diff --git a/salt/playbook/files/playbook_db_init.sql b/salt/playbook/files/playbook_db_init.sql
index 3a27d311f..0a10e6eb5 100644
--- a/salt/playbook/files/playbook_db_init.sql
+++ b/salt/playbook/files/playbook_db_init.sql
@@ -455,7 +455,7 @@ CREATE TABLE `custom_values` (
PRIMARY KEY (`id`),
KEY `custom_values_customized` (`customized_type`,`customized_id`),
KEY `index_custom_values_on_custom_field_id` (`custom_field_id`)
-) ENGINE=InnoDB AUTO_INCREMENT=11184 DEFAULT CHARSET=latin1;
+) ENGINE=InnoDB AUTO_INCREMENT=11256 DEFAULT CHARSET=latin1;
/*!40101 SET character_set_client = @saved_cs_client */;
--
@@ -464,7 +464,7 @@ CREATE TABLE `custom_values` (
LOCK TABLES `custom_values` WRITE;
/*!40000 ALTER TABLE `custom_values` DISABLE KEYS */;
-INSERT INTO `custom_values` VALUES (5638,'Issue',313,1,'Executable in ADS'),(5639,'Issue',313,2,'Florian Roth, @0xrawsec'),(5640,'Issue',313,8,'https://twitter.com/0xrawsec/status/1002478725605273600?s=21'),(5641,'Issue',313,10,'critical'),(5642,'Issue',313,13,'community'),(5643,'Issue',313,14,'windows'),(5645,'Issue',313,11,'7a9593a8c'),(5646,'Issue',313,12,'b69888d4-380c-45ce-9cf9-d9ce46e67821'),(5647,'Issue',313,16,'win-sysmon'),(5648,'Issue',313,17,''),(5649,'Issue',313,7,''),(5650,'Issue',313,3,'Detects the creation of an ADS data stream that contains an executable (non-empty imphash)'),(5651,'Issue',313,4,''),(5652,'Issue',313,5,'_False Positives_\nunknown\n\n_Interesting Log Fields_\nTargetFilename\nImage'),(5653,'Issue',313,6,'{{collapse(View ElastAlert Config)\n\n\n\n
\n}}'),(5654,'Issue',313,9,'{{collapse(View Sigma)\n\n\ntitle: Executable in ADS\nid: b69888d4-380c-45ce-9cf9-d9ce46e67821\nstatus: experimental\ndescription: Detects the creation of an ADS data stream that contains an executable\n (non-empty imphash)\nreferences:\n- https://twitter.com/0xrawsec/status/1002478725605273600?s=21\ntags:\n- attack.defense_evasion\n- attack.t1027\n- attack.s0139\nauthor: Florian Roth, @0xrawsec\ndate: 2018/06/03\nlogsource:\n product: windows\n service: sysmon\n definition: \'Requirements: Sysmon config with Imphash logging activated\'\ndetection:\n selection:\n EventID: 15\n filter:\n Imphash:\n - \'00000000000000000000000000000000\'\n - \n condition: selection and not filter\nfields:\n- TargetFilename\n- Image\nfalsepositives:\n- unknown\nlevel: critical\n\n
\n}}'),(5655,'Issue',313,15,'T1027'),(5656,'Issue',314,1,'Alternate PowerShell Hosts Module Load'),(5657,'Issue',314,2,'Roberto Rodriguez @Cyb3rWard0g'),(5658,'Issue',314,8,'https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/alternate_signed_powershell_hosts.md'),(5659,'Issue',314,10,'high'),(5660,'Issue',314,13,'community'),(5661,'Issue',314,14,'windows'),(5663,'Issue',314,11,'2f468dc10'),(5664,'Issue',314,12,'f67f6c57-257d-4919-a416-69cd31f9aac3'),(5665,'Issue',314,16,'win-sysmon'),(5666,'Issue',314,17,''),(5667,'Issue',314,7,''),(5668,'Issue',314,3,'Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe'),(5669,'Issue',314,4,''),(5670,'Issue',314,5,'_False Positives_\nPrograms using PowerShell directly without invocation of a dedicated interpreter.'),(5671,'Issue',314,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (event.code:\"7\" AND process.pe.description:\"system.management.automation\" AND event_data.ImageLoaded.keyword:*system.management.automation*) AND (NOT (process.executable.keyword:*\\\\powershell.exe)))\nindex: so-*\nname: Alternate PowerShell Hosts Module Load\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(5672,'Issue',314,9,'{{collapse(View Sigma)\n\n\ntitle: Alternate PowerShell Hosts Module Load\nid: f67f6c57-257d-4919-a416-69cd31f9aac3\ndescription: Detects alternate PowerShell hosts potentially bypassing detections looking\n for powershell.exe\nstatus: experimental\ndate: 2019/09/12\nmodified: 2019/11/10\nauthor: Roberto Rodriguez @Cyb3rWard0g\nreferences:\n- https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/alternate_signed_powershell_hosts.md\ntags:\n- attack.execution\n- attack.t1086\nlogsource:\n product: windows\n service: sysmon\ndetection:\n selection:\n EventID: 7\n Description: system.management.automation\n ImageLoaded|contains: system.management.automation\n filter:\n Image|endswith: \\powershell.exe\n condition: selection and not filter\nfalsepositives:\n- Programs using PowerShell directly without invocation of a dedicated interpreter.\nlevel: high\n\n
\n}}'),(5673,'Issue',314,15,'T1086'),(5674,'Issue',315,1,'Alternate PowerShell Hosts Pipe'),(5675,'Issue',315,2,'Roberto Rodriguez @Cyb3rWard0g'),(5676,'Issue',315,8,'https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/alternate_signed_powershell_hosts.md'),(5677,'Issue',315,10,'medium'),(5678,'Issue',315,13,'community'),(5679,'Issue',315,14,'windows'),(5681,'Issue',315,11,'705958333'),(5682,'Issue',315,12,'58cb02d5-78ce-4692-b3e1-dce850aae41a'),(5683,'Issue',315,16,'win-sysmon'),(5684,'Issue',315,17,''),(5685,'Issue',315,7,''),(5686,'Issue',315,3,'Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe'),(5687,'Issue',315,4,''),(5688,'Issue',315,5,'_False Positives_\nPrograms using PowerShell directly without invocation of a dedicated interpreter.\n\n_Interesting Log Fields_\nComputerName\nUser\nImage\nPipeName'),(5689,'Issue',315,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (event.code:\"17\" AND event_data.PipeName.keyword:\\\\PSHost*) AND (NOT (process.executable.keyword:*\\\\powershell.exe)))\nindex: so-*\nname: Alternate PowerShell Hosts Pipe\npriority: 3\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(5690,'Issue',315,9,'{{collapse(View Sigma)\n\n\ntitle: Alternate PowerShell Hosts Pipe\nid: 58cb02d5-78ce-4692-b3e1-dce850aae41a\ndescription: Detects alternate PowerShell hosts potentially bypassing detections looking\n for powershell.exe\nstatus: experimental\ndate: 2019/09/12\nmodified: 2019/11/10\nauthor: Roberto Rodriguez @Cyb3rWard0g\nreferences:\n- https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/alternate_signed_powershell_hosts.md\ntags:\n- attack.execution\n- attack.t1086\nlogsource:\n product: windows\n service: sysmon\ndetection:\n selection:\n EventID: 17\n PipeName|startswith: \\PSHost\n filter:\n Image|endswith: \\powershell.exe\n condition: selection and not filter\nfields:\n- ComputerName\n- User\n- Image\n- PipeName\nfalsepositives:\n- Programs using PowerShell directly without invocation of a dedicated interpreter.\nlevel: medium\n\n
\n}}'),(5691,'Issue',315,15,'T1086'),(5692,'Issue',316,1,'OceanLotus Registry Activity'),(5693,'Issue',316,2,'megan201296'),(5694,'Issue',316,8,'https://www.welivesecurity.com/2019/03/20/fake-or-fake-keeping-up-with-oceanlotus-decoys/'),(5695,'Issue',316,10,'critical'),(5696,'Issue',316,13,'community'),(5697,'Issue',316,14,'windows'),(5699,'Issue',316,11,'515c55bec'),(5700,'Issue',316,12,'4ac5fc44-a601-4c06-955b-309df8c4e9d4'),(5701,'Issue',316,16,'win-sysmon'),(5702,'Issue',316,17,''),(5703,'Issue',316,7,''),(5704,'Issue',316,3,'Detects registry keys created in OceanLotus (also known as APT32) attacks'),(5705,'Issue',316,4,''),(5706,'Issue',316,5,'_False Positives_\nUnknown'),(5707,'Issue',316,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"13\" AND event_data.TargetObject.keyword:(HKCR\\\\CLSID\\\\\\{E08A0F4B\\-1F65\\-4D4D\\-9A09\\-BD4625B9C5A1\\}\\\\Model OR HKU\\\\*_Classes\\\\CLSID\\\\\\{E08A0F4B\\-1F65\\-4D4D\\-9A09\\-BD4625B9C5A1\\}\\\\Model OR *\\\\SOFTWARE\\\\App\\\\AppXbf13d4ea2945444d8b13e2121cb6b663\\\\Application OR *\\\\SOFTWARE\\\\App\\\\AppXbf13d4ea2945444d8b13e2121cb6b663\\\\DefaultIcon OR *\\\\SOFTWARE\\\\App\\\\AppX70162486c7554f7f80f481985d67586d\\\\Application OR *\\\\SOFTWARE\\\\App\\\\AppX70162486c7554f7f80f481985d67586d\\\\DefaultIcon OR *\\\\SOFTWARE\\\\App\\\\AppX37cc7fdccd644b4f85f4b22d5a3f105a\\\\Application OR *\\\\SOFTWARE\\\\App\\\\AppX37cc7fdccd644b4f85f4b22d5a3f105a\\\\DefaultIcon OR HKU\\\\*_Classes\\\\AppXc52346ec40fb4061ad96be0e6cb7d16a\\\\* OR HKU\\\\*_Classes\\\\AppX3bbba44c6cae4d9695755183472171e2\\\\* OR HKU\\\\*_Classes\\\\CLSID\\\\\\{E3517E26\\-8E93\\-458D\\-A6DF\\-8030BC80528B\\}\\\\*))\nindex: so-*\nname: OceanLotus Registry Activity\npriority: 1\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(5708,'Issue',316,9,'{{collapse(View