CSEC_PUBLIC/WELA
1
0
Fork 0
mirror of https://github.com/Yamato-Security/WELA.git synced 2026-04-24 21:47:45 +02:00
Code Issues Packages Projects Releases Wiki Activity

Sigma Rule Update (2026-03-01 20:19:02) (#268)

Browse Source 
Co-authored-by: YamatoSecurity <YamatoSecurity@users.noreply.github.com>
This commit is contained in:
github-actions[bot]
2026-03-01 20:19:08 +00:00
committed by GitHub
parent eda06b901e
commit 0fe9ec0e59
1 changed files with 231 additions and 156 deletions
Download Patch File Download Diff File Expand all files Collapse all files
config/security_rules.json
+231 -156
View File
@@ -360,8 +360,8 @@
"T1570", "T1570",
"TA0002", "TA0002",
"T1569.002", "T1569.002",
"T1021", "T1569",
"T1569" "T1021"
], ],
"title": "Metasploit Or Impacket Service Installation Via SMB PsExec" "title": "Metasploit Or Impacket Service Installation Via SMB PsExec"
}, },
@@ -1646,8 +1646,8 @@
"T1218.011", "T1218.011",
"car.2013-10-002", "car.2013-10-002",
"detection.emerging-threats", "detection.emerging-threats",
"T1218", "T1059",
"T1059" "T1218"
], ],
"title": "Sofacy Trojan Loader Activity" "title": "Sofacy Trojan Loader Activity"
}, },
@@ -1726,9 +1726,9 @@
"TA0011", "TA0011",
"T1071.004", "T1071.004",
"detection.emerging-threats", "detection.emerging-threats",
"T1543", "T1071",
"T1053", "T1053",
"T1071" "T1543"
], ],
"title": "OilRig APT Registry Persistence" "title": "OilRig APT Registry Persistence"
}, },
@@ -1760,9 +1760,9 @@
"TA0011", "TA0011",
"T1071.004", "T1071.004",
"detection.emerging-threats", "detection.emerging-threats",
"T1053",
"T1543", "T1543",
"T1071" "T1071",
"T1053"
], ],
"title": "OilRig APT Activity" "title": "OilRig APT Activity"
}, },
@@ -1792,8 +1792,8 @@
"TA0011", "TA0011",
"T1071.004", "T1071.004",
"detection.emerging-threats", "detection.emerging-threats",
"T1543",
"T1053", "T1053",
"T1543",
"T1071" "T1071"
], ],
"title": "OilRig APT Schedule Task Persistence - System" "title": "OilRig APT Schedule Task Persistence - System"
@@ -1827,9 +1827,9 @@
"TA0011", "TA0011",
"T1071.004", "T1071.004",
"detection.emerging-threats", "detection.emerging-threats",
"T1053",
"T1543", "T1543",
"T1071", "T1071"
"T1053"
], ],
"title": "OilRig APT Schedule Task Persistence - Security" "title": "OilRig APT Schedule Task Persistence - Security"
}, },
@@ -2993,8 +2993,8 @@
"T1543.003", "T1543.003",
"T1569.002", "T1569.002",
"detection.emerging-threats", "detection.emerging-threats",
"T1569", "T1543",
"T1543" "T1569"
], ],
"title": "CosmicDuke Service Installation" "title": "CosmicDuke Service Installation"
}, },
@@ -3103,8 +3103,8 @@
"T1566.001", "T1566.001",
"cve.2017-8759", "cve.2017-8759",
"detection.emerging-threats", "detection.emerging-threats",
"T1566", "T1204",
"T1204" "T1566"
], ],
"title": "Exploit for CVE-2017-8759" "title": "Exploit for CVE-2017-8759"
}, },
@@ -3329,8 +3329,8 @@
"T1053.005", "T1053.005",
"T1027", "T1027",
"detection.emerging-threats", "detection.emerging-threats",
"T1053", "T1059",
"T1059" "T1053"
], ],
"title": "Turla Group Commands May 2020" "title": "Turla Group Commands May 2020"
}, },
@@ -3960,8 +3960,8 @@
"T1059.001", "T1059.001",
"T1218.005", "T1218.005",
"detection.emerging-threats", "detection.emerging-threats",
"T1059", "T1218",
"T1218" "T1059"
], ],
