product: windows detection: selection: - DestinationHostname: + DestinationHostname: - 'pool.minexmr.com' - 'fr.minexmr.com' - 'de.minexmr.com' @@ -40,4 +40,4 @@ falsepositives: level: high tags: - attack.impact - - attack.t1496 \ No newline at end of file + - attack.t1496 diff --git a/src/main/resources/rules/windows/network_connection/net_connection_win_imewdbld.yml b/src/main/resources/rules/windows/network_connection/net_connection_win_imewdbld.yml index bbd5d676c..e996d5152 100644 --- a/src/main/resources/rules/windows/network_connection/net_connection_win_imewdbld.yml +++ b/src/main/resources/rules/windows/network_connection/net_connection_win_imewdbld.yml @@ -20,4 +20,4 @@ falsepositives: level: high tags: - attack.command_and_control - - attack.t1105 \ No newline at end of file + - attack.t1105 diff --git a/src/main/resources/rules/windows/network_connection/net_connection_win_msiexec.yml b/src/main/resources/rules/windows/network_connection/net_connection_win_msiexec.yml index 4233f744c..e4c475456 100644 --- a/src/main/resources/rules/windows/network_connection/net_connection_win_msiexec.yml +++ b/src/main/resources/rules/windows/network_connection/net_connection_win_msiexec.yml @@ -15,11 +15,11 @@ logsource: detection: selection: Initiated: 'true' - Image|endswith: '\msiexec.exe' + Image|endswith: '\msiexec.exe' condition: selection falsepositives: - Legitimate msiexec over networks level: medium tags: - attack.defense_evasion - - attack.t1218.007 \ No newline at end of file + - attack.t1218.007 diff --git a/src/main/resources/rules/windows/network_connection/net_connection_win_python.yml b/src/main/resources/rules/windows/network_connection/net_connection_win_python.yml index 5f1b656af..f74eda369 100644 --- a/src/main/resources/rules/windows/network_connection/net_connection_win_python.yml +++ b/src/main/resources/rules/windows/network_connection/net_connection_win_python.yml @@ -20,4 +20,4 @@ falsepositives: level: high tags: - attack.discovery - - attack.t1046 \ No newline at end of file + - attack.t1046 diff --git a/src/main/resources/rules/windows/network_connection/net_connection_win_regsvr32_network_activity.yml b/src/main/resources/rules/windows/network_connection/net_connection_win_regsvr32_network_activity.yml index 79d24648f..5102e5bf7 100644 --- a/src/main/resources/rules/windows/network_connection/net_connection_win_regsvr32_network_activity.yml +++ b/src/main/resources/rules/windows/network_connection/net_connection_win_regsvr32_network_activity.yml @@ -29,4 +29,4 @@ tags: - attack.execution - attack.t1559.001 - attack.defense_evasion - - attack.t1218.010 \ No newline at end of file + - attack.t1218.010 diff --git a/src/main/resources/rules/windows/network_connection/net_connection_win_susp_dropbox_api.yml b/src/main/resources/rules/windows/network_connection/net_connection_win_susp_dropbox_api.yml index 4442ccbe7..ea7ccaada 100644 --- a/src/main/resources/rules/windows/network_connection/net_connection_win_susp_dropbox_api.yml +++ b/src/main/resources/rules/windows/network_connection/net_connection_win_susp_dropbox_api.yml @@ -13,7 +13,7 @@ logsource: detection: selection: Initiated: 'true' - DestinationHostname|endswith: + DestinationHostname|endswith: - 'api.dropboxapi.com' - 'content.dropboxapi.com' filter: diff --git a/src/main/resources/rules/windows/network_connection/net_connection_win_susp_outbound_smtp_connections.yml b/src/main/resources/rules/windows/network_connection/net_connection_win_susp_outbound_smtp_connections.yml index e6f09eb98..8ad5d65cd 100644 --- a/src/main/resources/rules/windows/network_connection/net_connection_win_susp_outbound_smtp_connections.yml +++ b/src/main/resources/rules/windows/network_connection/net_connection_win_susp_outbound_smtp_connections.yml @@ -3,7 +3,7 @@ id: 9976fa64-2804-423c-8a5b-646ade840773 status: experimental description: | Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel. - The data may also be sent to an alternate network location from the main command and control server. + The data may also be sent to an alternate network location from the main command and control server. references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.003/T1048.003.md#atomic-test-5---exfiltration-over-alternative-protocol---smtp - https://www.ietf.org/rfc/rfc2821.txt @@ -15,7 +15,7 @@ logsource: product: windows detection: selection: - DestinationPort: + DestinationPort: - 25 - 587 - 465 @@ -33,4 +33,4 @@ falsepositives: level: medium tags: - attack.exfiltration - - attack.t1048.003 \ No newline at end of file + - attack.t1048.003 diff --git a/src/main/resources/rules/windows/pipe_created/pipe_created_mal_cobaltstrike.yml b/src/main/resources/rules/windows/pipe_created/pipe_created_mal_cobaltstrike.yml index d55792423..548eec632 100644 --- a/src/main/resources/rules/windows/pipe_created/pipe_created_mal_cobaltstrike.yml +++ b/src/main/resources/rules/windows/pipe_created/pipe_created_mal_cobaltstrike.yml @@ -19,7 +19,7 @@ logsource: definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? You can always use Cobalt Strike, but also you can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575' detection: selection_MSSE: - PipeName|contains|all: + PipeName|contains|all: - '\MSSE-' - '-server' selection_postex: diff --git a/src/main/resources/rules/windows/pipe_created/pipe_created_mal_namedpipes.yml b/src/main/resources/rules/windows/pipe_created/pipe_created_mal_namedpipes.yml index 0ed419a21..3f0b76b69 100644 --- a/src/main/resources/rules/windows/pipe_created/pipe_created_mal_namedpipes.yml +++ b/src/main/resources/rules/windows/pipe_created/pipe_created_mal_namedpipes.yml @@ -24,34 +24,34 @@ logsource: definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? You can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575' detection: selection: - PipeName: + PipeName: - '\isapi_http' # Uroburos Malware - - '\isapi_dg' # Uroburos Malware + - '\isapi_dg' # Uroburos Malware - '\isapi_dg2' # Uroburos Malware - '\sdlrpc' # Cobra Trojan - '\ahexec' # Sofacy group malware - - '\winsession' # Wild Neutron APT malware - - '\lsassw' # Wild Neutron APT malware - - '\46a676ab7f179e511e30dd2dc41bd388' # Project Sauron + - '\winsession' # Wild Neutron APT malware + - '\lsassw' # Wild Neutron APT malware + - '\46a676ab7f179e511e30dd2dc41bd388' # Project Sauron - '\9f81f59bc58452127884ce513865ed20' # Project Sauron - - '\e710f28d59aa529d6792ca6ff0ca1b34' # Project Sauron - - '\rpchlp_3' # Project Sauron - - '\NamePipe_MoreWindows' # Cloud Hopper - RedLeaves + - '\e710f28d59aa529d6792ca6ff0ca1b34' # Project Sauron + - '\rpchlp_3' # Project Sauron + - '\NamePipe_MoreWindows' # Cloud Hopper - RedLeaves - '\pcheap_reuse' # Pipe used by Equation Group malware - - '\gruntsvc' # Covenant default + - '\gruntsvc' # Covenant default # - '\status_*' # CS default https://github.com/Neo23x0/sigma/issues/253 - - '\583da945-62af-10e8-4902-a8f205c72b2e' # SolarWinds SUNBURST malware - - '\bizkaz' # Snatch Ransomware - - '\svcctl' #Crackmapexec smbexec default - - '\Posh*' #PoshC2 default - - '\jaccdpqnvbrrxlaf' #PoshC2 default + - '\583da945-62af-10e8-4902-a8f205c72b2e' # SolarWinds SUNBURST malware + - '\bizkaz' # Snatch Ransomware + - '\svcctl' #Crackmapexec smbexec default + - '\Posh*' #PoshC2 default + - '\jaccdpqnvbrrxlaf' #PoshC2 default - '\csexecsvc' #CSEXEC default - - '\6e7645c4-32c5-4fe3-aabf-e94c2f4370e7' # LiquidSnake - - '\adschemerpc' # Turla HyperStack + - '\6e7645c4-32c5-4fe3-aabf-e94c2f4370e7' # LiquidSnake + - '\adschemerpc' # Turla HyperStack - '\AnonymousPipe' # Hidden Cobra Hoplight - - '\bc367' # Pacifier - - '\bc31a7' # Pacifier - - '\testPipe' # Emissary Panda Hyperbro + - '\bc367' # Pacifier + - '\bc31a7' # Pacifier + - '\testPipe' # Emissary Panda Hyperbro - '\dce_3d' #Qbot condition: selection tags: diff --git a/src/main/resources/rules/windows/pipe_created/pipe_created_susp_wmi_consumer_namedpipe.yml b/src/main/resources/rules/windows/pipe_created/pipe_created_susp_wmi_consumer_namedpipe.yml index 20ee7ade7..f794b01e6 100644 --- a/src/main/resources/rules/windows/pipe_created/pipe_created_susp_wmi_consumer_namedpipe.yml +++ b/src/main/resources/rules/windows/pipe_created/pipe_created_susp_wmi_consumer_namedpipe.yml @@ -18,5 +18,5 @@ falsepositives: - Unknown level: high tags: - - attack.t1047 - - attack.execution \ No newline at end of file + - attack.t1047 + - attack.execution diff --git a/src/main/resources/rules/windows/powershell/powershell_classic/posh_pc_alternate_powershell_hosts.yml b/src/main/resources/rules/windows/powershell/powershell_classic/posh_pc_alternate_powershell_hosts.yml index af42eb123..285b24179 100644 --- a/src/main/resources/rules/windows/powershell/powershell_classic/posh_pc_alternate_powershell_hosts.yml +++ b/src/main/resources/rules/windows/powershell/powershell_classic/posh_pc_alternate_powershell_hosts.yml @@ -28,4 +28,4 @@ falsepositives: - Programs using PowerShell directly without invocation of a dedicated interpreter - MSP Detection Searcher - Citrix ConfigSync.ps1 -level: medium \ No newline at end of file +level: medium diff --git a/src/main/resources/rules/windows/powershell/powershell_classic/posh_pc_powercat.yml b/src/main/resources/rules/windows/powershell/powershell_classic/posh_pc_powercat.yml index b9e8c6e79..42a52cfe2 100644 --- a/src/main/resources/rules/windows/powershell/powershell_classic/posh_pc_powercat.yml +++ b/src/main/resources/rules/windows/powershell/powershell_classic/posh_pc_powercat.yml @@ -24,7 +24,7 @@ detection: HostApplication|contains: - 'powercat ' - 'powercat.ps1' - condition: selection + condition: selection falsepositives: - Unknown -level: medium \ No newline at end of file +level: medium diff --git a/src/main/resources/rules/windows/powershell/powershell_classic/posh_pc_remote_powershell_session.yml b/src/main/resources/rules/windows/powershell/powershell_classic/posh_pc_remote_powershell_session.yml index 4ce2aad71..d1916221e 100644 --- a/src/main/resources/rules/windows/powershell/powershell_classic/posh_pc_remote_powershell_session.yml +++ b/src/main/resources/rules/windows/powershell/powershell_classic/posh_pc_remote_powershell_session.yml @@ -26,4 +26,4 @@ detection: condition: selection falsepositives: - Legitimate use remote PowerShell sessions -level: high \ No newline at end of file +level: high diff --git a/src/main/resources/rules/windows/powershell/powershell_classic/posh_pc_susp_athremotefxvgpudisablementcommand.yml b/src/main/resources/rules/windows/powershell/powershell_classic/posh_pc_susp_athremotefxvgpudisablementcommand.yml index 21bd9de4b..fd28305e9 100644 --- a/src/main/resources/rules/windows/powershell/powershell_classic/posh_pc_susp_athremotefxvgpudisablementcommand.yml +++ b/src/main/resources/rules/windows/powershell/powershell_classic/posh_pc_susp_athremotefxvgpudisablementcommand.yml @@ -35,4 +35,4 @@ fields: - ParentCommandLine falsepositives: - Unknown -level: medium \ No newline at end of file +level: medium diff --git a/src/main/resources/rules/windows/powershell/powershell_classic/posh_pc_susp_download.yml b/src/main/resources/rules/windows/powershell/powershell_classic/posh_pc_susp_download.yml index 183154501..5d5b9af66 100644 --- a/src/main/resources/rules/windows/powershell/powershell_classic/posh_pc_susp_download.yml +++ b/src/main/resources/rules/windows/powershell/powershell_classic/posh_pc_susp_download.yml @@ -27,4 +27,4 @@ detection: condition: downloadfile or downloadstring falsepositives: - PowerShell scripts that download content from the Internet -level: medium \ No newline at end of file +level: medium diff --git a/src/main/resources/rules/windows/powershell/powershell_classic/posh_pc_susp_get_nettcpconnection.yml b/src/main/resources/rules/windows/powershell/powershell_classic/posh_pc_susp_get_nettcpconnection.yml index 9f8b0ad7e..5011d11e9 100644 --- a/src/main/resources/rules/windows/powershell/powershell_classic/posh_pc_susp_get_nettcpconnection.yml +++ b/src/main/resources/rules/windows/powershell/powershell_classic/posh_pc_susp_get_nettcpconnection.yml @@ -1,4 +1,4 @@ -title: Use Get-NetTCPConnection +title: Use Get-NetTCPConnection id: b366adb4-d63d-422d-8a2c-186463b5ded0 status: experimental description: Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network. @@ -13,10 +13,10 @@ logsource: detection: selection: HostApplication|contains: Get-NetTCPConnection - condition: selection + condition: selection falsepositives: - Unknown level: low tags: - attack.discovery - - attack.t1049 \ No newline at end of file + - attack.t1049 diff --git a/src/main/resources/rules/windows/powershell/powershell_classic/posh_pc_susp_zip_compress.yml b/src/main/resources/rules/windows/powershell/powershell_classic/posh_pc_susp_zip_compress.yml index 70fa976b4..f648428d8 100644 --- a/src/main/resources/rules/windows/powershell/powershell_classic/posh_pc_susp_zip_compress.yml +++ b/src/main/resources/rules/windows/powershell/powershell_classic/posh_pc_susp_zip_compress.yml @@ -24,7 +24,7 @@ detection: - ' -Path ' - ' -DestinationPath ' - '$env:TEMP\' - condition: selection + condition: selection falsepositives: - Unknown -level: medium \ No newline at end of file +level: medium diff --git a/src/main/resources/rules/windows/powershell/powershell_module/posh_pm_alternate_powershell_hosts.yml b/src/main/resources/rules/windows/powershell/powershell_module/posh_pm_alternate_powershell_hosts.yml index 3fc16fea8..5a935ec9d 100644 --- a/src/main/resources/rules/windows/powershell/powershell_module/posh_pm_alternate_powershell_hosts.yml +++ b/src/main/resources/rules/windows/powershell/powershell_module/posh_pm_alternate_powershell_hosts.yml @@ -30,4 +30,4 @@ falsepositives: - Programs using PowerShell directly without invocation of a dedicated interpreter - MSP Detection Searcher - Citrix ConfigSync.ps1 -level: medium \ No newline at end of file +level: medium diff --git a/src/main/resources/rules/windows/powershell/powershell_module/posh_pm_decompress_commands.yml b/src/main/resources/rules/windows/powershell/powershell_module/posh_pm_decompress_commands.yml index af98c89a7..02efbcd55 100644 --- a/src/main/resources/rules/windows/powershell/powershell_module/posh_pm_decompress_commands.yml +++ b/src/main/resources/rules/windows/powershell/powershell_module/posh_pm_decompress_commands.yml @@ -24,4 +24,4 @@ detection: condition: selection_4103 falsepositives: - Unknown -level: informational \ No newline at end of file +level: informational diff --git a/src/main/resources/rules/windows/powershell/powershell_module/posh_pm_get_clipboard.yml b/src/main/resources/rules/windows/powershell/powershell_module/posh_pm_get_clipboard.yml index baf228bd5..3bdbe17a9 100644 --- a/src/main/resources/rules/windows/powershell/powershell_module/posh_pm_get_clipboard.yml +++ b/src/main/resources/rules/windows/powershell/powershell_module/posh_pm_get_clipboard.yml @@ -21,4 +21,4 @@ detection: condition: selection_4103 falsepositives: - Unknown -level: medium \ No newline at end of file +level: medium diff --git a/src/main/resources/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_clip.yml b/src/main/resources/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_clip.yml index 73f8b09f4..50e52f205 100644 --- a/src/main/resources/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_clip.yml +++ b/src/main/resources/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_clip.yml @@ -25,4 +25,4 @@ detection: condition: selection_4103 falsepositives: - Unknown -level: high \ No newline at end of file +level: high diff --git a/src/main/resources/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_stdin.yml b/src/main/resources/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_stdin.yml index 483b4c343..2f211d1a8 100644 --- a/src/main/resources/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_stdin.yml +++ b/src/main/resources/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_stdin.yml @@ -2,7 +2,7 @@ title: Invoke-Obfuscation STDIN+ Launcher id: 9ac8b09b-45de-4a07-9da1-0de8c09304a3 related: - id: 779c8c12-0eb1-11eb-adc1-0242ac120002 - type: derived + type: derived description: Detects Obfuscated use of stdin to execute PowerShell status: experimental author: Jonathan Cheong, oscd.community @@ -25,4 +25,4 @@ detection: condition: selection_4103 falsepositives: - Unknown -level: high \ No newline at end of file +level: high diff --git a/src/main/resources/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_var.yml b/src/main/resources/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_var.yml index 91aec4b61..b6b9c30aa 100644 --- a/src/main/resources/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_var.yml +++ b/src/main/resources/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_var.yml @@ -25,4 +25,4 @@ detection: condition: selection_4103 falsepositives: - Unknown -level: high \ No newline at end of file +level: high diff --git a/src/main/resources/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_rundll.yml b/src/main/resources/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_rundll.yml index a8ad4066e..099fd1085 100644 --- a/src/main/resources/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_rundll.yml +++ b/src/main/resources/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_rundll.yml @@ -16,7 +16,7 @@ logsource: definition: PowerShell Module Logging must be enabled detection: selection_4103: - Payload|contains|all: + Payload|contains|all: - 'rundll32.exe' - 'shell32.dll' - 'shellexec_rundll' @@ -29,4 +29,4 @@ tags: - attack.defense_evasion - attack.t1027 - attack.execution - - attack.t1059.001 + - attack.t1059.001 diff --git a/src/main/resources/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_rundll32.yml b/src/main/resources/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_rundll32.yml index a7861292b..84c716916 100644 --- a/src/main/resources/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_rundll32.yml +++ b/src/main/resources/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_rundll32.yml @@ -21,7 +21,7 @@ detection: - 'rundll32' - 'shell32.dll' - 'shellexec_rundll' - Payload|contains: + Payload|contains: - 'value' - 'invoke' - 'comspec' diff --git a/src/main/resources/rules/windows/powershell/powershell_module/posh_pm_powercat.yml b/src/main/resources/rules/windows/powershell/powershell_module/posh_pm_powercat.yml index ef9261cae..cc1304699 100644 --- a/src/main/resources/rules/windows/powershell/powershell_module/posh_pm_powercat.yml +++ b/src/main/resources/rules/windows/powershell/powershell_module/posh_pm_powercat.yml @@ -21,7 +21,7 @@ detection: ContextInfo|contains: - 'powercat ' - 'powercat.ps1' - condition: selection + condition: selection falsepositives: - Unknown -level: medium \ No newline at end of file +level: medium diff --git a/src/main/resources/rules/windows/powershell/powershell_module/posh_pm_remote_powershell_session.yml b/src/main/resources/rules/windows/powershell/powershell_module/posh_pm_remote_powershell_session.yml index 606af813f..987b92358 100644 --- a/src/main/resources/rules/windows/powershell/powershell_module/posh_pm_remote_powershell_session.yml +++ b/src/main/resources/rules/windows/powershell/powershell_module/posh_pm_remote_powershell_session.yml @@ -19,8 +19,8 @@ logsource: detection: selection: ContextInfo|contains|all: - - ' = ServerRemoteHost ' # HostName: 'ServerRemoteHost' french : Nom d’hôte = - - 'wsmprovhost.exe' # HostApplication|contains: 'wsmprovhost.exe' french Application hôte = + - ' = ServerRemoteHost ' # HostName: 'ServerRemoteHost' french : Nom d’hôte = + - 'wsmprovhost.exe' # HostApplication|contains: 'wsmprovhost.exe' french Application hôte = false_positive_1: ContextInfo|contains: '\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Archive\Microsoft.PowerShell.Archive.psm1' condition: selection and not 1 of false_positive* diff --git a/src/main/resources/rules/windows/powershell/powershell_module/posh_pm_susp_ad_group_reco.yml b/src/main/resources/rules/windows/powershell/powershell_module/posh_pm_susp_ad_group_reco.yml index b5f3c115a..99fd7801d 100644 --- a/src/main/resources/rules/windows/powershell/powershell_module/posh_pm_susp_ad_group_reco.yml +++ b/src/main/resources/rules/windows/powershell/powershell_module/posh_pm_susp_ad_group_reco.yml @@ -1,9 +1,9 @@ -title: Suspicious Get Information for AD Groups or DoesNotRequirePreAuth User +title: Suspicious Get Information for AD Groups or DoesNotRequirePreAuth User id: 815bfc17-7fc6-4908-a55e-2f37b98cedb4 description: | Adversaries may attempt to find domain-level groups and permission settings. The knowledge of domain-level permission groups can help adversaries determine which groups exist and which users belong to a particular group. - Adversaries may use this information to determine which users have elevated permissions, such as domain administrators. + Adversaries may use this information to determine which users have elevated permissions, such as domain administrators. references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.002/T1069.002.md status: experimental @@ -33,4 +33,4 @@ falsepositives: level: low tags: - attack.discovery - - attack.t1069.001 \ No newline at end of file + - attack.t1069.001 diff --git a/src/main/resources/rules/windows/powershell/powershell_module/posh_pm_susp_athremotefxvgpudisablementcommand.yml b/src/main/resources/rules/windows/powershell/powershell_module/posh_pm_susp_athremotefxvgpudisablementcommand.yml index cd9751e11..e265f181f 100644 --- a/src/main/resources/rules/windows/powershell/powershell_module/posh_pm_susp_athremotefxvgpudisablementcommand.yml +++ b/src/main/resources/rules/windows/powershell/powershell_module/posh_pm_susp_athremotefxvgpudisablementcommand.yml @@ -32,4 +32,4 @@ fields: - ParentCommandLine falsepositives: - Unknown -level: medium \ No newline at end of file +level: medium diff --git a/src/main/resources/rules/windows/powershell/powershell_module/posh_pm_susp_download.yml b/src/main/resources/rules/windows/powershell/powershell_module/posh_pm_susp_download.yml index 598a3549e..613488c01 100644 --- a/src/main/resources/rules/windows/powershell/powershell_module/posh_pm_susp_download.yml +++ b/src/main/resources/rules/windows/powershell/powershell_module/posh_pm_susp_download.yml @@ -24,4 +24,4 @@ detection: condition: webclient and download falsepositives: - PowerShell scripts that download content from the Internet -level: medium \ No newline at end of file +level: medium diff --git a/src/main/resources/rules/windows/powershell/powershell_module/posh_pm_susp_get_nettcpconnection.yml b/src/main/resources/rules/windows/powershell/powershell_module/posh_pm_susp_get_nettcpconnection.yml index 39394b907..32b72a2f5 100644 --- a/src/main/resources/rules/windows/powershell/powershell_module/posh_pm_susp_get_nettcpconnection.yml +++ b/src/main/resources/rules/windows/powershell/powershell_module/posh_pm_susp_get_nettcpconnection.yml @@ -1,4 +1,4 @@ -title: Use Get-NetTCPConnection +title: Use Get-NetTCPConnection id: aff815cc-e400-4bf0-a47a-5d8a2407d4e1 status: experimental description: Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network. @@ -13,10 +13,10 @@ logsource: detection: selection: ContextInfo|contains: 'Get-NetTCPConnection' - condition: selection + condition: selection falsepositives: - Unknown level: low tags: - attack.discovery - - attack.t1049 \ No newline at end of file + - attack.t1049 diff --git a/src/main/resources/rules/windows/powershell/powershell_module/posh_pm_susp_local_group_reco.yml b/src/main/resources/rules/windows/powershell/powershell_module/posh_pm_susp_local_group_reco.yml index 4e9033945..164442de5 100644 --- a/src/main/resources/rules/windows/powershell/powershell_module/posh_pm_susp_local_group_reco.yml +++ b/src/main/resources/rules/windows/powershell/powershell_module/posh_pm_susp_local_group_reco.yml @@ -3,7 +3,7 @@ id: cef24b90-dddc-4ae1-a09a-8764872f69fc description: | Adversaries may attempt to find local system groups and permission settings. The knowledge of local system permission groups can help adversaries determine which groups exist and which users belong to a particular group. - Adversaries may use this information to determine which users have elevated permissions, such as the users found within the local administrators group. + Adversaries may use this information to determine which users have elevated permissions, such as the users found within the local administrators group. references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md status: experimental @@ -33,4 +33,4 @@ falsepositives: level: low tags: - attack.discovery - - attack.t1069.001 \ No newline at end of file + - attack.t1069.001 diff --git a/src/main/resources/rules/windows/powershell/powershell_module/posh_pm_susp_reset_computermachinepassword.yml b/src/main/resources/rules/windows/powershell/powershell_module/posh_pm_susp_reset_computermachinepassword.yml index 801228c9d..044061b79 100644 --- a/src/main/resources/rules/windows/powershell/powershell_module/posh_pm_susp_reset_computermachinepassword.yml +++ b/src/main/resources/rules/windows/powershell/powershell_module/posh_pm_susp_reset_computermachinepassword.yml @@ -15,8 +15,8 @@ detection: ContextInfo|contains: 'Reset-ComputerMachinePassword' condition: selection falsepositives: - - Administrator PowerShell scripts + - Administrator PowerShell scripts level: medium tags: - attack.initial_access - - attack.t1078 \ No newline at end of file + - attack.t1078 diff --git a/src/main/resources/rules/windows/powershell/powershell_module/posh_pm_susp_smb_share_reco.yml b/src/main/resources/rules/windows/powershell/powershell_module/posh_pm_susp_smb_share_reco.yml index 7dcc21f35..f1a8d129d 100644 --- a/src/main/resources/rules/windows/powershell/powershell_module/posh_pm_susp_smb_share_reco.yml +++ b/src/main/resources/rules/windows/powershell/powershell_module/posh_pm_susp_smb_share_reco.yml @@ -3,7 +3,7 @@ id: 6942bd25-5970-40ab-af49-944247103358 description: | Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement. - Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network. + Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network. references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.002/T1069.002.md status: experimental @@ -22,4 +22,4 @@ falsepositives: level: low tags: - attack.discovery - - attack.t1069.001 \ No newline at end of file + - attack.t1069.001 diff --git a/src/main/resources/rules/windows/powershell/powershell_module/posh_pm_syncappvpublishingserver_exe.yml b/src/main/resources/rules/windows/powershell/powershell_module/posh_pm_syncappvpublishingserver_exe.yml index 11dae35ce..62e7b3f06 100644 --- a/src/main/resources/rules/windows/powershell/powershell_module/posh_pm_syncappvpublishingserver_exe.yml +++ b/src/main/resources/rules/windows/powershell/powershell_module/posh_pm_syncappvpublishingserver_exe.yml @@ -24,4 +24,4 @@ detection: condition: selection falsepositives: - App-V clients -level: medium \ No newline at end of file +level: medium diff --git a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_access_to_browser_login_data.yml b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_access_to_browser_login_data.yml index 71c604502..3668a234f 100644 --- a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_access_to_browser_login_data.yml +++ b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_access_to_browser_login_data.yml @@ -18,11 +18,11 @@ logsource: definition: Script block logging must be enabled detection: selection_cmd: - ScriptBlockText|contains|all: + ScriptBlockText|contains|all: - Copy-Item - '-Destination' selection_path: - ScriptBlockText|contains: + ScriptBlockText|contains: - '\Opera Software\Opera Stable\Login Data' - '\Mozilla\Firefox\Profiles' - '\Microsoft\Edge\User Data\Default' @@ -34,4 +34,4 @@ falsepositives: level: medium tags: - attack.credential_access - - attack.t1555.003 \ No newline at end of file + - attack.t1555.003 diff --git a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_adrecon_execution.yml b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_adrecon_execution.yml index 799b4e99c..1aa963ff0 100644 --- a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_adrecon_execution.yml +++ b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_adrecon_execution.yml @@ -1,7 +1,7 @@ title: PowerShell ADRecon Execution id: bf72941a-cba0-41ea-b18c-9aca3925690d status: experimental -description: Detects execution of ADRecon.ps1 for AD reconnaissance which has been reported to be actively used by FIN7 +description: Detects execution of ADRecon.ps1 for AD reconnaissance which has been reported to be actively used by FIN7 references: - https://github.com/sense-of-security/ADRecon - https://bi-zone.medium.com/from-pentest-to-apt-attack-cybercriminal-group-fin7-disguises-its-malware-as-an-ethical-hackers-c23c9a75e319 diff --git a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_as_rep_roasting.yml b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_as_rep_roasting.yml index f76e0c978..a219f672c 100644 --- a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_as_rep_roasting.yml +++ b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_as_rep_roasting.yml @@ -1,4 +1,4 @@ -title: Get-ADUser Enumeration Using UserAccountControl Flags +title: Get-ADUser Enumeration Using UserAccountControl Flags id: 96c982fe-3d08-4df4-bed2-eb14e02f21c8 status: experimental description: Detects AS-REP roasting is an attack that is often-overlooked. It is not very common as you have to explicitly set accounts that do not require pre-authentication. @@ -14,12 +14,12 @@ logsource: detection: selection: #4194304 DONT_REQ_PREAUTH - ScriptBlockText|contains|all: + ScriptBlockText|contains|all: - 'Get-ADUser' - '-Filter' - 'useraccountcontrol' - '-band' - - '4194304' + - '4194304' condition: selection falsepositives: - Legitimate PowerShell scripts diff --git a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_cl_mutexverifiers_lolscript.yml b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_cl_mutexverifiers_lolscript.yml index 8c8880442..ae25086d7 100644 --- a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_cl_mutexverifiers_lolscript.yml +++ b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_cl_mutexverifiers_lolscript.yml @@ -23,4 +23,4 @@ detection: condition: selection falsepositives: - Unknown -level: high \ No newline at end of file +level: high diff --git a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_cmdlet_scheduled_task.yml b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_cmdlet_scheduled_task.yml index 3f5bab8a1..c181b4e0b 100644 --- a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_cmdlet_scheduled_task.yml +++ b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_cmdlet_scheduled_task.yml @@ -12,7 +12,7 @@ logsource: category: ps_script detection: selection_cmdlet: - ScriptBlockText|contains: + ScriptBlockText|contains: - 'New-ScheduledTaskAction' - 'New-ScheduledTaskTrigger' - 'New-ScheduledTaskPrincipal' @@ -31,5 +31,5 @@ falsepositives: - Unknown level: medium tags: - - attack.persistence - - attack.t1053.005 \ No newline at end of file + - attack.persistence + - attack.t1053.005 diff --git a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_copy_item_system32.yml b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_copy_item_system32.yml index 600e33579..734b29785 100644 --- a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_copy_item_system32.yml +++ b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_copy_item_system32.yml @@ -21,4 +21,4 @@ falsepositives: level: high tags: - attack.credential_access - - attack.t1556.002 \ No newline at end of file + - attack.t1556.002 diff --git a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_cor_profiler.yml b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_cor_profiler.yml index 49c656f18..604ca9a53 100644 --- a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_cor_profiler.yml +++ b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_cor_profiler.yml @@ -6,7 +6,7 @@ description: | The COR_PROFILER is a .NET Framework feature which allows developers to specify an unmanaged (or external of .NET) profiling DLL to be loaded into each .NET process that loads the Common Language Runtime (CLR). These profiliers are designed to monitor, troubleshoot, and debug managed code executed by the .NET CLR. (Citation: Microsoft Profiling Mar 2017) - (Citation: Microsoft COR_PROFILER Feb 2013) + (Citation: Microsoft COR_PROFILER Feb 2013) author: frack113 date: 2021/12/30 references: diff --git a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_create_local_user.yml b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_create_local_user.yml index ab12a9c07..2180d16e4 100644 --- a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_create_local_user.yml +++ b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_create_local_user.yml @@ -8,7 +8,7 @@ tags: - attack.execution - attack.t1059.001 - attack.persistence - - attack.t1136.001 + - attack.t1136.001 author: '@ROxPinTeddy' date: 2020/04/11 modified: 2021/10/16 diff --git a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_create_volume_shadow_copy.yml b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_create_volume_shadow_copy.yml index 6c098c110..897fe2a92 100644 --- a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_create_volume_shadow_copy.yml +++ b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_create_volume_shadow_copy.yml @@ -23,4 +23,4 @@ falsepositives: level: high tags: - attack.credential_access - - attack.t1003.003 + - attack.t1003.003 diff --git a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_detect_vm_env.yml b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_detect_vm_env.yml index 0ce4802c0..63a080f64 100644 --- a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_detect_vm_env.yml +++ b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_detect_vm_env.yml @@ -17,11 +17,11 @@ logsource: definition: EnableScriptBlockLogging must be set to enable detection: selection_action: - ScriptBlockText|contains: + ScriptBlockText|contains: - Get-WmiObject - gwmi selection_module: - ScriptBlockText|contains: + ScriptBlockText|contains: - MSAcpi_ThermalZoneTemperature - Win32_ComputerSystem condition: all of selection* diff --git a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_dump_password_windows_credential_manager.yml b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_dump_password_windows_credential_manager.yml index fac4d03e1..fe83b4807 100644 --- a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_dump_password_windows_credential_manager.yml +++ b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_dump_password_windows_credential_manager.yml @@ -14,7 +14,7 @@ logsource: definition: Script block logging must be enabled detection: selection_kiddie: - ScriptBlockText|contains: + ScriptBlockText|contains: - 'Get-PasswordVaultCredentials' - 'Get-CredManCreds' selection_rename_Password: @@ -34,4 +34,4 @@ falsepositives: level: medium tags: - attack.credential_access - - attack.t1555 \ No newline at end of file + - attack.t1555 diff --git a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_enable_psremoting.yml b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_enable_psremoting.yml index 5a5d0f0c0..091c18d97 100644 --- a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_enable_psremoting.yml +++ b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_enable_psremoting.yml @@ -1,7 +1,7 @@ title: Enable Windows Remote Management id: 991a9744-f2f0-44f2-bd33-9092eba17dc3 status: experimental -description: Adversaries may use Valid Accounts to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user. +description: Adversaries may use Valid Accounts to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user. references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.006/T1021.006.md#atomic-test-1---enable-windows-remote-management - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/enable-psremoting?view=powershell-7.2 diff --git a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_enumerate_password_windows_credential_manager.yml b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_enumerate_password_windows_credential_manager.yml index dca1798f0..f0b742a4e 100644 --- a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_enumerate_password_windows_credential_manager.yml +++ b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_enumerate_password_windows_credential_manager.yml @@ -14,7 +14,7 @@ logsource: definition: Script block logging must be enabled detection: selection_cmd: - ScriptBlockText|contains|all: + ScriptBlockText|contains|all: - vaultcmd - '/listcreds:' selection_option: @@ -27,4 +27,4 @@ falsepositives: level: medium tags: - attack.credential_access - - attack.t1555 \ No newline at end of file + - attack.t1555 diff --git a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_file_and_directory_discovery.yml b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_file_and_directory_discovery.yml index e639d7baf..40211e6b8 100644 --- a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_file_and_directory_discovery.yml +++ b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_file_and_directory_discovery.yml @@ -3,7 +3,7 @@ id: d23f2ba5-9da0-4463-8908-8ee47f614bb9 description: | Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from [File and Directory Discovery](https://attack.mitre.org/techniques/T1083) during automated discovery to shape follow-on behaviors, - including whether or not the adversary fully infects the target and/or attempts specific actions. + including whether or not the adversary fully infects the target and/or attempts specific actions. references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1083/T1083.md status: experimental @@ -14,7 +14,7 @@ logsource: category: ps_script detection: selection: - ScriptBlockText|contains: + ScriptBlockText|contains: - ls - get-childitem - gci @@ -26,4 +26,4 @@ falsepositives: level: low tags: - attack.discovery - - attack.t1083 \ No newline at end of file + - attack.t1083 diff --git a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_get_acl_service.yml b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_get_acl_service.yml index 0664cf3ce..49e0b6d9c 100644 --- a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_get_acl_service.yml +++ b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_get_acl_service.yml @@ -1,4 +1,4 @@ -title: Service Registry Permissions Weakness Check +title: Service Registry Permissions Weakness Check id: 95afc12e-3cbb-40c3-9340-84a032e596a3 status: experimental description: | diff --git a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_get_adreplaccount.yml b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_get_adreplaccount.yml index 2518b05ed..28e7efa15 100644 --- a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_get_adreplaccount.yml +++ b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_get_adreplaccount.yml @@ -1,9 +1,9 @@ title: Suspicious Get-ADReplAccount id: 060c3ef1-fd0a-4091-bf46-e7d625f60b73 status: experimental -description: +description: The DSInternals PowerShell Module exposes several internal features of Active Directory and Azure Active Directory. - These include FIDO2 and NGC key auditing, offline ntds.dit file manipulation, password auditing, DC recovery from IFM backups and password hash calculation. + These include FIDO2 and NGC key auditing, offline ntds.dit file manipulation, password auditing, DC recovery from IFM backups and password hash calculation. date: 2022/02/06 author: frack113 references: @@ -15,7 +15,7 @@ logsource: definition: Script block logging must be enabled detection: selection: - ScriptBlockText|contains|all: + ScriptBlockText|contains|all: - Get-ADReplAccount - '-All ' - '-Server ' diff --git a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_get_childitem_bookmarks.yml b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_get_childitem_bookmarks.yml index f6a1ad514..8eb259f39 100644 --- a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_get_childitem_bookmarks.yml +++ b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_get_childitem_bookmarks.yml @@ -19,7 +19,7 @@ detection: - 'Get-ChildItem' - ' -Recurse ' - ' -Path ' - - ' -Filter Bookmarks' + - ' -Filter Bookmarks' - ' -ErrorAction SilentlyContinue' - ' -Force' condition: selection @@ -29,4 +29,3 @@ level: low tags: - attack.discovery - attack.t1217 - diff --git a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_invoke_command_remote.yml b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_invoke_command_remote.yml index 298d4ba4b..c387e0af4 100644 --- a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_invoke_command_remote.yml +++ b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_invoke_command_remote.yml @@ -1,7 +1,7 @@ title: Execute Invoke-command on Remote Host id: 7b836d7f-179c-4ba4-90a7-a7e60afb48e6 status: experimental -description: Adversaries may use Valid Accounts to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user. +description: Adversaries may use Valid Accounts to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user. references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.006/T1021.006.md#atomic-test-2---invoke-command - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/invoke-command?view=powershell-7.2 diff --git a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_clip.yml b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_clip.yml index b4aa1b056..366fdfe36 100644 --- a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_clip.yml +++ b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_clip.yml @@ -22,4 +22,4 @@ detection: condition: selection_4104 falsepositives: - Unknown -level: high \ No newline at end of file +level: high diff --git a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_stdin.yml b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_stdin.yml index 334e424a2..4a543c4c4 100644 --- a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_stdin.yml +++ b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_stdin.yml @@ -22,4 +22,4 @@ detection: condition: selection_4104 falsepositives: - Unknown -level: high \ No newline at end of file +level: high diff --git a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_var.yml b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_var.yml index ae25eadb5..48972bb50 100644 --- a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_var.yml +++ b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_var.yml @@ -22,4 +22,4 @@ detection: condition: selection_4104 falsepositives: - Unknown -level: high \ No newline at end of file +level: high diff --git a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_compress.yml b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_compress.yml index e855b695c..28bf3e0dc 100644 --- a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_compress.yml +++ b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_compress.yml @@ -13,10 +13,10 @@ logsource: definition: Script block logging must be enabled detection: selection_4104: - ScriptBlockText|contains|all: + ScriptBlockText|contains|all: - 'new-object' - 'text.encoding]::ascii' - ScriptBlockText|contains: + ScriptBlockText|contains: - 'system.io.compression.deflatestream' - 'system.io.streamreader' ScriptBlockText|endswith: 'readtoend' diff --git a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_keylogging.yml b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_keylogging.yml index 6e2b8b568..07d8dda35 100644 --- a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_keylogging.yml +++ b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_keylogging.yml @@ -17,7 +17,7 @@ logsource: definition: EnableScriptBlockLogging must be set to enable detection: selection_basic: - ScriptBlockText|contains: 'Get-Keystrokes' + ScriptBlockText|contains: 'Get-Keystrokes' selection_high: # want to run in background and keyboard ScriptBlockText|contains|all: - 'Get-ProcAddress user32.dll GetAsyncKeyState' diff --git a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_prompt_credentials.yml b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_prompt_credentials.yml index 7c532498b..6b9458323 100644 --- a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_prompt_credentials.yml +++ b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_prompt_credentials.yml @@ -20,6 +20,6 @@ detection: selection: ScriptBlockText|contains: 'PromptForCredential' condition: selection -falsepositives: +falsepositives: - Unknown level: high diff --git a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_request_kerberos_ticket.yml