Sigma)\n\n\ntitle: OceanLotus Registry Activity\nid: 4ac5fc44-a601-4c06-955b-309df8c4e9d4\nstatus: experimental\ndescription: Detects registry keys created in OceanLotus (also known as APT32) attacks\nreferences:\n- https://www.welivesecurity.com/2019/03/20/fake-or-fake-keeping-up-with-oceanlotus-decoys/\ntags:\n- attack.t1112\nauthor: megan201296\ndate: 2019/04/14\nlogsource:\n product: windows\n service: sysmon\ndetection:\n selection:\n EventID: 13\n TargetObject:\n - HKCR\\CLSID\\{E08A0F4B-1F65-4D4D-9A09-BD4625B9C5A1}\\Model\n - HKU\\\\*_Classes\\CLSID\\{E08A0F4B-1F65-4D4D-9A09-BD4625B9C5A1}\\Model\n - \'*\\SOFTWARE\\App\\AppXbf13d4ea2945444d8b13e2121cb6b663\\Application\'\n - \'*\\SOFTWARE\\App\\AppXbf13d4ea2945444d8b13e2121cb6b663\\DefaultIcon\'\n - \'*\\SOFTWARE\\App\\AppX70162486c7554f7f80f481985d67586d\\Application\'\n - \'*\\SOFTWARE\\App\\AppX70162486c7554f7f80f481985d67586d\\DefaultIcon\'\n - \'*\\SOFTWARE\\App\\AppX37cc7fdccd644b4f85f4b22d5a3f105a\\Application\'\n - \'*\\SOFTWARE\\App\\AppX37cc7fdccd644b4f85f4b22d5a3f105a\\DefaultIcon\'\n - HKU\\\\*_Classes\\AppXc52346ec40fb4061ad96be0e6cb7d16a\\\\*\n - HKU\\\\*_Classes\\AppX3bbba44c6cae4d9695755183472171e2\\\\*\n - HKU\\\\*_Classes\\CLSID\\{E3517E26-8E93-458D-A6DF-8030BC80528B}\\\\*\n condition: selection\nfalsepositives:\n- Unknown\nlevel: critical\n\n
\n}}'),(5709,'Issue',316,15,'T1112'),(5710,'Issue',317,1,'Turla Group Named Pipes'),(5711,'Issue',317,2,'Markus Neis'),(5712,'Issue',317,8,'Internal Research'),(5713,'Issue',317,10,'critical'),(5714,'Issue',317,13,'community'),(5715,'Issue',317,14,'windows'),(5716,'Issue',317,15,''),(5717,'Issue',317,11,'9f6d31f18'),(5718,'Issue',317,12,'739915e4-1e70-4778-8b8a-17db02f66db1'),(5719,'Issue',317,16,'win-sysmon'),(5720,'Issue',317,17,''),(5721,'Issue',317,7,''),(5722,'Issue',317,3,'Detects a named pipe used by Turla group samples'),(5723,'Issue',317,4,''),(5724,'Issue',317,5,'_False Positives_\nUnkown'),(5725,'Issue',317,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:(\"17\" OR \"18\") AND event_data.PipeName:(\"\\\\atctl\" OR \"\\\\userpipe\" OR \"\\\\iehelper\" OR \"\\\\sdlrpc\" OR \"\\\\comnap\"))\nindex: so-*\nname: Turla Group Named Pipes\npriority: 1\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(5726,'Issue',317,9,'{{collapse(View Sigma)\n\n\ntitle: Turla Group Named Pipes\nid: 739915e4-1e70-4778-8b8a-17db02f66db1\nstatus: experimental\ndescription: Detects a named pipe used by Turla group samples\nreferences:\n- Internal Research\ndate: 2017/11/06\ntags:\n- attack.g0010\nauthor: Markus Neis\nlogsource:\n product: windows\n service: sysmon\n definition: Note that you have to configure logging for PipeEvents in Symson config\ndetection:\n selection:\n EventID:\n - 17\n - 18\n PipeName:\n - \\atctl\n - \\userpipe\n - \\iehelper\n - \\sdlrpc\n - \\comnap\n condition: selection\nfalsepositives:\n- Unkown\nlevel: critical\n\n
\n}}'),(5727,'Issue',318,1,'Autorun Keys Modification'),(5728,'Issue',318,2,'Victor Sergeev, Daniil Yugoslavskiy, oscd.community'),(5729,'Issue',318,8,'https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1060/T1060.yaml'),(5730,'Issue',318,10,'medium'),(5731,'Issue',318,13,'community'),(5732,'Issue',318,14,'windows'),(5734,'Issue',318,11,'102e8b3e7'),(5735,'Issue',318,12,'17f878b8-9968-4578-b814-c4217fc5768c'),(5736,'Issue',318,16,'win-sysmon'),(5737,'Issue',318,17,''),(5738,'Issue',318,7,''),(5739,'Issue',318,3,'Detects modification of autostart extensibility point (ASEP) in registry'),(5740,'Issue',318,4,''),(5741,'Issue',318,5,'_False Positives_\nLegitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason\nLegitimate administrator sets up autorun keys for legitimate reason'),(5742,'Issue',318,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"13\" AND event_data.TargetObject.keyword:(*\\\\software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run* OR *\\\\software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce* OR *\\\\software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnceEx* OR *\\\\software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunServices* OR *\\\\software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunServicesOnce* OR *\\\\software\\\\Microsoft\\\\Windows\\ NT\\\\CurrentVersion\\\\Winlogon\\\\Userinit* OR *\\\\software\\\\Microsoft\\\\Windows\\ NT\\\\CurrentVersion\\\\Winlogon\\\\Shell* OR *\\\\software\\\\Microsoft\\\\Windows\\ NT\\\\CurrentVersion\\\\Windows* OR *\\\\software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User\\ Shell\\ Folders*))\nindex: so-*\nname: Autorun Keys Modification\npriority: 3\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(5743,'Issue',318,9,'{{collapse(View Sigma)\n\n\ntitle: Autorun Keys Modification\nid: 17f878b8-9968-4578-b814-c4217fc5768c\ndescription: Detects modification of autostart extensibility point (ASEP) in registry\nstatus: experimental\nreferences:\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1060/T1060.yaml\ntags:\n- attack.persistence\n- attack.t1060\ndate: 2019/10/21\nmodified: 2019/11/10\nauthor: Victor Sergeev, Daniil Yugoslavskiy, oscd.community\nlogsource:\n product: windows\n service: sysmon\ndetection:\n selection:\n EventID: 13\n TargetObject|contains:\n - \\software\\Microsoft\\Windows\\CurrentVersion\\Run\n - \\software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\n - \\software\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx\n - \\software\\Microsoft\\Windows\\CurrentVersion\\RunServices\n - \\software\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce\n - \\software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit\n - \\software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell\n - \\software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\n - \\software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\n condition: selection\nfalsepositives:\n- Legitimate software automatically (mostly, during installation) sets up autorun\n keys for legitimate reason\n- Legitimate administrator sets up autorun keys for legitimate reason\nlevel: medium\n\n
\n}}'),(5744,'Issue',318,15,'T1060'),(5745,'Issue',319,1,'CACTUSTORCH Remote Thread Creation'),(5746,'Issue',319,2,'@SBousseaden (detection), Thomas Patzke (rule)'),(5747,'Issue',319,8,'https://twitter.com/SBousseaden/status/1090588499517079552\nhttps://github.com/mdsecactivebreach/CACTUSTORCH'),(5748,'Issue',319,10,'high'),(5749,'Issue',319,13,'community'),(5750,'Issue',319,14,'windows'),(5752,'Issue',319,11,'3ea2f31f8'),(5753,'Issue',319,12,'2e4e488a-6164-4811-9ea1-f960c7359c40'),(5754,'Issue',319,16,'win-sysmon'),(5755,'Issue',319,17,''),(5756,'Issue',319,7,''),(5757,'Issue',319,3,'Detects remote thread creation from CACTUSTORCH as described in references.'),(5758,'Issue',319,4,''),(5759,'Issue',319,5,'_False Positives_\nunknown'),(5760,'Issue',319,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"8\" AND event_data.SourceImage.keyword:(*\\\\System32\\\\cscript.exe OR *\\\\System32\\\\wscript.exe OR *\\\\System32\\\\mshta.exe OR *\\\\winword.exe OR *\\\\excel.exe) AND event_data.TargetImage.keyword:*\\\\SysWOW64\\\\* AND NOT _exists_:event_data.StartModule)\nindex: so-*\nname: CACTUSTORCH Remote Thread Creation\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(5761,'Issue',319,9,'{{collapse(View Sigma)\n\n\ntitle: CACTUSTORCH Remote Thread Creation\nid: 2e4e488a-6164-4811-9ea1-f960c7359c40\ndescription: Detects remote thread creation from CACTUSTORCH as described in references.\nreferences:\n- https://twitter.com/SBousseaden/status/1090588499517079552\n- https://github.com/mdsecactivebreach/CACTUSTORCH\nstatus: experimental\nauthor: \'@SBousseaden (detection), Thomas Patzke (rule)\'\ndate: 2019/02/01\nlogsource:\n product: windows\n service: sysmon\ndetection:\n selection:\n EventID: 8\n SourceImage:\n - \'*\\System32\\cscript.exe\'\n - \'*\\System32\\wscript.exe\'\n - \'*\\System32\\mshta.exe\'\n - \'*\\winword.exe\'\n - \'*\\excel.exe\'\n TargetImage: \'*\\SysWOW64\\\\*\'\n StartModule:\n condition: selection\ntags:\n- attack.execution\n- attack.t1055\n- attack.t1064\nfalsepositives:\n- unknown\nlevel: high\n\n