"title": "Potential Baby Shark Malware Activity" "title": "Potential Baby Shark Malware Activity"
}, },
@@ -4259,9 +4259,9 @@
"T1053.005", "T1053.005",
"T1059.001", "T1059.001",
"detection.emerging-threats", "detection.emerging-threats",
"T1053", "T1036",
"T1059", "T1059",
"T1036" "T1053"
], ],
"title": "Operation Wocao Activity - Security" "title": "Operation Wocao Activity - Security"
}, },
@@ -4292,9 +4292,9 @@
"T1053.005", "T1053.005",
"T1059.001", "T1059.001",
"detection.emerging-threats", "detection.emerging-threats",
"T1059",
"T1036", "T1036",
"T1053", "T1053"
"T1059"
], ],
"title": "Operation Wocao Activity" "title": "Operation Wocao Activity"
}, },
@@ -6856,8 +6856,8 @@
"TA0002", "TA0002",
"T1204.002", "T1204.002",
"T1553.005", "T1553.005",
"T1204", "T1553",
"T1553" "T1204"
], ],
"title": "Windows AppX Deployment Full Trust Package Installation" "title": "Windows AppX Deployment Full Trust Package Installation"
}, },
@@ -7443,8 +7443,8 @@
"T1218.010", "T1218.010",
"TA0002", "TA0002",
"TA0005", "TA0005",
"T1218", "T1204",
"T1204" "T1218"
], ],
"title": "New Lolbin Process by Office Applications" "title": "New Lolbin Process by Office Applications"
}, },
@@ -8023,8 +8023,8 @@
"T1564.004", "T1564.004",
"T1552.001", "T1552.001",
"T1105", "T1105",
"T1552", "T1564",
"T1564" "T1552"
], ],
"title": "Abusing Findstr for Defense Evasion" "title": "Abusing Findstr for Defense Evasion"
}, },
@@ -8153,6 +8153,25 @@
], ],
"title": "Netcat The Powershell Version - PowerShell Module" "title": "Netcat The Powershell Version - PowerShell Module"
}, },
{
"category": "ps_script",
"channel": [
"pwsh",
"pwsh"
],
"description": "Detects usage of the powerShell Set-Mailbox Cmdlet to set-up an SMTP forwarding rule.",
"event_ids": [
"4104"
],
"id": "516b2199-36c5-1a0d-13f4-87bcb22bc2bf",
"level": "medium",
"service": "",
"subcategory_guids": [],
"tags": [
"TA0010"
],
"title": "Suspicious PowerShell Mailbox SMTP Forward Rule"
},
{ {
"category": "process_creation", "category": "process_creation",
"channel": [ "channel": [
@@ -8714,8 +8733,8 @@
"T1218.010", "T1218.010",
"TA0002", "TA0002",
"TA0005", "TA0005",
"T1204", "T1218",
"T1218" "T1204"
], ],
"title": "Excel Proxy Executing Regsvr32 With Payload" "title": "Excel Proxy Executing Regsvr32 With Payload"
}, },
@@ -10263,8 +10282,8 @@
"TA0004", "TA0004",
"T1543.003", "T1543.003",
"T1569.002", "T1569.002",
"T1569", "T1543",
"T1543" "T1569"
], ],
"title": "ProcessHacker Privilege Elevation" "title": "ProcessHacker Privilege Elevation"
}, },
@@ -10517,8 +10536,8 @@
"TA0002", "TA0002",
"T1543.003", "T1543.003",
"T1569.002", "T1569.002",
"T1543", "T1569",
"T1569" "T1543"
], ],
"title": "Remote Access Tool Services Have Been Installed - System" "title": "Remote Access Tool Services Have Been Installed - System"
}, },
@@ -10667,9 +10686,9 @@
"T1021.002", "T1021.002",
"T1543.003", "T1543.003",
"T1569.002", "T1569.002",
"T1021", "T1543",
"T1569", "T1569",
"T1543" "T1021"
], ],
"title": "CobaltStrike Service Installations - System" "title": "CobaltStrike Service Installations - System"
}, },
@@ -11004,8 +11023,8 @@
"TA0002", "TA0002",
"T1021.002", "T1021.002",
"T1569.002", "T1569.002",
"T1569", "T1021",
"T1021" "T1569"
], ],
"title": "smbexec.py Service Installation" "title": "smbexec.py Service Installation"
