diff --git a/config/security_rules.json b/config/security_rules.json
index b0ce393f..9414f5d1 100644
--- a/config/security_rules.json
+++ b/config/security_rules.json
@@ -109,6 +109,7 @@
 "service": "codeintegrity-operational",
 "subcategory_guids": [],
 "tags": [
+ "TA0003",
 "TA0004",
 "T1543"
 ],
@@ -183,6 +184,7 @@
 "service": "codeintegrity-operational",
 "subcategory_guids": [],
 "tags": [
+ "TA0003",
 "TA0004",
 "T1543"
 ],
@@ -285,8 +287,8 @@
 "TA0005",
 "T1059.001",
 "T1036.003",
- "T1059",
- "T1036"
+ "T1036",
+ "T1059"
 ],
 "title": "Renamed Powershell Under Powershell Channel"
 },
@@ -342,8 +344,8 @@
 "T1059.001",
 "TA0008",
 "T1021.003",
- "T1059",
- "T1021"
+ "T1021",
+ "T1059"
 ],
 "title": "Suspicious Non PowerShell WSMAN COM Provider"
 },
@@ -843,6 +845,7 @@
 "service": "",
 "subcategory_guids": [],
 "tags": [
+ "TA0003",
 "TA0004",
 "T1546.003",
 "T1546"
@@ -1476,8 +1479,8 @@
 "T1552.001",
 "T1555",
 "T1555.003",
- "T1548",
- "T1552"
+ "T1552",
+ "T1548"
 ],
 "title": "HackTool - WinPwn Execution - ScriptBlock"
 },
@@ -1496,6 +1499,7 @@
 "service": "",
 "subcategory_guids": [],
 "tags": [
+ "TA0007",
 "TA0005",
 "T1497.001",
 "T1497"
@@ -1517,6 +1521,8 @@
 "service": "",
 "subcategory_guids": [],
 "tags": [
+ "TA0004",
+ "TA0002",
 "TA0003",
 "T1053.005",
 "T1053"
@@ -2182,13 +2188,14 @@
 "service": "",
 "subcategory_guids": [],
 "tags": [
+ "TA0005",
 "TA0006",
 "T1003",
 "T1558.003",
 "TA0008",
 "T1550.003",
- "T1558",
- "T1550"
+ "T1550",
+ "T1558"
 ],
 "title": "HackTool - Rubeus Execution - ScriptBlock"
 },
@@ -2333,6 +2340,7 @@
 "service": "",
 "subcategory_guids": [],
 "tags": [
+ "TA0004",
 "TA0003",
 "T1098"
 ],
@@ -2601,6 +2609,8 @@
 "service": "",
 "subcategory_guids": [],
 "tags": [
+ "TA0004",
+ "TA0005",
 "TA0003",
 "T1574.011",
 "stp.2a",
@@ -2627,8 +2637,8 @@
 "T1564.004",
 "TA0002",
 "T1059.001",
- "T1564",
- "T1059"
+ "T1059",
+ "T1564"
 ],
 "title": "NTFS Alternate Data Stream"
 },
@@ -2834,6 +2844,7 @@
 "service": "",
 "subcategory_guids": [],
 "tags": [
+ "TA0006",
 "TA0009",
 "T1056.001",
 "T1056"
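Review bot: The parent-technique tags at the tail of each `tags` list change order without any change in content — hunk -285 swaps `T1059`/`T1036`, -342 swaps `T1059`/`T1021`, and -1476, -2182 and -2627 do the same, a pattern that recurs throughout the rest of the file. That looks like the generator appending parent techniques from an unordered set, so every regeneration produces churn that buries the real edits (the added `TA00xx` tactic tags) in this review. Tactic tags are also placed inconsistently — usually first, but after technique ids in lists such as -4682 and -13989 — which points to the same cause. If the list is produced by code, emit it canonically (tactics first, then techniques, each sorted) so a regenerated file diffs cleanly; the consumer is presumably order-insensitive since nothing here relies on position.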
@@ -3050,6 +3061,8 @@ "service": "", "subcategory_guids": [], "tags": [ + "TA0004", + "TA0005", "TA0003", "T1574.012", "T1574" @@ -3092,6 +3105,8 @@ "service": "", "subcategory_guids": [], "tags": [ + "TA0003", + "TA0005", "TA0006", "T1556.002", "T1556" @@ -3792,6 +3807,7 @@ "service": "", "subcategory_guids": [], "tags": [ + "TA0004", "TA0003", "T1547.004", "T1547" @@ -4157,6 +4173,9 @@ "service": "", "subcategory_guids": [], "tags": [ + "TA0004", + "TA0003", + "TA0005", "TA0001", "T1078" ], @@ -4682,6 +4701,7 @@ "tags": [ "TA0006", "TA0005", + "TA0003", "TA0007", "attack.s0075", "T1012", @@ -4712,6 +4732,10 @@ ], "tags": [ "TA0008", + "TA0005", + "TA0001", + "TA0003", + "TA0004", "T1078" ], "title": "Interactive Logon to Server Systems" @@ -4761,6 +4785,7 @@ ], "tags": [ "TA0008", + "TA0005", "T1550.002", "car.2016-04-004", "T1550" @@ -4854,6 +4879,8 @@ "service": "security-mitigations", "subcategory_guids": [], "tags": [ + "TA0004", + "TA0003", "TA0005", "T1574.001", "T1574" @@ -4875,6 +4902,8 @@ "service": "security-mitigations", "subcategory_guids": [], "tags": [ + "TA0004", + "TA0003", "TA0005", "T1574.001", "T1574" @@ -4954,8 +4983,8 @@ "T1552.001", "T1555", "T1555.003", - "T1552", - "T1548" + "T1548", + "T1552" ], "title": "HackTool - WinPwn Execution" }, @@ -4975,6 +5004,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ + "TA0003", + "TA0005", "TA0004", "TA0007", "TA0002", @@ -5220,6 +5251,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ + "TA0004", "TA0002", "TA0005", "T1218.002", @@ -5520,8 +5552,8 @@ "T1218.007", "TA0002", "T1059.001", - "T1218", "T1059", + "T1218", "T1027" ], "title": "Obfuscated PowerShell MSI Install via WindowsInstaller COM" @@ -5630,6 +5662,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ + "TA0004", "T1037.001", "TA0003", "T1037" @@ -5696,6 +5729,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ + "TA0004", + "TA0003", "TA0002", "T1053.005", "T1053" 
@@ -5916,6 +5951,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ + "TA0005", "TA0004", "T1548" ], @@ -6164,8 +6200,8 @@ "TA0002", "T1059.007", "cve.2020-1599", - "T1059", - "T1218" + "T1218", + "T1059" ], "title": "MSHTA Execution with Suspicious File Extensions" }, @@ -6697,6 +6733,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ + "TA0004", + "TA0002", "TA0003", "T1053.005", "TA0005", @@ -6813,6 +6851,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ + "TA0004", "TA0002", "TA0003", "T1053.005", @@ -7206,6 +7245,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ + "TA0003", "TA0005", "T1562.002", "T1112", @@ -7303,8 +7343,8 @@ "T1482", "T1069.002", "stp.1u", - "T1069", - "T1087" + "T1087", + "T1069" ], "title": "PUA - AdFind Suspicious Execution" }, @@ -7389,6 +7429,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ + "TA0005", "TA0004", "T1548.002", "T1548" @@ -7435,6 +7476,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ + "TA0004", + "TA0003", "TA0005", "T1574.001", "T1112", @@ -7458,12 +7501,13 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ + "TA0004", "TA0002", "TA0003", "T1053.005", "T1059.001", - "T1059", - "T1053" + "T1053", + "T1059" ], "title": "Scheduled Task Executing Encoded Payload from Registry" }, @@ -7826,13 +7870,15 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ + "TA0004", + "TA0002", "TA0003", "T1053.005", "TA0005", "T1036.004", "T1036.005", - "T1053", - "T1036" + "T1036", + "T1053" ], "title": "Scheduled Task Creation Masquerading as System Processes" }, @@ -7894,6 +7940,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ + "TA0003", "TA0001", "T1133" ], @@ -8365,6 +8412,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ + "TA0003", "TA0002", "TA0005", "TA0004", @@ -8411,6 +8459,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ + "TA0004", "TA0003", "T1543.003", "T1543" 
@@ -8525,6 +8574,7 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
+ "TA0004",
 "TA0002",
 "TA0003",
 "T1053.005",
@@ -8658,6 +8708,7 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
+ "TA0005",
 "TA0004",
 "T1548.002",
 "T1548"
@@ -9006,6 +9057,7 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
+ "TA0005",
 "TA0011",
 "T1105",
 "T1564.003",
@@ -9267,6 +9319,7 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
+ "TA0004",
 "TA0005",
 "T1548.002",
 "T1548"
@@ -9384,8 +9437,8 @@
 "T1564.004",
 "T1552.001",
 "T1105",
- "T1564",
- "T1552"
+ "T1552",
+ "T1564"
 ],
 "title": "Remote File Download Via Findstr.EXE"
 },
@@ -9427,6 +9480,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
+ "TA0004",
+ "TA0003",
 "TA0002",
 "T1047",
 "T1053",
@@ -9453,6 +9508,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
+ "TA0004",
+ "TA0003",
 "TA0005",
 "T1574.001",
 "T1574"
@@ -9773,6 +9830,7 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
+ "TA0004",
 "TA0003",
 "T1547"
 ],
@@ -9904,6 +9962,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
+ "TA0004",
+ "TA0005",
 "TA0003",
 "T1574.011",
 "T1574"
@@ -9994,8 +10054,8 @@
 "T1087.002",
 "T1069.002",
 "T1482",
- "T1069",
- "T1087"
+ "T1087",
+ "T1069"
 ],
 "title": "Suspicious Active Directory Database Snapshot Via ADExplorer"
 },
@@ -10167,6 +10227,7 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
+ "TA0003",
 "TA0001",
 "T1133"
 ],
@@ -10177,7 +10238,7 @@
 "channel": [
 "sec"
 ],
- "description": "Detects the use of Windows Credential Editor (WCE)",
+ "description": "Detects the use of Windows Credential Editor (WCE), a popular post-exploitation tool used to extract plaintext passwords, hash, PIN code and Kerberos tickets from memory.\nIt is often used by threat actors for credential dumping and lateral movement within compromised networks.\n",
 "event_ids": [
 "4688"
 ],
@@ -10340,6 +10401,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
+ "TA0004",
+ "TA0003",
 "TA0002",
 "T1053.005",
 "T1053"
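Review bot: The new WCE description at -10177 reads `plaintext passwords, hash, PIN code and Kerberos tickets`; `hash` and `PIN code` should be plural to match the rest of the list, `plaintext passwords, hashes, PIN codes and Kerberos tickets`. The string also now ends in a literal `\n`, whereas the value it replaces and at least one description added later in this same commit (the rule at -27495) do not; the trailing newline carries no meaning inside a JSON string, so stripping it at generation time would keep the field consistent across rules. Only the description line changes in this hunk; the enclosing rule object continues outside it.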
@@ -10450,6 +10513,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ + "TA0005", "TA0004", "T1548.002", "T1548" @@ -10734,8 +10798,8 @@ "TA0005", "T1548.002", "T1218.003", - "T1218", - "T1548" + "T1548", + "T1218" ], "title": "Bypass UAC via CMSTP" }, @@ -10860,6 +10924,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ + "TA0003", "TA0005", "T1112" ], @@ -10952,8 +11017,8 @@ "T1218.010", "TA0002", "TA0005", - "T1204", - "T1218" + "T1218", + "T1204" ], "title": "Suspicious WMIC Execution Via Office Process" }, @@ -11025,6 +11090,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ + "TA0004", "TA0003", "T1547" ], @@ -11114,6 +11180,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ + "TA0004", "TA0005", "TA0003", "TA0002", @@ -11143,9 +11210,9 @@ "TA0011", "T1071.004", "T1132.001", - "T1132", + "T1071", "T1048", - "T1071" + "T1132" ], "title": "DNS Exfiltration and Tunneling Tools Execution" }, @@ -11165,6 +11232,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ + "TA0004", + "TA0003", "TA0005", "T1574.001", "T1574" @@ -11342,6 +11411,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ + "TA0003", "TA0005", "T1112", "T1562.001", @@ -11688,8 +11758,8 @@ "T1047", "T1204.002", "T1218.010", - "T1218", - "T1204" + "T1204", + "T1218" ], "title": "Suspicious WmiPrvSE Child Process" }, @@ -11757,8 +11827,8 @@ "TA0002", "T1059.001", "T1562.001", - "T1562", - "T1059" + "T1059", + "T1562" ], "title": "Obfuscated PowerShell OneLiner Execution" }, @@ -11864,6 +11934,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ + "TA0004", "TA0003", "T1546.003", "T1546" @@ -11973,6 +12044,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ + "TA0003", "TA0001", "T1133" ], @@ -12708,6 +12780,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ + "TA0003", + "TA0005", "TA0006", "T1556.002", "T1556" @@ -12905,6 +12979,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ + "TA0004", + "TA0005", "TA0003", "T1548.002", "T1548" 
@@ -12927,6 +13003,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ + "TA0008", "TA0002", "T1072", "TA0005", @@ -13211,6 +13288,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ + "TA0004", "TA0003", "T1098" ], @@ -13349,6 +13427,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ + "TA0004", "TA0002", "TA0003", "T1547.001", @@ -13578,8 +13657,8 @@ "T1587.001", "TA0002", "T1569.002", - "T1569", - "T1587" + "T1587", + "T1569" ], "title": "PUA - CsExec Execution" }, @@ -13901,6 +13980,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ + "TA0011", "TA0003", "TA0005", "T1219" @@ -13923,6 +14003,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ + "TA0004", + "TA0003", "TA0002", "T1053.005", "T1053" @@ -13989,6 +14071,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ + "TA0003", "T1112", "TA0005" ], @@ -14141,6 +14224,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ + "TA0004", "TA0003", "T1547.001", "T1547" @@ -14384,6 +14468,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ + "TA0003", "T1112", "TA0005" ], @@ -14469,6 +14554,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ + "TA0009", "TA0006", "T1557.001", "T1557" @@ -14624,6 +14710,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ + "TA0009", "TA0006", "TA0003", "TA0004", @@ -14715,6 +14802,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ + "TA0005", "TA0004", "T1548" ], @@ -14778,6 +14866,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ + "TA0004", "TA0003", "TA0002", "T1053.005", @@ -15437,6 +15526,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ + "TA0004", + "TA0003", "TA0002", "T1053.005", "T1053" @@ -15692,6 +15783,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ + "TA0003", "TA0005", "T1112" ], @@ -15997,6 +16089,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ + "TA0004", "TA0005", "T1548.002", "T1548" 
@@ -16296,6 +16389,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ + "TA0004", "TA0005", "T1055.001", "T1055" @@ -16559,6 +16653,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ + "TA0009", "TA0002", "TA0006", "T1557.001", @@ -16691,6 +16786,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ + "TA0005", "TA0004", "T1548.002", "T1548" @@ -17462,6 +17558,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ + "TA0004", + "TA0003", "TA0005", "T1574.001", "T1574" @@ -17527,6 +17625,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ + "TA0004", "TA0003", "T1098" ], @@ -17636,6 +17735,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ + "TA0003", "T1112", "TA0005" ], @@ -17788,6 +17888,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ + "TA0004", "TA0005", "T1055" ], @@ -18108,6 +18209,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ + "TA0004", + "TA0005", "TA0003", "T1543.003", "T1574.011", @@ -18348,6 +18451,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ + "TA0003", "TA0005", "T1197" ], @@ -18568,6 +18672,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ + "TA0003", "T1546.008", "TA0004", "T1546" @@ -18590,6 +18695,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ + "TA0005", "TA0006", "TA0009", "T1185", @@ -19016,6 +19122,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ + "TA0004", "TA0003", "T1543.003", "T1543" @@ -19388,6 +19495,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ + "TA0003", "TA0005", "TA0008", "T1021.001", @@ -19412,6 +19520,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ + "TA0004", "TA0003", "T1546.003", "T1546" @@ -19629,6 +19738,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ + "TA0004", "TA0002", "TA0003", "T1047", @@ -19724,8 +19834,8 @@ "TA0008", "T1021.002", "T1218.011", - "T1218", - "T1021" + "T1021", + "T1218" ], "title": "Rundll32 UNC Path Execution" }, 
@@ -19790,6 +19900,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ + "TA0004", "TA0007", "TA0003", "T1543.003", @@ -19835,6 +19946,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ + "TA0004", + "TA0002", "TA0003", "T1053" ], @@ -20160,6 +20273,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ + "TA0003", "TA0002", "TA0005", "TA0007", @@ -20207,6 +20321,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ + "TA0003", + "TA0005", "TA0004", "T1574.011", "T1574" @@ -20468,6 +20584,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ + "TA0004", "TA0005", "T1055.001", "T1055" @@ -20628,6 +20745,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ + "TA0004", "TA0005", "T1055.012", "T1055" @@ -20741,9 +20859,9 @@ "TA0005", "T1218.014", "T1036.002", - "T1218", "T1036", - "T1204" + "T1204", + "T1218" ], "title": "MMC Executing Files with Reversed Extensions Using RTLO Abuse" }, @@ -20872,8 +20990,8 @@ "TA0005", "T1219.002", "T1036.003", - "T1219", - "T1036" + "T1036", + "T1219" ], "title": "Remote Access Tool - Renamed MeshAgent Execution - Windows" }, @@ -21256,6 +21374,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ + "TA0009", "TA0007", "TA0003", "TA0005", @@ -21276,11 +21395,11 @@ "T1557", "T1082", "T1556", + "T1574", "T1505", - "T1547", "T1564", "T1546", - "T1574" + "T1547" ], "title": "Potential Suspicious Activity Using SeCEdit" }, @@ -21413,6 +21532,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ + "TA0003", "TA0005", "T1112" ], @@ -21434,6 +21554,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ + "TA0004", "TA0003", "T1547.001", "T1547" @@ -21566,6 +21687,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ + "TA0004", "TA0005", "T1055" ], @@ -22105,8 +22227,8 @@ "TA0008", "T1059.001", "T1021.006", - "T1021", - "T1059" + "T1059", + "T1021" ], "title": "Remote PowerShell Session Host Process (WinRM)" }, 
@@ -22403,9 +22525,9 @@ "TA0005", "T1218.005", "T1027.004", - "T1218", + "T1059", "T1027", - "T1059" + "T1218" ], "title": "Csc.EXE Execution Form Potentially Suspicious Parent" }, @@ -22446,6 +22568,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ + "TA0004", "TA0003", "T1543.003", "T1543" @@ -22777,6 +22900,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ + "TA0004", "TA0003", "T1546.001", "T1546" @@ -22820,6 +22944,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ + "TA0004", "TA0005", "T1055" ], @@ -23073,6 +23198,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ + "TA0009", "TA0002", "TA0006", "T1557.001", @@ -23117,6 +23243,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ + "TA0004", + "TA0003", "TA0005", "T1574.001", "T1574" @@ -23356,6 +23484,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ + "TA0003", + "TA0002", "TA0004", "T1053.002", "T1053" @@ -23378,6 +23508,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ + "TA0003", "T1112", "TA0005" ], @@ -23682,6 +23813,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ + "TA0004", "TA0002", "TA0003", "T1053.005", @@ -23837,6 +23969,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ + "TA0005", "TA0006", "T1558.003", "TA0008", @@ -23930,6 +24063,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ + "TA0004", + "TA0003", "TA0002", "T1053.005", "T1053" @@ -24016,6 +24151,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ + "TA0004", "TA0002", "TA0003", "T1053.005", @@ -24370,13 +24506,14 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ + "TA0001", "TA0003", "TA0008", "T1133", "T1136.001", "T1021.001", - "T1136", - "T1021" + "T1021", + "T1136" ], "title": "User Added to Remote Desktop Users Group" }, @@ -24442,6 +24579,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ + "TA0003", "T1112", "TA0005" ], @@ -24895,6 +25033,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ + "TA0004", + "TA0003", "TA0002", "T1053.005", "T1053" 
@@ -25375,6 +25515,7 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
+ "TA0007",
 "TA0006",
 "T1040"
 ],
@@ -25438,6 +25579,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
+ "TA0004",
+ "TA0003",
 "TA0005",
 "T1574.001",
 "T1574"
@@ -25658,6 +25801,7 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
+ "TA0003",
 "TA0005",
 "T1112"
 ],
@@ -25901,6 +26045,7 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
+ "TA0003",
 "TA0005",
 "TA0040",
 "T1112",
@@ -26282,6 +26427,7 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
+ "TA0004",
 "TA0005",
 "T1055"
 ],
@@ -26323,6 +26469,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
+ "TA0004",
+ "TA0002",
 "TA0003",
 "T1053.005",
 "T1053"
@@ -26374,6 +26522,27 @@
 ],
 "title": "Remote Access Tool - ScreenConnect Server Web Shell Execution"
 },
+ {
+ "category": "process_creation",
+ "channel": [
+ "sec"
+ ],
+ "description": "Detects installation of Kali Linux distribution through Windows Subsystem for Linux (WSL).\nAttackers may use Kali Linux WSL to leverage its penetration testing tools and capabilities for malicious purposes.\n",
+ "event_ids": [
+ "4688"
+ ],
+ "id": "3de98820-2d36-1706-4ba6-1dcac6f0a2db",
+ "level": "high",
+ "service": "",
+ "subcategory_guids": [
+ "0CCE922B-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0002",
+ "T1059"
+ ],
+ "title": "Installation of WSL Kali-Linux"
+ },
 {
 "category": "process_creation",
 "channel": [
@@ -26524,6 +26693,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
+ "TA0004",
+ "TA0003",
 "TA0005",
 "T1574",
 "TA0002"
@@ -26589,6 +26760,7 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
+ "TA0004",
 "TA0007",
 "TA0003",
 "T1543.003",
@@ -26678,6 +26850,7 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
+ "TA0005",
 "TA0011",
 "T1105",
 "T1564.003",
@@ -26856,8 +27029,8 @@
 "T1070.001",
 "T1562.002",
 "car.2016-04-002",
- "T1070",
- "T1562"
+ "T1562",
+ "T1070"
 ],
 "title": "Suspicious Eventlog Clearing or Configuration Change Activity"
 },
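Review bot: The new rule at -26374 (`Installation of WSL Kali-Linux`) is rated `"level": "high"` although installing a WSL distribution is routine on developer and security-team workstations, so as written it is likely to alert on benign activity; `"level": "medium"` seems more proportionate unless the deployment scopes it to hosts where WSL is not expected. The description reads `Detects installation of Kali Linux distribution`; `Detects installation of the Kali Linux distribution` is grammatical. The companion rule added at -27495 tags the same tooling under `TA0005`/`T1202` while this one uses `TA0002`/`T1059`; if both fire on the same process-creation events the two should agree on the technique, or the difference should be explained in their descriptions.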
@@ -27377,6 +27550,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
+ "TA0004",
+ "TA0003",
 "TA0002",
 "T1053.005",
 "T1053"
@@ -27399,13 +27574,14 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
+ "TA0005",
 "TA0006",
 "T1003",
 "T1558.003",
 "TA0008",
 "T1550.003",
- "T1558",
- "T1550"
+ "T1550",
+ "T1558"
 ],
 "title": "HackTool - Rubeus Execution"
 },
@@ -27495,6 +27671,27 @@
 ],
 "title": "Suspicious ZipExec Execution"
 },
+ {
+ "category": "process_creation",
+ "channel": [
+ "sec"
+ ],
+ "description": "Detects the use of Kali Linux through Windows Subsystem for Linux",
+ "event_ids": [
+ "4688"
+ ],
+ "id": "d63e46b7-e8e4-0adf-ae74-e7e8d30f7d79",
+ "level": "high",
+ "service": "",
+ "subcategory_guids": [
+ "0CCE922B-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0005",
+ "T1202"
+ ],
+ "title": "WSL Kali-Linux Usage"
+ },
 {
 "category": "process_creation",
 "channel": [
@@ -27511,6 +27708,7 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
+ "TA0003",
 "TA0004",
 "T1546.002",
 "T1546"
@@ -27817,6 +28015,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
+ "TA0004",
+ "TA0002",
 "TA0005",
 "TA0003",
 "T1036.005",
@@ -27863,6 +28063,7 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
+ "TA0004",
 "TA0005",
 "T1134.004",
 "T1134"
@@ -28016,6 +28217,7 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
+ "TA0003",
 "TA0005",
 "T1112"
 ],
@@ -28061,6 +28263,7 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
+ "TA0003",
 "TA0005",
 "T1112"
 ],
@@ -28108,6 +28311,7 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
+ "TA0004",
 "TA0003",
 "T1037.001",
 "T1037"
@@ -28216,6 +28420,7 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
+ "TA0005",
 "TA0004",
 "T1134.001",
 "T1134.002",
@@ -28461,6 +28666,7 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
+ "TA0004",
 "TA0003",
 "T1546.001",
 "T1546"
@@ -28483,6 +28689,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
+ "TA0004",
+ "TA0003",
 "TA0005",
 "T1574"
 ],
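Review bot: The rule added at -27495 (`WSL Kali-Linux Usage`) carries a one-clause description with no rationale, while its sibling added at -26374 in this same commit explains what the activity means and why it is flagged; the two entries should follow the same pattern. Something like `"description": "Detects the use of Kali Linux through Windows Subsystem for Linux (WSL).\nThe distribution bundles offensive tooling and is rarely expected on standard user workstations; confirm the invoking account and host role before escalating.\n"` would bring it in line. The same `"level": "high"` concern as the installation rule applies here, since WSL usage is expected on some workstations and the severity should reflect the fleet the rule is deployed to.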
@@ -29113,6 +29321,8 @@ "service": "application", "subcategory_guids": [], "tags": [ + "TA0008", + "TA0002", "TA0005", "T1072" ], @@ -29984,6 +30194,7 @@ "0CCE9226-69AE-11D9-BED3-505054503030" ], "tags": [ + "TA0005", "TA0006", "T1558", "TA0008", @@ -30072,6 +30283,7 @@ "0CCE9226-69AE-11D9-BED3-505054503030" ], "tags": [ + "TA0004", "T1055", "T1218", "TA0002", @@ -30095,6 +30307,7 @@ "0CCE9226-69AE-11D9-BED3-505054503030" ], "tags": [ + "TA0004", "TA0011", "TA0002", "TA0005", @@ -30137,6 +30350,8 @@ "service": "taskscheduler", "subcategory_guids": [], "tags": [ + "TA0004", + "TA0002", "TA0003", "T1053.005", "T1053" @@ -30157,6 +30372,8 @@ "service": "taskscheduler", "subcategory_guids": [], "tags": [ + "TA0004", + "TA0002", "TA0003", "T1053.005", "T1053" @@ -30373,6 +30590,7 @@ "subcategory_guids": [], "tags": [ "TA0010", + "TA0009", "T1560", "detection.threat-hunting" ], @@ -30642,11 +30860,12 @@ ], "tags": [ "TA0005", + "TA0002", "T1059.001", "T1027.010", "detection.threat-hunting", - "T1059", - "T1027" + "T1027", + "T1059" ], "title": "Invocation Of Crypto-Classes From The \"Cryptography\" PowerShell Namespace" }, @@ -30799,6 +31018,8 @@ ], "tags": [ "TA0002", + "TA0003", + "TA0004", "T1053.005", "detection.threat-hunting", "T1053" @@ -31024,6 +31245,7 @@ ], "tags": [ "TA0010", + "TA0011", "T1567", "T1105", "detection.threat-hunting" @@ -31175,8 +31397,8 @@ "T1021.002", "attack.s0039", "detection.threat-hunting", - "T1087", "T1069", + "T1087", "T1021" ], "title": "Net.EXE Execution" @@ -31404,6 +31626,7 @@ ], "tags": [ "TA0002", + "TA0011", "TA0008", "T1105", "detection.threat-hunting" @@ -31538,6 +31761,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ + "TA0005", "T1562.004", "detection.threat-hunting", "T1562" @@ -31879,6 +32103,7 @@ ], "tags": [ "TA0005", + "TA0003", "T1112", "detection.threat-hunting" ], @@ -31901,6 +32126,7 @@ ], "tags": [ "TA0005", + "TA0003", "T1112", "detection.threat-hunting" ], 
@@ -31923,13 +32149,16 @@ ], "tags": [ "TA0005", + "TA0002", + "TA0003", + "TA0004", "T1059.001", "T1027.010", "T1547.001", "detection.threat-hunting", - "T1059", + "T1547", "T1027", - "T1547" + "T1059" ], "title": "Registry Set With Crypto-Classes From The \"Cryptography\" PowerShell Namespace" }, @@ -31973,6 +32202,7 @@ "tags": [ "TA0002", "TA0004", + "TA0003", "car.2013-08-001", "T1053.005", "detection.threat-hunting", @@ -32135,6 +32365,7 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ + "TA0005", "TA0003", "TA0002", "T1112" @@ -32179,6 +32410,7 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ + "TA0004", "TA0003", "T1547.001", "T1547" @@ -32201,6 +32433,7 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ + "TA0004", "TA0003", "T1546.009", "T1546" @@ -32268,6 +32501,7 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ + "TA0004", "TA0003", "T1547" ], @@ -32311,6 +32545,7 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ + "TA0003", "TA0005", "T1112" ], @@ -32332,6 +32567,7 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ + "TA0004", "TA0003", "T1547.001", "T1547" @@ -32420,6 +32656,7 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ + "TA0004", "TA0003", "T1547.005", "T1547" @@ -32442,12 +32679,13 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ + "TA0003", "TA0005", "TA0004", "T1548.002", "T1546.001", - "T1546", - "T1548" + "T1548", + "T1546" ], "title": "Shell Open Registry Keys Manipulation" }, @@ -32467,6 +32705,7 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ + "TA0003", "TA0005", "T1112" ], @@ -32488,6 +32727,7 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ + "TA0003", "TA0005", "T1112" ], @@ -32509,6 +32749,7 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ + "TA0003", "TA0005", "T1562.001", "T1112", @@ -32532,6 +32773,7 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ + "TA0003", "TA0005", "T1562.002", "T1112", 
@@ -32667,6 +32909,7 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ + "TA0004", "TA0003", "T1547" ], @@ -32688,6 +32931,7 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ + "TA0004", "TA0002", "TA0003", "T1547.008", @@ -32711,6 +32955,7 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ + "TA0004", "TA0003", "T1546.010", "T1546" @@ -32755,6 +33000,7 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ + "TA0004", "TA0005", "T1218", "TA0003", @@ -32801,6 +33047,7 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ + "TA0003", "TA0005", "T1112" ], @@ -33104,6 +33351,7 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ + "TA0004", "TA0003", "T1547.001", "T1547" @@ -33170,6 +33418,7 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ + "TA0004", "TA0003", "T1547.001", "T1547" @@ -33237,6 +33486,7 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ + "TA0004", "TA0003", "T1546.011", "T1546" @@ -33279,6 +33529,7 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ + "TA0004", "TA0003", "T1546.015", "T1546" @@ -33388,6 +33639,7 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ + "TA0003", "TA0005", "T1112" ], @@ -33429,6 +33681,7 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ + "TA0003", "TA0005", "T1112", "T1562" @@ -33493,6 +33746,8 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ + "TA0004", + "TA0002", "TA0003", "T1053.005", "T1053" @@ -33515,6 +33770,7 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ + "TA0004", "TA0003", "T1546.015", "T1546" @@ -33537,6 +33793,7 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ + "TA0003", "TA0005", "T1112", "T1562" @@ -33559,6 +33816,7 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ + "TA0004", "TA0003", "T1547.001", "T1547" @@ -33602,6 +33860,7 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ + "TA0004", "TA0003", "T1547.001", "T1547" @@ -33624,6 +33883,7 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ + "TA0004", "TA0003", "TA0011", "T1137", 
@@ -33648,6 +33908,8 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ + "TA0005", + "TA0006", "TA0003", "T1556" ], @@ -33712,6 +33974,7 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ + "TA0004", "TA0003", "T1547.001", "T1547" @@ -33755,6 +34018,7 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ + "TA0004", "TA0003", "T1547.001", "T1547" @@ -33799,6 +34063,7 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ + "TA0003", "TA0005", "T1112" ], @@ -33820,6 +34085,7 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ + "TA0004", "TA0003", "T1546.011", "T1546" @@ -33974,6 +34240,7 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ + "TA0004", "TA0003", "T1546.015", "T1546" @@ -33996,6 +34263,7 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ + "TA0003", "TA0005", "T1112" ], @@ -34017,6 +34285,8 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ + "TA0004", + "TA0005", "TA0003", "T1574" ], @@ -34038,6 +34308,7 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ + "TA0003", "TA0005", "T1112" ], @@ -34059,6 +34330,7 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ + "TA0004", "TA0003", "T1546.015", "T1546" @@ -34144,6 +34416,7 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ + "TA0004", "TA0003", "T1547.001", "T1547" @@ -34210,6 +34483,7 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ + "TA0003", "TA0005", "T1112" ], @@ -34359,6 +34633,7 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ + "TA0003", "TA0005", "T1112", "T1562" @@ -34403,6 +34678,7 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ + "TA0004", "TA0003", "T1547.001", "T1547" @@ -34425,6 +34701,7 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ + "TA0004", "TA0003", "T1547.001", "T1547" @@ -34641,6 +34918,7 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ + "TA0003", "TA0005", "T1112" ], @@ -34704,6 +34982,7 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ + "TA0003", "TA0005", "T1112" ], 
@@ -34749,6 +35028,8 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ + "TA0004", + "TA0002", "TA0003", "T1053", "T1053.005" @@ -34771,6 +35052,7 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ + "TA0003", "TA0005", "T1112" ], @@ -34792,6 +35074,7 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ + "TA0004", "TA0003", "T1547.010", "T1547" @@ -34814,6 +35097,7 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ + "TA0004", "TA0003", "T1547.004", "T1547" @@ -34858,6 +35142,7 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ + "TA0003", "TA0005", "TA0040", "T1112", @@ -34882,6 +35167,7 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ + "TA0004", "TA0003", "T1547.001", "T1547" @@ -34904,6 +35190,7 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ + "TA0003", "TA0005", "T1112" ], @@ -34946,6 +35233,7 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ + "TA0003", "TA0005", "T1112" ], @@ -34967,6 +35255,7 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ + "TA0004", "TA0003", "T1546.007", "T1546" @@ -35011,6 +35300,7 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ + "TA0004", "TA0003", "TA0011", "T1137", @@ -35035,6 +35325,7 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ + "TA0003", "TA0005", "T1112" ], @@ -35121,6 +35412,7 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ + "TA0003", "TA0005", "T1564", "T1112" @@ -35143,6 +35435,7 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ + "TA0004", "TA0003", "T1546.015", "T1546" @@ -35228,6 +35521,7 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ + "TA0003", "TA0005", "T1112" ], @@ -35271,6 +35565,7 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ + "TA0003", "TA0005", "T1112" ], @@ -35292,6 +35587,8 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ + "TA0004", + "TA0003", "TA0005", "T1547.001", "T1112", @@ -35315,6 +35612,7 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ + "TA0003", "TA0005", "T1112" ], 
@@ -35399,6 +35697,8 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ + "TA0004", + "TA0003", "TA0005", "T1574.001", "T1112", @@ -35422,6 +35722,7 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ + "TA0003", "TA0005", "T1112" ], @@ -35443,6 +35744,7 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ + "TA0004", "TA0003", "T1547.010", "T1547" @@ -35485,6 +35787,7 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ + "TA0003", "TA0005", "T1562.002", "T1112", @@ -35509,6 +35812,7 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ + "TA0004", "TA0003", "T1546.007", "T1546" @@ -35531,6 +35835,7 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ + "TA0003", "TA0005", "T1112" ], @@ -35574,6 +35879,7 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ + "TA0004", "TA0003", "T1547.001", "T1547" @@ -35596,6 +35902,7 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ + "TA0004", "TA0003", "T1547.001", "T1547" @@ -35618,6 +35925,7 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ + "TA0003", "TA0005", "T1112" ], @@ -35706,6 +36014,7 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ + "TA0003", "TA0005", "T1112" ], @@ -35749,6 +36058,7 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ + "TA0005", "TA0003", "T1112" ], @@ -35770,6 +36080,8 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ + "TA0003", + "TA0005", "TA0004", "T1546", "T1548" @@ -35792,6 +36104,7 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ + "TA0004", "TA0003", "T1547.001", "T1547" @@ -35875,6 +36188,7 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ + "TA0004", "TA0003", "T1547.001", "T1547" @@ -35897,6 +36211,7 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ + "TA0005", "TA0002", "TA0003", "T1112", @@ -35942,6 +36257,7 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ + "TA0005", "TA0003", "T1112" ], @@ -35963,6 +36279,7 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ + "TA0004", "TA0003", "T1547.001", "T1547" 
@@ -35985,6 +36302,7 @@
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
+ "TA0003",
 "TA0005",
 "T1112"
 ],
@@ -36028,6 +36346,7 @@
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
+ "TA0003",
 "TA0005",
 "T1112"
 ],
@@ -36160,6 +36479,7 @@
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
+ "TA0004",
 "TA0003",
 "T1546.011",
 "T1546"
@@ -36203,6 +36523,7 @@
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
+ "TA0003",
 "TA0002",
 "TA0004",
 "TA0008",
@@ -36272,6 +36593,8 @@
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
+ "TA0004",
+ "TA0003",
 "TA0005",
 "T1574.001",
 "T1112",
@@ -36315,6 +36638,7 @@
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
+ "TA0003",
 "TA0005",
 "T1112"
 ],
@@ -36358,6 +36682,7 @@
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
+ "TA0003",
 "TA0005",
 "T1112"
 ],
@@ -36469,6 +36794,7 @@
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
+ "TA0003",
 "TA0005",
 "T1112"
 ],
@@ -36512,6 +36838,7 @@
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
+ "TA0004",
 "TA0003",
 "T1546.011",
 "T1546"
@@ -36578,6 +36905,7 @@
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
+ "TA0003",
 "TA0005",
 "T1112"
 ],
@@ -36599,6 +36927,7 @@
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
+ "TA0001",
 "TA0003",
 "T1133"
 ],
@@ -36620,6 +36949,7 @@
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
+ "TA0003",
 "TA0005",
 "T1140",
 "T1112"
@@ -36648,27 +36978,6 @@
 ],
 "title": "Scripted Diagnostics Turn Off Check Enabled - Registry"
 },
- {
- "category": "registry_set",
- "channel": [
- "sec"
- ],
- "description": "BlackByte set three different registry values to escalate privileges and begin setting the stage for lateral movement and encryption",
- "event_ids": [
- "4657"
- ],
- "id": "9651c944-f6ad-6a83-4ff8-76f682bce13e",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE921E-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0005",
- "T1112"
- ],
- "title": "Blackbyte Ransomware Registry"
- },
 {
 "category": "registry_set",
 "channel": [
@@ -36749,6 +37058,7 @@
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
+ "TA0003",
 "TA0005",
 "T1112"
 ],
@@ -36770,6 +37080,7 @@
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
+ "TA0004",
 "TA0003",
 "T1547.010",
 "T1547"
@@ -36792,6 +37103,7 @@
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
+ "TA0004",
 "TA0003",
 "T1547.001",
 "T1546.009",
@@ -36839,6 +37151,7 @@
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
+ "TA0004",
 "TA0003",
 "T1546.012",
 "T1546"
@@ -36904,6 +37217,8 @@
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
+ "TA0003",
+ "TA0005",
 "TA0004",
 "T1574",
 "cve.2021-1675"
@@ -36948,6 +37263,7 @@
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
+ "TA0004",
 "TA0003",
 "T1547.001",
 "T1547"
@@ -36990,6 +37306,7 @@
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
+ "TA0004",
 "TA0003",
 "T1546.015",
 "T1546"
@@ -37032,6 +37349,7 @@
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
+ "TA0003",
 "TA0005",
 "T1112"
 ],
@@ -37097,6 +37415,7 @@
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
+ "TA0004",
 "T1037.001",
 "TA0003",
 "TA0008",
@@ -37305,6 +37624,7 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
+ "TA0004",
 "TA0005",
 "T1055",
 "detection.emerging-threats"
@@ -37351,6 +37671,7 @@
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
+ "TA0003",
 "T1112",
 "TA0005",
 "detection.emerging-threats"
@@ -37373,6 +37694,7 @@
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
+ "TA0004",
 "TA0003",
 "T1547.001",
 "detection.emerging-threats",
@@ -37396,6 +37718,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
+ "TA0004",
+ "TA0002",
 "TA0003",
 "T1053.005",
 "detection.emerging-threats",
@@ -37535,6 +37859,7 @@
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
+ "TA0004",
 "TA0003",
 "T1547.001",
 "detection.emerging-threats",
@@ -37558,6 +37883,7 @@
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
+ "TA0004",
 "TA0003",
 "T1547.001",
 "detection.emerging-threats",
@@ -37581,6 +37907,7 @@
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
+ "TA0004",
 "TA0003",
 "T1547.001",
 "detection.emerging-threats",
@@ -37685,8 +38012,8 @@
 "T1566.001",
 "cve.2017-11882",
 "detection.emerging-threats",
- "T1204",
- "T1566"
+ "T1566",
+ "T1204"
 ],
 "title": "Droppers Exploiting CVE-2017-11882"
 },
@@ -37713,8 +38040,8 @@
 "T1566.001",
 "cve.2017-0261",
 "detection.emerging-threats",
- "T1566",
- "T1204"
+ "T1204",
+ "T1566"
 ],
 "title": "Exploit for CVE-2017-0261"
 },
@@ -37771,8 +38098,8 @@
 "T1003.001",
 "car.2016-04-002",
 "detection.emerging-threats",
- "T1218",
 "T1003",
+ "T1218",
 "T1070"
 ],
 "title": "NotPetya Ransomware Activity"
@@ -37793,6 +38120,8 @@
 "0CCE9211-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
+ "TA0004",
+ "TA0002",
 "TA0003",
 "T1543.003",
 "T1569.002",
@@ -37864,6 +38193,7 @@
 "service": "system",
 "subcategory_guids": [],
 "tags": [
+ "TA0004",
 "TA0003",
 "attack.g0064",
 "T1543.003",
@@ -37888,6 +38218,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
+ "TA0004",
+ "TA0003",
 "attack.s0013",
 "TA0005",
 "T1574.001",
@@ -37935,6 +38267,7 @@
 "service": "system",
 "subcategory_guids": [],
 "tags": [
+ "TA0004",
 "TA0003",
 "attack.g0010",
 "T1543.003",
@@ -37957,6 +38290,7 @@
 "service": "system",
 "subcategory_guids": [],
 "tags": [
+ "TA0004",
 "TA0003",
 "attack.g0010",
 "T1543.003",
@@ -38055,6 +38389,8 @@
 "0CCE9227-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
+ "TA0004",
+ "TA0002",
 "TA0003",
 "attack.g0049",
 "T1053.005",
@@ -38087,6 +38423,8 @@
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
+ "TA0004",
+ "TA0002",
 "TA0003",
 "attack.g0049",
 "T1053.005",
@@ -38097,9 +38435,9 @@
 "TA0011",
 "T1071.004",
 "detection.emerging-threats",
- "T1071",
 "T1053",
- "T1543"
+ "T1543",
+ "T1071"
 ],
 "title": "OilRig APT Registry Persistence"
 },
@@ -38119,6 +38457,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
+ "TA0004",
+ "TA0002",
 "TA0003",
 "attack.g0049",
 "T1053.005",
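Review bot: The `-37685` hunk only swaps the positions of the parent-technique tags `T1204` and `T1566`, and the same pure reordering recurs in the `-37713`, `-37771` and `-38097` hunks here and later in `-38129`, `-38159`, `-38764`, `-39251`, `-40172`, `-40532`, `-40563`, `-44044`, `-44680`, `-45706`, `-45754`, `-46246`, `-46819`, `-49202`, `-49421`, `-49479`, `-50619`, `-51338` and `-52896`. That pattern looks like the tags array is emitted from an unordered collection, so every regeneration of this file produces diff noise that buries the real tactic-tag additions and makes reviewing rule metadata harder. If the array is generated, emitting it in a stable order (for example tactic IDs, then technique IDs sorted as strings, then free-form tags such as `detection.emerging-threats`) would confine future diffs to the lines that actually change. Assuming consumers treat tags as a set this is a style point rather than a correctness one, but it is worth confirming no consumer depends on element order before sorting.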
@@ -38129,8 +38469,8 @@
 "TA0011",
 "T1071.004",
 "detection.emerging-threats",
- "T1543",
 "T1053",
+ "T1543",
 "T1071"
 ],
 "title": "OilRig APT Activity"
@@ -38149,6 +38489,8 @@
 "service": "system",
 "subcategory_guids": [],
 "tags": [
+ "TA0004",
+ "TA0002",
 "TA0003",
 "attack.g0049",
 "T1053.005",
@@ -38159,9 +38501,9 @@
 "TA0011",
 "T1071.004",
 "detection.emerging-threats",
- "T1543",
 "T1053",
- "T1071"
+ "T1071",
+ "T1543"
 ],
 "title": "OilRig APT Schedule Task Persistence - System"
 },
@@ -38205,6 +38547,7 @@
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
+ "TA0003",
 "TA0005",
 "T1112",
 "detection.emerging-threats"
@@ -38228,6 +38571,8 @@
 "0CCE9227-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
+ "TA0004",
+ "TA0002",
 "TA0003",
 "T1053",
 "attack.s0111",
@@ -38251,6 +38596,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
+ "TA0004",
+ "TA0002",
 "TA0003",
 "T1053.005",
 "attack.s0111",
@@ -38326,6 +38673,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
+ "TA0004",
+ "TA0003",
 "TA0005",
 "T1574.001",
 "attack.g0027",
@@ -38522,6 +38871,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
+ "TA0003",
+ "TA0005",
 "TA0002",
 "T1112",
 "T1047",
@@ -38569,6 +38920,7 @@
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
+ "TA0005",
 "TA0003",
 "T1112",
 "detection.emerging-threats"
@@ -38687,6 +39039,7 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
+ "TA0004",
 "TA0003",
 "T1547.001",
 "detection.emerging-threats",
@@ -38733,6 +39086,7 @@
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
+ "TA0004",
 "TA0003",
 "T1547.001",
 "detection.emerging-threats",
@@ -38764,8 +39118,8 @@
 "TA0005",
 "T1036.005",
 "detection.emerging-threats",
- "T1036",
- "T1059"
+ "T1059",
+ "T1036"
 ],
 "title": "Greenbug Espionage Group Indicators"
 },
@@ -38808,6 +39162,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
+ "TA0004",
+ "TA0003",
 "TA0005",
 "T1574.001",
 "attack.g0044",
@@ -38832,6 +39188,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
+ "TA0004",
+ "TA0003",
 "TA0005",
 "T1574.001",
 "attack.g0044",
@@ -38856,6 +39214,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
+ "TA0004",
+ "TA0005",
 "TA0002",
 "T1055.001",
 "detection.emerging-threats",
@@ -39111,6 +39471,7 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
+ "TA0004",
 "TA0002",
 "TA0003",
 "T1053.005",
@@ -39182,6 +39543,7 @@
 "service": "application",
 "subcategory_guids": [],
 "tags": [
+ "TA0004",
 "TA0003",
 "T1546",
 "detection.emerging-threats"
@@ -39204,6 +39566,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
+ "TA0004",
+ "TA0002",
 "TA0003",
 "T1053",
 "T1053.005",
@@ -39251,14 +39615,17 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
+ "TA0004",
+ "TA0003",
+ "TA0005",
 "attack.g0010",
 "TA0002",
 "T1059.001",
 "T1053.005",
 "T1027",
 "detection.emerging-threats",
- "T1053",
- "T1059"
+ "T1059",
+ "T1053"
 ],
 "title": "Turla Group Commands May 2020"
 },
@@ -39406,6 +39773,8 @@
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
+ "TA0001",
+ "TA0002",
 "TA0006",
 "T1566",
 "T1203",
@@ -39500,6 +39869,7 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
+ "TA0005",
 "TA0004",
 "T1553",
 "detection.emerging-threats"
@@ -39577,6 +39947,7 @@
 "service": "windefend",
 "subcategory_guids": [],
 "tags": [
+ "TA0005",
 "TA0004",
 "T1055",
 "detection.emerging-threats"
@@ -39665,6 +40036,7 @@
 "0CCE9235-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
+ "TA0004",
 "TA0005",
 "TA0003",
 "T1036",
@@ -39852,6 +40224,29 @@
 ],
 "title": "Potential Devil Bait Malware Reconnaissance"
 },
+ {
+ "category": "registry_set",
+ "channel": [
+ "sec"
+ ],
+ "description": "Detects specific windows registry modifications made by BlackByte ransomware variants.\nBlackByte set three different registry values to escalate privileges and begin setting the stage for lateral movement and encryption.\nThis rule triggers when any of the following registry keys are set to DWORD 1, however all three should be investigated as part of a larger BlackByte ransomware detection and response effort.\n",
+ "event_ids": [
+ "4657"
+ ],
+ "id": "9651c944-f6ad-6a83-4ff8-76f682bce13e",
+ "level": "high",
+ "service": "",
+ "subcategory_guids": [
+ "0CCE921E-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0003",
+ "TA0005",
+ "T1112",
+ "detection.emerging-threats"
+ ],
+ "title": "Blackbyte Ransomware Registry"
+ },
 {
 "category": "process_creation",
 "channel": [
@@ -39918,6 +40313,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
+ "TA0004",
+ "TA0005",
 "TA0003",
 "T1574.001",
 "detection.emerging-threats",
@@ -40023,6 +40420,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
+ "TA0004",
+ "TA0005",
 "TA0003",
 "T1574.001",
 "detection.emerging-threats",
@@ -40046,6 +40445,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
+ "TA0004",
+ "TA0002",
 "TA0003",
 "T1546",
 "T1053",
@@ -40140,6 +40541,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
+ "TA0003",
+ "TA0002",
 "TA0004",
 "T1053.005",
 "car.2013-08-001",
@@ -40172,8 +40575,8 @@
 "T1059.001",
 "T1218.005",
 "detection.emerging-threats",
- "T1059",
- "T1218"
+ "T1218",
+ "T1059"
 ],
 "title": "Potential Baby Shark Malware Activity"
 },
@@ -40309,6 +40712,8 @@
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
+ "TA0003",
+ "TA0005",
 "TA0002",
 "T1112",
 "detection.emerging-threats"
@@ -40378,6 +40783,7 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
+ "TA0004",
 "TA0003",
 "T1547.001",
 "detection.emerging-threats",
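Review bot: The re-added BlackByte entry's description says the rule "triggers when any of the following registry keys are set to DWORD 1", but no registry keys follow in the text, so a responder reading this metadata cannot tell which three values to check; either list them (or an obviously labelled placeholder such as `<registry value 1..3>` if the rule source is the authority) or drop the dangling reference, e.g. `This rule triggers when any of the three registry values is set to DWORD 1; all three should be investigated as part of a larger BlackByte ransomware detection and response effort.`. The entry carries the same `id` (`9651c944-f6ad-6a83-4ff8-76f682bce13e`) as the rule deleted in the `-36648` hunk above, so this reads as a relocation with `TA0003` and `detection.emerging-threats` added rather than a duplicate; it is worth confirming the deletion and this addition always ship together so the id is never present twice or absent. The description also ends with a trailing `\n`, unlike the single-line descriptions of the neighbouring entries, which a consumer that renders descriptions verbatim may show as a stray blank line.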
@@ -40496,6 +40902,7 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
+ "TA0009",
 "TA0008",
 "TA0006",
 "attack.g0128",
@@ -40523,6 +40930,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
+ "TA0004",
+ "TA0003",
 "TA0007",
 "T1012",
 "TA0005",
@@ -40532,9 +40941,9 @@
 "T1053.005",
 "T1059.001",
 "detection.emerging-threats",
- "T1059",
 "T1053",
- "T1036"
+ "T1036",
+ "T1059"
 ],
 "title": "Operation Wocao Activity"
 },
@@ -40554,6 +40963,8 @@
 "0CCE9237-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
+ "TA0004",
+ "TA0003",
 "TA0007",
 "T1012",
 "TA0005",
@@ -40563,9 +40974,9 @@
 "T1053.005",
 "T1059.001",
 "detection.emerging-threats",
- "T1059",
+ "T1036",
 "T1053",
- "T1036"
+ "T1059"
 ],
 "title": "Operation Wocao Activity - Security"
 },
@@ -40678,6 +41089,7 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
+ "TA0011",
 "TA0002",
 "TA0005",
 "T1218",
@@ -40731,6 +41143,7 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
+ "TA0004",
 "TA0001",
 "TA0002",
 "T1059.001",
@@ -40759,6 +41172,7 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
+ "TA0003",
 "TA0004",
 "TA0005",
 "T1574.008",
@@ -40812,6 +41226,9 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
+ "TA0004",
+ "TA0003",
+ "TA0005",
 "TA0001",
 "T1078.001",
 "detection.emerging-threats",
@@ -40836,6 +41253,7 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
+ "TA0002",
 "TA0011",
 "T1090",
 "T1573",
@@ -41094,6 +41512,7 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
+ "TA0004",
 "TA0005",
 "T1055.012",
 "detection.emerging-threats",
@@ -41163,6 +41582,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
+ "TA0005",
+ "TA0011",
 "TA0002",
 "T1059.003",
 "T1105",
@@ -41188,6 +41609,7 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
+ "TA0004",
 "TA0005",
 "T1055",
 "detection.emerging-threats"
@@ -41954,6 +42376,7 @@
 "tags": [
 "TA0011",
 "TA0002",
+ "TA0005",
 "T1218",
 "detection.emerging-threats"
 ],
@@ -42638,6 +43061,7 @@
 "0CCE923C-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
+ "TA0005",
 "TA0004",
 "T1484.001",
 "T1484"
@@ -42686,6 +43110,7 @@
 "0CCE923F-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
+ "TA0005",
 "TA0007",
 "TA0002",
 "TA0009",
@@ -42785,6 +43210,7 @@
 "0CCE9211-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
+ "TA0005",
 "TA0004",
 "T1134.001",
 "T1134.002",
@@ -42855,6 +43281,7 @@
 "0CCE923C-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
+ "TA0004",
 "TA0003",
 "T1098"
 ],
@@ -42968,6 +43395,10 @@
 "0CCE9215-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
+ "TA0004",
+ "TA0003",
+ "TA0001",
+ "TA0005",
 "T1078",
 "TA0008"
 ],
@@ -42985,6 +43416,8 @@
 "service": "security",
 "subcategory_guids": [],
 "tags": [
+ "TA0001",
+ "TA0005",
 "cve.2021-42278",
 "cve.2021-42287",
 "TA0003",
@@ -43009,6 +43442,7 @@
 "0CCE9235-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
+ "TA0004",
 "TA0003",
 "T1098"
 ],
@@ -43078,6 +43512,8 @@
 "0CCE9244-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
+ "TA0003",
+ "TA0005",
 "TA0004",
 "T1484.001",
 "T1547",
@@ -43104,6 +43540,7 @@
 "0CCE923C-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
+ "TA0009",
 "TA0006",
 "T1557.003",
 "TA0003",
@@ -43402,6 +43839,7 @@
 "0CCE9229-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
+ "TA0005",
 "TA0004",
 "T1548"
 ],
@@ -43655,6 +44093,8 @@
 "0CCE9237-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
+ "TA0001",
+ "TA0005",
 "TA0004",
 "T1078",
 "TA0003",
@@ -43768,6 +44208,7 @@
 "0CCE9211-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
+ "TA0003",
 "TA0004",
 "T1543"
 ],
@@ -43879,6 +44320,7 @@
 "0CCE9211-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
+ "TA0004",
 "TA0003",
 "TA0002",
 "T1543.003",
@@ -43952,6 +44394,7 @@
 "0CCE9230-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
+ "TA0004",
 "TA0003",
 "T1098"
 ],
@@ -44044,15 +44487,16 @@
 "0CCE9211-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
+ "TA0003",
 "TA0002",
 "TA0004",
 "TA0008",
 "T1021.002",
 "T1543.003",
 "T1569.002",
+ "T1543",
 "T1569",
- "T1021",
- "T1543"
+ "T1021"
 ],
 "title": "CobaltStrike Service Installations - Security"
 },
@@ -44134,6 +44578,7 @@
 "0CCE9244-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
+ "TA0004",
 "TA0003",
 "T1547.009",
 "T1547"
@@ -44158,6 +44603,8 @@
 "0CCE9244-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
+ "TA0004",
+ "TA0002",
 "TA0003",
 "TA0008",
 "T1053.005",
@@ -44408,6 +44855,7 @@
 "0CCE9229-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
+ "TA0006",
 "TA0008",
 "TA0004",
 "T1558.003",
@@ -44500,6 +44948,7 @@
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
+ "TA0003",
 "TA0005",
 "T1112",
 "T1562"
@@ -44522,6 +44971,7 @@
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
+ "TA0003",
 "TA0005",
 "T1562.001",
 "T1112",
@@ -44680,8 +45130,8 @@
 "T1003.006",
 "T1569.002",
 "attack.s0005",
- "T1569",
- "T1003"
+ "T1003",
+ "T1569"
 ],
 "title": "Credential Dumping Tools Service Execution - Security"
 },
@@ -44798,6 +45248,7 @@
 "0CCE9237-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
+ "TA0004",
 "TA0003",
 "T1098"
 ],
@@ -44840,6 +45291,8 @@
 "0CCE9217-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
+ "TA0004",
+ "TA0005",
 "TA0001",
 "TA0003",
 "T1078",
@@ -44865,6 +45318,7 @@
 "0CCE9237-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
+ "TA0004",
 "TA0003",
 "T1098"
 ],
@@ -44977,6 +45431,7 @@
 "0CCE9215-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
+ "TA0005",
 "TA0008",
 "attack.s0002",
 "T1550.002",
@@ -45000,6 +45455,9 @@
 "0CCE9215-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
+ "TA0004",
+ "TA0003",
+ "TA0005",
 "TA0001",
 "TA0006",
 "T1133",
@@ -45025,6 +45483,7 @@
 "0CCE9237-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
+ "TA0004",
 "TA0003",
 "T1098"
 ],
@@ -45046,6 +45505,7 @@
 "0CCE9215-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
+ "TA0005",
 "TA0008",
 "T1550.002",
 "T1550"
@@ -45068,6 +45528,7 @@
 "0CCE9215-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
+ "TA0005",
 "TA0004",
 "TA0006",
 "T1548"
@@ -45112,6 +45573,9 @@
 "0CCE9215-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
+ "TA0004",
+ "TA0003",
+ "TA0005",
 "TA0001",
 "TA0006",
 "T1133",
@@ -45136,6 +45600,9 @@
 "0CCE9215-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
+ "TA0004",
+ "TA0003",
+ "TA0005",
 "TA0008",
 "TA0001",
 "T1078.001",
@@ -45162,6 +45629,7 @@
 "0CCE9215-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
+ "TA0009",
 "TA0004",
 "TA0006",
 "T1557.001",
@@ -45253,6 +45721,7 @@
 "0CCE9234-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
+ "TA0005",
 "TA0004",
 "T1134",
 "T1134.001"
@@ -45457,6 +45926,7 @@
 "0CCE9231-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
+ "TA0004",
 "TA0003",
 "T1098"
 ],
@@ -45528,6 +45998,7 @@
 "0CCE9245-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
+ "TA0003",
 "TA0005",
 "T1112"
 ],
@@ -45617,6 +46088,8 @@
 "0CCE9244-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
+ "TA0004",
+ "TA0002",
 "TA0008",
 "TA0003",
 "car.2013-05-004",
@@ -45706,9 +46179,9 @@
 "T1485",
 "T1553.002",
 "attack.s0195",
- "T1070",
+ "T1027",
 "T1553",
- "T1027"
+ "T1070"
 ],
 "title": "Potential Secure Deletion with SDelete"
 },
@@ -45728,6 +46201,8 @@
 "0CCE923C-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
+ "TA0003",
+ "TA0005",
 "TA0006",
 "T1556"
 ],
@@ -45754,8 +46229,8 @@
 "T1087.002",
 "T1069.002",
 "attack.s0039",
- "T1069",
- "T1087"
+ "T1087",
+ "T1069"
 ],
 "title": "Reconnaissance Activity"
 },
@@ -45868,6 +46343,7 @@
 "0CCE9235-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
+ "TA0005",
 "TA0003",
 "TA0004",
 "T1134.005",
@@ -45917,6 +46393,7 @@
 "0CCE923C-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
+ "TA0004",
 "T1098",
 "TA0003"
 ],
@@ -45983,6 +46460,7 @@
 "service": "ntlm",
 "subcategory_guids": [],
 "tags": [
+ "TA0005",
 "TA0008",
 "T1550.002",
 "T1550"
@@ -46246,8 +46724,8 @@
 "T1218.010",
 "TA0002",
 "TA0005",
- "T1204",
- "T1218"
+ "T1218",
+ "T1204"
 ],
 "title": "Excel Proxy Executing Regsvr32 With Payload"
 },
@@ -46819,8 +47297,8 @@
 "T1218.010",
 "TA0002",
 "TA0005",
- "T1218",
- "T1204"
+ "T1204",
+ "T1218"
 ],
 "title": "Office Applications Spawning Wmi Cli Alternate"
 },
@@ -48425,6 +48903,8 @@
 "service": "dns-server",
 "subcategory_guids": [],
 "tags": [
+ "TA0004",
+ "TA0003",
 "TA0005",
 "T1574.001",
 "T1574"
@@ -48465,6 +48945,7 @@
 "service": "",
 "subcategory_guids": [],
 "tags": [
+ "TA0004",
 "TA0002",
 "T1047",
 "TA0003",
@@ -48812,6 +49293,7 @@
 "service": "system",
 "subcategory_guids": [],
 "tags": [
+ "TA0005",
 "TA0004",
 "T1548"
 ],
@@ -48915,6 +49397,7 @@
 "service": "system",
 "subcategory_guids": [],
 "tags": [
+ "TA0003",
 "TA0002",
 "TA0004",
 "T1543.003",
@@ -49144,6 +49627,7 @@
 "service": "system",
 "subcategory_guids": [],
 "tags": [
+ "TA0003",
 "TA0004",
 "T1543"
 ],
@@ -49202,12 +49686,13 @@
 "service": "system",
 "subcategory_guids": [],
 "tags": [
+ "TA0004",
 "TA0003",
 "TA0002",
 "T1543.003",
 "T1569.002",
- "T1569",
- "T1543"
+ "T1543",
+ "T1569"
 ],
 "title": "Remote Access Tool Services Have Been Installed - System"
 },
@@ -49243,6 +49728,7 @@
 "service": "system",
 "subcategory_guids": [],
 "tags": [
+ "TA0003",
 "TA0004",
 "T1543.003",
 "T1543"
@@ -49421,8 +49907,8 @@
 "T1003.006",
 "T1569.002",
 "attack.s0005",
- "T1003",
- "T1569"
+ "T1569",
+ "T1003"
 ],
 "title": "Credential Dumping Tools Service Execution - System"
 },
@@ -49479,15 +49965,16 @@
 "service": "system",
 "subcategory_guids": [],
 "tags": [
+ "TA0003",
 "TA0002",
 "TA0004",
 "TA0008",
 "T1021.002",
 "T1543.003",
 "T1569.002",
+ "T1569",
 "T1021",
- "T1543",
- "T1569"
+ "T1543"
 ],
 "title": "CobaltStrike Service Installations - System"
 },
@@ -49567,6 +50054,7 @@
 "service": "system",
 "subcategory_guids": [],
 "tags": [
+ "TA0003",
 "TA0002",
 "TA0004",
 "T1543.003",
@@ -49590,6 +50078,7 @@
 "service": "system",
 "subcategory_guids": [],
 "tags": [
+ "TA0003",
 "TA0004",
 "T1543.003",
 "T1543"
@@ -49735,6 +50224,7 @@
 "service": "system",
 "subcategory_guids": [],
 "tags": [
+ "TA0005",
 "TA0004",
 "T1134.001",
 "T1134.002",
@@ -49756,6 +50246,7 @@
 "service": "system",
 "subcategory_guids": [],
 "tags": [
+ "TA0003",
 "TA0004",
 "T1543"
 ],
@@ -49938,6 +50429,9 @@
 "service": "system",
 "subcategory_guids": [],
 "tags": [
+ "TA0040",
+ "TA0006",
+ "TA0009",
 "TA0001",
 "TA0004",
 "TA0002",
@@ -49983,6 +50477,7 @@
 "service": "system",
 "subcategory_guids": [],
 "tags": [
+ "TA0009",
 "TA0002",
 "TA0006",
 "T1557.001",
@@ -50090,6 +50585,8 @@
 "service": "system",
 "subcategory_guids": [],
 "tags": [
+ "TA0004",
+ "TA0003",
 "TA0005",
 "T1574.001",
 "T1574"
@@ -50110,6 +50607,8 @@
 "service": "system",
 "subcategory_guids": [],
 "tags": [
+ "TA0004",
+ "TA0003",
 "TA0005",
 "T1574.001",
 "T1574"
@@ -50619,8 +51118,8 @@
 "T1570",
 "TA0002",
 "T1569.002",
- "T1021",
- "T1569"
+ "T1569",
+ "T1021"
 ],
 "title": "Metasploit Or Impacket Service Installation Via SMB PsExec"
 },
@@ -51338,8 +51837,8 @@
 "TA0008",
 "T1563.002",
 "T1021.001",
- "T1563",
- "T1021"
+ "T1021",
+ "T1563"
 ],
 "title": "Possible RDP Hijacking"
 },
@@ -52896,9 +53395,9 @@
 "T1570",
 "T1021.002",
 "T1569.002",
- "T1569",
 "T1136",
 "T1543",
+ "T1569",
 "T1021"
 ],
 "title": "PSExec Lateral Movement"