\n}}'),(5762,'Issue',319,15,'T1055'),(5763,'Issue',319,15,'T1064'),(5764,'Issue',320,1,'CobaltStrike Process Injection'),(5765,'Issue',320,2,'Olaf Hartong, Florian Roth, Aleksey Potapov, oscd.community'),(5766,'Issue',320,8,'https://medium.com/@olafhartong/cobalt-strike-remote-threads-detection-206372d11d0f\nhttps://blog.cobaltstrike.com/2018/04/09/cobalt-strike-3-11-the-snake-that-eats-its-tail/'),(5767,'Issue',320,10,'high'),(5768,'Issue',320,13,'community'),(5769,'Issue',320,14,'windows'),(5771,'Issue',320,11,'28d3c60ec'),(5772,'Issue',320,12,'6309645e-122d-4c5b-bb2b-22e4f9c2fa42'),(5773,'Issue',320,16,'win-sysmon'),(5774,'Issue',320,17,''),(5775,'Issue',320,7,''),(5776,'Issue',320,3,'Detects a possible remote threat creation with certain characteristics which are typical for Cobalt Strike beacons'),(5777,'Issue',320,4,''),(5778,'Issue',320,5,'_False Positives_\nunknown'),(5779,'Issue',320,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"8\" AND TargetProcessAddress.keyword:(*0B80 OR *0C7C OR *0C88))\nindex: so-*\nname: CobaltStrike Process Injection\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(5780,'Issue',320,9,'{{collapse(View Sigma)\n\n\ntitle: CobaltStrike Process Injection\nid: 6309645e-122d-4c5b-bb2b-22e4f9c2fa42\ndescription: Detects a possible remote threat creation with certain characteristics\n which are typical for Cobalt Strike beacons\nreferences:\n- https://medium.com/@olafhartong/cobalt-strike-remote-threads-detection-206372d11d0f\n- https://blog.cobaltstrike.com/2018/04/09/cobalt-strike-3-11-the-snake-that-eats-its-tail/\ntags:\n- attack.defense_evasion\n- attack.t1055\nstatus: experimental\nauthor: Olaf Hartong, Florian Roth, Aleksey Potapov, oscd.community\ndate: 2018/11/30\nmodified: 2019/11/08\nlogsource:\n product: windows\n service: sysmon\ndetection:\n selection:\n EventID: 8\n TargetProcessAddress|endswith:\n - 0B80\n - 0C7C\n - 0C88\n condition: selection\nfalsepositives:\n- unknown\nlevel: high\n\n
\n}}'),(5781,'Issue',320,15,'T1055'),(5782,'Issue',321,1,'CreateRemoteThread API and LoadLibrary'),(5783,'Issue',321,2,'Roberto Rodriguez @Cyb3rWard0g'),(5784,'Issue',321,8,'https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/05_defense_evasion/T1055_process_injection/dll_injection_createremotethread_loadlibrary.md'),(5785,'Issue',321,10,'critical'),(5786,'Issue',321,13,'community'),(5787,'Issue',321,14,'windows'),(5789,'Issue',321,11,'3325ffed5'),(5790,'Issue',321,12,'052ec6f6-1adc-41e6-907a-f1c813478bee'),(5791,'Issue',321,16,'win-sysmon'),(5792,'Issue',321,17,''),(5793,'Issue',321,7,''),(5794,'Issue',321,3,'Detects potential use of CreateRemoteThread api and LoadLibrary function to inject DLL into a process'),(5795,'Issue',321,4,''),(5796,'Issue',321,5,'_False Positives_\nUnknown'),(5797,'Issue',321,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"8\" AND event_data.StartModule.keyword:*\\\\kernel32.dll AND StartFunction:\"LoadLibraryA\")\nindex: so-*\nname: CreateRemoteThread API and LoadLibrary\npriority: 1\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(5798,'Issue',321,9,'{{collapse(View Sigma)\n\n\ntitle: CreateRemoteThread API and LoadLibrary\nid: 052ec6f6-1adc-41e6-907a-f1c813478bee\ndescription: Detects potential use of CreateRemoteThread api and LoadLibrary function\n to inject DLL into a process\nstatus: experimental\ndate: 2019/08/11\nmodified: 2019/11/10\nauthor: Roberto Rodriguez @Cyb3rWard0g\nreferences:\n- https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/05_defense_evasion/T1055_process_injection/dll_injection_createremotethread_loadlibrary.md\ntags:\n- attack.defense_evasion\n- attack.t1055\nlogsource:\n product: windows\n service: sysmon\ndetection:\n selection:\n EventID: 8\n StartModule|endswith: \\kernel32.dll\n StartFunction: LoadLibraryA\n condition: selection\nfalsepositives:\n- Unknown\nlevel: critical\n\n
\n}}'),(5799,'Issue',321,15,'T1055'),(5800,'Issue',322,1,'Credentials Dumping Tools Accessing LSASS Memory'),(5801,'Issue',322,2,'Florian Roth, Roberto Rodriguez, Dimitrios Slamaris, Mark Russinovich, Thomas Patzke, Teymur Kheirkhabarov, Sherif Eldeeb, James Dickenson, Aleksey Potapov, oscd.community (update)'),(5802,'Issue',322,8,'https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow\nhttps://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html\nhttps://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment\nhttp://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf'),(5803,'Issue',322,10,'high'),(5804,'Issue',322,13,'community'),(5805,'Issue',322,14,'windows'),(5807,'Issue',322,11,'38beb365c'),(5808,'Issue',322,12,'32d0d3e2-e58d-4d41-926b-18b520b2b32d'),(5809,'Issue',322,16,'win-sysmon'),(5810,'Issue',322,17,''),(5811,'Issue',322,7,''),(5812,'Issue',322,3,'Detects process access LSASS memory which is typical for credentials dumping tools'),(5813,'Issue',322,4,''),(5814,'Issue',322,5,'_False Positives_\nLegitimate software accessing LSASS process for legitimate reason; update the whitelist with it\n\n_Interesting Log Fields_\nComputerName\nUser\nSourceImage'),(5815,'Issue',322,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (event.code:\"10\" AND event_data.TargetImage.keyword:*\\\\lsass.exe AND event_data.GrantedAccess.keyword:(*0x40* OR *0x1000* OR *0x1400* OR *0x100000* OR *0x1410* OR *0x1010* OR *0x1438* OR *0x143a* OR *0x1418* OR *0x1f0fff* OR *0x1f1fff* OR *0x1f2fff* OR *0x1f3fff*)) AND (NOT (event_data.ProcessName.keyword:(*\\\\wmiprvse.exe OR *\\\\taskmgr.exe OR *\\\\procexp64.exe OR *\\\\procexp.exe OR *\\\\lsm.exe OR *\\\\csrss.exe OR *\\\\wininit.exe OR *\\\\vmtoolsd.exe))))\nindex: so-*\nname: Credentials Dumping Tools Accessing LSASS Memory\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(5816,'Issue',322,9,'{{collapse(View Sigma)\n\n\ntitle: Credentials Dumping Tools Accessing LSASS Memory\nid: 32d0d3e2-e58d-4d41-926b-18b520b2b32d\nstatus: experimental\ndescription: Detects process access LSASS memory which is typical for credentials\n dumping tools\nauthor: Florian Roth, Roberto Rodriguez, Dimitrios Slamaris, Mark Russinovich, Thomas\n Patzke, Teymur Kheirkhabarov, Sherif Eldeeb, James Dickenson, Aleksey Potapov, oscd.community\n (update)\ndate: 2017/02/16\nmodified: 2019/11/08\nreferences:\n- https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow\n- https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html\n- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment\n- http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf\ntags:\n- attack.t1003\n- attack.s0002\n- attack.credential_access\n- car.2019-04-004\nlogsource:\n product: windows\n service: sysmon\ndetection:\n selection:\n EventID: 10\n TargetImage|endswith: \\lsass.exe\n GrantedAccess|contains:\n - \'0x40\'\n - \'0x1000\'\n - \'0x1400\'\n - \'0x100000\'\n - \'0x1410\'\n - \'0x1010\'\n - \'0x1438\'\n - \'0x143a\'\n - \'0x1418\'\n - \'0x1f0fff\'\n - \'0x1f1fff\'\n - \'0x1f2fff\'\n - \'0x1f3fff\'\n filter:\n ProcessName|endswith:\n - \\wmiprvse.exe\n - \\taskmgr.exe\n - \\procexp64.exe\n - \\procexp.exe\n - \\lsm.exe\n - \\csrss.exe\n - \\wininit.exe\n - \\vmtoolsd.exe\n condition: selection and not filter\nfields:\n- ComputerName\n- User\n- SourceImage\nfalsepositives:\n- Legitimate software accessing LSASS process for legitimate reason; update the whitelist\n with it\nlevel: high\n\n
