diff --git a/config/security_rules.json b/config/security_rules.json index bf86e338..b1da3585 100644 --- a/config/security_rules.json +++ b/config/security_rules.json @@ -344,8 +344,8 @@ "T1059.001", "TA0008", "T1021.003", - "T1021", - "T1059" + "T1059", + "T1021" ], "title": "Suspicious Non PowerShell WSMAN COM Provider" }, @@ -1902,8 +1902,8 @@ "T1059.001", "TA0003", "T1136.001", - "T1059", - "T1136" + "T1136", + "T1059" ], "title": "PowerShell Create Local User" }, @@ -2194,8 +2194,8 @@ "T1558.003", "TA0008", "T1550.003", - "T1558", - "T1550" + "T1550", + "T1558" ], "title": "HackTool - Rubeus Execution - ScriptBlock" }, @@ -2637,8 +2637,8 @@ "T1564.004", "TA0002", "T1059.001", - "T1564", - "T1059" + "T1059", + "T1564" ], "title": "NTFS Alternate Data Stream" }, @@ -4838,8 +4838,8 @@ "T1059.005", "T1059.006", "T1059.007", - "T1204", - "T1059" + "T1059", + "T1204" ], "title": "File Was Not Allowed To Run" }, @@ -5531,9 +5531,9 @@ "T1218.007", "TA0002", "T1059.001", + "T1027", "T1059", - "T1218", - "T1027" + "T1218" ], "title": "Obfuscated PowerShell MSI Install via WindowsInstaller COM" }, @@ -6179,8 +6179,8 @@ "TA0002", "T1059.007", "cve.2020-1599", - "T1218", - "T1059" + "T1059", + "T1218" ], "title": "MSHTA Execution with Suspicious File Extensions" }, @@ -6514,8 +6514,8 @@ "T1563.002", "T1021.001", "car.2013-07-002", - "T1021", - "T1563" + "T1563", + "T1021" ], "title": "Suspicious RDP Redirect Using TSCON" }, @@ -7322,8 +7322,8 @@ "T1482", "T1069.002", "stp.1u", - "T1069", - "T1087" + "T1087", + "T1069" ], "title": "PUA - AdFind Suspicious Execution" }, @@ -8558,8 +8558,8 @@ "TA0003", "T1053.005", "T1059.001", - "T1053", - "T1059" + "T1059", + "T1053" ], "title": "Suspicious Schtasks Execution AppData Folder" }, @@ -10033,8 +10033,8 @@ "T1087.002", "T1069.002", "T1482", - "T1087", - "T1069" + "T1069", + "T1087" ], "title": "Suspicious Active Directory Database Snapshot Via ADExplorer" }, 
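Review bot: Almost every hunk on this page, starting with the "Suspicious Non PowerShell WSMAN COM Provider" entry here, only swaps the position of two parent-technique tags (`"T1021"` / `"T1059"`) without changing the tag set, which buries the substantive edits in this commit (level changes, new `cve.*` and `detection.emerging-threats` tags, relocated entries) under hundreds of no-op lines. This looks like the `tags` array is emitted from an unordered collection, so the fix presumably belongs in whatever produces `config/security_rules.json`: write `tags` in a stable order (sorted, or the order of the source rule) so reorder-only hunks disappear; if the file is hand-maintained, the reorders should simply be left out of the commit. The same reorder-only churn repeats in the other hunks through "PSExec Lateral Movement" at the end, and the entries that are deleted in one hunk and re-added in another ("DeviceCredentialDeployment Execution", "Suspicious CustomShellHost Execution", "Pandemic Registry Key", "Potential NetWire RAT Activity - Registry", the CVE-2019-0708 pair and others) appear to keep their `id`, which is what consumers keyed on `id` need; a quick post-generation check that no `id` is emitted twice would make that guarantee explicit.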
@@ -10777,8 +10777,8 @@ "TA0005", "T1548.002", "T1218.003", - "T1548", - "T1218" + "T1218", + "T1548" ], "title": "Bypass UAC via CMSTP" }, @@ -10996,8 +10996,8 @@ "T1218.010", "TA0002", "TA0005", - "T1204", - "T1218" + "T1218", + "T1204" ], "title": "Suspicious WMIC Execution Via Office Process" }, @@ -11189,8 +11189,8 @@ "TA0011", "T1071.004", "T1132.001", - "T1048", "T1071", + "T1048", "T1132" ], "title": "DNS Exfiltration and Tunneling Tools Execution" @@ -11806,8 +11806,8 @@ "TA0002", "T1059.001", "T1562.001", - "T1562", - "T1059" + "T1059", + "T1562" ], "title": "Obfuscated PowerShell OneLiner Execution" }, @@ -12201,8 +12201,8 @@ "TA0005", "T1059.001", "T1564.003", - "T1564", - "T1059" + "T1059", + "T1564" ], "title": "HackTool - Covenant PowerShell Launcher" }, @@ -13339,8 +13339,8 @@ "T1087.002", "T1482", "T1069.002", - "T1087", - "T1069" + "T1069", + "T1087" ], "title": "Renamed AdFind Execution" }, @@ -15742,8 +15742,8 @@ "T1203", "T1059.003", "attack.g0032", - "T1566", - "T1059" + "T1059", + "T1566" ], "title": "Suspicious HWP Sub Processes" }, @@ -18031,8 +18031,8 @@ "T1218.011", "TA0006", "T1003.001", - "T1003", - "T1218" + "T1218", + "T1003" ], "title": "Process Access via TrolleyExpress Exclusion" }, @@ -18545,6 +18545,27 @@ ], "title": "REGISTER_APP.VBS Proxy Execution" }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the execution of DeviceCredentialDeployment to hide a process from view.\n", + "event_ids": [ + "4688" + ], + "id": "bf39ad4c-8a90-0e00-7076-2436ebb83b41", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1218" + ], + "title": "DeviceCredentialDeployment Execution" + }, { "category": "process_creation", "channel": [ @@ -19410,8 +19431,8 @@ "T1059.001", "T1059.003", "T1564.003", - "T1564", - "T1059" + "T1059", + "T1564" ], "title": "Powershell Executed From Headless ConHost Process" }, 
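Review bot: The re-added "DeviceCredentialDeployment Execution" entry now carries a trailing newline inside its description (`"description": "Detects the execution of DeviceCredentialDeployment to hide a process from view.\n"`), while the version removed elsewhere in this diff and most other entries on the page (for example "PrinterNightmare Mimikatz Driver Name") end without one, so the field's shape is inconsistent across the file. This presumably comes from a block-scalar description in the source rule; trimming trailing whitespace when the field is emitted would give one canonical form, e.g. `"description": "Detects the execution of DeviceCredentialDeployment to hide a process from view."`. The same trailing `\n` appears in the re-added "Suspicious CustomShellHost Execution", "MSDT Execution Via Answer File", "Potential Exploitation of CVE-2022-21919 or CVE-2021-34484 for LPE" and "Potential CVE-2021-42287 Exploitation Attempt" entries.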
@@ -20215,28 +20236,6 @@ ], "title": "Execution via stordiag.exe" }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects execution of \"msdt.exe\" using an answer file which is simulating the legitimate way of calling msdt via \"pcwrun.exe\" (For example from the compatibility tab)", - "event_ids": [ - "4688" - ], - "id": "aac97665-0e43-e14b-bc3c-bbefd72790dd", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1218", - "TA0002" - ], - "title": "Execute MSDT Via Answer File" - }, { "category": "process_creation", "channel": [ @@ -20992,8 +20991,8 @@ "TA0005", "T1219.002", "T1036.003", - "T1036", - "T1219" + "T1219", + "T1036" ], "title": "Remote Access Tool - Renamed MeshAgent Execution - Windows" }, @@ -21419,11 +21418,11 @@ "T1557", "T1082", "T1564", - "T1547", - "T1546", "T1505", + "T1547", + "T1556", "T1574", - "T1556" + "T1546" ], "title": "Potential Suspicious Activity Using SeCEdit" }, @@ -21932,27 +21931,6 @@ ], "title": "Potential Mftrace.EXE Abuse" }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the execution of CustomShellHost binary where the child isn't located in 'C:\\Windows\\explorer.exe'", - "event_ids": [ - "4688" - ], - "id": "5f438a3c-3bd7-d256-61ad-9ae6334543ec", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1216" - ], - "title": "Suspicious CustomShellHost Execution" - }, { "category": "process_creation", "channel": [ @@ -22275,8 +22253,8 @@ "TA0008", "T1059.001", "T1021.006", - "T1059", - "T1021" + "T1021", + "T1059" ], "title": "Remote PowerShell Session Host Process (WinRM)" }, @@ -22573,9 +22551,9 @@ "TA0005", "T1218.005", "T1027.004", + "T1218", "T1027", - "T1059", - "T1218" + "T1059" ], "title": "Csc.EXE Execution Form Potentially Suspicious Parent" }, 
@@ -24047,8 +24025,8 @@ "T1558.003", "TA0008", "T1550.003", - "T1550", - "T1558" + "T1558", + "T1550" ], "title": "HackTool - KrbRelayUp Execution" }, @@ -24165,27 +24143,6 @@ ], "title": "Certificate Exported Via Certutil.EXE" }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects the execution of DeviceCredentialDeployment to hide a process from view", - "event_ids": [ - "4688" - ], - "id": "bf39ad4c-8a90-0e00-7076-2436ebb83b41", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "T1218" - ], - "title": "DeviceCredentialDeployment Execution" - }, { "category": "process_creation", "channel": [ @@ -24229,8 +24186,8 @@ "TA0003", "T1053.005", "T1059.001", - "T1053", - "T1059" + "T1059", + "T1053" ], "title": "Scheduled Task Executing Payload from Registry" }, @@ -25554,6 +25511,27 @@ ], "title": "Regsvr32 DLL Execution With Suspicious File Extension" }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the execution of CustomShellHost.exe where the child isn't located in 'C:\\Windows\\explorer.exe'. CustomShellHost is a known LOLBin that can be abused by attackers for defense evasion techniques.\n", + "event_ids": [ + "4688" + ], + "id": "5f438a3c-3bd7-d256-61ad-9ae6334543ec", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1216" + ], + "title": "Suspicious CustomShellHost Execution" + }, { "category": "process_creation", "channel": [ @@ -26196,9 +26174,9 @@ "T1069.002", "TA0002", "T1059.001", + "T1087", "T1069", - "T1059", - "T1087" + "T1059" ], "title": "HackTool - Bloodhound/Sharphound Execution" }, @@ -27285,8 +27263,8 @@ "T1106", "T1059.003", "T1218.011", - "T1059", - "T1218" + "T1218", + "T1059" ], "title": "HackTool - RedMimicry Winnti Playbook Execution" }, 
@@ -27677,8 +27655,8 @@ "T1558.003", "TA0008", "T1550.003", - "T1550", - "T1558" + "T1558", + "T1550" ], "title": "HackTool - Rubeus Execution" }, @@ -28118,8 +28096,8 @@ "TA0003", "T1036.005", "T1053.005", - "T1036", - "T1053" + "T1053", + "T1036" ], "title": "Suspicious Scheduled Task Creation via Masqueraded XML File" }, @@ -28415,6 +28393,28 @@ ], "title": "Potential Persistence Via Logon Scripts - CommandLine" }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects execution of \"msdt.exe\" using an answer file which is simulating the legitimate way of calling msdt via \"pcwrun.exe\" (For example from the compatibility tab).\n", + "event_ids": [ + "4688" + ], + "id": "aac97665-0e43-e14b-bc3c-bbefd72790dd", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "T1218", + "TA0002" + ], + "title": "MSDT Execution Via Answer File" + }, { "category": "process_creation", "channel": [ @@ -30983,8 +30983,8 @@ "T1059.001", "T1027.010", "detection.threat-hunting", - "T1027", - "T1059" + "T1059", + "T1027" ], "title": "Invocation Of Crypto-Classes From The \"Cryptography\" PowerShell Namespace" }, @@ -31516,9 +31516,9 @@ "T1021.002", "attack.s0039", "detection.threat-hunting", - "T1069", + "T1087", "T1021", - "T1087" + "T1069" ], "title": "Net.EXE Execution" }, @@ -32298,9 +32298,9 @@ "T1027.010", "T1547.001", "detection.threat-hunting", - "T1059", "T1027", - "T1547" + "T1547", + "T1059" ], "title": "Registry Set With Crypto-Classes From The \"Cryptography\" PowerShell Namespace" }, 
@@ -32738,27 +32738,6 @@ ], "title": "Suspicious Camera and Microphone Access" }, - { - "category": "registry_event", - "channel": [ - "sec" - ], - "description": "Detects Pandemic Windows Implant", - "event_ids": [ - "4657" - ], - "id": "a36fab91-8874-79c8-32cb-b2a0117d5a0b", - "level": "critical", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0011", - "T1105" - ], - "title": "Pandemic Registry Key" - }, { "category": "registry_event", "channel": [ @@ -32946,29 +32925,6 @@ ], "title": "Enable Remote Connection Between Anonymous Computer - AllowAnonymousCallback" }, - { - "category": "registry_event", - "channel": [ - "sec" - ], - "description": "Detects static QMS 810 and mimikatz driver name used by Mimikatz as exploited in CVE-2021-1675 and CVE-2021-34527", - "event_ids": [ - "4657" - ], - "id": "33feb9a9-afd4-3403-46c9-13a7b4a62b80", - "level": "critical", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "T1204", - "cve.2021-1675", - "cve.2021-34527" - ], - "title": "PrinterNightmare Mimikatz Driver Name" - }, { "category": "registry_event", "channel": [ @@ -36411,30 +36367,6 @@ ], "title": "New RUN Key Pointing to Suspicious Folder" }, - { - "category": "registry_set", - "channel": [ - "sec" - ], - "description": "Attempts to detect system changes made by Blue Mockingbird", - "event_ids": [ - "4657" - ], - "id": "5e4e8480-72ed-5e37-7cfe-93d7cfd37974", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0005", - "TA0002", - "TA0003", - "T1112", - "T1047" - ], - "title": "Blue Mockingbird - Registry" - }, { "category": "registry_set", "channel": [ @@ -36746,8 +36678,8 @@ "T1021.002", "T1543.003", "T1569.002", - "T1543", "T1569", + "T1543", "T1021" ], "title": "Potential CobaltStrike Service Installations - Registry" 
@@ -37323,8 +37255,8 @@ "TA0003", "T1547.001", "T1546.009", - "T1547", - "T1546" + "T1546", + "T1547" ], "title": "Session Manager Autorun Keys Modification" }, @@ -37549,28 +37481,6 @@ ], "title": "Potential Persistence Via New AMSI Providers - Registry" }, - { - "category": "registry_add", - "channel": [ - "sec" - ], - "description": "Detects registry keys related to NetWire RAT", - "event_ids": [ - "4657" - ], - "id": "61bb2824-c37f-f432-0767-9a80d45583aa", - "level": "high", - "service": "", - "subcategory_guids": [ - "0CCE921E-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0003", - "TA0005", - "T1112" - ], - "title": "Potential NetWire RAT Activity - Registry" - }, { "category": "registry_add", "channel": [ @@ -38314,9 +38224,9 @@ "T1003.001", "car.2016-04-002", "detection.emerging-threats", - "T1070", "T1218", - "T1003" + "T1003", + "T1070" ], "title": "NotPetya Ransomware Activity" }, @@ -38342,8 +38252,8 @@ "T1543.003", "T1569.002", "detection.emerging-threats", - "T1569", - "T1543" + "T1543", + "T1569" ], "title": "CosmicDuke Service Installation" }, @@ -38515,6 +38425,28 @@ ], "title": "Turla Service Install" }, + { + "category": "registry_event", + "channel": [ + "sec" + ], + "description": "Detects Pandemic Windows Implant", + "event_ids": [ + "4657" + ], + "id": "a36fab91-8874-79c8-32cb-b2a0117d5a0b", + "level": "critical", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0011", + "T1105", + "detection.emerging-threats" + ], + "title": "Pandemic Registry Key" + }, { "category": "process_creation", "channel": [ @@ -38651,9 +38583,9 @@ "TA0011", "T1071.004", "detection.emerging-threats", - "T1543", + "T1053", "T1071", - "T1053" + "T1543" ], "title": "OilRig APT Registry Persistence" }, @@ -38685,8 +38617,8 @@ "TA0011", "T1071.004", "detection.emerging-threats", - "T1053", "T1543", + "T1053", "T1071" ], "title": "OilRig APT Activity" 
@@ -38717,9 +38649,9 @@ "TA0011", "T1071.004", "detection.emerging-threats", - "T1543", + "T1053", "T1071", - "T1053" + "T1543" ], "title": "OilRig APT Schedule Task Persistence - System" }, @@ -39096,6 +39028,31 @@ ], "title": "Blue Mockingbird" }, + { + "category": "registry_set", + "channel": [ + "sec" + ], + "description": "Attempts to detect system changes made by Blue Mockingbird", + "event_ids": [ + "4657" + ], + "id": "5e4e8480-72ed-5e37-7cfe-93d7cfd37974", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0005", + "TA0002", + "TA0003", + "T1112", + "T1047", + "detection.emerging-threats" + ], + "title": "Blue Mockingbird - Registry" + }, { "category": "process_creation", "channel": [ @@ -39334,8 +39291,8 @@ "TA0005", "T1036.005", "detection.emerging-threats", - "T1059", - "T1036" + "T1036", + "T1059" ], "title": "Greenbug Espionage Group Indicators" }, 
@@ -39576,6 +39533,47 @@ ], "title": "Suspicious Sysmon as Execution Parent" }, + { + "category": "", + "channel": [ + "Application" + ], + "description": "Detects potential exploitation attempts of CVE-2022-21919 or CVE-2021-34484 leading to local privilege escalation via the User Profile Service.\nDuring exploitation of this vulnerability, two logs (Provider_Name: Microsoft-Windows-User Profiles Service) with EventID 1511 and 1515 are created (EventID 1515 may generate many false positives).\nAdditionally, the directory \\Users\\TEMP may be created during exploitation. This behavior was observed on Windows Server 2008.\n", + "event_ids": [ + "1511" + ], + "id": "17e91768-3a0f-6d5f-bc0d-7f2d22391909", + "level": "low", + "service": "application", + "subcategory_guids": [], + "tags": [ + "TA0002", + "detection.emerging-threats", + "cve.2022-21919", + "cve.2021-34484" + ], + "title": "Potential Exploitation of CVE-2022-21919 or CVE-2021-34484 for LPE" + }, + { + "category": "", + "channel": [ + "System" + ], + "description": "Detects the exploitation of a security bypass and elevation of privilege vulnerability with Authentication Negotiation by using weak RC4-HMAC negotiation", + "event_ids": [ + "42" + ], + "id": "87515290-bf9f-09a4-af0e-bac22cb017f6", + "level": "high", + "service": "system", + "subcategory_guids": [], + "tags": [ + "TA0004", + "detection.emerging-threats", + "cve.2022-37966" + ], + "title": "Potential KDC RC4-HMAC Downgrade Exploit - CVE-2022-37966" + }, { "category": "process_creation", "channel": [ @@ -39693,8 +39691,8 @@ "T1053.005", "T1059.006", "detection.emerging-threats", - "T1059", - "T1053" + "T1053", + "T1059" ], "title": "Serpent Backdoor Payload Execution Via Scheduled Task" }, @@ -39840,8 +39838,8 @@ "T1053.005", "T1027", "detection.emerging-threats", - "T1059", - "T1053" + "T1053", + "T1059" ], "title": "Turla Group Commands May 2020" }, 
@@ -39897,8 +39895,8 @@ "attack.s0412", "attack.g0001", "detection.emerging-threats", - "T1059", - "T1218" + "T1218", + "T1059" ], "title": "ZxShell Malware" }, @@ -40138,6 +40136,30 @@ ], "title": "Serv-U Exploitation CVE-2021-35211 by DEV-0322" }, + { + "category": "", + "channel": [ + "sec" + ], + "description": "Detects remote printer driver load from Detailed File Share in Security logs that are a sign of successful exploitation attempts against print spooler vulnerability CVE-2021-1675 and CVE-2021-34527", + "event_ids": [ + "5145" + ], + "id": "52b5923e-1ef2-aaad-5513-3c830f3c5850", + "level": "critical", + "service": "security", + "subcategory_guids": [ + "0CCE9244-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "T1569", + "cve.2021-1675", + "cve.2021-34527", + "detection.emerging-threats" + ], + "title": "CVE-2021-1675 Print Spooler Exploitation IPC Access" + }, { "category": "antivirus", "channel": [ @@ -40166,34 +40188,12 @@ "TA0005", "TA0004", "T1055", - "detection.emerging-threats" + "detection.emerging-threats", + "cve.2021-34527", + "cve.2021-1675" ], "title": "Antivirus PrinterNightmare CVE-2021-34527 Exploit Detection" }, - { - "category": "", - "channel": [ - "sec" - ], - "description": "Detects remote printer driver load from Detailed File Share in Security logs that are a sign of successful exploitation attempts against print spooler vulnerability CVE-2021-1675 and CVE-2021-34527", - "event_ids": [ - "5145" - ], - "id": "52b5923e-1ef2-aaad-5513-3c830f3c5850", - "level": "critical", - "service": "security", - "subcategory_guids": [ - "0CCE9244-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "T1569", - "cve.2021-1675", - "cve.2021-34527", - "detection.emerging-threats" - ], - "title": "CVE-2021-1675 Print Spooler Exploitation IPC Access" - }, { "category": "", "channel": [ 
@@ -40215,6 +40215,30 @@ ], "title": "Possible CVE-2021-1675 Print Spooler Exploitation" }, + { + "category": "registry_event", + "channel": [ + "sec" + ], + "description": "Detects static QMS 810 and mimikatz driver name used by Mimikatz as exploited in CVE-2021-1675 and CVE-2021-34527", + "event_ids": [ + "4657" + ], + "id": "33feb9a9-afd4-3403-46c9-13a7b4a62b80", + "level": "critical", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "T1204", + "cve.2021-1675", + "cve.2021-34527", + "detection.emerging-threats" + ], + "title": "PrinterNightmare Mimikatz Driver Name" + }, { "category": "", "channel": [ @@ -40236,6 +40260,29 @@ ], "title": "CVE-2021-1675 Print Spooler Exploitation" }, + { + "category": "", + "channel": [ + "System" + ], + "description": "The attacker creates a computer object using those permissions with a password known to her.\nAfter that she clears the attribute ServicePrincipalName on the computer object.\nBecause she created the object (CREATOR OWNER), she gets granted additional permissions and can do many changes to the object.\n", + "event_ids": [ + "16990", + "16991" + ], + "id": "7ef3c84f-fc5f-e0e6-b94d-07dbb0c946eb", + "level": "medium", + "service": "system", + "subcategory_guids": [], + "tags": [ + "TA0006", + "T1558.003", + "detection.emerging-threats", + "cve.2021-42287", + "T1558" + ], + "title": "Potential CVE-2021-42287 Exploitation Attempt" + }, { "category": "", "channel": [ 
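Review bot: The description of the re-added "Potential CVE-2021-42287 Exploitation Attempt" entry opens with "using those permissions" although nothing earlier in the field says which permissions are meant, and it narrates an attacker rather than stating what the rule detects, unlike the neighbouring entries that start with "Detects …"; the commit moves the entry and adds tags but keeps this wording unchanged. A rewording that keeps the author's facts and the entry's style would be `"description": "Detects potential exploitation of CVE-2021-42287: an attacker creates a computer object with a password they know, then clears its ServicePrincipalName attribute; as CREATOR OWNER of the object they are granted additional permissions over it."`. The event IDs `16990` and `16991` and the tag set are untouched by that change.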
@@ -40418,6 +40465,29 @@ ], "title": "Conti Volume Shadow Listing" }, + { + "category": "registry_add", + "channel": [ + "sec" + ], + "description": "Detects registry keys related to NetWire RAT", + "event_ids": [ + "4657" + ], + "id": "61bb2824-c37f-f432-0767-9a80d45583aa", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE921E-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0003", + "TA0005", + "T1112", + "detection.emerging-threats" + ], + "title": "Potential NetWire RAT Activity - Registry" + }, { "category": "process_creation", "channel": [ @@ -40741,6 +40811,54 @@ ], "title": "Exploiting CVE-2019-1388" }, + { + "category": "", + "channel": [ + "sec" + ], + "description": "Detects the use of a scanner by zerosum0x0 that discovers targets vulnerable to CVE-2019-0708 RDP RCE aka BlueKeep", + "event_ids": [ + "4625" + ], + "id": "232ecd79-c09d-1323-8e7e-14322b766855", + "level": "high", + "service": "security", + "subcategory_guids": [ + "0CCE9215-69AE-11D9-BED3-505054503030", + "0CCE9217-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0008", + "T1210", + "car.2013-07-002", + "detection.emerging-threats", + "cve.2019-0708" + ], + "title": "Scanner PoC for CVE-2019-0708 RDP RCE Vuln" + }, + { + "category": "", + "channel": [ + "System" + ], + "description": "Detect suspicious error on protocol RDP, potential CVE-2019-0708", + "event_ids": [ + "50", + "56" + ], + "id": "19979e7a-7d1e-a8e3-2a9e-9b3ac0059fa7", + "level": "medium", + "service": "system", + "subcategory_guids": [], + "tags": [ + "TA0008", + "T1210", + "car.2013-07-002", + "cve.2019-0708", + "detection.emerging-threats" + ], + "title": "Potential RDP Exploit CVE-2019-0708" + }, { "category": "process_creation", "channel": [ @@ -41097,8 +41215,8 @@ "T1552.001", "T1003.003", "detection.emerging-threats", - "T1003", - "T1552" + "T1552", + "T1003" ], "title": "Potential Russian APT Credential Theft Activity" }, 
@@ -41158,8 +41276,8 @@ "T1059.001", "detection.emerging-threats", "T1059", - "T1053", - "T1036" + "T1036", + "T1053" ], "title": "Operation Wocao Activity" }, @@ -41190,8 +41308,8 @@ "T1053.005", "T1059.001", "detection.emerging-threats", - "T1059", "T1036", + "T1059", "T1053" ], "title": "Operation Wocao Activity - Security" @@ -44782,9 +44900,9 @@ "T1021.002", "T1543.003", "T1569.002", - "T1569", + "T1543", "T1021", - "T1543" + "T1569" ], "title": "CobaltStrike Service Installations - Security" }, @@ -45288,8 +45406,8 @@ "T1570", "TA0002", "T1569.002", - "T1569", - "T1021" + "T1021", + "T1569" ], "title": "Metasploit Or Impacket Service Installation Via SMB PsExec" }, @@ -45418,8 +45536,8 @@ "T1003.006", "T1569.002", "attack.s0005", - "T1003", - "T1569" + "T1569", + "T1003" ], "title": "Credential Dumping Tools Service Execution - Security" }, @@ -45656,29 +45774,6 @@ ], "title": "RDP Login from Localhost" }, - { - "category": "", - "channel": [ - "sec" - ], - "description": "Detects the use of a scanner by zerosum0x0 that discovers targets vulnerable to CVE-2019-0708 RDP RCE aka BlueKeep", - "event_ids": [ - "4625" - ], - "id": "232ecd79-c09d-1323-8e7e-14322b766855", - "level": "high", - "service": "security", - "subcategory_guids": [ - "0CCE9215-69AE-11D9-BED3-505054503030", - "0CCE9217-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0008", - "T1210", - "car.2013-07-002" - ], - "title": "Scanner PoC for CVE-2019-0708 RDP RCE Vuln" - }, { "category": "", "channel": [ @@ -46467,8 +46562,8 @@ "T1485", "T1553.002", "attack.s0195", - "T1027", "T1070", + "T1027", "T1553" ], "title": "Potential Secure Deletion with SDelete" @@ -46517,8 +46612,8 @@ "T1087.002", "T1069.002", "attack.s0039", - "T1087", - "T1069" + "T1069", + "T1087" ], "title": "Reconnaissance Activity" }, @@ -47425,8 +47520,8 @@ "T1218.010", "TA0002", "TA0005", - "T1204", - "T1218" + "T1218", + "T1204" ], "title": "Excel Proxy Executing Regsvr32 With Payload Alternate" }, 
@@ -47585,8 +47680,8 @@ "T1218.010", "TA0002", "TA0005", - "T1218", - "T1204" + "T1204", + "T1218" ], "title": "Office Applications Spawning Wmi Cli Alternate" }, @@ -47769,8 +47864,8 @@ "T1218.010", "TA0002", "TA0005", - "T1218", - "T1204" + "T1204", + "T1218" ], "title": "New Lolbin Process by Office Applications" }, @@ -47989,8 +48084,8 @@ "T1218.010", "TA0002", "TA0005", - "T1204", - "T1218" + "T1218", + "T1204" ], "title": "WMI Execution Via Office Process" }, @@ -49256,8 +49351,8 @@ "service": "dns-client", "subcategory_guids": [], "tags": [ - "TA0011", "T1071.004", + "TA0011", "T1071" ], "title": "Suspicious Cobalt Strike DNS Beaconing - DNS Client" @@ -49506,27 +49601,6 @@ ], "title": "Certificate Private Key Acquired" }, - { - "category": "", - "channel": [ - "System" - ], - "description": "The attacker creates a computer object using those permissions with a password known to her.\nAfter that she clears the attribute ServicePrincipalName on the computer object.\nBecause she created the object (CREATOR OWNER), she gets granted additional permissions and can do many changes to the object.\n", - "event_ids": [ - "16990", - "16991" - ], - "id": "7ef3c84f-fc5f-e0e6-b94d-07dbb0c946eb", - "level": "medium", - "service": "system", - "subcategory_guids": [], - "tags": [ - "TA0006", - "T1558.003", - "T1558" - ], - "title": "Potential CVE-2021-42287 Exploitation Attempt" - }, { "category": "", "channel": [ @@ -49979,8 +50053,8 @@ "TA0002", "T1543.003", "T1569.002", - "T1543", - "T1569" + "T1569", + "T1543" ], "title": "Remote Access Tool Services Have Been Installed - System" }, @@ -50260,9 +50334,9 @@ "T1021.002", "T1543.003", "T1569.002", + "T1021", "T1543", - "T1569", - "T1021" + "T1569" ], "title": "CobaltStrike Service Installations - System" }, 
@@ -50562,27 +50636,6 @@ ], "title": "NTLMv1 Logon Between Client and Server" }, - { - "category": "", - "channel": [ - "System" - ], - "description": "Detect suspicious error on protocol RDP, potential CVE-2019-0708", - "event_ids": [ - "50", - "56" - ], - "id": "19979e7a-7d1e-a8e3-2a9e-9b3ac0059fa7", - "level": "medium", - "service": "system", - "subcategory_guids": [], - "tags": [ - "TA0008", - "T1210", - "car.2013-07-002" - ], - "title": "Potential RDP Exploit CVE-2019-0708" - }, { "category": "", "channel": [ @@ -50603,24 +50656,6 @@ ], "title": "NTFS Vulnerability Exploitation" }, - { - "category": "", - "channel": [ - "System" - ], - "description": "Detects the exploitation of a security bypass and elevation of privilege vulnerability with Authentication Negotiation by using weak RC4-HMAC negotiation", - "event_ids": [ - "42" - ], - "id": "87515290-bf9f-09a4-af0e-bac22cb017f6", - "level": "high", - "service": "system", - "subcategory_guids": [], - "tags": [ - "TA0004" - ], - "title": "KDC RC4-HMAC Downgrade CVE-2022-37966" - }, { "category": "", "channel": [ @@ -50903,24 +50938,6 @@ ], "title": "DHCP Server Loaded the CallOut DLL" }, - { - "category": "", - "channel": [ - "Application" - ], - "description": "During exploitation of this vulnerability, two logs (Provider_Name:Microsoft-Windows-User Profiles Service) with EventID 1511 and 1515 (maybe lot of false positives with this event) are created. Moreover, it appears the directory \\Users\\TEMP is created may be created during the exploitation. Viewed on 2008 Server", - "event_ids": [ - "1511" - ], - "id": "17e91768-3a0f-6d5f-bc0d-7f2d22391909", - "level": "low", - "service": "application", - "subcategory_guids": [], - "tags": [ - "TA0002" - ], - "title": "Suspicious Usage of CVE_2021_34484 or CVE 2022_21919" - }, { "category": "", "channel": [ @@ -53684,8 +53701,8 @@ "T1021.002", "T1569.002", "T1543", - "T1569", "T1021", + "T1569", "T1136" ], "title": "PSExec Lateral Movement"