}, },
@@ -11910,8 +11929,8 @@
"T1021.002", "T1021.002",
"T1543.003", "T1543.003",
"T1569.002", "T1569.002",
"T1543",
"T1021", "T1021",
"T1543",
"T1569" "T1569"
], ],
"title": "CobaltStrike Service Installations - Security" "title": "CobaltStrike Service Installations - Security"
@@ -14447,8 +14466,8 @@
"T1087.002", "T1087.002",
"T1069.002", "T1069.002",
"attack.s0039", "attack.s0039",
"T1069", "T1087",
"T1087" "T1069"
], ],
"title": "Reconnaissance Activity" "title": "Reconnaissance Activity"
}, },
@@ -14973,8 +14992,8 @@
"T1059.005", "T1059.005",
"T1059.006", "T1059.006",
"T1059.007", "T1059.007",
"T1059", "T1204",
"T1204" "T1059"
], ],
"title": "AppLocker Prevented Application or Script from Running" "title": "AppLocker Prevented Application or Script from Running"
}, },
@@ -16022,8 +16041,8 @@
"T1059.001", "T1059.001",
"TA0008", "TA0008",
"T1021.003", "T1021.003",
"T1059", "T1021",
"T1021" "T1059"
], ],
"title": "Suspicious Non PowerShell WSMAN COM Provider" "title": "Suspicious Non PowerShell WSMAN COM Provider"
}, },
@@ -16180,8 +16199,8 @@
"TA0005", "TA0005",
"T1059.001", "T1059.001",
"T1036.003", "T1036.003",
"T1059", "T1036",
"T1036" "T1059"
], ],
"title": "Renamed Powershell Under Powershell Channel" "title": "Renamed Powershell Under Powershell Channel"
}, },
@@ -18077,25 +18096,6 @@
], ],
"title": "Disable Powershell Command History" "title": "Disable Powershell Command History"
}, },
{
"category": "ps_script",
"channel": [
"pwsh",
"pwsh"
],
"description": "Detects usage of the powerShell Set-Mailbox Cmdlet to set-up an SMTP forwarding rule.",
"event_ids": [
"4104"
],
"id": "516b2199-36c5-1a0d-13f4-87bcb22bc2bf",
"level": "medium",
"service": "",
"subcategory_guids": [],
"tags": [
"TA0010"
],
"title": "Suspicious PowerShell Mailbox SMTP Forward Rule"
},
{ {
"category": "ps_script", "category": "ps_script",
"channel": [ "channel": [
@@ -18936,8 +18936,8 @@
"T1558.003", "T1558.003",
"TA0008", "TA0008",
"T1550.003", "T1550.003",
"T1550", "T1558",
"T1558" "T1550"
], ],
"title": "HackTool - Rubeus Execution - ScriptBlock" "title": "HackTool - Rubeus Execution - ScriptBlock"
}, },
@@ -19107,8 +19107,8 @@
"T1059.001", "T1059.001",
"TA0003", "TA0003",
"T1136.001", "T1136.001",
"T1059", "T1136",
"T1136" "T1059"
], ],
"title": "PowerShell Create Local User" "title": "PowerShell Create Local User"
}, },
@@ -20679,8 +20679,8 @@
"T1070.001", "T1070.001",
"T1562.002", "T1562.002",
"car.2016-04-002", "car.2016-04-002",
"T1562", "T1070",
"T1070" "T1562"
], ],
"title": "Suspicious Eventlog Clearing or Configuration Change Activity" "title": "Suspicious Eventlog Clearing or Configuration Change Activity"
}, },
@@ -21152,8 +21152,8 @@
"TA0005", "TA0005",
"T1218.005", "T1218.005",
"T1027.004", "T1027.004",
"T1218",
"T1027", "T1027",
"T1218",
"T1059" "T1059"
], ],
"title": "Csc.EXE Execution Form Potentially Suspicious Parent" "title": "Csc.EXE Execution Form Potentially Suspicious Parent"
@@ -22467,9 +22467,9 @@
"TA0011", "TA0011",
"T1071.004", "T1071.004",
"T1132.001", "T1132.001",
"T1132",
"T1048", "T1048",
"T1071", "T1071"
"T1132"
], ],
"title": "DNS Exfiltration and Tunneling Tools Execution" "title": "DNS Exfiltration and Tunneling Tools Execution"
}, },
@@ -22700,12 +22700,12 @@
"T1547.002", "T1547.002",
"T1557", "T1557",