\n}}'),(5817,'Issue',322,15,'T1003'),(5818,'Issue',323,1,'Cred Dump Tools Dropped Files'),(5819,'Issue',323,2,'Teymur Kheirkhabarov, oscd.community'),(5820,'Issue',323,8,'https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment'),(5821,'Issue',323,10,'high'),(5822,'Issue',323,13,'community'),(5823,'Issue',323,14,'windows'),(5825,'Issue',323,11,'3205565a1'),(5826,'Issue',323,12,'8fbf3271-1ef6-4e94-8210-03c2317947f6'),(5827,'Issue',323,16,'win-sysmon'),(5828,'Issue',323,17,''),(5829,'Issue',323,7,''),(5830,'Issue',323,3,'Files with well-known filenames (parts of credential dump software or files produced by them) creation'),(5831,'Issue',323,4,''),(5832,'Issue',323,5,'_False Positives_\nLegitimate Administrator using tool for password recovery'),(5833,'Issue',323,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"11\" AND event_data.TargetFilename.keyword:(*\\\\pwdump* OR *\\\\kirbi* OR *\\\\pwhashes* OR *\\\\wce_ccache* OR *\\\\wce_krbtkts* OR *\\\\fgdump\\-log*) AND event_data.TargetFilename.keyword:(*\\\\test.pwd OR *\\\\lsremora64.dll OR *\\\\lsremora.dll OR *\\\\fgexec.exe OR *\\\\wceaux.dll OR *\\\\SAM.out OR *\\\\SECURITY.out OR *\\\\SYSTEM.out OR *\\\\NTDS.out OR *\\\\DumpExt.dll OR *\\\\DumpSvc.exe OR *\\\\cachedump64.exe OR *\\\\cachedump.exe OR *\\\\pstgdump.exe OR *\\\\servpw.exe OR *\\\\servpw64.exe OR *\\\\pwdump.exe OR *\\\\procdump64.exe))\nindex: so-*\nname: Cred Dump Tools Dropped Files\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(5834,'Issue',323,9,'{{collapse(View Sigma)\n\n\ntitle: Cred Dump Tools Dropped Files\nid: 8fbf3271-1ef6-4e94-8210-03c2317947f6\ndescription: Files with well-known filenames (parts of credential dump software or\n files produced by them) creation\nauthor: Teymur Kheirkhabarov, oscd.community\ndate: 2019/11/01\nmodified: 2019/11/13\nreferences:\n- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment\ntags:\n- attack.credential_access\n- attack.t1003\nlogsource:\n product: windows\n service: sysmon\ndetection:\n selection:\n EventID: 11\n TargetFilename|contains:\n - \\pwdump\n - \\kirbi\n - \\pwhashes\n - \\wce_ccache\n - \\wce_krbtkts\n - \\fgdump-log\n TargetFilename|endswith:\n - \\test.pwd\n - \\lsremora64.dll\n - \\lsremora.dll\n - \\fgexec.exe\n - \\wceaux.dll\n - \\SAM.out\n - \\SECURITY.out\n - \\SYSTEM.out\n - \\NTDS.out\n - \\DumpExt.dll\n - \\DumpSvc.exe\n - \\cachedump64.exe\n - \\cachedump.exe\n - \\pstgdump.exe\n - \\servpw.exe\n - \\servpw64.exe\n - \\pwdump.exe\n - \\procdump64.exe\n condition: selection\nfalsepositives:\n- Legitimate Administrator using tool for password recovery\nlevel: high\nstatus: experimental\n\n
\n}}'),(5835,'Issue',323,15,'T1003'),(5836,'Issue',324,1,'Cred Dump-Tools Named Pipes'),(5837,'Issue',324,2,'Teymur Kheirkhabarov, oscd.community'),(5838,'Issue',324,8,'https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment'),(5839,'Issue',324,10,'critical'),(5840,'Issue',324,13,'community'),(5841,'Issue',324,14,'windows'),(5843,'Issue',324,11,'f819bdb50'),(5844,'Issue',324,12,'961d0ba2-3eea-4303-a930-2cf78bbfcc5e'),(5845,'Issue',324,16,'win-sysmon'),(5846,'Issue',324,17,''),(5847,'Issue',324,7,''),(5848,'Issue',324,3,'Detects well-known credential dumping tools execution via specific named pipes'),(5849,'Issue',324,4,''),(5850,'Issue',324,5,'_False Positives_\nLegitimate Administrator using tool for password recovery'),(5851,'Issue',324,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"17\" AND event_data.PipeName.keyword:(*\\\\lsadump* OR *\\\\cachedump* OR *\\\\wceservicepipe*))\nindex: so-*\nname: Cred Dump-Tools Named Pipes\npriority: 1\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(5852,'Issue',324,9,'{{collapse(View Sigma)\n\n\ntitle: Cred Dump-Tools Named Pipes\nid: 961d0ba2-3eea-4303-a930-2cf78bbfcc5e\ndescription: Detects well-known credential dumping tools execution via specific named\n pipes\nauthor: Teymur Kheirkhabarov, oscd.community\ndate: 2019/11/01\nreferences:\n- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment\ntags:\n- attack.credential_access\n- attack.t1003\nlogsource:\n product: windows\n service: sysmon\ndetection:\n selection:\n EventID: 17\n PipeName|contains:\n - \\lsadump\n - \\cachedump\n - \\wceservicepipe\n condition: selection\nfalsepositives:\n- Legitimate Administrator using tool for password recovery\nlevel: critical\nstatus: experimental\n\n
\n}}'),(5853,'Issue',324,15,'T1003'),(5854,'Issue',325,1,'DHCP Callout DLL Installation'),(5855,'Issue',325,2,'Dimitrios Slamaris'),(5856,'Issue',325,8,'https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html\nhttps://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx\nhttps://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx'),(5857,'Issue',325,10,'high'),(5858,'Issue',325,13,'community'),(5859,'Issue',325,14,'windows'),(5861,'Issue',325,11,'6fbe5639d'),(5862,'Issue',325,12,'9d3436ef-9476-4c43-acca-90ce06bdf33a'),(5863,'Issue',325,16,'win-sysmon'),(5864,'Issue',325,17,''),(5865,'Issue',325,7,''),(5866,'Issue',325,3,'Detects the installation of a Callout DLL via CalloutDlls and CalloutEnabled parameter in Registry, which can be used to execute code in context of the DHCP server (restart required)'),(5867,'Issue',325,4,''),(5868,'Issue',325,5,'_False Positives_\nunknown'),(5869,'Issue',325,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"13\" AND event_data.TargetObject.keyword:(*\\\\Services\\\\DHCPServer\\\\Parameters\\\\CalloutDlls OR *\\\\Services\\\\DHCPServer\\\\Parameters\\\\CalloutEnabled))\nindex: so-*\nname: DHCP Callout DLL Installation\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(5870,'Issue',325,9,'{{collapse(View Sigma)\n\n\ntitle: DHCP Callout DLL Installation\nid: 9d3436ef-9476-4c43-acca-90ce06bdf33a\nstatus: experimental\ndescription: Detects the installation of a Callout DLL via CalloutDlls and CalloutEnabled\n parameter in Registry, which can be used to execute code in context of the DHCP\n server (restart required)\nreferences:\n- https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html\n- https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx\n- https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx\ndate: 2017/05/15\nauthor: Dimitrios Slamaris\ntags:\n- attack.defense_evasion\n- attack.t1073\n- attack.t1112\nlogsource:\n product: windows\n service: sysmon\ndetection:\n selection:\n EventID: 13\n TargetObject:\n - \'*\\Services\\DHCPServer\\Parameters\\CalloutDlls\'\n - \'*\\Services\\DHCPServer\\Parameters\\CalloutEnabled\'\n condition: selection\nfalsepositives:\n- unknown\nlevel: high\n\n
\n}}'),(5871,'Issue',325,15,'T1073'),(5872,'Issue',325,15,'T1112'),(5873,'Issue',326,1,'Disable Security Events Logging Adding Reg Key MiniNt'),(5874,'Issue',326,2,'Ilyas Ochkov, oscd.community'),(5875,'Issue',326,8,'https://twitter.com/0gtweet/status/1182516740955226112'),(5876,'Issue',326,10,'high'),(5877,'Issue',326,13,'community'),(5878,'Issue',326,14,'windows'),(5880,'Issue',326,11,'685c808fd'),(5881,'Issue',326,12,'919f2ef0-be2d-4a7a-b635-eb2b41fde044'),(5882,'Issue',326,16,'win-sysmon'),(5883,'Issue',326,17,''),(5884,'Issue',326,7,''),(5885,'Issue',326,3,'Detects the addition of a key \'MiniNt\' to the registry. Upon a reboot, Windows Event Log service will stopped write events.'),(5886,'Issue',326,4,''),(5887,'Issue',326,5,'_False Positives_\nUnkown\n\n_Interesting Log Fields_\nEventID\nImage\nTargetObject\nNewName'),(5888,'Issue',326,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND ((event.code:\"12\" AND event_data.TargetObject:\"HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\MiniNt\") OR (event.code:\"14\" AND NewName:\"HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\MiniNt\")))\nindex: so-*\nname: Disable Security Events Logging Adding Reg Key MiniNt\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(5889,'Issue',326,9,'{{collapse(View Sigma)\n\n\ntitle: Disable Security Events Logging Adding Reg Key MiniNt\nid: 919f2ef0-be2d-4a7a-b635-eb2b41fde044\nstatus: experimental\ndescription: Detects the addition of a key \'MiniNt\' to the registry. Upon a reboot,\n Windows Event Log service will stopped write events.\nreferences:\n- https://twitter.com/0gtweet/status/1182516740955226112\ntags:\n- attack.defense_evasion\n- attack.t1089\nauthor: Ilyas Ochkov, oscd.community\ndate: 2019/10/25\nmodified: 2019/11/13\nlogsource:\n product: windows\n service: sysmon\ndetection:\n selection:\n - EventID: 12\n TargetObject: HKLM\\SYSTEM\\CurrentControlSet\\Control\\MiniNt\n - EventID: 14\n NewName: HKLM\\SYSTEM\\CurrentControlSet\\Control\\MiniNt\n condition: selection\nfields:\n- EventID\n- Image\n- TargetObject\n- NewName\nfalsepositives:\n- Unkown\nlevel: high\n\n