b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_request_kerberos_ticket.yml index bbc104ada..65fe0f938 100644 --- a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_request_kerberos_ticket.yml +++ b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_request_kerberos_ticket.yml @@ -21,4 +21,4 @@ falsepositives: level: high tags: - attack.credential_access - - attack.t1558.003 \ No newline at end of file + - attack.t1558.003 diff --git a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_root_certificate_installed.yml b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_root_certificate_installed.yml index 1dfe52048..b204d7129 100644 --- a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_root_certificate_installed.yml +++ b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_root_certificate_installed.yml @@ -26,4 +26,4 @@ detection: condition: selection1 or selection2 level: medium falsepositives: - - Help Desk or IT may need to manually add a corporate Root CA on occasion. Need to test if GPO push doesn't trigger FP \ No newline at end of file + - Help Desk or IT may need to manually add a corporate Root CA on occasion. Need to test if GPO push doesn't trigger FP diff --git a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_security_software_discovery.yml b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_security_software_discovery.yml index 08bf14405..be121b39f 100644 --- a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_security_software_discovery.yml +++ b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_security_software_discovery.yml @@ -31,4 +31,3 @@ level: low tags: - attack.discovery - attack.t1518.001 - diff --git a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_send_mailmessage.yml b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_send_mailmessage.yml index 55560cea3..98fa104c1 100644 --- a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_send_mailmessage.yml +++ b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_send_mailmessage.yml @@ -3,7 +3,7 @@ id: 9a7afa56-4762-43eb-807d-c3dc9ffe211b status: experimental description: | Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel. - The data may also be sent to an alternate network location from the main command and control server. + The data may also be sent to an alternate network location from the main command and control server. references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.003/T1048.003.md#atomic-test-5---exfiltration-over-alternative-protocol---smtp - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/send-mailmessage?view=powershell-7.2 diff --git a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_set_policies_to_unsecure_level.yml b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_set_policies_to_unsecure_level.yml index 6db433c5c..d0bf59f69 100644 --- a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_set_policies_to_unsecure_level.yml +++ b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_set_policies_to_unsecure_level.yml @@ -32,4 +32,4 @@ detection: condition: cmdlet and option and not filter falsepositives: - Administrator script -level: medium \ No newline at end of file +level: medium diff --git a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_store_file_in_alternate_data_stream.yml b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_store_file_in_alternate_data_stream.yml index c299fe7e3..53d1d8ad4 100644 --- a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_store_file_in_alternate_data_stream.yml +++ b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_store_file_in_alternate_data_stream.yml @@ -16,7 +16,7 @@ logsource: definition: EnableScriptBlockLogging must be set to enable detection: selection_compspec: - ScriptBlockText|contains|all: + ScriptBlockText|contains|all: - 'Start-Process' - '-FilePath "$env:comspec" ' - '-ArgumentList ' @@ -24,4 +24,4 @@ detection: condition: selection_compspec falsepositives: - Unknown -level: medium \ No newline at end of file +level: medium diff --git a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_susp_ad_group_reco.yml b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_susp_ad_group_reco.yml index 23da97199..9ace3769e 100644 --- a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_susp_ad_group_reco.yml +++ b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_susp_ad_group_reco.yml @@ -1,9 +1,9 @@ -title: Suspicious Get Information for AD Groups or DoesNotRequirePreAuth User +title: Suspicious Get Information for AD Groups or DoesNotRequirePreAuth User id: 88f0884b-331d-403d-a3a1-b668cf035603 description: | Adversaries may attempt to find domain-level groups and permission settings. The knowledge of domain-level permission groups can help adversaries determine which groups exist and which users belong to a particular group. - Adversaries may use this information to determine which users have elevated permissions, such as domain administrators. + Adversaries may use this information to determine which users have elevated permissions, such as domain administrators. references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.002/T1069.002.md status: experimental @@ -20,11 +20,11 @@ detection: - get-aduser - '-f ' - '-pr ' - - DoesNotRequirePreAuth + - DoesNotRequirePreAuth condition: 1 of test_* falsepositives: - Unknown level: low tags: - attack.discovery - - attack.t1069.001 \ No newline at end of file + - attack.t1069.001 diff --git a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_susp_directory_enum.yml b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_susp_directory_enum.yml index f291e4a53..64f384a08 100644 --- a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_susp_directory_enum.yml +++ b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_susp_directory_enum.yml @@ -24,7 +24,7 @@ detection: condition: selection falsepositives: - Legitimate PowerShell scripts -level: medium +level: medium tags: - attack.discovery - attack.t1083 diff --git a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_susp_download.yml b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_susp_download.yml index b533bf04b..816e8ea86 100644 --- a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_susp_download.yml +++ b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_susp_download.yml @@ -24,4 +24,4 @@ detection: condition: webclient and download falsepositives: - PowerShell scripts that download content from the Internet -level: medium \ No newline at end of file +level: medium diff --git a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_susp_execute_batch_script.yml b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_susp_execute_batch_script.yml index 6c9bd060f..516cf747c 100644 --- a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_susp_execute_batch_script.yml +++ b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_susp_execute_batch_script.yml @@ -27,4 +27,4 @@ falsepositives: level: medium tags: - attack.execution - - attack.t1059.003 \ No newline at end of file + - attack.t1059.003 diff --git a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_susp_extracting.yml b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_susp_extracting.yml index b8be6f52d..cf140767f 100644 --- a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_susp_extracting.yml +++ b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_susp_extracting.yml @@ -26,4 +26,4 @@ falsepositives: level: medium tags: - attack.credential_access - - attack.t1552.001 \ No newline at end of file + - attack.t1552.001 diff --git a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_susp_get_adcomputer.yml b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_susp_get_adcomputer.yml index 6dc8e7ace..1f220fcb7 100644 --- a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_susp_get_adcomputer.yml +++ b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_susp_get_adcomputer.yml @@ -22,4 +22,3 @@ level: low tags: - attack.discovery - attack.t1018 - diff --git a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_susp_get_adgroup.yml b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_susp_get_adgroup.yml index ecb0a5a27..f11c3655d 100644 --- a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_susp_get_adgroup.yml +++ b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_susp_get_adgroup.yml @@ -22,4 +22,3 @@ level: low tags: - attack.discovery - attack.t1069.002 - diff --git a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_susp_invoke_webrequest_useragent.yml b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_susp_invoke_webrequest_useragent.yml index 2477e7898..0b03fc80c 100644 --- a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_susp_invoke_webrequest_useragent.yml +++ b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_susp_invoke_webrequest_useragent.yml @@ -5,7 +5,7 @@ author: frack113 date: 2022/01/23 description: | Adversaries may communicate using application layer protocols associated with web traffic to avoid detection/network filtering by blending in with existing traffic. - Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. + Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.001/T1071.001.md#t1071001---web-protocols logsource: @@ -24,4 +24,3 @@ level: medium tags: - attack.command_and_control - attack.t1071.001 - diff --git a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_susp_iofilestream.yml b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_susp_iofilestream.yml index f81018dbe..76b352066 100644 --- a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_susp_iofilestream.yml +++ b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_susp_iofilestream.yml @@ -14,7 +14,7 @@ logsource: detection: selection: ScriptBlockText|contains|all: - - New-Object + - New-Object - IO.FileStream - '\\\\.\\' condition: selection diff --git a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_susp_local_group_reco.yml b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_susp_local_group_reco.yml index d613d7246..77b95ed88 100644 --- a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_susp_local_group_reco.yml +++ b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_susp_local_group_reco.yml @@ -27,4 +27,4 @@ falsepositives: level: low tags: - attack.discovery - - attack.t1069.001 \ No newline at end of file + - attack.t1069.001 diff --git a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_susp_mail_acces.yml b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_susp_mail_acces.yml index b89413bba..f6838768d 100644 --- a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_susp_mail_acces.yml +++ b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_susp_mail_acces.yml @@ -4,7 +4,7 @@ status: experimental author: frack113 date: 2021/07/21 modified: 2021/10/16 -description: Adversaries may target user email on local systems to collect sensitive information. Files containing email data can be acquired from a user’s local system, such as Outlook storage or cache files. +description: Adversaries may target user email on local systems to collect sensitive information. Files containing email data can be acquired from a user’s local system, such as Outlook storage or cache files. references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114.001/T1114.001.md tags: @@ -21,7 +21,7 @@ detection: - 'Microsoft.Office.Interop.Outlook' - 'Microsoft.Office.Interop.Outlook.olDefaultFolders' - '-comobject outlook.application' - condition: selection + condition: selection falsepositives: - Unknown level: medium diff --git a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_susp_networkcredential.yml b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_susp_networkcredential.yml index c5d2142b3..1e2b477ef 100644 --- a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_susp_networkcredential.yml +++ b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_susp_networkcredential.yml @@ -23,4 +23,4 @@ falsepositives: level: low tags: - attack.credential_access - - attack.t1110.001 \ No newline at end of file + - attack.t1110.001 diff --git a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_susp_new_psdrive.yml b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_susp_new_psdrive.yml index 7a45d7ab6..81d7735a7 100644 --- a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_susp_new_psdrive.yml +++ b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_susp_new_psdrive.yml @@ -1,6 +1,6 @@ title: Suspicious New-PSDrive to Admin Share id: 1c563233-030e-4a07-af8c-ee0490a66d3a -description: Adversaries may use to interact with a remote network share using Server Message Block (SMB). The adversary may then perform actions as the logged-on user. +description: Adversaries may use to interact with a remote network share using Server Message Block (SMB). The adversary may then perform actions as the logged-on user. references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.002/T1021.002.md#atomic-test-2---map-admin-share-powershell - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/new-psdrive?view=powershell-7.2 @@ -25,4 +25,4 @@ falsepositives: level: medium tags: - attack.lateral_movement - - attack.t1021.002 \ No newline at end of file + - attack.t1021.002 diff --git a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_susp_remove_adgroupmember.yml b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_susp_remove_adgroupmember.yml index b58fc1988..612144471 100644 --- a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_susp_remove_adgroupmember.yml +++ b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_susp_remove_adgroupmember.yml @@ -5,7 +5,7 @@ author: frack113 date: 2021/12/26 description: | Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users. - Accounts may be deleted, locked, or manipulated (ex: changed credentials) to remove access to accounts. + Accounts may be deleted, locked, or manipulated (ex: changed credentials) to remove access to accounts. references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1531/T1531.md#atomic-test-3---remove-account-from-domain-admin-group logsource: @@ -17,7 +17,7 @@ detection: ScriptBlockText|contains|all: - 'Remove-ADGroupMember' - '-Identity ' - - '-Members ' + - '-Members ' condition: selection falsepositives: - Unknown @@ -25,4 +25,3 @@ level: medium tags: - attack.impact - attack.t1531 - diff --git a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_susp_smb_share_reco.yml b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_susp_smb_share_reco.yml index 6800f9f92..039832956 100644 --- a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_susp_smb_share_reco.yml +++ b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_susp_smb_share_reco.yml @@ -3,7 +3,7 @@ id: 95f0643a-ed40-467c-806b-aac9542ec5ab description: | Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement. - Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network. + Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network. references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.002/T1069.002.md status: experimental @@ -21,4 +21,4 @@ falsepositives: level: low tags: - attack.discovery - - attack.t1069.001 \ No newline at end of file + - attack.t1069.001 diff --git a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_susp_ssl_keyword.yml b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_susp_ssl_keyword.yml index ff6cadd46..15b142c7f 100644 --- a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_susp_ssl_keyword.yml +++ b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_susp_ssl_keyword.yml @@ -16,7 +16,7 @@ detection: - System.Net.Security.SslStream - Net.Security.RemoteCertificateValidationCallback - '.AuthenticateAsClient' - condition: selection + condition: selection falsepositives: - Legitimate administrative script level: low diff --git a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_susp_wallpaper.yml b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_susp_wallpaper.yml index 543556f4c..c5aaf2895 100644 --- a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_susp_wallpaper.yml +++ b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_susp_wallpaper.yml @@ -17,7 +17,7 @@ detection: ScriptBlockText|contains|all: - 'Get-ItemProperty' - 'Registry::' - - 'HKEY_CURRENT_USER\Control Panel\Desktop\' + - 'HKEY_CURRENT_USER\Control Panel\Desktop\' - 'WallPaper' selection_2: ScriptBlockText|contains: SystemParametersInfo(20,0,*,3) @@ -28,4 +28,3 @@ level: low tags: - attack.impact - attack.t1491.001 - diff --git a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_susp_win32_pnpentity.yml b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_susp_win32_pnpentity.yml index 1a394505a..82241fb7b 100644 --- a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_susp_win32_pnpentity.yml +++ b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_susp_win32_pnpentity.yml @@ -4,7 +4,7 @@ status: experimental author: frack113 date: 2021/08/23 modified: 2021/10/16 -description: Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system. +description: Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system. references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1120/T1120.md tags: @@ -20,4 +20,4 @@ detection: condition: selection falsepositives: - Admin script -level: low \ No newline at end of file +level: low diff --git a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_susp_win32_shadowcopy.yml b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_susp_win32_shadowcopy.yml index 862a0d9c0..a19f3895c 100644 --- a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_susp_win32_shadowcopy.yml +++ b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_susp_win32_shadowcopy.yml @@ -15,7 +15,7 @@ detection: ScriptBlockText|contains|all: - 'Get-WmiObject' - 'Win32_Shadowcopy' - - '.Delete()' + - '.Delete()' condition: selection falsepositives: - Unknown diff --git a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_susp_windowstyle.yml b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_susp_windowstyle.yml index da2d506fd..83b97f656 100644 --- a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_susp_windowstyle.yml +++ b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_susp_windowstyle.yml @@ -14,11 +14,11 @@ logsource: category: ps_script detection: selection: - ScriptBlockText|contains|all: + ScriptBlockText|contains|all: - 'powershell' - 'WindowStyle' - 'Hidden' condition: selection falsepositives: - Unknown -level: medium \ No newline at end of file +level: medium diff --git a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_syncappvpublishingserver_exe.yml b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_syncappvpublishingserver_exe.yml index 49bfae4ab..4a9ef0e2f 100644 --- a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_syncappvpublishingserver_exe.yml +++ b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_syncappvpublishingserver_exe.yml @@ -24,4 +24,4 @@ detection: condition: selection falsepositives: - App-V clients -level: medium \ No newline at end of file +level: medium diff --git a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_test_netconnection.yml b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_test_netconnection.yml index 0585dba7f..c711828fe 100644 --- a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_test_netconnection.yml +++ b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_test_netconnection.yml @@ -3,7 +3,7 @@ id: adf876b3-f1f8-4aa9-a4e4-a64106feec06 status: experimental description: | Adversaries may communicate using a protocol and port paring that are typically not associated. - For example, HTTPS over port 8088(Citation: Symantec Elfin Mar 2019) or port 587(Citation: Fortinet Agent Tesla April 2018) as opposed to the traditional port 443. + For example, HTTPS over port 8088(Citation: Symantec Elfin Mar 2019) or port 587(Citation: Fortinet Agent Tesla April 2018) as opposed to the traditional port 443. references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1571/T1571.md#atomic-test-1---testing-usage-of-uncommonly-used-port-with-powershell - https://docs.microsoft.com/en-us/powershell/module/nettcpip/test-netconnection?view=windowsserver2022-ps diff --git a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_timestomp.yml b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_timestomp.yml index ac9457f21..4059395bb 100644 --- a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_timestomp.yml +++ b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_timestomp.yml @@ -4,7 +4,7 @@ status: experimental author: frack113 date: 2021/08/03 modified: 2021/10/16 -description: Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. +description: Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.006/T1070.006.md - https://www.offensive-security.com/metasploit-unleashed/timestomp/ diff --git a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_trigger_profiles.yml b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_trigger_profiles.yml index 99083248d..4e4ff9649 100644 --- a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_trigger_profiles.yml +++ b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_trigger_profiles.yml @@ -19,11 +19,11 @@ detection: ScriptBlockText|contains|all: - 'Add-Content' - '$profile' - - '-Value' - ScriptBlockText|contains: + - '-Value' + ScriptBlockText|contains: - 'Start-Process' - '""' #cleanup action condition: selection falsepositives: - Unknown -level: medium \ No newline at end of file +level: medium diff --git a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_windows_firewall_profile_disabled.yml b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_windows_firewall_profile_disabled.yml index a245cab0b..d049f3be2 100644 --- a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_windows_firewall_profile_disabled.yml +++ b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_windows_firewall_profile_disabled.yml @@ -13,7 +13,7 @@ references: logsource: product: windows category: ps_script -detection: +detection: selection: ScriptBlockText|contains|all: - Set-NetFirewallProfile diff --git a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_winlogon_helper_dll.yml b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_winlogon_helper_dll.yml index b52c9b8a4..d6df2ed44 100644 --- a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_winlogon_helper_dll.yml +++ b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_winlogon_helper_dll.yml @@ -24,4 +24,4 @@ falsepositives: level: medium tags: - attack.persistence - - attack.t1547.004 \ No newline at end of file + - attack.t1547.004 diff --git a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_wmi_persistence.yml b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_wmi_persistence.yml index 65677d9dc..8091fff0d 100644 --- a/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_wmi_persistence.yml +++ b/src/main/resources/rules/windows/powershell/powershell_script/posh_ps_wmi_persistence.yml @@ -4,7 +4,7 @@ status: experimental author: frack113 date: 2021/08/19 modified: 2021/10/16 -description: Adversaries may establish persistence and elevate privileges by executing malicious content triggered by a Windows Management Instrumentation (WMI) event subscription. +description: Adversaries may establish persistence and elevate privileges by executing malicious content triggered by a Windows Management Instrumentation (WMI) event subscription. references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.003/T1546.003.md - https://github.com/EmpireProject/Empire/blob/master/data/module_source/persistence/Persistence.psm1#L545 @@ -17,17 +17,17 @@ logsource: definition: EnableScriptBlockLogging must be set to enable detection: selection_ioc: - - ScriptBlockText|contains|all: + - ScriptBlockText|contains|all: - 'New-CimInstance ' - '-Namespace root/subscription ' - '-ClassName __EventFilter ' - - '-Property ' #is a variable name + - '-Property ' #is a variable name - ScriptBlockText|contains|all: - 'New-CimInstance ' - '-Namespace root/subscription ' - '-ClassName CommandLineEventConsumer ' - - '-Property ' #is a variable name + - '-Property ' #is a variable name condition: selection_ioc falsepositives: - Unknown -level: medium \ No newline at end of file +level: medium diff --git a/src/main/resources/rules/windows/process_access/proc_access_win_handlekatz_lsass_access.yml b/src/main/resources/rules/windows/process_access/proc_access_win_handlekatz_lsass_access.yml index 181ec14a3..f29719782 100644 --- a/src/main/resources/rules/windows/process_access/proc_access_win_handlekatz_lsass_access.yml +++ b/src/main/resources/rules/windows/process_access/proc_access_win_handlekatz_lsass_access.yml @@ -13,9 +13,9 @@ detection: selection: TargetImage|endswith: '\lsass.exe' # Theoretically, can be any benign process holding handle to LSASS GrantedAccess: '0x1440' # Only PROCESS_DUP_HANDLE, PROCESS_QUERY_LIMITED_INFORMATION, PROCESS_QUERY_INFORMATION - + call_trace: # C:\Windows\SYSTEM32\ntdll.dll+9d234\|UNKNOWN(00000000001C119B) - CallTrace|startswith: 'C:\Windows\System32\ntdll.dll+' + CallTrace|startswith: 'C:\Windows\System32\ntdll.dll+' CallTrace|contains: '|UNKNOWN(' CallTrace|endswith: ')' condition: selection and call_trace diff --git a/src/main/resources/rules/windows/process_access/proc_access_win_lazagne_cred_dump_lsass_access.yml b/src/main/resources/rules/windows/process_access/proc_access_win_lazagne_cred_dump_lsass_access.yml index 5fe6da531..54e9202ae 100644 --- a/src/main/resources/rules/windows/process_access/proc_access_win_lazagne_cred_dump_lsass_access.yml +++ b/src/main/resources/rules/windows/process_access/proc_access_win_lazagne_cred_dump_lsass_access.yml @@ -14,9 +14,9 @@ logsource: category: process_access product: windows detection: - selection: + selection: TargetImage|endswith: '\lsass.exe' - CallTrace|contains|all: + CallTrace|contains|all: - 'C:\\Windows\\SYSTEM32\\ntdll.dll+' - '|C:\\Windows\\System32\\KERNELBASE.dll+' - '_ctypes.pyd+' diff --git a/src/main/resources/rules/windows/process_access/proc_access_win_lsass_memdump.yml b/src/main/resources/rules/windows/process_access/proc_access_win_lsass_memdump.yml index 6ae6c2ee1..86e14c192 100644 --- a/src/main/resources/rules/windows/process_access/proc_access_win_lsass_memdump.yml +++ b/src/main/resources/rules/windows/process_access/proc_access_win_lsass_memdump.yml @@ -43,4 +43,4 @@ detection: condition: selection and not 1 of filter* falsepositives: - False positives are present when looking for 0x1410. Exclusions may be required. -level: high \ No newline at end of file +level: high diff --git a/src/main/resources/rules/windows/process_access/proc_access_win_lsass_memdump_evasion.yml b/src/main/resources/rules/windows/process_access/proc_access_win_lsass_memdump_evasion.yml index 8aa0e4c52..45526792a 100644 --- a/src/main/resources/rules/windows/process_access/proc_access_win_lsass_memdump_evasion.yml +++ b/src/main/resources/rules/windows/process_access/proc_access_win_lsass_memdump_evasion.yml @@ -18,8 +18,8 @@ logsource: detection: selection: TargetImage|endswith: '\lsass.exe' - SourceImage|endswith: - - '\TrolleyExpress.exe' # Citrix + SourceImage|endswith: + - '\TrolleyExpress.exe' # Citrix - '\ProcessDump.exe' # Cisco Jabber - '\dump64.exe' # Visual Studio GrantedAccess|endswith: @@ -52,4 +52,4 @@ detection: condition: selection falsepositives: - Unlikely, since these tools shouldn't access lsass.exe at all -level: high \ No newline at end of file +level: high diff --git a/src/main/resources/rules/windows/process_access/proc_access_win_lsass_memdump_indicators.yml b/src/main/resources/rules/windows/process_access/proc_access_win_lsass_memdump_indicators.yml index ea79a4243..7036a2bcc 100644 --- a/src/main/resources/rules/windows/process_access/proc_access_win_lsass_memdump_indicators.yml +++ b/src/main/resources/rules/windows/process_access/proc_access_win_lsass_memdump_indicators.yml @@ -48,4 +48,4 @@ detection: condition: selection falsepositives: - Rare programs that contain the word dump in their name and access lsass -level: high \ No newline at end of file +level: high diff --git a/src/main/resources/rules/windows/process_access/proc_access_win_pypykatz_cred_dump_lsass_access.yml b/src/main/resources/rules/windows/process_access/proc_access_win_pypykatz_cred_dump_lsass_access.yml index 53b05c85e..ace45af4d 100644 --- a/src/main/resources/rules/windows/process_access/proc_access_win_pypykatz_cred_dump_lsass_access.yml +++ b/src/main/resources/rules/windows/process_access/proc_access_win_pypykatz_cred_dump_lsass_access.yml @@ -13,9 +13,9 @@ logsource: category: process_access product: windows detection: - selection: + selection: TargetImage|endswith: '\lsass.exe' - CallTrace|contains|all: + CallTrace|contains|all: - 'C:\Windows\SYSTEM32\ntdll.dll+' - 'C:\Windows\System32\KERNELBASE.dll+' - 'libffi-7.dll' @@ -25,4 +25,4 @@ detection: condition: selection level: critical falsepositives: - - Unknown \ No newline at end of file + - Unknown diff --git a/src/main/resources/rules/windows/process_access/proc_access_win_svchost_cred_dump.yml b/src/main/resources/rules/windows/process_access/proc_access_win_svchost_cred_dump.yml index 167885c57..4fe2e10f8 100644 --- a/src/main/resources/rules/windows/process_access/proc_access_win_svchost_cred_dump.yml +++ b/src/main/resources/rules/windows/process_access/proc_access_win_svchost_cred_dump.yml @@ -15,7 +15,7 @@ detection: selection_memory: GrantedAccess: '0x143a' filter_trusted_process_access: - SourceImage|endswith: + SourceImage|endswith: - '*\services.exe' - '*\msiexec.exe' condition: selection_process and selection_memory and not filter_trusted_process_access diff --git a/src/main/resources/rules/windows/process_access/process_access_win_shellcode_inject_msf_empire.yml b/src/main/resources/rules/windows/process_access/process_access_win_shellcode_inject_msf_empire.yml index 171a30883..190438d77 100644 --- a/src/main/resources/rules/windows/process_access/process_access_win_shellcode_inject_msf_empire.yml +++ b/src/main/resources/rules/windows/process_access/process_access_win_shellcode_inject_msf_empire.yml @@ -13,11 +13,11 @@ logsource: product: windows detection: selection: - GrantedAccess: + GrantedAccess: - '0x147a' - '0x1f3fff' CallTrace|contains: 'UNKNOWN' condition: selection falsepositives: - Empire's csharp_exe payload uses 0x1f3fff for process enumeration as well -level: high \ No newline at end of file +level: high diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_abusing_windows_telemetry_for_persistence.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_abusing_windows_telemetry_for_persistence.yml index 817143908..610dd49e8 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_abusing_windows_telemetry_for_persistence.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_abusing_windows_telemetry_for_persistence.yml @@ -22,7 +22,7 @@ logsource: category: process_creation detection: selection: - CommandLine|contains|all: + CommandLine|contains|all: - 'schtasks' - '\Application Experience\Microsoft Compatibility Appraiser' condition: selection diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_ad_find_discovery.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_ad_find_discovery.yml index 93d568e96..aa8388f20 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_ad_find_discovery.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_ad_find_discovery.yml @@ -18,7 +18,7 @@ logsource: product: windows detection: selection: - CommandLine|contains: + CommandLine|contains: - 'domainlist' - 'trustdmp' - 'dcmodes' diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_alternate_data_streams.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_alternate_data_streams.yml index badd22c44..c54e305fe 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_alternate_data_streams.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_alternate_data_streams.yml @@ -37,7 +37,7 @@ detection: - ' /y ' - ' /d ' - ' /o ' - condition: selection_stream and (1 of selection_tools_*) + condition: selection_stream and (1 of selection_tools_*) falsepositives: - Unknown level: medium diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_anydesk.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_anydesk.yml index ab64b9b31..c623859af 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_anydesk.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_anydesk.yml @@ -4,7 +4,7 @@ status: experimental description: | An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. - Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land) + Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land) references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1219/T1219.md#atomic-test-2---anydesk-files-detected-test-on-windows author: frack113 diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_anydesk_silent_install.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_anydesk_silent_install.yml index 4cf3b46ed..33c429734 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_anydesk_silent_install.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_anydesk_silent_install.yml @@ -14,7 +14,7 @@ logsource: product: windows detection: selection: - CommandLine|contains|all: + CommandLine|contains|all: - '--install' - '--start-with-win' - '--silent' diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_anydesk_susp_folder.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_anydesk_susp_folder.yml index 275c219cf..d0d8be62a 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_anydesk_susp_folder.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_anydesk_susp_folder.yml @@ -4,7 +4,7 @@ status: experimental description: | An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. - Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land) + Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land) references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1219/T1219.md#atomic-test-2---anydesk-files-detected-test-on-windows author: Florian Roth diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_apt_actinium_persistence.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_apt_actinium_persistence.yml index f32610c6b..2a018c3f9 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_apt_actinium_persistence.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_apt_actinium_persistence.yml @@ -23,7 +23,7 @@ fields: falsepositives: - Unlikely level: high -tags: +tags: - attack.persistence - attack.t1053 - attack.t1053.005 diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_apt_chafer_mar18.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_apt_chafer_mar18.yml index a831dbe8d..4e52d620c 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_apt_chafer_mar18.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_apt_chafer_mar18.yml @@ -26,7 +26,7 @@ logsource: detection: selection_process0: CommandLine|contains: '\Service.exe' - CommandLine|endswith: + CommandLine|endswith: - 'i' - 'u' selection_process1: @@ -36,7 +36,7 @@ detection: Image|contains: '\Windows\Temp\DB\' Image|endswith: '.exe' selection_process3: - CommandLine|contains|all: + CommandLine|contains|all: - '\nslookup.exe' - '-q=TXT' ParentImage|contains: '\Autoit' diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_apt_gallium.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_apt_gallium.yml index ffabc8685..551a1f74f 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_apt_gallium.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_apt_gallium.yml @@ -29,4 +29,4 @@ detection: condition: legitimate_executable and not legitimate_process_path falsepositives: - Unknown -level: high \ No newline at end of file +level: high diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_apt_gallium_sha1.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_apt_gallium_sha1.yml index 3edf95205..907c72e52 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_apt_gallium_sha1.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_apt_gallium_sha1.yml @@ -10,7 +10,7 @@ references: - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn800669(v=ws.11) tags: - attack.credential_access - - attack.t1212 + - attack.t1212 - attack.command_and_control - attack.t1071 logsource: @@ -41,4 +41,4 @@ detection: condition: selection falsepositives: - Unknown -level: high \ No newline at end of file +level: high diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_apt_gamaredon_ultravnc.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_apt_gamaredon_ultravnc.yml index c4c312d17..e575abcb4 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_apt_gamaredon_ultravnc.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_apt_gamaredon_ultravnc.yml @@ -21,7 +21,7 @@ detection: - '-autoreconnect ' - '-connect ' - '-id:' - condition: selection + condition: selection falsepositives: - Unknown -level: high \ No newline at end of file +level: high diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_apt_hafnium.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_apt_hafnium.yml index aba2a631d..66419bf7a 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_apt_hafnium.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_apt_hafnium.yml @@ -30,7 +30,7 @@ detection: CommandLine|contains|all: - 'vssadmin list shadows' - 'Temp\__output' - selection4: + selection4: CommandLine|contains: '%TEMP%\execute.bat' selection5: Image|endswith: 'Users\Public\opera\Opera_browser.exe' @@ -52,11 +52,11 @@ detection: - 'Microsoft\Exchange Server\' - 'inetpub\wwwroot' selection10: - CommandLine|contains: + CommandLine|contains: - '\Temp\xx.bat' - 'Windows\WwanSvcdcs' - 'Windows\Temp\cw.exe' - selection11: + selection11: CommandLine|contains|all: - '\comsvcs.dll' - 'Minidump' @@ -71,6 +71,6 @@ falsepositives: - Unknown level: high tags: - - attack.persistence + - attack.persistence - attack.t1546 - - attack.t1053 \ No newline at end of file + - attack.t1053 diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_apt_ke3chang_regadd.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_apt_ke3chang_regadd.yml index 5de08498b..36f33bd8f 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_apt_ke3chang_regadd.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_apt_ke3chang_regadd.yml @@ -13,7 +13,7 @@ logsource: product: windows detection: selection1: - # Ke3chang and TidePool both modify the IEHarden registry key, as well as the following list of keys. + # Ke3chang and TidePool both modify the IEHarden registry key, as well as the following list of keys. # Setting these registry keys is unique to the Ke3chang and TidePool malware families. # HKCU\Software\Microsoft\Internet Explorer\Main\Check_Associations # HKCU\Software\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_apt_lazarus_activity_apr21.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_apt_lazarus_activity_apr21.yml index b6c6b6aef..8124b9920 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_apt_lazarus_activity_apr21.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_apt_lazarus_activity_apr21.yml @@ -28,4 +28,4 @@ detection: condition: 1 of selection* falsepositives: - Should not be any false positives -level: high \ No newline at end of file +level: high diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_apt_lazarus_loader.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_apt_lazarus_loader.yml index 95d5e2288..7cbf61784 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_apt_lazarus_loader.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_apt_lazarus_loader.yml @@ -8,7 +8,7 @@ references: tags: - attack.g0032 - attack.execution - - attack.t1059 + - attack.t1059 author: Florian Roth, wagga date: 2020/12/23 modified: 2021/06/27 @@ -17,7 +17,7 @@ logsource: product: windows detection: selection_cmd1: - CommandLine|contains|all: + CommandLine|contains|all: - 'cmd.exe /c ' - ' -p 0x' selection_cmd2: @@ -25,7 +25,7 @@ detection: - 'C:\ProgramData\' - 'C:\RECYCLER\' selection_rundll1: - CommandLine|contains|all: + CommandLine|contains|all: - 'rundll32.exe ' - 'C:\ProgramData\' selection_rundll2: diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_apt_slingshot.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_apt_slingshot.yml index 6e04b4af0..ebdc98e0b 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_apt_slingshot.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_apt_slingshot.yml @@ -26,4 +26,4 @@ detection: condition: selection falsepositives: - Unknown -level: medium \ No newline at end of file +level: medium diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_apt_turla_commands_critical.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_apt_turla_commands_critical.yml index 120eaa9c6..2b3d0f50e 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_apt_turla_commands_critical.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_apt_turla_commands_critical.yml @@ -28,4 +28,4 @@ detection: condition: selection level: critical falsepositives: - - Unknown \ No newline at end of file + - Unknown diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_apt_unc2452_cmds.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_apt_unc2452_cmds.yml index 86ddd5b56..22f09208c 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_apt_unc2452_cmds.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_apt_unc2452_cmds.yml @@ -44,4 +44,4 @@ detection: condition: selection1 or selection2 or selection3 or selection4 or ( specific1 and not filter1 ) falsepositives: - Unknown -level: high \ No newline at end of file +level: high diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_apt_unc2452_ps.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_apt_unc2452_ps.yml index 27dc40646..b0bf138df 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_apt_unc2452_ps.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_apt_unc2452_ps.yml @@ -19,14 +19,14 @@ logsource: product: windows detection: selection1: - CommandLine|contains|all: + CommandLine|contains|all: - 'Invoke-WMIMethod win32_process -name create -argumentlist' - 'rundll32 c:\windows' selection2: - CommandLine|contains|all: + CommandLine|contains|all: - 'wmic /node:' - - 'process call create "rundll32 c:\windows' + - 'process call create "rundll32 c:\windows' condition: selection1 or selection2 falsepositives: - Unknown, unlikely, but possible -level: critical \ No newline at end of file +level: critical diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_apt_wocao.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_apt_wocao.yml index 8897c3feb..5aeb7d762 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_apt_wocao.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_apt_wocao.yml @@ -10,7 +10,7 @@ references: - https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/ - https://twitter.com/SBousseaden/status/1207671369963646976 tags: - - attack.discovery + - attack.discovery - attack.t1012 - attack.defense_evasion - attack.t1036.004 @@ -25,7 +25,7 @@ logsource: product: windows detection: selection: - CommandLine|contains: + CommandLine|contains: - 'checkadmin.exe 127.0.0.1 -all' - 'netsh advfirewall firewall add rule name=powershell dir=in' - 'cmd /c powershell.exe -ep bypass -file c:\s.ps1' @@ -39,4 +39,4 @@ detection: condition: selection falsepositives: - Administrators that use checkadmin.exe tool to enumerate local administrators -level: high \ No newline at end of file +level: high diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_arbitrary_shell_execution_via_settingcontent.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_arbitrary_shell_execution_via_settingcontent.yml index f31bf7fe5..20b74d7fe 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_arbitrary_shell_execution_via_settingcontent.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_arbitrary_shell_execution_via_settingcontent.yml @@ -7,7 +7,7 @@ date: 2020/03/13 modified: 2022/04/14 references: - https://posts.specterops.io/the-tale-of-settingcontent-ms-files-f1ea253e4d39 -tags: +tags: - attack.t1204 - attack.t1566.001 - attack.execution @@ -21,9 +21,9 @@ detection: filter: CommandLine|contains: 'immersivecontrolpanel' condition: selection and not filter -falsepositives: +falsepositives: - Unknown -fields: +fields: - ParentProcess - CommandLine - ParentCommandLine diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_attrib_system.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_attrib_system.yml index 36d0cb0d8..f12680402 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_attrib_system.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_attrib_system.yml @@ -20,4 +20,4 @@ falsepositives: level: low tags: - attack.defense_evasion - - attack.t1564.001 \ No newline at end of file + - attack.t1564.001 diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_attrib_system_susp_paths.