"T1082", "T1082",
"T1505",
"T1564",
"T1547", "T1547",
"T1564",
"T1505",
"T1546", "T1546",
"T1574", "T1556",
"T1556" "T1574"
], ],
"title": "Potential Suspicious Activity Using SeCEdit" "title": "Potential Suspicious Activity Using SeCEdit"
}, },
@@ -22819,8 +22819,8 @@
"T1087.002", "T1087.002",
"T1482", "T1482",
"T1069.002", "T1069.002",
"T1087", "T1069",
"T1069" "T1087"
], ],
"title": "Renamed AdFind Execution" "title": "Renamed AdFind Execution"
}, },
@@ -23782,8 +23782,8 @@
"T1204.004", "T1204.004",
"TA0005", "TA0005",
"T1027.010", "T1027.010",
"T1027", "T1204",
"T1204" "T1027"
], ],
"title": "Suspicious Explorer Process with Whitespace Padding - ClickFix/FileFix" "title": "Suspicious Explorer Process with Whitespace Padding - ClickFix/FileFix"
}, },
@@ -25294,8 +25294,8 @@
"T1615", "T1615",
"T1569.002", "T1569.002",
"T1574.005", "T1574.005",
"T1574", "T1569",
"T1569" "T1574"
], ],
"title": "HackTool - SharpUp PrivEsc Tool Execution" "title": "HackTool - SharpUp PrivEsc Tool Execution"
}, },
@@ -26661,8 +26661,8 @@
"T1563.002", "T1563.002",
"T1021.001", "T1021.001",
"car.2013-07-002", "car.2013-07-002",
"T1563", "T1021",
"T1021" "T1563"
], ],
"title": "Suspicious RDP Redirect Using TSCON" "title": "Suspicious RDP Redirect Using TSCON"
}, },
@@ -28324,8 +28324,8 @@
"T1548.002", "T1548.002",
"T1546.001", "T1546.001",
"T1112", "T1112",
"T1546", "T1548",
"T1548" "T1546"
], ],
"title": "Registry Modification of MS-settings Protocol Handler" "title": "Registry Modification of MS-settings Protocol Handler"
}, },
@@ -29039,8 +29039,8 @@
"TA0008", "TA0008",
"T1059.001", "T1059.001",
"T1021.006", "T1021.006",
"T1021", "T1059",
"T1059" "T1021"
], ],
"title": "Remote PowerShell Session Host Process (WinRM)" "title": "Remote PowerShell Session Host Process (WinRM)"
}, },
@@ -30026,8 +30026,8 @@
"T1087.002", "T1087.002",
"T1069.002", "T1069.002",
"T1482", "T1482",
"T1087", "T1069",
"T1069" "T1087"
], ],
"title": "Suspicious Active Directory Database Snapshot Via ADExplorer" "title": "Suspicious Active Directory Database Snapshot Via ADExplorer"
}, },
@@ -30331,8 +30331,8 @@
"T1059.003", "T1059.003",
"TA0005", "TA0005",
"T1027.010", "T1027.010",
"T1027", "T1059",
"T1059" "T1027"
], ],
"title": "Suspicious Usage of For Loop with Recursive Directory Search in CMD" "title": "Suspicious Usage of For Loop with Recursive Directory Search in CMD"
}, },
@@ -32110,8 +32110,8 @@
"T1047", "T1047",
"T1204.002", "T1204.002",
"T1218.010", "T1218.010",
"T1204", "T1218",
"T1218" "T1204"
], ],
"title": "Suspicious Microsoft Office Child Process" "title": "Suspicious Microsoft Office Child Process"
}, },
@@ -32135,8 +32135,8 @@
"T1587.001", "T1587.001",
"TA0002", "TA0002",
"T1569.002", "T1569.002",
"T1569", "T1587",
"T1587" "T1569"
], ],
"title": "PUA - CsExec Execution" "title": "PUA - CsExec Execution"
}, },
@@ -32801,6 +32801,28 @@
], ],
"title": "Arbitrary File Download Via MSEDGE_PROXY.EXE" "title": "Arbitrary File Download Via MSEDGE_PROXY.EXE"
}, },
{
"category": "process_creation",
"channel": [
"sec"
],
"description": "Detects the usage of Reg.Exe to query system language settings.\nAttackers may discover the system language to determine the geographic location of victims, customize payloads for specific regions,\nor avoid targeting certain locales to evade detection.\n",