\n}}'),(5890,'Issue',326,15,'T1089'),(5891,'Issue',327,1,'Detection of SafetyKatz'),(5892,'Issue',327,2,'Markus Neis'),(5893,'Issue',327,8,'https://github.com/GhostPack/SafetyKatz'),(5894,'Issue',327,10,'high'),(5895,'Issue',327,13,'community'),(5896,'Issue',327,14,'windows'),(5898,'Issue',327,11,'de878e0bb'),(5899,'Issue',327,12,'e074832a-eada-4fd7-94a1-10642b130e16'),(5900,'Issue',327,16,'win-sysmon'),(5901,'Issue',327,17,''),(5902,'Issue',327,7,''),(5903,'Issue',327,3,'Detects possible SafetyKatz Behaviour'),(5904,'Issue',327,4,''),(5905,'Issue',327,5,'_False Positives_\nUnknown'),(5906,'Issue',327,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"11\" AND event_data.TargetFilename.keyword:*\\\\Temp\\\\debug.bin)\nindex: so-*\nname: Detection of SafetyKatz\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(5907,'Issue',327,9,'{{collapse(View Sigma)\n\n\ntitle: Detection of SafetyKatz\nid: e074832a-eada-4fd7-94a1-10642b130e16\nstatus: experimental\ndescription: Detects possible SafetyKatz Behaviour\nreferences:\n- https://github.com/GhostPack/SafetyKatz\ntags:\n- attack.credential_access\n- attack.t1003\nauthor: Markus Neis\ndate: 2018/07/24\nlogsource:\n product: windows\n service: sysmon\ndetection:\n selection:\n EventID: 11\n TargetFilename: \'*\\Temp\\debug.bin\'\n condition: selection\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(5908,'Issue',327,15,'T1003'),(5909,'Issue',328,1,'Suspicious In-Memory Module Execution'),(5910,'Issue',328,2,'Perez Diego (@darkquassar), oscd.community'),(5911,'Issue',328,8,'https://azure.microsoft.com/en-ca/blog/detecting-in-memory-attacks-with-sysmon-and-azure-security-center/'),(5912,'Issue',328,10,'critical'),(5913,'Issue',328,13,'community'),(5914,'Issue',328,14,'windows'),(5916,'Issue',328,11,'0b938deb6'),(5917,'Issue',328,12,'5f113a8f-8b61-41ca-b90f-d374fa7e4a39'),(5918,'Issue',328,16,'win-sysmon'),(5919,'Issue',328,17,''),(5920,'Issue',328,7,''),(5921,'Issue',328,3,'Detects the access to processes by other suspicious processes which have reflectively loaded libraries in their memory space. An example is SilentTrinity C2 behaviour. Generally speaking, when Sysmon EventID 10 cannot reference a stack call to a dll loaded from disk (the standard way), it will display \"UNKNOWN\" as the module name. Usually this means the stack call points to a module that was reflectively loaded in memory. Adding to this, it is not common to see such few calls in the stack (ntdll.dll --> kernelbase.dll --> unknown) which essentially means that most of the functions required by the process to execute certain routines are already present in memory, not requiring any calls to external libraries. The latter should also be considered suspicious.'),(5922,'Issue',328,4,''),(5923,'Issue',328,5,'_False Positives_\nLow\n\n_Interesting Log Fields_\nComputerName\nUser\nSourceImage\nTargetImage\nCallTrace'),(5924,'Issue',328,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"10\" AND (event_data.CallTrace.keyword:(C\\:\\\\Windows\\\\SYSTEM32\\\\ntdll.dll\\+*|C\\:\\\\Windows\\\\System32\\\\KERNELBASE.dll\\+*|UNKNOWN\\(*\\) OR *UNKNOWN\\(*\\)|UNKNOWN\\(*\\)) OR (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event_data.CallTrace.keyword:*UNKNOWN* AND event_data.GrantedAccess:(\"0x1F0FFF\" OR \"0x1F1FFF\" OR \"0x143A\" OR \"0x1410\" OR \"0x1010\" OR \"0x1F2FFF\" OR \"0x1F3FFF\" OR \"0x1FFFFF\"))))\nindex: so-*\nname: Suspicious In-Memory Module Execution\npriority: 1\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(5925,'Issue',328,9,'{{collapse(View Sigma)\n\n\ntitle: Suspicious In-Memory Module Execution\nid: 5f113a8f-8b61-41ca-b90f-d374fa7e4a39\ndescription: Detects the access to processes by other suspicious processes which have\n reflectively loaded libraries in their memory space. An example is SilentTrinity\n C2 behaviour. Generally speaking, when Sysmon EventID 10 cannot reference a stack\n call to a dll loaded from disk (the standard way), it will display \"UNKNOWN\" as\n the module name. Usually this means the stack call points to a module that was reflectively\n loaded in memory. Adding to this, it is not common to see such few calls in the\n stack (ntdll.dll --> kernelbase.dll --> unknown) which essentially means that most\n of the functions required by the process to execute certain routines are already\n present in memory, not requiring any calls to external libraries. The latter should\n also be considered suspicious.\nstatus: experimental\ndate: 2019/10/27\nauthor: Perez Diego (@darkquassar), oscd.community\nreferences:\n- https://azure.microsoft.com/en-ca/blog/detecting-in-memory-attacks-with-sysmon-and-azure-security-center/\ntags:\n- attack.privilege_escalation\n- attack.t1055\nlogsource:\n product: windows\n service: sysmon\ndetection:\n selection_01:\n EventID: 10\n CallTrace:\n - C:\\Windows\\SYSTEM32\\ntdll.dll+*|C:\\Windows\\System32\\KERNELBASE.dll+*|UNKNOWN(*)\n - \'*UNKNOWN(*)|UNKNOWN(*)\'\n selection_02:\n EventID: 10\n CallTrace: \'*UNKNOWN*\'\n granted_access:\n GrantedAccess:\n - \'0x1F0FFF\'\n - \'0x1F1FFF\'\n - \'0x143A\'\n - \'0x1410\'\n - \'0x1010\'\n - \'0x1F2FFF\'\n - \'0x1F3FFF\'\n - \'0x1FFFFF\'\n condition: selection_01 OR (selection_02 AND granted_access)\nfields:\n- ComputerName\n- User\n- SourceImage\n- TargetImage\n- CallTrace\nlevel: critical\nfalsepositives:\n- Low\n\n
\n}}'),(5926,'Issue',328,15,'T1055'),(5927,'Issue',329,1,'In-memory PowerShell'),(5928,'Issue',329,2,'Tom Kern, oscd.community'),(5929,'Issue',329,8,'https://adsecurity.org/?p=2921\nhttps://github.com/p3nt4/PowerShdll'),(5930,'Issue',329,10,'high'),(5931,'Issue',329,13,'community'),(5932,'Issue',329,14,'windows'),(5934,'Issue',329,11,'442bc82a3'),(5935,'Issue',329,12,'092bc4b9-3d1d-43b4-a6b4-8c8acd83522f'),(5936,'Issue',329,16,'win-sysmon'),(5937,'Issue',329,17,''),(5938,'Issue',329,7,''),(5939,'Issue',329,3,'Detects loading of essential DLL used by PowerShell, but not by the process powershell.exe. Detects meterpreter\'s \"load powershell\" extension.'),(5940,'Issue',329,4,''),(5941,'Issue',329,5,'_False Positives_\nUsed by some .NET binaries, minimal on user workstation.'),(5942,'Issue',329,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (event.code:\"7\" AND event_data.ImageLoaded.keyword:(*\\\\System.Management.Automation.Dll OR *\\\\System.Management.Automation.ni.Dll)) AND (NOT (process.executable.keyword:(*\\\\powershell.exe OR *\\\\WINDOWS\\\\System32\\\\sdiagnhost.exe) AND event_data.User:\"NT\\ AUTHORITY\\\\SYSTEM\")))\nindex: so-*\nname: In-memory PowerShell\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(5943,'Issue',329,9,'{{collapse(View Sigma)\n\n\ntitle: In-memory PowerShell\nid: 092bc4b9-3d1d-43b4-a6b4-8c8acd83522f\nstatus: experimental\ndescription: Detects loading of essential DLL used by PowerShell, but not by the process\n powershell.exe. Detects meterpreter\'s \"load powershell\" extension.\nauthor: Tom Kern, oscd.community\ndate: 2019/11/14\nmodified: 2019/11/30\nreferences:\n- https://adsecurity.org/?p=2921\n- https://github.com/p3nt4/PowerShdll\ntags:\n- attack.t1086\n- attack.execution\nlogsource:\n product: windows\n service: sysmon\ndetection:\n selection:\n EventID: 7\n ImageLoaded|endswith:\n - \\System.Management.Automation.Dll\n - \\System.Management.Automation.ni.Dll\n filter:\n Image|endswith:\n - \\powershell.exe\n - \\WINDOWS\\System32\\sdiagnhost.exe\n User: NT AUTHORITY\\SYSTEM\n condition: selection and not filter\nfalsepositives:\n- Used by some .NET binaries, minimal on user workstation.\nlevel: high\nenrichment:\n- EN_0001_cache_sysmon_event_id_1_info\n- EN_0003_enrich_other_sysmon_events_with_event_id_1_data\n\n
\n}}'),(5944,'Issue',329,15,'T1086'),(5945,'Issue',330,1,'Suspect Svchost Memory Asccess'),(5946,'Issue',330,2,'Tim Burrell'),(5947,'Issue',330,8,'https://github.com/hlldz/Invoke-Phant0m\nhttps://twitter.com/timbmsft/status/900724491076214784'),(5948,'Issue',330,10,'high'),(5949,'Issue',330,13,'community'),(5950,'Issue',330,14,'windows'),(5952,'Issue',330,11,'ff9ac8949'),(5953,'Issue',330,12,'166e9c50-8cd9-44af-815d-d1f0c0e90dde'),(5954,'Issue',330,16,'win-sysmon'),(5955,'Issue',330,17,''),(5956,'Issue',330,7,''),(5957,'Issue',330,3,'Detects suspect access to svchost process memory such as that used by Invoke-Phantom to kill the winRM windows event logging service.'),(5958,'Issue',330,4,''),(5959,'Issue',330,5,'_False Positives_\nunknown'),(5960,'Issue',330,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"10\" AND event_data.TargetImage.keyword:*\\\\windows\\\\system32\\\\svchost.exe AND event_data.GrantedAccess:\"0x1f3fff\" AND event_data.CallTrace.keyword:(*unknown*))\nindex: so-*\nname: Suspect Svchost Memory Asccess\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(5961,'Issue',330,9,'{{collapse(View Sigma)\n\n\ntitle: Suspect Svchost Memory Asccess\nid: 166e9c50-8cd9-44af-815d-d1f0c0e90dde\nstatus: experimental\ndescription: Detects suspect access to svchost process memory such as that used by\n Invoke-Phantom to kill the winRM windows event logging service.\nauthor: Tim Burrell\ndate: 2020/01/02\nreferences:\n- https://github.com/hlldz/Invoke-Phant0m\n- https://twitter.com/timbmsft/status/900724491076214784\ntags:\n- attack.t1089\n- attack.defense_evasion\nlogsource:\n product: windows\n service: sysmon\ndetection:\n selection:\n EventID: 10\n TargetImage: \'*\\windows\\system32\\svchost.exe\'\n GrantedAccess: \'0x1f3fff\'\n CallTrace:\n - \'*unknown*\'\n condition: selection\nfalsepositives:\n- unknown\nlevel: high\n\n
