From f6eaa21408a857eaa78f1a524b4a7ee447db2912 Mon Sep 17 00:00:00 2001
From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com>
Date: Wed, 29 Apr 2026 20:56:37 +0000
Subject: [PATCH] Sigma Rule Update (2026-04-29 20:56:29) (#327)
Co-authored-by: YamatoSecurity
---
 config/security_rules.json | 3255 ++++++++++++++++++------------------
 1 file changed, 1652 insertions(+), 1603 deletions(-)
diff --git a/config/security_rules.json b/config/security_rules.json
index 87cfe620..0826914b 100644
--- a/config/security_rules.json
+++ b/config/security_rules.json
@@ -503,8 +503,8 @@
  "T1570",
  "TA0002",
  "T1569.002",
- "T1569",
- "T1021"
+ "T1021",
+ "T1569"
  ],
  "title": "Metasploit Or Impacket Service Installation Via SMB PsExec"
  },
@@ -682,7 +682,7 @@
  "0CCE922B-69AE-11D9-BED3-505054503030"
  ],
  "tags": [
- "TA0005",
+ "attack.defense-impairment",
  "T1553.004",
  "T1553"
  ],
@@ -704,9 +704,9 @@
  "0CCE922B-69AE-11D9-BED3-505054503030"
  ],
  "tags": [
- "TA0005",
- "T1562.002",
- "T1562"
+ "attack.defense-impairment",
+ "T1685.001",
+ "T1685"
  ],
  "title": "Disable Windows IIS HTTP Logging"
  },
@@ -726,7 +726,7 @@
  "0CCE922B-69AE-11D9-BED3-505054503030"
  ],
  "tags": [
- "TA0005",
+ "attack.stealth",
  "T1216"
  ],
  "title": "Remote Code Execute via Winrm.vbs"
@@ -747,7 +747,7 @@
  "0CCE922B-69AE-11D9-BED3-505054503030"
  ],
  "tags": [
- "TA0005",
+ "attack.stealth",
  "T1202"
  ],
  "title": "Indirect Inline Command Execution Via Bash.EXE"
@@ -768,7 +768,7 @@
  "0CCE922B-69AE-11D9-BED3-505054503030"
  ],
  "tags": [
- "TA0005",
+ "attack.stealth",
  "T1216"
  ],
  "title": "Potential Manage-bde.wsf Abuse To Proxy Execution"
@@ -789,7 +789,7 @@
  "0CCE922B-69AE-11D9-BED3-505054503030"
  ],
  "tags": [
- "TA0005",
+ "attack.stealth",
  "T1218"
  ],
  "title": "File Download Via InstallUtil.EXE"
@@ -832,7 +832,7 @@
  "0CCE922B-69AE-11D9-BED3-505054503030"
  ],
  "tags": [
- "TA0005",
+ "attack.stealth",
  "T1564.001",
  "T1564"
  ],
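Review bot: The hunk at @@ -503 only swaps the order of `"T1569"` and `"T1021"` inside `tags`, and the same pure reordering recurs at @@ -2660, @@ -5500, @@ -7562, @@ -8383 and @@ -8624 without any other change to those rules. That pattern suggests the generator serializes tags in whatever order a set or map iteration yields, so unrelated rules churn on every regeneration and the real tag changes are buried in a 3255-line diff. Sorting the tag list deterministically (for example tactic identifiers first, then technique identifiers, each sorted) before writing the file would make regenerated output stable and reviewable.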
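Review bot: From @@ -682 onward every removed `"TA0005"` is replaced by the raw Sigma tag `"attack.defense-impairment"` or `"attack.stealth"`, while the pre-existing tactic tags stay as TAxxxx identifiers and the tactic added alongside (e.g. `"TA0002"` at @@ -3397 and @@ -3556) is converted normally. The two new tactic names are thus the only tactic entries in the file carrying the `attack.` prefix, which looks like the tactic-name-to-ID table in the converter has no entry for them rather than a deliberate change of representation. Any consumer that filters or groups rules on a `TA` prefix will silently lose the defense-evasion classification of every rule touched in this patch; either add the two names to the mapping with the identifier the ATT&CK release in use assigns, or document the mixed representation where the `tags` field is defined. The new technique identifiers introduced here (`"T1685"`, `"T1686"`, `"T1689"` and their sub-techniques) should likewise be checked against that ATT&CK release before merging, since a stale mapping would produce them just as easily as a real one.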
@@ -917,11 +917,9 @@
  "0CCE922B-69AE-11D9-BED3-505054503030"
  ],
  "tags": [
- "TA0005",
- "T1562.001",
- "T1070.001",
- "T1562",
- "T1070"
+ "attack.defense-impairment",
+ "T1685",
+ "T1685.005"
  ],
  "title": "Suspicious Windows Trace ETW Session Tamper Via Logman.EXE"
  },
@@ -945,27 +943,6 @@
  ],
  "title": "Obfuscated IP Download Activity"
  },
- {
- "category": "process_creation",
- "channel": [
- "sec"
- ],
- "description": "Detects a suspicious script executions from temporary folder",
- "event_ids": [
- "4688"
- ],
- "id": "18f506e1-2726-f3fa-8429-f7b06ce69825",
- "level": "high",
- "service": "",
- "subcategory_guids": [
- "0CCE922B-69AE-11D9-BED3-505054503030"
- ],
- "tags": [
- "TA0002",
- "T1059"
- ],
- "title": "Suspicious Script Execution From Temp Folder"
- },
  {
  "category": "process_creation",
  "channel": [
@@ -983,8 +960,8 @@
  ],
  "tags": [
  "TA0002",
+ "attack.stealth",
  "T1204.002",
- "TA0005",
  "T1218.014",
  "T1036.002",
  "T1204",
@@ -1009,9 +986,8 @@
  "0CCE922B-69AE-11D9-BED3-505054503030"
  ],
  "tags": [
- "TA0005",
- "T1562.001",
- "T1562"
+ "attack.defense-impairment",
+ "T1685"
  ],
  "title": "Add SafeBoot Keys Via Reg Utility"
  },
@@ -1054,7 +1030,7 @@
  "0CCE922B-69AE-11D9-BED3-505054503030"
  ],
  "tags": [
- "TA0005",
+ "attack.stealth",
  "T1027",
  "TA0002",
  "T1059.001",
@@ -1078,7 +1054,7 @@
  "0CCE922B-69AE-11D9-BED3-505054503030"
  ],
  "tags": [
- "TA0005",
+ "attack.stealth",
  "T1218"
  ],
  "title": "DeviceCredentialDeployment Execution"
@@ -1143,8 +1119,8 @@
  "0CCE922B-69AE-11D9-BED3-505054503030"
  ],
  "tags": [
+ "attack.stealth",
  "T1027",
- "TA0005",
  "TA0002",
  "T1140",
  "T1059.001",
@@ -1168,7 +1144,7 @@
  "0CCE922B-69AE-11D9-BED3-505054503030"
  ],
  "tags": [
- "TA0005"
+ "attack.defense-impairment"
  ],
  "title": "Firewall Rule Update Via Netsh.EXE"
  },
@@ -1188,7 +1164,7 @@
  "0CCE922B-69AE-11D9-BED3-505054503030"
  ],
  "tags": [
- "TA0005",
+ "attack.stealth",
  "T1140",
  "T1027"
  ],
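Review bot: The hunk at @@ -945 removes the high-level rule `Suspicious Script Execution From Temp Folder` (id `18f506e1-2726-f3fa-8429-f7b06ce69825`) outright, and nothing else in the patch reintroduces that id; the only related change is the reworded description at @@ -1735 of a rule covering the same temp-folder script execution, which may be the rule it was merged into upstream, but the commit does not say so. A bot-generated rule sync silently dropping a detection is a coverage regression that should be visible to whoever merges it, so the update job should list deleted rule ids (and the replacement id, where known) in the PR description. With that in place a reviewer can confirm the detection still exists under another id before the change lands.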
@@ -1210,11 +1186,11 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", + "attack.defense-impairment", "T1070", - "T1562.006", - "car.2016-04-002", - "T1562" + "T1685", + "car.2016-04-002" ], "title": "ETW Trace Evasion Activity" }, @@ -1234,7 +1210,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005" + "attack.stealth" ], "title": "Potential Suspicious Windows Feature Enabled - ProcCreation" }, @@ -1320,7 +1296,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1218", "TA0002" ], @@ -1342,7 +1318,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005" + "attack.stealth" ], "title": "Suspicious Execution of InstallUtil Without Log" }, @@ -1383,7 +1359,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "TA0002", + "attack.stealth", "T1127" ], "title": "Use of Remote.exe" @@ -1404,9 +1381,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", - "T1562.001", - "T1562" + "attack.defense-impairment", + "T1685" ], "title": "Suspicious Uninstall of Windows Defender Feature via PowerShell" }, @@ -1426,9 +1402,9 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", "TA0006", "TA0011", + "attack.stealth", "T1218", "T1564.004", "T1552.001", @@ -1455,8 +1431,8 @@ ], "tags": [ "TA0002", + "attack.stealth", "T1059.001", - "TA0005", "T1027", "T1620", "T1059" @@ -1501,7 +1477,6 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", "TA0004", "T1548.002", "T1548" @@ -1567,7 +1542,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1070.005", "T1070" ], @@ -1589,7 +1564,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "TA0002", + "attack.stealth", "T1127" ], "title": "Potentially Suspicious ASP.NET Compilation Via AspNetCompiler" @@ -1657,8 +1633,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", "TA0040", + "attack.stealth", "T1070", "T1490" ], 
@@ -1735,7 +1711,7 @@ "channel": [ "sec" ], - "description": "Detects a suspicious script execution in temporary folders or folders accessible by environment variables", + "description": "Detects suspicious script execution from suspicious directories or folders accessible by environment variables that may indicate malware activity.\nScript interpreters (cscript, wscript, mshta, powershell) executing from folders like Temp, Public, or user profile directories may suggest attempts to evade detection or execute malicious scripts.\n", "event_ids": [ "4688" ], @@ -1767,7 +1743,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1036" ], "title": "CodePage Modification Via MODE.COM To Russian Language" @@ -1788,7 +1764,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005" + "attack.stealth" ], "title": "Potentially Suspicious Windows App Activity" }, @@ -1809,7 +1785,7 @@ ], "tags": [ "TA0002", - "TA0005", + "attack.stealth", "T1218" ], "title": "Arbitrary MSI Download Via Devinit.EXE" @@ -1830,13 +1806,13 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ + "attack.stealth", "T1204.002", "T1047", "T1218.010", "TA0002", - "TA0005", - "T1218", - "T1204" + "T1204", + "T1218" ], "title": "Suspicious WMIC Execution Via Office Process" }, @@ -1856,7 +1832,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1218" ], "title": "Self Extracting Package Creation Via Iexpress.EXE From Potentially Suspicious Location" @@ -1922,7 +1898,7 @@ ], "tags": [ "TA0004", - "TA0005", + "attack.stealth", "T1055.001", "T1055" ], @@ -1944,7 +1920,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1216.001", "T1216" ], @@ -1966,7 +1942,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005" + "attack.stealth" ], "title": "PowerShell Script Change Permission Via Set-Acl" }, 
@@ -2009,7 +1985,6 @@ ], "tags": [ "TA0004", - "TA0005", "T1548.002", "T1548" ], @@ -2032,8 +2007,8 @@ ], "tags": [ "TA0002", + "attack.defense-impairment", "T1059", - "TA0005", "T1222.001", "T1222" ], @@ -2097,7 +2072,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1218" ], "title": "BitLockerTogo.EXE Execution" @@ -2139,7 +2114,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1027" ], "title": "Suspicious File Encoded To Base64 Via Certutil.EXE" @@ -2183,7 +2158,6 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", "TA0004", "T1548.002", "T1548" @@ -2206,7 +2180,6 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", "TA0002", "TA0006", "T1003.001", @@ -2252,7 +2225,6 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", "TA0004", "T1548.002", "T1548" @@ -2275,8 +2247,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", "TA0008", + "attack.stealth", "T1021.003", "T1218", "T1021" @@ -2299,7 +2271,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1036" ], "title": "Potential Fake Instance Of Hxtsr.EXE Executed" @@ -2321,7 +2293,7 @@ ], "tags": [ "TA0002", - "TA0005", + "attack.stealth", "T1218", "T1202" ], @@ -2343,9 +2315,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", - "T1562.001", - "T1562" + "attack.defense-impairment", + "T1685" ], "title": "Powershell Base64 Encoded MpPreference Cmdlet" }, @@ -2408,9 +2379,8 @@ ], "tags": [ "TA0002", - "TA0005", - "T1562.001", - "T1562" + "attack.defense-impairment", + "T1685" ], "title": "Service StartupType Change Via Sc.EXE" }, @@ -2454,8 +2424,8 @@ ], "tags": [ "TA0003", - "T1112", - "TA0005" + "attack.defense-impairment", + "T1112" ], "title": "Registry Modification Via Regini.EXE" }, @@ -2475,7 +2445,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1070.004", "T1070" ], 
@@ -2497,8 +2467,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", "TA0002", + "attack.stealth", "T1127", "T1059.007", "T1059" @@ -2569,8 +2539,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", "TA0002", + "attack.stealth", "T1218" ], "title": "XBAP Execution From Uncommon Locations Via PresentationHost.EXE" @@ -2591,9 +2561,9 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", "TA0002", "TA0008", + "attack.stealth", "T1021.002", "T1218.011", "T1021", @@ -2617,7 +2587,6 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", "TA0004", "T1548.002", "T1548" @@ -2660,14 +2629,14 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1140", "T1218.005", "TA0002", "T1059.007", "cve.2020-1599", - "T1218", - "T1059" + "T1059", + "T1218" ], "title": "MSHTA Execution with Suspicious File Extensions" }, @@ -2687,7 +2656,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1216" ], "title": "Assembly Loading Via CL_LoadAssembly.ps1" @@ -2708,7 +2677,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1218" ], "title": "Malicious Windows Script Components File Execution by TAEF Detection" @@ -2816,7 +2785,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1564.004", "T1564" ], @@ -2839,7 +2808,6 @@ ], "tags": [ "TA0004", - "TA0005", "T1548.002", "T1548" ], @@ -2861,7 +2829,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1218" ], "title": "Potentially Suspicious Child Process Of DiskShadow.EXE" @@ -2926,7 +2894,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1218.010", "T1218" ], @@ -2949,7 +2917,7 @@ ], "tags": [ "TA0003", - "TA0005", + "attack.stealth", "T1542.001", "T1542" ], 
@@ -2971,7 +2939,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1218.011", "T1218" ], @@ -2993,7 +2961,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1036", "T1218" ], @@ -3015,8 +2983,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", - "TA0004" + "TA0004", + "attack.stealth" ], "title": "UAC Bypass Using Event Viewer RecentViews" }, @@ -3036,7 +3004,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005" + "attack.stealth" ], "title": "Suspicious Obfuscated PowerShell Code" }, @@ -3148,7 +3116,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1218" ], "title": "Potential Password Spraying Attempt Using Dsacls.EXE" @@ -3191,7 +3159,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1036.005", "T1036" ], @@ -3237,9 +3205,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", - "T1562.001", - "T1562" + "attack.defense-impairment", + "T1685" ], "title": "Hypervisor-protected Code Integrity (HVCI) Related Registry Tampering Via CommandLine" }, @@ -3285,8 +3252,8 @@ "tags": [ "TA0008", "TA0002", + "attack.stealth", "T1072", - "TA0005", "T1218" ], "title": "Suspicious Csi.exe Usage" @@ -3397,8 +3364,9 @@ ], "tags": [ "TA0003", - "TA0005", "TA0004", + "TA0002", + "attack.stealth", "T1574.011", "T1574" ], @@ -3511,9 +3479,9 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", - "T1562.004", - "T1562" + "attack.defense-impairment", + "T1686.003", + "T1686" ], "title": "Firewall Rule Deleted Via Netsh.EXE" }, 
@@ -3533,11 +3501,32 @@
  "0CCE922B-69AE-11D9-BED3-505054503030"
  ],
  "tags": [
- "TA0005",
+ "attack.stealth",
  "T1036"
  ],
  "title": "New Process Created Via Taskmgr.EXE"
  },
+ {
+ "category": "process_creation",
+ "channel": [
+ "sec"
+ ],
+ "description": "Detects system restore registry modification via command line, which can be used by adversaries to disable system restore on the computer.\n",
+ "event_ids": [
+ "4688"
+ ],
+ "id": "1c46443a-7a5b-7da5-7af3-427a3568a5dc",
+ "level": "high",
+ "service": "",
+ "subcategory_guids": [
+ "0CCE922B-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0040",
+ "T1490"
+ ],
+ "title": "System Restore Registry Modification via CommandLine"
+ },
  {
  "category": "process_creation",
  "channel": [
@@ -3556,7 +3545,8 @@
  "tags": [
  "TA0004",
  "TA0003",
- "TA0005",
+ "TA0002",
+ "attack.stealth",
  "T1574.001",
  "T1574"
  ],
@@ -3579,7 +3569,7 @@
  ],
  "tags": [
  "TA0004",
- "TA0005",
+ "attack.stealth",
  "T1055"
  ],
  "title": "Dllhost.EXE Execution Anomaly"
@@ -3623,8 +3613,9 @@
  ],
  "tags": [
  "TA0003",
- "TA0005",
  "TA0004",
+ "TA0002",
+ "attack.stealth",
  "T1574.011",
  "T1574"
  ],
@@ -3668,7 +3659,7 @@
  "0CCE922B-69AE-11D9-BED3-505054503030"
  ],
  "tags": [
- "TA0005",
+ "attack.stealth",
  "T1220"
  ],
  "title": "Msxsl.EXE Execution"
@@ -3689,7 +3680,7 @@
  "0CCE922B-69AE-11D9-BED3-505054503030"
  ],
  "tags": [
- "TA0005",
+ "attack.stealth",
  "T1218",
  "TA0008",
  "T1021.003",
@@ -3713,7 +3704,7 @@
  "0CCE922B-69AE-11D9-BED3-505054503030"
  ],
  "tags": [
- "TA0005",
+ "attack.stealth",
  "T1218"
  ],
  "title": "Potential Mpclient.DLL Sideloading Via OfflineScannerShell.EXE Execution"
@@ -3797,7 +3788,7 @@
  "0CCE922B-69AE-11D9-BED3-505054503030"
  ],
  "tags": [
- "TA0005",
+ "attack.stealth",
  "T1027",
  "TA0002",
  "T1059.001",
@@ -3864,9 +3855,9 @@
  "0CCE922B-69AE-11D9-BED3-505054503030"
  ],
  "tags": [
- "TA0005",
- "T1562.002",
- "T1562"
+ "attack.defense-impairment",
+ "T1685.001",
+ "T1685"
  ],
  "title": "Audit Policy Tampering Via Auditpol"
  },
@@ -3992,8 +3983,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", "TA0004", + "attack.stealth", "T1055.001", "T1218.013", "T1218", @@ -4019,7 +4010,7 @@ "tags": [ "TA0004", "TA0003", - "TA0005", + "attack.stealth", "T1574", "TA0002" ], @@ -4041,9 +4032,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", - "T1562.001", - "T1562" + "attack.defense-impairment", + "T1685" ], "title": "Dism Remove Online Package" }, @@ -4064,7 +4054,7 @@ ], "tags": [ "TA0004", - "TA0005", + "attack.stealth", "T1134.001", "T1134.003", "T1134" @@ -4087,8 +4077,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", - "TA0002" + "TA0002", + "attack.stealth" ], "title": "Wab Execution From Non Default Location" }, @@ -4129,7 +4119,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1202" ], "title": "Potential Arbitrary File Download Using Office Application" @@ -4195,8 +4185,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", - "TA0002" + "TA0002", + "attack.stealth" ], "title": "Mshtml.DLL RunHTMLApplication Suspicious Usage" }, @@ -4216,10 +4206,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", - "T1562.001", - "T1562.006", - "T1562" + "attack.defense-impairment", + "T1685" ], "title": "Windows AMSI Related Registry Tampering Via CommandLine" }, @@ -4239,7 +4227,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1218" ], "title": "Lolbin Unregmp2.exe Use As Proxy" @@ -4280,7 +4268,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1027", "TA0002", "T1059.001", @@ -4349,7 +4337,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1564.004", "T1564" ], @@ -4373,7 +4361,8 @@ "tags": [ "TA0004", "TA0003", - "TA0005", + "TA0002", + "attack.stealth", "T1574.001", "T1574" ], 
@@ -4397,8 +4386,8 @@ "tags": [ "TA0004", "TA0002", - "TA0005", "TA0003", + "attack.stealth", "T1036.005", "T1053.005", "T1036", @@ -4511,8 +4500,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", - "T1562" + "attack.defense-impairment", + "T1685" ], "title": "ETW Logging Tamper In .NET Processes Via CommandLine" }, @@ -4532,7 +4521,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1218.011", "T1218" ], @@ -4578,7 +4567,7 @@ ], "tags": [ "TA0002", - "TA0005", + "attack.stealth", "T1047", "T1204.002", "T1218.010", @@ -4624,7 +4613,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1027.005", "T1027" ], @@ -4734,7 +4723,7 @@ ], "tags": [ "TA0002", - "TA0005", + "attack.stealth", "T1059", "T1202" ], @@ -4776,8 +4765,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", "TA0004", + "attack.stealth", "T1055" ], "title": "Process Creation Using Sysnative Folder" @@ -4840,7 +4829,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005" + "attack.stealth" ], "title": "Suspicious Powercfg Execution To Change Lock Screen Timeout" }, @@ -4860,7 +4849,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1218.005", "car.2013-02-003", "car.2013-03-001", @@ -4929,7 +4918,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1216.001", "T1216" ], @@ -4973,7 +4962,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1218" ], "title": "New Capture Session Launched Via DXCap.EXE" @@ -4994,7 +4983,6 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", "TA0004", "T1548" ], @@ -5081,8 +5069,8 @@ ], "tags": [ "TA0002", + "attack.stealth", "T1059", - "TA0005", "T1202" ], "title": "Potential Arbitrary Command Execution Via FTP.EXE" 
@@ -5187,7 +5175,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1036" ], "title": "Taskmgr as LOCAL_SYSTEM" @@ -5232,7 +5220,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1218.008", "T1218" ], @@ -5254,7 +5242,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1218.001", "T1218" ], @@ -5276,8 +5264,9 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", "TA0003", + "TA0002", + "attack.stealth", "T1197", "attack.s0190", "T1036.003", @@ -5302,8 +5291,8 @@ ], "tags": [ "TA0003", - "T1112", - "TA0005" + "attack.defense-impairment", + "T1112" ], "title": "Imports Registry Key From a File" }, @@ -5323,8 +5312,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ + "attack.stealth", "T1202", - "TA0005", "T1218" ], "title": "Potentially Suspicious Child Processes Spawned by ConHost" @@ -5448,7 +5437,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1218.011", "T1218" ], @@ -5472,8 +5461,8 @@ "tags": [ "TA0004", "TA0001", - "TA0005", "TA0003", + "attack.stealth", "T1078.002", "T1098", "T1078" @@ -5500,8 +5489,8 @@ "T1563.002", "T1021.001", "car.2013-07-002", - "T1021", - "T1563" + "T1563", + "T1021" ], "title": "Suspicious RDP Redirect Using TSCON" }, @@ -5521,7 +5510,6 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", "TA0004", "T1548.002", "T1548" @@ -5544,7 +5532,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005" + "attack.stealth" ], "title": "Uncommon FileSystem Load Attempt By Format.com" }, @@ -5584,7 +5572,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1220" ], "title": "Remote XSL Execution Via Msxsl.EXE" @@ -5605,7 +5593,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1036", "T1003.001", "TA0006", 
@@ -5712,8 +5700,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", - "TA0002" + "TA0002", + "attack.stealth" ], "title": "Weak or Abused Passwords In CLI" }, @@ -5782,7 +5770,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1218.009", "T1218" ], @@ -5826,7 +5814,6 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", "TA0004", "T1548.002", "T1548" @@ -5849,7 +5836,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1218.001", "T1218" ], @@ -5872,7 +5859,6 @@ ], "tags": [ "TA0008", - "TA0005", "TA0011", "T1090" ], @@ -5895,7 +5881,7 @@ ], "tags": [ "TA0003", - "TA0005", + "attack.defense-impairment", "T1112" ], "title": "Non-privileged Usage of Reg or Powershell" @@ -5916,8 +5902,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", "TA0002", + "attack.stealth", "T1218" ], "title": "Process Proxy Execution Via Squirrel.EXE" @@ -6004,7 +5990,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005" + "attack.stealth" ], "title": "Kernel Memory Dump Via LiveKD" }, @@ -6024,7 +6010,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1218.009", "T1218" ], @@ -6046,7 +6032,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1027", "TA0011", "T1105" @@ -6135,7 +6121,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1036.005", "T1036" ], @@ -6157,7 +6143,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.defense-impairment", "T1222.001", "T1222" ], @@ -6179,7 +6165,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1216" ], "title": "Potential Process Execution Proxy Via CL_Invocation.ps1" 
@@ -6200,7 +6186,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1218" ], "title": "Uncommon AddinUtil.EXE CommandLine Execution" @@ -6221,7 +6207,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005" + "attack.stealth" ], "title": "Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 2" }, @@ -6241,7 +6227,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1218", "TA0002" ], @@ -6263,7 +6249,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1036", "T1003.001", "TA0006", @@ -6288,8 +6274,8 @@ ], "tags": [ "TA0003", - "TA0005", "TA0040", + "attack.defense-impairment", "T1112", "T1491.001", "T1491" @@ -6333,9 +6319,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", - "T1562.001", - "T1562" + "attack.defense-impairment", + "T1685" ], "title": "Windows Credential Guard Registry Tampering Via CommandLine" }, @@ -6356,8 +6341,9 @@ ], "tags": [ "TA0003", - "TA0005", "TA0004", + "TA0002", + "attack.stealth", "T1574.011", "T1574" ], @@ -6465,7 +6451,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1218.008", "T1218" ], @@ -6488,7 +6474,7 @@ ], "tags": [ "TA0003", - "TA0005", + "attack.defense-impairment", "T1112" ], "title": "Run Once Task Execution as Configured in Registry" @@ -6509,7 +6495,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1564.001", "T1564" ], @@ -6575,7 +6561,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "TA0002", + "attack.stealth", "T1127" ], "title": "C# IL Code Compilation Via Ilasm.EXE" @@ -6596,9 +6583,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", - "T1562.010", - "T1562" + "attack.defense-impairment", + "T1689" ], "title": "LSA PPL Protection Setting Modification via CommandLine" }, 
@@ -6663,10 +6649,10 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", "TA0002", + "attack.defense-impairment", "T1047", - "T1562" + "T1685" ], "title": "Potential Windows Defender Tampering Via Wmic.EXE" }, @@ -6686,8 +6672,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", "TA0002", + "attack.stealth", "T1218.011", "T1218" ], @@ -6777,7 +6763,7 @@ ], "tags": [ "TA0003", - "TA0005", + "attack.defense-impairment", "T1112" ], "title": "ShimCache Flush" @@ -6798,11 +6784,10 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", - "T1562.001", + "attack.defense-impairment", + "T1685", "TA0006", "T1003.001", - "T1562", "T1003" ], "title": "PPL Tampering Via WerFaultSecure" @@ -6871,7 +6856,7 @@ ], "tags": [ "TA0002", - "TA0005" + "attack.stealth" ], "title": "Potentially Suspicious Child Process Of ClickOnce Application" }, @@ -6891,7 +6876,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1027", "TA0011", "T1105" @@ -6938,8 +6923,8 @@ ], "tags": [ "TA0002", + "attack.stealth", "T1204.004", - "TA0005", "T1027.010", "T1204", "T1027" @@ -6962,9 +6947,9 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", - "T1562.004", - "T1562" + "attack.defense-impairment", + "T1686.003", + "T1686" ], "title": "Netsh Allow Group Policy on Microsoft Defender Firewall" }, @@ -7005,7 +6990,6 @@ ], "tags": [ "TA0008", - "TA0005", "TA0011", "T1090" ], @@ -7027,8 +7011,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", "TA0040", + "attack.stealth", "T1070", "T1485" ], @@ -7119,7 +7103,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1564.004", "T1564" ], @@ -7141,7 +7125,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1218", "TA0002" ], @@ -7231,9 +7215,9 @@ ], "tags": [ "TA0004", - "TA0005", "TA0003", "TA0002", + "attack.stealth", "T1574.001", "T1574" ], 
@@ -7387,9 +7371,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", - "T1562.001", - "T1562" + "attack.defense-impairment", + "T1685" ], "title": "Potential AMSI Bypass Using NULL Bits" }, @@ -7456,7 +7439,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1027", "TA0002", "T1059.001", @@ -7480,12 +7463,11 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", "TA0003", "TA0004", + "attack.defense-impairment", "T1543.003", - "T1562.001", - "T1562", + "T1685", "T1543" ], "title": "Devcon Execution Disabling VMware VMCI Device" @@ -7507,8 +7489,8 @@ ], "tags": [ "TA0006", - "TA0005", "TA0004", + "attack.stealth", "T1134", "T1003", "T1027" @@ -7531,7 +7513,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1564.004", "T1564" ], @@ -7562,8 +7544,8 @@ "car.2013-08-001", "T1053.005", "T1059.001", - "T1059", - "T1053" + "T1053", + "T1059" ], "title": "HackTool - Default PowerSploit/Empire Scheduled Task Creation" }, @@ -7583,8 +7565,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", "TA0002", + "attack.stealth", "T1218.003", "attack.g0069", "car.2019-04-001", @@ -7608,9 +7590,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", - "T1562.001", - "T1562" + "attack.defense-impairment", + "T1685" ], "title": "Disabling Windows Defender WMI Autologger Session via Reg.exe" }, @@ -7630,9 +7611,9 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", "TA0003", "TA0002", + "attack.defense-impairment", "T1112", "T1059.005", "T1059" @@ -7721,11 +7702,11 @@ ], "tags": [ "TA0003", - "TA0005", - "T1562.002", + "attack.defense-impairment", + "T1685.001", "T1112", "car.2022-03-001", - "T1562" + "T1685" ], "title": "Security Event Logging Disabled via MiniNt Registry Key - Process" }, @@ -7767,7 +7748,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1218", "TA0002" ], 
@@ -7832,8 +7813,8 @@ ], "tags": [ "TA0002", + "attack.stealth", "T1059.001", - "TA0005", "T1127", "T1059" ], @@ -7879,7 +7860,7 @@ ], "tags": [ "TA0002", - "TA0005", + "attack.stealth", "T1036" ], "title": "Potential ReflectDebugger Content Execution Via WerFault.EXE" @@ -7900,7 +7881,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1027", "TA0002", "T1059.001", @@ -7924,8 +7905,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ + "attack.stealth", "T1218.011", - "TA0005", "T1218" ], "title": "Rundll32 InstallScreenSaver Execution" @@ -7947,7 +7928,7 @@ ], "tags": [ "TA0003", - "TA0005", + "attack.defense-impairment", "T1112" ], "title": "Suspicious VBoxDrvInst.exe Parameters" @@ -7968,7 +7949,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1218.005", "T1218" ], @@ -8012,7 +7993,6 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", "TA0006", "T1558.003", "TA0008", @@ -8083,8 +8063,8 @@ ], "tags": [ "TA0003", - "TA0005", "TA0006", + "attack.defense-impairment", "T1556.002", "T1556" ], @@ -8128,7 +8108,7 @@ ], "tags": [ "TA0002", - "TA0005", + "attack.stealth", "T1059", "T1202" ], @@ -8199,8 +8179,8 @@ "TA0004", "TA0002", "TA0003", + "attack.stealth", "T1053.005", - "TA0005", "T1218", "TA0011", "T1105", @@ -8224,7 +8204,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1070.004", "T1070" ], @@ -8334,10 +8314,9 @@ ], "tags": [ "TA0003", - "TA0005", + "attack.defense-impairment", "T1112", - "T1562.001", - "T1562" + "T1685" ], "title": "Reg Add Suspicious Paths" }, @@ -8357,7 +8336,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1218.008", "T1218" ], @@ -8383,8 +8362,8 @@ "T1087.002", "T1069.002", "T1482", - "T1087", - "T1069" + "T1069", + "T1087" ], "title": "Suspicious Active Directory Database Snapshot Via ADExplorer" }, 
@@ -8404,7 +8383,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005" + "attack.stealth" ], "title": "Remote Access Tool - RURAT Execution From Unusual Location" }, @@ -8424,9 +8403,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", - "T1562.001", - "T1562" + "attack.defense-impairment", + "T1685" ], "title": "Raccine Uninstall" }, @@ -8532,8 +8510,8 @@ ], "tags": [ "TA0002", + "attack.stealth", "T1059.001", - "TA0005", "T1218", "TA0011", "T1105", @@ -8557,7 +8535,6 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", "TA0002", "T1059" ], @@ -8602,7 +8579,7 @@ ], "tags": [ "TA0004", - "TA0005", + "attack.stealth", "T1055" ], "title": "Suspicious Rundll32 Invoking Inline VBScript" @@ -8624,14 +8601,14 @@ ], "tags": [ "TA0002", + "attack.stealth", "T1059.005", "T1059.007", - "TA0005", "T1218.005", "T1027.004", "T1059", - "T1218", - "T1027" + "T1027", + "T1218" ], "title": "Csc.EXE Execution Form Potentially Suspicious Parent" }, @@ -8651,7 +8628,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1036.003", "T1036" ], @@ -8699,7 +8676,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005" + "attack.stealth" ], "title": "Potentially Suspicious GoogleUpdate Child Process" }, @@ -8743,8 +8720,8 @@ "tags": [ "TA0003", "TA0002", - "TA0005", "TA0004", + "attack.stealth", "T1203", "T1574.001", "T1574" @@ -8767,13 +8744,13 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1027.010", "T1218.007", "TA0002", "T1059.001", - "T1218", "T1027", + "T1218", "T1059" ], "title": "Obfuscated PowerShell MSI Install via WindowsInstaller COM" @@ -8817,9 +8794,9 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", - "T1562.002", - "T1562" + "attack.defense-impairment", + "T1685.001", + "T1685" ], "title": "HackTool - SharpEvtMute Execution" }, 
@@ -8883,7 +8860,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1036", "T1003.001", "TA0006", @@ -8972,7 +8949,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005" + "attack.stealth" ], "title": "Suspicious IIS URL GlobalRules Rewrite Via AppCmd" }, @@ -8992,9 +8969,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", - "T1562.001", - "T1562" + "attack.defense-impairment", + "T1685" ], "title": "Potential AMSI Bypass Via .NET Reflection" }, @@ -9058,7 +9034,7 @@ ], "tags": [ "TA0002", - "TA0005", + "attack.stealth", "T1059.005", "T1059.001", "T1218", @@ -9154,7 +9130,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1036" ], "title": "Potential Command Line Path Traversal Evasion Attempt" @@ -9196,7 +9172,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1218.010", "T1218" ], @@ -9218,7 +9194,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1218", "T1027.004", "T1027" @@ -9241,9 +9217,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", - "T1562.001", - "T1562" + "attack.defense-impairment", + "T1685" ], "title": "Taskkill Symantec Endpoint Protection" }, @@ -9263,7 +9238,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1564.004", "T1564" ], @@ -9329,7 +9304,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005" + "attack.stealth" ], "title": "Potential Memory Dumping Activity Via LiveKD" }, @@ -9371,7 +9346,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1218" ], "title": "REGISTER_APP.VBS Proxy Execution" @@ -9393,7 +9368,7 @@ ], "tags": [ "TA0002", - "TA0005", + "attack.stealth", "T1027", "T1059.001", "T1059" 
@@ -9481,10 +9456,10 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", - "T1562.004", + "attack.defense-impairment", + "T1686.003", "attack.s0108", - "T1562" + "T1686" ], "title": "Firewall Disabled via Netsh.EXE" }, @@ -9591,7 +9566,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1218" ], "title": "Suspicious Provlaunch.EXE Child Process" @@ -9633,7 +9608,6 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", "TA0004", "T1548.002", "T1548" @@ -9656,7 +9630,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005" + "attack.stealth" ], "title": "Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 4" }, @@ -9721,7 +9695,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005" + "attack.defense-impairment" ], "title": "Potentially Suspicious Call To Win32_NTEventlogFile Class" }, @@ -9741,7 +9715,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1218", "TA0011", "T1105" @@ -9808,7 +9782,7 @@ ], "tags": [ "TA0004", - "TA0005", + "attack.stealth", "T1134.004", "T1134" ], @@ -9830,7 +9804,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1218" ], "title": "Gpscript Execution" @@ -9872,7 +9846,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1218.007", "T1218" ], @@ -9939,9 +9913,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", - "T1562.001", - "T1562" + "attack.defense-impairment", + "T1685" ], "title": "Potential Tampering With Security Products Via WMIC" }, @@ -9984,8 +9957,9 @@ ], "tags": [ "TA0004", - "TA0005", "TA0003", + "TA0002", + "attack.stealth", "T1574.011", "T1574" ], @@ -10053,7 +10027,8 @@ "tags": [ "TA0004", "TA0003", - "TA0005", + "TA0002", + "attack.stealth", "T1574.001", "T1574" ], 
@@ -10075,7 +10050,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1218" ], "title": "Wlrmdr.EXE Uncommon Argument Or Child Process" @@ -10118,7 +10093,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1216" ], "title": "Uncommon Sigverif.EXE Child Process" @@ -10139,7 +10114,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1218.008", "T1218" ], @@ -10187,8 +10162,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", "TA0002", + "attack.stealth", "T1218" ], "title": "Arbitrary File Download Via MSOHTMED.EXE" @@ -10209,7 +10184,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1218" ], "title": "Verclsid.exe Runs COM Object" @@ -10230,9 +10205,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", - "T1562.001", - "T1562" + "attack.defense-impairment", + "T1685" ], "title": "Suspicious Windows Defender Registry Key Tampering Via Reg.EXE" }, @@ -10273,9 +10247,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", - "T1562.001", - "T1562" + "attack.defense-impairment", + "T1685" ], "title": "Vulnerable Driver Blocklist Registry Tampering Via CommandLine" }, @@ -10295,9 +10268,9 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", "TA0004", - "cve.2023-21746" + "cve.2023-21746", + "attack.stealth" ], "title": "HackTool - LocalPotato Execution" }, @@ -10317,7 +10290,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1202" ], "title": "Indirect Command Execution From Script File Via Bash.EXE" @@ -10359,9 +10332,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", - "T1562.001", - "T1562" + "attack.defense-impairment", + "T1685" ], "title": "Uninstall Crowdstrike Falcon Sensor" }, 
@@ -10424,7 +10396,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1027" ], "title": "Certificate Exported Via Certutil.EXE" @@ -10445,7 +10417,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005" + "attack.stealth" ], "title": "PowerShell Set-Acl On Windows Folder" }, @@ -10488,8 +10460,8 @@ "tags": [ "TA0003", "TA0002", - "TA0005", "TA0007", + "attack.defense-impairment", "T1047", "T1112", "T1012" @@ -10517,9 +10489,9 @@ "TA0011", "T1071.004", "T1132.001", - "T1071", "T1132", - "T1048" + "T1048", + "T1071" ], "title": "DNS Exfiltration and Tunneling Tools Execution" }, @@ -10539,7 +10511,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1218" ], "title": "Ie4uinit Lolbin Use From Invalid Path" @@ -10604,7 +10576,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1036" ], "title": "Suspicious Windows Update Agent Empty Cmdline" @@ -10668,7 +10640,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1218.011", "T1218" ], @@ -10690,7 +10662,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1564.006", "T1564" ], @@ -10712,7 +10684,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1218" ], "title": "Diskshadow Script Mode - Uncommon Script Extension Execution" @@ -10803,7 +10775,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1036", "car.2013-05-002" ], @@ -10846,7 +10818,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1216" ], "title": "UtilityFunctions.ps1 Proxy Dll" @@ -10867,9 +10839,9 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", "TA0002", "TA0001", + "attack.stealth", "T1047", "T1059.001", "T1059.003", 
@@ -10926,7 +10898,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1216" ], "title": "AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl" @@ -10971,8 +10943,8 @@ ], "tags": [ "TA0002", + "attack.stealth", "T1106", - "TA0005", "T1218", "T1127" ], @@ -10994,8 +10966,9 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", "TA0003", + "TA0002", + "attack.stealth", "T1197", "attack.s0190", "T1036.003", @@ -11021,9 +10994,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", - "T1562.001", - "T1562" + "attack.defense-impairment", + "T1685" ], "title": "Uninstall Sysinternals Sysmon" }, @@ -11043,15 +11015,15 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", "TA0006", "TA0011", + "attack.stealth", "T1218", "T1564.004", "T1552.001", "T1105", - "T1552", - "T1564" + "T1564", + "T1552" ], "title": "Insensitive Subfolder Search Via Findstr.EXE" }, @@ -11142,8 +11114,8 @@ "TA0003", "T1053.005", "T1059.001", - "T1059", - "T1053" + "T1053", + "T1059" ], "title": "Scheduled Task Executing Encoded Payload from Registry" }, @@ -11250,7 +11222,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1036.003", "T1036.005", "T1036" @@ -11273,7 +11245,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1027", "TA0002", "T1059.001", @@ -11298,7 +11270,7 @@ ], "tags": [ "TA0002", - "TA0005", + "attack.stealth", "T1218", "T1202", "T1036.005", @@ -11322,7 +11294,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "TA0002", + "attack.stealth", "T1127" ], "title": "Use of Wfc.exe" @@ -11343,7 +11316,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1218.009", "T1218" ], 
@@ -11387,10 +11360,11 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", + "attack.defense-impairment", "T1070", - "T1562", - "T1562.002" + "T1685", + "T1685.001" ], "title": "Filter Driver Unloaded Via Fltmc.EXE" }, @@ -11410,7 +11384,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1070.004", "T1070" ], @@ -11453,7 +11427,7 @@ ], "tags": [ "TA0002", - "TA0005", + "attack.stealth", "T1218" ], "title": "MpiExec Lolbin" @@ -11517,8 +11491,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", "TA0006", + "attack.stealth", "T1218", "T1003.001", "T1003" @@ -11542,8 +11516,8 @@ ], "tags": [ "TA0002", + "attack.stealth", "T1059.001", - "TA0005", "T1027", "T1059" ], @@ -11588,7 +11562,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005" + "attack.stealth" ], "title": "LOLBIN Execution From Abnormal Drive" }, @@ -11608,7 +11582,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1564.004", "T1564" ], @@ -11630,7 +11604,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1218" ], "title": "Potential Provlaunch.EXE Binary Proxy Execution Abuse" @@ -11651,7 +11625,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1027" ], "title": "File In Suspicious Location Encoded To Base64 Via Certutil.EXE" @@ -11674,7 +11648,6 @@ "tags": [ "TA0011", "TA0003", - "TA0005", "T1219" ], "title": "Suspicious Velociraptor Child Process" @@ -11744,7 +11717,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1047", "T1220", "TA0002", @@ -11770,9 +11743,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", - "T1562.001", - "T1562" + "attack.defense-impairment", + "T1685" ], "title": "Sysmon Configuration Update" }, 
@@ -11792,7 +11764,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1202" ], "title": "Indirect Command Execution via SFTP ProxyCommand" @@ -11813,9 +11785,9 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", "TA0006", "TA0009", + "attack.stealth", "T1185", "T1564.003", "T1564" @@ -11838,7 +11810,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1218" ], "title": "Process Memory Dump Via Dotnet-Dump" @@ -11859,7 +11831,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1027" ], "title": "Renamed AutoIt Execution" @@ -11880,7 +11852,6 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", "TA0004", "T1548.002", "T1548" @@ -11903,7 +11874,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1036", "TA0006", "T1003.001", @@ -11973,8 +11944,8 @@ ], "tags": [ "TA0002", + "attack.stealth", "T1059", - "TA0005", "T1202" ], "title": "Suspicious Runscripthelper.exe" @@ -11995,7 +11966,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1070", "TA0003", "T1542.003", @@ -12039,7 +12010,6 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", "TA0004", "T1548.002", "car.2019-04-001", @@ -12064,8 +12034,8 @@ ], "tags": [ "TA0003", - "T1112", - "TA0005" + "attack.defense-impairment", + "T1112" ], "title": "Potential Suspicious Registry File Imported Via Reg.EXE" }, @@ -12130,7 +12100,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1218.007", "T1218" ], @@ -12174,7 +12144,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1036", "T1218" ], @@ -12218,7 +12188,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1218.011", "T1218" ], 
@@ -12240,9 +12210,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", - "T1562.001", - "T1562" + "attack.defense-impairment", + "T1685" ], "title": "Disabled Volume Snapshots" }, @@ -12309,7 +12278,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1036.005", "T1036" ], @@ -12354,7 +12323,7 @@ ], "tags": [ "TA0004", - "TA0005", + "attack.stealth", "T1055.001", "T1055" ], @@ -12402,8 +12371,8 @@ "T1587.001", "TA0002", "T1569.002", - "T1569", - "T1587" + "T1587", + "T1569" ], "title": "PUA - CsExec Execution" }, @@ -12491,7 +12460,6 @@ ], "tags": [ "TA0004", - "TA0005", "TA0002", "T1059" ], @@ -12535,7 +12503,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1218" ], "title": "Arbitrary DLL or Csproj Code Execution Via Dotnet.EXE" @@ -12600,7 +12568,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1202" ], "title": "Suspicious High IntegrityLevel Conhost Legacy Option" @@ -12621,7 +12589,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1218" ], "title": "Devtoolslauncher.exe Executes Specified Binary" @@ -12664,7 +12632,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1218.011", "TA0006", "T1003.001", @@ -12692,7 +12660,7 @@ "TA0003", "TA0004", "TA0007", - "TA0005", + "attack.stealth", "T1082", "T1564", "T1543" @@ -12757,8 +12725,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ + "attack.stealth", "T1218", - "TA0005", "TA0002" ], "title": "Uncommon Child Process Of Appvlp.EXE" @@ -12821,7 +12789,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1564.004", "T1564" ], @@ -12843,8 +12811,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", "TA0002", + "attack.stealth", "T1218" ], "title": "Potential File Download Via MS-AppInstaller Protocol Handler" 
@@ -12908,7 +12876,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1218" ], "title": "Diskshadow Script Mode - Execution From Potential Suspicious Location" @@ -13057,7 +13025,6 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", "TA0002", "T1059" ], @@ -13123,7 +13090,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005" + "attack.stealth" ], "title": "Suspicious PowerShell Invocations - Specific - ProcessCreation" }, @@ -13143,8 +13110,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", "TA0002", + "attack.stealth", "T1218" ], "title": "Arbitrary File Download Via MSEDGE_PROXY.EXE" @@ -13187,7 +13154,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005" + "attack.stealth" ], "title": "Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 1" }, @@ -13229,8 +13196,9 @@ ], "tags": [ "TA0003", - "TA0005", "TA0004", + "TA0002", + "attack.stealth", "T1574.011", "T1574" ], @@ -13252,7 +13220,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1218.008", "T1218" ], @@ -13274,8 +13242,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", - "T1562" + "attack.defense-impairment", + "T1685" ], "title": "Write Protect For Storage Disabled" }, @@ -13342,8 +13310,8 @@ ], "tags": [ "TA0002", + "attack.stealth", "T1059.006", - "TA0005", "T1027.010", "T1027", "T1059" @@ -13390,7 +13358,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1027.004", "T1027" ], @@ -13463,7 +13431,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1218.011", "T1218" ], @@ -13485,7 +13453,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1202" ], "title": "WSL Kali-Linux Usage" 
@@ -13529,7 +13497,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1070" ], "title": "IIS WebServer Log Deletion via CommandLine Utilities" @@ -13550,14 +13518,14 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", "TA0004", "TA0003", + "attack.defense-impairment", "T1548.002", "T1546.001", "T1112", - "T1546", - "T1548" + "T1548", + "T1546" ], "title": "Registry Modification of MS-settings Protocol Handler" }, @@ -13577,7 +13545,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1218.010", "T1218" ], @@ -13600,7 +13568,7 @@ ], "tags": [ "TA0003", - "TA0005", + "attack.defense-impairment", "T1112" ], "title": "RestrictedAdminMode Registry Value Tampering - ProcCreation" @@ -13642,8 +13610,9 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", "TA0003", + "TA0002", + "attack.stealth", "T1197", "attack.s0190", "T1036.003", @@ -13714,7 +13683,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1218" ], "title": "COM Object Execution via Xwizard.EXE" @@ -13781,7 +13750,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1036" ], "title": "Suspicious Process Parents" @@ -13823,7 +13792,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1202" ], "title": "Suspicious Cabinet File Execution Via Msdt.EXE" @@ -13891,7 +13860,7 @@ ], "tags": [ "TA0002", - "TA0005", + "attack.stealth", "T1218", "T1202" ], @@ -13914,7 +13883,7 @@ ], "tags": [ "TA0008", - "TA0005", + "attack.stealth", "T1021.006", "T1218", "T1021" @@ -13937,7 +13906,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1202" ], "title": "Potentially Suspicious Office Document Executed From Trusted Location" @@ -13958,7 +13927,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1218.008", "T1218" ], 
@@ -13982,8 +13951,8 @@ "tags": [ "TA0003", "TA0004", + "attack.defense-impairment", "T1547.001", - "TA0005", "T1112", "T1547" ], @@ -14029,7 +13998,8 @@ "tags": [ "TA0004", "TA0003", - "TA0005", + "TA0002", + "attack.stealth", "T1574" ], "title": "DLL Execution Via Register-cimprovider.exe" @@ -14071,7 +14041,7 @@ ], "tags": [ "TA0003", - "TA0005" + "attack.stealth" ], "title": "Unsigned AppX Installation Attempt Using Add-AppxPackage" }, @@ -14091,8 +14061,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", "TA0004", + "attack.stealth", "T1134.002", "T1134" ], @@ -14117,8 +14087,8 @@ "TA0004", "TA0002", "TA0003", + "attack.stealth", "T1053.005", - "TA0005", "T1036.004", "T1036.005", "T1036", @@ -14143,8 +14113,8 @@ ], "tags": [ "TA0002", + "attack.stealth", "T1059.005", - "TA0005", "T1218", "T1202", "T1059" @@ -14189,7 +14159,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1218" ], "title": "OpenWith.exe Executes Specified Binary" @@ -14210,7 +14180,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1202" ], "title": "Suspicious Splwow64 Without Params" @@ -14276,8 +14246,8 @@ ], "tags": [ "TA0002", + "attack.stealth", "T1059.001", - "TA0005", "T1027", "T1059" ], @@ -14299,7 +14269,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1218" ], "title": "Potential Register_App.Vbs LOLScript Abuse" @@ -14320,7 +14290,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1027.004", "T1027" ], @@ -14438,13 +14408,13 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", "TA0002", + "attack.stealth", "T1059.001", "T1059.003", "T1564.003", - "T1564", - "T1059" + "T1059", + "T1564" ], "title": "Powershell Executed From Headless ConHost Process" }, 
@@ -14464,8 +14434,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "TA0005",
 "TA0004",
+ "attack.stealth",
 "T1036.005",
 "T1055",
 "T1055.012",
@@ -14511,7 +14481,7 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "TA0005",
+ "attack.stealth",
 "T1218"
 ],
 "title": "Potentially Suspicious CMD Shell Output Redirect"
@@ -14552,7 +14522,7 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "TA0005",
+ "attack.stealth",
 "T1036"
 ],
 "title": "Explorer Process Tree Break"
@@ -14595,7 +14565,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "TA0005",
+ "TA0002",
+ "attack.stealth",
 "T1127"
 ],
 "title": "Use of TTDInject.exe"
@@ -14638,7 +14609,7 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "TA0005"
+ "attack.stealth"
 ],
 "title": "Execution Of Non-Existing File"
 },
@@ -14658,7 +14629,7 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "TA0005",
+ "attack.stealth",
 "T1218.007",
 "TA0011",
 "T1105",
@@ -14703,8 +14674,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "TA0005",
 "TA0002",
+ "attack.stealth",
 "T1564",
 "T1059"
 ],
@@ -14726,7 +14697,7 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "TA0005",
+ "attack.stealth",
 "T1218.011",
 "T1218"
 ],
@@ -14796,7 +14767,7 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "TA0005",
+ "attack.stealth",
 "T1047",
 "T1220",
 "TA0002",
@@ -14806,6 +14777,28 @@
 ],
 "title": "Potential Remote SquiblyTwo Technique Execution"
 },
+ {
+ "category": "process_creation",
+ "channel": [
+ "sec"
+ ],
+ "description": "Detects a potentially suspicious powershell script executions from temporary folder",
+ "event_ids": [
+ "4688"
+ ],
+ "id": "18f506e1-2726-f3fa-8429-f7b06ce69825",
+ "level": "medium",
+ "service": "",
+ "subcategory_guids": [
+ "0CCE922B-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "TA0002",
+ "T1059.001",
+ "T1059"
+ ],
+ "title": "Potentially Suspicious Powershell Script Execution From Temp Folder"
+ },
 {
 "category": "process_creation",
 "channel": [
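Review bot: The entry inserted in the -14806 hunk after "Potential Remote SquiblyTwo Technique Execution" has a `description` with a grammar slip, `Detects a potentially suspicious powershell script executions from temporary folder`, which consumers will print verbatim; if that text is copied from the upstream rule the fix belongs there, otherwise it should read `Detects potentially suspicious PowerShell script execution from a temporary folder`. If id `18f506e1-2726-f3fa-8429-f7b06ce69825` already existed elsewhere in this file under a different title, this delete-and-reinsert layout turns a `level` or tag change on an existing rule into what looks like a brand-new addition, so anyone auditing rule-severity changes should diff this file by `id` rather than by position. The entry's `tags` carry only execution IDs (`TA0002`, `T1059.001`, `T1059`), which is presumably the upstream tagging and fine to keep as is.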
@@ -14930,7 +14923,7 @@ ], "tags": [ "TA0004", - "TA0005", + "attack.stealth", "T1055.012", "T1055" ], @@ -14952,7 +14945,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1218" ], "title": "InfDefaultInstall.exe .inf Execution" @@ -14996,7 +14989,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1218" ], "title": "Potentially Suspicious Cabinet File Expansion" @@ -15043,8 +15036,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", "TA0002", + "attack.stealth", "T1218" ], "title": "Arbitrary File Download Via Squirrel.EXE" @@ -15089,7 +15082,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1218" ], "title": "Uncommon Link.EXE Parent Process" @@ -15133,7 +15126,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1218", "T1216" ], @@ -15155,14 +15148,14 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", "TA0002", "TA0003", "TA0004", + "attack.stealth", "T1036.003", "T1053.005", - "T1036", - "T1053" + "T1053", + "T1036" ], "title": "Renamed Schtasks Execution" }, @@ -15182,9 +15175,9 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", - "T1562.002", - "T1562" + "attack.defense-impairment", + "T1685.001", + "T1685" ], "title": "Audit Policy Tampering Via NT Resource Kit Auditpol" }, @@ -15205,8 +15198,8 @@ ], "tags": [ "TA0003", - "TA0005", "TA0008", + "attack.defense-impairment", "T1021.001", "T1112", "T1021" @@ -15229,7 +15222,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1027" ], "title": "File Encoded To Base64 Via Certutil.EXE" @@ -15296,8 +15289,8 @@ ], "tags": [ "TA0003", - "T1112", - "TA0005" + "attack.defense-impairment", + "T1112" ], "title": "Imports Registry Key From an ADS" }, 
@@ -15318,7 +15311,7 @@ ], "tags": [ "TA0004", - "TA0005", + "attack.stealth", "T1055" ], "title": "Suspicious Userinit Child Process" @@ -15339,7 +15332,6 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", "TA0002", "T1059" ], @@ -15361,7 +15353,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1218" ], "title": "Lolbin Runexehelper Use As Proxy" @@ -15382,8 +15374,9 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", "TA0003", + "TA0002", + "attack.stealth", "T1197", "attack.s0190", "T1036.003", @@ -15456,7 +15449,7 @@ ], "tags": [ "TA0002", - "TA0005", + "attack.stealth", "T1218", "T1202" ], @@ -15478,9 +15471,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", - "T1562.001", - "T1562" + "attack.defense-impairment", + "T1685" ], "title": "Suspicious Windows Defender Folder Exclusion Added Via Reg.EXE" }, @@ -15545,9 +15537,9 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", "TA0002", "TA0001", + "attack.stealth", "T1047", "T1059.001", "T1059.003", @@ -15621,10 +15613,11 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", + "attack.defense-impairment", "T1070", - "T1562", - "T1562.002" + "T1685", + "T1685.001" ], "title": "Sysmon Driver Unloaded Via Fltmc.EXE" }, @@ -15645,7 +15638,7 @@ ], "tags": [ "TA0002", - "TA0005" + "attack.stealth" ], "title": "IE ZoneMap Setting Downgraded To MyComputer Zone For HTTP Protocols Via CLI" }, @@ -15665,7 +15658,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1202" ], "title": "Uncommon Child Process Of Conhost.EXE" @@ -15730,7 +15723,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.defense-impairment", "T1553.004", "T1553" ], @@ -15752,7 +15745,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.defense-impairment", "T1553.004", "T1553" ], 
@@ -15818,7 +15811,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1218" ], "title": "DLL Loaded via CertOC.EXE" @@ -15839,7 +15832,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1218" ], "title": "Suspicious AgentExecutor PowerShell Execution" @@ -15860,7 +15853,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1218" ], "title": "Potential Suspicious Mofcomp Execution" @@ -15924,12 +15917,11 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", "TA0002", + "attack.defense-impairment", "T1059.001", - "T1562.001", - "T1059", - "T1562" + "T1685", + "T1059" ], "title": "Obfuscated PowerShell OneLiner Execution" }, @@ -15949,7 +15941,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1027", "TA0002", "T1059.001", @@ -15973,7 +15965,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1202" ], "title": "Proxy Execution via Vshadow" @@ -15994,7 +15986,6 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", "TA0002", "T1059" ], @@ -16016,7 +16007,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1218" ], "title": "AddinUtil.EXE Execution From Uncommon Directory" @@ -16037,8 +16028,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", - "TA0008" + "TA0008", + "attack.stealth" ], "title": "HackTool - Wmiexec Default Powershell Command" }, @@ -16058,7 +16049,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1218" ], "title": "SyncAppvPublishingServer Execute Arbitrary PowerShell Code" @@ -16079,7 +16070,6 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", "TA0004", "T1548.002", "T1548" 
@@ -16123,8 +16113,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", "TA0002", + "attack.stealth", "T1218" ], "title": "Use of Scriptrunner.exe" @@ -16145,7 +16135,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1218" ], "title": "Potential NTLM Coercion Via Certutil.EXE" @@ -16166,7 +16156,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1036.002", "T1036" ], @@ -16233,8 +16223,8 @@ ], "tags": [ "TA0002", + "attack.stealth", "T1059.001", - "TA0005", "T1216", "T1059" ], @@ -16281,7 +16271,8 @@ ], "tags": [ "TA0003", - "TA0005", + "TA0002", + "attack.stealth", "T1197" ], "title": "Monitoring For Persistence Via BITS" @@ -16324,9 +16315,9 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ + "attack.stealth", "T1211", "T1059", - "TA0005", "TA0003", "TA0002" ], @@ -16348,7 +16339,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.defense-impairment", "T1553.004", "T1553" ], @@ -16421,8 +16412,8 @@ "T1570", "TA0002", "T1569.002", - "T1569", - "T1021" + "T1021", + "T1569" ], "title": "Rundll32 Execution Without Parameters" }, @@ -16442,7 +16433,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1564.004", "T1564" ], @@ -16576,7 +16567,6 @@ ], "tags": [ "TA0004", - "TA0005", "T1548.002", "T1548" ], @@ -16620,7 +16610,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1027" ], "title": "Potential CommandLine Obfuscation Using Unicode Characters From Suspicious Image" @@ -16641,7 +16631,6 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", "TA0004", "T1548.002", "T1548" @@ -16687,7 +16676,7 @@ ], "tags": [ "TA0004", - "TA0005", + "attack.stealth", "T1134.001", "T1134.003", "T1134" @@ -16710,8 +16699,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", "TA0004", + "attack.defense-impairment", "T1484.001", "T1484" ], 
@@ -16733,7 +16722,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1036.003", "T1036" ], @@ -16755,7 +16744,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1027", "TA0002", "T1059.001", @@ -16779,7 +16768,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1218.007", "T1218" ], @@ -16802,7 +16791,7 @@ ], "tags": [ "TA0004", - "TA0005", + "attack.stealth", "T1055" ], "title": "HackTool - DInjector PowerShell Cradle Execution" @@ -16848,7 +16837,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005" + "attack.stealth" ], "title": "HackTool - GMER Rootkit Detector and Remover Execution" }, @@ -16876,8 +16865,8 @@ "T1069.002", "TA0002", "T1059.001", - "T1069", "T1087", + "T1069", "T1059" ], "title": "HackTool - Bloodhound/Sharphound Execution" @@ -16918,9 +16907,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", - "T1562.001", - "T1562" + "attack.defense-impairment", + "T1685" ], "title": "Disabled IE Security Features" }, @@ -16960,7 +16948,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1218.011", "T1218" ], @@ -16982,7 +16970,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005" + "attack.stealth" ], "title": "Suspicious Usage Of ShellExec_RunDLL" }, @@ -17002,9 +16990,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", - "T1562.001", - "T1562" + "attack.defense-impairment", + "T1685" ], "title": "Powershell Defender Disable Scan Feature" }, @@ -17025,7 +17012,6 @@ ], "tags": [ "TA0006", - "TA0005", "TA0007", "TA0002", "TA0004", @@ -17080,10 +17066,10 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", - "T1562.004", + "attack.defense-impairment", + "T1686.003", "attack.s0246", - "T1562" + "T1686" ], "title": "New Firewall Rule Added Via Netsh.EXE" }, 
@@ -17125,7 +17111,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1218" ], "title": "Program Executed Using Proxy/Local Command Via SSH.EXE" @@ -17148,7 +17134,9 @@ "tags": [ "TA0004", "TA0003", - "TA0005", + "TA0002", + "attack.stealth", + "attack.defense-impairment", "T1574.001", "T1112", "T1574" @@ -17215,7 +17203,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1218.001", "T1218" ], @@ -17345,7 +17333,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1218" ], "title": "AgentExecutor PowerShell Execution" @@ -17367,7 +17355,7 @@ ], "tags": [ "TA0002", - "TA0005", + "attack.stealth", "T1059.001", "T1027", "T1059" @@ -17410,7 +17398,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1070.003", "T1070" ], @@ -17433,9 +17421,8 @@ ], "tags": [ "TA0002", - "TA0005", - "T1562.001", - "T1562" + "attack.defense-impairment", + "T1685" ], "title": "Service StartupType Change Via PowerShell Set-Service" }, @@ -17455,7 +17442,6 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", "TA0004", "T1548.002", "T1548" @@ -17586,13 +17572,13 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", "TA0002", + "attack.stealth", "T1047", "T1204.002", "T1218.010", - "T1204", - "T1218" + "T1218", + "T1204" ], "title": "Suspicious Microsoft Office Child Process" }, @@ -17635,7 +17621,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1036" ], "title": "Process Execution From A Potentially Suspicious Folder" @@ -17678,7 +17664,6 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", "TA0004", "T1548.002", "T1548" @@ -17722,7 +17707,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005" + "attack.defense-impairment" ], "title": "Potential PowerShell Execution Policy Tampering - ProcCreation" }, 
@@ -17742,7 +17727,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1218.005", "T1218" ], @@ -17766,7 +17751,8 @@ "tags": [ "TA0004", "TA0003", - "TA0005", + "TA0002", + "attack.stealth", "T1574.001", "T1574" ], @@ -17788,7 +17774,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "TA0002", + "attack.stealth", "T1127" ], "title": "Potential Arbitrary Code Execution Via Node.EXE" @@ -17809,7 +17796,6 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", "TA0002", "T1059.001", "T1059" @@ -17832,9 +17818,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", - "T1562.001", - "T1562" + "attack.defense-impairment", + "T1685" ], "title": "Python Function Execution Security Warning Disabled In Excel" }, @@ -17877,8 +17862,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", - "TA0002" + "TA0002", + "attack.stealth" ], "title": "Wab/Wabmig Unusual Parent Or Child Processes" }, @@ -17965,7 +17950,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1218" ], "title": "Execute Files with Msdeploy.exe" @@ -17986,7 +17971,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1140" ], "title": "Potential Commandline Obfuscation Using Escape Characters" @@ -18007,8 +17992,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", "TA0006", + "attack.stealth", "T1036", "T1003.001", "car.2013-05-009", @@ -18053,7 +18038,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1216" ], "title": "Potential Script Proxy Execution Via CL_Mutexverifiers.ps1" @@ -18147,7 +18132,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1218" ], "title": "Potentially Over Permissive Permissions Granted Using Dsacls.EXE" 
@@ -18210,9 +18195,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", - "T1562.001", - "T1562" + "attack.defense-impairment", + "T1685" ], "title": "Powershell Defender Exclusion" }, @@ -18281,8 +18265,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", - "T1562" + "attack.defense-impairment", + "T1685" ], "title": "Windows Firewall Disabled via PowerShell" }, @@ -18324,11 +18308,10 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", "TA0040", + "attack.defense-impairment", "T1489", - "T1562.001", - "T1562" + "T1685" ], "title": "Suspicious Windows Service Tampering" }, @@ -18348,7 +18331,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005" + "attack.stealth" ], "title": "Nslookup PowerShell Download Cradle - ProcessCreation" }, @@ -18368,7 +18351,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1564.003", "T1564" ], @@ -18390,7 +18373,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1218" ], "title": "Uncommon Child Process Of AddinUtil.EXE" @@ -18455,8 +18438,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", "TA0002", + "attack.stealth", "T1218" ], "title": "Arbitrary File Download Via MSPUB.EXE" @@ -18477,7 +18460,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1202" ], "title": "Potential Arbitrary DLL Load Using Winword" @@ -18499,10 +18482,9 @@ ], "tags": [ "TA0002", + "attack.defense-impairment", "T1047", - "TA0005", - "T1562.001", - "T1562" + "T1685" ], "title": "Service Startup Type Change Via Wmic.EXE" }, @@ -18585,7 +18567,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005" + "attack.defense-impairment" ], "title": "NtdllPipe Like Activity Execution" }, 
@@ -18605,10 +18587,32 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005" + "attack.stealth" ], "title": "Remote Access Tool - NetSupport Execution From Unusual Location" }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects attempts to disable Windows EventLog autologger sessions via registry modification.\nThe AutoLogger event tracing session records events that occur early in the operating system boot process.\nApplications and device drivers can use the AutoLogger session to capture traces before the user logs in.\nAdversaries may disable these sessions to evade detection and prevent security monitoring of early boot activities and system events.\n", + "event_ids": [ + "4688" + ], + "id": "f2b97647-02a8-e38f-ebd7-03d1bbe3d6a4", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "attack.defense-impairment", + "T1685.001", + "T1685" + ], + "title": "Windows EventLog Autologger Session Registry Modification Via CommandLine" + }, { "category": "process_creation", "channel": [ @@ -18625,7 +18629,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1216" ], "title": "Suspicious CustomShellHost Execution" @@ -18646,7 +18650,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1564.002", "T1564" ], @@ -18690,7 +18694,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1218.010", "T1218" ], @@ -18712,8 +18716,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", "TA0004", + "attack.defense-impairment", "T1484.001", "T1484" ], @@ -18757,8 +18761,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", - "TA0004" + "TA0004", + "attack.stealth" ], "title": "Windows Kernel Debugger Execution" }, 
@@ -18778,9 +18782,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", - "T1562.001", - "T1562" + "attack.defense-impairment", + "T1685" ], "title": "PUA - CleanWipe Execution" }, @@ -18800,10 +18803,10 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", "TA0007", "TA0003", "TA0004", + "attack.stealth", "T1622", "T1564", "T1543" @@ -18933,7 +18936,7 @@ ], "tags": [ "TA0002", - "TA0005", + "attack.stealth", "T1218" ], "title": "Binary Proxy Execution Via Dotnet-Trace.EXE" @@ -18954,11 +18957,11 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", "TA0001", "TA0003", "TA0004", "TA0008", + "attack.stealth", "T1021.002", "T1078", "T1021" @@ -18981,9 +18984,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", - "T1562.001", - "T1562" + "attack.defense-impairment", + "T1685" ], "title": "HackTool - PowerTool Execution" }, @@ -19009,8 +19011,8 @@ "T1021.004", "TA0011", "T1219", - "T1059", - "T1021" + "T1021", + "T1059" ], "title": "OpenEDR Spawning Command Shell" }, @@ -19030,7 +19032,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1036.007", "T1036" ], @@ -19052,7 +19054,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1036", "T1036.003" ], @@ -19142,8 +19144,8 @@ ], "tags": [ "TA0002", + "attack.stealth", "T1059.005", - "TA0005", "T1218", "T1202", "T1059" 
@@ -19206,36 +19208,13 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1027", "TA0011", "T1105" ], "title": "Suspicious File Downloaded From Direct IP Via Certutil.EXE" }, - { - "category": "process_creation", - "channel": [ - "sec" - ], - "description": "Detects wscript/cscript executions of scripts located in user directories", - "event_ids": [ - "4688" - ], - "id": "4b713aaa-d275-9bdc-3492-6a1d3582348c", - "level": "medium", - "service": "", - "subcategory_guids": [ - "0CCE922B-69AE-11D9-BED3-505054503030" - ], - "tags": [ - "TA0002", - "T1059.005", - "T1059.007", - "T1059" - ], - "title": "Potential Dropper Script Execution Via WScript/CScript" - }, { "category": "process_creation", "channel": [ @@ -19272,7 +19251,6 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", "TA0004", "T1548.002", "T1548" @@ -19454,8 +19432,9 @@ ], "tags": [ "TA0004", - "TA0005", "TA0003", + "TA0002", + "attack.stealth", "T1543.003", "T1574.011", "T1574", @@ -19480,11 +19459,11 @@ ], "tags": [ "TA0004", - "TA0005", + "attack.stealth", "T1548.002", "T1218.003", - "T1548", - "T1218" + "T1218", + "T1548" ], "title": "Bypass UAC via CMSTP" }, @@ -19548,8 +19527,8 @@ ], "tags": [ "TA0002", + "attack.stealth", "T1059.001", - "TA0005", "T1127", "T1059" ], @@ -19592,7 +19571,6 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", "TA0004", "T1548.002", "T1548" @@ -19617,7 +19595,7 @@ "tags": [ "TA0004", "TA0002", - "TA0005", + "attack.stealth", "T1218.002", "TA0003", "T1546", @@ -19644,14 +19622,16 @@ "TA0009", "TA0007", "TA0003", - "TA0005", "TA0006", "TA0004", - "T1562.002", + "TA0002", + "attack.stealth", + "attack.defense-impairment", + "T1685.001", "T1547.001", "T1505.005", "T1556.002", - "T1562", + "T1685", "T1574.007", "T1564.002", "T1546.008", 
@@ -19661,12 +19641,12 @@ "T1547.002", "T1557", "T1082", - "T1574", "T1564", - "T1546", - "T1505", "T1547", - "T1556" + "T1546", + "T1574", + "T1556", + "T1505" ], "title": "Potential Suspicious Activity Using SeCEdit" }, @@ -19708,7 +19688,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1218.011", "T1218" ], @@ -19730,9 +19710,9 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", - "T1562.004", - "T1562" + "attack.defense-impairment", + "T1686.003", + "T1686" ], "title": "Suspicious Program Location Whitelisted In Firewall Via Netsh.EXE" }, @@ -19775,7 +19755,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005" + "attack.stealth" ], "title": "Potential Signing Bypass Via Windows Developer Features" }, @@ -19816,7 +19796,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1218.011", "T1218" ], @@ -19882,7 +19862,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1218.010", "T1218" ], @@ -19904,7 +19884,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1027", "TA0002", "T1059.001", @@ -19968,9 +19948,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", - "T1562.001", - "T1562" + "attack.defense-impairment", + "T1685" ], "title": "Disable Windows Defender AV Security Monitoring" }, @@ -20035,7 +20014,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005" + "attack.stealth" ], "title": "Execution of Suspicious File Type Extension" }, @@ -20056,7 +20035,6 @@ ], "tags": [ "TA0004", - "TA0005", "T1548.002", "T1548" ], @@ -20102,7 +20080,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1218.008", "T1218" ], @@ -20125,10 +20103,10 @@ ], "tags": [ "TA0003", - "TA0005", "TA0004", "TA0007", "TA0002", + "attack.stealth", "T1615", "T1569.002", "T1574.005", 
@@ -20153,7 +20131,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1218" ], "title": "Uncommon Assistive Technology Applications Execution Via AtBroker.EXE" @@ -20195,12 +20173,12 @@ ], "tags": [ "TA0002", - "TA0005", + "attack.stealth", "T1106", "T1059.003", "T1218.011", - "T1218", - "T1059" + "T1059", + "T1218" ], "title": "HackTool - RedMimicry Winnti Playbook Execution" }, @@ -20241,8 +20219,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", "TA0002", + "attack.stealth", "T1218" ], "title": "Use Of The SFTP.EXE Binary As A LOLBIN" @@ -20285,8 +20263,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", "TA0011", + "attack.stealth", "T1105", "T1564.003", "T1564" @@ -20330,7 +20308,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "TA0002", + "attack.stealth", "T1127" ], "title": "Use of VSIISExeLauncher.exe" @@ -20352,10 +20331,9 @@ ], "tags": [ "TA0002", - "TA0005", + "attack.defense-impairment", "T1059", - "T1562.001", - "T1562" + "T1685" ], "title": "HackTool - Stracciatella Execution" }, @@ -20375,7 +20353,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1564.004", "T1564" ], @@ -20397,8 +20375,9 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", "TA0003", + "TA0002", + "attack.stealth", "T1197", "attack.s0190", "T1036.003", @@ -20425,8 +20404,8 @@ ], "tags": [ "TA0002", + "attack.stealth", "T1059.001", - "TA0005", "T1027", "T1059" ], @@ -20448,8 +20427,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", "TA0004", + "attack.stealth", "T1055" ], "title": "HackTool - CoercedPotato Execution" @@ -20471,11 +20450,11 @@ ], "tags": [ "TA0002", + "attack.stealth", "T1059.001", - "TA0005", "T1027.005", - "T1059", - "T1027" + "T1027", + "T1059" ], "title": "HackTool - CrackMapExec PowerShell Obfuscation" }, 
@@ -20518,7 +20497,7 @@ ], "tags": [ "TA0003", - "TA0005", + "attack.defense-impairment", "T1112" ], "title": "Enable LM Hash Storage - ProcCreation" @@ -20559,7 +20538,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1564.001", "T1564" ], @@ -20581,9 +20560,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", - "T1562.001", - "T1562" + "attack.defense-impairment", + "T1685" ], "title": "Security Service Disabled Via Reg.EXE" }, @@ -20628,7 +20606,6 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", "TA0002", "T1059" ], @@ -20712,8 +20689,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", - "T1562" + "attack.defense-impairment", + "T1685" ], "title": "HackTool - EDRSilencer Execution" }, @@ -20775,7 +20752,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1036", "T1003.001", "TA0006", @@ -20820,7 +20797,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1202" ], "title": "Suspicious Service Binary Directory" @@ -20842,7 +20819,7 @@ ], "tags": [ "TA0003", - "TA0005" + "attack.stealth" ], "title": "Suspicious Process Execution From Fake Recycle.Bin Folder" }, @@ -20883,7 +20860,6 @@ ], "tags": [ "TA0004", - "TA0005", "TA0003", "T1548.002", "T1548" @@ -20906,7 +20882,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1218", "TA0011", "T1105" @@ -20977,7 +20953,7 @@ ], "tags": [ "TA0002", - "TA0005", + "attack.stealth", "T1218" ], "title": "Visual Studio NodejsTools PressAnyKey Arbitrary Binary Execution" @@ -21022,7 +20998,6 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", "TA0006", "T1003", "T1558.003", @@ -21049,9 +21024,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", - "T1562.001", - "T1562" + "attack.defense-impairment", + "T1685" ], "title": "Tamper Windows Defender Remove-MpPreference" }, 
@@ -21071,7 +21045,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1218" ], "title": "Execution via WorkFolders.exe" @@ -21092,7 +21066,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1036", "T1202", "T1027.003", @@ -21116,8 +21090,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", "TA0006", + "attack.stealth", "T1036", "T1003.001", "T1003" @@ -21163,7 +21137,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005" + "attack.stealth" ], "title": "Rundll32 Spawned Via Explorer.EXE" }, @@ -21183,7 +21157,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005" + "attack.stealth" ], "title": "Suspicious Workstation Locking via Rundll32" }, @@ -21203,9 +21177,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", - "T1562.001", - "T1562" + "attack.defense-impairment", + "T1685" ], "title": "Windows Defender Definition Files Removed" }, @@ -21225,8 +21198,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", "TA0011", + "attack.stealth", "T1105", "T1564.003", "T1564" @@ -21249,7 +21222,6 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", "TA0002", "T1059" ], @@ -21271,8 +21243,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", "TA0002", + "attack.stealth", "T1218" ], "title": "Arbitrary File Download Via IMEWDBLD.EXE" @@ -21293,7 +21265,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1218" ], "title": "Use of VisualUiaVerifyNative.exe" @@ -21338,7 +21310,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1218" ], "title": "File Download Using ProtocolHandler.exe" @@ -21422,7 +21394,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "TA0002", + "attack.stealth", "T1127" ], "title": "Potential Mftrace.EXE Abuse" 
@@ -21443,7 +21416,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1218.011", "T1218" ], @@ -21533,7 +21506,7 @@ ], "tags": [ "TA0011", - "TA0005", + "attack.stealth", "T1219.002", "T1036.003", "T1036", @@ -21665,8 +21638,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", - "TA0002" + "TA0002", + "attack.stealth" ], "title": "ImagingDevices Unusual Parent/Child Processes" }, @@ -21752,7 +21725,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1218" ], "title": "Potential Binary Proxy Execution Via VSDiagnostics.EXE" @@ -21818,7 +21791,8 @@ "tags": [ "TA0004", "TA0003", - "TA0005", + "TA0002", + "attack.stealth", "T1574.001", "T1574" ], @@ -21841,7 +21815,7 @@ ], "tags": [ "TA0002", - "TA0005", + "attack.stealth", "T1218", "T1202" ], @@ -21863,7 +21837,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1202" ], "title": "Potential Arbitrary Command Execution Using Msdt.EXE" @@ -21884,7 +21858,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005" + "attack.stealth" ], "title": "Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 3" }, @@ -21970,7 +21944,7 @@ ], "tags": [ "TA0002", - "TA0005" + "attack.stealth" ], "title": "Potential ShellDispatch.DLL Functionality Abuse" }, @@ -22011,7 +21985,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1218", "T1202" ], @@ -22055,8 +22029,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "T1036", - "TA0005" + "attack.stealth", + "T1036" ], "title": "Suspicious CodePage Switch Via CHCP" }, @@ -22076,7 +22050,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005" + "attack.stealth" ], "title": "Suspicious Advpack Call Via Rundll32.EXE" }, @@ -22096,7 +22070,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1036", "T1003.001", "TA0006", 
@@ -22142,7 +22116,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005" + "attack.defense-impairment" ], "title": "DumpStack.log Defender Evasion" }, @@ -22228,7 +22202,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1036", "T1003.001", "TA0006", @@ -22295,7 +22269,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1218" ], "title": "DLL Execution via Rasautou.exe" @@ -22513,7 +22487,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "TA0002", + "attack.stealth", "T1127" ], "title": "Suspicious Child Process of AspNetCompiler" @@ -22534,8 +22509,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", "TA0002", + "attack.stealth", "T1218" ], "title": "Arbitrary File Download Via PresentationHost.EXE" @@ -22556,7 +22531,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1027", "TA0002", "T1059.001", @@ -22580,7 +22555,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1036" ], "title": "Suspicious Calculator Usage" @@ -22667,7 +22642,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1218" ], "title": "Abusing Print Executable" @@ -22688,7 +22663,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1218" ], "title": "Suspicious AddinUtil.EXE CommandLine Execution" @@ -22709,9 +22684,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", - "T1562.001", - "T1562" + "attack.defense-impairment", + "T1685" ], "title": "Sysinternals PsSuspend Suspicious Execution" }, @@ -22753,7 +22727,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "TA0002", + "attack.stealth", "T1127" ], "title": "JScript Compiler Execution" @@ -22817,7 +22792,7 @@ ], "tags": [ "TA0004", - "TA0005", + "attack.stealth", "T1134.001", "T1134.003", "T1134" 
@@ -22840,7 +22815,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1218.007", "T1218" ], @@ -22863,8 +22838,8 @@ ], "tags": [ "TA0003", - "T1112", - "TA0005" + "attack.defense-impairment", + "T1112" ], "title": "Suspicious Registry Modification From ADS Via Regini.EXE" }, @@ -22927,7 +22902,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1218.010", "T1218" ], @@ -22949,7 +22924,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1027", "TA0002", "T1059.001", @@ -22996,7 +22971,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1218" ], "title": "Execution via stordiag.exe" @@ -23017,7 +22992,6 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", "TA0004", "T1548.002", "T1548" @@ -23062,7 +23036,6 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", "TA0004", "T1548" ], @@ -23167,6 +23140,29 @@ ], "title": "Malicious PowerShell Commandlets - ProcessCreation" }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects wscript/cscript/mshta executions of scripts located in user directories", + "event_ids": [ + "4688" + ], + "id": "4b713aaa-d275-9bdc-3492-6a1d3582348c", + "level": "medium", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0002", + "T1059.005", + "T1059.007", + "T1059" + ], + "title": "Potential Dropper Script Execution Via WScript/CScript/MSHTA" + }, { "category": "process_creation", "channel": [ @@ -23183,7 +23179,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1218.008", "T1218" ], @@ -23228,8 +23224,8 @@ ], "tags": [ "TA0002", + "attack.stealth", "T1059.003", - "TA0005", "T1027.010", "T1027", "T1059" 
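Review bot: The re-added rule `4b713aaa-d275-9bdc-3492-6a1d3582348c` now names mshta in its title and description (`"Potential Dropper Script Execution Via WScript/CScript/MSHTA"`), but its `"tags"` still list only the scripting-interpreter IDs `"T1059.005"`, `"T1059.007"`, `"T1059"`; the mshta proxy-execution sub-technique `"T1218.005"` that other rules in this diff carry (the `@@ -17742` and `@@ -23364` hunks) is absent. Consumers that locate mshta coverage by technique tag will not find this rule. If the tags are copied from the upstream Sigma rule the fix belongs there; otherwise add `"T1218.005",` and `"T1218",` to the array. For readers of the diff: the same id is removed in the `@@ -19206,36` hunk, so this is a move plus edit rather than new coverage, and `"level": "medium"` is unchanged.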
@@ -23252,7 +23248,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1027.009", "T1027" ], @@ -23274,9 +23270,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", - "T1562.001", - "T1562" + "attack.defense-impairment", + "T1685" ], "title": "Hacktool - EDR-Freeze Execution" }, @@ -23296,7 +23291,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1218.010", "T1218" ], @@ -23318,7 +23313,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1218" ], "title": "Suspicious DLL Loaded via CertOC.EXE" @@ -23340,7 +23335,7 @@ ], "tags": [ "TA0002", - "TA0005", + "attack.stealth", "T1059.001", "T1564.003", "T1059", @@ -23364,8 +23359,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", "TA0002", + "attack.stealth", "T1218.005", "T1218" ], @@ -23429,8 +23424,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", "TA0004", + "attack.stealth", "T1055" ], "title": "Suspect Svchost Activity" @@ -23451,7 +23446,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "TA0002", + "attack.stealth", "T1127" ], "title": "Kavremover Dropped Binary LOLBIN Usage" @@ -23513,7 +23509,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1202" ], "title": "Rundll32 Execution Without CommandLine Parameters" @@ -23556,7 +23552,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1036" ], "title": "System File Execution Location Anomaly" @@ -23577,8 +23573,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", "TA0002", + "attack.stealth", "T1059.001", "T1140", "T1027", @@ -23862,9 +23858,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", - "T1562.001", - "T1562" + "attack.defense-impairment", + "T1685" ], "title": "SafeBoot Registry Key Deleted Via Reg.EXE" }, 
@@ -23884,7 +23879,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1140", "TA0002", "T1059.001", @@ -23908,7 +23903,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "TA0002", + "attack.stealth", "T1127" ], "title": "AspNetCompiler Execution" @@ -23950,7 +23946,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1218" ], "title": "RemoteFXvGPUDisablement Abuse Via AtomicTestHarnesses" @@ -24014,7 +24010,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1027", "TA0002", "T1059.001", @@ -24038,9 +24034,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", - "T1562.001", - "T1562" + "attack.defense-impairment", + "T1685" ], "title": "Windows Defender Context Menu Removed" }, @@ -24061,7 +24056,7 @@ ], "tags": [ "TA0011", - "TA0005", + "attack.stealth", "T1218", "T1105" ], @@ -24128,8 +24123,8 @@ ], "tags": [ "TA0002", + "attack.stealth", "T1059.001", - "TA0005", "T1216", "T1059" ], @@ -24196,7 +24191,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1070.004", "T1070" ], @@ -24241,8 +24236,8 @@ ], "tags": [ "TA0011", + "attack.stealth", "T1105", - "TA0005", "T1564.004", "T1564" ], @@ -24264,7 +24259,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005" + "attack.stealth" ], "title": "Start of NT Virtual DOS Machine" }, @@ -24307,9 +24302,9 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", - "T1562.004", - "T1562" + "attack.defense-impairment", + "T1686.003", + "T1686" ], "title": "RDP Connection Allowed Via Netsh.EXE" }, @@ -24352,8 +24347,9 @@ ], "tags": [ "TA0003", - "TA0005", "TA0004", + "TA0002", + "attack.stealth", "T1574.011", "T1574" ], @@ -24396,7 +24392,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1036.003", "T1036", "T1027.005", 
@@ -24420,7 +24416,6 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", "TA0004", "T1548.002", "car.2019-04-001", @@ -24466,7 +24461,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1218.010", "T1218" ], @@ -24488,15 +24483,39 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", - "T1070.001", - "T1562.002", + "attack.defense-impairment", + "T1685.005", + "T1685.001", "car.2016-04-002", - "T1562", - "T1070" + "T1685" ], "title": "Suspicious Eventlog Clearing or Configuration Change Activity" }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects the abuse of the Print.exe utility for credential harvesting which involves using Print.Exe to copy sensitive files such as ntds.dit, SAM, SECURITY, or SYSTEM from the Windows directory in order to extract credentials, locally or remotely.\n", + "event_ids": [ + "4688" + ], + "id": "138e119a-33c7-68ed-b14f-bb55df1be95a", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0006", + "attack.stealth", + "T1003.003", + "T1003.002", + "T1218", + "T1003" + ], + "title": "Sensitive File Dump Via Print.EXE" + }, { "category": "process_creation", "channel": [ @@ -24557,7 +24576,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1027.010", "T1027" ], @@ -24670,8 +24689,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ + "attack.stealth", "T1218", - "TA0005", "TA0002" ], "title": "Uncommon Child Process Of Defaultpack.EXE" @@ -24698,8 +24717,8 @@ "T1203", "T1059.003", "attack.g0032", - "T1059", - "T1566" + "T1566", + "T1059" ], "title": "Suspicious HWP Sub Processes" }, @@ -24719,9 +24738,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", - "T1562.001", - "T1562" + "attack.defense-impairment", + "T1685" ], "title": "Service Registry Key Deleted Via Reg.EXE" }, 
@@ -24868,8 +24886,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", "TA0004", + "attack.stealth", "T1134.001", "T1134.002", "T1134" @@ -24934,8 +24952,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "T1218", - "TA0005" + "attack.stealth", + "T1218" ], "title": "Malicious PE Execution by Microsoft Visual Studio Debugger" }, @@ -24976,7 +24994,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1218.010", "T1218" ], @@ -24998,7 +25016,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1070.004", "T1070" ], @@ -25020,7 +25038,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1218" ], "title": "Suspicious Vsls-Agent Command With AgentExtensionPath Load" @@ -25041,9 +25059,9 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", "TA0002", "TA0011", + "attack.stealth", "T1218.011", "T1071", "T1218" @@ -25109,7 +25127,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1218" ], "title": "Potential Provisioning Registry Key Abuse For Binary Proxy Execution" @@ -25130,7 +25148,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005" + "attack.stealth" ], "title": "Suspicious Msbuild Execution By Uncommon Parent Process" }, @@ -25172,9 +25190,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", - "T1562.001", - "T1562" + "attack.defense-impairment", + "T1685" ], "title": "PowerShell Defender Threat Severity Default Action Set to 'Allow' or 'NoAction'" }, @@ -25235,7 +25252,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005" + "attack.stealth" ], "title": "Process Launched Without Image Name" }, @@ -25255,7 +25272,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1027" ], "title": "File Decoded From Base64/Hex Via Certutil.EXE" 
@@ -25276,7 +25293,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1036.003", "T1036" ], @@ -25320,8 +25337,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", "TA0004", + "attack.stealth", "T1055", "T1036" ], @@ -25462,8 +25479,8 @@ "service": "windefend", "subcategory_guids": [], "tags": [ - "TA0005", "TA0004", + "attack.stealth", "T1055", "detection.emerging-threats", "cve.2021-34527", @@ -25511,8 +25528,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", "TA0004", + "attack.defense-impairment", "T1553", "detection.emerging-threats" ], @@ -25558,9 +25575,9 @@ ], "tags": [ "TA0002", - "TA0005", "cve.2021-40444", - "detection.emerging-threats" + "detection.emerging-threats", + "attack.stealth" ], "title": "Potential Exploitation Attempt From Office Application" }, @@ -25792,8 +25809,8 @@ ], "tags": [ "TA0004", - "TA0005", "TA0003", + "attack.stealth", "T1036", "T1098", "cve.2021-42287", @@ -25862,8 +25879,9 @@ ], "tags": [ "TA0004", - "TA0005", "TA0003", + "TA0002", + "attack.stealth", "T1574.001", "detection.emerging-threats", "T1574" @@ -25976,7 +25994,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1218", "detection.emerging-threats" ], @@ -25999,7 +26017,7 @@ ], "tags": [ "TA0003", - "TA0005", + "attack.defense-impairment", "T1112", "detection.emerging-threats" ], @@ -26022,8 +26040,8 @@ ], "tags": [ "TA0002", - "TA0005", "TA0040", + "attack.stealth", "T1485", "T1498", "T1059.001", @@ -26050,8 +26068,9 @@ ], "tags": [ "TA0004", - "TA0005", "TA0003", + "TA0002", + "attack.stealth", "T1574.001", "detection.emerging-threats", "T1574" @@ -26075,7 +26094,7 @@ ], "tags": [ "TA0003", - "TA0005", + "attack.defense-impairment", "T1112", "detection.emerging-threats" ], 
@@ -26116,8 +26135,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", - "detection.emerging-threats" + "detection.emerging-threats", + "attack.stealth" ], "title": "Potential Goofy Guineapig GoolgeUpdate Process Anomaly" }, @@ -26254,8 +26273,8 @@ ], "tags": [ "TA0002", + "attack.stealth", "T1059.003", - "TA0005", "T1218.011", "attack.s0412", "attack.g0001", @@ -26283,15 +26302,15 @@ "tags": [ "TA0004", "TA0003", - "TA0005", + "attack.stealth", "attack.g0010", "TA0002", "T1059.001", "T1053.005", "T1027", "detection.emerging-threats", - "T1053", - "T1059" + "T1059", + "T1053" ], "title": "Turla Group Commands May 2020" }, @@ -26521,7 +26540,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1218.011", "detection.emerging-threats", "T1218" @@ -26547,7 +26566,6 @@ "TA0002", "T1059.003", "T1059.001", - "TA0005", "detection.emerging-threats", "T1059" ], @@ -26637,8 +26655,8 @@ ], "tags": [ "TA0003", - "TA0005", - "detection.emerging-threats" + "detection.emerging-threats", + "attack.stealth" ], "title": "COLDSTEEL RAT Anonymous User Process Execution" }, @@ -26677,9 +26695,9 @@ "service": "system", "subcategory_guids": [], "tags": [ - "TA0005", "TA0003", - "detection.emerging-threats" + "detection.emerging-threats", + "attack.stealth" ], "title": "COLDSTEEL Persistence Service Creation" }, @@ -26700,8 +26718,8 @@ ], "tags": [ "TA0003", - "TA0005", - "detection.emerging-threats" + "detection.emerging-threats", + "attack.stealth" ], "title": "COLDSTEEL RAT Service Persistence Execution" }, @@ -26722,7 +26740,7 @@ ], "tags": [ "TA0004", - "TA0005", + "attack.stealth", "T1055", "detection.emerging-threats" ], @@ -26786,9 +26804,9 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", "TA0002", - "detection.emerging-threats" + "detection.emerging-threats", + "attack.stealth" ], "title": "Qakbot Rundll32 Fake DLL Extension Execution" }, 
@@ -26808,9 +26826,9 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", "TA0002", - "detection.emerging-threats" + "detection.emerging-threats", + "attack.stealth" ], "title": "Potential Qakbot Rundll32 Execution" }, @@ -26830,9 +26848,9 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", "TA0002", - "detection.emerging-threats" + "detection.emerging-threats", + "attack.stealth" ], "title": "Qakbot Regsvr32 Calc Pattern" }, @@ -26852,9 +26870,9 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", "TA0002", - "detection.emerging-threats" + "detection.emerging-threats", + "attack.stealth" ], "title": "Qakbot Rundll32 Exports Execution" }, @@ -26874,7 +26892,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1218.011", "detection.emerging-threats", "T1218" @@ -27021,9 +27039,9 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", "TA0011", "TA0002", + "attack.stealth", "T1059.003", "T1105", "T1218", @@ -27072,9 +27090,9 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", "TA0002", - "detection.emerging-threats" + "detection.emerging-threats", + "attack.stealth" ], "title": "Pikabot Fake DLL Extension Execution Via Rundll32.EXE" }, @@ -27095,7 +27113,7 @@ ], "tags": [ "TA0004", - "TA0005", + "attack.stealth", "T1055.012", "detection.emerging-threats", "T1055" @@ -27248,7 +27266,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1218", "TA0002", "detection.emerging-threats" @@ -27273,7 +27291,7 @@ "tags": [ "TA0011", "TA0002", - "TA0005", + "attack.stealth", "T1218", "detection.emerging-threats" ], @@ -27295,7 +27313,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1218", "TA0002", "detection.emerging-threats" 
@@ -27493,8 +27511,8 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", - "T1562", + "attack.defense-impairment", + "T1685", "detection.emerging-threats" ], "title": "Diamond Sleet APT Scheduled Task Creation - Registry" 
@@ -27588,6 +27606,80 @@ ], "title": "Peach Sandstorm APT Process Activity Indicators" }, + { + "category": "", + "channel": [ + "Microsoft-Windows-Windows Defender/Operational" + ], + "description": "Detects Windows Defender (EventID 1119 - Remediation Action Failed) flagging TieringEngineService.exe\ndropped in a characteristic RS-{GUID} temporary directory, or the RedSun.exe process itself being present.\nThis covers the staging pattern used by RedSun, a Cloud Files API and opportunistic lock (oplock) based\nAV bypass/privilege escalation tool.\n\nRedSun works as follows:\n 1. Registers a Cloud Files sync root and creates a Cloud Files placeholder for TieringEngineService.exe under %TEMP%\\RS-{GUID}\\\n 2. The placeholder file carries EICAR test file content (Virus:DOS/EICAR_Test_File) to reliably trigger\n a Defender scan and remediation attempt\n 3. Requests a batch oplock (FSCTL_REQUEST_BATCH_OPLOCK) on the placeholder file\n 4. When Defender attempts to scan/quarantine the file, the oplock triggers - holding the file open\n 5. During the oplock break window, RedSun swaps the mount point (junction) to redirect\n \\\\?\\C:\\Windows\\System32 to the attacker-controlled temp path\n 6. 
This races the AV/OS into executing the malicious TieringEngineService.exe with elevated privileges\n", + "event_ids": [ + "1119" + ], + "id": "d3f14e8a-e0f1-4337-023e-35e868617bf4", + "level": "critical", + "service": "windefend", + "subcategory_guids": [], + "tags": [ + "attack.stealth", + "attack.defense-impairment", + "T1036.005", + "T1685", + "TA0004", + "T1055", + "detection.emerging-threats", + "T1036" + ], + "title": "RedSun - TieringEngineService.exe Detected as EICAR Test File" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects two stages of the RedSun post-exploitation process chain that deliver a SYSTEM-level shell to the attacker's interactive session.\nObserved process chain\n services.exe\n → TieringEngineService.exe\n → conhost.exe (SYSTEM, CommandLine: bare path, no arguments)\n → cmd.exe / shell (SYSTEM, TerminalSessionId = attacker's session)\n\nStage 1 — TieringEngineService.exe spawns argument-less conhost.exe:\n After winning the oplock + Cloud Files mount point race, the malicious TieringEngineService.exe (RedSun.exe copied to System32, started via CoCreateInstance\n / services.exe) detects it is NT AUTHORITY\\SYSTEM and calls LaunchConsoleInSessionId().\n This opens \\\\.\\pipe\\REDSUN, reads the attacker's session ID, duplicates the SYSTEM token, re-stamps it with that session ID via SetTokenInformation(TokenSessionId), then\n calls CreateProcessAsUser to spawn conhost.exe with no arguments.\n\nStage 2 — Shell spawned from rogue conhost.exe (EDR sources with GrandParentImage):\n The rogue SYSTEM conhost.exe spawns a shell (cmd.exe, PowerShell, etc.) 
as SYSTEM in the attacker's interactive session.\n On EDR sources that expose GrandParentImage, the full three-level chain (TieringEngineService.exe → conhost.exe → shell) can be matched directly.\n The legitimate TieringEngineService.exe is a headless COM server that is unlikely to spawn conhost.exe under normal conditions.\n", + "event_ids": [ + "4688" + ], + "id": "9bbf2c33-b756-f40e-93bb-63e488c5ba29", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0004", + "attack.stealth", + "T1134.002", + "T1036.005", + "detection.emerging-threats", + "T1134", + "T1036" + ], + "title": "RedSun - Conhost.exe Spawned by TieringEngineService.exe" + }, + { + "category": "process_creation", + "channel": [ + "sec" + ], + "description": "Detects potential exploitation of CVE-2026-33829, a vulnerability in the Windows Snipping Tool URI handler (ms-screensketch:).\nAn attacker can abuse the 'filePath' parameter to supply a UNC path or HTTP URL, causing SnippingTool.exe to initiate a connection to a remote resource.\nWhen a UNC path is used (e.g. \\\\attacker.com\\share), this triggers an outbound NTLM authentication attempt, allowing the attacker to capture or relay the victim's Net-NTLMv2 hash.\nHTTP-based paths may result in remote file loading or server-side request forgery (SSRF)-style access.\nThe URI can be delivered via a malicious hyperlink, phishing email, or web page.\n", + "event_ids": [ + "4688" + ], + "id": "d7e34f3e-44fe-cd0b-6374-24a9bfeb97ad", + "level": "high", + "service": "", + "subcategory_guids": [ + "0CCE922B-69AE-11D9-BED3-505054503030" + ], + "tags": [ + "TA0006", + "T1187", + "detection.emerging-threats", + "cve.2026-33829" + ], + "title": "Potential CVE-2026-33829 Exploitation - Windows Snipping Tool Remote File Path URI" + }, { "category": "process_creation", "channel": [ @@ -27608,7 +27700,6 @@ "T1195.002", "TA0002", "TA0011", - "TA0005", "T1059.003", "T1059.005", "T1105", 
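Review bot: The `RedSun - Conhost.exe Spawned by TieringEngineService.exe` entry in the `@@ -27588,6 +27606,80 @@` hunk is registered only for Security event `4688`, yet its description says Stage 2 (the shell spawned from the rogue conhost.exe) is matched through `GrandParentImage`, which 4688 does not carry — that event exposes the creator process but no grandparent. As generated, presumably only Stage 1 (TieringEngineService.exe → conhost.exe) can fire from this source, and the description should say so instead of promising the three-level chain; one added sentence such as `With Security 4688 as the source only Stage 1 is matchable; Stage 2 requires an EDR source that exposes the grandparent process.` would do. The detection logic itself is not part of this file, so this can only be inferred from the metadata, and the text comes from the upstream rule, so the fix belongs there if this file is regenerated.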
@@ -27770,7 +27861,7 @@ "tags": [ "TA0011", "TA0002", - "TA0005", + "attack.stealth", "T1218", "TA0008", "T1105", @@ -27868,8 +27959,8 @@ "tags": [ "TA0004", "TA0003", - "TA0005", "TA0001", + "attack.stealth", "T1078.001", "detection.emerging-threats", "cve.2025-57788", @@ -27895,7 +27986,8 @@ "tags": [ "TA0003", "TA0004", - "TA0005", + "TA0002", + "attack.stealth", "T1574.008", "cve.2025-49144", "detection.emerging-threats", @@ -28258,8 +28350,8 @@ ], "tags": [ "TA0003", - "TA0005", "TA0002", + "attack.defense-impairment", "T1112", "detection.emerging-threats" ], @@ -28281,8 +28373,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", "TA0004", + "attack.stealth", "T1055", "TA0007", "T1135", @@ -28353,8 +28445,8 @@ ], "tags": [ "TA0002", + "attack.stealth", "T1059.001", - "TA0005", "T1027", "detection.emerging-threats", "T1059" @@ -28378,8 +28470,8 @@ ], "tags": [ "TA0002", - "TA0005", "TA0007", + "attack.stealth", "T1012", "T1059.003", "T1059.001", @@ -28428,7 +28520,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1218.010", "detection.emerging-threats", "T1218" @@ -28451,7 +28543,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1218.010", "detection.emerging-threats", "T1218" @@ -28550,8 +28642,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ + "attack.stealth", "attack.g0020", - "TA0005", "T1218.011", "detection.emerging-threats", "T1218" @@ -28577,16 +28669,16 @@ "TA0004", "TA0003", "TA0007", + "attack.stealth", "T1012", - "TA0005", "T1036.004", "T1027", "TA0002", "T1053.005", "T1059.001", "detection.emerging-threats", - "T1036", "T1053", + "T1036", "T1059" ], "title": "Operation Wocao Activity" 
@@ -28610,17 +28702,17 @@ "TA0004", "TA0003", "TA0007", + "attack.stealth", "T1012", - "TA0005", "T1036.004", "T1027", "TA0002", "T1053.005", "T1059.001", "detection.emerging-threats", - "T1053", + "T1059", "T1036", - "T1059" + "T1053" ], "title": "Operation Wocao Activity - Security" }, @@ -28647,8 +28739,8 @@ "T1566.001", "cve.2017-0261", "detection.emerging-threats", - "T1566", - "T1204" + "T1204", + "T1566" ], "title": "Exploit for CVE-2017-0261" }, @@ -28752,10 +28844,10 @@ ], "tags": [ "TA0008", + "attack.defense-impairment", "T1210", "TA0007", "T1083", - "TA0005", "T1222.001", "TA0040", "T1486", @@ -28804,16 +28896,17 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", + "attack.defense-impairment", "T1218.011", - "T1070.001", + "T1685.005", "TA0006", "T1003.001", "car.2016-04-002", "detection.emerging-threats", - "T1003", + "T1685", "T1218", - "T1070" + "T1003" ], "title": "NotPetya Ransomware Activity" }, @@ -28834,7 +28927,7 @@ ], "tags": [ "TA0002", - "TA0005", + "attack.stealth", "T1218.011", "detection.emerging-threats", "T1218" @@ -28883,8 +28976,9 @@ "tags": [ "TA0004", "TA0003", + "TA0002", + "attack.stealth", "attack.s0013", - "TA0005", "T1574.001", "detection.emerging-threats", "T1574" @@ -28907,7 +29001,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1036.005", "detection.emerging-threats", "T1036" @@ -28998,7 +29092,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "attack.g0035", "T1036.003", "car.2013-05-009", @@ -29047,7 +29141,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1036.005", "cve.2015-1641", "detection.emerging-threats", @@ -29157,7 +29251,7 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1221", "detection.emerging-threats" ], 
@@ -29523,7 +29617,7 @@ "tags": [ "TA0003", "TA0002", - "TA0005", + "attack.defense-impairment", "T1112", "cve.2020-1048", "detection.emerging-threats" @@ -29616,11 +29710,10 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ + "attack.defense-impairment", "attack.g0004", - "TA0005", - "T1562.001", - "detection.emerging-threats", - "T1562" + "T1685", + "detection.emerging-threats" ], "title": "Potential Ke3chang/TidePool Malware Activity" }, @@ -29641,8 +29734,8 @@ ], "tags": [ "TA0003", - "TA0005", "TA0002", + "attack.defense-impairment", "T1112", "T1047", "detection.emerging-threats" @@ -29665,9 +29758,9 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", "TA0002", "TA0003", + "attack.defense-impairment", "T1112", "T1047", "detection.emerging-threats" @@ -29690,8 +29783,8 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", "TA0003", + "attack.defense-impairment", "T1112", "detection.emerging-threats" ], @@ -29739,7 +29832,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1218.011", "detection.emerging-threats", "T1218" @@ -29856,12 +29949,12 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ + "attack.stealth", "attack.g0049", "TA0002", "T1059.001", "TA0011", "T1105", - "TA0005", "T1036.005", "detection.emerging-threats", "T1059", @@ -29886,8 +29979,8 @@ ], "tags": [ "TA0004", - "TA0005", "TA0002", + "attack.stealth", "T1055.001", "detection.emerging-threats", "T1055" @@ -29910,7 +30003,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1218.011", "detection.emerging-threats", "T1218" @@ -29959,7 +30052,8 @@ "tags": [ "TA0004", "TA0003", - "TA0005", + "TA0002", + "attack.stealth", "T1574.001", "attack.g0044", "detection.emerging-threats", @@ -29985,7 +30079,8 @@ "tags": [ "TA0004", "TA0003", - "TA0005", + "TA0002", + "attack.stealth", "T1574.001", "attack.g0044", "detection.emerging-threats", 
@@ -30108,8 +30203,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", "TA0002", + "attack.stealth", "attack.g0007", "T1059.003", "T1218.011", @@ -30137,7 +30232,7 @@ ], "tags": [ "TA0003", - "TA0005", + "attack.defense-impairment", "T1112", "detection.emerging-threats" ], @@ -30159,8 +30254,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", "TA0002", + "attack.stealth", "attack.g0069", "detection.emerging-threats" ], @@ -30185,11 +30280,11 @@ "TA0004", "TA0002", "TA0003", + "attack.defense-impairment", "attack.g0049", "T1053.005", "attack.s0111", "T1543.003", - "TA0005", "T1112", "TA0011", "T1071.004", @@ -30220,18 +30315,18 @@ "TA0004", "TA0002", "TA0003", + "attack.defense-impairment", "attack.g0049", "T1053.005", "attack.s0111", "T1543.003", - "TA0005", "T1112", "TA0011", "T1071.004", "detection.emerging-threats", - "T1543", + "T1053", "T1071", - "T1053" + "T1543" ], "title": "OilRig APT Schedule Task Persistence - Security" }, @@ -30254,18 +30349,18 @@ "TA0004", "TA0002", "TA0003", + "attack.defense-impairment", "attack.g0049", "T1053.005", "attack.s0111", "T1543.003", - "TA0005", "T1112", "TA0011", "T1071.004", "detection.emerging-threats", - "T1071", + "T1543", "T1053", - "T1543" + "T1071" ], "title": "OilRig APT Registry Persistence" }, @@ -30286,17 +30381,17 @@ "TA0004", "TA0002", "TA0003", + "attack.defense-impairment", "attack.g0049", "T1053.005", "attack.s0111", "T1543.003", - "TA0005", "T1112", "TA0011", "T1071.004", "detection.emerging-threats", - "T1053", "T1543", + "T1053", "T1071" ], "title": "OilRig APT Schedule Task Persistence - System" @@ -30319,7 +30414,8 @@ "tags": [ "TA0004", "TA0003", - "TA0005", + "TA0002", + "attack.stealth", "T1574.001", "attack.g0027", "detection.emerging-threats", @@ -30366,8 +30462,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", "TA0002", + "attack.stealth", "T1218.011", "detection.emerging-threats", "T1218" 
@@ -30393,9 +30489,9 @@ "0CCE9245-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", "cve.2024-1709", - "detection.emerging-threats" + "detection.emerging-threats", + "attack.defense-impairment" ], "title": "ScreenConnect User Database Modification - Security" }, @@ -30513,8 +30609,8 @@ ], "tags": [ "TA0003", + "attack.defense-impairment", "T1112", - "TA0005", "detection.emerging-threats" ], "title": "Potential Raspberry Robin Registry Set Internet Settings ZoneMap" @@ -30535,8 +30631,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", "TA0002", + "attack.stealth", "T1218.011", "detection.emerging-threats", "T1218" @@ -30584,7 +30680,7 @@ ], "tags": [ "TA0003", - "TA0005", + "attack.defense-impairment", "T1553.003", "detection.emerging-threats", "T1553" @@ -30607,7 +30703,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1218.011", "detection.emerging-threats", "T1218" @@ -30749,7 +30845,7 @@ ], "tags": [ "TA0004", - "TA0005", + "attack.stealth", "T1055", "detection.emerging-threats" ], @@ -30771,9 +30867,9 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", "TA0002", - "detection.emerging-threats" + "detection.emerging-threats", + "attack.stealth" ], "title": "Forest Blizzard APT - Process Creation Activity" }, @@ -30886,7 +30982,7 @@ ], "tags": [ "TA0003", - "TA0005", + "attack.defense-impairment", "T1112" ], "title": "RedMimicry Winnti Playbook Registry Manipulation" @@ -30908,7 +31004,7 @@ ], "tags": [ "TA0003", - "TA0005", + "attack.defense-impairment", "T1112" ], "title": "Wdigest CredGuard Registry Modification" @@ -30930,11 +31026,11 @@ ], "tags": [ "TA0003", - "TA0005", - "T1562.002", + "attack.defense-impairment", + "T1685.001", "T1112", "car.2022-03-001", - "T1562" + "T1685" ], "title": "Disable Security Events Logging Adding Reg Key MiniNt" }, 
@@ -30955,7 +31051,7 @@ ], "tags": [ "TA0003", - "TA0005", + "attack.defense-impairment", "T1112" ], "title": "Run Once Task Configuration in Registry" @@ -30999,9 +31095,8 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", - "T1562.001", - "T1562" + "attack.defense-impairment", + "T1685" ], "title": "Enable Remote Connection Between Anonymous Computer - AllowAnonymousCallback" }, @@ -31066,7 +31161,6 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", "TA0004", "T1548.002", "T1548" @@ -31089,9 +31183,9 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", "TA0003", "TA0002", + "attack.defense-impairment", "T1112", "T1059.005", "T1059" @@ -31160,7 +31254,7 @@ ], "tags": [ "TA0003", - "TA0005", + "attack.defense-impairment", "T1112" ], "title": "Potential Qakbot Registry Activity" @@ -31205,7 +31299,7 @@ ], "tags": [ "TA0004", - "TA0005", + "attack.stealth", "T1218", "TA0003", "T1547" @@ -31229,7 +31323,6 @@ ], "tags": [ "TA0008", - "TA0005", "TA0011", "T1090" ], @@ -31343,9 +31436,8 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", - "T1562.001", - "T1562" + "attack.defense-impairment", + "T1685" ], "title": "Windows Defender Threat Severity Default Action Modified" }, @@ -31456,12 +31548,11 @@ ], "tags": [ "TA0003", - "TA0005", "TA0004", "T1548.002", "T1546.001", - "T1546", - "T1548" + "T1548", + "T1546" ], "title": "Shell Open Registry Keys Manipulation" }, @@ -31481,8 +31572,8 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", "TA0002", + "attack.stealth", "T1218.003", "attack.g0069", "car.2019-04-001", @@ -31574,9 +31665,9 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", "TA0003", "TA0002", + "attack.defense-impairment", "T1112" ], "title": "Registry Entries For Azorult Malware" 
@@ -31598,10 +31689,9 @@ ], "tags": [ "TA0003", - "TA0005", - "T1562.001", - "T1112", - "T1562" + "attack.defense-impairment", + "T1685", + "T1112" ], "title": "NetNTLM Downgrade Attack - Registry" }, @@ -31687,9 +31777,8 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", - "T1562.001", - "T1562" + "attack.defense-impairment", + "T1685" ], "title": "Windows Defender Service Disabled - Registry" }, @@ -31710,7 +31799,7 @@ ], "tags": [ "TA0003", - "TA0005", + "attack.defense-impairment", "T1112" ], "title": "Add DisallowRun Execution to Registry" @@ -31731,9 +31820,9 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", "TA0002", - "T1562", + "attack.defense-impairment", + "T1685", "T1569.002", "T1569" ], @@ -31756,7 +31845,7 @@ ], "tags": [ "TA0003", - "TA0005", + "attack.defense-impairment", "T1112" ], "title": "Outlook EnableUnsafeClientMailRules Setting Enabled - Registry" @@ -31801,7 +31890,7 @@ ], "tags": [ "TA0003", - "TA0005", + "attack.defense-impairment", "T1112" ], "title": "New BgInfo.EXE Custom WMI Query Registry Configuration" @@ -31868,7 +31957,9 @@ "tags": [ "TA0004", "TA0003", - "TA0005", + "TA0002", + "attack.stealth", + "attack.defense-impairment", "T1574.001", "T1112", "T1574" @@ -31891,7 +31982,6 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", "TA0004", "T1548.002", "car.2019-04-001", @@ -31958,9 +32048,8 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", - "T1562.001", - "T1562" + "attack.defense-impairment", + "T1685" ], "title": "Disable PUA Protection on Windows Defender" }, @@ -31981,11 +32070,11 @@ ], "tags": [ "TA0002", + "attack.stealth", "T1204.004", - "TA0005", "T1027.010", - "T1204", - "T1027" + "T1027", + "T1204" ], "title": "Suspicious Space Characters in RunMRU Registry Path - ClickFix" }, @@ -32028,7 +32117,7 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1036.003", "T1036" ], 
@@ -32050,7 +32139,7 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1070.005", "T1070" ], @@ -32095,9 +32184,8 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", - "T1562.001", - "T1562" + "attack.defense-impairment", + "T1685" ], "title": "Disable Exploit Guard Network Protection on Windows Defender" }, @@ -32119,7 +32207,8 @@ "tags": [ "TA0003", "TA0004", - "TA0005", + "TA0002", + "attack.stealth", "T1574.012", "T1574" ], @@ -32141,8 +32230,8 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", "TA0003", + "attack.defense-impairment", "T1112" ], "title": "RDP Sensitive Settings Changed to Zero" @@ -32164,9 +32253,9 @@ ], "tags": [ "TA0003", - "TA0005", + "attack.defense-impairment", "T1112", - "T1562" + "T1685" ], "title": "ETW Logging Disabled For SCM" }, @@ -32186,9 +32275,8 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "T1562.001", - "TA0005", - "T1562" + "attack.defense-impairment", + "T1685" ], "title": "Suspicious Service Installed" }, @@ -32209,7 +32297,7 @@ ], "tags": [ "TA0003", - "TA0005", + "attack.defense-impairment", "T1112" ], "title": "Modification of IE Registry Settings" @@ -32262,7 +32350,7 @@ "channel": [ "sec" ], - "description": "Detects modification of autostart extensibility point (ASEP) in registry.", + "description": "Detects modification of autostart extensibility point (ASEP) in registry. Adversaries may modify these keys to execute malicious code when Office files are opened.\nThere are various legitimate add-ins that also use these keys and this filter list might not be exhaustive.\nThus, it is recommended to review and tune filters for your environment to reduce false positives before deploying to production.\n", "event_ids": [ "4657" ], @@ -32341,7 +32429,7 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1218.011", "T1218" ], 
@@ -32364,7 +32452,7 @@ ], "tags": [ "TA0003", - "TA0005", + "attack.defense-impairment", "T1112" ], "title": "Uncommon Microsoft Office Trusted Location Added" @@ -32407,7 +32495,7 @@ ], "tags": [ "TA0003", - "TA0005", + "attack.defense-impairment", "T1112" ], "title": "Change User Account Associated with the FAX Service" @@ -32451,8 +32539,8 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", - "T1562" + "attack.defense-impairment", + "T1685" ], "title": "Hide Schedule Task Via Index Value Tamper" }, @@ -32495,8 +32583,8 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", "TA0003", + "attack.defense-impairment", "T1112" ], "title": "Potential Persistence Via Outlook Home Page" @@ -32517,7 +32605,6 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", "TA0004", "T1548.002", "T1548" @@ -32540,10 +32627,8 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", - "T1562.001", - "T1562.006", - "T1562" + "attack.defense-impairment", + "T1685" ], "title": "AMSI Disabled via Registry Modification" }, @@ -32564,7 +32649,7 @@ ], "tags": [ "TA0003", - "TA0005", + "attack.defense-impairment", "T1112" ], "title": "New BgInfo.EXE Custom DB Path Registry Configuration" @@ -32631,9 +32716,8 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", - "T1562.001", - "T1562" + "attack.defense-impairment", + "T1685" ], "title": "Microsoft Office Protected View Disabled" }, @@ -32653,9 +32737,9 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", - "T1562.004", - "T1562" + "attack.defense-impairment", + "T1686.003", + "T1686" ], "title": "Disable Microsoft Defender Firewall via Registry" }, @@ -32676,7 +32760,7 @@ ], "tags": [ "TA0003", - "TA0005", + "attack.defense-impairment", "T1112" ], "title": "New BgInfo.EXE Custom VBScript Registry Configuration" 
@@ -32762,7 +32846,9 @@ "tags": [ "TA0003", "TA0004", - "TA0005", + "TA0002", + "attack.stealth", + "attack.defense-impairment", "T1112", "T1574.001", "T1574" @@ -32785,9 +32871,9 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", "TA0006", "TA0003", + "attack.defense-impairment", "T1556" ], "title": "Directory Service Restore Mode(DSRM) Registry Value Tampering" @@ -32830,7 +32916,6 @@ ], "tags": [ "TA0004", - "TA0005", "T1548.002", "T1548" ], @@ -32853,7 +32938,7 @@ ], "tags": [ "TA0003", - "TA0005", + "attack.defense-impairment", "T1112" ], "title": "Wdigest Enable UseLogonCredential" @@ -32874,9 +32959,8 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", - "T1562.001", - "T1562" + "attack.defense-impairment", + "T1685" ], "title": "Disable Windows Defender Functionalities Via Registry Keys" }, @@ -32897,7 +32981,7 @@ ], "tags": [ "TA0003", - "TA0005", + "attack.defense-impairment", "T1112" ], "title": "Potential Persistence Via Event Viewer Events.asp" @@ -32918,7 +33002,7 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005" + "attack.stealth" ], "title": "IE ZoneMap Setting Downgraded To MyComputer Zone For HTTP Protocols" }, @@ -32938,8 +33022,8 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", "TA0003", + "attack.defense-impairment", "T1112" ], "title": "RDP Sensitive Settings Changed" @@ -32981,7 +33065,7 @@ ], "tags": [ "TA0003", - "TA0005", + "attack.defense-impairment", "T1112" ], "title": "RestrictedAdminMode Registry Value Tampering" @@ -33002,7 +33086,7 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1202" ], "title": "Custom File Open Handler Executes PowerShell" @@ -33023,7 +33107,7 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1218" ], "title": "Potential Provisioning Registry Key Abuse For Binary Proxy Execution - REG" 
@@ -33044,7 +33128,7 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005" + "attack.defense-impairment" ], "title": "Disable Macro Runtime Scan Scope" }, @@ -33108,9 +33192,8 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", - "T1562.001", - "T1562" + "attack.defense-impairment", + "T1685" ], "title": "Python Function Execution Security Warning Disabled In Excel - Registry" }, @@ -33130,7 +33213,7 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1564.001", "T1564" ], @@ -33152,7 +33235,7 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1070.005", "T1070" ], @@ -33198,7 +33281,7 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1564.002", "T1564" ], @@ -33221,8 +33304,9 @@ ], "tags": [ "TA0003", - "TA0005", "TA0004", + "TA0002", + "attack.stealth", "T1574", "cve.2021-1675" ], @@ -33245,7 +33329,7 @@ ], "tags": [ "TA0003", - "TA0005", + "attack.defense-impairment", "T1112" ], "title": "Service Binary in Suspicious Folder" @@ -33289,7 +33373,6 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", "TA0004", "TA0003", "T1548.002", @@ -33316,7 +33399,7 @@ ], "tags": [ "TA0003", - "TA0005", + "attack.defense-impairment", "T1112" ], "title": "NET NGenAssemblyUsageLog Registry Key Tamper" @@ -33337,8 +33420,8 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", - "TA0003" + "TA0003", + "attack.stealth" ], "title": "Suspicious Environment Variable Has Been Registered" }, @@ -33358,8 +33441,8 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", - "TA0003" + "TA0003", + "attack.defense-impairment" ], "title": "Winget Admin Settings Modification" }, @@ -33380,7 +33463,7 @@ ], "tags": [ "TA0003", - "TA0005", + "attack.defense-impairment", "T1112" ], "title": "Activate Suppression of Windows Security Center Notifications" 
@@ -33425,7 +33508,6 @@ ], "tags": [ "TA0004", - "TA0005", "T1548.002", "T1548" ], @@ -33448,8 +33530,9 @@ ], "tags": [ "TA0004", - "TA0005", "TA0003", + "TA0002", + "attack.stealth", "T1574" ], "title": "Potential Registry Persistence Attempt Via DbgManagedDebugger" @@ -33517,7 +33600,7 @@ ], "tags": [ "TA0003", - "TA0005", + "attack.defense-impairment", "T1112" ], "title": "Trust Access Disable For VBApplications" @@ -33527,7 +33610,7 @@ "channel": [ "sec" ], - "description": "Detects tampering with autologger trace sessions which is a technique used by attackers to disable logging", + "description": "Detects tampering with autologger trace sessions which is a technique used by attackers to disable logging.\nThe AutoLogger event tracing session records events up that occur early in the operating system boot process.\nApplications and device drivers can use the AutoLogger session to capture traces before the user logs in, and also used by security solutions as telemetry source.\nAdversaries may disable these sessions to evade detection and prevent security monitoring of early boot activities and system events.\n", "event_ids": [ "4657" ], @@ -33538,7 +33621,9 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005" + "attack.defense-impairment", + "T1685.001", + "T1685" ], "title": "Potential AutoLogger Sessions Tampering" }, @@ -33581,7 +33666,7 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005" + "attack.stealth" ], "title": "Old TLS1.0/TLS1.1 Protocol Version Enabled" }, @@ -33624,9 +33709,8 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", - "T1562.001", - "T1562" + "attack.defense-impairment", + "T1685" ], "title": "Disabled Windows Defender Eventlog" }, @@ -33647,7 +33731,6 @@ ], "tags": [ "TA0003", - "TA0005", "TA0004", "T1546", "T1548" @@ -33692,7 +33775,9 @@ "tags": [ "TA0004", "TA0003", - "TA0005", + "TA0002", + "attack.stealth", + "attack.defense-impairment", "T1574.001", "T1112", "T1574" 
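Review bot: The new `description` in the `@@ -33527,7 +33610,7 @@` hunk has a grammatical slip, `records events up that occur early in the operating system boot process`, and the following sentence loses its subject (`and also used by security solutions as telemetry source`). Suggested wording: `The AutoLogger event tracing session records events that occur early in the operating system boot process.` followed by `Applications and device drivers can use the AutoLogger session to capture traces before the user logs in, and security solutions also use it as a telemetry source.` The text is carried over from the upstream rule, so the correction should be made there if this file is regenerated from it.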
@@ -33716,9 +33801,9 @@ ], "tags": [ "TA0003", - "TA0005", + "attack.defense-impairment", "T1112", - "T1562" + "T1685" ], "title": "ETW Logging Disabled In .NET Processes - Sysmon Registry" }, @@ -33738,9 +33823,8 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", - "T1562.001", - "T1562" + "attack.defense-impairment", + "T1685" ], "title": "Uncommon Extension In Keyboard Layout IME File Registry Value" }, @@ -33760,7 +33844,7 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005" + "attack.stealth" ], "title": "Potential Signing Bypass Via Windows Developer Features - Registry" }, @@ -33804,7 +33888,7 @@ ], "tags": [ "TA0003", - "TA0005", + "attack.defense-impairment", "T1112" ], "title": "Potential Persistence Via Custom Protocol Handler" @@ -33872,7 +33956,7 @@ ], "tags": [ "TA0003", - "TA0005", + "attack.defense-impairment", "T1112" ], "title": "ClickOnce Trust Prompt Tampering" @@ -33894,7 +33978,7 @@ ], "tags": [ "TA0003", - "TA0005", + "attack.defense-impairment", "T1112" ], "title": "Enable LM Hash Storage" @@ -33916,7 +34000,8 @@ ], "tags": [ "TA0003", - "TA0005", + "attack.stealth", + "attack.defense-impairment", "T1140", "T1112" ], @@ -33962,7 +34047,8 @@ ], "tags": [ "TA0003", - "TA0005", + "attack.stealth", + "attack.defense-impairment", "T1564", "T1112" ], @@ -34037,7 +34123,7 @@ "channel": [ "sec" ], - "description": "Detects modification of autostart extensibility point (ASEP) in registry.", + "description": "Detects modification of Windows Registry Classes keys used for persistence.\nAdversaries modify these autostart extensibility points (ASEP) to execute malicious code when file types are opened or actions are performed.\nVarious legitimate software also uses these keys. Currently, this rule only filters out known legitimate software paths,\nthus it is recommended to review and tune filters for your environment to reduce false positives before deploying to production.\n", "event_ids": [ "4657" ], 
@@ -34111,9 +34197,9 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", - "T1562.002", - "T1562" + "attack.defense-impairment", + "T1685.001", + "T1685" ], "title": "Potential EventLog File Location Tampering" }, @@ -34159,7 +34245,7 @@ "tags": [ "TA0004", "TA0003", - "TA0005", + "attack.defense-impairment", "T1547.001", "T1112", "T1547" @@ -34182,9 +34268,8 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", - "T1562.001", - "T1562" + "attack.defense-impairment", + "T1685" ], "title": "Windows Defender Exclusions Added - Registry" }, @@ -34204,7 +34289,7 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005" + "attack.defense-impairment" ], "title": "Potential Attachment Manager Settings Attachments Tamper" }, @@ -34225,7 +34310,6 @@ ], "tags": [ "TA0004", - "TA0005", "T1548.002", "T1548" ], @@ -34277,9 +34361,9 @@ "T1021.002", "T1543.003", "T1569.002", - "T1543", + "T1021", "T1569", - "T1021" + "T1543" ], "title": "Potential CobaltStrike Service Installations - Registry" }, @@ -34366,7 +34450,7 @@ ], "tags": [ "TA0003", - "TA0005", + "attack.defense-impairment", "T1553.003", "T1553" ], @@ -34388,7 +34472,7 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005" + "attack.defense-impairment" ], "title": "Potential Attachment Manager Settings Associations Tamper" }, @@ -34408,7 +34492,7 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005" + "attack.defense-impairment" ], "title": "Potential PowerShell Execution Policy Tampering" }, @@ -34428,9 +34512,8 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", - "T1562.001", - "T1562" + "attack.defense-impairment", + "T1685" ], "title": "Windows Credential Guard Disabled - Registry" }, @@ -34450,7 +34533,8 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", + "attack.defense-impairment", "T1564.001", "T1112", "TA0003", 
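Review bot: The hunk for 'Potential CobaltStrike Service Installations - Registry' changes nothing but the order of `"T1543"`, `"T1021"` and `"T1569"`, which suggests the tags array is emitted in set or hash order rather than sorted, so unrelated churn lands in every regeneration. Sorting the tags before writing (or preserving the source rule's order) would make these diffs show only semantic changes. The same order-only churn appears in 'Session Manager Autorun Keys Modification', 'HackTool - WinPwn Execution - ScriptBlock', 'Remote PowerShell Session (PS Classic)', 'CobaltStrike Service Installations - System' and 'smbexec.py Service Installation'; the generator itself is outside this patch.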
@@ -34474,9 +34558,8 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", - "T1562.001", - "T1562" + "attack.defense-impairment", + "T1685" ], "title": "Scripted Diagnostics Turn Off Check Enabled - Registry" }, @@ -34538,7 +34621,7 @@ ], "tags": [ "TA0003", - "TA0005", + "attack.defense-impairment", "T1112" ], "title": "Disable Internal Tools or Feature in Registry" @@ -34560,9 +34643,9 @@ ], "tags": [ "TA0003", - "TA0005", + "attack.defense-impairment", "T1112", - "T1562" + "T1685" ], "title": "ETW Logging Disabled For rpcrt4.dll" }, @@ -34583,8 +34666,8 @@ ], "tags": [ "TA0003", - "TA0005", "TA0040", + "attack.defense-impairment", "T1112", "T1491.001", "T1491" @@ -34631,8 +34714,8 @@ ], "tags": [ "TA0002", + "attack.stealth", "T1204.004", - "TA0005", "T1027.010", "T1204", "T1027" @@ -34656,11 +34739,11 @@ ], "tags": [ "TA0003", - "TA0005", - "T1562.002", + "attack.defense-impairment", + "T1685.001", "T1112", "car.2022-03-001", - "T1562" + "T1685" ], "title": "Security Event Logging Disabled via MiniNt Registry Key - Registry Set" }, @@ -34680,9 +34763,8 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", - "T1562.001", - "T1562" + "attack.defense-impairment", + "T1685" ], "title": "Potential AMSI COM Server Hijacking" }, @@ -34703,7 +34785,7 @@ ], "tags": [ "TA0003", - "TA0005", + "attack.defense-impairment", "T1112" ], "title": "Disable Windows Security Center Notifications" @@ -34725,7 +34807,7 @@ ], "tags": [ "TA0003", - "TA0005", + "attack.defense-impairment", "T1112" ], "title": "Macro Enabled In A Potentially Suspicious Document" @@ -34746,9 +34828,8 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", - "T1562.001", - "T1562" + "attack.defense-impairment", + "T1685" ], "title": "Windows Hypervisor Enforced Code Integrity Disabled" }, @@ -34769,7 +34850,6 @@ ], "tags": [ "TA0004", - "TA0005", "T1548.002", "T1548" ], 
@@ -34791,7 +34871,7 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1564.001", "T1564" ], @@ -34837,7 +34917,7 @@ ], "tags": [ "TA0003", - "TA0005", + "attack.defense-impairment", "T1112" ], "title": "Allow RDP Remote Assistance Feature" @@ -34881,9 +34961,9 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", - "T1562.002", - "T1562" + "attack.defense-impairment", + "T1685.001", + "T1685" ], "title": "Change Winevt Channel Access Permission Via Registry" }, @@ -35010,9 +35090,8 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", - "T1562.001", - "T1562" + "attack.defense-impairment", + "T1685" ], "title": "Tamper With Sophos AV Registry Keys" }, @@ -35055,9 +35134,8 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", - "T1562.001", - "T1562" + "attack.defense-impairment", + "T1685" ], "title": "Sysmon Driver Altitude Change" }, @@ -35100,7 +35178,7 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005" + "attack.defense-impairment" ], "title": "Internet Explorer DisableFirstRunCustomize Enabled" }, @@ -35120,9 +35198,8 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", - "T1562.001", - "T1562" + "attack.defense-impairment", + "T1685" ], "title": "Suspicious Path In Keyboard Layout IME File Registry Value" }, @@ -35143,7 +35220,7 @@ ], "tags": [ "TA0003", - "TA0005", + "attack.defense-impairment", "T1112" ], "title": "Winlogon AllowMultipleTSSessions Enable" @@ -35230,9 +35307,8 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", - "T1562.001", - "T1562" + "attack.defense-impairment", + "T1685" ], "title": "Antivirus Filter Driver Disallowed On Dev Drive - Registry" }, @@ -35294,7 +35370,7 @@ ], "tags": [ "TA0003", - "TA0005", + "attack.defense-impairment", "T1112" ], "title": "Registry Hide Function from User" 
@@ -35316,7 +35392,7 @@ ], "tags": [ "TA0003", - "TA0005", + "attack.defense-impairment", "T1112" ], "title": "Registry Explorer Policy Modification" @@ -35338,7 +35414,7 @@ ], "tags": [ "TA0003", - "TA0005", + "attack.defense-impairment", "T1112" ], "title": "Office Macros Warning Disabled" @@ -35359,9 +35435,8 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", - "T1562.001", - "T1562" + "attack.defense-impairment", + "T1685" ], "title": "Disable Privacy Settings Experience in Registry" }, @@ -35427,7 +35502,6 @@ ], "tags": [ "TA0004", - "TA0005", "T1548.002", "T1548" ], @@ -35475,8 +35549,8 @@ "TA0003", "T1547.001", "T1546.009", - "T1547", - "T1546" + "T1546", + "T1547" ], "title": "Session Manager Autorun Keys Modification" }, @@ -35497,7 +35571,7 @@ ], "tags": [ "TA0003", - "TA0005", + "attack.defense-impairment", "T1112" ], "title": "Change the Fax Dll" @@ -35518,8 +35592,8 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", "TA0003", + "attack.defense-impairment", "T1112" ], "title": "Potential Persistence Via Outlook Today Page" @@ -35586,7 +35660,6 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", "TA0004", "T1548.002", "T1548" @@ -35609,7 +35682,7 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005" + "attack.stealth" ], "title": "New File Association Using Exefile" }, @@ -35654,9 +35727,9 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", - "T1562.002", - "T1562" + "attack.defense-impairment", + "T1685.001", + "T1685" ], "title": "Disable Windows Event Logging Via Registry" }, @@ -35718,9 +35791,8 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", - "T1562.001", - "T1562" + "attack.defense-impairment", + "T1685" ], "title": "Hypervisor Enforced Paging Translation Disabled" }, @@ -35740,7 +35812,7 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1036.003", "T1036" ], 
@@ -35762,7 +35834,6 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", "TA0004", "T1548.002", "car.2019-04-001", @@ -35827,7 +35898,7 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", + "attack.stealth", "T1218" ], "title": "Execution DLL of Choice Using WAB.EXE" @@ -35938,9 +36009,9 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", - "T1562.004", - "T1562" + "attack.defense-impairment", + "T1686.003", + "T1686" ], "title": "Disable Windows Firewall by Registry" }, @@ -35960,8 +36031,8 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", - "TA0003" + "TA0003", + "attack.stealth" ], "title": "Enable Local Manifest Installation With Winget" }, @@ -35981,9 +36052,8 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", - "T1562.001", - "T1562" + "attack.defense-impairment", + "T1685" ], "title": "Suspicious Application Allowed Through Exploit Guard" }, @@ -36025,9 +36095,8 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", - "T1562.001", - "T1562" + "attack.defense-impairment", + "T1685" ], "title": "Disable Tamper Protection on Windows Defender" }, @@ -36047,7 +36116,7 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005" + "attack.stealth" ], "title": "Driver Added To Disallowed Images In HVCI - Registry" }, @@ -36069,7 +36138,6 @@ "tags": [ "TA0004", "TA0003", - "TA0005", "T1546.012", "car.2013-01-002", "T1546" @@ -36137,9 +36205,8 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", - "T1562.001", - "T1562" + "attack.defense-impairment", + "T1685" ], "title": "Windows Vulnerable Driver Blocklist Disabled" }, @@ -36178,7 +36245,7 @@ "service": "", "subcategory_guids": [], "tags": [ - "TA0005", + "attack.stealth", "T1027", "TA0002", "T1059.001", 
@@ -36305,10 +36372,9 @@ "service": "", "subcategory_guids": [], "tags": [ - "TA0005", - "T1562.001", - "TA0002", - "T1562" + "attack.defense-impairment", + "T1685", + "TA0002" ], "title": "AMSI Bypass Pattern Assembly GetType" }, @@ -36347,7 +36413,7 @@ "service": "", "subcategory_guids": [], "tags": [ - "TA0005", + "attack.defense-impairment", "T1553.005", "T1553" ], @@ -36368,7 +36434,7 @@ "service": "", "subcategory_guids": [], "tags": [ - "TA0005", + "attack.stealth", "T1027", "TA0002", "T1059.001", @@ -36433,7 +36499,7 @@ "service": "", "subcategory_guids": [], "tags": [ - "TA0005", + "attack.defense-impairment", "T1222" ], "title": "PowerShell Script Change Permission Via Set-Acl - PsScript" @@ -36453,7 +36519,7 @@ "service": "", "subcategory_guids": [], "tags": [ - "TA0005", + "attack.stealth", "T1070.005", "T1070" ], @@ -36474,7 +36540,7 @@ "service": "", "subcategory_guids": [], "tags": [ - "TA0005", + "attack.stealth", "T1218.007", "T1218" ], @@ -36515,7 +36581,7 @@ "service": "", "subcategory_guids": [], "tags": [ - "TA0005", + "attack.stealth", "T1027", "TA0002", "T1059.001", @@ -36538,8 +36604,8 @@ "service": "", "subcategory_guids": [], "tags": [ - "TA0005", "TA0004", + "attack.stealth", "T1055", "TA0002", "T1059.001", @@ -36646,9 +36712,8 @@ "service": "", "subcategory_guids": [], "tags": [ - "TA0005", - "T1562.001", - "T1562" + "attack.defense-impairment", + "T1685" ], "title": "Disable-WindowsOptionalFeature Command PowerShell" }, @@ -36689,9 +36754,8 @@ "service": "", "subcategory_guids": [], "tags": [ - "TA0005", - "T1562.001", - "T1562" + "attack.defense-impairment", + "T1685" ], "title": "Tamper Windows Defender Remove-MpPreference - ScriptBlockLogging" }, @@ -36730,7 +36794,7 @@ "service": "", "subcategory_guids": [], "tags": [ - "TA0005", + "attack.stealth", "T1036.003", "T1036" ], @@ -36752,8 +36816,9 @@ "subcategory_guids": [], "tags": [ "TA0003", - "TA0005", "TA0004", + "TA0002", + "attack.stealth", "T1574.011", "T1574" ], 
@@ -36866,8 +36931,8 @@ "subcategory_guids": [], "tags": [ "TA0003", - "TA0005", - "TA0004" + "TA0004", + "attack.defense-impairment" ], "title": "Potential Persistence Via Security Descriptors - ScriptBlock" }, @@ -36907,7 +36972,7 @@ "subcategory_guids": [], "tags": [ "TA0003", - "TA0005" + "attack.stealth" ], "title": "Unsigned AppX Installation Attempt Using Add-AppxPackage - PsScript" }, @@ -36926,7 +36991,7 @@ "service": "", "subcategory_guids": [], "tags": [ - "TA0005" + "attack.stealth" ], "title": "Potential Suspicious Windows Feature Enabled" }, @@ -36945,7 +37010,7 @@ "service": "", "subcategory_guids": [], "tags": [ - "TA0005" + "attack.defense-impairment" ], "title": "Potentially Suspicious Call To Win32_NTEventlogFile Class - PSScript" }, @@ -37006,7 +37071,6 @@ "service": "", "subcategory_guids": [], "tags": [ - "TA0005", "TA0006", "T1003", "T1558.003", @@ -37032,7 +37096,7 @@ "service": "", "subcategory_guids": [], "tags": [ - "TA0005", + "attack.stealth", "T1070.003", "T1070" ], @@ -37053,7 +37117,7 @@ "service": "", "subcategory_guids": [], "tags": [ - "TA0005", + "attack.stealth", "T1070", "T1070.003" ], @@ -37095,7 +37159,7 @@ "service": "", "subcategory_guids": [], "tags": [ - "TA0005", + "attack.stealth", "T1027", "TA0002", "T1059.001", @@ -37118,9 +37182,8 @@ "service": "", "subcategory_guids": [], "tags": [ - "TA0005", - "T1562.001", - "T1562" + "attack.defense-impairment", + "T1685" ], "title": "Potential AMSI Bypass Script Using NULL Bits" }, @@ -37140,8 +37203,9 @@ "subcategory_guids": [], "tags": [ "TA0004", - "TA0005", "TA0003", + "TA0002", + "attack.stealth", "T1574.011", "stp.2a", "T1574" @@ -37163,7 +37227,7 @@ "service": "", "subcategory_guids": [], "tags": [ - "TA0005", + "attack.stealth", "T1070.003", "T1070" ], @@ -37185,9 +37249,9 @@ "subcategory_guids": [], "tags": [ "TA0004", - "TA0005", "TA0003", "TA0001", + "attack.stealth", "T1078.002", "T1098", "T1078" 
@@ -37209,8 +37273,8 @@ "service": "", "subcategory_guids": [], "tags": [ - "TA0005", "TA0004", + "attack.defense-impairment", "T1484.001", "T1484" ], @@ -37291,7 +37355,7 @@ "service": "", "subcategory_guids": [], "tags": [ - "TA0005", + "attack.defense-impairment", "T1553.005", "T1553" ], @@ -37312,7 +37376,7 @@ "service": "", "subcategory_guids": [], "tags": [ - "TA0005", + "attack.stealth", "T1070.003", "T1070" ], @@ -37333,7 +37397,7 @@ "service": "", "subcategory_guids": [], "tags": [ - "TA0005", + "attack.stealth", "T1564.004", "T1564" ], @@ -37437,7 +37501,7 @@ "service": "", "subcategory_guids": [], "tags": [ - "TA0005", + "attack.stealth", "T1202" ], "title": "Troubleshooting Pack Cmdlet Execution" @@ -37457,9 +37521,9 @@ "service": "", "subcategory_guids": [], "tags": [ - "TA0005", "TA0003", "TA0002", + "attack.defense-impairment", "T1112", "T1059.005", "T1059" @@ -37502,8 +37566,8 @@ "service": "", "subcategory_guids": [], "tags": [ - "TA0005", - "T1562", + "attack.defense-impairment", + "T1685", "TA0002", "T1059" ], @@ -37543,11 +37607,11 @@ "service": "", "subcategory_guids": [], "tags": [ - "TA0005", + "attack.stealth", + "attack.defense-impairment", "T1070", - "T1562.006", - "car.2016-04-002", - "T1562" + "T1685", + "car.2016-04-002" ], "title": "Disable of ETW Trace - Powershell" }, @@ -37587,8 +37651,8 @@ "service": "", "subcategory_guids": [], "tags": [ - "TA0005", "TA0002", + "attack.stealth", "T1027", "T1059.001", "T1059" @@ -37631,7 +37695,7 @@ "service": "", "subcategory_guids": [], "tags": [ - "TA0005", + "attack.stealth", "T1564.003", "T1564" ], @@ -37652,7 +37716,7 @@ "service": "", "subcategory_guids": [], "tags": [ - "TA0005", + "attack.defense-impairment", "T1553.004", "T1553" ], @@ -37734,7 +37798,7 @@ "service": "", "subcategory_guids": [], "tags": [ - "TA0005", + "attack.stealth", "T1027", "TA0002", "T1059.001", 
@@ -37780,8 +37844,9 @@ "subcategory_guids": [], "tags": [ "TA0003", - "TA0005", "TA0004", + "TA0002", + "attack.stealth", "T1574.011", "T1574" ], @@ -38029,7 +38094,7 @@ "service": "", "subcategory_guids": [], "tags": [ - "TA0005", + "attack.defense-impairment", "T1553.004", "T1553" ], @@ -38070,7 +38135,7 @@ "service": "", "subcategory_guids": [], "tags": [ - "TA0005", + "attack.stealth", "T1218" ], "title": "Potential RemoteFXvGPUDisablement.EXE Abuse - PowerShell ScriptBlock" @@ -38090,7 +38155,7 @@ "service": "", "subcategory_guids": [], "tags": [ - "TA0005", + "attack.stealth", "T1564.006", "T1564" ], @@ -38198,7 +38263,6 @@ "subcategory_guids": [], "tags": [ "TA0006", - "TA0005", "TA0007", "TA0002", "TA0004", @@ -38210,8 +38274,8 @@ "T1552.001", "T1555", "T1555.003", - "T1552", - "T1548" + "T1548", + "T1552" ], "title": "HackTool - WinPwn Execution - ScriptBlock" }, @@ -38395,7 +38459,7 @@ "service": "", "subcategory_guids": [], "tags": [ - "TA0005", + "attack.defense-impairment", "T1222" ], "title": "PowerShell Set-Acl On Windows Folder - PsScript" @@ -38438,7 +38502,7 @@ "subcategory_guids": [], "tags": [ "TA0007", - "TA0005", + "attack.stealth", "T1497.001", "T1497" ], @@ -38459,7 +38523,7 @@ "service": "", "subcategory_guids": [], "tags": [ - "TA0005", + "attack.stealth", "T1027", "TA0002", "T1059.001", @@ -38482,7 +38546,7 @@ "service": "", "subcategory_guids": [], "tags": [ - "TA0005", + "attack.stealth", "T1027", "TA0002", "T1059.001", @@ -38588,7 +38652,7 @@ "service": "", "subcategory_guids": [], "tags": [ - "TA0005", + "attack.stealth", "T1027", "TA0002", "T1059.001", @@ -38704,7 +38768,7 @@ "service": "", "subcategory_guids": [], "tags": [ - "TA0005", + "attack.stealth", "T1070.006", "T1070" ], @@ -38787,7 +38851,7 @@ "service": "", "subcategory_guids": [], "tags": [ - "TA0005", + "attack.stealth", "T1027", "TA0002", "T1059.001", 
@@ -38810,9 +38874,9 @@ "service": "", "subcategory_guids": [], "tags": [ - "TA0005", - "T1070.001", - "T1070" + "attack.defense-impairment", + "T1685.005", + "T1685" ], "title": "Suspicious Eventlog Clear" }, @@ -38937,7 +39001,7 @@ "service": "", "subcategory_guids": [], "tags": [ - "TA0005", + "attack.stealth", "T1620" ], "title": "Potential In-Memory Execution Using Reflection.Assembly" @@ -38978,9 +39042,8 @@ "service": "", "subcategory_guids": [], "tags": [ - "TA0005", - "T1562.001", - "T1562" + "attack.defense-impairment", + "T1685" ], "title": "Tamper Windows Defender - ScriptBlockLogging" }, @@ -39000,8 +39063,8 @@ "subcategory_guids": [], "tags": [ "TA0003", - "TA0005", "TA0006", + "attack.defense-impairment", "T1556.002", "T1556" ], @@ -39022,9 +39085,9 @@ "service": "", "subcategory_guids": [], "tags": [ - "TA0005", - "T1562.004", - "T1562" + "attack.defense-impairment", + "T1686.003", + "T1686" ], "title": "Windows Firewall Profile Disabled" }, @@ -39068,8 +39131,8 @@ "service": "", "subcategory_guids": [], "tags": [ - "TA0005", "TA0002", + "attack.stealth", "T1027", "T1059.001", "T1059" @@ -39153,7 +39216,7 @@ "service": "", "subcategory_guids": [], "tags": [ - "TA0005" + "attack.defense-impairment" ], "title": "PowerShell Write-EventLog Usage" }, @@ -39213,7 +39276,7 @@ "service": "", "subcategory_guids": [], "tags": [ - "TA0005", + "attack.stealth", "T1218" ], "title": "SyncAppvPublishingServer Execution to Bypass Powershell Restriction" @@ -39256,7 +39319,7 @@ "service": "", "subcategory_guids": [], "tags": [ - "TA0005", + "attack.stealth", "T1027", "TA0002", "T1059.001", @@ -39300,7 +39363,7 @@ "service": "", "subcategory_guids": [], "tags": [ - "TA0005", + "attack.stealth", "T1564.004", "TA0002", "T1059.001", @@ -39324,7 +39387,7 @@ "service": "", "subcategory_guids": [], "tags": [ - "TA0005", + "attack.defense-impairment", "T1553.005", "T1553" ], 
@@ -39410,8 +39473,9 @@ "subcategory_guids": [], "tags": [ "TA0004", - "TA0005", "TA0003", + "TA0002", + "attack.stealth", "T1574.012", "T1574" ], @@ -39454,8 +39518,8 @@ "tags": [ "TA0004", "TA0001", - "TA0005", "TA0003", + "attack.stealth", "T1078.002", "T1098", "T1078" @@ -39477,7 +39541,7 @@ "service": "", "subcategory_guids": [], "tags": [ - "TA0005", + "attack.stealth", "T1027", "TA0002", "T1059.001", @@ -39658,7 +39722,7 @@ "service": "powershell-classic", "subcategory_guids": [], "tags": [ - "TA0005", + "attack.stealth", "T1218" ], "title": "Potential RemoteFXvGPUDisablement.EXE Abuse" @@ -39677,7 +39741,6 @@ "service": "", "subcategory_guids": [], "tags": [ - "TA0005", "TA0002", "T1059.001", "T1059" @@ -39698,7 +39761,6 @@ "service": "", "subcategory_guids": [], "tags": [ - "TA0005", "TA0002", "T1059.001", "T1059" @@ -39739,7 +39801,10 @@ "subcategory_guids": [], "tags": [ "TA0011", - "T1095" + "TA0002", + "T1095", + "T1059.001", + "T1059" ], "title": "Netcat The Powershell Version" }, @@ -39757,9 +39822,8 @@ "service": "", "subcategory_guids": [], "tags": [ - "TA0005", - "T1562.001", - "T1562" + "attack.defense-impairment", + "T1685" ], "title": "Tamper Windows Defender - PSClassic" }, @@ -39781,8 +39845,8 @@ "T1059.001", "TA0008", "T1021.006", - "T1059", - "T1021" + "T1021", + "T1059" ], "title": "Remote PowerShell Session (PS Classic)" }, 
@@ -39806,6 +39870,28 @@ ], "title": "Nslookup PowerShell Download Cradle" }, + { + "category": "ps_classic_start", + "channel": [ + "pwsh" + ], + "description": "Detects PowerShell download activity, via the .DownloadFile() or .DownloadString() methods of the Net.WebClient class.\nThis technique is often abused by attackers to download additional payloads.\n", + "event_ids": [ + "400" + ], + "id": "d938bbb0-a745-c4fc-ce0d-eb5a006e6757", + "level": "low", + "service": "", + "subcategory_guids": [], + "tags": [ + "TA0002", + "TA0011", + "T1059.001", + "T1105", + "T1059" + ], + "title": "PowerShell Download Via Net.WebClient - PowerShell Classic" + }, { "category": "ps_classic_start", "channel": [ @@ -39840,7 +39926,7 @@ "subcategory_guids": [], "tags": [ "TA0002", - "TA0005", + "attack.stealth", "T1059.001", "T1036.003", "T1059", @@ -39869,26 +39955,6 @@ ], "title": "Suspicious Non PowerShell WSMAN COM Provider" }, - { - "category": "ps_classic_start", - "channel": [ - "pwsh" - ], - "description": "Detects suspicious PowerShell download command", - "event_ids": [ - "400" - ], - "id": "d938bbb0-a745-c4fc-ce0d-eb5a006e6757", - "level": "medium", - "service": "", - "subcategory_guids": [], - "tags": [ - "TA0002", - "T1059.001", - "T1059" - ], - "title": "Suspicious PowerShell Download" - }, { "category": "ps_module", "channel": [ @@ -39904,7 +39970,7 @@ "service": "", "subcategory_guids": [], "tags": [ - "TA0005", + "attack.stealth", "T1027", "TA0002", "T1059.001", @@ -39927,7 +39993,7 @@ "service": "", "subcategory_guids": [], "tags": [ - "TA0005", + "attack.stealth", "T1027", "TA0002", "T1059.001", @@ -39950,7 +40016,7 @@ "service": "", "subcategory_guids": [], "tags": [ - "TA0005", + "attack.stealth", "T1027", "TA0002", "T1059.001", @@ -39992,7 +40058,7 @@ "service": "", "subcategory_guids": [], "tags": [ - "TA0005", + "attack.stealth", "T1218" ], "title": "SyncAppvPublishingServer Bypass Powershell Restriction - PS Module" 
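Review bot: The added object with id `d938bbb0-a745-c4fc-ce0d-eb5a006e6757` ('PowerShell Download Via Net.WebClient - PowerShell Classic', `"level": "low"`) and the object removed later on the same line carry the same id, so the net effect is a rename and a severity downgrade from `medium` to `low` for one existing rule, not a new detection. Anyone consuming this file with a level-at-least-medium filter silently loses the Net.WebClient download-cradle alert, and the commit description does not mention the downgrade. Please confirm it is intended and state it, together with the new `"T1105"` / `"TA0011"` tags, in the PR text, since the move hides it in the diff.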
@@ -40012,7 +40078,7 @@ "service": "", "subcategory_guids": [], "tags": [ - "TA0005", + "attack.stealth", "T1027", "TA0002", "T1059.001", @@ -40120,8 +40186,8 @@ "tags": [ "TA0004", "TA0003", - "TA0005", "TA0001", + "attack.stealth", "T1078" ], "title": "Suspicious Computer Machine Password by PowerShell" @@ -40141,7 +40207,7 @@ "service": "", "subcategory_guids": [], "tags": [ - "TA0005", + "attack.stealth", "T1027", "TA0002", "T1059.001", @@ -40206,7 +40272,7 @@ "service": "", "subcategory_guids": [], "tags": [ - "TA0005", + "attack.stealth", "T1027", "TA0002", "T1059.001", @@ -40229,7 +40295,7 @@ "service": "", "subcategory_guids": [], "tags": [ - "TA0005", + "attack.stealth", "T1027", "TA0002", "T1059.001", @@ -40273,7 +40339,7 @@ "service": "", "subcategory_guids": [], "tags": [ - "TA0005", + "attack.stealth", "T1027", "TA0002", "T1059.001", @@ -40296,7 +40362,7 @@ "service": "", "subcategory_guids": [], "tags": [ - "TA0005", + "attack.stealth", "T1218" ], "title": "Potential RemoteFXvGPUDisablement.EXE Abuse - PowerShell Module" @@ -40316,7 +40382,7 @@ "service": "", "subcategory_guids": [], "tags": [ - "TA0005", + "attack.stealth", "T1027", "TA0002", "T1059.001", @@ -40339,7 +40405,7 @@ "service": "", "subcategory_guids": [], "tags": [ - "TA0005", + "attack.stealth", "T1027", "TA0002", "T1059.001", @@ -40404,7 +40470,7 @@ "service": "", "subcategory_guids": [], "tags": [ - "TA0005", + "attack.stealth", "T1070.003", "T1070" ], @@ -40425,7 +40491,7 @@ "service": "", "subcategory_guids": [], "tags": [ - "TA0005", + "attack.stealth", "T1027", "TA0002", "T1059.001", @@ -40473,8 +40539,8 @@ "T1059.001", "TA0008", "T1021.006", - "T1059", - "T1021" + "T1021", + "T1059" ], "title": "Remote PowerShell Session (PS Module)" }, @@ -40563,7 +40629,7 @@ "service": "", "subcategory_guids": [], "tags": [ - "TA0005", + "attack.stealth", "T1140" ], "title": "PowerShell Decompress Commands" 
@@ -40714,7 +40780,7 @@ "service": "msexchange-management", "subcategory_guids": [], "tags": [ - "TA0005", + "attack.stealth", "T1070" ], "title": "Remove Exported Mailbox from Exchange Webserver" @@ -40775,7 +40841,8 @@ "tags": [ "TA0004", "TA0003", - "TA0005", + "TA0002", + "attack.stealth", "T1574.001", "T1574" ], @@ -40795,8 +40862,8 @@ "service": "appmodel-runtime", "subcategory_guids": [], "tags": [ - "TA0005", - "TA0002" + "TA0002", + "attack.stealth" ], "title": "Sysinternals Tools AppX Versions Execution" }, @@ -40814,9 +40881,8 @@ "service": "windefend", "subcategory_guids": [], "tags": [ - "TA0005", - "T1562.001", - "T1562" + "attack.defense-impairment", + "T1685" ], "title": "Microsoft Defender Tamper Protection Trigger" }, @@ -40834,9 +40900,8 @@ "service": "windefend", "subcategory_guids": [], "tags": [ - "TA0005", - "T1562.001", - "T1562" + "attack.defense-impairment", + "T1685" ], "title": "Windows Defender Real-time Protection Disabled" }, @@ -40893,9 +40958,8 @@ "service": "windefend", "subcategory_guids": [], "tags": [ - "TA0005", - "T1562.001", - "T1562" + "attack.defense-impairment", + "T1685" ], "title": "Win Defender Restored Quarantine File" }, @@ -40913,9 +40977,8 @@ "service": "windefend", "subcategory_guids": [], "tags": [ - "TA0005", - "T1562.001", - "T1562" + "attack.defense-impairment", + "T1685" ], "title": "Windows Defender Exploit Guard Tamper" }, @@ -40955,9 +41018,8 @@ "service": "windefend", "subcategory_guids": [], "tags": [ - "TA0005", - "T1562.001", - "T1562" + "attack.defense-impairment", + "T1685" ], "title": "Windows Defender Virus Scanning Feature Disabled" }, @@ -40975,9 +41037,8 @@ "service": "windefend", "subcategory_guids": [], "tags": [ - "TA0005", - "T1562.001", - "T1562" + "attack.defense-impairment", + "T1685" ], "title": "Windows Defender Submit Sample Feature Disabled" }, 
@@ -41018,9 +41079,8 @@ "service": "windefend", "subcategory_guids": [], "tags": [ - "TA0005", - "T1562.001", - "T1562" + "attack.defense-impairment", + "T1685" ], "title": "Windows Defender Real-Time Protection Failure/Restart" }, @@ -41038,9 +41098,8 @@ "service": "windefend", "subcategory_guids": [], "tags": [ - "TA0005", - "T1562.001", - "T1562" + "attack.defense-impairment", + "T1685" ], "title": "Windows Defender Configuration Changes" }, @@ -41058,9 +41117,8 @@ "service": "windefend", "subcategory_guids": [], "tags": [ - "TA0005", - "T1562.001", - "T1562" + "attack.defense-impairment", + "T1685" ], "title": "Windows Defender Grace Period Expired" }, @@ -41078,9 +41136,8 @@ "service": "windefend", "subcategory_guids": [], "tags": [ - "TA0005", - "T1562.001", - "T1562" + "attack.defense-impairment", + "T1685" ], "title": "Windows Defender Exclusions Added" }, @@ -41098,9 +41155,8 @@ "service": "windefend", "subcategory_guids": [], "tags": [ - "TA0005", - "T1562.001", - "T1562" + "attack.defense-impairment", + "T1685" ], "title": "Windows Defender Malware And PUA Scanning Disabled" }, @@ -41118,7 +41174,7 @@ "service": "windefend", "subcategory_guids": [], "tags": [ - "TA0005" + "attack.defense-impairment" ], "title": "Windows Defender Malware Detection History Deletion" }, @@ -41181,7 +41237,6 @@ "0CCE921B-69AE-11D9-BED3-505054503030" ], "tags": [ - "TA0005", "TA0008", "TA0006", "T1558", @@ -41208,8 +41263,8 @@ "tags": [ "TA0004", "TA0001", - "TA0005", "TA0003", + "attack.stealth", "T1078.002", "T1098", "T1078" @@ -41233,9 +41288,9 @@ ], "tags": [ "TA0006", - "TA0005", "TA0003", "TA0007", + "attack.defense-impairment", "attack.s0075", "T1012", "T1112", @@ -41265,10 +41320,10 @@ ], "tags": [ "TA0008", - "TA0005", "TA0001", "TA0003", "TA0004", + "attack.stealth", "T1078" ], "title": "Interactive Logon to Server Systems" @@ -41291,8 +41346,8 @@ "tags": [ "TA0004", "TA0001", - "TA0005", "TA0003", + "attack.stealth", "T1078.002", "T1098", "T1078" 
@@ -41318,7 +41373,6 @@ ], "tags": [ "TA0008", - "TA0005", "T1550.002", "car.2016-04-004", "T1550" @@ -41633,10 +41687,10 @@ "subcategory_guids": [], "tags": [ "TA0002", + "attack.stealth", "T1203", "TA0004", "T1068", - "TA0005", "T1211", "TA0006", "T1212", @@ -41662,7 +41716,7 @@ "service": "application", "subcategory_guids": [], "tags": [ - "TA0005", + "attack.stealth", "T1070.004", "T1070" ], @@ -41717,7 +41771,7 @@ "service": "application", "subcategory_guids": [], "tags": [ - "TA0005" + "attack.defense-impairment" ], "title": "MSSQL Disable Audit Settings" }, @@ -41894,7 +41948,6 @@ "tags": [ "TA0008", "TA0002", - "TA0005", "T1072" ], "title": "Restricted Software Access By SRP" @@ -41954,7 +42007,7 @@ "service": "application", "subcategory_guids": [], "tags": [ - "TA0005", + "attack.stealth", "T1218", "T1218.007" ], @@ -42053,10 +42106,10 @@ "service": "application", "subcategory_guids": [], "tags": [ - "TA0005", + "attack.stealth", + "attack.defense-impairment", "T1211", - "T1562.001", - "T1562" + "T1685" ], "title": "Microsoft Malware Protection Engine Crash" }, @@ -42322,7 +42375,6 @@ "service": "system", "subcategory_guids": [], "tags": [ - "TA0005", "TA0008", "T1550.002", "T1550" @@ -42344,7 +42396,7 @@ "subcategory_guids": [], "tags": [ "TA0006", - "TA0005", + "attack.defense-impairment", "T1553.004", "T1553" ], @@ -42366,7 +42418,8 @@ "tags": [ "TA0004", "TA0003", - "TA0005", + "TA0002", + "attack.stealth", "T1574.001", "T1574" ], @@ -42390,7 +42443,8 @@ "tags": [ "TA0004", "TA0003", - "TA0005", + "TA0002", + "attack.stealth", "T1574.001", "T1574" ], @@ -42410,7 +42464,6 @@ "service": "system", "subcategory_guids": [], "tags": [ - "TA0005", "TA0004", "T1548" ], @@ -42496,8 +42549,8 @@ "service": "system", "subcategory_guids": [], "tags": [ - "TA0005", - "T1562" + "attack.defense-impairment", + "T1685" ], "title": "Sysmon Application Crashed" }, 
@@ -42537,10 +42590,10 @@ "service": "system", "subcategory_guids": [], "tags": [ - "TA0005", - "T1070.001", + "attack.defense-impairment", + "T1685.005", "car.2016-04-002", - "T1070" + "T1685" ], "title": "Important Windows Eventlog Cleared" }, @@ -42558,10 +42611,10 @@ "service": "system", "subcategory_guids": [], "tags": [ - "TA0005", - "T1070.001", + "attack.defense-impairment", + "T1685.005", "car.2016-04-002", - "T1070" + "T1685" ], "title": "Eventlog Cleared" }, @@ -42645,7 +42698,7 @@ "service": "system", "subcategory_guids": [], "tags": [ - "TA0005", + "attack.stealth", "T1027", "TA0002", "T1059.001", @@ -42733,7 +42786,7 @@ "service": "system", "subcategory_guids": [], "tags": [ - "TA0005", + "attack.stealth", "T1027", "TA0002", "T1059.001", @@ -42777,7 +42830,7 @@ "service": "system", "subcategory_guids": [], "tags": [ - "TA0005" + "attack.stealth" ], "title": "Important Windows Service Terminated Unexpectedly" }, @@ -42795,7 +42848,7 @@ "service": "system", "subcategory_guids": [], "tags": [ - "TA0005", + "attack.stealth", "T1027", "TA0002", "T1059.001", @@ -42817,7 +42870,7 @@ "service": "system", "subcategory_guids": [], "tags": [ - "TA0005", + "attack.stealth", "T1027", "TA0002", "T1059.001", @@ -42897,7 +42950,7 @@ "service": "system", "subcategory_guids": [], "tags": [ - "TA0005", + "attack.stealth", "T1027", "TA0002", "T1059.001", @@ -42926,8 +42979,8 @@ "T1021.002", "T1543.003", "T1569.002", - "T1543", "T1569", + "T1543", "T1021" ], "title": "CobaltStrike Service Installations - System" @@ -42946,9 +42999,8 @@ "service": "system", "subcategory_guids": [], "tags": [ - "TA0005", - "T1562.001", - "T1562" + "attack.defense-impairment", + "T1685" ], "title": "Windows Defender Threat Detection Service Disabled" }, @@ -42975,8 +43027,8 @@ "T1003.006", "T1569.002", "attack.s0005", - "T1569", - "T1003" + "T1003", + "T1569" ], "title": "Credential Dumping Tools Service Execution - System" }, 
@@ -42994,8 +43046,8 @@
 "service": "system",
 "subcategory_guids": [],
 "tags": [
- "TA0005",
 "TA0004",
+ "attack.stealth",
 "T1134.001",
 "T1134.002",
 "T1134"
@@ -43107,8 +43159,8 @@
 "TA0002",
 "T1021.002",
 "T1569.002",
- "T1021",
- "T1569"
+ "T1569",
+ "T1021"
 ],
 "title": "smbexec.py Service Installation"
 },
@@ -43206,7 +43258,7 @@
 "service": "system",
 "subcategory_guids": [],
 "tags": [
- "TA0005"
+ "attack.stealth"
 ],
 "title": "Important Windows Service Terminated With Error"
 },
@@ -43249,7 +43301,7 @@
 "service": "system",
 "subcategory_guids": [],
 "tags": [
- "TA0005",
+ "attack.stealth",
 "T1027",
 "TA0002",
 "T1059.001",
@@ -43337,7 +43389,7 @@
 "service": "system",
 "subcategory_guids": [],
 "tags": [
- "TA0005",
+ "attack.stealth",
 "T1027",
 "TA0002",
 "T1059.001",
@@ -43420,7 +43472,7 @@
 "service": "system",
 "subcategory_guids": [],
 "tags": [
- "TA0005"
+ "attack.stealth"
 ],
 "title": "Windows Service Terminated With Error"
 },
@@ -43494,7 +43546,7 @@
 "service": "system",
 "subcategory_guids": [],
 "tags": [
- "TA0005",
+ "attack.stealth",
 "T1027",
 "TA0002",
 "T1059.001",
@@ -43516,7 +43568,7 @@
 "service": "system",
 "subcategory_guids": [],
 "tags": [
- "TA0005",
+ "attack.stealth",
 "T1027",
 "TA0002",
 "T1059.001",
@@ -43538,7 +43590,7 @@
 "service": "system",
 "subcategory_guids": [],
 "tags": [
- "TA0005",
+ "attack.stealth",
 "T1027"
 ],
 "title": "Invoke-Obfuscation Obfuscated IEX Invocation - System"
@@ -43557,7 +43609,7 @@
 "service": "system",
 "subcategory_guids": [],
 "tags": [
- "TA0005",
+ "attack.stealth",
 "T1027",
 "TA0002",
 "T1059.001",
@@ -43846,7 +43898,7 @@
 "service": "appxdeployment-server",
 "subcategory_guids": [],
 "tags": [
- "TA0005"
+ "attack.stealth"
 ],
 "title": "Deployment AppX Package Was Blocked By AppLocker"
 },
@@ -43867,7 +43919,7 @@
 "service": "appxdeployment-server",
 "subcategory_guids": [],
 "tags": [
- "TA0005"
+ "attack.defense-impairment"
 ],
 "title": "Deployment Of The AppX Package Was Blocked By The Policy"
 },
@@ -43885,7 +43937,7 @@
 "service": "appxdeployment-server",
 "subcategory_guids": [],
 "tags": [
- "TA0005"
+ "attack.stealth"
 ],
 "title": "AppX Package Deployment Failed Due to Signing Requirements"
 },
@@ -43903,7 +43955,7 @@
 "service": "appxdeployment-server",
 "subcategory_guids": [],
 "tags": [
- "TA0005"
+ "attack.stealth"
 ],
 "title": "AppX Located in Uncommon Directory Added to Deployment Pipeline"
 },
@@ -43921,7 +43973,7 @@
 "service": "appxdeployment-server",
 "subcategory_guids": [],
 "tags": [
- "TA0005"
+ "attack.stealth"
 ],
 "title": "AppX Located in Known Staging Directory Added to Deployment Pipeline"
 },
@@ -43939,7 +43991,7 @@
 "service": "appxdeployment-server",
 "subcategory_guids": [],
 "tags": [
- "TA0005"
+ "attack.stealth"
 ],
 "title": "Remote AppX Package Downloaded from File Sharing or CDN Domain"
 },
@@ -43958,7 +44010,7 @@
 "service": "appxdeployment-server",
 "subcategory_guids": [],
 "tags": [
- "TA0005"
+ "attack.stealth"
 ],
 "title": "Potential Malicious AppX Package Installation Attempts"
 },
@@ -43976,8 +44028,8 @@
 "service": "appxdeployment-server",
 "subcategory_guids": [],
 "tags": [
- "TA0005",
 "TA0002",
+ "attack.defense-impairment",
 "T1204.002",
 "T1553.005",
 "T1204",
@@ -43999,12 +44051,12 @@
 "service": "appxdeployment-server",
 "subcategory_guids": [],
 "tags": [
- "TA0005",
 "TA0002",
+ "attack.defense-impairment",
 "T1204.002",
 "T1553.005",
- "T1553",
- "T1204"
+ "T1204",
+ "T1553"
 ],
 "title": "Windows AppX Deployment Unsigned Package Installation"
 },
@@ -44022,8 +44074,9 @@
 "service": "bits-client",
 "subcategory_guids": [],
 "tags": [
- "TA0005",
 "TA0003",
+ "TA0002",
+ "attack.stealth",
 "T1197"
 ],
 "title": "New BITS Job Created Via PowerShell"
@@ -44042,8 +44095,9 @@
 "service": "bits-client",
 "subcategory_guids": [],
 "tags": [
- "TA0005",
 "TA0003",
+ "TA0002",
+ "attack.stealth",
 "T1197"
 ],
 "title": "BITS Transfer Job Download From Direct IP"
@@ -44062,8 +44116,9 @@
 "service": "bits-client",
 "subcategory_guids": [],
 "tags": [
- "TA0005",
 "TA0003",
+ "TA0002",
+ "attack.stealth",
 "T1197"
 ],
 "title": "New BITS Job Created Via Bitsadmin"
@@ -44082,8 +44137,9 @@
 "service": "bits-client",
 "subcategory_guids": [],
 "tags": [
- "TA0005",
 "TA0003",
+ "TA0002",
+ "attack.stealth",
 "T1197"
 ],
 "title": "BITS Transfer Job Downloading File Potential Suspicious Extension"
@@ -44102,8 +44158,9 @@
 "service": "bits-client",
 "subcategory_guids": [],
 "tags": [
- "TA0005",
 "TA0003",
+ "TA0002",
+ "attack.stealth",
 "T1197"
 ],
 "title": "BITS Transfer Job Download To Potential Suspicious Folder"
@@ -44122,8 +44179,9 @@
 "service": "bits-client",
 "subcategory_guids": [],
 "tags": [
- "TA0005",
 "TA0003",
+ "TA0002",
+ "attack.stealth",
 "T1197"
 ],
 "title": "BITS Transfer Job With Uncommon Or Suspicious Remote TLD"
@@ -44142,8 +44200,9 @@
 "service": "bits-client",
 "subcategory_guids": [],
 "tags": [
- "TA0005",
 "TA0003",
+ "TA0002",
+ "attack.stealth",
 "T1197"
 ],
 "title": "BITS Transfer Job Download From File Sharing Domains"
@@ -44162,8 +44221,8 @@
 "service": "appxpackaging-om",
 "subcategory_guids": [],
 "tags": [
- "TA0005",
- "TA0002"
+ "TA0002",
+ "attack.stealth"
 ],
 "title": "Suspicious Digital Signature Of AppX Package"
 },
@@ -44181,10 +44240,10 @@
 "service": "application",
 "subcategory_guids": [],
 "tags": [
- "TA0005",
+ "attack.stealth",
+ "attack.defense-impairment",
 "T1211",
- "T1562.001",
- "T1562"
+ "T1685"
 ],
 "title": "Microsoft Malware Protection Engine Crash - WER"
 },
@@ -44207,25 +44266,6 @@
 ],
 "title": "Certificate Private Key Acquired"
 },
- {
- "category": "",
- "channel": [
- "Microsoft-Windows-TaskScheduler/Operational"
- ],
- "description": "Detects when adversaries try to stop system services or processes by deleting their respective scheduled tasks in order to conduct data destructive activities\n",
- "event_ids": [
- "141"
- ],
- "id": "0c0e2be2-30d2-c713-0c9c-63cd9752a940",
- "level": "high",
- "service": "taskscheduler",
- "subcategory_guids": [],
- "tags": [
- "TA0040",
- "T1489"
- ],
- "title": "Important Scheduled Task Deleted"
- },
 {
 "category": "",
 "channel": [
@@ -44248,6 +44288,26 @@
 ],
 "title": "Scheduled Task Executed Uncommon LOLBIN"
 },
+ {
+ "category": "",
+ "channel": [
+ "Microsoft-Windows-TaskScheduler/Operational"
+ ],
+ "description": "Detects when adversaries try to stop system services or processes by deleting or disabling their respective scheduled tasks in order to conduct data destructive activities\n",
+ "event_ids": [
+ "141",
+ "142"
+ ],
+ "id": "0c0e2be2-30d2-c713-0c9c-63cd9752a940",
+ "level": "high",
+ "service": "taskscheduler",
+ "subcategory_guids": [],
+ "tags": [
+ "TA0040",
+ "T1489"
+ ],
+ "title": "Important Scheduled Task Deleted or Disabled"
+ },
 {
 "category": "",
 "channel": [
@@ -44323,7 +44383,6 @@
 "service": "ntlm",
 "subcategory_guids": [],
 "tags": [
- "TA0005",
 "TA0008",
 "T1550.002",
 "T1550"
@@ -44346,8 +44405,8 @@
 "0CCE9226-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "TA0005",
- "TA0011"
+ "TA0011",
+ "attack.stealth"
 ],
 "title": "Office Application Initiated Network Connection Over Uncommon Ports"
 },
@@ -44367,9 +44426,9 @@
 "0CCE9226-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "TA0005",
 "TA0002",
 "TA0011",
+ "attack.stealth",
 "T1218.011",
 "T1218"
 ],
@@ -44456,7 +44515,7 @@
 "0CCE9226-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "TA0005",
+ "attack.stealth",
 "T1218.003",
 "T1218"
 ],
@@ -44499,7 +44558,6 @@
 "0CCE9226-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "TA0005",
 "TA0006",
 "T1558",
 "TA0008",
@@ -44615,7 +44673,7 @@
 ],
 "tags": [
 "TA0002",
- "TA0005",
+ "attack.stealth",
 "T1127.001",
 "T1127"
 ],
@@ -44637,7 +44695,7 @@
 "0CCE9226-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "TA0005",
+ "attack.stealth",
 "T1218.009",
 "T1218"
 ],
@@ -44728,7 +44786,7 @@
 "0CCE9226-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "TA0005",
+ "attack.stealth",
 "T1218.011",
 "TA0002",
 "T1218"
@@ -44793,7 +44851,7 @@
 "0CCE9226-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "TA0005",
+ "attack.stealth",
 "T1218"
 ],
 "title": "Network Connection Initiated By AddinUtil.EXE"
@@ -44817,7 +44875,7 @@
 "TA0004",
 "TA0011",
 "TA0002",
- "TA0005",
+ "attack.stealth",
 "T1055"
 ],
 "title": "Network Connection Initiated Via Notepad.EXE"
@@ -44839,10 +44897,10 @@
 ],
 "tags": [
 "TA0004",
+ "attack.stealth",
 "T1055",
 "T1218",
- "TA0002",
- "TA0005"
+ "TA0002"
 ],
 "title": "Microsoft Sync Center Suspicious Network Connections"
 },
@@ -44862,8 +44920,8 @@
 "0CCE9226-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "TA0005",
- "TA0011"
+ "TA0011",
+ "attack.stealth"
 ],
 "title": "Suspicious Wordpad Outbound Connections"
 },
@@ -44910,8 +44968,8 @@
 "T1071.004",
 "TA0002",
 "T1059.003",
- "T1071",
- "T1059"
+ "T1059",
+ "T1071"
 ],
 "title": "Network Connection Initiated via Finger.EXE"
 },
@@ -44975,8 +45033,8 @@
 ],
 "tags": [
 "TA0002",
+ "attack.stealth",
 "T1559.001",
- "TA0005",
 "T1218.010",
 "T1559",
 "T1218"
@@ -45042,7 +45100,8 @@
 "tags": [
 "TA0004",
 "TA0003",
- "TA0005",
+ "TA0002",
+ "attack.stealth",
 "T1574.001",
 "T1574"
 ],
@@ -45065,7 +45124,8 @@
 "tags": [
 "TA0004",
 "TA0003",
- "TA0005",
+ "TA0002",
+ "attack.stealth",
 "T1574.001",
 "T1574"
 ],
@@ -45112,7 +45172,7 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "TA0005",
+ "attack.stealth",
 "T1218",
 "detection.threat-hunting"
 ],
@@ -45294,8 +45354,8 @@
 ],
 "tags": [
 "TA0002",
- "TA0005",
- "detection.threat-hunting"
+ "detection.threat-hunting",
+ "attack.stealth"
 ],
 "title": "Potential File Override/Append Via SET Command"
 },
@@ -45315,8 +45375,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "TA0005",
 "TA0004",
+ "attack.stealth",
 "T1055",
 "detection.threat-hunting"
 ],
@@ -45338,10 +45398,10 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "TA0005",
- "T1562.004",
+ "attack.defense-impairment",
+ "T1686.003",
 "detection.threat-hunting",
- "T1562"
+ "T1686"
 ],
 "title": "New Windows Firewall Rule Added Via New-NetFirewallRule Cmdlet"
 },
@@ -45361,7 +45421,7 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "TA0005",
+ "attack.stealth",
 "T1218",
 "TA0002",
 "detection.threat-hunting"
@@ -45385,7 +45445,6 @@
 ],
 "tags": [
 "TA0004",
- "TA0005",
 "TA0002",
 "T1059",
 "detection.threat-hunting"
@@ -45409,7 +45468,7 @@
 ],
 "tags": [
 "TA0002",
- "TA0005",
+ "attack.stealth",
 "T1218",
 "T1202",
 "detection.threat-hunting"
@@ -45432,7 +45491,7 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "TA0005",
+ "attack.stealth",
 "T1218",
 "detection.threat-hunting"
 ],
@@ -45454,7 +45513,7 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "TA0005",
+ "attack.stealth",
 "T1564.004",
 "detection.threat-hunting",
 "T1564"
@@ -45498,7 +45557,7 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "TA0005",
+ "attack.stealth",
 "T1218",
 "detection.threat-hunting"
 ],
@@ -45520,7 +45579,7 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "TA0005",
+ "attack.stealth",
 "T1218",
 "TA0002",
 "detection.threat-hunting"
@@ -45543,8 +45602,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "TA0005",
 "TA0002",
+ "attack.stealth",
 "T1059.001",
 "T1027.010",
 "detection.threat-hunting",
@@ -45569,8 +45628,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "TA0005",
 "TA0002",
+ "attack.stealth",
 "T1127",
 "T1218",
 "detection.threat-hunting"
@@ -45593,7 +45652,7 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "TA0005",
+ "attack.stealth",
 "T1218",
 "detection.threat-hunting"
 ],
@@ -45627,7 +45686,7 @@
 "channel": [
 "sec"
 ],
- "description": "Detects script file execution (.js, .jse, .vba, .vbe, .vbs, .wsf) by Wscript/Cscript",
+ "description": "Detects script file execution (.js, .jse, .vba, .vbe, .vbs, .wsf, .wsh) by Wscript/Cscript.",
 "event_ids": [
 "4688"
 ],
@@ -45662,7 +45721,7 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "TA0005",
+ "attack.defense-impairment",
 "T1222.001",
 "detection.threat-hunting",
 "T1222"
@@ -45729,7 +45788,7 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "TA0005",
+ "attack.stealth",
 "T1036",
 "detection.threat-hunting"
 ],
@@ -45751,7 +45810,7 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "TA0005",
+ "attack.stealth",
 "T1027",
 "detection.threat-hunting"
 ],
@@ -46012,8 +46071,8 @@
 ],
 "tags": [
 "TA0002",
- "TA0005",
- "detection.threat-hunting"
+ "detection.threat-hunting",
+ "attack.stealth"
 ],
 "title": "Suspicious New Instance Of An Office COM Object"
 },
@@ -46077,7 +46136,7 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "TA0005",
+ "attack.stealth",
 "T1218",
 "detection.threat-hunting"
 ],
@@ -46099,7 +46158,7 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "TA0005",
+ "attack.stealth",
 "T1027.004",
 "detection.threat-hunting",
 "T1027"
@@ -46123,8 +46182,8 @@
 ],
 "tags": [
 "TA0002",
- "TA0005",
- "detection.threat-hunting"
+ "detection.threat-hunting",
+ "attack.stealth"
 ],
 "title": "ClickOnce Deployment Execution - Dfsvc.EXE Child Process"
 },
@@ -46170,7 +46229,7 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "TA0005",
+ "attack.stealth",
 "T1564.001",
 "detection.threat-hunting",
 "T1564"
@@ -46260,7 +46319,7 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "TA0005",
+ "attack.stealth",
 "T1218.011",
 "detection.threat-hunting",
 "T1218"
@@ -46307,7 +46366,7 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "TA0005",
+ "attack.stealth",
 "T1027",
 "detection.threat-hunting"
 ],
@@ -46377,8 +46436,8 @@
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "TA0005",
 "TA0003",
+ "attack.defense-impairment",
 "T1112",
 "detection.threat-hunting"
 ],
@@ -46400,8 +46459,8 @@
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "TA0005",
 "TA0003",
+ "attack.defense-impairment",
 "T1112",
 "detection.threat-hunting"
 ],
@@ -46444,10 +46503,10 @@
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "TA0005",
 "TA0002",
 "TA0003",
 "TA0004",
+ "attack.stealth",
 "T1059.001",
 "T1027.010",
 "T1547.001",
@@ -46494,7 +46553,7 @@
 "service": "",
 "subcategory_guids": [],
 "tags": [
- "TA0005",
+ "attack.stealth",
 "T1070.008",
 "detection.threat-hunting",
 "T1070"
@@ -46538,7 +46597,7 @@
 "service": "",
 "subcategory_guids": [],
 "tags": [
- "TA0005",
+ "attack.stealth",
 "T1070.004",
 "detection.threat-hunting",
 "T1070"
@@ -46582,10 +46641,10 @@
 "service": "",
 "subcategory_guids": [],
 "tags": [
- "TA0005",
- "T1562.004",
+ "attack.defense-impairment",
+ "T1686.003",
 "detection.threat-hunting",
- "T1562"
+ "T1686"
 ],
 "title": "New Windows Firewall Rule Added Via New-NetFirewallRule Cmdlet - ScriptBlock"
 },
@@ -46626,7 +46685,7 @@
 "service": "",
 "subcategory_guids": [],
 "tags": [
- "TA0005",
+ "attack.stealth",
 "T1027.009",
 "detection.threat-hunting",
 "T1027"
@@ -46648,14 +46707,14 @@
 "service": "",
 "subcategory_guids": [],
 "tags": [
- "TA0005",
+ "attack.stealth",
 "T1564.008",
 "TA0010",
 "TA0009",
 "T1114.003",
 "detection.threat-hunting",
- "T1114",
- "T1564"
+ "T1564",
+ "T1114"
 ],
 "title": "Inbox Rules Creation Or Update Activity Via ExchangePowerShell Cmdlet"
 },
@@ -46675,14 +46734,14 @@
 "subcategory_guids": [],
 "tags": [
 "TA0009",
+ "attack.stealth",
 "T1114.003",
- "TA0005",
 "T1564.008",
 "TA0010",
 "T1020",
 "detection.threat-hunting",
- "T1564",
- "T1114"
+ "T1114",
+ "T1564"
 ],
 "title": "Mail Forwarding/Redirecting Activity Via ExchangePowerShell Cmdlet"
 },
@@ -46923,7 +46982,7 @@
 "0CCE9226-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "TA0005",
+ "attack.stealth",
 "T1218.001",
 "detection.threat-hunting",
 "T1218"
@@ -46946,7 +47005,7 @@
 "0CCE9226-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "TA0005",
+ "attack.stealth",
 "T1218.007",
 "detection.threat-hunting",
 "T1218"
@@ -46969,7 +47028,7 @@
 "0CCE9226-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "TA0005",
+ "attack.stealth",
 "T1218",
 "TA0002",
 "T1559.001",
@@ -47071,10 +47130,10 @@
 "service": "firewall-as",
 "subcategory_guids": [],
 "tags": [
- "TA0005",
- "T1562.004",
+ "attack.defense-impairment",
+ "T1686.003",
 "detection.threat-hunting",
- "T1562"
+ "T1686"
 ],
 "title": "Firewall Rule Modified In The Windows Firewall Exception List"
 },
@@ -47138,8 +47197,8 @@
 "T1087.002",
 "T1069.002",
 "attack.s0039",
- "T1069",
- "T1087"
+ "T1087",
+ "T1069"
 ],
 "title": "Reconnaissance Activity"
 },
@@ -47180,7 +47239,7 @@
 "0CCE9235-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "TA0005",
+ "attack.stealth",
 "T1036"
 ],
 "title": "New or Renamed User Account with '$' Character"
@@ -47254,9 +47313,8 @@
 "0CCE9229-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "TA0005",
- "T1562.001",
- "T1562"
+ "attack.defense-impairment",
+ "T1685"
 ],
 "title": "Potential Privileged System Service Operation - SeLoadDriverPrivilege"
 },
@@ -47278,8 +47336,8 @@
 "0CCE9234-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "TA0005",
- "T1562"
+ "attack.defense-impairment",
+ "T1685"
 ],
 "title": "HackTool - EDRSilencer Execution - Filter Added"
 },
@@ -47303,7 +47361,6 @@
 "0CCE923F-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "TA0005",
 "TA0007",
 "TA0002",
 "TA0009",
@@ -47334,9 +47391,9 @@
 "0CCE9235-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "TA0005",
 "TA0003",
 "TA0004",
+ "attack.stealth",
 "T1134.005",
 "T1134"
 ],
@@ -47358,8 +47415,8 @@
 "0CCE923C-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "TA0005",
 "TA0004",
+ "attack.defense-impairment",
 "T1484.001",
 "T1484"
 ],
@@ -47457,8 +47514,8 @@
 "T1003.006",
 "T1569.002",
 "attack.s0005",
- "T1569",
- "T1003"
+ "T1003",
+ "T1569"
 ],
 "title": "Credential Dumping Tools Service Execution - Security"
 },
@@ -47500,8 +47557,8 @@
 "0CCE9234-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "TA0005",
 "TA0004",
+ "attack.stealth",
 "T1134",
 "T1134.001"
 ],
@@ -47523,7 +47580,7 @@
 "0CCE9211-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "TA0005",
+ "attack.stealth",
 "T1027",
 "TA0002",
 "T1059.001",
@@ -47570,8 +47627,8 @@
 "0CCE9211-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "TA0005",
 "TA0004",
+ "attack.stealth",
 "T1134.001",
 "T1134.002",
 "T1134"
@@ -47622,8 +47679,8 @@
 "TA0002",
 "T1543.003",
 "T1569.002",
- "T1543",
- "T1569"
+ "T1569",
+ "T1543"
 ],
 "title": "Remote Access Tool Services Have Been Installed - Security"
 },
@@ -47644,7 +47701,7 @@
 "0CCE9212-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "TA0005",
+ "attack.stealth",
 "T1027.001",
 "T1027"
 ],
@@ -47693,7 +47750,6 @@
 "0CCE9229-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "TA0005",
 "TA0004",
 "T1548"
 ],
@@ -47811,7 +47867,7 @@
 "0CCE9211-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "TA0005",
+ "attack.stealth",
 "T1027",
 "TA0002",
 "T1059.001",
@@ -47907,8 +47963,8 @@
 ],
 "tags": [
 "TA0001",
- "TA0005",
 "TA0004",
+ "attack.stealth",
 "T1078",
 "TA0003",
 "T1098"
@@ -48003,10 +48059,9 @@
 ],
 "tags": [
 "TA0003",
- "TA0005",
- "T1562.001",
- "T1112",
- "T1562"
+ "attack.defense-impairment",
+ "T1685",
+ "T1112"
 ],
 "title": "NetNTLM Downgrade Attack"
 },
@@ -48027,7 +48082,7 @@
 "0CCE9236-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "TA0005",
+ "attack.defense-impairment",
 "T1207"
 ],
 "title": "Add or Remove Computer from DC"
@@ -48092,11 +48147,11 @@
 "subcategory_guids": [],
 "tags": [
 "TA0001",
- "TA0005",
 "cve.2021-42278",
 "cve.2021-42287",
 "TA0003",
 "TA0004",
+ "attack.stealth",
 "T1078"
 ],
 "title": "Win Susp Computer Name Containing Samtheadmin"
@@ -48117,7 +48172,6 @@
 "0CCE9226-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "TA0005",
 "TA0011",
 "TA0008",
 "T1090.001",
@@ -48210,7 +48264,7 @@
 "0CCE9211-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "TA0005",
+ "attack.stealth",
 "T1027"
 ],
 "title": "Invoke-Obfuscation Obfuscated IEX Invocation - Security"
@@ -48231,7 +48285,7 @@
 "0CCE9211-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "TA0005",
+ "attack.stealth",
 "T1027",
 "TA0002",
 "T1059.001",
@@ -48255,8 +48309,8 @@
 "0CCE9226-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "TA0005",
- "T1562"
+ "attack.defense-impairment",
+ "T1685"
 ],
 "title": "Windows Filtering Platform Blocked Connection From EDR Agent Binary"
 },
@@ -48276,9 +48330,8 @@
 "0CCE9235-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "TA0005",
- "T1562.001",
- "T1562"
+ "attack.defense-impairment",
+ "T1685"
 ],
 "title": "Weak Encryption Enabled and Kerberoast"
 },
@@ -48324,8 +48377,8 @@
 ],
 "tags": [
 "TA0003",
- "TA0005",
 "TA0006",
+ "attack.defense-impairment",
 "T1556"
 ],
 "title": "Possible Shadow Credentials Added"
@@ -48519,7 +48572,7 @@
 "69979849-797A-11D9-BED3-505054503030"
 ],
 "tags": [
- "TA0005",
+ "attack.stealth",
 "T1070.006",
 "T1070"
 ],
@@ -48546,8 +48599,8 @@
 "T1570",
 "TA0002",
 "T1569.002",
- "T1569",
- "T1021"
+ "T1021",
+ "T1569"
 ],
 "title": "Metasploit Or Impacket Service Installation Via SMB PsExec"
 },
@@ -48592,7 +48645,7 @@
 "0CCE9211-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "TA0005",
+ "attack.stealth",
 "T1027",
 "TA0002",
 "T1059.001",
@@ -48635,7 +48688,7 @@
 "service": "security",
 "subcategory_guids": [],
 "tags": [
- "TA0005",
+ "attack.stealth",
 "T1027"
 ],
 "title": "Password Protected ZIP File Opened"
@@ -48704,9 +48757,9 @@
 "0CCE922F-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "TA0005",
- "T1562.002",
- "T1562"
+ "attack.defense-impairment",
+ "T1685.001",
+ "T1685"
 ],
 "title": "Windows Event Auditing Disabled"
 },
@@ -48729,8 +48782,8 @@
 ],
 "tags": [
 "TA0003",
- "TA0005",
 "TA0004",
+ "attack.defense-impairment",
 "T1484.001",
 "T1547",
 "T1484"
@@ -48752,7 +48805,7 @@
 "subcategory_guids": [],
 "tags": [
 "TA0011",
- "TA0005",
+ "attack.stealth",
 "T1027",
 "T1105",
 "T1036"
@@ -48849,7 +48902,7 @@
 "TA0004",
 "TA0003",
 "TA0001",
- "TA0005",
+ "attack.stealth",
 "T1078",
 "TA0008"
 ],
@@ -48916,8 +48969,8 @@
 "0CCE9215-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "TA0005",
 "TA0004",
+ "attack.stealth",
 "T1134.001",
 "stp.4u",
 "T1134"
@@ -48940,7 +48993,6 @@
 "0CCE9215-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "TA0005",
 "TA0008",
 "attack.s0002",
 "T1550.002",
@@ -49010,9 +49062,9 @@
 "tags": [
 "TA0004",
 "TA0003",
- "TA0005",
 "TA0008",
 "TA0001",
+ "attack.stealth",
 "T1078.001",
 "T1078.002",
 "T1078.003",
@@ -49062,9 +49114,9 @@
 "tags": [
 "TA0004",
 "TA0003",
- "TA0005",
 "TA0001",
 "TA0006",
+ "attack.stealth",
 "T1133",
 "T1078",
 "T1110"
@@ -49110,7 +49162,6 @@
 "0CCE9215-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "TA0005",
 "TA0008",
 "T1550"
 ],
@@ -49158,9 +49209,9 @@
 "tags": [
 "TA0004",
 "TA0003",
- "TA0005",
 "TA0001",
 "TA0006",
+ "attack.stealth",
 "T1133",
 "T1078",
 "T1110"
@@ -49205,9 +49256,9 @@
 ],
 "tags": [
 "TA0004",
- "TA0005",
 "TA0001",
 "TA0003",
+ "attack.stealth",
 "T1078",
 "T1190",
 "T1133"
@@ -49230,7 +49281,6 @@
 "0CCE9215-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "TA0005",
 "TA0008",
 "T1550.002",
 "T1550"
@@ -49253,7 +49303,6 @@
 "0CCE9215-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "TA0005",
 "TA0004",
 "TA0006",
 "T1548"
@@ -49302,9 +49351,9 @@
 ],
 "tags": [
 "TA0003",
- "TA0005",
 "TA0004",
 "TA0001",
+ "attack.stealth",
 "T1078"
 ],
 "title": "Account Tampering - Suspicious Failed Logon Reasons"
@@ -49397,7 +49446,7 @@
 ],
 "tags": [
 "TA0003",
- "TA0005",
+ "attack.defense-impairment",
 "T1112"
 ],
 "title": "Sysmon Channel Reference Deletion"
@@ -49491,8 +49540,8 @@
 "T1543.003",
 "T1569.002",
 "T1569",
- "T1543",
- "T1021"
+ "T1021",
+ "T1543"
 ],
 "title": "CobaltStrike Service Installations - Security"
 },
@@ -49512,9 +49561,9 @@
 "0CCE922F-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "TA0005",
- "T1562.002",
- "T1562"
+ "attack.defense-impairment",
+ "T1685.001",
+ "T1685"
 ],
 "title": "Important Windows Event Auditing Disabled"
 },
@@ -49534,9 +49583,8 @@
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "TA0005",
- "T1562.001",
- "T1562"
+ "attack.defense-impairment",
+ "T1685"
 ],
 "title": "Windows Defender Exclusion List Modified"
 },
@@ -49603,7 +49651,7 @@
 "0CCE9211-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "TA0005",
+ "attack.stealth",
 "T1027",
 "TA0002",
 "T1059.001",
@@ -49626,10 +49674,10 @@
 "service": "security",
 "subcategory_guids": [],
 "tags": [
- "TA0005",
- "T1070.001",
+ "attack.defense-impairment",
+ "T1685.005",
 "car.2016-04-002",
- "T1070"
+ "T1685"
 ],
 "title": "Security Eventlog Cleared"
 },
@@ -49673,9 +49721,9 @@
 ],
 "tags": [
 "TA0003",
- "TA0005",
+ "attack.defense-impairment",
 "T1112",
- "T1562"
+ "T1685"
 ],
 "title": "ETW Logging Disabled In .NET Processes - Registry"
 },
@@ -49739,7 +49787,7 @@
 "0CCE9211-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "TA0005",
+ "attack.stealth",
 "T1027",
 "TA0002",
 "T1059.001",
@@ -49831,7 +49879,7 @@
 ],
 "tags": [
 "TA0006",
- "TA0005",
+ "attack.defense-impairment",
 "T1207"
 ],
 "title": "Possible DC Shadow Attack"
@@ -49911,15 +49959,16 @@
 ],
 "tags": [
 "TA0040",
- "TA0005",
+ "attack.stealth",
+ "attack.defense-impairment",
 "T1070.004",
 "T1027.005",
 "T1485",
 "T1553.002",
 "attack.s0195",
+ "T1553",
 "T1070",
- "T1027",
- "T1553"
+ "T1027"
 ],
 "title": "Potential Secure Deletion with SDelete"
 },
@@ -49965,9 +50014,8 @@
 "0CCE9245-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "TA0005",
- "T1562.001",
- "T1562"
+ "attack.defense-impairment",
+ "T1685"
 ],
 "title": "Windows Defender Exclusion Registry Key - Write Access Requested"
 },
@@ -50166,7 +50214,7 @@
 "0CCE9211-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "TA0005",
+ "attack.stealth",
 "T1027",
 "TA0002",
 "T1059.001",
@@ -50190,7 +50238,7 @@
 "0CCE9211-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "TA0005",
+ "attack.stealth",
 "T1027",
 "TA0002",
 "T1059.001",
@@ -50214,7 +50262,7 @@
 "0CCE9211-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "TA0005",
+ "attack.stealth",
 "T1027",
 "TA0002",
 "T1059.001",
@@ -50285,8 +50333,8 @@
 "0CCE923C-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "TA0005",
 "TA0004",
+ "attack.defense-impairment",
 "T1484.001",
 "T1484"
 ],
@@ -50308,7 +50356,7 @@
 "0CCE9211-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "TA0005",
+ "attack.stealth",
 "T1027",
 "TA0002",
 "T1059.001",
@@ -50377,7 +50425,7 @@
 "0CCE923B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "TA0005",
+ "attack.defense-impairment",
 "T1222.001",
 "T1222"
 ],
@@ -50426,9 +50474,10 @@
 "0CCE9245-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "TA0005",
 "TA0003",
 "TA0004",
+ "TA0002",
+ "attack.stealth",
 "T1574.011",
 "T1574"
 ],
@@ -50470,8 +50519,8 @@
 "service": "security",
 "subcategory_guids": [],
 "tags": [
- "TA0005",
 "TA0001",
+ "attack.stealth",
 "T1027",
 "T1566.001",
 "T1566"
@@ -50538,9 +50587,9 @@
 "service": "firewall-as",
 "subcategory_guids": [],
 "tags": [
- "TA0005",
- "T1562.004",
- "T1562"
+ "attack.defense-impairment",
+ "T1686.003",
+ "T1686"
 ],
 "title": "New Firewall Rule Added In Windows Firewall Exception List Via WmiPrvSE.EXE"
 },
@@ -50559,9 +50608,9 @@
 "service": "firewall-as",
 "subcategory_guids": [],
 "tags": [
- "TA0005",
- "T1562.004",
- "T1562"
+ "attack.defense-impairment",
+ "T1686.003",
+ "T1686"
 ],
 "title": "A Rule Has Been Deleted From The Windows Firewall Exception List"
 },
@@ -50580,9 +50629,9 @@
 "service": "firewall-as",
 "subcategory_guids": [],
 "tags": [
- "TA0005",
- "T1562.004",
- "T1562"
+ "attack.defense-impairment",
+ "T1686.003",
+ "T1686"
 ],
 "title": "All Rules Have Been Deleted From The Windows Firewall Configuration"
 },
@@ -50600,9 +50649,9 @@
 "service": "firewall-as",
 "subcategory_guids": [],
 "tags": [
- "TA0005",
- "T1562.004",
- "T1562"
+ "attack.defense-impairment",
+ "T1686.003",
+ "T1686"
 ],
 "title": "The Windows Defender Firewall Service Failed To Load Group Policy"
 },
@@ -50622,9 +50671,9 @@
 "service": "firewall-as",
 "subcategory_guids": [],
 "tags": [
- "TA0005",
- "T1562.004",
- "T1562"
+ "attack.defense-impairment",
+ "T1686.003",
+ "T1686"
 ],
 "title": "New Firewall Rule Added In Windows Firewall Exception List For Potential Suspicious Application"
 },
@@ -50646,9 +50695,9 @@
 "service": "firewall-as",
 "subcategory_guids": [],
 "tags": [
- "TA0005",
- "T1562.004",
- "T1562"
+ "attack.defense-impairment",
+ "T1686.003",
+ "T1686"
 ],
 "title": "Windows Firewall Settings Have Been Changed"
 },
@@ -50668,9 +50717,9 @@
 "service": "firewall-as",
 "subcategory_guids": [],
 "tags": [
- "TA0005",
- "T1562.004",
- "T1562"
+ "attack.defense-impairment",
+ "T1686.003",
+ "T1686"
 ],
 "title": "Uncommon New Firewall Rule Added In Windows Firewall Exception List"
 },
@@ -50689,9 +50738,9 @@
 "service": "firewall-as",
 "subcategory_guids": [],
 "tags": [
- "TA0005",
- "T1562.004",
- "T1562"
+ "attack.defense-impairment",
+ "T1686.003",
+ "T1686"
 ],
 "title": "Windows Defender Firewall Has Been Reset To Its Default Configuration"
 },
@@ -50831,8 +50880,8 @@
 "T1218.010",
 "TA0002",
 "TA0005",
- "T1218",
- "T1204"
+ "T1204",
+ "T1218"
 ],
 "title": "New Lolbin Process by Office Applications"
 },
@@ -51230,8 +51279,8 @@
 "T1218.010",
 "TA0002",
 "TA0005",
- "T1204",
- "T1218"
+ "T1218",
+ "T1204"
 ],
 "title": "Office Applications Spawning Wmi Cli Alternate"
 },
@@ -52317,8 +52366,8 @@
 "T1218.010",
 "TA0002",
 "TA0005",
- "T1204",
- "T1218"
+ "T1218",
+ "T1204"
 ],
 "title": "WMI Execution Via Office Process"
 },
@@ -52594,8 +52643,8 @@
 "T1564.004",
 "T1552.001",
 "T1105",
- "T1564",
- "T1552"
+ "T1552",
+ "T1564"
 ],
 "title": "Abusing Findstr for Defense Evasion"
 },
@@ -52730,8 +52779,8 @@
 "T1218.010",
 "TA0002",
 "TA0005",
- "T1204",
- "T1218"
+ "T1218",
+ "T1204"
 ],
 "title": "Excel Proxy Executing Regsvr32 With Payload Alternate"
 },
@@ -55344,10 +55393,10 @@
 "T1570",
 "T1021.002",
 "T1569.002",
- "T1569",
- "T1136",
 "T1543",
- "T1021"
+ "T1021",
+ "T1569",
+ "T1136"
 ],
 "title": "PSExec Lateral Movement"
 },