"event_ids": [
"4688"
],
"id": "3cc0755e-7a33-d5c1-d1cc-53a49707ca49",
"level": "medium",
"service": "",
"subcategory_guids": [
"0CCE922B-69AE-11D9-BED3-505054503030"
],
"tags": [
"TA0007",
"T1614.001",
"T1614"
],
"title": "System Language Discovery via Reg.Exe"
},
{ {
"category": "process_creation", "category": "process_creation",
"channel": [ "channel": [
@@ -35101,9 +35123,9 @@
"T1069.002", "T1069.002",
"TA0002", "TA0002",
"T1059.001", "T1059.001",
"T1059",
"T1087", "T1087",
"T1069" "T1069",
"T1059"
], ],
"title": "HackTool - Bloodhound/Sharphound Execution" "title": "HackTool - Bloodhound/Sharphound Execution"
}, },
@@ -36207,8 +36229,8 @@
"TA0005", "TA0005",
"T1059.001", "T1059.001",
"T1564.003", "T1564.003",
"T1564", "T1059",
"T1059" "T1564"
], ],
"title": "HackTool - Covenant PowerShell Launcher" "title": "HackTool - Covenant PowerShell Launcher"
}, },
@@ -36360,8 +36382,8 @@
"TA0005", "TA0005",
"T1548.002", "T1548.002",
"T1218.003", "T1218.003",
"T1548", "T1218",
"T1218" "T1548"
], ],
"title": "Bypass UAC via CMSTP" "title": "Bypass UAC via CMSTP"
}, },
@@ -36408,8 +36430,8 @@
"T1570", "T1570",
"TA0002", "TA0002",
"T1569.002", "T1569.002",
"T1021", "T1569",
"T1569" "T1021"
], ],
"title": "Rundll32 Execution Without Parameters" "title": "Rundll32 Execution Without Parameters"
}, },
@@ -36924,8 +36946,8 @@
"TA0002", "TA0002",
"T1059.001", "T1059.001",
"T1562.001", "T1562.001",
"T1059", "T1562",
"T1562" "T1059"
], ],
"title": "Obfuscated PowerShell OneLiner Execution" "title": "Obfuscated PowerShell OneLiner Execution"
}, },
@@ -37195,8 +37217,8 @@
"TA0004", "TA0004",
"T1543.003", "T1543.003",
"T1562.001", "T1562.001",
"T1543", "T1562",
"T1562" "T1543"
], ],
"title": "Devcon Execution Disabling VMware VMCI Device" "title": "Devcon Execution Disabling VMware VMCI Device"
}, },
@@ -37358,8 +37380,8 @@
"TA0005", "TA0005",
"T1036.004", "T1036.004",
"T1036.005", "T1036.005",
"T1053", "T1036",
"T1036" "T1053"
], ],
"title": "Scheduled Task Creation Masquerading as System Processes" "title": "Scheduled Task Creation Masquerading as System Processes"
}, },
@@ -38137,8 +38159,8 @@
"car.2013-08-001", "car.2013-08-001",
"T1053.005", "T1053.005",
"T1059.001", "T1059.001",
"T1059", "T1053",
"T1053" "T1059"
], ],
"title": "HackTool - Default PowerSploit/Empire Scheduled Task Creation" "title": "HackTool - Default PowerSploit/Empire Scheduled Task Creation"
}, },
@@ -38856,8 +38878,8 @@
"TA0005", "TA0005",
"T1562.001", "T1562.001",
"T1070.001", "T1070.001",
"T1562", "T1070",
"T1070" "T1562"
], ],
"title": "Suspicious Windows Trace ETW Session Tamper Via Logman.EXE" "title": "Suspicious Windows Trace ETW Session Tamper Via Logman.EXE"
}, },
@@ -39170,8 +39192,8 @@
"TA0004", "TA0004",
"T1036.003", "T1036.003",
"T1053.005", "T1053.005",
"T1036", "T1053",
"T1053" "T1036"
], ],
"title": "Renamed Schtasks Execution" "title": "Renamed Schtasks Execution"
}, },
@@ -39766,8 +39788,8 @@
"T1106", "T1106",
"T1059.003", "T1059.003",
"T1218.011", "T1218.011",
"T1059", "T1218",
"T1218" "T1059"
], ],
"title": "HackTool - RedMimicry Winnti Playbook Execution" "title": "HackTool - RedMimicry Winnti Playbook Execution"
}, },
@@ -39905,8 +39927,8 @@
"T1218.014", "T1218.014",
"T1036.002", "T1036.002",