\n}}'),(5962,'Issue',330,15,'T1089'),(5963,'Issue',331,1,'LSASS Memory Dump'),(5964,'Issue',331,2,'Samir Bousseaden'),(5965,'Issue',331,8,'https://blog.menasec.net/2019/02/threat-hunting-21-procdump-or-taskmgr.html'),(5966,'Issue',331,10,'high'),(5967,'Issue',331,13,'community'),(5968,'Issue',331,14,'windows'),(5970,'Issue',331,11,'183b4c501'),(5971,'Issue',331,12,'5ef9853e-4d0e-4a70-846f-a9ca37d876da'),(5972,'Issue',331,16,'win-sysmon'),(5973,'Issue',331,17,''),(5974,'Issue',331,7,''),(5975,'Issue',331,3,'Detects process LSASS memory dump using procdump or taskmgr based on the CallTrace pointing to dbghelp.dll or dbgcore.dll for win10'),(5976,'Issue',331,4,''),(5977,'Issue',331,5,'_False Positives_\nunknown'),(5978,'Issue',331,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"10\" AND event_data.TargetImage:\"C\\:\\\\windows\\\\system32\\\\lsass.exe\" AND event_data.GrantedAccess:\"0x1fffff\" AND event_data.CallTrace.keyword:(*dbghelp.dll* OR *dbgcore.dll*))\nindex: so-*\nname: LSASS Memory Dump\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(5979,'Issue',331,9,'{{collapse(View Sigma)\n\n\ntitle: LSASS Memory Dump\nid: 5ef9853e-4d0e-4a70-846f-a9ca37d876da\nstatus: experimental\ndescription: Detects process LSASS memory dump using procdump or taskmgr based on\n the CallTrace pointing to dbghelp.dll or dbgcore.dll for win10\nauthor: Samir Bousseaden\ndate: 2019/04/03\nreferences:\n- https://blog.menasec.net/2019/02/threat-hunting-21-procdump-or-taskmgr.html\ntags:\n- attack.t1003\n- attack.s0002\n- attack.credential_access\nlogsource:\n product: windows\n service: sysmon\ndetection:\n selection:\n EventID: 10\n TargetImage: C:\\windows\\system32\\lsass.exe\n GrantedAccess: \'0x1fffff\'\n CallTrace:\n - \'*dbghelp.dll*\'\n - \'*dbgcore.dll*\'\n condition: selection\nfalsepositives:\n- unknown\nlevel: high\n\n
\n}}'),(5980,'Issue',331,15,'T1003'),(5981,'Issue',332,1,'LSASS Memory Dump File Creation'),(5982,'Issue',332,2,'Teymur Kheirkhabarov, oscd.community'),(5983,'Issue',332,8,'https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment'),(5984,'Issue',332,10,'medium'),(5985,'Issue',332,13,'community'),(5986,'Issue',332,14,'windows'),(5988,'Issue',332,11,'d6052fb1a'),(5989,'Issue',332,12,'5e3d3601-0662-4af0-b1d2-36a05e90c40a'),(5990,'Issue',332,16,'win-sysmon'),(5991,'Issue',332,17,''),(5992,'Issue',332,7,''),(5993,'Issue',332,3,'LSASS memory dump creation using operating systems utilities. Procdump will use process name in output file if no name is specified'),(5994,'Issue',332,4,''),(5995,'Issue',332,5,'_False Positives_\nDumping lsass memory for forensic investigation purposes by legitimate incident responder or forensic invetigator\n\n_Interesting Log Fields_\nComputerName\nTargetFileName'),(5996,'Issue',332,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"11\" AND event_data.TargetFilename.keyword:*lsass* AND event_data.TargetFilename.keyword:*dmp)\nindex: so-*\nname: LSASS Memory Dump File Creation\npriority: 3\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(5997,'Issue',332,9,'{{collapse(View Sigma)\n\n\ntitle: LSASS Memory Dump File Creation\nid: 5e3d3601-0662-4af0-b1d2-36a05e90c40a\ndescription: LSASS memory dump creation using operating systems utilities. Procdump\n will use process name in output file if no name is specified\nauthor: Teymur Kheirkhabarov, oscd.community\nreferences:\n- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment\ndate: 2019/10/22\nmodified: 2019/11/13\ntags:\n- attack.credential_access\n- attack.t1003\nlogsource:\n product: windows\n service: sysmon\ndetection:\n selection:\n EventID: 11\n TargetFilename|contains: lsass\n TargetFilename|endswith: dmp\n condition: selection\nfields:\n- ComputerName\n- TargetFileName\nfalsepositives:\n- Dumping lsass memory for forensic investigation purposes by legitimate incident\n responder or forensic invetigator\nlevel: medium\nstatus: experimental\n\n
\n}}'),(5998,'Issue',332,15,'T1003'),(5999,'Issue',333,1,'Malicious Named Pipe'),(6000,'Issue',333,2,'Florian Roth'),(6001,'Issue',333,8,'Various sources'),(6002,'Issue',333,10,'critical'),(6003,'Issue',333,13,'community'),(6004,'Issue',333,14,'windows'),(6006,'Issue',333,11,'192999425'),(6007,'Issue',333,12,'fe3ac066-98bb-432a-b1e7-a5229cb39d4a'),(6008,'Issue',333,16,'win-sysmon'),(6009,'Issue',333,17,''),(6010,'Issue',333,7,''),(6011,'Issue',333,3,'Detects the creation of a named pipe used by known APT malware'),(6012,'Issue',333,4,''),(6013,'Issue',333,5,'_False Positives_\nUnkown'),(6014,'Issue',333,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:(\"17\" OR \"18\") AND event_data.PipeName.keyword:(\\\\isapi_http OR \\\\isapi_dg OR \\\\isapi_dg2 OR \\\\sdlrpc OR \\\\ahexec OR \\\\winsession OR \\\\lsassw OR \\\\46a676ab7f179e511e30dd2dc41bd388 OR \\\\9f81f59bc58452127884ce513865ed20 OR \\\\e710f28d59aa529d6792ca6ff0ca1b34 OR \\\\rpchlp_3 OR \\\\NamePipe_MoreWindows OR \\\\pcheap_reuse OR \\\\msagent_* OR \\\\gruntsvc))\nindex: so-*\nname: Malicious Named Pipe\npriority: 1\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(6015,'Issue',333,9,'{{collapse(View Sigma)\n\n\ntitle: Malicious Named Pipe\nid: fe3ac066-98bb-432a-b1e7-a5229cb39d4a\nstatus: experimental\ndescription: Detects the creation of a named pipe used by known APT malware\nreferences:\n- Various sources\ndate: 2017/11/06\nauthor: Florian Roth\nlogsource:\n product: windows\n service: sysmon\n definition: Note that you have to configure logging for PipeEvents in Symson config\ndetection:\n selection:\n EventID:\n - 17\n - 18\n PipeName:\n - \\isapi_http\n - \\isapi_dg\n - \\isapi_dg2\n - \\sdlrpc\n - \\ahexec\n - \\winsession\n - \\lsassw\n - \\46a676ab7f179e511e30dd2dc41bd388\n - \\9f81f59bc58452127884ce513865ed20\n - \\e710f28d59aa529d6792ca6ff0ca1b34\n - \\rpchlp_3\n - \\NamePipe_MoreWindows\n - \\pcheap_reuse\n - \\msagent_*\n - \\gruntsvc\n condition: selection\ntags:\n- attack.defense_evasion\n- attack.privilege_escalation\n- attack.t1055\nfalsepositives:\n- Unkown\nlevel: critical\n\n
\n}}'),(6016,'Issue',333,15,'T1055'),(6017,'Issue',334,1,'Suspicious Typical Malware Back Connect Ports'),(6018,'Issue',334,2,'Florian Roth'),(6019,'Issue',334,8,'https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo'),(6020,'Issue',334,10,'medium'),(6021,'Issue',334,13,'community'),(6022,'Issue',334,14,'windows'),(6024,'Issue',334,11,'1e14702d5'),(6025,'Issue',334,12,'4b89abaa-99fe-4232-afdd-8f9aa4d20382'),(6026,'Issue',334,16,'win-sysmon'),(6027,'Issue',334,17,''),(6028,'Issue',334,7,''),(6029,'Issue',334,3,'Detects programs that connect to typical malware back connect ports based on statistical analysis from two different sandbox system databases'),(6030,'Issue',334,4,''),(6031,'Issue',334,5,'_False Positives_\nunknown'),(6032,'Issue',334,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (event.code:\"3\" AND event_data.Initiated:\"true\" AND destination_port:(\"4443\" OR \"2448\" OR \"8143\" OR \"1777\" OR \"1443\" OR \"243\" OR \"65535\" OR \"13506\" OR \"3360\" OR \"200\" OR \"198\" OR \"49180\" OR \"13507\" OR \"6625\" OR \"4444\" OR \"4438\" OR \"1904\" OR \"13505\" OR \"13504\" OR \"12102\" OR \"9631\" OR \"5445\" OR \"2443\" OR \"777\" OR \"13394\" OR \"13145\" OR \"12103\" OR \"5552\" OR \"3939\" OR \"3675\" OR \"666\" OR \"473\" OR \"5649\" OR \"4455\" OR \"4433\" OR \"1817\" OR \"100\" OR \"65520\" OR \"1960\" OR \"1515\" OR \"743\" OR \"700\" OR \"14154\" OR \"14103\" OR \"14102\" OR \"12322\" OR \"10101\" OR \"7210\" OR \"4040\" OR \"9943\")) AND (NOT ((event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (process.executable.keyword:*\\\\Program\\ Files* OR (destination_ip.keyword:(10.