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_attrib_system_susp_paths.yml index 8c2ea4c57..0652c0250 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_attrib_system_susp_paths.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_attrib_system_susp_paths.yml @@ -42,4 +42,4 @@ falsepositives: level: high tags: - attack.defense_evasion - - attack.t1564.001 \ No newline at end of file + - attack.t1564.001 diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_automated_collection.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_automated_collection.yml index 05550d6de..882e7da6b 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_automated_collection.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_automated_collection.yml @@ -29,7 +29,7 @@ detection: - ' /s ' selection_findstr: OriginalFileName: FINDSTR.EXE - CommandLine|contains: + CommandLine|contains: - ' /e ' - ' /si ' condition: selection_ext and (selection_dir or selection_findstr) @@ -40,4 +40,4 @@ tags: - attack.collection - attack.t1119 - attack.credential_access - - attack.t1552.001 \ No newline at end of file + - attack.t1552.001 diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_base64_invoke_susp_cmdlets.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_base64_invoke_susp_cmdlets.yml index 7aa6fba00..f4bb79986 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_base64_invoke_susp_cmdlets.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_base64_invoke_susp_cmdlets.yml @@ -37,4 +37,4 @@ fields: - CommandLine falsepositives: - Unlikely -level: high \ No newline at end of file +level: high diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_base64_listing_shadowcopy.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_base64_listing_shadowcopy.yml index e318064d8..172f2fdc9 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_base64_listing_shadowcopy.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_base64_listing_shadowcopy.yml @@ -18,7 +18,7 @@ logsource: detection: selection: # Win32_Shadowcopy | ForEach-Object - CommandLine|contains: + CommandLine|contains: - 'VwBpAG4AMwAyAF8AUwBoAGEAZABvAHcAYwBvAHAAeQAgAHwAIABGAG8AcgBFAGEAYwBoAC0ATwBiAGoAZQBjAHQA' - 'cAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0A' - 'XAGkAbgAzADIAXwBTAGgAYQBkAG8AdwBjAG8AcAB5ACAAfAAgAEYAbwByAEUAYQBjAGgALQBPAGIAagBlAGMAdA' @@ -28,4 +28,4 @@ fields: - ParentCommandLine falsepositives: - Unlikely -level: high \ No newline at end of file +level: high diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_base64_reflective_assembly_load.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_base64_reflective_assembly_load.yml index 7e159e1a2..ea671c75e 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_base64_reflective_assembly_load.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_base64_reflective_assembly_load.yml @@ -43,4 +43,4 @@ fields: - CommandLine falsepositives: - Unlikely -level: high \ No newline at end of file +level: high diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_domain.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_domain.yml index 1a7b53840..5756e3196 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_domain.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_domain.yml @@ -20,12 +20,12 @@ logsource: detection: selection: Image|endswith: '\bitsadmin.exe' - CommandLine|contains: + CommandLine|contains: - ' /transfer ' - ' /create ' - ' /addfile ' selection_domain: - CommandLine|contains: + CommandLine|contains: - 'raw.githubusercontent.com' - 'gist.githubusercontent.com' - 'pastebin.com' diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_ext.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_ext.yml index 1d5d7a4ed..05c65a9ed 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_ext.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_ext.yml @@ -25,7 +25,7 @@ detection: - ' /create ' - ' /addfile ' selection_extension: - CommandLine|contains: + CommandLine|contains: - '.asax' - '.ashx' - '.asmx' diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_targetfolder.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_targetfolder.yml index c334f2492..2b4dbee13 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_targetfolder.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_targetfolder.yml @@ -25,7 +25,7 @@ detection: - ' /create ' - ' /addfile ' selection_folder: - CommandLine|contains: + CommandLine|contains: - 'C:\Users\Public\' - '%public%' - '\Desktop\' diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_clip.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_clip.yml index 9bef6b0f7..f95c5d73f 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_clip.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_clip.yml @@ -3,7 +3,7 @@ id: ddeff553-5233-4ae9-bbab-d64d2bd634be status: experimental author: frack113 date: 2021/07/27 -description: Adversaries may collect data stored in the clipboard from users copying information within or between applications. +description: Adversaries may collect data stored in the clipboard from users copying information within or between applications. references: - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/clip - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1115/T1115.md @@ -16,7 +16,7 @@ logsource: detection: selection: OriginalFileName: clip.exe - condition: selection + condition: selection falsepositives: - Unknown level: low diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_cmd_delete.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_cmd_delete.yml index 9c8a3796b..29d1b1cd9 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_cmd_delete.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_cmd_delete.yml @@ -4,7 +4,7 @@ status: experimental description: | Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. - Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint. + Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint. author: frack113 date: 2022/01/15 references: diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_cobaltstrike_bloopers_cmd.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_cobaltstrike_bloopers_cmd.yml index 33a39958b..a8628b4b0 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_cobaltstrike_bloopers_cmd.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_cobaltstrike_bloopers_cmd.yml @@ -36,4 +36,4 @@ falsepositives: level: high tags: - attack.execution - - attack.t1059.003 \ No newline at end of file + - attack.t1059.003 diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_cobaltstrike_bloopers_modules.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_cobaltstrike_bloopers_modules.yml index 871b46ca3..a4eaf8209 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_cobaltstrike_bloopers_modules.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_cobaltstrike_bloopers_modules.yml @@ -34,4 +34,4 @@ falsepositives: level: high tags: - attack.execution - - attack.t1059.003 \ No newline at end of file + - attack.t1059.003 diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_cobaltstrike_process_patterns.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_cobaltstrike_process_patterns.yml index 851989769..47c8f63d1 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_cobaltstrike_process_patterns.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_cobaltstrike_process_patterns.yml @@ -10,22 +10,22 @@ date: 2021/07/27 modified: 2022/03/05 tags: - attack.execution - - attack.t1059 + - attack.t1059 logsource: category: process_creation product: windows detection: - selection1: + selection1: CommandLine|contains: '\cmd.exe /C whoami' ParentImage|startswith: 'C:\Temp' selection2: CommandLine|contains: 'conhost.exe 0xffffffff -ForceV1' - ParentCommandLine|contains: + ParentCommandLine|contains: - '/C whoami' - 'cmd.exe /C echo' - ' > \\\\.\\pipe' selection3: - CommandLine|contains: + CommandLine|contains: - 'cmd.exe /c echo' - '> \\\\.\\pipe' - '\whoami.exe' @@ -38,4 +38,3 @@ detection: falsepositives: - Other programs that cause these patterns (please report) level: high - diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_conti_sqlcmd.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_conti_sqlcmd.yml index 51f19e6c2..506842b8b 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_conti_sqlcmd.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_conti_sqlcmd.yml @@ -4,9 +4,9 @@ status: experimental author: frack113 date: 2021/08/16 modified: 2021/12/02 -description: Detects a command used by conti to dump database +description: Detects a command used by conti to dump database references: - - https://twitter.com/vxunderground/status/1423336151860002816?s=20 #the leak info not the files itself + - https://twitter.com/vxunderground/status/1423336151860002816?s=20 #the leak info not the files itself - https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection - https://docs.microsoft.com/en-us/sql/tools/sqlcmd-utility?view=sql-server-ver15 tags: diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_crackmapexec_patterns.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_crackmapexec_patterns.yml index 46ac08371..1ac92010e 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_crackmapexec_patterns.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_crackmapexec_patterns.yml @@ -35,4 +35,4 @@ detection: condition: 1 of selection* falsepositives: - Unknown -level: high \ No newline at end of file +level: high diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_crime_snatch_ransomware.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_crime_snatch_ransomware.yml index ddea6a389..bc8e51117 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_crime_snatch_ransomware.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_crime_snatch_ransomware.yml @@ -11,7 +11,7 @@ logsource: category: process_creation product: windows detection: - # Shutdown in safe mode immediately + # Shutdown in safe mode immediately selection: CommandLine|contains: - 'shutdown /r /f /t 00' diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_crypto_mining_monero.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_crypto_mining_monero.yml index 4db11b093..043064bfa 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_crypto_mining_monero.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_crypto_mining_monero.yml @@ -23,7 +23,7 @@ detection: - 'LS1kb25hdGUtbGV2ZWw9' - '0tZG9uYXRlLWxldmVsP' - 'tLWRvbmF0ZS1sZXZlbD' - # base64 encoded: stratum+tcp:// and stratum+udp:// + # base64 encoded: stratum+tcp:// and stratum+udp:// - 'c3RyYXR1bSt0Y3A6Ly' - 'N0cmF0dW0rdGNwOi8v' - 'zdHJhdHVtK3RjcDovL' @@ -36,4 +36,4 @@ falsepositives: level: high tags: - attack.impact - - attack.t1496 \ No newline at end of file + - attack.t1496 diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_delete_systemstatebackup.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_delete_systemstatebackup.yml index a4002af91..e121e8c1c 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_delete_systemstatebackup.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_delete_systemstatebackup.yml @@ -28,4 +28,4 @@ falsepositives: level: high tags: - attack.impact - - attack.t1490 \ No newline at end of file + - attack.t1490 diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_detecting_fake_instances_of_hxtsr.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_detecting_fake_instances_of_hxtsr.yml index cc35645cb..2b78addfd 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_detecting_fake_instances_of_hxtsr.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_detecting_fake_instances_of_hxtsr.yml @@ -20,4 +20,4 @@ falsepositives: level: medium tags: - attack.defense_evasion - - attack.t1036 \ No newline at end of file + - attack.t1036 diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_dinjector.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_dinjector.yml index 929306f10..7ca3b9bdc 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_dinjector.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_dinjector.yml @@ -26,4 +26,4 @@ detection: condition: selection and not 1 of filter_* falsepositives: - Unlikely -level: critical \ No newline at end of file +level: critical diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_dns_serverlevelplugindll.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_dns_serverlevelplugindll.yml index 7f43e5439..3a29b3b41 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_dns_serverlevelplugindll.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_dns_serverlevelplugindll.yml @@ -21,7 +21,7 @@ logsource: detection: selection: Image|endswith: '\dnscmd.exe' - CommandLine|contains|all: + CommandLine|contains|all: - '/config' - '/serverlevelplugindll' condition: selection @@ -34,4 +34,4 @@ fields: - ParentCommandLine - Image - User - - TargetObject \ No newline at end of file + - TargetObject diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_dsim_remove.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_dsim_remove.yml index a6cd04c13..1abb6da40 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_dsim_remove.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_dsim_remove.yml @@ -1,7 +1,7 @@ title: Dism Remove Online Package id: 43e32da2-fdd0-4156-90de-50dfd62636f9 status: experimental -description: Deployment Image Servicing and Management tool. DISM is used to enumerate, install, uninstall, configure, and update features and packages in Windows images +description: Deployment Image Servicing and Management tool. DISM is used to enumerate, install, uninstall, configure, and update features and packages in Windows images author: frack113 date: 2022/01/16 references: @@ -34,4 +34,4 @@ falsepositives: level: medium tags: - attack.defense_evasion - - attack.t1562.001 \ No newline at end of file + - attack.t1562.001 diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_embed_exe_lnk.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_embed_exe_lnk.yml index 4c90e2588..097b81ebe 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_embed_exe_lnk.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_embed_exe_lnk.yml @@ -22,4 +22,4 @@ falsepositives: level: medium tags: - attack.execution - - attack.t1059.001 + - attack.t1059.001 diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_enumeration_for_credentials_cli.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_enumeration_for_credentials_cli.yml index 0f13b0414..1070b6286 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_enumeration_for_credentials_cli.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_enumeration_for_credentials_cli.yml @@ -41,4 +41,4 @@ falsepositives: level: medium tags: - attack.credential_access - - attack.t1552.002 \ No newline at end of file + - attack.t1552.002 diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_enumeration_for_credentials_in_registry.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_enumeration_for_credentials_in_registry.yml index c07194735..9347b05e4 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_enumeration_for_credentials_in_registry.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_enumeration_for_credentials_in_registry.yml @@ -34,4 +34,4 @@ falsepositives: level: medium tags: - attack.credential_access - - attack.t1552.002 \ No newline at end of file + - attack.t1552.002 diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_esentutl_webcache.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_esentutl_webcache.yml index 4e7dbfd6f..1c69fcb1c 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_esentutl_webcache.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_esentutl_webcache.yml @@ -1,4 +1,4 @@ -title: Esentutl Steals Browser Information +title: Esentutl Steals Browser Information id: 6a69f62d-ce75-4b57-8dce-6351eb55b362 status: experimental description: One way Qbot steals sensitive information is by extracting browser data from Internet Explorer and Microsoft Edge by using the built-in utility esentutl.exe diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_evil_winrm.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_evil_winrm.yml index 5ee88e8ea..08aa18ec1 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_evil_winrm.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_evil_winrm.yml @@ -1,7 +1,7 @@ title: WinRM Access with Evil-WinRM id: a197e378-d31b-41c0-9635-cfdf1c1bb423 status: experimental -description: Adversaries may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user. +description: Adversaries may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user. author: frack113 references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.006/T1021.006.md#atomic-test-3---winrm-access-with-evil-winrm diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_expand_cabinet_files.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_expand_cabinet_files.yml index 1202cc9f2..31d4a0d2e 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_expand_cabinet_files.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_expand_cabinet_files.yml @@ -33,4 +33,4 @@ fields: - ParentCommandLine falsepositives: - System administrator Usage -level: medium \ No newline at end of file +level: medium diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_exploit_lpe_cve_2021_41379.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_exploit_lpe_cve_2021_41379.yml index cd26057e0..97619c96f 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_exploit_lpe_cve_2021_41379.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_exploit_lpe_cve_2021_41379.yml @@ -1,4 +1,4 @@ -title: Possible InstallerFileTakeOver LPE CVE-2021-41379 +title: Possible InstallerFileTakeOver LPE CVE-2021-41379 id: af8bbce4-f751-46b4-8d91-82a33a736f61 status: experimental description: Detects signs of the exploitation of LPE CVE-2021-41379 to spawn a cmd.exe with LOCAL_SYSTEM rights diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_false_sysinternalsuite.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_false_sysinternalsuite.yml index 05869db8d..f305b18a8 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_false_sysinternalsuite.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_false_sysinternalsuite.yml @@ -156,9 +156,9 @@ detection: - '\Winobj.exe' - '\Winobj64.exe' - '\ZoomIt.exe' - - '\ZoomIt64.exe' + - '\ZoomIt64.exe' filter_valid: - Company: + Company: - 'Sysinternals - www.sysinternals.com' - 'Sysinternals' filter_empty: diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_findstr_gpp_passwords.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_findstr_gpp_passwords.yml index 75e245400..8a3068193 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_findstr_gpp_passwords.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_findstr_gpp_passwords.yml @@ -13,7 +13,7 @@ detection: selection: Image|endswith: \findstr.exe CommandLine|contains|all: - - cpassword + - cpassword - \sysvol\ - .xml condition: selection @@ -21,5 +21,5 @@ falsepositives: - Unknown level: high tags: - - attack.credential_access - - attack.t1552.006 \ No newline at end of file + - attack.credential_access + - attack.t1552.006 diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_gotoopener.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_gotoopener.yml index 74f481130..d1e507a3b 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_gotoopener.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_gotoopener.yml @@ -4,7 +4,7 @@ status: experimental description: | An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. - Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land) + Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land) references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1219/T1219.md#atomic-test-4---gotoassist-files-detected-test-on-windows author: frack113 diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_hack_dumpert.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_hack_dumpert.yml index 98602bc2c..1d1819a16 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_hack_dumpert.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_hack_dumpert.yml @@ -20,4 +20,4 @@ detection: condition: selection falsepositives: - Very unlikely -level: critical \ No newline at end of file +level: critical diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_hack_koadic.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_hack_koadic.yml index 8d07794d6..c4b0d6eac 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_hack_koadic.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_hack_koadic.yml @@ -30,4 +30,4 @@ tags: - attack.execution - attack.t1059.003 - attack.t1059.005 - - attack.t1059.007 \ No newline at end of file + - attack.t1059.007 diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_hack_wce.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_hack_wce.yml index cd0b2e9c0..78b12947c 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_hack_wce.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_hack_wce.yml @@ -30,4 +30,4 @@ detection: condition: ( selection1 or selection2 ) and not filter falsepositives: - Another service that uses a single -s command line switch -level: critical \ No newline at end of file +level: critical diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_hacktool_imphashes.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_hacktool_imphashes.yml index 97c1e893e..912fe263e 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_hacktool_imphashes.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_hacktool_imphashes.yml @@ -12,7 +12,7 @@ logsource: product: windows detection: selection: - - Imphash: + - Imphash: - BCCA3C247B619DCD13C8CDFF5F123932 # PetitPotam - 3A19059BD7688CB88E70005F18EFC439 # PetitPotam - 9DA6D5D77BE11712527DCAB86DF449A3 # Mimikatz @@ -23,7 +23,7 @@ detection: - 725BB81DC24214F6ECACC0CFB36AD30D # Mimikatz - 672B13F4A0B6F27D29065123FE882DFC # Mimikatz - 0C106686A31BFE2BA931AE1CF6E9DBC6 # Mimikatz - - 23867A89C2B8FC733BE6CF5EF902F2D1 # JuicyPotato + - 23867A89C2B8FC733BE6CF5EF902F2D1 # JuicyPotato - 9FB060C2977A9D9B782440B98D410C3E # RoguePotato - B18A1401FF8F444056D29450FBC0A6CE # Pwdump - 13F08707F759AF6003837A150A371BA1 # Pwdump @@ -53,7 +53,7 @@ detection: - IMPHASH=725BB81DC24214F6ECACC0CFB36AD30D # Mimikatz - IMPHASH=672B13F4A0B6F27D29065123FE882DFC # Mimikatz - IMPHASH=0C106686A31BFE2BA931AE1CF6E9DBC6 # Mimikatz - - IMPHASH=23867A89C2B8FC733BE6CF5EF902F2D1 # JuicyPotato + - IMPHASH=23867A89C2B8FC733BE6CF5EF902F2D1 # JuicyPotato - IMPHASH=9FB060C2977A9D9B782440B98D410C3E # RoguePotato - IMPHASH=B18A1401FF8F444056D29450FBC0A6CE # Pwdump - IMPHASH=13F08707F759AF6003837A150A371BA1 # Pwdump @@ -75,4 +75,4 @@ detection: condition: selection falsepositives: - Legitimate use of one of these tools -level: high \ No newline at end of file +level: high diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_hh_chm.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_hh_chm.yml index 33f18d2c5..b626091a2 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_hh_chm.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_hh_chm.yml @@ -25,4 +25,4 @@ falsepositives: level: high tags: - attack.defense_evasion - - attack.t1218.001 \ No newline at end of file + - attack.t1218.001 diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_hktl_createminidump.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_hktl_createminidump.yml index eae281baf..fb4cf5b64 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_hktl_createminidump.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_hktl_createminidump.yml @@ -22,4 +22,4 @@ detection: condition: 1 of selection* falsepositives: - Unknown -level: high \ No newline at end of file +level: high diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_iis_http_logging.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_iis_http_logging.yml index 4843a988b..19fe6fbd3 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_iis_http_logging.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_iis_http_logging.yml @@ -12,9 +12,9 @@ logsource: detection: selection: Image|endswith: \appcmd.exe - CommandLine|contains|all: - - set - - config + CommandLine|contains|all: + - set + - config - '/section:httplogging' - '/dontLog:true' condition: selection diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_impacket_compiled_tools.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_impacket_compiled_tools.yml index 9eb0aefd9..0facc5ef1 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_impacket_compiled_tools.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_impacket_compiled_tools.yml @@ -14,7 +14,7 @@ logsource: product: windows detection: selection: - - Image|contains: + - Image|contains: - '\goldenPac' - '\karmaSMB' - '\kintercept' @@ -26,7 +26,7 @@ detection: - '\smbrelayx' - '\wmiexec' - '\wmipersist' - - Image|endswith: + - Image|endswith: # - '\addcomputer_windows.exe' - '\atexec_windows.exe' - '\dcomexec_windows.exe' diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_impacket_lateralization.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_impacket_lateralization.yml index a2e1a6ffa..3c0650742 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_impacket_lateralization.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_impacket_lateralization.yml @@ -15,12 +15,12 @@ logsource: product: windows detection: selection_other: - # *** wmiexec.py + # *** wmiexec.py # parent is wmiprvse.exe # examples: # cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1567439113.54 2>&1 # cmd.exe /Q /c cd 1> \\127.0.0.1\ADMIN$\__1567439113.54 2>&1 - # *** dcomexec.py -object MMC20 + # *** dcomexec.py -object MMC20 # parent is mmc.exe # example: # "C:\Windows\System32\cmd.exe" /Q /c cd 1> \\127.0.0.1\ADMIN$\__1567442499.05 2>&1 diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_infdefaultinstall.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_infdefaultinstall.yml index 85986ef84..d058ba773 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_infdefaultinstall.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_infdefaultinstall.yml @@ -15,7 +15,7 @@ detection: CommandLine|contains|all: - 'InfDefaultInstall.exe ' - '.inf' - condition: selection + condition: selection fields: - ComputerName - User @@ -26,4 +26,4 @@ falsepositives: level: medium tags: - attack.defense_evasion - - attack.t1218 \ No newline at end of file + - attack.t1218 diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_invoke_obfuscation_via_use_rundll32.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_invoke_obfuscation_via_use_rundll32.yml index a4892354d..7d894c189 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_invoke_obfuscation_via_use_rundll32.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_invoke_obfuscation_via_use_rundll32.yml @@ -17,7 +17,7 @@ detection: - 'rundll32' - 'shell32.dll' - 'shellexec_rundll' - CommandLine|contains: + CommandLine|contains: - 'value' - 'invoke' - 'comspec' diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_logmein.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_logmein.yml index ccde53ca3..461d533c3 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_logmein.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_logmein.yml @@ -4,7 +4,7 @@ status: experimental description: | An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. - Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land) + Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land) references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1219/T1219.md#atomic-test-3---logmein-files-detected-test-on-windows author: frack113 diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_lolbin_bash.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_lolbin_bash.yml index 7214f0343..8b29e96c3 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_lolbin_bash.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_lolbin_bash.yml @@ -1,7 +1,7 @@ title: Suspicious Subsystem for Linux Bash Execution id: 5edc2273-c26f-406c-83f3-f4d948e740dd status: experimental -description: Performs execution of specified file, can be used as a defensive evasion. +description: Performs execution of specified file, can be used as a defensive evasion. references: - https://lolbas-project.github.io/lolbas/Binaries/Bash/ tags: diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_lolbin_cl_invocation.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_lolbin_cl_invocation.yml index 04a8b5dd2..4f999508b 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_lolbin_cl_invocation.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_lolbin_cl_invocation.yml @@ -16,11 +16,11 @@ logsource: product: windows detection: selection: - CommandLine|contains|all: + CommandLine|contains|all: - 'CL_Invocation.ps1' - 'SyncInvoke' # Example Commandline: "powershell Import-Module c:\Windows\diagnostics\system\Audio\CL_Invocation.ps1; SyncInvoke c:\Evil.exe" condition: selection -falsepositives: +falsepositives: - Unknown level: high diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_lolbin_cscript_gathernetworkinfo.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_lolbin_cscript_gathernetworkinfo.yml index 177e320df..de4795593 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_lolbin_cscript_gathernetworkinfo.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_lolbin_cscript_gathernetworkinfo.yml @@ -3,7 +3,7 @@ id: 575dce0c-8139-4e30-9295-1ee75969f7fe description: Adversaries can abuse of C:\Windows\System32\gatherNetworkInfo.vbs script along with cscript.exe to gather information about the target status: experimental references: - - https://posts.slayerlabs.com/living-off-the-land/#gathernetworkinfovbs + - https://posts.slayerlabs.com/living-off-the-land/#gathernetworkinfovbs author: blueteamer8699 date: 2022/01/03 tags: @@ -18,7 +18,7 @@ logsource: product: windows detection: selection: - CommandLine|contains|all: + CommandLine|contains|all: - 'cscript.exe' - 'gatherNetworkInfo.vbs' condition: selection diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_lolbin_diantz_ads.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_lolbin_diantz_ads.yml index cd7c5c12c..ec4bf10f3 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_lolbin_diantz_ads.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_lolbin_diantz_ads.yml @@ -1,4 +1,4 @@ -title: Suspicious Diantz Alternate Data Stream Execution +title: Suspicious Diantz Alternate Data Stream Execution id: 6b369ced-4b1d-48f1-b427-fdc0de0790bd status: experimental description: Compress taget file into a cab file stored in the Alternate Data Stream (ADS) of the target file. @@ -18,7 +18,7 @@ detection: - diantz.exe - .cab CommandLine|re: ':[^\\\\]' - condition: selection + condition: selection falsepositives: - Very Possible level: medium diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_lolbin_diantz_remote_cab.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_lolbin_diantz_remote_cab.yml index 5b7ef48c7..f9e2b4aee 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_lolbin_diantz_remote_cab.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_lolbin_diantz_remote_cab.yml @@ -1,7 +1,7 @@ title: Suspicious Diantz Download and Compress Into a CAB File id: 185d7418-f250-42d0-b72e-0c8b70661e93 status: experimental -description: Download and compress a remote file and store it in a cab file on local machine. +description: Download and compress a remote file and store it in a cab file on local machine. references: - https://lolbas-project.github.io/lolbas/Binaries/Diantz/ tags: @@ -16,9 +16,9 @@ detection: selection: CommandLine|contains|all: - diantz.exe - - ' \\' + - ' \\' - '.cab' - condition: selection + condition: selection falsepositives: - Unknown level: medium diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_lolbin_dump64.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_lolbin_dump64.yml index 34abd4ae3..104dd0bc4 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_lolbin_dump64.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_lolbin_dump64.yml @@ -1,4 +1,4 @@ -title: Suspicious Dump64.exe Execution +title: Suspicious Dump64.exe Execution id: 129966c9-de17-4334-a123-8b58172e664d description: Detects when a user bypasses Defender by renaming a tool to dump64.exe and placing it in a Visual Studio folder status: experimental @@ -9,7 +9,7 @@ references: logsource: product: windows category: process_creation -detection: +detection: selection: Image|endswith: '\dump64.exe' procdump_flags: diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_lolbin_execution_via_winget.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_lolbin_execution_via_winget.yml index 7911e9cc3..38b34c640 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_lolbin_execution_via_winget.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_lolbin_execution_via_winget.yml @@ -2,7 +2,7 @@ title: Monitoring Winget For LOLbin Execution id: 313d6012-51a0-4d93-8dfc-de8553239e25 description: Adversaries can abuse winget to download payloads remotely and execute them without touching disk. Winget will be included by default in Windows 10 and is already available in Windows 10 insider programs. The manifest option enables you to install an application by passing in a YAML file directly to the client. Winget can be used to download and install exe's, msi, msix files later. status: experimental -references: +references: - https://docs.microsoft.com/en-us/windows/package-manager/winget/install#local-install author: Sreeman, Florian Roth, Frack113 date: 2020/04/21 @@ -16,7 +16,7 @@ logsource: product: windows detection: selection: - CommandLine|contains|all: + CommandLine|contains|all: - 'winget' - 'install' CommandLine|contains: diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_lolbin_extrac32_ads.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_lolbin_extrac32_ads.yml index 079772176..d47b5ada6 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_lolbin_extrac32_ads.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_lolbin_extrac32_ads.yml @@ -1,4 +1,4 @@ -title: Suspicious Extrac32 Alternate Data Stream Execution +title: Suspicious Extrac32 Alternate Data Stream Execution id: 4b13db67-0c45-40f1-aba8-66a1a7198a1e status: experimental description: Extract data from cab file and hide it in an alternate data stream @@ -6,7 +6,7 @@ references: - https://lolbas-project.github.io/lolbas/Binaries/Extrac32/ tags: - attack.defense_evasion - - attack.t1564.004 + - attack.t1564.004 author: frack113 date: 2021/11/26 logsource: @@ -18,7 +18,7 @@ detection: - extrac32.exe - .cab CommandLine|re: ':[^\\\\]' - condition: selection + condition: selection falsepositives: - Unknown level: medium diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_lolbin_findstr.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_lolbin_findstr.yml index 9970234f9..a8d172171 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_lolbin_findstr.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_lolbin_findstr.yml @@ -42,4 +42,4 @@ tags: - attack.t1218 - attack.t1564.004 - attack.t1552.001 - - attack.t1105 \ No newline at end of file + - attack.t1105 diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_lolbin_ie4uinit.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_lolbin_ie4uinit.yml index 02c87ce21..18d0ececa 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_lolbin_ie4uinit.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_lolbin_ie4uinit.yml @@ -19,7 +19,7 @@ detection: CurrentDirectory: - 'c:\windows\system32\' - 'c:\windows\sysWOW64\' - filter_missing: + filter_missing: CurrentDirectory: null condition: lolbin and not 1 of filter_* falsepositives: diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_lolbin_jsc.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_lolbin_jsc.yml index 2a0444ef5..485d94708 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_lolbin_jsc.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_lolbin_jsc.yml @@ -13,7 +13,7 @@ detection: selection: Image|endswith: '\jsc.exe' CommandLine|contains: '.js' - condition: selection + condition: selection falsepositives: - Unknown level: medium diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_lolbin_offlinescannershell.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_lolbin_offlinescannershell.yml index 7053d03df..fdffaa1db 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_lolbin_offlinescannershell.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_lolbin_offlinescannershell.yml @@ -1,7 +1,7 @@ title: Suspicious OfflineScannerShell.exe Execution From Another Folder id: 02b18447-ea83-4b1b-8805-714a8a34546a status: experimental -description: Use OfflineScannerShell.exe to execute mpclient.dll library in the current working directory +description: Use OfflineScannerShell.exe to execute mpclient.dll library in the current working directory references: - https://lolbas-project.github.io/lolbas/Binaries/OfflineScannerShell/ author: frack113 @@ -14,7 +14,7 @@ detection: Image|endswith: '\OfflineScannerShell.exe' filter_correct: CurrentDirectory: 'C:\Program Files\Windows Defender\Offline\' - filter_missing: + filter_missing: CurrentDirectory: null condition: lolbas and not 1 of filter_* falsepositives: @@ -22,4 +22,4 @@ falsepositives: level: medium tags: - attack.defense_evasion - - attack.t1218 + - attack.t1218 diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_lolbin_printbrm.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_lolbin_printbrm.yml index a9e8bce20..096e79af5 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_lolbin_printbrm.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_lolbin_printbrm.yml @@ -12,15 +12,15 @@ logsource: detection: selection: Image|endswith: '\PrintBrm.exe' - CommandLine|contains|all: + CommandLine|contains|all: - ' -f' - '.zip' - condition: selection + condition: selection falsepositives: - Unknown level: high tags: - attack.command_and_control - - attack.t1105 + - attack.t1105 - attack.defense_evasion - - attack.t1564.004 + - attack.t1564.004 diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_lolbin_pubprn.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_lolbin_pubprn.yml index c99fcd5f1..7ff14b998 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_lolbin_pubprn.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_lolbin_pubprn.yml @@ -20,4 +20,4 @@ falsepositives: level: medium tags: - attack.defense_evasion - - attack.t1216.001 \ No newline at end of file + - attack.t1216.001 diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_lolbin_replace.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_lolbin_replace.yml index 0264f5a95..1043b5b95 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_lolbin_replace.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_lolbin_replace.yml @@ -15,7 +15,7 @@ detection: selection: Image|endswith: '\replace.exe' argument: - CommandLine|contains: + CommandLine|contains: - '/a' - '-a' condition: selection and argument diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_lolbin_susp_acccheckconsole.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_lolbin_susp_acccheckconsole.yml index 693a98743..2da66feb5 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_lolbin_susp_acccheckconsole.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_lolbin_susp_acccheckconsole.yml @@ -24,4 +24,4 @@ detection: condition: all of selection* falsepositives: - Legitimate use of the UI Accessibility Checker -level: high \ No newline at end of file +level: high diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_lolbin_susp_grpconv.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_lolbin_susp_grpconv.yml index 05d87b214..aeef7b3ec 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_lolbin_susp_grpconv.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_lolbin_susp_grpconv.yml @@ -21,4 +21,3 @@ detection: falsepositives: - Unknown level: high - diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_lolbin_ttdinject.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_lolbin_ttdinject.yml index 0883160aa..6ab82c6c9 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_lolbin_ttdinject.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_lolbin_ttdinject.yml @@ -19,4 +19,4 @@ falsepositives: level: medium tags: - attack.defense_evasion - - attack.t1127 + - attack.t1127 diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_lolbin_tttracer_mod_load.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_lolbin_tttracer_mod_load.yml index ffccba042..78cff6c86 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_lolbin_tttracer_mod_load.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_lolbin_tttracer_mod_load.yml @@ -9,7 +9,7 @@ references: - https://lolbas-project.github.io/lolbas/Binaries/Tttracer/ - https://twitter.com/mattifestation/status/1196390321783025666 - https://twitter.com/oulusoyum/status/1191329746069655553 -author: 'Ensar Şamil, @sblmsrsn, @oscd_initiative' +author: 'Ensar Şamil, @sblmsrsn, @oscd_initiative' date: 2020/10/06 modified: 2021/09/21 tags: @@ -26,4 +26,4 @@ detection: condition: selection falsepositives: - Legitimate usage by software developers/testers -level: high \ No newline at end of file +level: high diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_lolbins_by_office_applications.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_lolbins_by_office_applications.yml index f05033d91..4176c1fe6 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_lolbins_by_office_applications.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_lolbins_by_office_applications.yml @@ -38,4 +38,4 @@ detection: condition: selection falsepositives: - Unknown -level: high \ No newline at end of file +level: high diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_lolbins_with_wmiprvse_parent_process.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_lolbins_with_wmiprvse_parent_process.yml index b593a5104..d702f8db1 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_lolbins_with_wmiprvse_parent_process.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_lolbins_with_wmiprvse_parent_process.yml @@ -1,6 +1,6 @@ title: Lolbins Process Creation with WmiPrvse id: 8a582fe2-0882-4b89-a82a-da6b2dc32937 -description: This rule will monitor LOLBin process creations by wmiprvse. Add more LOLBins to rule logic if needed. +description: This rule will monitor LOLBin process creations by wmiprvse. Add more LOLBins to rule logic if needed. references: - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/ - https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/main/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_mailboxexport_share.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_mailboxexport_share.yml index 2241ded9a..cc0c5ff35 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_mailboxexport_share.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_mailboxexport_share.yml @@ -26,7 +26,7 @@ fields: - CommandLine - ParentCommandLine tags: - - attack.persistence + - attack.persistence - attack.t1505.003 - attack.resource_development - - attack.t1584.006 \ No newline at end of file + - attack.t1584.006 diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_mal_adwind.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_mal_adwind.yml index b777f363a..c4acf4239 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_mal_adwind.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_mal_adwind.yml @@ -26,4 +26,4 @@ detection: - 'Retrive' - '.vbs ' condition: selection -level: high \ No newline at end of file +level: high diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_mal_blue_mockingbird.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_mal_blue_mockingbird.yml index c5ff7aa41..018edade4 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_mal_blue_mockingbird.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_mal_blue_mockingbird.yml @@ -29,4 +29,4 @@ detection: condition: sc_cmd or wmic_cmd falsepositives: - Unknown -level: high \ No newline at end of file +level: high diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_mal_darkside_ransomware.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_mal_darkside_ransomware.yml index 6a98c74bc..88b420528 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_mal_darkside_ransomware.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_mal_darkside_ransomware.yml @@ -13,7 +13,7 @@ logsource: product: windows detection: selection1: - CommandLine|contains: + CommandLine|contains: - '=[char][byte](''0x''+' - ' -work worker0 -path ' selection2: diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_malware_conti.