"T1218", "T1218",
"T1036", "T1204",
"T1204" "T1036"
], ],
"title": "MMC Executing Files with Reversed Extensions Using RTLO Abuse" "title": "MMC Executing Files with Reversed Extensions Using RTLO Abuse"
}, },
@@ -41356,8 +41378,8 @@
"T1218.011", "T1218.011",
"TA0006", "TA0006",
"T1003.001", "T1003.001",
"T1218", "T1003",
"T1003" "T1218"
], ],
"title": "Process Access via TrolleyExpress Exclusion" "title": "Process Access via TrolleyExpress Exclusion"
}, },
@@ -42317,8 +42339,8 @@
"T1558.003", "T1558.003",
"TA0008", "TA0008",
"T1550.003", "T1550.003",
"T1558", "T1550",
"T1550" "T1558"
], ],
"title": "HackTool - Rubeus Execution" "title": "HackTool - Rubeus Execution"
}, },
@@ -42451,8 +42473,8 @@
"T1218.007", "T1218.007",
"TA0002", "TA0002",
"T1059.001", "T1059.001",
"T1059",
"T1027", "T1027",
"T1059",
"T1218" "T1218"
], ],
"title": "Obfuscated PowerShell MSI Install via WindowsInstaller COM" "title": "Obfuscated PowerShell MSI Install via WindowsInstaller COM"
@@ -42866,8 +42888,8 @@
"T1203", "T1203",
"T1059.003", "T1059.003",
"attack.g0032", "attack.g0032",
"T1566", "T1059",
"T1059" "T1566"
], ],
"title": "Suspicious HWP Sub Processes" "title": "Suspicious HWP Sub Processes"
}, },
@@ -43655,8 +43677,8 @@
"T1558.003", "T1558.003",
"TA0008", "TA0008",
"T1550.003", "T1550.003",
"T1550", "T1558",
"T1558" "T1550"
], ],
"title": "HackTool - KrbRelayUp Execution" "title": "HackTool - KrbRelayUp Execution"
}, },
@@ -43767,8 +43789,8 @@
"TA0003", "TA0003",
"T1053.005", "T1053.005",
"T1059.001", "T1059.001",
"T1053", "T1059",
"T1059" "T1053"
], ],
"title": "Scheduled Task Executing Encoded Payload from Registry" "title": "Scheduled Task Executing Encoded Payload from Registry"
}, },
@@ -43877,8 +43899,8 @@
"T1059.001", "T1059.001",
"T1059.003", "T1059.003",
"T1564.003", "T1564.003",
"T1059", "T1564",
"T1564" "T1059"
], ],
"title": "Powershell Executed From Headless ConHost Process" "title": "Powershell Executed From Headless ConHost Process"
}, },
@@ -44925,8 +44947,8 @@
"TA0003", "TA0003",
"T1053.005", "T1053.005",
"T1059.001", "T1059.001",
"T1053", "T1059",
"T1059" "T1053"
], ],
"title": "Suspicious Schtasks Execution AppData Folder" "title": "Suspicious Schtasks Execution AppData Folder"
}, },
@@ -45044,8 +45066,8 @@
"TA0004", "TA0004",
"T1548.002", "T1548.002",
"T1546.001", "T1546.001",
"T1548", "T1546",
"T1546" "T1548"
], ],
"title": "Shell Open Registry Keys Manipulation" "title": "Shell Open Registry Keys Manipulation"
}, },
@@ -46020,8 +46042,8 @@
"TA0003", "TA0003",
"T1547.001", "T1547.001",
"T1546.009", "T1546.009",
"T1546", "T1547",
"T1547" "T1546"
], ],
"title": "Session Manager Autorun Keys Modification" "title": "Session Manager Autorun Keys Modification"
}, },
@@ -47409,9 +47431,9 @@
"T1021.002", "T1021.002",
"T1543.003", "T1543.003",
"T1569.002", "T1569.002",
"T1021",
"T1543", "T1543",
"T1569", "T1569"
"T1021"
], ],
"title": "Potential CobaltStrike Service Installations - Registry" "title": "Potential CobaltStrike Service Installations - Registry"
}, },
@@ -48787,8 +48809,8 @@
"T1204.004", "T1204.004",
"TA0005", "TA0005",
"T1027.010", "T1027.010",
"T1204", "T1027",
"T1027" "T1204"
], ],
"title": "Suspicious Space Characters in RunMRU Registry Path - ClickFix" "title": "Suspicious Space Characters in RunMRU Registry Path - ClickFix"