* OR 192.168.* OR 172.16.* OR 172.17.* OR 172.18.* OR 172.19.* OR 172.20.* OR 172.21.* OR 172.22.* OR 172.23.* OR 172.24.* OR 172.25.* OR 172.26.* OR 172.27.* OR 172.28.* OR 172.29.* OR 172.30.* OR 172.31.* OR 127.*) AND event_data.DestinationIsIpv6:\"false\"))))))\nindex: so-*\nname: Suspicious Typical Malware Back Connect Ports\npriority: 3\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(6033,'Issue',334,9,'{{collapse(View Sigma)\n\n\ntitle: Suspicious Typical Malware Back Connect Ports\nid: 4b89abaa-99fe-4232-afdd-8f9aa4d20382\nstatus: experimental\ndescription: Detects programs that connect to typical malware back connect ports based\n on statistical analysis from two different sandbox system databases\nreferences:\n- https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo\nauthor: Florian Roth\ndate: 2017/03/19\ntags:\n- attack.command_and_control\n- attack.t1043\nlogsource:\n product: windows\n service: sysmon\n definition: \'Use the following config to generate the necessary Event ID 10 Process\n Access events: VBE7.DLLUNKNOWN\'\ndetection:\n selection:\n EventID: 3\n Initiated: \'true\'\n DestinationPort:\n - \'4443\'\n - \'2448\'\n - \'8143\'\n - \'1777\'\n - \'1443\'\n - \'243\'\n - \'65535\'\n - \'13506\'\n - \'3360\'\n - \'200\'\n - \'198\'\n - \'49180\'\n - \'13507\'\n - \'6625\'\n - \'4444\'\n - \'4438\'\n - \'1904\'\n - \'13505\'\n - \'13504\'\n - \'12102\'\n - \'9631\'\n - \'5445\'\n - \'2443\'\n - \'777\'\n - \'13394\'\n - \'13145\'\n - \'12103\'\n - \'5552\'\n - \'3939\'\n - \'3675\'\n - \'666\'\n - \'473\'\n - \'5649\'\n - \'4455\'\n - \'4433\'\n - \'1817\'\n - \'100\'\n - \'65520\'\n - \'1960\'\n - \'1515\'\n - \'743\'\n - \'700\'\n - \'14154\'\n - \'14103\'\n - \'14102\'\n - \'12322\'\n - \'10101\'\n - \'7210\'\n - \'4040\'\n - \'9943\'\n filter1:\n Image: \'*\\Program Files*\'\n filter2:\n DestinationIp:\n - 10.*\n - 192.168.*\n - 172.16.*\n - 172.17.*\n - 172.18.*\n - 172.19.*\n - 172.20.*\n - 172.21.*\n - 172.22.*\n - 172.23.*\n - 172.24.*\n - 172.25.*\n - 172.26.*\n - 172.27.*\n - 172.28.*\n - 172.29.*\n - 172.30.*\n - 172.31.*\n - 127.*\n DestinationIsIpv6: \'false\'\n condition: selection and not ( filter1 or filter2 )\nfalsepositives:\n- unknown\nlevel: medium\n\n
\n}}'),(6034,'Issue',334,15,'T1043'),(6035,'Issue',335,1,'Malware Shellcode in Verclsid Target Process'),(6036,'Issue',335,2,'John Lambert (tech), Florian Roth (rule)'),(6037,'Issue',335,8,'https://twitter.com/JohnLaTwC/status/837743453039534080'),(6038,'Issue',335,10,'high'),(6039,'Issue',335,13,'community'),(6040,'Issue',335,14,'windows'),(6042,'Issue',335,11,'0ff3c02c6'),(6043,'Issue',335,12,'b7967e22-3d7e-409b-9ed5-cdae3f9243a1'),(6044,'Issue',335,16,'win-sysmon'),(6045,'Issue',335,17,''),(6046,'Issue',335,7,''),(6047,'Issue',335,3,'Detects a process access to verclsid.exe that injects shellcode from a Microsoft Office application / VBA macro'),(6048,'Issue',335,4,''),(6049,'Issue',335,5,'_False Positives_\nunknown'),(6050,'Issue',335,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (event.code:\"10\" AND event_data.TargetImage.keyword:*\\\\verclsid.exe AND event_data.GrantedAccess:\"0x1FFFFF\") AND (event_data.CallTrace.keyword:*|UNKNOWN\\(*VBE7.DLL* OR (event_data.SourceImage.keyword:*\\\\Microsoft\\ Office\\\\* AND event_data.CallTrace.keyword:*|UNKNOWN*)))\nindex: so-*\nname: Malware Shellcode in Verclsid Target Process\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(6051,'Issue',335,9,'{{collapse(View Sigma)\n\n\ntitle: Malware Shellcode in Verclsid Target Process\nid: b7967e22-3d7e-409b-9ed5-cdae3f9243a1\nstatus: experimental\ndescription: Detects a process access to verclsid.exe that injects shellcode from\n a Microsoft Office application / VBA macro\nreferences:\n- https://twitter.com/JohnLaTwC/status/837743453039534080\ntags:\n- attack.defense_evasion\n- attack.privilege_escalation\n- attack.t1055\nauthor: John Lambert (tech), Florian Roth (rule)\ndate: 2017/03/04\nlogsource:\n product: windows\n service: sysmon\n definition: \'Use the following config to generate the necessary Event ID 10 Process\n Access events: VBE7.DLLUNKNOWN\'\ndetection:\n selection:\n EventID: 10\n TargetImage: \'*\\verclsid.exe\'\n GrantedAccess: \'0x1FFFFF\'\n combination1:\n CallTrace: \'*|UNKNOWN(*VBE7.DLL*\'\n combination2:\n SourceImage: \'*\\Microsoft Office\\\\*\'\n CallTrace: \'*|UNKNOWN*\'\n condition: selection and 1 of combination*\nfalsepositives:\n- unknown\nlevel: high\n\n
\n}}'),(6052,'Issue',335,15,'T1055'),(6053,'Issue',336,1,'Mimikatz In-Memory'),(6054,'Issue',336,2,'none'),(6055,'Issue',336,8,'https://securityriskadvisors.com/blog/post/detecting-in-memory-mimikatz/'),(6056,'Issue',336,10,'medium'),(6057,'Issue',336,13,'community'),(6058,'Issue',336,14,'windows'),(6060,'Issue',336,11,'aa5743912'),(6061,'Issue',336,12,'c0478ead-5336-46c2-bd5e-b4c84bc3a36e'),(6062,'Issue',336,16,'win-sysmon'),(6063,'Issue',336,17,''),(6064,'Issue',336,7,''),(6065,'Issue',336,3,'Detects certain DLL loads when Mimikatz gets executed'),(6066,'Issue',336,4,''),(6067,'Issue',336,5,'_False Positives_\nunknown'),(6068,'Issue',336,6,'{{collapse(View ElastAlert Config)\n\n\n\n
\n}}'),(6069,'Issue',336,9,'{{collapse(View Sigma)\n\n\ntitle: Mimikatz In-Memory\nid: c0478ead-5336-46c2-bd5e-b4c84bc3a36e\nstatus: experimental\ndescription: Detects certain DLL loads when Mimikatz gets executed\nreferences:\n- https://securityriskadvisors.com/blog/post/detecting-in-memory-mimikatz/\ntags:\n- attack.s0002\n- attack.t1003\n- attack.lateral_movement\n- attack.credential_access\n- car.2019-04-004\nlogsource:\n product: windows\n service: sysmon\ndate: 2017/03/13\ndetection:\n selector:\n EventID: 7\n Image: C:\\Windows\\System32\\rundll32.exe\n dllload1:\n ImageLoaded: \'*\\vaultcli.dll\'\n dllload2:\n ImageLoaded: \'*\\wlanapi.dll\'\n exclusion:\n ImageLoaded:\n - ntdsapi.dll\n - netapi32.dll\n - imm32.dll\n - samlib.dll\n - combase.dll\n - srvcli.dll\n - shcore.dll\n - ntasn1.dll\n - cryptdll.dll\n - logoncli.dll\n timeframe: 30s\n condition: selector | near dllload1 and dllload2 and not exclusion\nfalsepositives:\n- unknown\nlevel: medium\n\n
\n}}'),(6070,'Issue',336,15,'T1003'),(6071,'Issue',337,1,'Mimikatz through Windows Remote Management'),(6072,'Issue',337,2,'Patryk Prauze - ING Tech'),(6073,'Issue',337,8,'https://pentestlab.blog/2018/05/15/lateral-movement-winrm/'),(6074,'Issue',337,10,'high'),(6075,'Issue',337,13,'community'),(6076,'Issue',337,14,'windows'),(6078,'Issue',337,11,'e1af444f5'),(6079,'Issue',337,12,'aa35a627-33fb-4d04-a165-d33b4afca3e8'),(6080,'Issue',337,16,'win-sysmon'),(6081,'Issue',337,17,''),(6082,'Issue',337,7,''),(6083,'Issue',337,3,'Detects usage of mimikatz through WinRM protocol by monitoring access to lsass process by wsmprovhost.exe.'),(6084,'Issue',337,4,''),(6085,'Issue',337,5,'_False Positives_\nlow'),(6086,'Issue',337,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"10\" AND event_data.TargetImage:\"C\\:\\\\windows\\\\system32\\\\lsass.exe\" AND event_data.SourceImage:\"C\\:\\\\Windows\\\\system32\\\\wsmprovhost.exe\")\nindex: so-*\nname: Mimikatz through Windows Remote Management\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(6087,'Issue',337,9,'{{collapse(View Sigma)\n\n\ntitle: Mimikatz through Windows Remote Management\nid: aa35a627-33fb-4d04-a165-d33b4afca3e8\ndescription: Detects usage of mimikatz through WinRM protocol by monitoring access\n to lsass process by wsmprovhost.exe.\nreferences:\n- https://pentestlab.blog/2018/05/15/lateral-movement-winrm/\nstatus: stable\nauthor: Patryk Prauze - ING Tech\ndate: 2019/05/20\nlogsource:\n product: windows\n service: sysmon\ndetection:\n selection:\n EventID: 10\n TargetImage: C:\\windows\\system32\\lsass.exe\n SourceImage: C:\\Windows\\system32\\wsmprovhost.exe\n condition: selection\ntags:\n- attack.credential_access\n- attack.execution\n- attack.t1003\n- attack.t1028\n- attack.s0005\nfalsepositives:\n- low\nlevel: high\n\n