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_malware_conti.yml index e2be55465..821c35409 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_malware_conti.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_malware_conti.yml @@ -25,4 +25,4 @@ falsepositives: level: high tags: - attack.t1587.001 - - attack.resource_development \ No newline at end of file + - attack.resource_development diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_malware_conti_7zip.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_malware_conti_7zip.yml index 23a992248..ea9da151e 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_malware_conti_7zip.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_malware_conti_7zip.yml @@ -21,4 +21,4 @@ falsepositives: level: high tags: - attack.collection - - attack.t1560 \ No newline at end of file + - attack.t1560 diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_malware_conti_shadowcopy.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_malware_conti_shadowcopy.yml index 36f686290..b8418cbdf 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_malware_conti_shadowcopy.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_malware_conti_shadowcopy.yml @@ -26,4 +26,4 @@ falsepositives: level: medium tags: - attack.impact - - attack.t1490 \ No newline at end of file + - attack.t1490 diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_malware_emotet.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_malware_emotet.yml index c0ba595f8..e730908b0 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_malware_emotet.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_malware_emotet.yml @@ -39,4 +39,3 @@ fields: falsepositives: - Unlikely level: high - diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_malware_notpetya.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_malware_notpetya.yml index 61ff3daf2..208a2822e 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_malware_notpetya.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_malware_notpetya.yml @@ -18,7 +18,7 @@ detection: - '\\\\.\\pipe\\' select_rundll32_dash1: Image|endswith: '\rundll32.exe' - CommandLine|endswith: + CommandLine|endswith: - '.dat,#1' - '.dat #1' # Sysmon removes comma select_perfc_keyword: diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_meterpreter_or_cobaltstrike_getsystem_service_start.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_meterpreter_or_cobaltstrike_getsystem_service_start.yml index 59be92668..f04667dd3 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_meterpreter_or_cobaltstrike_getsystem_service_start.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_meterpreter_or_cobaltstrike_getsystem_service_start.yml @@ -18,7 +18,7 @@ logsource: detection: selection_1: ParentImage|endswith: '\services.exe' - selection_2: + selection_2: # meterpreter getsystem technique 1: cmd.exe /c echo 559891bb017 > \\.\pipe\5e120a - CommandLine|contains|all: - 'cmd' diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_modif_of_services_for_via_commandline.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_modif_of_services_for_via_commandline.yml index b0f591390..47e22650b 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_modif_of_services_for_via_commandline.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_modif_of_services_for_via_commandline.yml @@ -20,7 +20,7 @@ detection: - 'sc ' - 'config ' - 'binpath=' - selection_cmdline_2: + selection_cmdline_2: CommandLine|contains|all: - 'sc ' - 'failure' diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_monitoring_for_persistence_via_bits.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_monitoring_for_persistence_via_bits.yml index 633f97bac..403dc86c1 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_monitoring_for_persistence_via_bits.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_monitoring_for_persistence_via_bits.yml @@ -17,7 +17,7 @@ detection: CommandLine|contains|all: - 'bitsadmin' - '/SetNotifyCmdLine' - CommandLine|contains: + CommandLine|contains: - '%COMSPEC%' - 'cmd.exe' - 'regsvr32.exe' @@ -25,7 +25,7 @@ detection: CommandLine|contains|all: - 'bitsadmin' - '/Addfile' - CommandLine|contains: + CommandLine|contains: - 'http:' - 'https:' - 'ftp:' diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_msiexec_install_quiet.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_msiexec_install_quiet.yml index cc45d4445..ec9f2eaf9 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_msiexec_install_quiet.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_msiexec_install_quiet.yml @@ -14,7 +14,7 @@ logsource: product: windows detection: selection: - Image|endswith: '\msiexec.exe' + Image|endswith: '\msiexec.exe' CommandLine|contains|all: - ' /i' - ' /q' diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_multiple_susp_cli.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_multiple_susp_cli.yml index 78b37477c..82099cf89 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_multiple_susp_cli.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_multiple_susp_cli.yml @@ -10,7 +10,7 @@ modified: 2021/06/13 tags: - car.2013-04-002 - attack.execution - - attack.t1059 + - attack.t1059 logsource: category: process_creation product: windows diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_net_enum.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_net_enum.yml index a2b549207..a5e750a8e 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_net_enum.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_net_enum.yml @@ -16,7 +16,7 @@ logsource: product: windows detection: selection: - Image|endswith: + Image|endswith: - '\net.exe' - '\net1.exe' CommandLine|contains: 'view' @@ -29,4 +29,4 @@ fields: - CommandLine falsepositives: - Legitimate use of net.exe utility by legitimate user -level: low +level: low diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_netcat_execution.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_netcat_execution.yml index 0e8c831ce..21f473896 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_netcat_execution.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_netcat_execution.yml @@ -6,7 +6,7 @@ date: 2021/07/21 modified: 2022/02/23 description: Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network references: - - https://nmap.org/ncat/ + - https://nmap.org/ncat/ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1095/T1095.md tags: - attack.command_and_control diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_netsh_fw_enable_group_rule.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_netsh_fw_enable_group_rule.yml index d42eda483..7ef17113c 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_netsh_fw_enable_group_rule.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_netsh_fw_enable_group_rule.yml @@ -27,4 +27,4 @@ falsepositives: level: medium tags: - attack.defense_evasion - - attack.t1562.004 \ No newline at end of file + - attack.t1562.004 diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_network_scan_loop.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_network_scan_loop.yml index 10d445ccc..7453ff803 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_network_scan_loop.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_network_scan_loop.yml @@ -13,11 +13,11 @@ logsource: product: windows detection: selection_loop: - CommandLine|contains: + CommandLine|contains: - 'for ' - 'foreach ' selection_tools: - CommandLine|contains: + CommandLine|contains: - 'nslookup' - 'ping' condition: all of selection_* diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_non_interactive_powershell.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_non_interactive_powershell.yml index c772b686b..9261c196c 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_non_interactive_powershell.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_non_interactive_powershell.yml @@ -17,7 +17,7 @@ detection: selection: Image|endswith: '\powershell.exe' filter: - ParentImage|endswith: + ParentImage|endswith: - '\explorer.exe' - '\CompatTelRunner.exe' condition: selection and not filter diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_outlook_shell.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_outlook_shell.yml index 789858b24..79c7db19b 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_outlook_shell.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_outlook_shell.yml @@ -40,7 +40,7 @@ detection: - '\msbuild.exe' # https://github.com/elastic/detection-rules/blob/main/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml - '\msdt.exe' # CVE-2022-30190 - # Several FPs with rundll32.exe - we started excluding specific use cases and + # Several FPs with rundll32.exe - we started excluding specific use cases and # ended commenting out all rundll32.exe sub processes #filter_outlook_photoviewer: # https://twitter.com/Luke_Hamp/status/1495919717760237568 diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_pingback_backdoor.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_pingback_backdoor.yml index bb111e313..8dd9fad21 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_pingback_backdoor.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_pingback_backdoor.yml @@ -25,4 +25,4 @@ detection: condition: selection falsepositives: - Very unlikely -level: high \ No newline at end of file +level: high diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_powershell_defender_disable_feature.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_powershell_defender_disable_feature.yml index 2342152ff..afc8a8bd3 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_powershell_defender_disable_feature.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_powershell_defender_disable_feature.yml @@ -17,7 +17,7 @@ logsource: product: windows detection: selection1: - CommandLine|contains: + CommandLine|contains: - 'Add-MpPreference ' - 'Set-MpPreference ' selection2: diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_powershell_public_folder.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_powershell_public_folder.yml index c4351ed3b..367a2d1d5 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_powershell_public_folder.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_powershell_public_folder.yml @@ -12,7 +12,7 @@ logsource: detection: selection: Image|endswith: '\powershell.exe' - CommandLine|contains: + CommandLine|contains: - '-f C:\Users\Public' - '-f "C:\Users\Public' - '-f %Public%' diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_proc_dump_createdump.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_proc_dump_createdump.yml index 2c86cf79d..aabd6844d 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_proc_dump_createdump.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_proc_dump_createdump.yml @@ -1,6 +1,6 @@ title: CreateDump Process Dump id: 515c8be5-e5df-4c5e-8f6d-a4a2f05e4b48 -description: Detects uses of the createdump.exe LOLOBIN utility to dump process memory +description: Detects uses of the createdump.exe LOLOBIN utility to dump process memory status: experimental references: - https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/ diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_proc_dump_rdrleakdiag.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_proc_dump_rdrleakdiag.yml index abb3d0378..2cbc426a3 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_proc_dump_rdrleakdiag.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_proc_dump_rdrleakdiag.yml @@ -1,6 +1,6 @@ title: RdrLeakDiag Process Dump id: 6355a919-2e97-4285-a673-74645566340d -description: Detects uses of the rdrleakdiag.exe LOLOBIN utility to dump process memory +description: Detects uses of the rdrleakdiag.exe LOLOBIN utility to dump process memory status: experimental references: - https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/ diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_proc_dump_susp_dumpminitool.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_proc_dump_susp_dumpminitool.yml index 49ce2e9e4..75550dc0d 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_proc_dump_susp_dumpminitool.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_proc_dump_susp_dumpminitool.yml @@ -1,6 +1,6 @@ title: Suspicious DumpMinitool Usage id: eb1c4225-1c23-4241-8dd4-051389fde4ce -description: Detects suspicious ways to use of a Visual Studio bundled tool named DumpMinitool.exe +description: Detects suspicious ways to use of a Visual Studio bundled tool named DumpMinitool.exe status: experimental references: - https://twitter.com/mrd0x/status/1511415432888131586 @@ -19,13 +19,13 @@ detection: - Image|endswith: '\DumpMinitool.exe' - OriginalName: 'DumpMinitool.exe' filter_folder: - Image|contains: + Image|contains: - '\Microsoft Visual Studio\' - '\Extensions\' # https://github.com/microsoft/vstest/blob/main/src/package/nuspec/Microsoft.TestPlatform.Portable.nuspec#L159 susp_flags: CommandLine|contains: '.txt' cmd_has_flags: - CommandLine|contains: ' Full' + CommandLine|contains: ' Full' filter_cmd_misses_flags: CommandLine|contains: '--dumpType' condition: selection and ( ( not filter_folder ) or susp_flags or ( cmd_has_flags and not filter_cmd_misses_flags ) ) diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_proc_wrong_parent.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_proc_wrong_parent.yml index 438d33ed7..529008b0a 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_proc_wrong_parent.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_proc_wrong_parent.yml @@ -26,7 +26,7 @@ detection: - '\wininit.exe' - '\winlogon.exe' filter_sys: - - ParentImage|endswith: + - ParentImage|endswith: - '\SavService.exe' - '\ngen.exe' - ParentImage|contains: @@ -47,4 +47,4 @@ level: low tags: - attack.defense_evasion - attack.t1036.003 - - attack.t1036.005 \ No newline at end of file + - attack.t1036.005 diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_process_dump_rdrleakdiag.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_process_dump_rdrleakdiag.yml index 96687d496..2bd1fb2f2 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_process_dump_rdrleakdiag.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_process_dump_rdrleakdiag.yml @@ -1,5 +1,5 @@ title: Process Dump via RdrLeakDiag.exe -id: edadb1e5-5919-4e4c-8462-a9e643b02c4b +id: edadb1e5-5919-4e4c-8462-a9e643b02c4b description: Detects a process memory dump performed by RdrLeakDiag.exe status: experimental level: high @@ -18,5 +18,5 @@ detection: OriginalFileName: RdrLeakDiag.exe CommandLine|contains: fullmemdmp condition: selection -falsepositives: +falsepositives: - Unknown diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_process_dump_rundll32_comsvcs.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_process_dump_rundll32_comsvcs.yml index 9bacedfbd..7c6584b38 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_process_dump_rundll32_comsvcs.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_process_dump_rundll32_comsvcs.yml @@ -20,7 +20,7 @@ logsource: product: windows detection: selection_comsvcs: - CommandLine|contains: + CommandLine|contains: - 'comsvcs.dll' - 'rundll32' - '.dmp' diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_protocolhandler_susp_file.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_protocolhandler_susp_file.yml index 9cd29abb4..9cf8b2fa7 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_protocolhandler_susp_file.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_protocolhandler_susp_file.yml @@ -18,7 +18,7 @@ detection: CommandLine|contains|all: - '"ms-word' - '.docx"' - condition: selection + condition: selection fields: - ComputerName - User diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_public_folder_parent.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_public_folder_parent.yml index eda2ef47b..fae149933 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_public_folder_parent.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_public_folder_parent.yml @@ -12,7 +12,7 @@ logsource: detection: selection: ParentImage|startswith: 'C:\Users\Public\' - CommandLine|contains: + CommandLine|contains: - 'powershell' - 'cmd.exe /c ' - 'cmd /c ' diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_purplesharp_indicators.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_purplesharp_indicators.yml index 987211efa..1fcf82b53 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_purplesharp_indicators.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_purplesharp_indicators.yml @@ -23,4 +23,4 @@ falsepositives: level: critical tags: - attack.t1587 - - attack.resource_development \ No newline at end of file + - attack.resource_development diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_pypykatz.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_pypykatz.yml index 3fd5ac17d..f081e6c49 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_pypykatz.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_pypykatz.yml @@ -24,4 +24,4 @@ falsepositives: level: high tags: - attack.credential_access - - attack.t1003.002 \ No newline at end of file + - attack.t1003.002 diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_python_pty_spawn.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_python_pty_spawn.yml index 7c99f0283..5642cdece 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_python_pty_spawn.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_python_pty_spawn.yml @@ -27,4 +27,4 @@ detection: condition: selection_image and 1 of selection_cli* falsepositives: - Unknown -level: high \ No newline at end of file +level: high diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_reg_add_run_key.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_reg_add_run_key.yml index ef9ededa7..b7f7e0c8e 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_reg_add_run_key.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_reg_add_run_key.yml @@ -12,7 +12,7 @@ logsource: product: windows detection: selection: - CommandLine|contains|all: + CommandLine|contains|all: - 'reg' - ' ADD ' - 'Software\Microsoft\Windows\CurrentVersion\Run' @@ -22,4 +22,4 @@ falsepositives: level: medium tags: - attack.persistence - - attack.t1547.001 \ No newline at end of file + - attack.t1547.001 diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_reg_defender_exclusion.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_reg_defender_exclusion.yml index 48e1577e4..edc9994c5 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_reg_defender_exclusion.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_reg_defender_exclusion.yml @@ -29,4 +29,4 @@ falsepositives: level: medium tags: - attack.defense_evasion - - attack.t1562.001 + - attack.t1562.001 diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_reg_enable_rdp.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_reg_enable_rdp.yml index 7b56642af..e055c07b6 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_reg_enable_rdp.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_reg_enable_rdp.yml @@ -1,7 +1,7 @@ title: Enabling RDP Service via Reg.exe id: 0d5675be-bc88-4172-86d3-1e96a4476536 status: experimental -description: Detects the execution of reg.exe and subsequent command line arguments for enabling RDP service on the host +description: Detects the execution of reg.exe and subsequent command line arguments for enabling RDP service on the host author: '@Kostastsale, @TheDFIRReport, slightly modified by pH-T' references: - https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/ diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_reg_service_imagepath_change.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_reg_service_imagepath_change.yml index 0cff37fc3..6305e59cc 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_reg_service_imagepath_change.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_reg_service_imagepath_change.yml @@ -30,4 +30,4 @@ falsepositives: level: medium tags: - attack.persistence - - attack.t1574.011 \ No newline at end of file + - attack.t1574.011 diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_regini.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_regini.yml index c8ce2752f..20c482457 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_regini.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_regini.yml @@ -27,4 +27,4 @@ fields: - CommandLine falsepositives: - Legitimate modification of keys -level: low \ No newline at end of file +level: low diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_regini_ads.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_regini_ads.yml index 4541b899f..a59b4e9ea 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_regini_ads.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_regini_ads.yml @@ -27,4 +27,4 @@ fields: - CommandLine falsepositives: - Unknown -level: high \ No newline at end of file +level: high diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_remove_windows_defender_definition_files.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_remove_windows_defender_definition_files.yml index 86fe6b6cc..a23433dd1 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_remove_windows_defender_definition_files.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_remove_windows_defender_definition_files.yml @@ -19,7 +19,7 @@ detection: CommandLine|contains|all: - ' -RemoveDefinitions' - ' -All' - condition: selection + condition: selection fields: - ComputerName - User diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_renamed_browsercore.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_renamed_browsercore.yml index 7aafd7fa7..44e963fda 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_renamed_browsercore.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_renamed_browsercore.yml @@ -20,4 +20,4 @@ detection: condition: selection and not 1 of filter* falsepositives: - Unknown -level: high \ No newline at end of file +level: high diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_root_certificate_installed.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_root_certificate_installed.yml index 8cfbde408..bceec686f 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_root_certificate_installed.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_root_certificate_installed.yml @@ -19,7 +19,7 @@ logsource: detection: selection1: Image|endswith: '\certutil.exe' # Example: certutil -addstore -f -user ROOT CertificateFileName.der - CommandLine|contains|all: + CommandLine|contains|all: - '-addstore' - 'root' selection2: @@ -30,4 +30,4 @@ detection: condition: selection1 or selection2 level: medium falsepositives: - - Help Desk or IT may need to manually add a corporate Root CA on occasion. Need to test if GPO push doesn't trigger FP \ No newline at end of file + - Help Desk or IT may need to manually add a corporate Root CA on occasion. Need to test if GPO push doesn't trigger FP diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_run_from_zip.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_run_from_zip.yml index cca0a3e26..fc3791c26 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_run_from_zip.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_run_from_zip.yml @@ -18,4 +18,4 @@ falsepositives: level: medium tags: - attack.impact - - attack.t1485 \ No newline at end of file + - attack.t1485 diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_run_virtualbox.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_run_virtualbox.yml index 20c4e94b9..3c38dbceb 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_run_virtualbox.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_run_virtualbox.yml @@ -18,7 +18,7 @@ logsource: product: windows detection: selection_1: - CommandLine|contains: + CommandLine|contains: - 'VBoxRT.dll,RTR3Init' - 'VBoxC.dll' - 'VBoxDrv.sys' diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_rundll32_not_from_c_drive.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_rundll32_not_from_c_drive.yml index ccb3294ad..c4aa4da56 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_rundll32_not_from_c_drive.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_rundll32_not_from_c_drive.yml @@ -5,7 +5,7 @@ description: Detects rundll32.exe executing from an abnormal drive such as a mou author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io' date: 2022/01/25 modified: 2022/02/14 -references: +references: - https://thedfirreport.com/2021/12/13/diavol-ransomware/ tags: - attack.t1218.001 @@ -15,7 +15,7 @@ logsource: detection: selection: Image|endswith: '\rundll32.exe' - filter: + filter: - CurrentDirectory|contains: 'C:\' - CurrentDirectory: '' filter_null: diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_rundll32_parent_explorer.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_rundll32_parent_explorer.yml index 22ca470aa..5dfcdc7f4 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_rundll32_parent_explorer.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_rundll32_parent_explorer.yml @@ -23,4 +23,4 @@ falsepositives: - Unknown level: medium tags: - - attack.defense_evasion \ No newline at end of file + - attack.defense_evasion diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_rundll32_registered_com_objects.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_rundll32_registered_com_objects.yml index 48dc6b8a8..d94dca336 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_rundll32_registered_com_objects.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_rundll32_registered_com_objects.yml @@ -1,7 +1,7 @@ title: Rundll32 Registered COM Objects id: f1edd233-30b5-4823-9e6a-c4171b24d316 status: experimental -description: load malicious registered COM objects +description: load malicious registered COM objects references: - https://nasbench.medium.com/a-deep-dive-into-rundll32-exe-642344b41e90 - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.015/T1546.015.md diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_schtasks_appdata_local_system.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_schtasks_appdata_local_system.yml index a0b203ea0..c42f1058c 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_schtasks_appdata_local_system.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_schtasks_appdata_local_system.yml @@ -3,7 +3,7 @@ id: c5c00f49-b3f9-45a6-997e-cfdecc6e1967 status: experimental description: 'Detects the creation of a schtask that executes a file from C:\Users\\AppData\Local' author: 'pH-T' -references: +references: - https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/ date: 2022/03/15 logsource: diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_schtasks_reg_loader.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_schtasks_reg_loader.yml index 137c87fb9..18efe706d 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_schtasks_reg_loader.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_schtasks_reg_loader.yml @@ -3,7 +3,7 @@ id: c4eeeeae-89f4-43a7-8b48-8d1bdfa66c78 status: experimental description: Detects the creation of a schtask that executes a base64 encoded payload stored in the Windows Registry using PowerShell. author: '@Kostastsale, @TheDFIRReport, slightly modified by pH-T' -references: +references: - https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/ date: 2022/02/12 modified: 2022/03/15 diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_screenconnect.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_screenconnect.yml index 446bee5d3..411f6ea0c 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_screenconnect.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_screenconnect.yml @@ -4,7 +4,7 @@ status: experimental description: | An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. - Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land) + Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land) references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1219/T1219.md#atomic-test-5---screenconnect-application-download-and-install-on-windows author: frack113 diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_silenttrinity_stage_use.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_silenttrinity_stage_use.yml index 8cb212b0f..37f1a9e4d 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_silenttrinity_stage_use.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_silenttrinity_stage_use.yml @@ -19,4 +19,4 @@ detection: condition: selection falsepositives: - Unknown -level: high \ No newline at end of file +level: high diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_software_discovery.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_software_discovery.yml index 7e296e62d..116cd4794 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_software_discovery.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_software_discovery.yml @@ -28,4 +28,4 @@ detection: condition: selection level: medium falsepositives: - - Legitimate administration activities \ No newline at end of file + - Legitimate administration activities diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_sqlcmd_veeam_dump.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_sqlcmd_veeam_dump.yml index 897fde0bb..8d1d9a5b3 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_sqlcmd_veeam_dump.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_sqlcmd_veeam_dump.yml @@ -3,7 +3,7 @@ id: b57ba453-b384-4ab9-9f40-1038086b4e53 status: experimental author: frack113 date: 2021/12/20 -description: Detects dump of credentials in VeeamBackup dbo +description: Detects dump of credentials in VeeamBackup dbo references: - https://thedfirreport.com/2021/12/13/diavol-ransomware/ - https://forums.veeam.com/veeam-backup-replication-f2/recover-esxi-password-in-veeam-t34630.html diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_stickykey_like_backdoor.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_stickykey_like_backdoor.yml index 38423a777..4d88c7bd3 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_stickykey_like_backdoor.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_stickykey_like_backdoor.yml @@ -34,4 +34,4 @@ detection: condition: selection_process falsepositives: - Unlikely -level: critical \ No newline at end of file +level: critical diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_sus_auditpol_usage.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_sus_auditpol_usage.yml index 2eeba8dcf..88c8d0dbc 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_sus_auditpol_usage.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_sus_auditpol_usage.yml @@ -1,6 +1,6 @@ -title: Suspicious Auditpol Usage +title: Suspicious Auditpol Usage id: 0a13e132-651d-11eb-ae93-0242ac130002 -description: Threat actors can use auditpol binary to change audit policy configuration to impair detection capability. This can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor. +description: Threat actors can use auditpol binary to change audit policy configuration to impair detection capability. This can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor. status: experimental author: Janantha Marasinghe (https://github.com/blueteam0ps) references: @@ -18,7 +18,7 @@ detection: selection_auditpol_binary: Image|endswith: '\auditpol.exe' selection_auditpol_command: - CommandLine|contains: + CommandLine|contains: - 'disable' # disables a specific audit policy - 'clear' # delete or clears audit policy - 'remove' # removes an audit policy diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_ad_reco.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_ad_reco.yml index 89f588498..b4d4e4fe0 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_ad_reco.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_ad_reco.yml @@ -25,4 +25,4 @@ falsepositives: level: low tags: - attack.discovery - - attack.t1069.001 \ No newline at end of file + - attack.t1069.001 diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_adfind.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_adfind.yml index 831fefe48..7512f1f64 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_adfind.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_adfind.yml @@ -1,7 +1,7 @@ title: Suspicious AdFind Execution id: 75df3b17-8bcc-4565-b89b-c9898acef911 status: experimental -description: Detects the execution of a AdFind for Active Directory enumeration +description: Detects the execution of a AdFind for Active Directory enumeration references: - https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx - https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/master/fin6/Emulation_Plan/Phase1.md diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_adfind_enumerate.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_adfind_enumerate.yml index b04dbd07e..d8f700180 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_adfind_enumerate.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_adfind_enumerate.yml @@ -1,7 +1,7 @@ title: Suspicious AdFind Enumerate id: 455b9d50-15a1-4b99-853f-8d37655a4c1b status: experimental -description: Detects the execution of a AdFind for enumeration +description: Detects the execution of a AdFind for enumeration references: - https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.002/T1087.002.md @@ -24,7 +24,7 @@ detection: - pwdhistorylength - pwdproperties test_6: #Enumerate Active Directory Admins - CommandLine|contains: '-sc admincountdmp' + CommandLine|contains: '-sc admincountdmp' test_8: #Enumerate Active Directory Exchange AD Objects CommandLine|contains: '-sc exchaddresses' condition: selection and 1 of test_* @@ -33,4 +33,4 @@ falsepositives: level: medium tags: - attack.discovery - - attack.t1087.002 \ No newline at end of file + - attack.t1087.002 diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_adidnsdump.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_adidnsdump.yml index 479f969a6..2b444e299 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_adidnsdump.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_adidnsdump.yml @@ -1,4 +1,4 @@ -title: Suspicious Execution of Adidnsdump +title: Suspicious Execution of Adidnsdump id: 26d3f0a2-f514-4a3f-a8a7-e7e48a8d9160 status: experimental description: | diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_advancedrun_priv_user.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_advancedrun_priv_user.yml index 30aa152ec..b60392f04 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_advancedrun_priv_user.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_advancedrun_priv_user.yml @@ -1,7 +1,7 @@ title: Suspicious AdvancedRun Runas Priv User id: fa00b701-44c6-4679-994d-5a18afa8a707 status: experimental -description: Detects the execution of AdvancedRun utitlity in the context of the TrustedInstaller, SYSTEM, Local Service or Network Service accounts +description: Detects the execution of AdvancedRun utitlity in the context of the TrustedInstaller, SYSTEM, Local Service or Network Service accounts references: - https://twitter.com/splinter_code/status/1483815103279603714 - https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3 @@ -19,12 +19,12 @@ detection: - '/EXEFilename' - '/CommandLine' selection_runas: - - CommandLine|contains: + - CommandLine|contains: - ' /RunAs 8 ' - ' /RunAs 4 ' - ' /RunAs 10 ' - ' /RunAs 11 ' - - CommandLine|endswith: + - CommandLine|endswith: - '/RunAs 8' - '/RunAs 4' - '/RunAs 10' diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_athremotefxvgpudisablementcommand.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_athremotefxvgpudisablementcommand.yml index 073b04bb3..1eadb9f0a 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_athremotefxvgpudisablementcommand.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_athremotefxvgpudisablementcommand.yml @@ -34,4 +34,4 @@ fields: - ParentCommandLine falsepositives: - Unknown -level: medium \ No newline at end of file +level: medium diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_base64_invoke.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_base64_invoke.yml index 4a1fc1312..073a8e99d 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_base64_invoke.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_base64_invoke.yml @@ -43,4 +43,4 @@ fields: - CommandLine falsepositives: - Unlikely -level: high \ No newline at end of file +level: high diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_bitstransfer.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_bitstransfer.yml index d64eb0441..dbf90dbf3 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_bitstransfer.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_bitstransfer.yml @@ -5,7 +5,7 @@ description: Detects transferring files from system on a server bitstransfer Pow references: - https://docs.microsoft.com/en-us/powershell/module/bitstransfer/add-bitsfile?view=windowsserver2019-ps tags: - - attack.exfiltration + - attack.exfiltration - attack.persistence - attack.t1197 date: 2021/08/19 @@ -15,11 +15,11 @@ logsource: product: windows detection: selection: - Image|endswith: + Image|endswith: - '\powershell.exe' - '\powershell_ise.exe' - '\pwsh.exe' - CommandLine|contains: + CommandLine|contains: - 'Get-BitsTransfer' - 'Add-BitsFile' condition: selection diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_char_in_cmd.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_char_in_cmd.yml index 75a8be92a..108da327a 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_char_in_cmd.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_char_in_cmd.yml @@ -1,7 +1,7 @@ title: Obfuscated Command Line Using Special Unicode Characters id: e0552b19-5a83-4222-b141-b36184bb8d79 status: experimental -description: Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. +description: Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. author: frack113 references: - https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation @@ -13,7 +13,7 @@ logsource: detection: selection: #find the sysmon event - CommandLine|contains: + CommandLine|contains: - 'â' - '€' - '£' @@ -27,4 +27,4 @@ falsepositives: level: high tags: - attack.defense_evasion - - attack.t1027 \ No newline at end of file + - attack.t1027 diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_cipher.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_cipher.yml index 0c0d63abc..f42064359 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_cipher.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_cipher.yml @@ -21,4 +21,4 @@ falsepositives: level: medium tags: - attack.impact - - attack.t1485 \ No newline at end of file + - attack.t1485 diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_cmd_shadowcopy_access.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_cmd_shadowcopy_access.yml index a03d6071b..89f409b05 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_cmd_shadowcopy_access.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_cmd_shadowcopy_access.yml @@ -19,4 +19,4 @@ falsepositives: level: medium tags: - attack.impact - - attack.t1490 \ No newline at end of file + - attack.t1490 diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_codepage_lookup.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_codepage_lookup.yml index c3e68b05b..7a167be95 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_codepage_lookup.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_codepage_lookup.yml @@ -16,7 +16,7 @@ detection: ParentImage|endswith: '\cmd.exe' ParentCommandLine|contains: ' /c ' Image|endswith: '\chcp.com' - CommandLine|endswith: + CommandLine|endswith: - 'chcp' - 'chcp ' - 'chcp ' diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_covenant.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_covenant.yml index e1c9bd854..cfc788414 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_covenant.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_covenant.yml @@ -32,4 +32,4 @@ tags: - attack.execution - attack.defense_evasion - attack.t1059.001 - - attack.t1564.003 \ No newline at end of file + - attack.t1564.003 diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_csi.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_csi.yml index d34670f50..6135c39be 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_csi.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_csi.yml @@ -1,4 +1,4 @@ -title: Suspicious Csi.exe Usage +title: Suspicious Csi.exe Usage id: 40b95d31-1afc-469e-8d34-9a3a667d058e description: Csi.exe is a signed binary from Microsoft that comes with Visual Studio and provides C# interactive capabilities. It can be used to run C# code from a file passed as a parameter in command line. Early version of this utility provided with Microsoft “Roslyn” Community Technology Preview was named 'rcsi.exe' status: experimental @@ -22,17 +22,17 @@ detection: basic: - Image|endswith: '\csi.exe' - Image|endswith: '\rcsi.exe' - renamed: + renamed: - OriginalFileName: 'csi.exe' - OriginalFileName: 'rcsi.exe' - selection: + selection: Company: 'Microsoft Corporation' condition: (basic or renamed) and selection fields: - ComputerName - User - CommandLine - - ParentCommandLine + - ParentCommandLine falsepositives: - - Legitimate usage by software developers + - Legitimate usage by software developers level: medium diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_del.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_del.yml index c065e0976..ff006662d 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_del.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_del.yml @@ -8,7 +8,7 @@ references: - https://www.joesandbox.com/analysis/509330/0/html#1044F3BDBE3BB6F734E357235F4D5898582D tags: - attack.defense_evasion - - attack.t1070.004 + - attack.t1070.004 logsource: category: process_creation product: windows @@ -23,7 +23,7 @@ detection: - 'del *.dll' - 'C:\ProgramData\' condition: susp_del_exe or susp_del_dll -#cmd.exe (PID: 1044 cmdline: 'C:\Windows\System32\cmd.exe' /c taskkill /im A8D4.exe /f & timeout /t 6 & del /f /q 'C:\Users\user~1\AppData\Local\Temp\A8D4.exe' & del C:\ProgramData\*.dll & exit +#cmd.exe (PID: 1044 cmdline: 'C:\Windows\System32\cmd.exe' /c taskkill /im A8D4.exe /f & timeout /t 6 & del /f /q 'C:\Users\user~1\AppData\Local\Temp\A8D4.exe' & del C:\ProgramData\*.dll & exit falsepositives: - Unknown level: medium diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_devinit_lolbin.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_devinit_lolbin.yml index 75afd1572..61030766e 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_devinit_lolbin.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_devinit_lolbin.yml @@ -15,10 +15,10 @@ logsource: product: windows detection: selection: - CommandLine|contains|all: + CommandLine|contains|all: - ' -t msi-install ' - ' -i http' condition: selection falsepositives: - Unknown -level: high \ No newline at end of file +level: high diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_devtoolslauncher.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_devtoolslauncher.yml index 9dfc4ab19..167441ed1 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_devtoolslauncher.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_devtoolslauncher.yml @@ -21,4 +21,4 @@ falsepositives: level: high tags: - attack.defense_evasion - - attack.t1218 + - attack.t1218 diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_dir.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_dir.yml index 81cd2e782..5fa80c212 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_dir.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_dir.yml @@ -21,4 +21,4 @@ falsepositives: level: low tags: - attack.discovery - - attack.t1217 \ No newline at end of file + - attack.t1217 diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_disable_eventlog.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_disable_eventlog.yml index 0d6f91371..f2e93c18e 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_disable_eventlog.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_disable_eventlog.yml @@ -9,7 +9,7 @@ tags: - attack.defense_evasion - attack.t1562.001 - attack.t1070.001 -author: Florian Roth +author: Florian Roth date: 2021/02/11 modified: 2021/12/02 logsource: diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_disable_raccine.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_disable_raccine.yml index 2f2336e35..e29ff857d 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_disable_raccine.