}, },
@@ -49296,8 +49318,8 @@
"T1204.004", "T1204.004",
"TA0005", "TA0005",
"T1027.010", "T1027.010",
"T1027", "T1204",
"T1204" "T1027"
], ],
"title": "Suspicious Space Characters in TypedPaths Registry Path - FileFix" "title": "Suspicious Space Characters in TypedPaths Registry Path - FileFix"
}, },
@@ -50614,6 +50636,32 @@
], ],
"title": "Potential Data Exfiltration Over SMTP Via Send-MailMessage Cmdlet" "title": "Potential Data Exfiltration Over SMTP Via Send-MailMessage Cmdlet"
}, },
{
"category": "ps_script",
"channel": [
"pwsh",
"pwsh"
],
"description": "Detects inbox rule creation or update via ExchangePowerShell cmdlet, a technique commonly observed in Business Email Compromise (BEC) attacks to hide emails.\nThe usage of inbox rules can be a sign of a compromised mailbox, where an attacker is attempting to evade detections by suppressing or redirecting incoming emails.\nAnalysts should review these rules in context, validate whether they reflect normal user behavior, and correlate with other indicators such as unusual login activity or recent mailbox rule modifications.\n",
"event_ids": [
"4104"
],
"id": "e95a1630-e48b-41c3-b2ca-2bd6f33e1bce",
"level": "medium",
"service": "",
"subcategory_guids": [],
"tags": [
"TA0005",
"T1564.008",
"TA0010",
"TA0009",
"T1114.003",
"detection.threat-hunting",
"T1564",
"T1114"
],
"title": "Inbox Rules Creation Or Update Activity Via ExchangePowerShell Cmdlet"
},
{ {
"category": "ps_script", "category": "ps_script",
"channel": [ "channel": [
@@ -50726,6 +50774,33 @@
], ],
"title": "Powershell Token Obfuscation - Powershell" "title": "Powershell Token Obfuscation - Powershell"
}, },
{
"category": "ps_script",
"channel": [
"pwsh",
"pwsh"
],
"description": "Detects email forwarding or redirecting activity via ExchangePowerShell Cmdlet",
"event_ids": [
"4104"
],
"id": "cdb585a5-4a75-4c21-26d3-0bab43ffbde1",
"level": "medium",
"service": "",
"subcategory_guids": [],
"tags": [
"TA0009",
"T1114.003",
"TA0005",
"T1564.008",
"TA0010",
"T1020",
"detection.threat-hunting",
"T1564",
"T1114"
],
"title": "Mail Forwarding/Redirecting Activity Via ExchangePowerShell Cmdlet"
},
{ {
"category": "ps_script", "category": "ps_script",
"channel": [ "channel": [
@@ -51343,8 +51418,8 @@
"attack.s0039", "attack.s0039",
"detection.threat-hunting", "detection.threat-hunting",
"T1069", "T1069",
"T1021", "T1087",
"T1087" "T1021"
], ],
"title": "Net.EXE Execution" "title": "Net.EXE Execution"
}, },
@@ -52130,8 +52205,8 @@
"T1547.001", "T1547.001",
"detection.threat-hunting", "detection.threat-hunting",
"T1059", "T1059",
"T1547", "T1027",
"T1027" "T1547"
], ],
"title": "Registry Set With Crypto-Classes From The \"Cryptography\" PowerShell Namespace" "title": "Registry Set With Crypto-Classes From The \"Cryptography\" PowerShell Namespace"
}, },
@@ -53136,8 +53211,8 @@
"TA0008", "TA0008",
"T1563.002", "T1563.002",
"T1021.001", "T1021.001",
"T1021", "T1563",
"T1563" "T1021"
], ],
"title": "Possible RDP Hijacking" "title": "Possible RDP Hijacking"
}, },
@@ -54831,9 +54906,9 @@
"T1570", "T1570",
"T1021.002", "T1021.002",
"T1569.002", "T1569.002",
"T1021",
"T1136", "T1136",
"T1543", "T1543",
"T1021",
"T1569" "T1569"
], ],
"title": "PSExec Lateral Movement" "title": "PSExec Lateral Movement"