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_disable_raccine.yml @@ -1,13 +1,13 @@ title: Raccine Uninstall id: a31eeaed-3fd5-478e-a8ba-e62c6b3f9ecc status: experimental -description: Detects commands that indicate a Raccine removal from an end system. Raccine is a free ransomware protection tool. +description: Detects commands that indicate a Raccine removal from an end system. Raccine is a free ransomware protection tool. references: - https://github.com/Neo23x0/Raccine tags: - attack.defense_evasion - attack.t1562.001 -author: Florian Roth +author: Florian Roth date: 2021/01/21 modified: 2021/07/14 logsource: diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_findstr_385201.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_findstr_385201.yml index e7fd6469d..ba1c7f4e2 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_findstr_385201.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_findstr_385201.yml @@ -19,4 +19,4 @@ falsepositives: level: high tags: - attack.discovery - - attack.t1518.001 \ No newline at end of file + - attack.t1518.001 diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_finger_usage.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_finger_usage.yml index e82c9ff8b..c84925073 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_finger_usage.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_finger_usage.yml @@ -20,4 +20,4 @@ detection: condition: selection falsepositives: - Admin activity (unclear what they do nowadays with finger.exe) -level: high \ No newline at end of file +level: high diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_firewall_disable.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_firewall_disable.yml index ebcb5e299..abf94646d 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_firewall_disable.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_firewall_disable.yml @@ -21,7 +21,7 @@ detection: - opmode - 'mode=disable' selection_2: - CommandLine|contains|all: + CommandLine|contains|all: - netsh - advfirewall - set diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_gpresult.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_gpresult.yml index 0c73ba0dc..adf81da73 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_gpresult.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_gpresult.yml @@ -5,7 +5,7 @@ description: Detects cases in which a user uses the built-in Windows utility gpr references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1615/T1615.md - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/gpresult - - https://unit42.paloaltonetworks.com/emissary-trojan-changelog-did-operation-lotus-blossom-cause-it-to-evolve/ + - https://unit42.paloaltonetworks.com/emissary-trojan-changelog-did-operation-lotus-blossom-cause-it-to-evolve/ - https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf author: frack113 date: 2022/05/01 @@ -18,7 +18,7 @@ detection: CommandLine|contains: - '/z' - '/v' - condition: selection + condition: selection falsepositives: - Unknown level: medium diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_hostname.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_hostname.yml index c2b6eccf7..49fb52c83 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_hostname.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_hostname.yml @@ -1,4 +1,4 @@ -title: Suspicious Execution of Hostname +title: Suspicious Execution of Hostname id: 7be5fb68-f9ef-476d-8b51-0256ebece19e status: experimental description: Use of hostname to get information diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_instalutil.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_instalutil.yml index d4ece5241..4a01fbe5f 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_instalutil.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_instalutil.yml @@ -1,4 +1,4 @@ -title: Suspicious Execution of InstallUtil Without Log +title: Suspicious Execution of InstallUtil Without Log id: d042284c-a296-4988-9be5-f424fadcc28c status: experimental description: Uses the .NET InstallUtil.exe application in order to execute image without log diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_machineguid.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_machineguid.yml index f5b113d91..48f3736aa 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_machineguid.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_machineguid.yml @@ -15,7 +15,7 @@ detection: CommandLine|contains|all: - 'SOFTWARE\Microsoft\Cryptography' - '/v ' - - 'MachineGuid' + - 'MachineGuid' condition: selection falsepositives: - Unknown diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_mpiexec_lolbin.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_mpiexec_lolbin.yml index efe15ece8..926748839 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_mpiexec_lolbin.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_mpiexec_lolbin.yml @@ -21,10 +21,10 @@ detection: - Imphash: 'd8b52ef6aaa3a81501bdfff9dbb96217' - Hashes|contains: 'IMPHASH=d8b52ef6aaa3a81501bdfff9dbb96217' selection_flags: - CommandLine|contains: + CommandLine|contains: - ' /n 1 ' - ' -n 1 ' condition: all of selection* falsepositives: - Unknown -level: high \ No newline at end of file +level: high diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_mshta_pattern.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_mshta_pattern.yml index 83266600c..18b283524 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_mshta_pattern.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_mshta_pattern.yml @@ -8,7 +8,7 @@ references: - https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/ tags: - attack.execution - - attack.t1106 + - attack.t1106 author: Florian Roth date: 2021/07/17 logsource: @@ -25,10 +25,10 @@ detection: - '\powershell.exe' # Suspicious folders selection2: - CommandLine|contains: + CommandLine|contains: - '\AppData\Local' - 'C:\Windows\Temp' - - 'C:\Users\Public' + - 'C:\Users\Public' # Suspicious Execution Locations filter3: Image|contains: @@ -36,10 +36,10 @@ detection: - 'C:\Windows\SysWOW64' # Suspicious extensions filter4: - CommandLine|contains: + CommandLine|contains: - '.htm' - '.hta' - CommandLine|endswith: + CommandLine|endswith: - 'mshta.exe' - 'mshta' condition: selection_base and ( selection1 or selection2 ) or ( selection_base and not filter3 ) or ( selection_base and not filter4 ) diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_net_use_password_plaintext.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_net_use_password_plaintext.yml index 76e390e19..741d2a37d 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_net_use_password_plaintext.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_net_use_password_plaintext.yml @@ -13,7 +13,7 @@ detection: selection1: Image: C:\Windows\System32\net.exe selection2: - CommandLine|contains|all: + CommandLine|contains|all: - 'net' - ' use ' - ':*\\' diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_network_listing_connections.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_network_listing_connections.yml index 279ff01f6..64d6195c1 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_network_listing_connections.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_network_listing_connections.yml @@ -1,7 +1,7 @@ title: Suspicious Listing of Network Connections id: 1c67a717-32ba-409b-a45d-0fb704a73a81 status: experimental -description: Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network. +description: Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network. references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1049/T1049.md#atomic-test-1---system-network-connections-discovery author: frack113 @@ -28,4 +28,4 @@ falsepositives: level: low tags: - attack.discovery - - attack.t1049 \ No newline at end of file + - attack.t1049 diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_nmap.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_nmap.yml index 28482d55f..6a2564354 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_nmap.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_nmap.yml @@ -13,10 +13,10 @@ logsource: detection: selection: OriginalFileName: nmap.exe - condition: selection + condition: selection falsepositives: - Network administator computeur level: high tags: - attack.discovery - - attack.t1046 \ No newline at end of file + - attack.t1046 diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_non_exe_image.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_non_exe_image.yml index d89582a80..9d7aba57e 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_non_exe_image.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_non_exe_image.yml @@ -86,4 +86,3 @@ detection: falsepositives: - Unknown level: high - diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_nt_resource_kit_auditpol_usage.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_nt_resource_kit_auditpol_usage.yml index fbb423399..53f8b708d 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_nt_resource_kit_auditpol_usage.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_nt_resource_kit_auditpol_usage.yml @@ -1,6 +1,6 @@ -title: Suspicious NT Resource Kit Auditpol Usage +title: Suspicious NT Resource Kit Auditpol Usage id: c6c56ada-612b-42d1-9a29-adad3c5c2c1e -description: Threat actors can use an older version of the auditpol binary available inside the NT resource kit to change audit policy configuration to impair detection capability. This can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor. +description: Threat actors can use an older version of the auditpol binary available inside the NT resource kit to change audit policy configuration to impair detection capability. This can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor. status: experimental author: Nasreddine Bencherchali @nas_bench references: diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_ntdll_type_redirect.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_ntdll_type_redirect.yml index 6369ab36d..dfadff5f2 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_ntdll_type_redirect.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_ntdll_type_redirect.yml @@ -6,7 +6,7 @@ references: - https://www.x86matthew.com/view_post?id=ntdll_pipe tags: - attack.defense_evasion -author: Florian Roth +author: Florian Roth date: 2022/03/05 logsource: category: process_creation diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_ntds.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_ntds.yml index 73f856eca..307aa72b4 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_ntds.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_ntds.yml @@ -4,7 +4,7 @@ description: Detects suspicious process patterns used in NTDS.DIT exfiltration status: experimental author: Florian Roth references: - - https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration + - https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration - https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/ - https://pentestlab.blog/tag/ntds-dit/ - https://github.com/samratashok/nishang/blob/master/Gather/Copy-VSS.ps1 @@ -20,7 +20,7 @@ logsource: detection: selection_tool: # https://github.com/zcgonvh/NTDSDumpEx - - Image|endswith: + - Image|endswith: - '\NTDSDump.exe' - '\NTDSDumpEx.exe' - CommandLine|contains|all: @@ -62,4 +62,4 @@ detection: condition: 1 of selection* or all of set1* falsepositives: - Unknown -level: high \ No newline at end of file +level: high diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_powershell_cmd_patterns.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_powershell_cmd_patterns.yml index 2da28f36c..994bbc3ae 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_powershell_cmd_patterns.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_powershell_cmd_patterns.yml @@ -15,7 +15,7 @@ logsource: detection: encoded: Image|endswith: '\powershell.exe' - CommandLine|contains: + CommandLine|contains: - ' -e ' - ' -en ' - ' -enc ' diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_powershell_sam_access.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_powershell_sam_access.yml index 830281b0b..1709d4bc9 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_powershell_sam_access.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_powershell_sam_access.yml @@ -15,7 +15,7 @@ logsource: product: windows detection: selection_1: - CommandLine|contains|all: + CommandLine|contains|all: - '\HarddiskVolumeShadowCopy' - 'ystem32\config\sam' selection_2: @@ -26,7 +26,7 @@ detection: - 'copy $_.' - '.File]::Copy(' condition: all of selection* -falsepositives: +falsepositives: - Some rare backup scenarios - PowerShell scripts fixing HiveNightmare / SeriousSAM ACLs level: high diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_pressynkey_lolbin.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_pressynkey_lolbin.yml index 13baad93e..6d24ff9f2 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_pressynkey_lolbin.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_pressynkey_lolbin.yml @@ -25,4 +25,4 @@ detection: falsepositives: - Other tools with the same command line flag combination - Legitimate uses as part of Visual Studio development -level: high \ No newline at end of file +level: high diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_psexex_paexec_escalate_system.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_psexex_paexec_escalate_system.yml index 1d194067c..fa2478c4c 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_psexex_paexec_escalate_system.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_psexex_paexec_escalate_system.yml @@ -20,10 +20,10 @@ detection: - 'PAExec' - 'accepteula' - 'cmd /c ' - condition: selection_supporting_flags and selection_cmd_to_system + condition: selection_supporting_flags and selection_cmd_to_system falsepositives: - - Admins that use PsExec or PAExec to escalate to the SYSTEM account for maintenance purposes (rare) + - Admins that use PsExec or PAExec to escalate to the SYSTEM account for maintenance purposes (rare) level: high tags: - attack.develop_capabilities - - attack.t1587.001 \ No newline at end of file + - attack.t1587.001 diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_psexex_paexec_flags.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_psexex_paexec_flags.yml index 972ce610d..132e57978 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_psexex_paexec_flags.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_psexex_paexec_flags.yml @@ -1,4 +1,4 @@ -title: PsExec/PAExec Flags +title: PsExec/PAExec Flags id: 207b0396-3689-42d9-8399-4222658efc99 status: experimental description: Detects suspicious flags used by PsExec and PAExec but no usual program name in command line @@ -14,7 +14,7 @@ logsource: product: windows detection: selection_flags_1: # Escalation to LOCAL_SYSTEM - CommandLine|endswith: + CommandLine|endswith: - ' -s cmd.exe' - ' -s -i cmd.exe' selection_flags_2: @@ -24,14 +24,14 @@ detection: - ' -p ' - ' \\' filter: - CommandLine|contains: + CommandLine|contains: - 'paexec' - 'PsExec' condition: ( selection_flags_1 or selection_flags_2 ) and not filter falsepositives: - Weird admins that rename their tools - - Software companies that bundle PsExec/PAExec with their software and rename it, so that it is less embarrassing + - Software companies that bundle PsExec/PAExec with their software and rename it, so that it is less embarrassing level: high tags: - attack.develop_capabilities - - attack.t1587.001 \ No newline at end of file + - attack.t1587.001 diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_rar_flags.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_rar_flags.yml index 28e8f04fa..671a957d9 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_rar_flags.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_rar_flags.yml @@ -1,4 +1,4 @@ -title: Rar Usage with Password and Compression Level +title: Rar Usage with Password and Compression Level id: faa48cae-6b25-4f00-a094-08947fef582f status: experimental description: Detects the use of rar.exe, on the command line, to create an archive with password protection or with a specific compression level. This is pretty indicative of malicious actions. @@ -26,4 +26,4 @@ detection: falsepositives: - Legitimate use of Winrar command line version - Other command line tools, that use these flags -level: high \ No newline at end of file +level: high diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_razorinstaller_explorer.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_razorinstaller_explorer.yml index 9e29faf26..aaf52a7e9 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_razorinstaller_explorer.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_razorinstaller_explorer.yml @@ -23,4 +23,4 @@ detection: condition: selection and not filter falsepositives: - User selecting a different installation folder (check for other sub processes of this explorer.exe process) -level: high \ No newline at end of file +level: high diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_rclone_execution.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_rclone_execution.yml index 9dfaab71a..1b7415fcf 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_rclone_execution.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_rclone_execution.yml @@ -1,8 +1,8 @@ title: Rclone Execution via Command Line or PowerShell -id: e37db05d-d1f9-49c8-b464-cee1a4b11638 +id: e37db05d-d1f9-49c8-b464-cee1a4b11638 related: - id: a0d63692-a531-4912-ad39-4393325b2a9c - type: obsoletes + type: obsoletes - id: cb7286ba-f207-44ab-b9e6-760d82b84253 type: obsoletes description: Detects execution of RClone utility for exfiltration as used by various ransomwares strains like REvil, Conti, FiveHands, etc diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_redir_local_admin_share.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_redir_local_admin_share.yml index 040477109..f91da6f4e 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_redir_local_admin_share.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_redir_local_admin_share.yml @@ -12,7 +12,7 @@ logsource: product: windows detection: selection: - CommandLine|contains: + CommandLine|contains: - '> \\\\127.0.0.1\\admin$' - '> \\\\localhost\\admin$' condition: selection diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_reg_open_command.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_reg_open_command.yml index d5231b3d5..2059613d5 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_reg_open_command.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_reg_open_command.yml @@ -21,7 +21,7 @@ detection: CommandLine|contains|all: - 'reg' - 'add' - - 'hkcu\software\classes\ms-settings\shell\open\command' + - 'hkcu\software\classes\ms-settings\shell\open\command' - '/v' - 'DelegateExecute' selection_3: diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_regedit_trustedinstaller.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_regedit_trustedinstaller.yml index b210e6045..46f8a0bb0 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_regedit_trustedinstaller.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_regedit_trustedinstaller.yml @@ -12,7 +12,7 @@ logsource: detection: selection: Image|endswith: '\regedit.exe' - ParentImage|endswith: + ParentImage|endswith: - '\TrustedInstaller.exe' - '\ProcessHacker.exe' condition: selection @@ -21,4 +21,4 @@ falsepositives: level: high tags: - attack.privilege_escalation - - attack.t1548 \ No newline at end of file + - attack.t1548 diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_regsvr32_http_pattern.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_regsvr32_http_pattern.yml index f7690358b..2f12c76eb 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_regsvr32_http_pattern.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_regsvr32_http_pattern.yml @@ -15,7 +15,7 @@ logsource: product: windows detection: selection_flags: - CommandLine|contains|all: + CommandLine|contains|all: - ' /s' - ' /u' selection_ip: @@ -32,4 +32,4 @@ detection: condition: all of selection* falsepositives: - FQDNs that start with a number -level: high \ No newline at end of file +level: high diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_regsvr32_image.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_regsvr32_image.yml index 28d587b80..146940354 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_regsvr32_image.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_regsvr32_image.yml @@ -7,7 +7,7 @@ references: - https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html tags: - attack.defense_evasion - - attack.t1218.010 + - attack.t1218.010 author: frack113 date: 2021/11/29 logsource: @@ -16,7 +16,7 @@ logsource: detection: selection: Image|endswith: '\regsvr32.exe' - CommandLine|endswith: '.jpg' # can add other + CommandLine|endswith: '.jpg' # can add other condition: selection falsepositives: - Unknown diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_regsvr32_no_dll.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_regsvr32_no_dll.yml index 5fd6ffc94..0d1c958eb 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_regsvr32_no_dll.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_regsvr32_no_dll.yml @@ -18,7 +18,7 @@ detection: selection: Image|endswith: '\regsvr32.exe' filter: - CommandLine|contains: + CommandLine|contains: - '.dll' - '.ocx' - '.cpl' diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_renamed_paexec.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_renamed_paexec.yml index 06c4680f6..2d75f71b0 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_renamed_paexec.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_renamed_paexec.yml @@ -16,14 +16,14 @@ detection: selection2: OriginalFileName: 'PAExec.exe' filter: - Image|endswith: + Image|endswith: - '\PAexec.exe' - '\paexec.exe' condition: ( selection1 or selection2 ) and not filter falsepositives: - Weird admins that rename their tools - - Software companies that bundle PAExec with their software and rename it, so that it is less embarrassing + - Software companies that bundle PAExec with their software and rename it, so that it is less embarrassing level: high tags: - - attack.defense_evasion - - attack.t1202 \ No newline at end of file + - attack.defense_evasion + - attack.t1202 diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_run_folder.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_run_folder.yml index d53ee33f4..65c3d22ba 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_run_folder.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_run_folder.yml @@ -17,7 +17,7 @@ detection: - '\Temp\' - '\Temporary Internet' filter_parent: - - ParentImage: + - ParentImage: - 'C:\Windows\System32\cleanmgr.exe' - 'C:\Program Files (x86)\Microsoft Visual Studio\Installer\resources\app\ServiceHub\Services\Microsoft.VisualStudio.Setup.Service\BackgroundDownload.exe' - 'C:\Windows\System32\dxgiadaptercache.exe' diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_rundll32_inline_vbs.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_rundll32_inline_vbs.yml index 7018898a6..5caaf7710 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_rundll32_inline_vbs.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_rundll32_inline_vbs.yml @@ -11,7 +11,7 @@ logsource: product: windows detection: selection: - CommandLine|contains|all: + CommandLine|contains|all: - 'rundll32.exe' - 'Execute' - 'RegRead' @@ -22,4 +22,4 @@ falsepositives: level: high tags: - attack.defense_evasion - - attack.t1055 \ No newline at end of file + - attack.t1055 diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_rundll32_js_runhtmlapplication.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_rundll32_js_runhtmlapplication.yml index dfef79f64..7348fff7a 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_rundll32_js_runhtmlapplication.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_rundll32_js_runhtmlapplication.yml @@ -23,4 +23,3 @@ detection: falsepositives: - Unknown level: high - diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_rundll32_keymgr.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_rundll32_keymgr.yml index bf9d1b0e9..619e4ec24 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_rundll32_keymgr.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_rundll32_keymgr.yml @@ -7,7 +7,7 @@ references: author: Florian Roth date: 2022/04/21 tags: - - attack.credential_access + - attack.credential_access - attack.t1555.004 logsource: category: process_creation diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_rundll32_no_params.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_rundll32_no_params.yml index b1a6486ae..867728a58 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_rundll32_no_params.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_rundll32_no_params.yml @@ -15,7 +15,7 @@ detection: filter1: ParentImage|endswith: '\svchost.exe' filter2: - ParentImage|contains: + ParentImage|contains: - '\AppData\Local\' - '\Microsoft\Edge\' condition: selection and not filter1 and not filter2 @@ -26,5 +26,5 @@ falsepositives: - Possible but rare level: high tags: - - attack.defense_evasion - - attack.t1202 \ No newline at end of file + - attack.defense_evasion + - attack.t1202 diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_rundll32_script_run.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_rundll32_script_run.yml index 746676b78..e283ab2e7 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_rundll32_script_run.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_rundll32_script_run.yml @@ -25,4 +25,4 @@ falsepositives: level: medium tags: - attack.defense_evasion - - attack.t1218.011 + - attack.t1218.011 diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_rundll32_user32_dll.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_rundll32_user32_dll.yml index 4dccc6f8a..67dc98497 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_rundll32_user32_dll.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_rundll32_user32_dll.yml @@ -14,7 +14,7 @@ detection: Image|endswith: '\rundll32.exe' ParentImage|endswith: '\cmd.exe' CommandLine|contains: 'user32.dll,' - selection_function: + selection_function: CommandLine|contains: 'LockWorkStation' condition: all of selection* fields: @@ -24,4 +24,4 @@ falsepositives: - Scritps or links on the user desktop used to lock the workstation instead of Windows+L or the menu option level: medium tags: - - attack.defense_evasion + - attack.defense_evasion diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_schtask_creation_temp_folder.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_schtask_creation_temp_folder.yml index 65fda53ba..03ad8b432 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_schtask_creation_temp_folder.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_schtask_creation_temp_folder.yml @@ -12,7 +12,7 @@ logsource: detection: selection: Image|endswith: '\schtasks.exe' - CommandLine|contains|all: + CommandLine|contains|all: - ' /create ' - ' /sc once ' - '\Temp\' diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_schtasks_disable.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_schtasks_disable.yml index 394bb15fe..42bebe751 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_schtasks_disable.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_schtasks_disable.yml @@ -12,13 +12,13 @@ logsource: detection: schtasks_exe: Image|endswith: \schtasks.exe - CommandLine|contains|all: + CommandLine|contains|all: - /Change - /TN - /disable - #split to add other + #split to add other schtasks_name: - CommandLine|contains: '\Microsoft\Windows\SystemRestore\SR' + CommandLine|contains: '\Microsoft\Windows\SystemRestore\SR' condition: all of schtasks_* falsepositives: - Unknown diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_schtasks_env_folder.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_schtasks_env_folder.yml index 6d9b0e34e..16169d293 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_schtasks_env_folder.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_schtasks_env_folder.yml @@ -7,7 +7,7 @@ references: - https://www.joesandbox.com/analysis/514608/0/html#324415FF7D8324231381BAD48A052F85DF04 tags: - attack.execution - - attack.t1053.005 + - attack.t1053.005 author: Florian Roth date: 2022/02/21 modified: 2022/03/11 diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_schtasks_folder_combos.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_schtasks_folder_combos.yml index ac588817b..276f358ef 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_schtasks_folder_combos.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_schtasks_folder_combos.yml @@ -6,7 +6,7 @@ references: - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lazarus-dream-job-chemical tags: - attack.execution - - attack.t1053.005 + - attack.t1053.005 author: Florian Roth date: 2022/04/15 logsource: @@ -17,12 +17,12 @@ detection: Image|endswith: '\schtasks.exe' CommandLine|contains: ' /create ' selection_command: - CommandLine|contains: + CommandLine|contains: - 'powershell' - 'cmd /c ' - 'cmd.exe /c ' selection1_all_folders: - CommandLine|contains: + CommandLine|contains: - 'C:\ProgramData\' - '%ProgramData%' condition: all of selection* diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_schtasks_user_temp.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_schtasks_user_temp.yml index 57497150c..7ae9ac3bd 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_schtasks_user_temp.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_schtasks_user_temp.yml @@ -1,4 +1,4 @@ -title: Suspicious Add Scheduled Task From User AppData Temp +title: Suspicious Add Scheduled Task From User AppData Temp id: 43f487f0-755f-4c2a-bce7-d6d2eec2fcf8 description: schtasks.exe create task from user AppData\Local\Temp status: experimental diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_screenconnect_access.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_screenconnect_access.yml index d146d9dca..a4f02fda3 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_screenconnect_access.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_screenconnect_access.yml @@ -4,7 +4,7 @@ status: experimental description: Detects ScreenConnect program starts that establish a remote access to that system (not meeting, not remote support) references: - https://www.anomali.com/blog/probable-iranian-cyber-actors-static-kitten-conducting-cyberespionage-campaign-targeting-uae-and-kuwait-government-agencies -author: Florian Roth +author: Florian Roth date: 2021/02/11 logsource: category: process_creation @@ -22,5 +22,5 @@ falsepositives: - Legitimate use by administrative staff level: high tags: - - attack.initial_access - - attack.t1133 \ No newline at end of file + - attack.initial_access + - attack.t1133 diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_screensaver_reg.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_screensaver_reg.yml index 27fc22b0d..e1edd3d4d 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_screensaver_reg.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_screensaver_reg.yml @@ -1,4 +1,4 @@ -title: Suspicious ScreenSave Change by Reg.exe +title: Suspicious ScreenSave Change by Reg.exe id: 0fc35fc3-efe6-4898-8a37-0b233339524f status: experimental author: frack113 @@ -50,4 +50,4 @@ detection: condition: selection_reg and 1 of selection_option_* falsepositives: - GPO -level: medium \ No newline at end of file +level: medium diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_script_exec_from_env_folder.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_script_exec_from_env_folder.yml index 8ac20c618..6aee99e26 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_script_exec_from_env_folder.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_script_exec_from_env_folder.yml @@ -34,7 +34,7 @@ detection: - 'cscript.exe' - 'cmd.exe' folders: - Image|contains: + Image|contains: - '\Windows\Temp' - '\Temporary Internet' - '\AppData\Local\Temp' diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_script_exec_from_temp.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_script_exec_from_temp.yml index fa3b379c8..fab55fe05 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_script_exec_from_temp.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_script_exec_from_temp.yml @@ -20,7 +20,7 @@ detection: - '\mshta.exe' - '\wscript.exe' - '\cscript.exe' - CommandLine|contains: + CommandLine|contains: - '\Windows\Temp' - '\Temporary Internet' - '\AppData\Local\Temp' @@ -29,7 +29,7 @@ detection: - '%TMP%' - '%LocalAppData%\Temp' filter: - CommandLine|contains: + CommandLine|contains: - ' >' - 'Out-File' - 'ConvertTo-Json' diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_script_execution.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_script_execution.yml index 9b011d35f..073315698 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_script_execution.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_script_execution.yml @@ -29,4 +29,3 @@ tags: - attack.execution - attack.t1059.005 - attack.t1059.007 - diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_service_dir.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_service_dir.yml index f435334e9..0702c4ae9 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_service_dir.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_service_dir.yml @@ -11,13 +11,13 @@ logsource: product: windows detection: selection: - Image|contains: + Image|contains: - '\Users\Public\' - '\$Recycle.bin' - '\Users\All Users\' - '\Users\Default\' - '\Users\Contacts\' - - '\Users\Searches\' + - '\Users\Searches\' - 'C:\Perflogs\' - '\config\systemprofile\' - '\Windows\Fonts\' @@ -31,5 +31,5 @@ falsepositives: - Unknown level: high tags: - - attack.defense_evasion - - attack.t1202 \ No newline at end of file + - attack.defense_evasion + - attack.t1202 diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_service_modification.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_service_modification.yml index dbc592b76..4d80a6f19 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_service_modification.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_service_modification.yml @@ -23,7 +23,7 @@ detection: - ' McAfeeDLPAgentService' - ' Trend Micro Deep Security Manager' - ' TMBMServer' - # Feel free to add more service name + # Feel free to add more service name condition: all of selection* fields: - ComputerName diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_servu_exploitation_cve_2021_35211.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_servu_exploitation_cve_2021_35211.yml index 25032789c..2440ff83a 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_servu_exploitation_cve_2021_35211.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_servu_exploitation_cve_2021_35211.yml @@ -1,7 +1,7 @@ title: Serv-U Exploitation CVE-2021-35211 by DEV-0322 id: 75578840-9526-4b2a-9462-af469a45e767 status: experimental -description: Detects patterns as noticed in exploitation of Serv-U CVE-2021-35211 vulnerability by threat group DEV-0322 +description: Detects patterns as noticed in exploitation of Serv-U CVE-2021-35211 vulnerability by threat group DEV-0322 author: Florian Roth date: 2021/07/14 references: diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_servu_process_pattern.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_servu_process_pattern.yml index 9e057ebfc..b3e728136 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_servu_process_pattern.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_servu_process_pattern.yml @@ -11,7 +11,7 @@ logsource: product: windows tags: - attack.credential_access - - attack.t1555 + - attack.t1555 - cve.2021.35211 detection: selection: diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_sharpview.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_sharpview.yml index 34ff6cca7..cfe78a138 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_sharpview.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_sharpview.yml @@ -1,4 +1,4 @@ -title: Suspicious Execution of SharpView Aka PowerView +title: Suspicious Execution of SharpView Aka PowerView id: b2317cfa-4a47-4ead-b3ff-297438c0bc2d status: experimental description: Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems @@ -152,4 +152,4 @@ tags: - attack.t1069.002 - attack.t1482 - attack.t1135 - - attack.t1033 \ No newline at end of file + - attack.t1033 diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_shutdown.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_shutdown.yml index 0ae38fb87..05fa8106c 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_shutdown.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_shutdown.yml @@ -1,7 +1,7 @@ -title: Suspicious Execution of Shutdown +title: Suspicious Execution of Shutdown id: 34ebb878-1b15-4895-b352-ca2eeb99b274 status: experimental -description: Use of the commandline to shutdown or reboot windows +description: Use of the commandline to shutdown or reboot windows author: frack113 references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1529/T1529.md @@ -13,8 +13,8 @@ logsource: detection: selection: Image|endswith: \shutdown.exe - CommandLine|contains: - - '/r ' + CommandLine|contains: + - '/r ' - '/s ' condition: selection falsepositives: diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_splwow64.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_splwow64.yml index 92bb4848c..91f76524f 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_splwow64.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_splwow64.yml @@ -19,5 +19,5 @@ falsepositives: - Unknown level: high tags: - - attack.defense_evasion - - attack.t1202 \ No newline at end of file + - attack.defense_evasion + - attack.t1202 diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_spoolsv_child_processes.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_spoolsv_child_processes.yml index cf2c22f48..113c0103c 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_spoolsv_child_processes.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_spoolsv_child_processes.yml @@ -78,4 +78,4 @@ fields: - CommandLine falsepositives: - Unknown -level: high \ No newline at end of file +level: high diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_squirrel_lolbin.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_squirrel_lolbin.yml index 797350510..93ecbe42c 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_squirrel_lolbin.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_squirrel_lolbin.yml @@ -63,4 +63,4 @@ falsepositives: - Gitkraken - Slack - Teams -level: medium \ No newline at end of file +level: medium diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_system_user_anomaly.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_system_user_anomaly.yml index 6c8d7a93a..4da12b0b0 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_system_user_anomaly.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_system_user_anomaly.yml @@ -62,7 +62,7 @@ detection: - 'token::' #Mimikatz - 'vault::cred' #Mimikatz - 'vault::list' #Mimikatz - - ' p::d ' # Mimikatz + - ' p::d ' # Mimikatz - ';iex(' # PowerShell IEX - 'MiniDump' # Process dumping method apart from procdump - 'net user ' diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_systeminfo.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_systeminfo.yml index 814f9e17a..adb410b5f 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_systeminfo.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_systeminfo.yml @@ -1,4 +1,4 @@ -title: Suspicious Execution of Systeminfo +title: Suspicious Execution of Systeminfo id: 0ef56343-059e-4cb6-adc1-4c3c967c5e46 status: experimental description: Use of systeminfo to get information diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_takeown.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_takeown.yml index 962297b44..5fed6efa6 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_takeown.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_takeown.yml @@ -1,4 +1,4 @@ -title: Suspicious Recursif Takeown +title: Suspicious Recursif Takeown id: 554601fb-9b71-4bcc-abf4-21a611be4fde status: experimental description: Adversaries can interact with the DACLs using built-in Windows commands takeown which can grant adversaries higher permissions on specific files and folders diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_use_of_vsjitdebugger_bin.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_use_of_vsjitdebugger_bin.yml index 2b71b9c66..9b16b2985 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_use_of_vsjitdebugger_bin.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_use_of_vsjitdebugger_bin.yml @@ -26,4 +26,3 @@ detection: falsepositives: - The process spawned by vsjitdebugger.exe is uncommon. level: medium - diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_userinit_child.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_userinit_child.yml index b286838b9..785cd57d8 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_userinit_child.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_userinit_child.yml @@ -27,4 +27,4 @@ falsepositives: level: medium tags: - attack.defense_evasion - - attack.t1055 \ No newline at end of file + - attack.t1055 diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_vaultcmd.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_vaultcmd.yml index 03e4273c5..9552c6bc5 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_vaultcmd.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_vaultcmd.yml @@ -1,7 +1,7 @@ title: Windows Credential Manager Access via VaultCmd id: 58f50261-c53b-4c88-bd12-1d71f12eda4c status: experimental -description: List credentials currently stored in Windows Credential Manager via the native Windows utility vaultcmd.exe +description: List credentials currently stored in Windows Credential Manager via the native Windows utility vaultcmd.exe author: frack113 date: 2022/04/08 modified: 2022/05/13 diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_vbscript_unc2452.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_vbscript_unc2452.yml index cc1721cc0..4e1d52901 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_vbscript_unc2452.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_vbscript_unc2452.yml @@ -25,4 +25,4 @@ falsepositives: level: high tags: - attack.persistence - - attack.t1547.001 \ No newline at end of file + - attack.t1547.001 diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_volsnap_disable.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_volsnap_disable.yml index 416b8f301..20a1c76e9 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_volsnap_disable.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_volsnap_disable.yml @@ -17,7 +17,7 @@ detection: CommandLine|contains|all: - 'reg' - ' add ' - - '\Services\VSS\Diag' + - '\Services\VSS\Diag' - '/d Disabled' condition: selection falsepositives: diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_web_request_cmd.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_web_request_cmd.yml index ef3327d7d..e1311e134 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_web_request_cmd.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_web_request_cmd.yml @@ -26,4 +26,4 @@ detection: condition: selection falsepositives: - Use of Get-Command and Get-Help modules to reference Invoke-WebRequest and Start-BitsTransfer. -level: medium \ No newline at end of file +level: medium diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_where_execution.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_where_execution.yml index 46b127cb1..541e66dc0 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_where_execution.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_where_execution.yml @@ -38,4 +38,4 @@ falsepositives: level: low tags: - attack.discovery - - attack.t1217 \ No newline at end of file + - attack.t1217 diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_winrar_dmp.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_winrar_dmp.yml index 7fa86299a..0dcff7cec 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_winrar_dmp.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_winrar_dmp.yml @@ -24,4 +24,4 @@ falsepositives: level: high tags: - attack.collection - - attack.t1560.001 \ No newline at end of file + - attack.t1560.001 diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_winrar_execution.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_winrar_execution.yml index 3f65047b3..2b6723bd9 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_winrar_execution.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_winrar_execution.yml @@ -15,16 +15,16 @@ logsource: product: windows detection: selection: - - Image|endswith: + - Image|endswith: - '\rar.exe' - '\winrar.exe' - Description: 'Command line RAR' filter: - Image|contains: + Image|contains: - '\WinRAR' - 'C:\Windows\Temp' - '\UnRAR.exe' condition: selection and not filter falsepositives: - Legitimate use of WinRAR in a folder of a software that bundles WinRAR -level: high \ No newline at end of file +level: high diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_winrm_awl_bypass.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_winrm_awl_bypass.yml index bfd2f6cf6..3f15726f5 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_winrm_awl_bypass.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_winrm_awl_bypass.yml @@ -14,14 +14,14 @@ logsource: category: process_creation product: windows detection: - contains_format_pretty_arg: + contains_format_pretty_arg: CommandLine|contains: - 'format:pretty' - 'format:"pretty"' - 'format:"text"' - 'format:text' image_from_system_folder: - Image|startswith: + Image|startswith: - 'C:\Windows\System32\' - 'C:\Windows\SysWOW64\' contains_winrm: diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_zip_compress.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_zip_compress.yml index caf3e2331..48afb3863 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_zip_compress.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_susp_zip_compress.yml @@ -23,7 +23,7 @@ detection: - ' -Path ' - ' -DestinationPath ' - '$env:TEMP\' - condition: selection + condition: selection falsepositives: - Unknown -level: medium \ No newline at end of file +level: medium diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_sysinternals_eula_accepted.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_sysinternals_eula_accepted.yml index 09e2c4428..628c2e045 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_sysinternals_eula_accepted.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_sysinternals_eula_accepted.yml @@ -11,8 +11,8 @@ date: 2017/08/28 modified: 2021/09/12 author: Markus Neis tags: - - attack.resource_development - - attack.t1588.002 + - attack.resource_development + - attack.t1588.002 logsource: category: process_creation product: windows diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_sysmon_driver_unload.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_sysmon_driver_unload.yml index 505f7d952..b7627f599 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_sysmon_driver_unload.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_sysmon_driver_unload.yml @@ -22,7 +22,7 @@ detection: - 'unload' - 'sys' condition: selection -falsepositives: +falsepositives: - Unknown level: high fields: diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_sysmon_uac_bypass_eventvwr.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_sysmon_uac_bypass_eventvwr.yml index b461488fb..418bdb816 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_sysmon_uac_bypass_eventvwr.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_sysmon_uac_bypass_eventvwr.yml @@ -2,7 +2,7 @@ title: UAC Bypass via Event Viewer id: be344333-921d-4c4d-8bb8-e584cf584780 related: - id: 7c81fec3-1c1d-43b0-996a-46753041b1b6 - type: derived + type: derived status: experimental description: Detects UAC bypass method using Windows event viewer references: @@ -30,4 +30,4 @@ fields: - ParentCommandLine falsepositives: - Unknown -level: high \ No newline at end of file +level: high diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_tool_psexec.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_tool_psexec.yml index 194a60308..e94199583 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_tool_psexec.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_tool_psexec.yml @@ -35,4 +35,4 @@ detection: condition: selection falsepositives: - Unknown -level: low \ No newline at end of file +level: low diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_tool_runx_as_system.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_tool_runx_as_system.yml index ea0ad60e7..4796a0437 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_tool_runx_as_system.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_tool_runx_as_system.yml @@ -25,4 +25,4 @@ fields: - ParentCommandLine falsepositives: - Legitimate use by administrators -level: high \ No newline at end of file +level: high diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_tor_browser.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_tor_browser.yml index 9c858b127..6fd41d735 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_tor_browser.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_tor_browser.yml @@ -11,7 +11,7 @@ logsource: product: windows detection: selection: - Image|endswith: + Image|endswith: - '\tor.exe' - '\Tor Browser\Browser\firefox.exe' condition: selection diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_trust_discovery.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_trust_discovery.yml index 02b621faf..1abe05231 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_trust_discovery.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_trust_discovery.yml @@ -23,7 +23,7 @@ logsource: detection: selection_nltest_v1: Image|endswith: '\nltest.exe' - CommandLine|contains: + CommandLine|contains: - 'domain_trusts' - 'all_trusts' - '/trusted_domains' @@ -31,7 +31,7 @@ detection: selection_dsquery_v1: Image|endswith: '\dsquery.exe' CommandLine|contains: 'trustedDomain' - selection_dsquery_v2: + selection_dsquery_v2: Image|endswith: '\dsquery.exe' CommandLine|contains|all: - '-filter' diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_uninstall_crowdstrike_falcon.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_uninstall_crowdstrike_falcon.yml index 81de7aa9d..ae502a214 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_uninstall_crowdstrike_falcon.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_uninstall_crowdstrike_falcon.yml @@ -18,7 +18,7 @@ detection: - '\WindowsSensor.exe' - ' /uninstall' - ' /quiet' - condition: selection + condition: selection fields: - ComputerName - User diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_uninstall_sysmon.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_uninstall_sysmon.yml index d948f9b39..7a2561d1c 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_uninstall_sysmon.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_uninstall_sysmon.yml @@ -1,4 +1,4 @@ -title: Uninstall Sysinternals Sysmon +title: Uninstall Sysinternals Sysmon id: 6a5f68d1-c4b5-46b9-94ee-5324892ea939 status: experimental description: Detects the uninstallation of Sysinternals Sysmon, which could be the result of legitimate administration or a manipulation for defense evasion @@ -11,7 +11,7 @@ logsource: product: windows detection: selection: - Image|endswith: + Image|endswith: - \Sysmon64.exe - \Sysmon.exe CommandLine|contains: '-u' diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_webshell_hacking.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_webshell_hacking.yml index 75b3ec1fa..e777d578a 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_webshell_hacking.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_webshell_hacking.yml @@ -26,17 +26,17 @@ detection: - '\caddy.exe' - '\ws_tomcatservice.exe' selection_webserver_characteristics_tomcat1: - ParentImage|endswith: + ParentImage|endswith: - '\java.exe' - '\javaw.exe' - ParentImage|contains: + ParentImage|contains: - '-tomcat-' - '\tomcat' selection_webserver_characteristics_tomcat2: - ParentImage|endswith: + ParentImage|endswith: - '\java.exe' - '\javaw.exe' - CommandLine|contains: + CommandLine|contains: - 'catalina.jar' - 'CATALINA_HOME' # Suspicious child processes @@ -67,7 +67,7 @@ detection: Image|endswith: # Credential stealing - '\ntdsutil.exe' - # AD recon + # AD recon - '\ldifde.exe' - '\adfind.exe' # Process dumping @@ -82,11 +82,11 @@ detection: - ' -NoP ' # Often used in malicious PowerShell commands - ' -W Hidden ' # Often used in malicious PowerShell commands - ' -decode ' # Used with certutil - - ' /decode ' # Used with certutil + - ' /decode ' # Used with certutil - 'reg save ' # save registry SAM - syskey extraction - '.downloadstring(' # PowerShell download command - '.downloadfile(' # PowerShell download command - - 'FromBase64String' # PowerShell encoded payload + - 'FromBase64String' # PowerShell encoded payload - ' /ticket:' # Rubeus - ' sekurlsa' # Mimikatz - '.dmp full' # Process dumping method apart from procdump diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_webshell_recon_detection.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_webshell_recon_detection.yml index 344808bb8..cbfe56d48 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_webshell_recon_detection.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_webshell_recon_detection.yml @@ -23,17 +23,17 @@ detection: - '\caddy.exe' - '\ws_tomcatservice.exe' selection_webserver_characteristics_tomcat1: - ParentImage|endswith: + ParentImage|endswith: - '\java.exe' - '\javaw.exe' - ParentImage|contains: + ParentImage|contains: - '-tomcat-' - '\tomcat' selection_webserver_characteristics_tomcat2: - ParentImage|endswith: + ParentImage|endswith: - '\java.exe' - '\javaw.exe' - CommandLine|contains: + CommandLine|contains: - 'catalina.jar' - 'CATALINA_HOME' recon: diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_webshell_spawn.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_webshell_spawn.yml index 3f89a2ea0..51c274424 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_webshell_spawn.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_webshell_spawn.yml @@ -24,17 +24,17 @@ detection: - '\tomcat.exe' - '\UMWorkerProcess.exe' # https://www.fireeye.com/blog/threat-research/2021/03/detection-response-to-exploitation-of-microsoft-exchange-zero-day-vulnerabilities.html selection_webserver_characteristics_tomcat1: - ParentImage|endswith: + ParentImage|endswith: - '\java.exe' - '\javaw.exe' - ParentImage|contains: + ParentImage|contains: - '-tomcat-' - '\tomcat' selection_webserver_characteristics_tomcat2: - ParentImage|endswith: + ParentImage|endswith: - '\java.exe' - '\javaw.exe' - ParentCommandLine|contains: + ParentCommandLine|contains: - 'catalina.jar' - 'CATALINA_HOME' - 'catalina.home' @@ -52,4 +52,3 @@ fields: falsepositives: - Particular web applications may spawn a shell process legitimately level: high - diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_whoami_priv.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_whoami_priv.yml index bd98b67a3..7370c9299 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_whoami_priv.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_whoami_priv.yml @@ -1,7 +1,7 @@ title: Run Whoami Showing Privileges id: 97a80ec7-0e2f-4d05-9ef4-65760e634f6b status: experimental -description: Detects a whoami.exe executed with the /priv command line flag instructing the tool to show all current user privieleges. This is often used after a privilege escalation attempt. +description: Detects a whoami.exe executed with the /priv command line flag instructing the tool to show all current user privieleges. This is often used after a privilege escalation attempt. references: - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/whoami author: Florian Roth diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_win_exchange_transportagent.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_win_exchange_transportagent.yml index 59c7fc5b5..0539acb6e 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_win_exchange_transportagent.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_win_exchange_transportagent.yml @@ -5,9 +5,9 @@ description: Detects the Installation of a Exchange Transport Agent references: - https://twitter.com/blueteamsec1/status/1401290874202382336?s=20 tags: - - attack.persistence - - attack.t1505.002 -author: Tobias Michalski + - attack.persistence + - attack.t1505.002 +author: Tobias Michalski date: 2021/06/08 modified: 2021/09/19 logsource: @@ -21,4 +21,4 @@ falsepositives: - Legitimate installations of exchange TransportAgents. AssemblyPath is a good indicator for this. level: medium fields: - - AssemblyPath \ No newline at end of file + - AssemblyPath diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_wmi_spwns_powershell.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_wmi_spwns_powershell.yml index 750a2cc57..4b27580a6 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_wmi_spwns_powershell.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_wmi_spwns_powershell.yml @@ -29,4 +29,4 @@ level: high tags: - attack.execution - attack.t1047 - - attack.t1059.001 \ No newline at end of file + - attack.t1059.001 diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_wmic_reconnaissance.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_wmic_reconnaissance.yml index ac6ec4bbd..2906b7e70 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_wmic_reconnaissance.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_wmic_reconnaissance.yml @@ -20,7 +20,7 @@ detection: - process - qfe filter: - CommandLine|contains|all: #rule id 526be59f-a573-4eea-b5f7-f0973207634d for `wmic process call create #{process_to_execute}` + CommandLine|contains|all: #rule id 526be59f-a573-4eea-b5f7-f0973207634d for `wmic process call create #{process_to_execute}` - call - create condition: all of selection* and not filter diff --git a/src/main/resources/rules/windows/process_creation/proc_creation_win_wmic_remove_application.yml b/src/main/resources/rules/windows/process_creation/proc_creation_win_wmic_remove_application.yml index 260821395..d825996fa 100644 --- a/src/main/resources/rules/windows/process_creation/proc_creation_win_wmic_remove_application.yml +++ b/src/main/resources/rules/windows/process_creation/proc_creation_win_wmic_remove_application.yml @@ -1,4 +1,4 @@ -title: WMI Uninstall An Application +title: WMI Uninstall An Application id: b53317a0-8acf-4fd1-8de8-a5401e776b96 status: experimental description: Uninstall an application with wmic diff --git a/src/main/resources/rules/windows/raw_access_thread/sysmon_raw_disk_access_using_illegitimate_tools.yml b/src/main/resources/rules/windows/raw_access_thread/sysmon_raw_disk_access_using_illegitimate_tools.yml index 6011077e3..6fe3d89c0 100644 --- a/src/main/resources/rules/windows/raw_access_thread/sysmon_raw_disk_access_using_illegitimate_tools.yml +++ b/src/main/resources/rules/windows/raw_access_thread/sysmon_raw_disk_access_using_illegitimate_tools.yml @@ -64,4 +64,3 @@ fields: falsepositives: - Legitimate Administrator using tool for raw access or ongoing forensic investigation level: low # far too many false positives - diff --git a/src/main/resources/rules/windows/registry/registry_add/registry_add_mal_netwire.yml b/src/main/resources/rules/windows/registry/registry_add/registry_add_mal_netwire.yml index 94dfc6975..e6c953b42 100644 --- a/src/main/resources/rules/windows/registry/registry_add/registry_add_mal_netwire.yml +++ b/src/main/resources/rules/windows/registry/registry_add/registry_add_mal_netwire.yml @@ -1,8 +1,8 @@ title: NetWire RAT Registry Key id: 1d218616-71b0-4c40-855b-9dbe75510f7f description: Attempts to detect registry events for common NetWire key HKCU\Software\NetWire -Note: You likely will have to change the sysmon configuration file. - Per SwiftOnSecurity "Because Sysmon runs as a service, it has no filtering ability for, +Note: You likely will have to change the sysmon configuration file. + Per SwiftOnSecurity "Because Sysmon runs as a service, it has no filtering ability for, or concept of, HKCU or HKEY_CURRENT_USER. Use "contains" or "end with" to get around this limitation" Therefore I set netwire in my configuration. status: experimental @@ -28,4 +28,4 @@ falsepositives: - Unknown tags: - attack.defense_evasion - - attack.t1112 #The configuration information is usually stored under HKCU:\Software\Netwire - RedCanary \ No newline at end of file + - attack.t1112 #The configuration information is usually stored under HKCU:\Software\Netwire - RedCanary diff --git a/src/main/resources/rules/windows/registry/registry_add/registry_add_mal_ursnif.yml b/src/main/resources/rules/windows/registry/registry_add/registry_add_mal_ursnif.yml index e9c902311..fd1ff07c7 100644 --- a/src/main/resources/rules/windows/registry/registry_add/registry_add_mal_ursnif.yml +++ b/src/main/resources/rules/windows/registry/registry_add/registry_add_mal_ursnif.yml @@ -27,4 +27,4 @@ falsepositives: level: high tags: - attack.execution - - attack.t1112 \ No newline at end of file + - attack.t1112 diff --git a/src/main/resources/rules/windows/registry/registry_add/registry_add_persistence_key_linking.yml b/src/main/resources/rules/windows/registry/registry_add/registry_add_persistence_key_linking.yml index 03df88539..54bbe11f7 100644 --- a/src/main/resources/rules/windows/registry/registry_add/registry_add_persistence_key_linking.yml +++ b/src/main/resources/rules/windows/registry/registry_add/registry_add_persistence_key_linking.yml @@ -13,7 +13,7 @@ logsource: detection: selection: EventType: 'CreateKey' # don't want DeleteKey events - TargetObject|contains|all: + TargetObject|contains|all: - 'HKU\' - 'Classes\CLSID\' - '\TreatAs' @@ -23,4 +23,4 @@ falsepositives: level: medium tags: - attack.persistence - - attack.t1546.015 \ No newline at end of file + - attack.t1546.015 diff --git a/src/main/resources/rules/windows/registry/registry_add/registry_add_sysinternals_eula_accepted.yml b/src/main/resources/rules/windows/registry/registry_add/registry_add_sysinternals_eula_accepted.yml index 7f17c2c24..0e5d1bf47 100644 --- a/src/main/resources/rules/windows/registry/registry_add/registry_add_sysinternals_eula_accepted.yml +++ b/src/main/resources/rules/windows/registry/registry_add/registry_add_sysinternals_eula_accepted.yml @@ -20,5 +20,5 @@ falsepositives: - Programs that use the same Registry Key level: low tags: - - attack.resource_development - - attack.t1588.002 \ No newline at end of file + - attack.resource_development + - attack.t1588.002 diff --git a/src/main/resources/rules/windows/registry/registry_add/registry_add_sysinternals_sdelete_registry_keys.yml b/src/main/resources/rules/windows/registry/registry_add/registry_add_sysinternals_sdelete_registry_keys.yml index 7d197391c..b7ad3deff 100644 --- a/src/main/resources/rules/windows/registry/registry_add/registry_add_sysinternals_sdelete_registry_keys.yml +++ b/src/main/resources/rules/windows/registry/registry_add/registry_add_sysinternals_sdelete_registry_keys.yml @@ -21,4 +21,4 @@ falsepositives: level: medium tags: - attack.defense_evasion - - attack.t1070.004 \ No newline at end of file + - attack.t1070.004 diff --git a/src/main/resources/rules/windows/registry/registry_delete/registry_delete_removal_amsi_registry_key.yml b/src/main/resources/rules/windows/registry/registry_delete/registry_delete_removal_amsi_registry_key.yml index 3ef2e1734..5a5361916 100644 --- a/src/main/resources/rules/windows/registry/registry_delete/registry_delete_removal_amsi_registry_key.yml +++ b/src/main/resources/rules/windows/registry/registry_delete/registry_delete_removal_amsi_registry_key.yml @@ -24,4 +24,4 @@ falsepositives: level: high tags: - attack.defense_evasion - - attack.t1562.001 \ No newline at end of file + - attack.t1562.001 diff --git a/src/main/resources/rules/windows/registry/registry_delete/registry_delete_removal_com_hijacking_registry_key.yml b/src/main/resources/rules/windows/registry/registry_delete/registry_delete_removal_com_hijacking_registry_key.yml index c6c92af1f..4a86ef0f6 100644 --- a/src/main/resources/rules/windows/registry/registry_delete/registry_delete_removal_com_hijacking_registry_key.yml +++ b/src/main/resources/rules/windows/registry/registry_delete/registry_delete_removal_com_hijacking_registry_key.yml @@ -21,7 +21,7 @@ detection: filter_svchost: Image: 'C:\Windows\system32\svchost.exe' filter_office: - Image|startswith: + Image|startswith: - 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\' - 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\' Image|endswith: '\OfficeClickToRun.exe' diff --git a/src/main/resources/rules/windows/registry/registry_delete/registry_delete_removal_sd_value_scheduled_task_hide.yml b/src/main/resources/rules/windows/registry/registry_delete/registry_delete_removal_sd_value_scheduled_task_hide.yml index c4b5492dd..095596979 100644 --- a/src/main/resources/rules/windows/registry/registry_delete/registry_delete_removal_sd_value_scheduled_task_hide.yml +++ b/src/main/resources/rules/windows/registry/registry_delete/registry_delete_removal_sd_value_scheduled_task_hide.yml @@ -13,7 +13,7 @@ logsource: detection: selection: EventType: DeleteKey - TargetObject|contains|all: + TargetObject|contains|all: - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\' - 'SD' condition: selection diff --git a/src/main/resources/rules/windows/registry/registry_event/registry_event_apt_chafer_mar18.yml b/src/main/resources/rules/windows/registry/registry_event/registry_event_apt_chafer_mar18.yml index 36a523e37..2b0840d32 100644 --- a/src/main/resources/rules/windows/registry/registry_event/registry_event_apt_chafer_mar18.yml +++ b/src/main/resources/rules/windows/registry/registry_event/registry_event_apt_chafer_mar18.yml @@ -15,7 +15,7 @@ logsource: product: windows detection: selection_reg1: - TargetObject|endswith: + TargetObject|endswith: - 'SOFTWARE\Microsoft\Windows\CurrentVersion\UMe' - 'SOFTWARE\Microsoft\Windows\CurrentVersion\UT' condition: selection_reg1 @@ -31,4 +31,4 @@ tags: - attack.defense_evasion - attack.t1112 - attack.command_and_control - - attack.t1071.004 \ No newline at end of file + - attack.t1071.004 diff --git a/src/main/resources/rules/windows/registry/registry_event/registry_event_apt_leviathan.yml b/src/main/resources/rules/windows/registry/registry_event/registry_event_apt_leviathan.yml index 26311a8cc..c38885543 100644 --- a/src/main/resources/rules/windows/registry/registry_event/registry_event_apt_leviathan.yml +++ b/src/main/resources/rules/windows/registry/registry_event/registry_event_apt_leviathan.yml @@ -17,4 +17,4 @@ detection: level: critical tags: - attack.persistence - - attack.t1547.001 \ No newline at end of file + - attack.t1547.001 diff --git a/src/main/resources/rules/windows/registry/registry_event/registry_event_apt_pandemic.yml b/src/main/resources/rules/windows/registry/registry_event/registry_event_apt_pandemic.yml index ae48ef5e2..7ae99d471 100644 --- a/src/main/resources/rules/windows/registry/registry_event/registry_event_apt_pandemic.yml +++ b/src/main/resources/rules/windows/registry/registry_event/registry_event_apt_pandemic.yml @@ -15,7 +15,7 @@ logsource: category: registry_event product: windows detection: - selection: + selection: TargetObject|contains: '\SYSTEM\CurrentControlSet\services\null\Instance' condition: selection falsepositives: @@ -27,4 +27,4 @@ fields: - ParentCommandLine - Image - User - - TargetObject \ No newline at end of file + - TargetObject diff --git a/src/main/resources/rules/windows/registry/registry_event/registry_event_cmstp_execution_by_registry.yml b/src/main/resources/rules/windows/registry/registry_event/registry_event_cmstp_execution_by_registry.yml index 782a2365c..5d3ab56e9 100644 --- a/src/main/resources/rules/windows/registry/registry_event/registry_event_cmstp_execution_by_registry.yml +++ b/src/main/resources/rules/windows/registry/registry_event/registry_event_cmstp_execution_by_registry.yml @@ -26,4 +26,4 @@ tags: - attack.execution - attack.t1218.003 - attack.g0069 - - car.2019-04-001 \ No newline at end of file + - car.2019-04-001 diff --git a/src/main/resources/rules/windows/registry/registry_event/registry_event_crashdump_disabled.yml b/src/main/resources/rules/windows/registry/registry_event/registry_event_crashdump_disabled.yml index be96ca227..23bb0e95d 100644 --- a/src/main/resources/rules/windows/registry/registry_event/registry_event_crashdump_disabled.yml +++ b/src/main/resources/rules/windows/registry/registry_event/registry_event_crashdump_disabled.yml @@ -20,4 +20,4 @@ falsepositives: level: medium tags: - attack.t1564 - - attack.t1112 \ No newline at end of file + - attack.t1112 diff --git a/src/main/resources/rules/windows/registry/registry_event/registry_event_cve_2021_31979_cve_2021_33771_exploits.yml b/src/main/resources/rules/windows/registry/registry_event/registry_event_cve_2021_31979_cve_2021_33771_exploits.yml index 08a48fe20..7daca86b1 100644 --- a/src/main/resources/rules/windows/registry/registry_event/registry_event_cve_2021_31979_cve_2021_33771_exploits.yml +++ b/src/main/resources/rules/windows/registry/registry_event/registry_event_cve_2021_31979_cve_2021_33771_exploits.yml @@ -30,4 +30,4 @@ detection: condition: selection and not filter falsepositives: - Unlikely -level: critical \ No newline at end of file +level: critical diff --git a/src/main/resources/rules/windows/registry/registry_event/registry_event_dns_serverlevelplugindll.yml b/src/main/resources/rules/windows/registry/registry_event/registry_event_dns_serverlevelplugindll.yml index ca584c21e..9d178c8c6 100644 --- a/src/main/resources/rules/windows/registry/registry_event/registry_event_dns_serverlevelplugindll.yml +++ b/src/main/resources/rules/windows/registry/registry_event/registry_event_dns_serverlevelplugindll.yml @@ -16,7 +16,7 @@ logsource: product: windows category: registry_event detection: - selection: + selection: TargetObject|endswith: '\services\DNS\Parameters\ServerLevelPluginDll' condition: selection falsepositives: @@ -28,4 +28,4 @@ fields: - ParentCommandLine - Image - User - - TargetObject \ No newline at end of file + - TargetObject diff --git a/src/main/resources/rules/windows/registry/registry_event/registry_event_esentutl_volume_shadow_copy_service_keys.yml b/src/main/resources/rules/windows/registry/registry_event/registry_event_esentutl_volume_shadow_copy_service_keys.yml index 0be34ed13..7dc78a7fe 100644 --- a/src/main/resources/rules/windows/registry/registry_event/registry_event_esentutl_volume_shadow_copy_service_keys.yml +++ b/src/main/resources/rules/windows/registry/registry_event/registry_event_esentutl_volume_shadow_copy_service_keys.yml @@ -1,4 +1,4 @@ -title: Esentutl Volume Shadow Copy Service Keys +title: Esentutl Volume Shadow Copy Service Keys id: 5aad0995-46ab-41bd-a9ff-724f41114971 description: Detects the volume shadow copy service initialization and processing via esentutl. Registry keys such as HKLM\\System\\CurrentControlSet\\Services\\VSS\\Diag\\VolSnap\\Volume are captured. status: experimental @@ -18,7 +18,7 @@ detection: TargetObject|contains: 'System\CurrentControlSet\Services\VSS' Image|endswith: 'esentutl.exe' # limit esentutl as in references, too many FP to filter filter: - TargetObject|contains: 'System\CurrentControlSet\Services\VSS\Start' + TargetObject|contains: 'System\CurrentControlSet\Services\VSS\Start' condition: selection and not filter falsepositives: - Unknown diff --git a/src/main/resources/rules/windows/registry/registry_event/registry_event_hybridconnectionmgr_svc_installation.yml b/src/main/resources/rules/windows/registry/registry_event/registry_event_hybridconnectionmgr_svc_installation.yml index 3dbb8e686..7382a751a 100644 --- a/src/main/resources/rules/windows/registry/registry_event/registry_event_hybridconnectionmgr_svc_installation.yml +++ b/src/main/resources/rules/windows/registry/registry_event/registry_event_hybridconnectionmgr_svc_installation.yml @@ -17,7 +17,7 @@ detection: selection1: TargetObject|contains: '\Services\HybridConnectionManager' selection2: - EventType: SetValue + EventType: SetValue Details|contains: 'Microsoft.HybridConnectionManager.Listener.exe' condition: selection1 or selection2 falsepositives: diff --git a/src/main/resources/rules/windows/registry/registry_event/registry_event_mimikatz_printernightmare.yml b/src/main/resources/rules/windows/registry/registry_event/registry_event_mimikatz_printernightmare.yml index 6ded1f970..3665eacc1 100644 --- a/src/main/resources/rules/windows/registry/registry_event/registry_event_mimikatz_printernightmare.yml +++ b/src/main/resources/rules/windows/registry/registry_event/registry_event_mimikatz_printernightmare.yml @@ -1,4 +1,4 @@ -title: PrinterNightmare Mimimkatz Driver Name +title: PrinterNightmare Mimimkatz Driver Name id: ba6b9e43-1d45-4d3c-a504-1043a64c8469 status: experimental description: Detects static QMS 810 and mimikatz driver name used by Mimikatz as exploited in CVE-2021-1675 and CVE-2021-34527 diff --git a/src/main/resources/rules/windows/registry/registry_event/registry_event_net_ntlm_downgrade.yml b/src/main/resources/rules/windows/registry/registry_event/registry_event_net_ntlm_downgrade.yml index 0e70d3dfd..c275f908c 100644 --- a/src/main/resources/rules/windows/registry/registry_event/registry_event_net_ntlm_downgrade.yml +++ b/src/main/resources/rules/windows/registry/registry_event/registry_event_net_ntlm_downgrade.yml @@ -16,7 +16,7 @@ logsource: category: registry_event detection: selection: - TargetObject|contains|all: + TargetObject|contains|all: - 'SYSTEM\' - 'ControlSet' - '\Control\Lsa' @@ -27,4 +27,4 @@ detection: condition: selection falsepositives: - Unknown -level: high \ No newline at end of file +level: high diff --git a/src/main/resources/rules/windows/registry/registry_event/registry_event_new_dll_added_to_appinit_dlls_registry_key.yml b/src/main/resources/rules/windows/registry/registry_event/registry_event_new_dll_added_to_appinit_dlls_registry_key.yml index 08baeb45e..ff3f398c3 100644 --- a/src/main/resources/rules/windows/registry/registry_event/registry_event_new_dll_added_to_appinit_dlls_registry_key.yml +++ b/src/main/resources/rules/windows/registry/registry_event/registry_event_new_dll_added_to_appinit_dlls_registry_key.yml @@ -33,4 +33,4 @@ falsepositives: level: medium tags: - attack.persistence - - attack.t1546.010 \ No newline at end of file + - attack.t1546.010 diff --git a/src/main/resources/rules/windows/registry/registry_event/registry_event_persistence_recycle_bin.yml b/src/main/resources/rules/windows/registry/registry_event/registry_event_persistence_recycle_bin.yml index 1ff0dd3e1..d44d040b0 100644 --- a/src/main/resources/rules/windows/registry/registry_event/registry_event_persistence_recycle_bin.yml +++ b/src/main/resources/rules/windows/registry/registry_event/registry_event_persistence_recycle_bin.yml @@ -19,7 +19,7 @@ detection: condition: Create_key or Set_key tags: - attack.persistence - - attack.t1547 + - attack.t1547 falsepositives: - Unknown level: high diff --git a/src/main/resources/rules/windows/registry/registry_event/registry_event_shell_open_keys_manipulation.yml b/src/main/resources/rules/windows/registry/registry_event/registry_event_shell_open_keys_manipulation.yml index cb73fa4c4..592689d35 100644 --- a/src/main/resources/rules/windows/registry/registry_event/registry_event_shell_open_keys_manipulation.yml +++ b/src/main/resources/rules/windows/registry/registry_event/registry_event_shell_open_keys_manipulation.yml @@ -20,14 +20,14 @@ logsource: product: windows detection: selection1: - EventType: SetValue + EventType: SetValue TargetObject|endswith: 'Classes\ms-settings\shell\open\command\SymbolicLinkValue' Details|contains: '\Software\Classes\{' selection2: TargetObject|endswith: 'Classes\ms-settings\shell\open\command\DelegateExecute' selection3: EventType: SetValue - TargetObject|endswith: + TargetObject|endswith: - 'Classes\ms-settings\shell\open\command\(Default)' - 'Classes\exefile\shell\open\command\(Default)' filter_sel3: diff --git a/src/main/resources/rules/windows/registry/registry_event/registry_event_silentprocessexit_lsass.yml b/src/main/resources/rules/windows/registry/registry_event/registry_event_silentprocessexit_lsass.yml index 18f83195a..df44b42ca 100644 --- a/src/main/resources/rules/windows/registry/registry_event/registry_event_silentprocessexit_lsass.yml +++ b/src/main/resources/rules/windows/registry/registry_event/registry_event_silentprocessexit_lsass.yml @@ -14,9 +14,9 @@ logsource: category: registry_event product: windows detection: - selection: + selection: TargetObject|contains: 'Microsoft\Windows NT\CurrentVersion\SilentProcessExit\lsass.exe' condition: selection falsepositives: - Unknown -level: critical \ No newline at end of file +level: critical diff --git a/src/main/resources/rules/windows/registry/registry_event/registry_event_stickykey_like_backdoor.yml b/src/main/resources/rules/windows/registry/registry_event/registry_event_stickykey_like_backdoor.yml index 7a542b20e..a4a48839e 100644 --- a/src/main/resources/rules/windows/registry/registry_event/registry_event_stickykey_like_backdoor.yml +++ b/src/main/resources/rules/windows/registry/registry_event/registry_event_stickykey_like_backdoor.yml @@ -29,4 +29,4 @@ tags: - attack.persistence - attack.t1546.008 - car.2014-11-003 - - car.2014-11-008 \ No newline at end of file + - car.2014-11-008 diff --git a/src/main/resources/rules/windows/registry/registry_set/registry_set_abusing_windows_telemetry_for_persistence.yml b/src/main/resources/rules/windows/registry/registry_set/registry_set_abusing_windows_telemetry_for_persistence.yml index f6b74bfaa..e052b6aab 100644 --- a/src/main/resources/rules/windows/registry/registry_set/registry_set_abusing_windows_telemetry_for_persistence.yml +++ b/src/main/resources/rules/windows/registry/registry_set/registry_set_abusing_windows_telemetry_for_persistence.yml @@ -19,7 +19,7 @@ detection: selection: EventType: SetValue TargetObject|contains: 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TelemetryController\' - Details|endswith: + Details|endswith: - .sh - .exe - .dll @@ -41,4 +41,4 @@ tags: - attack.defense_evasion - attack.persistence - attack.t1112 - - attack.t1053 \ No newline at end of file + - attack.t1053 diff --git a/src/main/resources/rules/windows/registry/registry_set/registry_set_add_port_monitor.yml b/src/main/resources/rules/windows/registry/registry_set/registry_set_add_port_monitor.yml index 0c7940cfd..4452c86e4 100644 --- a/src/main/resources/rules/windows/registry/registry_set/registry_set_add_port_monitor.yml +++ b/src/main/resources/rules/windows/registry/registry_set/registry_set_add_port_monitor.yml @@ -30,4 +30,4 @@ falsepositives: level: high tags: - attack.persistence - - attack.t1547.010 \ No newline at end of file + - attack.t1547.010 diff --git a/src/main/resources/rules/windows/registry/registry_set/registry_set_blackbyte_ransomware.yml b/src/main/resources/rules/windows/registry/registry_set/registry_set_blackbyte_ransomware.yml index a8504a2b4..eebb61cc7 100644 --- a/src/main/resources/rules/windows/registry/registry_set/registry_set_blackbyte_ransomware.yml +++ b/src/main/resources/rules/windows/registry/registry_set/registry_set_blackbyte_ransomware.yml @@ -14,10 +14,10 @@ logsource: detection: selection: EventType: SetValue - TargetObject: + TargetObject: - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections - - HKLM\SYSTEM\CurrentControlSet\Control\FileSystem\LongPathsEnabled + - HKLM\SYSTEM\CurrentControlSet\Control\FileSystem\LongPathsEnabled Details: DWORD (0x00000001) condition: selection falsepositives: diff --git a/src/main/resources/rules/windows/registry/registry_set/registry_set_bypass_uac_using_eventviewer.yml b/src/main/resources/rules/windows/registry/registry_set/registry_set_bypass_uac_using_eventviewer.yml index effa3e7b5..d99836568 100644 --- a/src/main/resources/rules/windows/registry/registry_set/registry_set_bypass_uac_using_eventviewer.yml +++ b/src/main/resources/rules/windows/registry/registry_set/registry_set_bypass_uac_using_eventviewer.yml @@ -15,7 +15,7 @@ detection: selection: EventType: SetValue TargetObject|endswith: '_Classes\mscfile\shell\open\command\(Default)' - filter: + filter: Details: '%SystemRoot%\system32\mmc.exe "%1" %*' condition: selection and not filter falsepositives: diff --git a/src/main/resources/rules/windows/registry/registry_set/registry_set_bypass_uac_using_silentcleanup_task.yml b/src/main/resources/rules/windows/registry/registry_set/registry_set_bypass_uac_using_silentcleanup_task.yml index 4f64f24b9..9831116a8 100644 --- a/src/main/resources/rules/windows/registry/registry_set/registry_set_bypass_uac_using_silentcleanup_task.yml +++ b/src/main/resources/rules/windows/registry/registry_set/registry_set_bypass_uac_using_silentcleanup_task.yml @@ -23,4 +23,4 @@ level: high tags: - attack.privilege_escalation - attack.defense_evasion - - attack.t1548.002 \ No newline at end of file + - attack.t1548.002 diff --git a/src/main/resources/rules/windows/registry/registry_set/registry_set_change_rdp_port.yml b/src/main/resources/rules/windows/registry/registry_set/registry_set_change_rdp_port.yml index b078a5993..5ea491e52 100644 --- a/src/main/resources/rules/windows/registry/registry_set/registry_set_change_rdp_port.yml +++ b/src/main/resources/rules/windows/registry/registry_set/registry_set_change_rdp_port.yml @@ -17,7 +17,7 @@ detection: selection: EventType: SetValue TargetObject: HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\PortNumber - filter: + filter: Details: DWORD (0x00000d3d) condition: selection and not filter falsepositives: diff --git a/src/main/resources/rules/windows/registry/registry_set/registry_set_chrome_extension.yml b/src/main/resources/rules/windows/registry/registry_set/registry_set_chrome_extension.yml index 852a13bed..af0c7627a 100644 --- a/src/main/resources/rules/windows/registry/registry_set/registry_set_chrome_extension.yml +++ b/src/main/resources/rules/windows/registry/registry_set/registry_set_chrome_extension.yml @@ -17,112 +17,112 @@ detection: EventType: SetValue chrome_vpn: TargetObject|contains: - - fdcgdnkidjaadafnichfpabhfomcebme # ZenMate VPN - - fcfhplploccackoneaefokcmbjfbkenj # 1clickVPN - - bihmplhobchoageeokmgbdihknkjbknd # Touch VPN - - gkojfkhlekighikafcpjkiklfbnlmeio # Hola Free VPN - - jajilbjjinjmgcibalaakngmkilboobh # Astar VPN - - gjknjjomckknofjidppipffbpoekiipm # VPN Free - - nabbmpekekjknlbkgpodfndbodhijjem # Earth VPN - - kpiecbcckbofpmkkkdibbllpinceiihk # DotVPN - - nlbejmccbhkncgokjcmghpfloaajcffj # Hotspot Shield Free VPN - - omghfjlpggmjjaagoclmmobgdodcjboh # Browsec VPN + - fdcgdnkidjaadafnichfpabhfomcebme # ZenMate VPN + - fcfhplploccackoneaefokcmbjfbkenj # 1clickVPN + - bihmplhobchoageeokmgbdihknkjbknd # Touch VPN + - gkojfkhlekighikafcpjkiklfbnlmeio # Hola Free VPN + - jajilbjjinjmgcibalaakngmkilboobh # Astar VPN + - gjknjjomckknofjidppipffbpoekiipm # VPN Free + - nabbmpekekjknlbkgpodfndbodhijjem # Earth VPN + - kpiecbcckbofpmkkkdibbllpinceiihk # DotVPN + - nlbejmccbhkncgokjcmghpfloaajcffj # Hotspot Shield Free VPN + - omghfjlpggmjjaagoclmmobgdodcjboh # Browsec VPN - bibjcjfmgapbfoljiojpipaooddpkpai # VPN-free.pro - - mpcaainmfjjigeicjnlkdfajbioopjko # VPN Unlimited Free - - jljopmgdobloagejpohpldgkiellmfnc # PP VPN - - lochiccbgeohimldjooaakjllnafhaid # IP Unblock - - nhnfcgpcbfclhfafjlooihdfghaeinfc # Surf VPN - - ookhnhpkphagefgdiemllfajmkdkcaim # iNinja VPN - - namfblliamklmeodpcelkokjbffgmeoo # Daily VPN - - nbcojefnccbanplpoffopkoepjmhgdgh # Hoxx VPN Proxy - - majdfhpaihoncoakbjgbdhglocklcgno # Free VPN - - lnfdmdhmfbimhhpaeocncdlhiodoblbd # VPN PROXY MASTER - - eppiocemhmnlbhjplcgkofciiegomcon # Urban Free VPN - - cocfojppfigjeefejbpfmedgjbpchcng # SaferVPN Proxy - - foiopecknacmiihiocgdjgbjokkpkohc # VPN Professional - - hhdobjgopfphlmjbmnpglhfcgppchgje # AdGuard VPN - - jgbaghohigdbgbolncodkdlpenhcmcge # Free VPN - - inligpkjkhbpifecbdjhmdpcfhnlelja # Free One Touch VPN - - higioemojdadgdbhbbbkfbebbdlfjbip # Unlimited VPN & Proxy by ibVPN - - hipncndjamdcmphkgngojegjblibadbe # RusVPN - - iolonopooapdagdemdoaihahlfkncfgg # Azino VPN - - nhfjkakglbnnpkpldhjmpmmfefifedcj # Pron VPN - - jpgljfpmoofbmlieejglhonfofmahini # Free Residential VPN - - fgddmllnllkalaagkghckoinaemmogpe # ExpressVPN - - ejkaocphofnobjdedneohbbiilggdlbi # Hotspot Shield Elite VPN Proxy - - keodbianoliadkoelloecbhllnpiocoi # Hide My IP VPN - - hoapmlpnmpaehilehggglehfdlnoegck # Tunnello VPN - - poeojclicodamonabcabmapamjkkmnnk # HMA VPN Proxy Unblocker - - dfkdflfgjdajbhocmfjolpjbebdkcjog # Free Avira Phantom VPN - - kcdahmgmaagjhocpipbodaokikjkampi # Hola VPN - - klnkiajpmpkkkgpgbogmcgfjhdoljacg # Free VPN for Chrome - - lneaocagcijjdpkcabeanfpdbmapcjjg # Hub VPN - - pgfpignfckbloagkfnamnolkeaecfgfh # Free Proxy VPN - - jplnlifepflhkbkgonidnobkakhmpnmh # Private Internet Access - - jliodmnojccaloajphkingdnpljdhdok # Turbo VPN for PC - - hnmpcagpplmpfojmgmnngilcnanddlhb # Windscribe - - ffbkglfijbcbgblgflchnbphjdllaogb # CyberGhost VPN - - kcndmbbelllkmioekdagahekgimemejo # VPN.AC - - jdgilggpfmjpbodmhndmhojklgfdlhob # Browser VPN - - bihhflimonbpcfagfadcnbbdngpopnjb # DEEPRISM VPN - - ppajinakbfocjfnijggfndbdmjggcmde # My Browser Vpn - - oofgbpoabipfcfjapgnbbjjaenockbdp # SetupVPN - - bhnhkdgoefpmekcgnccpnhjfdgicfebm # Wachee VPN - - knmmpciebaoojcpjjoeonlcjacjopcpf # Thunder Proxy - - dhadilbmmjiooceioladdphemaliiobo # Free Proxy VPN - - jedieiamjmoflcknjdjhpieklepfglin # FastestVPN Proxy - - mhngpdlhojliikfknhfaglpnddniijfh # WorkingVPN - - omdakjcmkglenbhjadbccaookpfjihpa # TunnelBear VPN - - npgimkapccfidfkfoklhpkgmhgfejhbj # BelkaVPN - - akeehkgglkmpapdnanoochpfmeghfdln # VPN Master - - gbmdmipapolaohpinhblmcnpmmlgfgje # Unblock Websites - - aigmfoeogfnljhnofglledbhhfegannp # Lethean Proxy VPN - - cgojmfochfikphincbhokimmmjenhhgk # Whoer VPN - - ficajfeojakddincjafebjmfiefcmanc # Best VPN USA - - ifnaibldjfdmaipaddffmgcmekjhiloa # FREE VPN DEWELOPMENT - - jbnmpdkcfkochpanomnkhnafobppmccn # apkfold free vpn - - apcfdffemoinopelidncddjbhkiblecc # Soul VPN - - mjolnodfokkkaichkcjipfgblbfgojpa # DotVPN - - oifjbnnafapeiknapihcmpeodaeblbkn # rderzh VPN Proxy - - plpmggfglncceinmilojdkiijhmajkjh # Red Panda VPN - - mjnbclmflcpookeapghfhapeffmpodij # Ultrareach VPN - - bblcccknbdbplgmdjnnikffefhdlobhp # FastStunnel VPN - - aojlhgbkmkahabcmcpifbolnoichfeep # VirtualShield VPN - - lcmammnjlbmlbcaniggmlejfjpjagiia # Adblock Office VPN Proxy Server - - knajdeaocbpmfghhmijicidfcmdgbdpm # Guru VPN & Proxy - - bdlcnpceagnkjnjlbbbcepohejbheilk # Malus VPN - - edknjdjielmpdlnllkdmaghlbpnmjmgb # Muscle VPN - - eidnihaadmmancegllknfbliaijfmkgo # Push VPN - - ckiahbcmlmkpfiijecbpflfahoimklke # Gom VPN - - macdlemfnignjhclfcfichcdhiomgjjb # Free Fast VPN - - chioafkonnhbpajpengbalkececleldf # BullVPN - - amnoibeflfphhplmckdbiajkjaoomgnj # HideAll VPN - - llbhddikeonkpbhpncnhialfbpnilcnc # ProxyFlow - - pcienlhnoficegnepejpfiklggkioccm # Cloud VPN - - iocnglnmfkgfedpcemdflhkchokkfeii # sVPN - - igahhbkcppaollcjeaaoapkijbnphfhb # Social VPN - - njpmifchgidinihmijhcfpbdmglecdlb # Trellonet Trellonet - - ggackgngljinccllcmbgnpgpllcjepgc # WindmillVPN - - kchocjcihdgkoplngjemhpplmmloanja # IPBurger Proxy & VPN - - bnijmipndnicefcdbhgcjoognndbgkep # Veee - - lklekjodgannjcccdlbicoamibgbdnmi # Anonymous Proxy Vpn Browser - - dbdbnchagbkhknegmhgikkleoogjcfge # Hideman VPN - - egblhcjfjmbjajhjhpmnlekffgaemgfh # Fornex VPN - - ehbhfpfdkmhcpaehaooegfdflljcnfec # WeVPN - - bkkgdjpomdnfemhhkalfkogckjdkcjkg # VPNMatic - - almalgbpmcfpdaopimbdchdliminoign # Urban Shield - - akkbkhnikoeojlhiiomohpdnkhbkhieh # Prime VPN - - gbfgfbopcfokdpkdigfmoeaajfmpkbnh # westwind - - bniikohfmajhdcffljgfeiklcbgffppl # Upnet - - lejgfmmlngaigdmmikblappdafcmkndb # uVPN - - ffhhkmlgedgcliajaedapkdfigdobcif # Nucleus VPN - - gcknhkkoolaabfmlnjonogaaifnjlfnp # FoxyProxy Standard - - pooljnboifbodgifngpppfklhifechoe # GeoProxy - - fjoaledfpmneenckfbpdfhkmimnjocfa # NordVPN - - aakchaleigkohafkfjfjbblobjifikek # ProxFlow - - dpplabbmogkhghncfbfdeeokoefdjegm # Proxy SwitchySharp - - padekgcemlokbadohgkifijomclgjgif # Proxy SwitchyOmega - - bfidboloedlamgdmenmlbipfnccokknp # PureVPN + - mpcaainmfjjigeicjnlkdfajbioopjko # VPN Unlimited Free + - jljopmgdobloagejpohpldgkiellmfnc # PP VPN + - lochiccbgeohimldjooaakjllnafhaid # IP Unblock + - nhnfcgpcbfclhfafjlooihdfghaeinfc # Surf VPN + - ookhnhpkphagefgdiemllfajmkdkcaim # iNinja VPN + - namfblliamklmeodpcelkokjbffgmeoo # Daily VPN + - nbcojefnccbanplpoffopkoepjmhgdgh # Hoxx VPN Proxy + - majdfhpaihoncoakbjgbdhglocklcgno # Free VPN + - lnfdmdhmfbimhhpaeocncdlhiodoblbd # VPN PROXY MASTER + - eppiocemhmnlbhjplcgkofciiegomcon # Urban Free VPN + - cocfojppfigjeefejbpfmedgjbpchcng # SaferVPN Proxy + - foiopecknacmiihiocgdjgbjokkpkohc # VPN Professional + - hhdobjgopfphlmjbmnpglhfcgppchgje # AdGuard VPN + - jgbaghohigdbgbolncodkdlpenhcmcge # Free VPN + - inligpkjkhbpifecbdjhmdpcfhnlelja # Free One Touch VPN + - higioemojdadgdbhbbbkfbebbdlfjbip # Unlimited VPN & Proxy by ibVPN + - hipncndjamdcmphkgngojegjblibadbe # RusVPN + - iolonopooapdagdemdoaihahlfkncfgg # Azino VPN + - nhfjkakglbnnpkpldhjmpmmfefifedcj # Pron VPN + - jpgljfpmoofbmlieejglhonfofmahini # Free Residential VPN + - fgddmllnllkalaagkghckoinaemmogpe # ExpressVPN + - ejkaocphofnobjdedneohbbiilggdlbi # Hotspot Shield Elite VPN Proxy + - keodbianoliadkoelloecbhllnpiocoi # Hide My IP VPN + - hoapmlpnmpaehilehggglehfdlnoegck # Tunnello VPN + - poeojclicodamonabcabmapamjkkmnnk # HMA VPN Proxy Unblocker + - dfkdflfgjdajbhocmfjolpjbebdkcjog # Free Avira Phantom VPN + - kcdahmgmaagjhocpipbodaokikjkampi # Hola VPN + - klnkiajpmpkkkgpgbogmcgfjhdoljacg # Free VPN for Chrome + - lneaocagcijjdpkcabeanfpdbmapcjjg # Hub VPN + - pgfpignfckbloagkfnamnolkeaecfgfh # Free Proxy VPN + - jplnlifepflhkbkgonidnobkakhmpnmh # Private Internet Access + - jliodmnojccaloajphkingdnpljdhdok # Turbo VPN for PC + - hnmpcagpplmpfojmgmnngilcnanddlhb # Windscribe + - ffbkglfijbcbgblgflchnbphjdllaogb # CyberGhost VPN + - kcndmbbelllkmioekdagahekgimemejo # VPN.AC + - jdgilggpfmjpbodmhndmhojklgfdlhob # Browser VPN + - bihhflimonbpcfagfadcnbbdngpopnjb # DEEPRISM VPN + - ppajinakbfocjfnijggfndbdmjggcmde # My Browser Vpn + - oofgbpoabipfcfjapgnbbjjaenockbdp # SetupVPN + - bhnhkdgoefpmekcgnccpnhjfdgicfebm # Wachee VPN + - knmmpciebaoojcpjjoeonlcjacjopcpf # Thunder Proxy + - dhadilbmmjiooceioladdphemaliiobo # Free Proxy VPN + - jedieiamjmoflcknjdjhpieklepfglin # FastestVPN Proxy + - mhngpdlhojliikfknhfaglpnddniijfh # WorkingVPN + - omdakjcmkglenbhjadbccaookpfjihpa # TunnelBear VPN + - npgimkapccfidfkfoklhpkgmhgfejhbj # BelkaVPN + - akeehkgglkmpapdnanoochpfmeghfdln # VPN Master + - gbmdmipapolaohpinhblmcnpmmlgfgje # Unblock Websites + - aigmfoeogfnljhnofglledbhhfegannp # Lethean Proxy VPN + - cgojmfochfikphincbhokimmmjenhhgk # Whoer VPN + - ficajfeojakddincjafebjmfiefcmanc # Best VPN USA + - ifnaibldjfdmaipaddffmgcmekjhiloa # FREE VPN DEWELOPMENT + - jbnmpdkcfkochpanomnkhnafobppmccn # apkfold free vpn + - apcfdffemoinopelidncddjbhkiblecc # Soul VPN + - mjolnodfokkkaichkcjipfgblbfgojpa # DotVPN + - oifjbnnafapeiknapihcmpeodaeblbkn # rderzh VPN Proxy + - plpmggfglncceinmilojdkiijhmajkjh # Red Panda VPN + - mjnbclmflcpookeapghfhapeffmpodij # Ultrareach VPN + - bblcccknbdbplgmdjnnikffefhdlobhp # FastStunnel VPN + - aojlhgbkmkahabcmcpifbolnoichfeep # VirtualShield VPN + - lcmammnjlbmlbcaniggmlejfjpjagiia # Adblock Office VPN Proxy Server + - knajdeaocbpmfghhmijicidfcmdgbdpm # Guru VPN & Proxy + - bdlcnpceagnkjnjlbbbcepohejbheilk # Malus VPN + - edknjdjielmpdlnllkdmaghlbpnmjmgb # Muscle VPN + - eidnihaadmmancegllknfbliaijfmkgo # Push VPN + - ckiahbcmlmkpfiijecbpflfahoimklke # Gom VPN + - macdlemfnignjhclfcfichcdhiomgjjb # Free Fast VPN + - chioafkonnhbpajpengbalkececleldf # BullVPN + - amnoibeflfphhplmckdbiajkjaoomgnj # HideAll VPN + - llbhddikeonkpbhpncnhialfbpnilcnc # ProxyFlow + - pcienlhnoficegnepejpfiklggkioccm # Cloud VPN + - iocnglnmfkgfedpcemdflhkchokkfeii # sVPN + - igahhbkcppaollcjeaaoapkijbnphfhb # Social VPN + - njpmifchgidinihmijhcfpbdmglecdlb # Trellonet Trellonet + - ggackgngljinccllcmbgnpgpllcjepgc # WindmillVPN + - kchocjcihdgkoplngjemhpplmmloanja # IPBurger Proxy & VPN + - bnijmipndnicefcdbhgcjoognndbgkep # Veee + - lklekjodgannjcccdlbicoamibgbdnmi # Anonymous Proxy Vpn Browser + - dbdbnchagbkhknegmhgikkleoogjcfge # Hideman VPN + - egblhcjfjmbjajhjhpmnlekffgaemgfh # Fornex VPN + - ehbhfpfdkmhcpaehaooegfdflljcnfec # WeVPN + - bkkgdjpomdnfemhhkalfkogckjdkcjkg # VPNMatic + - almalgbpmcfpdaopimbdchdliminoign # Urban Shield + - akkbkhnikoeojlhiiomohpdnkhbkhieh # Prime VPN + - gbfgfbopcfokdpkdigfmoeaajfmpkbnh # westwind + - bniikohfmajhdcffljgfeiklcbgffppl # Upnet + - lejgfmmlngaigdmmikblappdafcmkndb # uVPN + - ffhhkmlgedgcliajaedapkdfigdobcif # Nucleus VPN + - gcknhkkoolaabfmlnjonogaaifnjlfnp # FoxyProxy Standard + - pooljnboifbodgifngpppfklhifechoe # GeoProxy + - fjoaledfpmneenckfbpdfhkmimnjocfa # NordVPN + - aakchaleigkohafkfjfjbblobjifikek # ProxFlow + - dpplabbmogkhghncfbfdeeokoefdjegm # Proxy SwitchySharp + - padekgcemlokbadohgkifijomclgjgif # Proxy SwitchyOmega + - bfidboloedlamgdmenmlbipfnccokknp # PureVPN condition: all of chrome_* falsepositives: - Unknown diff --git a/src/main/resources/rules/windows/registry/registry_set/registry_set_cobaltstrike_service_installs.yml b/src/main/resources/rules/windows/registry/registry_set/registry_set_cobaltstrike_service_installs.yml index 55e9b6900..41c465024 100644 --- a/src/main/resources/rules/windows/registry/registry_set/registry_set_cobaltstrike_service_installs.yml +++ b/src/main/resources/rules/windows/registry/registry_set/registry_set_cobaltstrike_service_installs.yml @@ -1,6 +1,6 @@ title: CobaltStrike Service Installations in Registry id: 61a7697c-cb79-42a8-a2ff-5f0cdfae0130 -description: Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement. +description: Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement. We can also catch this by system log 7045 (https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/win_cobaltstrike_service_installs.yml) In some SIEM you can catch those events also in HKLM\System\ControlSet001\Services or HKLM\System\ControlSet002\Services, however, this rule is based on a regular sysmon's events. status: experimental @@ -17,7 +17,7 @@ detection: EventType: SetValue TargetObject|contains: 'HKLM\System\CurrentControlSet\Services' selection2: - Details|contains|all: + Details|contains|all: - 'ADMIN$' - '.exe' selection3: @@ -32,7 +32,7 @@ level: critical tags: - attack.execution - attack.privilege_escalation - - attack.lateral_movement + - attack.lateral_movement - attack.t1021.002 - attack.t1543.003 - - attack.t1569.002 \ No newline at end of file + - attack.t1569.002 diff --git a/src/main/resources/rules/windows/registry/registry_set/registry_set_creation_service_susp_folder.yml b/src/main/resources/rules/windows/registry/registry_set/registry_set_creation_service_susp_folder.yml index 72aac06dc..5ed032bcd 100644 --- a/src/main/resources/rules/windows/registry/registry_set/registry_set_creation_service_susp_folder.yml +++ b/src/main/resources/rules/windows/registry/registry_set/registry_set_creation_service_susp_folder.yml @@ -1,6 +1,6 @@ title: Service Binary in Suspicious Folder id: a07f0359-4c90-4dc4-a681-8ffea40b4f47 -description: Detect the creation of a service with a service binary located in a suspicious directory +description: Detect the creation of a service with a service binary located in a suspicious directory status: experimental date: 2022/05/02 author: Florian Roth @@ -14,11 +14,11 @@ detection: EventType: SetValue TargetObject|startswith: 'HKLM\System\CurrentControlSet\Services\' TargetObject|endswith: '\Start' - Image|contains: + Image|contains: - '\Users\Public\' - '\Perflogs\' - '\ADMIN$\' - Details: + Details: - 'DWORD (0x00000000)' # boot - 'DWORD (0x00000001)' # System - 'DWORD (0x00000002)' # Automatic @@ -37,4 +37,4 @@ falsepositives: level: high tags: - attack.defense_evasion - - attack.t1112 + - attack.t1112 diff --git a/src/main/resources/rules/windows/registry/registry_set/registry_set_creation_service_temp_folder.yml b/src/main/resources/rules/windows/registry/registry_set/registry_set_creation_service_temp_folder.yml index 1af6b983d..211ec6d33 100644 --- a/src/main/resources/rules/windows/registry/registry_set/registry_set_creation_service_temp_folder.yml +++ b/src/main/resources/rules/windows/registry/registry_set/registry_set_creation_service_temp_folder.yml @@ -1,6 +1,6 @@ title: Service Binary in Temp Folder id: c0abc838-36b0-47c9-b3b3-a90c39455382 -description: Detect the creation of a service with a service binary located in a temporary directory +description: Detect the creation of a service with a service binary located in a temporary directory status: experimental date: 2022/05/01 author: frack113 @@ -15,7 +15,7 @@ detection: TargetObject|startswith: 'HKLM\System\CurrentControlSet\Services\' TargetObject|endswith: '\Start' Image|contains: '\Temp\' - Details: + Details: - 'DWORD (0x00000000)' # boot - 'DWORD (0x00000001)' # System - 'DWORD (0x00000002)' # Automatic @@ -31,4 +31,4 @@ falsepositives: level: high tags: - attack.defense_evasion - - attack.t1112 + - attack.t1112 diff --git a/src/main/resources/rules/windows/registry/registry_set/registry_set_creation_service_uncommon_folder.yml b/src/main/resources/rules/windows/registry/registry_set/registry_set_creation_service_uncommon_folder.yml index a12c8d8f6..620e21526 100644 --- a/src/main/resources/rules/windows/registry/registry_set/registry_set_creation_service_uncommon_folder.yml +++ b/src/main/resources/rules/windows/registry/registry_set/registry_set_creation_service_uncommon_folder.yml @@ -1,6 +1,6 @@ title: Service Binary in Uncommon Folder id: 277dc340-0540-42e7-8efb-5ff460045e07 -description: Detect the creation of a service with a service binary located in a uncommon directory +description: Detect the creation of a service with a service binary located in a uncommon directory status: experimental date: 2022/05/02 modified: 2022/05/04 @@ -15,10 +15,10 @@ detection: EventType: SetValue TargetObject|startswith: 'HKLM\System\CurrentControlSet\Services\' TargetObject|endswith: '\Start' - Image|contains: + Image|contains: - '\AppData\Local\' - '\AppData\Roaming\' - Details: + Details: - 'DWORD (0x00000000)' # boot - 'DWORD (0x00000001)' # System - 'DWORD (0x00000002)' # Automatic @@ -31,10 +31,10 @@ detection: - '\AppData\Local\' - '\AppData\Roaming\' filter: - - Image|contains: + - Image|contains: - '\AppData\Roaming\Zoom' - '\AppData\Local\Zoom' - - Details|contains: + - Details|contains: - '\AppData\Roaming\Zoom' - '\AppData\Local\Zoom' condition: 1 of selection_* and not filter @@ -43,4 +43,4 @@ falsepositives: level: medium tags: - attack.defense_evasion - - attack.t1112 + - attack.t1112 diff --git a/src/main/resources/rules/windows/registry/registry_set/registry_set_defender_disabled.yml b/src/main/resources/rules/windows/registry/registry_set/registry_set_defender_disabled.yml index f5310f11e..891ee4c32 100644 --- a/src/main/resources/rules/windows/registry/registry_set/registry_set_defender_disabled.yml +++ b/src/main/resources/rules/windows/registry/registry_set/registry_set_defender_disabled.yml @@ -18,7 +18,7 @@ logsource: detection: tamper_registry: EventType: SetValue - TargetObject: + TargetObject: - 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware' - 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiVirus' Details: 'DWORD (0x00000001)' @@ -35,4 +35,4 @@ falsepositives: level: high tags: - attack.defense_evasion - - attack.t1562.001 \ No newline at end of file + - attack.t1562.001 diff --git a/src/main/resources/rules/windows/registry/registry_set/registry_set_defender_exclusions.yml b/src/main/resources/rules/windows/registry/registry_set/registry_set_defender_exclusions.yml index d938019a3..fcaab709d 100644 --- a/src/main/resources/rules/windows/registry/registry_set/registry_set_defender_exclusions.yml +++ b/src/main/resources/rules/windows/registry/registry_set/registry_set_defender_exclusions.yml @@ -24,4 +24,4 @@ falsepositives: level: medium tags: - attack.defense_evasion - - attack.t1562.001 \ No newline at end of file + - attack.t1562.001 diff --git a/src/main/resources/rules/windows/registry/registry_set/registry_set_defender_realtime_protection_disabled.yml b/src/main/resources/rules/windows/registry/registry_set/registry_set_defender_realtime_protection_disabled.yml index 0385570f6..34be0cd84 100644 --- a/src/main/resources/rules/windows/registry/registry_set/registry_set_defender_realtime_protection_disabled.yml +++ b/src/main/resources/rules/windows/registry/registry_set/registry_set_defender_realtime_protection_disabled.yml @@ -6,7 +6,7 @@ modified: 2022/03/26 author: AlertIQ references: - https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/ - - https://gist.github.com/anadr/7465a9fde63d41341136949f14c21105 + - https://gist.github.com/anadr/7465a9fde63d41341136949f14c21105 status: experimental logsource: product: windows @@ -14,7 +14,7 @@ logsource: detection: tamper_registry1: EventType: SetValue - TargetObject: + TargetObject: - 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring' - 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection' - 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection' @@ -24,7 +24,7 @@ detection: Details: 'DWORD (0x00000001)' tamper_registry2: EventType: SetValue - TargetObject: + TargetObject: - 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet\SpynetReporting' - 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet\SubmitSamplesConsent' Details: 'DWORD (0x00000000)' @@ -34,4 +34,4 @@ falsepositives: level: high tags: - attack.defense_evasion - - attack.t1562.001 \ No newline at end of file + - attack.t1562.001 diff --git a/src/main/resources/rules/windows/registry/registry_set/registry_set_disable_administrative_share.yml b/src/main/resources/rules/windows/registry/registry_set/registry_set_disable_administrative_share.yml index 4f8419f9e..f61d1fd13 100644 --- a/src/main/resources/rules/windows/registry/registry_set/registry_set_disable_administrative_share.yml +++ b/src/main/resources/rules/windows/registry/registry_set/registry_set_disable_administrative_share.yml @@ -14,7 +14,7 @@ detection: selection: EventType: SetValue TargetObject|startswith: HKLM\System\CurrentControlSet\Services\LanmanServer\Parameters\ - TargetObject|endswith: + TargetObject|endswith: - AutoShareWks - AutoShareServer Details: DWORD (0x00000000) diff --git a/src/main/resources/rules/windows/registry/registry_set/registry_set_disable_microsoft_office_security_features.yml b/src/main/resources/rules/windows/registry/registry_set/registry_set_disable_microsoft_office_security_features.yml index 6b6ef0791..7e417fdfc 100644 --- a/src/main/resources/rules/windows/registry/registry_set/registry_set_disable_microsoft_office_security_features.yml +++ b/src/main/resources/rules/windows/registry/registry_set/registry_set_disable_microsoft_office_security_features.yml @@ -14,10 +14,10 @@ logsource: category: registry_set definition: key must be add to the sysmon configuration to works # Sysmon - # \VBAWarnings + # \VBAWarnings # \DisableInternetFilesInPV - # \DisableUnsafeLocationsInPV - # \DisableAttachementsInPV + # \DisableUnsafeLocationsInPV + # \DisableAttachementsInPV detection: selection: EventType: SetValue @@ -34,4 +34,4 @@ falsepositives: level: high tags: - attack.defense_evasion - - attack.t1562.001 \ No newline at end of file + - attack.t1562.001 diff --git a/src/main/resources/rules/windows/registry/registry_set/registry_set_disable_system_restore.yml b/src/main/resources/rules/windows/registry/registry_set/registry_set_disable_system_restore.yml index 08cfbfacd..15b657d5f 100644 --- a/src/main/resources/rules/windows/registry/registry_set/registry_set_disable_system_restore.yml +++ b/src/main/resources/rules/windows/registry/registry_set/registry_set_disable_system_restore.yml @@ -1,4 +1,4 @@ -title: Registry Disable System Restore +title: Registry Disable System Restore id: 5de03871-5d46-4539-a82d-3aa992a69a83 description: Detects the modification of the registry to disable a system restore on the computer author: frack113 @@ -16,7 +16,7 @@ detection: TargetObject|startswith: - 'HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore' - 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore' - TargetObject|endswith: + TargetObject|endswith: - DisableConfig - DisableSR Details: 'DWORD (0x00000001)' diff --git a/src/main/resources/rules/windows/registry/registry_set/registry_set_disabled_exploit_guard_net_protection_on_ms_defender.yml b/src/main/resources/rules/windows/registry/registry_set/registry_set_disabled_exploit_guard_net_protection_on_ms_defender.yml index 6650516d9..a909be4db 100644 --- a/src/main/resources/rules/windows/registry/registry_set/registry_set_disabled_exploit_guard_net_protection_on_ms_defender.yml +++ b/src/main/resources/rules/windows/registry/registry_set/registry_set_disabled_exploit_guard_net_protection_on_ms_defender.yml @@ -21,4 +21,4 @@ falsepositives: level: medium tags: - attack.defense_evasion - - attack.t1562.001 \ No newline at end of file + - attack.t1562.001 diff --git a/src/main/resources/rules/windows/registry/registry_set/registry_set_disabled_microsoft_defender_eventlog.yml b/src/main/resources/rules/windows/registry/registry_set/registry_set_disabled_microsoft_defender_eventlog.yml index 7b61cd8de..662f9fc61 100644 --- a/src/main/resources/rules/windows/registry/registry_set/registry_set_disabled_microsoft_defender_eventlog.yml +++ b/src/main/resources/rules/windows/registry/registry_set/registry_set_disabled_microsoft_defender_eventlog.yml @@ -20,4 +20,4 @@ falsepositives: level: high tags: - attack.defense_evasion - - attack.t1562.001 \ No newline at end of file + - attack.t1562.001 diff --git a/src/main/resources/rules/windows/registry/registry_set/registry_set_disabled_pua_protection_on_microsoft_defender.yml b/src/main/resources/rules/windows/registry/registry_set/registry_set_disabled_pua_protection_on_microsoft_defender.yml index 2124509d3..c5ba55814 100644 --- a/src/main/resources/rules/windows/registry/registry_set/registry_set_disabled_pua_protection_on_microsoft_defender.yml +++ b/src/main/resources/rules/windows/registry/registry_set/registry_set_disabled_pua_protection_on_microsoft_defender.yml @@ -21,4 +21,4 @@ falsepositives: level: high tags: - attack.defense_evasion - - attack.t1562.001 \ No newline at end of file + - attack.t1562.001 diff --git a/src/main/resources/rules/windows/registry/registry_set/registry_set_disabled_tamper_protection_on_microsoft_defender.yml b/src/main/resources/rules/windows/registry/registry_set/registry_set_disabled_tamper_protection_on_microsoft_defender.yml index 5904adb45..795d40504 100644 --- a/src/main/resources/rules/windows/registry/registry_set/registry_set_disabled_tamper_protection_on_microsoft_defender.yml +++ b/src/main/resources/rules/windows/registry/registry_set/registry_set_disabled_tamper_protection_on_microsoft_defender.yml @@ -26,4 +26,4 @@ falsepositives: level: medium tags: - attack.defense_evasion - - attack.t1562.001 \ No newline at end of file + - attack.t1562.001 diff --git a/src/main/resources/rules/windows/registry/registry_set/registry_set_dns_over_https_enabled.yml b/src/main/resources/rules/windows/registry/registry_set/registry_set_dns_over_https_enabled.yml index 032cf6788..51e4a9cbb 100644 --- a/src/main/resources/rules/windows/registry/registry_set/registry_set_dns_over_https_enabled.yml +++ b/src/main/resources/rules/windows/registry/registry_set/registry_set_dns_over_https_enabled.yml @@ -33,4 +33,4 @@ level: medium tags: - attack.defense_evasion - attack.t1140 - - attack.t1112 \ No newline at end of file + - attack.t1112 diff --git a/src/main/resources/rules/windows/registry/registry_set/registry_set_etw_disabled.yml b/src/main/resources/rules/windows/registry/registry_set/registry_set_etw_disabled.yml index 582540079..8998260f8 100644 --- a/src/main/resources/rules/windows/registry/registry_set/registry_set_etw_disabled.yml +++ b/src/main/resources/rules/windows/registry/registry_set/registry_set_etw_disabled.yml @@ -20,7 +20,7 @@ logsource: category: registry_set detection: selection: - EventType: SetValue + EventType: SetValue TargetObject|endswith: 'SOFTWARE\Microsoft\.NETFramework\ETWEnabled' Details: 'DWORD (0x00000000)' condition: selection diff --git a/src/main/resources/rules/windows/registry/registry_set/registry_set_file_association_exefile.yml b/src/main/resources/rules/windows/registry/registry_set/registry_set_file_association_exefile.yml index 09fff0992..234f9e934 100644 --- a/src/main/resources/rules/windows/registry/registry_set/registry_set_file_association_exefile.yml +++ b/src/main/resources/rules/windows/registry/registry_set/registry_set_file_association_exefile.yml @@ -20,4 +20,4 @@ falsepositives: - Unknown level: high tags: - - attack.defense_evasion \ No newline at end of file + - attack.defense_evasion diff --git a/src/main/resources/rules/windows/registry/registry_set/registry_set_hide_file.yml b/src/main/resources/rules/windows/registry/registry_set/registry_set_hide_file.yml index d50a1a9ac..802c974d4 100644 --- a/src/main/resources/rules/windows/registry/registry_set/registry_set_hide_file.yml +++ b/src/main/resources/rules/windows/registry/registry_set/registry_set_hide_file.yml @@ -13,7 +13,7 @@ logsource: detection: selection: EventType: Setvalue - TargetObject: + TargetObject: - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden Details: 'DWORD (0x00000000)' diff --git a/src/main/resources/rules/windows/registry/registry_set/registry_set_mal_adwind.yml b/src/main/resources/rules/windows/registry/registry_set/registry_set_mal_adwind.yml index 1b29771e1..58d584ebe 100644 --- a/src/main/resources/rules/windows/registry/registry_set/registry_set_mal_adwind.yml +++ b/src/main/resources/rules/windows/registry/registry_set/registry_set_mal_adwind.yml @@ -24,4 +24,4 @@ level: high tags: - attack.execution - attack.t1059.005 - - attack.t1059.007 \ No newline at end of file + - attack.t1059.007 diff --git a/src/main/resources/rules/windows/registry/registry_set/registry_set_mal_blue_mockingbird.yml b/src/main/resources/rules/windows/registry/registry_set/registry_set_mal_blue_mockingbird.yml index 9931e5066..e60190616 100644 --- a/src/main/resources/rules/windows/registry/registry_set/registry_set_mal_blue_mockingbird.yml +++ b/src/main/resources/rules/windows/registry/registry_set/registry_set_mal_blue_mockingbird.yml @@ -24,4 +24,4 @@ level: high tags: - attack.execution - attack.t1112 - - attack.t1047 \ No newline at end of file + - attack.t1047 diff --git a/src/main/resources/rules/windows/registry/registry_set/registry_set_office_enable_dde.yml b/src/main/resources/rules/windows/registry/registry_set/registry_set_office_enable_dde.yml index 6413434c0..1eeafb49b 100644 --- a/src/main/resources/rules/windows/registry/registry_set/registry_set_office_enable_dde.yml +++ b/src/main/resources/rules/windows/registry/registry_set/registry_set_office_enable_dde.yml @@ -14,13 +14,13 @@ detection: selection_word: EventType: SetValue TargetObject|endswith: \Word\Security\AllowDDE - Details: + Details: - DWORD (0x00000001) - DWORD (0x00000002) selection_excel: EventType: SetValue TargetObject|endswith: - - \Excel\Security\DisableDDEServerLaunch + - \Excel\Security\DisableDDEServerLaunch - \Excel\Security\DisableDDEServerLookup Details: DWORD (0x00000000) condition: 1 of selection_* diff --git a/src/main/resources/rules/windows/registry/registry_set/registry_set_office_security.yml b/src/main/resources/rules/windows/registry/registry_set/registry_set_office_security.yml index fe5e28dba..99d7d1373 100644 --- a/src/main/resources/rules/windows/registry/registry_set/registry_set_office_security.yml +++ b/src/main/resources/rules/windows/registry/registry_set/registry_set_office_security.yml @@ -25,4 +25,4 @@ falsepositives: level: high tags: - attack.defense_evasion - - attack.t1112 \ No newline at end of file + - attack.t1112 diff --git a/src/main/resources/rules/windows/registry/registry_set/registry_set_office_vsto_persistence.yml b/src/main/resources/rules/windows/registry/registry_set/registry_set_office_vsto_persistence.yml index d3c9a0508..56529d43a 100644 --- a/src/main/resources/rules/windows/registry/registry_set/registry_set_office_vsto_persistence.yml +++ b/src/main/resources/rules/windows/registry/registry_set/registry_set_office_vsto_persistence.yml @@ -39,4 +39,4 @@ falsepositives: level: medium tags: - attack.t1137.006 - - attack.persistence \ No newline at end of file + - attack.persistence diff --git a/src/main/resources/rules/windows/registry/registry_set/registry_set_outlook_c2_registry_key.yml b/src/main/resources/rules/windows/registry/registry_set/registry_set_outlook_c2_registry_key.yml index b4be180c9..f53c64428 100644 --- a/src/main/resources/rules/windows/registry/registry_set/registry_set_outlook_c2_registry_key.yml +++ b/src/main/resources/rules/windows/registry/registry_set/registry_set_outlook_c2_registry_key.yml @@ -12,7 +12,7 @@ logsource: product: windows detection: selection_registry: - EventType: SetValue + EventType: SetValue TargetObject: 'HKCU\Software\Microsoft\Office\16.0\Outlook\Security\Level' Details|contains: '0x00000001' condition: selection_registry @@ -24,4 +24,4 @@ tags: - attack.command_and_control - attack.t1137 - attack.t1008 - - attack.t1546 \ No newline at end of file + - attack.t1546 diff --git a/src/main/resources/rules/windows/registry/registry_set/registry_set_outlook_registry_todaypage.yml b/src/main/resources/rules/windows/registry/registry_set/registry_set_outlook_registry_todaypage.yml index 4570449f0..28e73bac8 100644 --- a/src/main/resources/rules/windows/registry/registry_set/registry_set_outlook_registry_todaypage.yml +++ b/src/main/resources/rules/windows/registry/registry_set/registry_set_outlook_registry_todaypage.yml @@ -12,17 +12,17 @@ logsource: category: registry_set detection: selection1: - EventType: SetValue - TargetObject|contains: + EventType: SetValue + TargetObject|contains: - 'Software\Microsoft\Office\' - '\Outlook\Today\' selectionStamp: TargetObject|endswith: Stamp - Details: DWORD (0x00000001) + Details: DWORD (0x00000001) selectionUserDefined: TargetObject|endswith: UserDefinedUrl filter_office: - Image|startswith: + Image|startswith: - 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\' - 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\' Image|endswith: '\OfficeClickToRun.exe' @@ -34,4 +34,4 @@ falsepositives: level: high tags: - attack.persistence - - attack.t1112 \ No newline at end of file + - attack.t1112 diff --git a/src/main/resources/rules/windows/registry/registry_set/registry_set_outlook_registry_webview.yml b/src/main/resources/rules/windows/registry/registry_set/registry_set_outlook_registry_webview.yml index 3b9382b7a..2259b03b3 100644 --- a/src/main/resources/rules/windows/registry/registry_set/registry_set_outlook_registry_webview.yml +++ b/src/main/resources/rules/windows/registry/registry_set/registry_set_outlook_registry_webview.yml @@ -13,13 +13,13 @@ logsource: category: registry_set detection: selection_1: - EventType: SetValue - TargetObject|contains: + EventType: SetValue + TargetObject|contains: - '\Software\Microsoft\Office\' - '\Outlook\WebView\' TargetObject|endswith: '\URL' selection_2: - TargetObject|contains: + TargetObject|contains: - '\Calendar\' - '\Inbox\' condition: all of selection_* @@ -30,4 +30,4 @@ falsepositives: level: high tags: - attack.persistence - - attack.t1112 \ No newline at end of file + - attack.t1112 diff --git a/src/main/resources/rules/windows/registry/registry_set/registry_set_persistence_search_order.yml b/src/main/resources/rules/windows/registry/registry_set/registry_set_persistence_search_order.yml index 6189ac57e..cf29c6049 100644 --- a/src/main/resources/rules/windows/registry/registry_set/registry_set_persistence_search_order.yml +++ b/src/main/resources/rules/windows/registry/registry_set/registry_set_persistence_search_order.yml @@ -75,4 +75,4 @@ falsepositives: level: medium tags: - attack.persistence - - attack.t1546.015 \ No newline at end of file + - attack.t1546.015 diff --git a/src/main/resources/rules/windows/registry/registry_set/registry_set_powershell_as_service.yml b/src/main/resources/rules/windows/registry/registry_set/registry_set_powershell_as_service.yml index c78cb893c..ee8d5ae3b 100644 --- a/src/main/resources/rules/windows/registry/registry_set/registry_set_powershell_as_service.yml +++ b/src/main/resources/rules/windows/registry/registry_set/registry_set_powershell_as_service.yml @@ -12,16 +12,16 @@ logsource: product: windows detection: selection: - EventType: SetValue + EventType: SetValue TargetObject|contains: '\Services\' TargetObject|endswith: '\ImagePath' Details|contains: - 'powershell' - 'pwsh' condition: selection -falsepositives: +falsepositives: - Unknown level: high tags: - attack.execution - - attack.t1569.002 \ No newline at end of file + - attack.t1569.002 diff --git a/src/main/resources/rules/windows/registry/registry_set/registry_set_powershell_logging_disabled.yml b/src/main/resources/rules/windows/registry/registry_set/registry_set_powershell_logging_disabled.yml index 7f11c554f..6c846c75f 100644 --- a/src/main/resources/rules/windows/registry/registry_set/registry_set_powershell_logging_disabled.yml +++ b/src/main/resources/rules/windows/registry/registry_set/registry_set_powershell_logging_disabled.yml @@ -12,8 +12,8 @@ logsource: product: windows detection: selection: - EventType: SetValue - TargetObject|endswith: + EventType: SetValue + TargetObject|endswith: - SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging\EnableModuleLogging - SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging\EnableScriptBlockLogging - SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription\EnableTranscripting diff --git a/src/main/resources/rules/windows/registry/registry_set/registry_set_rdp_registry_modification.yml b/src/main/resources/rules/windows/registry/registry_set/registry_set_rdp_registry_modification.yml index 3b0815014..56e8fcc17 100644 --- a/src/main/resources/rules/windows/registry/registry_set/registry_set_rdp_registry_modification.yml +++ b/src/main/resources/rules/windows/registry/registry_set/registry_set_rdp_registry_modification.yml @@ -12,7 +12,7 @@ logsource: product: windows detection: selection: - EventType: SetValue + EventType: SetValue TargetObject|endswith: - '\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\UserAuthentication' - '\CurrentControlSet\Control\Terminal Server\fDenyTSConnections' diff --git a/src/main/resources/rules/windows/registry/registry_set/registry_set_rdp_settings_hijack.yml b/src/main/resources/rules/windows/registry/registry_set/registry_set_rdp_settings_hijack.yml index fa8a24b10..49dd2dc2a 100644 --- a/src/main/resources/rules/windows/registry/registry_set/registry_set_rdp_settings_hijack.yml +++ b/src/main/resources/rules/windows/registry/registry_set/registry_set_rdp_settings_hijack.yml @@ -15,7 +15,7 @@ logsource: product: windows detection: selection_reg: - EventType: SetValue + EventType: SetValue TargetObject|contains: - '\services\TermService\Parameters\ServiceDll' - '\Control\Terminal Server\fSingleSessionPerUser' diff --git a/src/main/resources/rules/windows/registry/registry_set/registry_set_scr_file_executed_by_rundll32.yml b/src/main/resources/rules/windows/registry/registry_set/registry_set_scr_file_executed_by_rundll32.yml index 83eb3a245..9ec39e727 100644 --- a/src/main/resources/rules/windows/registry/registry_set/registry_set_scr_file_executed_by_rundll32.yml +++ b/src/main/resources/rules/windows/registry/registry_set/registry_set_scr_file_executed_by_rundll32.yml @@ -20,7 +20,7 @@ detection: TargetObject|contains: '\Control Panel\Desktop\SCRNSAVE.EXE' Details|endswith: '.scr' filter: - Details|contains: + Details|contains: - 'C:\Windows\System32\' - 'C:\Windows\SysWOW64\' condition: selection and registry and not filter @@ -29,4 +29,4 @@ falsepositives: level: medium tags: - attack.defense_evasion - - attack.t1218.011 \ No newline at end of file + - attack.t1218.011 diff --git a/src/main/resources/rules/windows/registry/registry_set/registry_set_shim_databases_persistence.yml b/src/main/resources/rules/windows/registry/registry_set/registry_set_shim_databases_persistence.yml index 92260f1e8..d2b5fa074 100644 --- a/src/main/resources/rules/windows/registry/registry_set/registry_set_shim_databases_persistence.yml +++ b/src/main/resources/rules/windows/registry/registry_set/registry_set_shim_databases_persistence.yml @@ -27,4 +27,4 @@ falsepositives: level: medium tags: - attack.persistence - - attack.t1546.011 \ No newline at end of file + - attack.t1546.011 diff --git a/src/main/resources/rules/windows/registry/registry_set/registry_set_silentprocessexit.yml b/src/main/resources/rules/windows/registry/registry_set/registry_set_silentprocessexit.yml index 2f1f92be5..8766c4a55 100644 --- a/src/main/resources/rules/windows/registry/registry_set/registry_set_silentprocessexit.yml +++ b/src/main/resources/rules/windows/registry/registry_set/registry_set_silentprocessexit.yml @@ -12,8 +12,8 @@ logsource: category: registry_set product: windows detection: - selection: - EventType: SetValue + selection: + EventType: SetValue TargetObject|contains: 'Microsoft\Windows NT\CurrentVersion\SilentProcessExit' Details|contains: 'MonitorProcess' condition: selection @@ -22,4 +22,4 @@ falsepositives: level: high tags: - attack.persistence - - attack.t1546.012 \ No newline at end of file + - attack.t1546.012 diff --git a/src/main/resources/rules/windows/registry/registry_set/registry_set_susp_printer_driver.yml b/src/main/resources/rules/windows/registry/registry_set/registry_set_susp_printer_driver.yml index 0f3f90a4a..9ea9cab65 100644 --- a/src/main/resources/rules/windows/registry/registry_set/registry_set_susp_printer_driver.yml +++ b/src/main/resources/rules/windows/registry/registry_set/registry_set_susp_printer_driver.yml @@ -12,7 +12,7 @@ logsource: product: windows detection: selection: - EventType: SetValue + EventType: SetValue TargetObject|contains|all: - '\Control\Print\Environments\Windows x64\Drivers' - '\Manufacturer' diff --git a/src/main/resources/rules/windows/registry/registry_set/registry_set_susp_reg_persist_explorer_run.yml b/src/main/resources/rules/windows/registry/registry_set/registry_set_susp_reg_persist_explorer_run.yml index 79344ac32..78ee2c84b 100644 --- a/src/main/resources/rules/windows/registry/registry_set/registry_set_susp_reg_persist_explorer_run.yml +++ b/src/main/resources/rules/windows/registry/registry_set/registry_set_susp_reg_persist_explorer_run.yml @@ -12,7 +12,7 @@ logsource: product: windows detection: selection: - EventType: SetValue + EventType: SetValue TargetObject|endswith: '\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run' selection2: - Details|startswith: diff --git a/src/main/resources/rules/windows/registry/registry_set/registry_set_susp_run_key_img_folder.yml b/src/main/resources/rules/windows/registry/registry_set/registry_set_susp_run_key_img_folder.yml index d27416050..8ba227bf9 100644 --- a/src/main/resources/rules/windows/registry/registry_set/registry_set_susp_run_key_img_folder.yml +++ b/src/main/resources/rules/windows/registry/registry_set/registry_set_susp_run_key_img_folder.yml @@ -12,8 +12,8 @@ logsource: product: windows detection: selection: - EventType: SetValue - TargetObject|contains: + EventType: SetValue + TargetObject|contains: - '\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\' - '\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\' selection2: @@ -37,4 +37,4 @@ falsepositives: level: high tags: - attack.persistence - - attack.t1547.001 \ No newline at end of file + - attack.t1547.001 diff --git a/src/main/resources/rules/windows/registry/registry_set/registry_set_taskcache_entry.yml b/src/main/resources/rules/windows/registry/registry_set/registry_set_taskcache_entry.yml index 9162c9c78..85ae7d16b 100644 --- a/src/main/resources/rules/windows/registry/registry_set/registry_set_taskcache_entry.yml +++ b/src/main/resources/rules/windows/registry/registry_set/registry_set_taskcache_entry.yml @@ -33,4 +33,4 @@ level: high tags: - attack.persistence - attack.t1053 - - attack.t1053.005 \ No newline at end of file + - attack.t1053.005 diff --git a/src/main/resources/rules/windows/registry/registry_set/registry_set_telemetry_persistence.yml b/src/main/resources/rules/windows/registry/registry_set/registry_set_telemetry_persistence.yml index 25cfce045..789a3aa28 100644 --- a/src/main/resources/rules/windows/registry/registry_set/registry_set_telemetry_persistence.yml +++ b/src/main/resources/rules/windows/registry/registry_set/registry_set_telemetry_persistence.yml @@ -13,7 +13,7 @@ logsource: definition: 'Requirements: Sysmon config that monitors \SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TelemetryController subkey of the HKLU hives' detection: selection: - EventType: SetValue + EventType: SetValue TargetObject|contains|all: - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TelemetryController\' - '\Command' diff --git a/src/main/resources/rules/windows/registry/registry_set/registry_set_timeproviders_dllname.yml b/src/main/resources/rules/windows/registry/registry_set/registry_set_timeproviders_dllname.yml index 721920621..afe535a74 100644 --- a/src/main/resources/rules/windows/registry/registry_set/registry_set_timeproviders_dllname.yml +++ b/src/main/resources/rules/windows/registry/registry_set/registry_set_timeproviders_dllname.yml @@ -1,7 +1,7 @@ -title: Set TimeProviders DllName +title: Set TimeProviders DllName id: e88a6ddc-74f7-463b-9b26-f69fc0d2ce85 status: experimental -description: | +description: | Detects processes setting a new DLL in DllName in under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProvider. Adversaries may abuse time providers to execute DLLs when the system boots. The Windows Time service (W32Time) enables time synchronization across and within domains. author: frack113 date: 2022/06/19 diff --git a/src/main/resources/rules/windows/registry/registry_set/registry_set_uac_bypass_eventvwr.yml b/src/main/resources/rules/windows/registry/registry_set/registry_set_uac_bypass_eventvwr.yml index a8577c8f6..5e2375aec 100644 --- a/src/main/resources/rules/windows/registry/registry_set/registry_set_uac_bypass_eventvwr.yml +++ b/src/main/resources/rules/windows/registry/registry_set/registry_set_uac_bypass_eventvwr.yml @@ -23,4 +23,4 @@ tags: - attack.defense_evasion - attack.privilege_escalation - attack.t1548.002 - - car.2019-04-001 \ No newline at end of file + - car.2019-04-001 diff --git a/src/main/resources/rules/windows/registry/registry_set/registry_set_uac_bypass_sdclt.yml b/src/main/resources/rules/windows/registry/registry_set/registry_set_uac_bypass_sdclt.yml index bb3268bd4..54db03819 100644 --- a/src/main/resources/rules/windows/registry/registry_set/registry_set_uac_bypass_sdclt.yml +++ b/src/main/resources/rules/windows/registry/registry_set/registry_set_uac_bypass_sdclt.yml @@ -13,10 +13,10 @@ logsource: product: windows detection: selection1: - EventType: SetValue + EventType: SetValue TargetObject|endswith: Software\Classes\exefile\shell\runas\command\isolatedCommand selection2: - EventType: SetValue + EventType: SetValue TargetObject|endswith: Software\Classes\Folder\shell\open\command\SymbolicLinkValue Details|contains: '-1???\Software\Classes\' condition: 1 of selection* @@ -27,4 +27,4 @@ tags: - attack.defense_evasion - attack.privilege_escalation - attack.t1548.002 - - car.2019-04-001 \ No newline at end of file + - car.2019-04-001 diff --git a/src/main/resources/rules/windows/registry/registry_set/registry_set_uac_bypass_winsat.yml b/src/main/resources/rules/windows/registry/registry_set/registry_set_uac_bypass_winsat.yml index 120ef0e9b..ce1971cee 100644 --- a/src/main/resources/rules/windows/registry/registry_set/registry_set_uac_bypass_winsat.yml +++ b/src/main/resources/rules/windows/registry/registry_set/registry_set_uac_bypass_winsat.yml @@ -24,4 +24,4 @@ level: high tags: - attack.defense_evasion - attack.privilege_escalation - - attack.t1548.002 \ No newline at end of file + - attack.t1548.002 diff --git a/src/main/resources/rules/windows/registry/registry_set/registry_set_uac_bypass_wmp.yml b/src/main/resources/rules/windows/registry/registry_set/registry_set_uac_bypass_wmp.yml index 3aab4807b..75c9b9cbc 100644 --- a/src/main/resources/rules/windows/registry/registry_set/registry_set_uac_bypass_wmp.yml +++ b/src/main/resources/rules/windows/registry/registry_set/registry_set_uac_bypass_wmp.yml @@ -22,4 +22,4 @@ level: high tags: - attack.defense_evasion - attack.privilege_escalation - - attack.t1548.002 \ No newline at end of file + - attack.t1548.002 diff --git a/src/main/resources/rules/windows/registry/registry_set/registry_set_vbs_payload_stored.yml b/src/main/resources/rules/windows/registry/registry_set/registry_set_vbs_payload_stored.yml index 049dc3869..d91b013db 100644 --- a/src/main/resources/rules/windows/registry/registry_set/registry_set_vbs_payload_stored.yml +++ b/src/main/resources/rules/windows/registry/registry_set/registry_set_vbs_payload_stored.yml @@ -12,9 +12,9 @@ logsource: product: windows detection: selection: - EventType: SetValue + EventType: SetValue TargetObject|contains: 'Software\Microsoft\Windows\CurrentVersion' - Details|contains: + Details|contains: - 'vbscript' - 'jscript' - 'mshtml' @@ -23,7 +23,7 @@ detection: - 'CreateObject' - 'RegRead' - 'window.close' - filter: + filter: TargetObject|contains: 'Software\Microsoft\Windows\CurrentVersion\Run' filter_dotnet: Image|endswith: '\msiexec.exe' diff --git a/src/main/resources/rules/windows/registry/registry_set/registry_set_wab_dllpath_reg_change.yml b/src/main/resources/rules/windows/registry/registry_set/registry_set_wab_dllpath_reg_change.yml index 01fec3174..836d1b238 100644 --- a/src/main/resources/rules/windows/registry/registry_set/registry_set_wab_dllpath_reg_change.yml +++ b/src/main/resources/rules/windows/registry/registry_set/registry_set_wab_dllpath_reg_change.yml @@ -14,14 +14,14 @@ logsource: product: windows detection: selection: - EventType: SetValue + EventType: SetValue TargetObject|endswith: '\Software\Microsoft\WAB\DLLPath' filter: Details: '%CommonProgramFiles%\System\wab32.dll' condition: selection and not filter -falsepositives: +falsepositives: - Unknown level: high tags: - attack.defense_evasion - - attack.t1218 \ No newline at end of file + - attack.t1218 diff --git a/src/main/resources/rules/windows/registry/registry_set/registry_set_wdigest_enable_uselogoncredential.yml b/src/main/resources/rules/windows/registry/registry_set/registry_set_wdigest_enable_uselogoncredential.yml index b04bafc12..8a185fbcd 100644 --- a/src/main/resources/rules/windows/registry/registry_set/registry_set_wdigest_enable_uselogoncredential.yml +++ b/src/main/resources/rules/windows/registry/registry_set/registry_set_wdigest_enable_uselogoncredential.yml @@ -15,11 +15,11 @@ detection: selection: EventType: SetValue TargetObject|endswith: 'WDigest\UseLogonCredential' - Details: DWORD (0x00000001) + Details: DWORD (0x00000001) condition: selection falsepositives: - Unknown level: high tags: - attack.defense_evasion - - attack.t1112 \ No newline at end of file + - attack.t1112 diff --git a/src/main/resources/rules/windows/registry/registry_set/registry_set_winlogon_notify_key.yml b/src/main/resources/rules/windows/registry/registry_set/registry_set_winlogon_notify_key.yml index 5a01a196f..b4e6a8bfc 100644 --- a/src/main/resources/rules/windows/registry/registry_set/registry_set_winlogon_notify_key.yml +++ b/src/main/resources/rules/windows/registry/registry_set/registry_set_winlogon_notify_key.yml @@ -23,4 +23,4 @@ falsepositives: level: high tags: - attack.persistence - - attack.t1547.004 \ No newline at end of file + - attack.t1547.004 diff --git a/src/main/resources/rules/windows/sysmon/sysmon_accessing_winapi_in_powershell_credentials_dumping.yml b/src/main/resources/rules/windows/sysmon/sysmon_accessing_winapi_in_powershell_credentials_dumping.yml index 0eabbe262..6363f977e 100644 --- a/src/main/resources/rules/windows/sysmon/sysmon_accessing_winapi_in_powershell_credentials_dumping.yml +++ b/src/main/resources/rules/windows/sysmon/sysmon_accessing_winapi_in_powershell_credentials_dumping.yml @@ -21,6 +21,6 @@ detection: SourceImage|endswith: '\powershell.exe' TargetImage|endswith: '\lsass.exe' condition: selection -falsepositives: +falsepositives: - Unknown level: high diff --git a/src/main/resources/rules/windows/sysmon/sysmon_config_modification.yml b/src/main/resources/rules/windows/sysmon/sysmon_config_modification.yml index ff88c034d..245de30dc 100644 --- a/src/main/resources/rules/windows/sysmon/sysmon_config_modification.yml +++ b/src/main/resources/rules/windows/sysmon/sysmon_config_modification.yml @@ -19,6 +19,6 @@ detection: condition: selection falsepositives: - Legitimate administrative action -level: medium +level: medium tags: - attack.defense_evasion diff --git a/src/main/resources/rules/windows/sysmon/sysmon_config_modification_status.yml b/src/main/resources/rules/windows/sysmon/sysmon_config_modification_status.yml index b04c00a2d..23b8e7ad6 100644 --- a/src/main/resources/rules/windows/sysmon/sysmon_config_modification_status.yml +++ b/src/main/resources/rules/windows/sysmon/sysmon_config_modification_status.yml @@ -22,4 +22,4 @@ detection: condition: selection_stop or selection_conf falsepositives: - Legitimate administrative action -level: high +level: high diff --git a/src/main/resources/rules/windows/sysmon/sysmon_dcom_iertutil_dll_hijack.yml b/src/main/resources/rules/windows/sysmon/sysmon_dcom_iertutil_dll_hijack.yml index 9a22b547a..b76473c60 100644 --- a/src/main/resources/rules/windows/sysmon/sysmon_dcom_iertutil_dll_hijack.yml +++ b/src/main/resources/rules/windows/sysmon/sysmon_dcom_iertutil_dll_hijack.yml @@ -15,15 +15,15 @@ logsource: product: windows service: sysmon detection: - selection_one: + selection_one: EventID: 11 Image: System TargetFilename|endswith: '\Internet Explorer\iertutil.dll' - selection_two: + selection_two: EventID: 7 Image|endswith: '\Internet Explorer\iexplore.exe' ImageLoaded|endswith: '\Internet Explorer\iertutil.dll' condition: selection_one or selection_two falsepositives: - Unknown -level: critical \ No newline at end of file +level: critical diff --git a/src/main/resources/rules/windows/sysmon/sysmon_process_hollowing.yml b/src/main/resources/rules/windows/sysmon/sysmon_process_hollowing.yml index 768c43705..200c5367f 100644 --- a/src/main/resources/rules/windows/sysmon/sysmon_process_hollowing.yml +++ b/src/main/resources/rules/windows/sysmon/sysmon_process_hollowing.yml @@ -6,7 +6,7 @@ author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Sittikorn S date: 2022/01/25 modified: 2022/02/01 references: - - https://twitter.com/SecurePeacock/status/1486054048390332423?s=20 + - https://twitter.com/SecurePeacock/status/1486054048390332423?s=20 - https://www.bleepingcomputer.com/news/microsoft/microsoft-sysmon-now-detects-malware-process-tampering-attempts/ tags: - attack.process_injection @@ -18,7 +18,7 @@ detection: selection: Type: Image is replaced filters: - Image|contains: + Image|contains: - ':\Program Files\' - ':\Program Files (x86)' Image|endswith: diff --git a/src/main/resources/rules/windows/wmi_event/sysmon_wmi_susp_scripting.yml b/src/main/resources/rules/windows/wmi_event/sysmon_wmi_susp_scripting.yml index cd3dcfc43..005ea8e98 100644 --- a/src/main/resources/rules/windows/wmi_event/sysmon_wmi_susp_scripting.yml +++ b/src/main/resources/rules/windows/wmi_event/sysmon_wmi_susp_scripting.yml @@ -41,4 +41,4 @@ falsepositives: level: high tags: - attack.execution - - attack.t1059.005 \ No newline at end of file + - attack.t1059.005 diff --git a/src/test/java/org/opensearch/securityanalytics/SecurityAnalyticsClientUtils.java b/src/test/java/org/opensearch/securityanalytics/SecurityAnalyticsClientUtils.java index 8e4912f40..ecb64090e 100644 --- a/src/test/java/org/opensearch/securityanalytics/SecurityAnalyticsClientUtils.java +++ b/src/test/java/org/opensearch/securityanalytics/SecurityAnalyticsClientUtils.java @@ -11,11 +11,11 @@ import org.opensearch.client.Response; import org.opensearch.cluster.ClusterModule; import org.opensearch.cluster.metadata.MappingMetadata; -import org.opensearch.common.xcontent.XContentParserUtils; import org.opensearch.common.xcontent.json.JsonXContent; import org.opensearch.core.xcontent.DeprecationHandler; import org.opensearch.core.xcontent.NamedXContentRegistry; import org.opensearch.core.xcontent.XContentParser; +import org.opensearch.core.xcontent.XContentParserUtils; import org.opensearch.index.mapper.MapperService; import org.opensearch.test.rest.OpenSearchRestTestCase; diff --git a/src/test/java/org/opensearch/securityanalytics/SecurityAnalyticsRestTestCase.java b/src/test/java/org/opensearch/securityanalytics/SecurityAnalyticsRestTestCase.java index 8dbff6bb4..c47bc148b 100644 --- a/src/test/java/org/opensearch/securityanalytics/SecurityAnalyticsRestTestCase.java +++ b/src/test/java/org/opensearch/securityanalytics/SecurityAnalyticsRestTestCase.java @@ -35,7 +35,14 @@ import org.opensearch.common.io.PathUtils; import org.opensearch.common.settings.Settings; import org.opensearch.common.xcontent.XContentFactory; -import org.opensearch.common.xcontent.XContentParserUtils; +import org.opensearch.core.xcontent.DeprecationHandler; +import org.opensearch.core.xcontent.MediaType; +import org.opensearch.core.xcontent.MediaTypeRegistry; +import org.opensearch.core.xcontent.NamedXContentRegistry; +import org.opensearch.core.xcontent.ToXContent; +import org.opensearch.core.xcontent.XContentBuilder; +import org.opensearch.core.xcontent.XContentParser; +import org.opensearch.core.xcontent.XContentParserUtils; import org.opensearch.common.xcontent.XContentType; import org.opensearch.common.xcontent.json.JsonXContent; import org.opensearch.commons.alerting.model.ScheduledJob; @@ -49,7 +56,7 @@ import org.opensearch.core.xcontent.XContentParser; import org.opensearch.index.IndexSettings; import org.opensearch.index.mapper.MapperService; -import org.opensearch.rest.RestStatus; +import org.opensearch.core.rest.RestStatus; import org.opensearch.search.SearchHit; import org.opensearch.securityanalytics.action.AlertDto; import org.opensearch.securityanalytics.action.CreateIndexMappingsRequest; @@ -203,7 +210,7 @@ protected String createTestIndex(String index, String mapping, Settings settings protected String createTestIndex(RestClient client, String index, String mapping, Settings settings) throws IOException { Request request = new Request("PUT", "/" + index); - String entity = "{\"settings\": " + org.opensearch.common.Strings.toString(XContentType.JSON, settings); + String entity = "{\"settings\": " + Strings.toString(XContentType.JSON, settings); if (mapping != null) { entity = entity + ",\"mappings\" : {" + mapping + "}"; } @@ -252,7 +259,7 @@ protected Settings getCorrelationDefaultIndexSettings() { protected String createTestIndexWithMappingJson(RestClient client, String index, String mapping, Settings settings) throws IOException { Request request = new Request("PUT", "/" + index); - String entity = "{\"settings\": " + org.opensearch.common.Strings.toString(XContentType.JSON, settings); + String entity = "{\"settings\": " + Strings.toString(XContentType.JSON, settings); if (mapping != null) { entity = entity + ",\"mappings\" : " + mapping; } @@ -276,7 +283,7 @@ protected void addCorrelationDoc(String index, String docId, List fieldN } builder.endObject(); - request.setJsonEntity(org.opensearch.common.Strings.toString(builder)); + request.setJsonEntity(builder.toString()); Response response = client().performRequest(request); assertEquals(request.getEndpoint() + ": failed", RestStatus.CREATED, RestStatus.fromCode(response.getStatusLine().getStatusCode())); } @@ -297,7 +304,7 @@ protected Response searchCorrelationIndex(String index, CorrelationQueryBuilder request.addParameter("size", Integer.toString(resultSize)); request.addParameter("explain", Boolean.toString(true)); request.addParameter("search_type", "query_then_fetch"); - request.setJsonEntity(org.opensearch.common.Strings.toString(builder)); + request.setJsonEntity(builder.toString()); Response response = client().performRequest(request); Assert.assertEquals("Search failed", RestStatus.OK, restStatus(response)); @@ -1332,7 +1339,7 @@ protected void wipeAllODFEIndices() throws IOException { Response response = client().performRequest(new Request("GET", "/_cat/indices?format=json&expand_wildcards=all")); - XContentType xContentType = XContentType.fromMediaType(response.getEntity().getContentType().getValue()); + MediaType xContentType = MediaTypeRegistry.fromMediaType(response.getEntity().getContentType().getValue()); XContentParser parser = xContentType.xContent().createParser( NamedXContentRegistry.EMPTY, DeprecationHandler.THROW_UNSUPPORTED_OPERATION, response.getEntity().getContent() diff --git a/src/test/java/org/opensearch/securityanalytics/TestHelpers.java b/src/test/java/org/opensearch/securityanalytics/TestHelpers.java index db857eb9c..b8015e05c 100644 --- a/src/test/java/org/opensearch/securityanalytics/TestHelpers.java +++ b/src/test/java/org/opensearch/securityanalytics/TestHelpers.java @@ -6,7 +6,7 @@ import com.carrotsearch.randomizedtesting.generators.RandomNumbers; import org.apache.lucene.tests.util.LuceneTestCase; -import org.opensearch.common.bytes.BytesReference; +import org.opensearch.core.common.bytes.BytesReference; import org.opensearch.common.xcontent.LoggingDeprecationHandler; import org.opensearch.common.xcontent.XContentFactory; import org.opensearch.common.xcontent.XContentType; diff --git a/src/test/java/org/opensearch/securityanalytics/action/AckAlertsRequestTests.java b/src/test/java/org/opensearch/securityanalytics/action/AckAlertsRequestTests.java index e2fbbe030..643c5ea95 100644 --- a/src/test/java/org/opensearch/securityanalytics/action/AckAlertsRequestTests.java +++ b/src/test/java/org/opensearch/securityanalytics/action/AckAlertsRequestTests.java @@ -6,7 +6,7 @@ import org.opensearch.action.ActionRequestValidationException; import org.opensearch.common.io.stream.BytesStreamOutput; -import org.opensearch.common.io.stream.StreamInput; +import org.opensearch.core.common.io.stream.StreamInput; import org.opensearch.test.OpenSearchTestCase; import java.io.IOException; diff --git a/src/test/java/org/opensearch/securityanalytics/action/AckAlertsResponseTests.java b/src/test/java/org/opensearch/securityanalytics/action/AckAlertsResponseTests.java index 48c441d3b..690555470 100644 --- a/src/test/java/org/opensearch/securityanalytics/action/AckAlertsResponseTests.java +++ b/src/test/java/org/opensearch/securityanalytics/action/AckAlertsResponseTests.java @@ -5,7 +5,7 @@ package org.opensearch.securityanalytics.action; import org.opensearch.common.io.stream.BytesStreamOutput; -import org.opensearch.common.io.stream.StreamInput; +import org.opensearch.core.common.io.stream.StreamInput; import org.opensearch.commons.alerting.model.Alert; import org.opensearch.test.OpenSearchTestCase; diff --git a/src/test/java/org/opensearch/securityanalytics/action/CreateIndexMappingsRequestTests.java b/src/test/java/org/opensearch/securityanalytics/action/CreateIndexMappingsRequestTests.java index a4beab5a4..1376386be 100644 --- a/src/test/java/org/opensearch/securityanalytics/action/CreateIndexMappingsRequestTests.java +++ b/src/test/java/org/opensearch/securityanalytics/action/CreateIndexMappingsRequestTests.java @@ -7,7 +7,7 @@ import org.opensearch.action.ActionRequestValidationException; import org.opensearch.common.io.stream.BytesStreamOutput; -import org.opensearch.common.io.stream.StreamInput; +import org.opensearch.core.common.io.stream.StreamInput; import org.opensearch.common.xcontent.json.JsonXContent; import org.opensearch.core.xcontent.XContentParser; import org.opensearch.securityanalytics.action.CreateIndexMappingsRequest; diff --git a/src/test/java/org/opensearch/securityanalytics/action/GetDetectorRequestTests.java b/src/test/java/org/opensearch/securityanalytics/action/GetDetectorRequestTests.java index dbb720cf7..d3baba63c 100644 --- a/src/test/java/org/opensearch/securityanalytics/action/GetDetectorRequestTests.java +++ b/src/test/java/org/opensearch/securityanalytics/action/GetDetectorRequestTests.java @@ -7,7 +7,7 @@ import org.opensearch.action.ActionRequestValidationException; import org.opensearch.common.io.stream.BytesStreamOutput; -import org.opensearch.common.io.stream.StreamInput; +import org.opensearch.core.common.io.stream.StreamInput; import org.opensearch.securityanalytics.action.GetDetectorRequest; import org.opensearch.test.OpenSearchTestCase; diff --git a/src/test/java/org/opensearch/securityanalytics/action/GetIndexMappingsRequestTests.java b/src/test/java/org/opensearch/securityanalytics/action/GetIndexMappingsRequestTests.java index dc9753a06..a40962376 100644 --- a/src/test/java/org/opensearch/securityanalytics/action/GetIndexMappingsRequestTests.java +++ b/src/test/java/org/opensearch/securityanalytics/action/GetIndexMappingsRequestTests.java @@ -7,7 +7,7 @@ import org.opensearch.action.ActionRequestValidationException; import org.opensearch.common.io.stream.BytesStreamOutput; -import org.opensearch.common.io.stream.StreamInput; +import org.opensearch.core.common.io.stream.StreamInput; import org.opensearch.common.xcontent.json.JsonXContent; import org.opensearch.core.xcontent.XContentParser; import org.opensearch.securityanalytics.action.GetIndexMappingsRequest; diff --git a/src/test/java/org/opensearch/securityanalytics/action/GetIndexMappingsResponseTests.java b/src/test/java/org/opensearch/securityanalytics/action/GetIndexMappingsResponseTests.java index dfc42b601..a0056652e 100644 --- a/src/test/java/org/opensearch/securityanalytics/action/GetIndexMappingsResponseTests.java +++ b/src/test/java/org/opensearch/securityanalytics/action/GetIndexMappingsResponseTests.java @@ -7,7 +7,7 @@ import org.opensearch.cluster.metadata.MappingMetadata; import org.opensearch.common.io.stream.BytesStreamOutput; -import org.opensearch.common.io.stream.StreamInput; +import org.opensearch.core.common.io.stream.StreamInput; import org.opensearch.index.mapper.MapperService; import org.opensearch.securityanalytics.action.GetIndexMappingsResponse; import org.opensearch.test.OpenSearchTestCase; diff --git a/src/test/java/org/opensearch/securityanalytics/action/IndexDetectorRequestTests.java b/src/test/java/org/opensearch/securityanalytics/action/IndexDetectorRequestTests.java index d1ed34947..10688bf98 100644 --- a/src/test/java/org/opensearch/securityanalytics/action/IndexDetectorRequestTests.java +++ b/src/test/java/org/opensearch/securityanalytics/action/IndexDetectorRequestTests.java @@ -9,7 +9,7 @@ import org.junit.Assert; import org.opensearch.action.support.WriteRequest; import org.opensearch.common.io.stream.BytesStreamOutput; -import org.opensearch.common.io.stream.StreamInput; +import org.opensearch.core.common.io.stream.StreamInput; import org.opensearch.rest.RestRequest; import org.opensearch.securityanalytics.model.Detector; import org.opensearch.securityanalytics.model.DetectorInput; diff --git a/src/test/java/org/opensearch/securityanalytics/action/IndexDetectorResponseTests.java b/src/test/java/org/opensearch/securityanalytics/action/IndexDetectorResponseTests.java index 30df1ed5a..d47650411 100644 --- a/src/test/java/org/opensearch/securityanalytics/action/IndexDetectorResponseTests.java +++ b/src/test/java/org/opensearch/securityanalytics/action/IndexDetectorResponseTests.java @@ -6,9 +6,9 @@ import org.junit.Assert; import org.opensearch.common.io.stream.BytesStreamOutput; -import org.opensearch.common.io.stream.StreamInput; +import org.opensearch.core.common.io.stream.StreamInput; import org.opensearch.commons.alerting.model.CronSchedule; -import org.opensearch.rest.RestStatus; +import org.opensearch.core.rest.RestStatus; import org.opensearch.securityanalytics.config.monitors.DetectorMonitorConfig; import org.opensearch.securityanalytics.model.Detector; import org.opensearch.test.OpenSearchTestCase; diff --git a/src/test/java/org/opensearch/securityanalytics/action/UpdateIndexMappingsRequestTests.java b/src/test/java/org/opensearch/securityanalytics/action/UpdateIndexMappingsRequestTests.java index 80d6ad048..a4255e9a2 100644 --- a/src/test/java/org/opensearch/securityanalytics/action/UpdateIndexMappingsRequestTests.java +++ b/src/test/java/org/opensearch/securityanalytics/action/UpdateIndexMappingsRequestTests.java @@ -7,7 +7,7 @@ import org.opensearch.action.ActionRequestValidationException; import org.opensearch.common.io.stream.BytesStreamOutput; -import org.opensearch.common.io.stream.StreamInput; +import org.opensearch.core.common.io.stream.StreamInput; import org.opensearch.common.xcontent.json.JsonXContent; import org.opensearch.core.xcontent.XContentParser; import org.opensearch.securityanalytics.action.UpdateIndexMappingsRequest; diff --git a/src/test/java/org/opensearch/securityanalytics/action/ValidateRulesRequestTests.java b/src/test/java/org/opensearch/securityanalytics/action/ValidateRulesRequestTests.java index 02cc9d35c..64c9f38d1 100644 --- a/src/test/java/org/opensearch/securityanalytics/action/ValidateRulesRequestTests.java +++ b/src/test/java/org/opensearch/securityanalytics/action/ValidateRulesRequestTests.java @@ -10,8 +10,8 @@ import org.junit.Assert; import org.opensearch.action.support.WriteRequest; import org.opensearch.common.io.stream.BytesStreamOutput; -import org.opensearch.common.io.stream.StreamInput; -import org.opensearch.common.xcontent.XContentParserUtils; +import org.opensearch.core.common.io.stream.StreamInput; +import org.opensearch.core.xcontent.XContentParserUtils; import org.opensearch.common.xcontent.json.JsonXContent; import org.opensearch.core.xcontent.XContentParser; import org.opensearch.rest.RestRequest; diff --git a/src/test/java/org/opensearch/securityanalytics/action/ValidateRulesResponseTests.java b/src/test/java/org/opensearch/securityanalytics/action/ValidateRulesResponseTests.java index 0066c1b70..9e121d183 100644 --- a/src/test/java/org/opensearch/securityanalytics/action/ValidateRulesResponseTests.java +++ b/src/test/java/org/opensearch/securityanalytics/action/ValidateRulesResponseTests.java @@ -8,11 +8,11 @@ import java.util.ArrayList; import java.util.List; import org.junit.Assert; -import org.opensearch.common.bytes.BytesReference; +import org.opensearch.core.common.bytes.BytesReference; import org.opensearch.common.io.stream.BytesStreamOutput; -import org.opensearch.common.io.stream.StreamInput; +import org.opensearch.core.common.io.stream.StreamInput; import org.opensearch.common.xcontent.XContentFactory; -import org.opensearch.common.xcontent.XContentParserUtils; +import org.opensearch.core.xcontent.XContentParserUtils; import org.opensearch.common.xcontent.json.JsonXContent; import org.opensearch.core.xcontent.ToXContent; import org.opensearch.core.xcontent.XContentParser; diff --git a/src/test/java/org/opensearch/securityanalytics/alerts/AlertingServiceTests.java b/src/test/java/org/opensearch/securityanalytics/alerts/AlertingServiceTests.java index dacccb685..ae3ecbeda 100644 --- a/src/test/java/org/opensearch/securityanalytics/alerts/AlertingServiceTests.java +++ b/src/test/java/org/opensearch/securityanalytics/alerts/AlertingServiceTests.java @@ -10,7 +10,7 @@ import java.util.Collections; import java.util.List; import java.util.Map; -import org.opensearch.action.ActionListener; +import org.opensearch.core.action.ActionListener; import org.opensearch.client.Client; import org.opensearch.commons.alerting.model.Alert; import org.opensearch.commons.alerting.model.CronSchedule; @@ -18,7 +18,7 @@ import org.opensearch.commons.alerting.model.DocumentLevelTrigger; import org.opensearch.commons.alerting.model.Monitor; import org.opensearch.commons.alerting.model.Table; -import org.opensearch.rest.RestStatus; +import org.opensearch.core.rest.RestStatus; import org.opensearch.script.Script; import org.opensearch.securityanalytics.action.AlertDto; import org.opensearch.securityanalytics.action.GetAlertsResponse; diff --git a/src/test/java/org/opensearch/securityanalytics/alerts/AlertsIT.java b/src/test/java/org/opensearch/securityanalytics/alerts/AlertsIT.java index eb6ebd9c8..43b73815b 100644 --- a/src/test/java/org/opensearch/securityanalytics/alerts/AlertsIT.java +++ b/src/test/java/org/opensearch/securityanalytics/alerts/AlertsIT.java @@ -21,7 +21,7 @@ import org.opensearch.client.Response; import org.opensearch.client.ResponseException; import org.opensearch.commons.alerting.model.action.Action; -import org.opensearch.rest.RestStatus; +import org.opensearch.core.rest.RestStatus; import org.opensearch.search.SearchHit; import org.opensearch.securityanalytics.SecurityAnalyticsPlugin; import org.opensearch.securityanalytics.SecurityAnalyticsRestTestCase; diff --git a/src/test/java/org/opensearch/securityanalytics/alerts/SecureAlertsRestApiIT.java b/src/test/java/org/opensearch/securityanalytics/alerts/SecureAlertsRestApiIT.java index dac0b62ad..cd96f4e8c 100644 --- a/src/test/java/org/opensearch/securityanalytics/alerts/SecureAlertsRestApiIT.java +++ b/src/test/java/org/opensearch/securityanalytics/alerts/SecureAlertsRestApiIT.java @@ -18,7 +18,7 @@ import org.opensearch.client.RestClient; import org.opensearch.commons.alerting.model.action.Action; import org.opensearch.commons.rest.SecureRestClientBuilder; -import org.opensearch.rest.RestStatus; +import org.opensearch.core.rest.RestStatus; import org.opensearch.search.SearchHit; import org.opensearch.securityanalytics.SecurityAnalyticsPlugin; import org.opensearch.securityanalytics.SecurityAnalyticsRestTestCase; diff --git a/src/test/java/org/opensearch/securityanalytics/correlation/CorrelationEngineRestApiIT.java b/src/test/java/org/opensearch/securityanalytics/correlation/CorrelationEngineRestApiIT.java index 1a001311d..83fbb888c 100644 --- a/src/test/java/org/opensearch/securityanalytics/correlation/CorrelationEngineRestApiIT.java +++ b/src/test/java/org/opensearch/securityanalytics/correlation/CorrelationEngineRestApiIT.java @@ -7,7 +7,7 @@ import org.junit.Assert; import org.opensearch.client.Request; import org.opensearch.client.Response; -import org.opensearch.rest.RestStatus; +import org.opensearch.core.rest.RestStatus; import org.opensearch.search.SearchHit; import org.opensearch.securityanalytics.SecurityAnalyticsPlugin; import org.opensearch.securityanalytics.SecurityAnalyticsRestTestCase; diff --git a/src/test/java/org/opensearch/securityanalytics/correlation/LuceneEngineIT.java b/src/test/java/org/opensearch/securityanalytics/correlation/LuceneEngineIT.java index c411a9329..bec107c15 100644 --- a/src/test/java/org/opensearch/securityanalytics/correlation/LuceneEngineIT.java +++ b/src/test/java/org/opensearch/securityanalytics/correlation/LuceneEngineIT.java @@ -65,7 +65,7 @@ public void testQuery() throws IOException { .endObject() .endObject(); - String mapping = org.opensearch.common.Strings.toString(builder); + String mapping = builder.toString(); createTestIndexWithMappingJson(client(), INDEX_NAME, mapping, getCorrelationDefaultIndexSettings()); for (int idx = 0; idx < TEST_VECTORS.length; ++idx) { diff --git a/src/test/java/org/opensearch/securityanalytics/findings/FindingIT.java b/src/test/java/org/opensearch/securityanalytics/findings/FindingIT.java index 9a1875fed..28deaaff1 100644 --- a/src/test/java/org/opensearch/securityanalytics/findings/FindingIT.java +++ b/src/test/java/org/opensearch/securityanalytics/findings/FindingIT.java @@ -16,7 +16,7 @@ import org.opensearch.client.Request; import org.opensearch.client.Response; import org.opensearch.client.ResponseException; -import org.opensearch.rest.RestStatus; +import org.opensearch.core.rest.RestStatus; import org.opensearch.search.SearchHit; import org.opensearch.securityanalytics.SecurityAnalyticsPlugin; import org.opensearch.securityanalytics.SecurityAnalyticsRestTestCase; diff --git a/src/test/java/org/opensearch/securityanalytics/findings/FindingServiceTests.java b/src/test/java/org/opensearch/securityanalytics/findings/FindingServiceTests.java index 13231e732..232c9a221 100644 --- a/src/test/java/org/opensearch/securityanalytics/findings/FindingServiceTests.java +++ b/src/test/java/org/opensearch/securityanalytics/findings/FindingServiceTests.java @@ -12,7 +12,7 @@ import java.util.List; import java.util.Queue; import java.util.stream.Collectors; -import org.opensearch.action.ActionListener; +import org.opensearch.core.action.ActionListener; import org.opensearch.client.Client; import org.opensearch.commons.alerting.model.CronSchedule; import org.opensearch.commons.alerting.model.DocLevelQuery; @@ -20,7 +20,7 @@ import org.opensearch.commons.alerting.model.FindingDocument; import org.opensearch.commons.alerting.model.FindingWithDocs; import org.opensearch.commons.alerting.model.Table; -import org.opensearch.rest.RestStatus; +import org.opensearch.core.rest.RestStatus; import org.opensearch.securityanalytics.action.FindingDto; import org.opensearch.securityanalytics.action.GetDetectorAction; import org.opensearch.securityanalytics.action.GetDetectorRequest; diff --git a/src/test/java/org/opensearch/securityanalytics/findings/SecureFindingRestApiIT.java b/src/test/java/org/opensearch/securityanalytics/findings/SecureFindingRestApiIT.java index 26fce0efc..17b186679 100644 --- a/src/test/java/org/opensearch/securityanalytics/findings/SecureFindingRestApiIT.java +++ b/src/test/java/org/opensearch/securityanalytics/findings/SecureFindingRestApiIT.java @@ -15,7 +15,7 @@ import org.opensearch.client.ResponseException; import org.opensearch.client.RestClient; import org.opensearch.commons.rest.SecureRestClientBuilder; -import org.opensearch.rest.RestStatus; +import org.opensearch.core.rest.RestStatus; import org.opensearch.search.SearchHit; import org.opensearch.securityanalytics.SecurityAnalyticsPlugin; import org.opensearch.securityanalytics.SecurityAnalyticsRestTestCase; diff --git a/src/test/java/org/opensearch/securityanalytics/mapper/MapperRestApiIT.java b/src/test/java/org/opensearch/securityanalytics/mapper/MapperRestApiIT.java index fc22c258f..847c2aa49 100644 --- a/src/test/java/org/opensearch/securityanalytics/mapper/MapperRestApiIT.java +++ b/src/test/java/org/opensearch/securityanalytics/mapper/MapperRestApiIT.java @@ -26,9 +26,9 @@ import org.opensearch.client.Response; import org.opensearch.client.ResponseException; import org.opensearch.common.settings.Settings; -import org.opensearch.common.xcontent.XContentFactory; import org.opensearch.common.xcontent.json.JsonXContent; import org.opensearch.core.xcontent.DeprecationHandler; +import org.opensearch.core.xcontent.MediaTypeRegistry; import org.opensearch.core.xcontent.NamedXContentRegistry; import org.opensearch.core.xcontent.XContentParser; import org.opensearch.search.SearchHit; @@ -1402,10 +1402,10 @@ public void testCreateDNSMapping() throws IOException{ try { if (flatProperties.contains(path)) { Request updateRequest = new Request("PUT", SecurityAnalyticsPlugin.MAPPER_BASE_URI); - updateRequest.setJsonEntity(org.opensearch.common.Strings.toString(XContentFactory.jsonBuilder().map(Map.of( + updateRequest.setJsonEntity(MediaTypeRegistry.JSON.contentBuilder().map(Map.of( "index_name", INDEX_NAME, "field", path, - "alias", key)))); + "alias", key)).toString()); Response apiResponse = client().performRequest(updateRequest); assertEquals(HttpStatus.SC_OK, apiResponse.getStatusLine().getStatusCode()); } diff --git a/src/test/java/org/opensearch/securityanalytics/mapper/MapperServiceTests.java b/src/test/java/org/opensearch/securityanalytics/mapper/MapperServiceTests.java index d04b74d06..92b697220 100644 --- a/src/test/java/org/opensearch/securityanalytics/mapper/MapperServiceTests.java +++ b/src/test/java/org/opensearch/securityanalytics/mapper/MapperServiceTests.java @@ -6,7 +6,7 @@ package org.opensearch.securityanalytics.mapper; -import org.opensearch.action.ActionListener; +import org.opensearch.core.action.ActionListener; import org.opensearch.action.admin.indices.mapping.get.GetMappingsRequest; import org.opensearch.action.admin.indices.mapping.get.GetMappingsResponse; import org.opensearch.action.support.master.AcknowledgedResponse; diff --git a/src/test/java/org/opensearch/securityanalytics/mapper/action/mapping/CreateIndexMappingsRequestTests.java b/src/test/java/org/opensearch/securityanalytics/mapper/action/mapping/CreateIndexMappingsRequestTests.java index f7cf63195..d07e29ca8 100644 --- a/src/test/java/org/opensearch/securityanalytics/mapper/action/mapping/CreateIndexMappingsRequestTests.java +++ b/src/test/java/org/opensearch/securityanalytics/mapper/action/mapping/CreateIndexMappingsRequestTests.java @@ -7,7 +7,7 @@ import org.opensearch.action.ActionRequestValidationException; import org.opensearch.common.io.stream.BytesStreamOutput; -import org.opensearch.common.io.stream.StreamInput; +import org.opensearch.core.common.io.stream.StreamInput; import org.opensearch.common.xcontent.json.JsonXContent; import org.opensearch.core.xcontent.XContentParser; import org.opensearch.securityanalytics.action.CreateIndexMappingsRequest; diff --git a/src/test/java/org/opensearch/securityanalytics/mapper/action/mapping/GetIndexMappingsRequestTests.java b/src/test/java/org/opensearch/securityanalytics/mapper/action/mapping/GetIndexMappingsRequestTests.java index 33c678f66..fe2a94423 100644 --- a/src/test/java/org/opensearch/securityanalytics/mapper/action/mapping/GetIndexMappingsRequestTests.java +++ b/src/test/java/org/opensearch/securityanalytics/mapper/action/mapping/GetIndexMappingsRequestTests.java @@ -7,7 +7,7 @@ import org.opensearch.action.ActionRequestValidationException; import org.opensearch.common.io.stream.BytesStreamOutput; -import org.opensearch.common.io.stream.StreamInput; +import org.opensearch.core.common.io.stream.StreamInput; import org.opensearch.common.xcontent.json.JsonXContent; import org.opensearch.core.xcontent.XContentParser; import org.opensearch.securityanalytics.action.GetIndexMappingsRequest; diff --git a/src/test/java/org/opensearch/securityanalytics/mapper/action/mapping/GetIndexMappingsResponseTests.java b/src/test/java/org/opensearch/securityanalytics/mapper/action/mapping/GetIndexMappingsResponseTests.java index 5530aa37f..52de24f22 100644 --- a/src/test/java/org/opensearch/securityanalytics/mapper/action/mapping/GetIndexMappingsResponseTests.java +++ b/src/test/java/org/opensearch/securityanalytics/mapper/action/mapping/GetIndexMappingsResponseTests.java @@ -7,7 +7,7 @@ import org.opensearch.cluster.metadata.MappingMetadata; import org.opensearch.common.io.stream.BytesStreamOutput; -import org.opensearch.common.io.stream.StreamInput; +import org.opensearch.core.common.io.stream.StreamInput; import org.opensearch.index.mapper.MapperService; import org.opensearch.securityanalytics.action.GetIndexMappingsResponse; import org.opensearch.test.OpenSearchTestCase; diff --git a/src/test/java/org/opensearch/securityanalytics/mapper/action/mapping/UpdateIndexMappingsRequestTests.java b/src/test/java/org/opensearch/securityanalytics/mapper/action/mapping/UpdateIndexMappingsRequestTests.java index 593ae7556..4d228fd0e 100644 --- a/src/test/java/org/opensearch/securityanalytics/mapper/action/mapping/UpdateIndexMappingsRequestTests.java +++ b/src/test/java/org/opensearch/securityanalytics/mapper/action/mapping/UpdateIndexMappingsRequestTests.java @@ -7,7 +7,7 @@ import org.opensearch.action.ActionRequestValidationException; import org.opensearch.common.io.stream.BytesStreamOutput; -import org.opensearch.common.io.stream.StreamInput; +import org.opensearch.core.common.io.stream.StreamInput; import org.opensearch.common.xcontent.json.JsonXContent; import org.opensearch.core.xcontent.XContentParser; import org.opensearch.securityanalytics.action.UpdateIndexMappingsRequest; diff --git a/src/test/java/org/opensearch/securityanalytics/model/DetectorInputTests.java b/src/test/java/org/opensearch/securityanalytics/model/DetectorInputTests.java index 8ba5a991a..e61ff96e3 100644 --- a/src/test/java/org/opensearch/securityanalytics/model/DetectorInputTests.java +++ b/src/test/java/org/opensearch/securityanalytics/model/DetectorInputTests.java @@ -5,7 +5,7 @@ package org.opensearch.securityanalytics.model; import org.junit.Assert; -import org.opensearch.common.bytes.BytesReference; +import org.opensearch.core.common.bytes.BytesReference; import org.opensearch.common.xcontent.XContentType; import org.opensearch.core.xcontent.ToXContent; import org.opensearch.core.xcontent.XContentBuilder; diff --git a/src/test/java/org/opensearch/securityanalytics/model/WriteableTests.java b/src/test/java/org/opensearch/securityanalytics/model/WriteableTests.java index 995814953..e82911c1b 100644 --- a/src/test/java/org/opensearch/securityanalytics/model/WriteableTests.java +++ b/src/test/java/org/opensearch/securityanalytics/model/WriteableTests.java @@ -6,7 +6,7 @@ import org.junit.Assert; import org.opensearch.common.io.stream.BytesStreamOutput; -import org.opensearch.common.io.stream.StreamInput; +import org.opensearch.core.common.io.stream.StreamInput; import org.opensearch.commons.authuser.User; import org.opensearch.test.OpenSearchTestCase; diff --git a/src/test/java/org/opensearch/securityanalytics/model/XContentTests.java b/src/test/java/org/opensearch/securityanalytics/model/XContentTests.java index 6300740f7..578b29d45 100644 --- a/src/test/java/org/opensearch/securityanalytics/model/XContentTests.java +++ b/src/test/java/org/opensearch/securityanalytics/model/XContentTests.java @@ -7,7 +7,8 @@ import java.io.IOException; import java.util.List; import org.junit.Assert; -import org.opensearch.common.bytes.BytesReference; +import org.opensearch.core.common.bytes.BytesReference; +import org.opensearch.core.xcontent.ToXContent; import org.opensearch.commons.authuser.User; import org.opensearch.core.xcontent.ToXContent; import org.opensearch.test.OpenSearchTestCase; diff --git a/src/test/java/org/opensearch/securityanalytics/resthandler/CustomLogTypeRestApiIT.java b/src/test/java/org/opensearch/securityanalytics/resthandler/CustomLogTypeRestApiIT.java index d4f412589..d2316db23 100644 --- a/src/test/java/org/opensearch/securityanalytics/resthandler/CustomLogTypeRestApiIT.java +++ b/src/test/java/org/opensearch/securityanalytics/resthandler/CustomLogTypeRestApiIT.java @@ -14,7 +14,7 @@ import org.opensearch.client.Request; import org.opensearch.client.Response; import org.opensearch.client.ResponseException; -import org.opensearch.rest.RestStatus; +import org.opensearch.core.rest.RestStatus; import org.opensearch.search.SearchHit; import org.opensearch.securityanalytics.SecurityAnalyticsPlugin; import org.opensearch.securityanalytics.SecurityAnalyticsRestTestCase; diff --git a/src/test/java/org/opensearch/securityanalytics/resthandler/DetectorMonitorRestApiIT.java b/src/test/java/org/opensearch/securityanalytics/resthandler/DetectorMonitorRestApiIT.java index 10e909b1c..fb110ed50 100644 --- a/src/test/java/org/opensearch/securityanalytics/resthandler/DetectorMonitorRestApiIT.java +++ b/src/test/java/org/opensearch/securityanalytics/resthandler/DetectorMonitorRestApiIT.java @@ -29,7 +29,7 @@ import org.opensearch.client.Request; import org.opensearch.client.Response; import org.opensearch.commons.alerting.model.Monitor.MonitorType; -import org.opensearch.rest.RestStatus; +import org.opensearch.core.rest.RestStatus; import org.opensearch.search.SearchHit; import org.opensearch.securityanalytics.SecurityAnalyticsPlugin; import org.opensearch.securityanalytics.SecurityAnalyticsRestTestCase; diff --git a/src/test/java/org/opensearch/securityanalytics/resthandler/DetectorRestApiIT.java b/src/test/java/org/opensearch/securityanalytics/resthandler/DetectorRestApiIT.java index 2e27d7835..f3aed5f02 100644 --- a/src/test/java/org/opensearch/securityanalytics/resthandler/DetectorRestApiIT.java +++ b/src/test/java/org/opensearch/securityanalytics/resthandler/DetectorRestApiIT.java @@ -17,12 +17,11 @@ import org.opensearch.action.search.SearchResponse; import org.opensearch.client.Request; import org.opensearch.client.Response; -import org.opensearch.core.common.Strings; import org.opensearch.common.settings.Settings; import org.opensearch.client.ResponseException; -import org.opensearch.common.xcontent.XContentFactory; import org.opensearch.commons.alerting.model.Monitor.MonitorType; -import org.opensearch.rest.RestStatus; +import org.opensearch.core.rest.RestStatus; +import org.opensearch.core.xcontent.MediaTypeRegistry; import org.opensearch.search.SearchHit; import org.opensearch.securityanalytics.SecurityAnalyticsPlugin; import org.opensearch.securityanalytics.SecurityAnalyticsRestTestCase; @@ -895,10 +894,10 @@ public void testCreatingADetectorWithTimestampFieldAliasMapping() throws IOExcep assertEquals(HttpStatus.SC_OK, response.getStatusLine().getStatusCode()); Request updateRequest = new Request("PUT", SecurityAnalyticsPlugin.MAPPER_BASE_URI); - updateRequest.setJsonEntity(org.opensearch.common.Strings.toString(XContentFactory.jsonBuilder().map(Map.of( + updateRequest.setJsonEntity(MediaTypeRegistry.JSON.contentBuilder().map(Map.of( "index_name", index, "field", "time", - "alias", "timestamp")))); + "alias", "timestamp")).toString()); Response apiResponse = client().performRequest(updateRequest); assertEquals(HttpStatus.SC_OK, apiResponse.getStatusLine().getStatusCode()); @@ -998,10 +997,11 @@ public void testCreatingADetectorWithTimestampFieldAliasMapping_verifyTimeRangeI assertEquals(HttpStatus.SC_OK, response.getStatusLine().getStatusCode()); Request updateRequest = new Request("PUT", SecurityAnalyticsPlugin.MAPPER_BASE_URI); - updateRequest.setJsonEntity(org.opensearch.common.Strings.toString(XContentFactory.jsonBuilder().map(Map.of( + updateRequest.setJsonEntity(MediaTypeRegistry.JSON.contentBuilder().map(Map.of( "index_name", index, "field", "time", - "alias", "timestamp")))); + "alias", "timestamp")) + .toString()); Response apiResponse = client().performRequest(updateRequest); assertEquals(HttpStatus.SC_OK, apiResponse.getStatusLine().getStatusCode()); diff --git a/src/test/java/org/opensearch/securityanalytics/resthandler/OCSFDetectorRestApiIT.java b/src/test/java/org/opensearch/securityanalytics/resthandler/OCSFDetectorRestApiIT.java index 62e4287c3..248bb8798 100644 --- a/src/test/java/org/opensearch/securityanalytics/resthandler/OCSFDetectorRestApiIT.java +++ b/src/test/java/org/opensearch/securityanalytics/resthandler/OCSFDetectorRestApiIT.java @@ -10,7 +10,7 @@ import org.junit.Assert; import org.opensearch.client.Request; import org.opensearch.client.Response; -import org.opensearch.rest.RestStatus; +import org.opensearch.core.rest.RestStatus; import org.opensearch.search.SearchHit; import org.opensearch.securityanalytics.SecurityAnalyticsPlugin; import org.opensearch.securityanalytics.SecurityAnalyticsRestTestCase; diff --git a/src/test/java/org/opensearch/securityanalytics/resthandler/RuleRestApiIT.java b/src/test/java/org/opensearch/securityanalytics/resthandler/RuleRestApiIT.java index cfca3800a..a230d54c5 100644 --- a/src/test/java/org/opensearch/securityanalytics/resthandler/RuleRestApiIT.java +++ b/src/test/java/org/opensearch/securityanalytics/resthandler/RuleRestApiIT.java @@ -13,16 +13,11 @@ import org.opensearch.client.Response; import org.opensearch.client.ResponseException; import org.opensearch.common.xcontent.LoggingDeprecationHandler; -import org.opensearch.common.xcontent.XContentFactory; -import org.opensearch.common.xcontent.XContentParserUtils; import org.opensearch.common.xcontent.XContentType; -import org.opensearch.commons.alerting.aggregation.bucketselectorext.BucketSelectorExtAggregationBuilder; import org.opensearch.core.xcontent.NamedXContentRegistry; import org.opensearch.core.xcontent.XContentParser; -import org.opensearch.core.xcontent.XContentParser.Token; -import org.opensearch.rest.RestStatus; +import org.opensearch.core.rest.RestStatus; import org.opensearch.search.SearchHit; -import org.opensearch.search.aggregations.AggregatorFactories; import org.opensearch.securityanalytics.SecurityAnalyticsPlugin; import org.opensearch.securityanalytics.SecurityAnalyticsRestTestCase; import org.opensearch.securityanalytics.config.monitors.DetectorMonitorConfig; @@ -32,13 +27,11 @@ import org.opensearch.securityanalytics.model.Rule; import java.io.IOException; -import java.io.UnsupportedEncodingException; import java.util.Collections; import java.util.List; import java.util.Locale; import java.util.Map; import java.util.stream.Collectors; -import org.opensearch.securityanalytics.rules.backend.OSQueryBackend.AggregationQueries; import org.opensearch.securityanalytics.rules.exceptions.SigmaError; import static org.opensearch.securityanalytics.TestHelpers.randomDetectorType; @@ -150,7 +143,7 @@ public void testCreatingAggregationRule() throws SigmaError, IOException { List hits = executeSearch(index, request); - XContentParser xcp = XContentFactory.xContent(XContentType.JSON) + XContentParser xcp = XContentType.JSON.xContent() .createParser(NamedXContentRegistry.EMPTY, LoggingDeprecationHandler.INSTANCE, hits.get(0).getSourceAsString()); Rule result = Rule.docParse(xcp, null, null); diff --git a/src/test/java/org/opensearch/securityanalytics/resthandler/SecureDetectorRestApiIT.java b/src/test/java/org/opensearch/securityanalytics/resthandler/SecureDetectorRestApiIT.java index 1fba8adc0..b1f8fbfdf 100644 --- a/src/test/java/org/opensearch/securityanalytics/resthandler/SecureDetectorRestApiIT.java +++ b/src/test/java/org/opensearch/securityanalytics/resthandler/SecureDetectorRestApiIT.java @@ -17,7 +17,7 @@ import org.opensearch.client.RestClient; import org.opensearch.common.settings.Settings; import org.opensearch.commons.rest.SecureRestClientBuilder; -import org.opensearch.rest.RestStatus; +import org.opensearch.core.rest.RestStatus; import org.opensearch.search.SearchHit; import org.opensearch.securityanalytics.SecurityAnalyticsPlugin; import org.opensearch.securityanalytics.SecurityAnalyticsRestTestCase; diff --git a/src/test/java/org/opensearch/securityanalytics/writable/LogTypeTests.java b/src/test/java/org/opensearch/securityanalytics/writable/LogTypeTests.java index 2013fdc29..4ede7891b 100644 --- a/src/test/java/org/opensearch/securityanalytics/writable/LogTypeTests.java +++ b/src/test/java/org/opensearch/securityanalytics/writable/LogTypeTests.java @@ -9,7 +9,7 @@ import java.util.List; import org.junit.Test; import org.opensearch.common.io.stream.BytesStreamOutput; -import org.opensearch.common.io.stream.StreamInput; +import org.opensearch.core.common.io.stream.StreamInput; import org.opensearch.securityanalytics.model.LogType; import static org.opensearch.test.OpenSearchTestCase.assertEquals; diff --git a/src/test/resources/OSMapping/windows/mappings.json b/src/test/resources/OSMapping/windows/mappings.json index 89c8035e6..eb841bdf3 100644 --- a/src/test/resources/OSMapping/windows/mappings.json +++ b/src/test/resources/OSMapping/windows/mappings.json @@ -5,4 +5,4 @@ "path": "CommandLine" } } -} \ No newline at end of file +} diff --git a/src/test/resources/ad_ldap-sample.json b/src/test/resources/ad_ldap-sample.json index 862522e99..3b89ca581 100644 --- a/src/test/resources/ad_ldap-sample.json +++ b/src/test/resources/ad_ldap-sample.json @@ -19,4 +19,4 @@ "azure.signinlogs.properties.network_location_details": "1234", "azure.auditlogs.properties.activity_display_name": "1234", "creationTime": "2022-12-27T20:29:31.734Z" -} \ No newline at end of file +} diff --git a/src/test/resources/azure-sample.json b/src/test/resources/azure-sample.json index ab69da0b4..bccf2cf40 100644 --- a/src/test/resources/azure-sample.json +++ b/src/test/resources/azure-sample.json @@ -24,4 +24,4 @@ "azure.auditlogs.props.logged_by_service": "111", "properties_message": "111", "creationTime": "2022-12-27T20:29:31.734Z" -} \ No newline at end of file +} diff --git a/src/test/resources/dns-sample.json b/src/test/resources/dns-sample.json index 84fd0d88f..4d37107c1 100644 --- a/src/test/resources/dns-sample.json +++ b/src/test/resources/dns-sample.json @@ -23,4 +23,4 @@ "firewall_rule_action": "ALERT", "firewall_rule_group_id": "rslvr-frg-000000000000000", "firewall_domain_list_id": "rslvr-fdl-0000000000000" -} \ No newline at end of file +} diff --git a/src/test/resources/s3-sample.json b/src/test/resources/s3-sample.json index 49669477b..440dcf184 100644 --- a/src/test/resources/s3-sample.json +++ b/src/test/resources/s3-sample.json @@ -11,4 +11,4 @@ "aws-cloudtrail-event_source": "123", "aws-cloudtrail-event_name": "123", "eventTime": "123" -} \ No newline at end of file +} diff --git a/src/test/resources/testMissingPath.json b/src/test/resources/testMissingPath.json index c7e7cb51c..2149638cd 100644 --- a/src/test/resources/testMissingPath.json +++ b/src/test/resources/testMissingPath.json @@ -8,4 +8,4 @@ "type": "alias" } } -} \ No newline at end of file +} diff --git a/src/test/resources/testMultipleAliasesWithSameName.json b/src/test/resources/testMultipleAliasesWithSameName.json index b5f6a0f11..d24cfee4b 100644 --- a/src/test/resources/testMultipleAliasesWithSameName.json +++ b/src/test/resources/testMultipleAliasesWithSameName.json @@ -9,4 +9,4 @@ "path": "netflow.event_data.DestinationPort" } } -} \ No newline at end of file +} diff --git a/src/test/resources/testValidAliasMappings.json b/src/test/resources/testValidAliasMappings.json index 20aa70443..6f88c4d8b 100644 --- a/src/test/resources/testValidAliasMappings.json +++ b/src/test/resources/testValidAliasMappings.json @@ -17,4 +17,4 @@ "path": "netflow.event_data.DestinationPort" } } -} \ No newline at end of file +} diff --git a/src/test/resources/testValidAliasMappingsSimple.json b/src/test/resources/testValidAliasMappingsSimple.json index 0995ef54d..898a0094f 100644 --- a/src/test/resources/testValidAliasMappingsSimple.json +++ b/src/test/resources/testValidAliasMappingsSimple.json @@ -5,4 +5,4 @@ "path": "netflow.event_data.SourceAddress" } } -} \ No newline at end of file +} diff --git a/src/test/resources/testValidAliasMappingsWithNestedType.json b/src/test/resources/testValidAliasMappingsWithNestedType.json index efd159e60..d5c37276f 100644 --- a/src/test/resources/testValidAliasMappingsWithNestedType.json +++ b/src/test/resources/testValidAliasMappingsWithNestedType.json @@ -26,4 +26,4 @@ } } } -} \ No newline at end of file +}