\n}}'),(6088,'Issue',337,15,'T1003'),(6089,'Issue',337,15,'T1028'),(6090,'Issue',338,1,'Dumping Lsass.exe Memory with MiniDumpWriteDump API'),(6091,'Issue',338,2,'Perez Diego (@darkquassar), oscd.community'),(6092,'Issue',338,8,'https://docs.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpapiset-minidumpwritedump\nhttps://www.pinvoke.net/default.aspx/dbghelp/MiniDumpWriteDump.html\nhttps://medium.com/@fsx30/bypass-edrs-memory-protection-introduction-to-hooking-2efb21acffd6'),(6093,'Issue',338,10,'critical'),(6094,'Issue',338,13,'community'),(6095,'Issue',338,14,'windows'),(6097,'Issue',338,11,'465ca35d4'),(6098,'Issue',338,12,'dd5ab153-beaa-4315-9647-65abc5f71541'),(6099,'Issue',338,16,'win-sysmon'),(6100,'Issue',338,17,''),(6101,'Issue',338,7,''),(6102,'Issue',338,3,'Detects the use of MiniDumpWriteDump API for dumping lsass.exe memory in a stealth way. Tools like ProcessHacker and some attacker tradecract use this API found in dbghelp.dll or dbgcore.dll. As an example, SilentTrynity C2 Framework has a module that leverages this API to dump the contents of Lsass.exe and transfer it over the network back to the attacker\'s machine.'),(6103,'Issue',338,4,''),(6104,'Issue',338,5,'_False Positives_\nPenetration tests\n\n_Interesting Log Fields_\nComputerName\nUser\nImage\nImageLoaded'),(6105,'Issue',338,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (((event.code:\"7\" AND event_data.ImageLoaded.keyword:(*\\\\dbghelp.dll OR *\\\\dbgcore.dll) AND process.executable.keyword:(*\\\\msbuild.exe OR *\\\\cmd.exe OR *\\\\svchost.exe OR *\\\\rundll32.exe OR *\\\\powershell.exe OR *\\\\word.exe OR *\\\\excel.exe OR *\\\\powerpnt.exe OR *\\\\outlook.exe OR *\\\\monitoringhost.exe OR *\\\\wmic.exe OR *\\\\msiexec.exe OR *\\\\bash.exe OR *\\\\wscript.exe OR *\\\\cscript.exe OR *\\\\mshta.exe OR *\\\\regsvr32.exe OR *\\\\schtasks.exe OR *\\\\dnx.exe OR *\\\\regsvcs.exe OR *\\\\sc.exe OR *\\\\scriptrunner.exe)) AND (NOT (process.executable.keyword:*Visual\\ Studio*))) OR ((event.code:\"7\" AND event_data.ImageLoaded.keyword:(*\\\\dbghelp.dll OR *\\\\dbgcore.dll) AND Signed:\"FALSE\") AND (NOT (process.executable.keyword:*Visual\\ Studio*)))))\nindex: so-*\nname: Dumping Lsass.exe Memory with MiniDumpWriteDump API\npriority: 1\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(6106,'Issue',338,9,'{{collapse(View Sigma)\n\n\ntitle: Dumping Lsass.exe Memory with MiniDumpWriteDump API\nid: dd5ab153-beaa-4315-9647-65abc5f71541\nstatus: experimental\ndescription: Detects the use of MiniDumpWriteDump API for dumping lsass.exe memory\n in a stealth way. Tools like ProcessHacker and some attacker tradecract use this\n API found in dbghelp.dll or dbgcore.dll. As an example, SilentTrynity C2 Framework\n has a module that leverages this API to dump the contents of Lsass.exe and transfer\n it over the network back to the attacker\'s machine.\ndate: 2019/10/27\nmodified: 2019/11/13\nauthor: Perez Diego (@darkquassar), oscd.community\nreferences:\n- https://docs.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpapiset-minidumpwritedump\n- https://www.pinvoke.net/default.aspx/dbghelp/MiniDumpWriteDump.html\n- https://medium.com/@fsx30/bypass-edrs-memory-protection-introduction-to-hooking-2efb21acffd6\ntags:\n- attack.credential_access\n- attack.t1003\nlogsource:\n product: windows\n service: sysmon\ndetection:\n signedprocess:\n EventID: 7\n ImageLoaded|endswith:\n - \\dbghelp.dll\n - \\dbgcore.dll\n Image|endswith:\n - \\msbuild.exe\n - \\cmd.exe\n - \\svchost.exe\n - \\rundll32.exe\n - \\powershell.exe\n - \\word.exe\n - \\excel.exe\n - \\powerpnt.exe\n - \\outlook.exe\n - \\monitoringhost.exe\n - \\wmic.exe\n - \\msiexec.exe\n - \\bash.exe\n - \\wscript.exe\n - \\cscript.exe\n - \\mshta.exe\n - \\regsvr32.exe\n - \\schtasks.exe\n - \\dnx.exe\n - \\regsvcs.exe\n - \\sc.exe\n - \\scriptrunner.exe\n unsignedprocess:\n EventID: 7\n ImageLoaded|endswith:\n - \\dbghelp.dll\n - \\dbgcore.dll\n Signed: \'FALSE\'\n filter:\n Image|contains: Visual Studio\n condition: (signedprocess AND NOT filter) OR (unsignedprocess AND NOT filter)\nfields:\n- ComputerName\n- User\n- Image\n- ImageLoaded\nfalsepositives:\n- Penetration tests\nlevel: critical\n\n
\n}}'),(6107,'Issue',338,15,'T1003'),(6108,'Issue',339,1,'Narrator\'s Feedback-Hub Persistence'),(6109,'Issue',339,2,'Dmitriy Lifanov, oscd.community'),(6110,'Issue',339,8,'https://giuliocomi.blogspot.com/2019/10/abusing-windows-10-narrators-feedback.html'),(6111,'Issue',339,10,'high'),(6112,'Issue',339,13,'community'),(6113,'Issue',339,14,'windows'),(6115,'Issue',339,11,'cfdda5bc0'),(6116,'Issue',339,12,'f663a6d9-9d1b-49b8-b2b1-0637914d199a'),(6117,'Issue',339,16,'win-sysmon'),(6118,'Issue',339,17,''),(6119,'Issue',339,7,''),(6120,'Issue',339,3,'Detects abusing Windows 10 Narrator\'s Feedback-Hub'),(6121,'Issue',339,4,''),(6122,'Issue',339,5,'_False Positives_\nunknown'),(6123,'Issue',339,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND ((event.code:\"12\" AND event_data.EventType:\"DeleteValue\" AND event_data.TargetObject.keyword:*\\\\AppXypsaf9f1qserqevf0sws76dx4k9a5206\\\\Shell\\\\open\\\\command\\\\DelegateExecute) OR (event.code:\"13\" AND event_data.TargetObject.keyword:*\\\\AppXypsaf9f1qserqevf0sws76dx4k9a5206\\\\Shell\\\\open\\\\command\\\\\\(Default\\))))\nindex: so-*\nname: Narrator\'s Feedback-Hub Persistence\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(6124,'Issue',339,9,'{{collapse(View Sigma)\n\n\ntitle: Narrator\'s Feedback-Hub Persistence\nid: f663a6d9-9d1b-49b8-b2b1-0637914d199a\ndescription: Detects abusing Windows 10 Narrator\'s Feedback-Hub\nreferences:\n- https://giuliocomi.blogspot.com/2019/10/abusing-windows-10-narrators-feedback.html\ntags:\n- attack.persistence\n- attack.t1060\nauthor: Dmitriy Lifanov, oscd.community\nstatus: experimental\ndate: 2019/10/25\nmodified: 2019/11/10\nlogsource:\n product: windows\n service: sysmon\ndetection:\n selection1:\n EventID: 12\n EventType: DeleteValue\n TargetObject|endswith: \\AppXypsaf9f1qserqevf0sws76dx4k9a5206\\Shell\\open\\command\\DelegateExecute\n selection2:\n EventID: 13\n TargetObject|endswith: \\AppXypsaf9f1qserqevf0sws76dx4k9a5206\\Shell\\open\\command\\(Default)\n condition: 1 of them\nfalsepositives:\n- unknown\nlevel: high\n\n
\n}}'),(6125,'Issue',339,15,'T1060'),(6126,'Issue',340,1,'New DLL Added to AppCertDlls Registry Key'),(6127,'Issue',340,2,'Ilyas Ochkov, oscd.community'),(6128,'Issue',340,8,'http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/\nhttps://eqllib.readthedocs.io/en/latest/analytics/14f90406-10a0-4d36-a672-31cabe149f2f.html'),(6129,'Issue',340,10,'medium'),(6130,'Issue',340,13,'community'),(6131,'Issue',340,14,'windows'),(6133,'Issue',340,11,'c62e6aeb2'),(6134,'Issue',340,12,'6aa1d992-5925-4e9f-a49b-845e51d1de01'),(6135,'Issue',340,16,'win-sysmon'),(6136,'Issue',340,17,''),(6137,'Issue',340,7,''),(6138,'Issue',340,3,'Dynamic-link libraries (DLLs) that are specified in the AppCertDLLs value in the Registry key can be abused to obtain persistence and privilege escalation by causing a malicious DLL to be loaded and run in the context of separate processes on the computer.'),(6139,'Issue',340,4,''),(6140,'Issue',340,5,'_False Positives_\nUnkown\n\n_Interesting Log Fields_\nEventID\nImage\nTargetObject\nNewName'),(6141,'Issue',340,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND ((event.code:(\"12\" OR \"13\") AND event_data.TargetObject:\"HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Session\\ Manager\\\\AppCertDlls\") OR (event.code:\"14\" AND NewName:\"HKLM\\\\SYSTEM\\\\CurentControlSet\\\\Control\\\\Session\\ Manager\\\\AppCertDlls\")))\nindex: so-*\nname: New DLL Added to AppCertDlls Registry Key\npriority: 3\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(6142,'Issue',340,9,'{{collapse(View Sigma)\n\n\ntitle: New DLL Added to AppCertDlls Registry Key\nid: 6aa1d992-5925-4e9f-a49b-845e51d1de01\nstatus: experimental\ndescription: Dynamic-link libraries (DLLs) that are specified in the AppCertDLLs value\n in the Registry key can be abused to obtain persistence and privilege escalation\n by causing a malicious DLL to be loaded and run in the context of separate processes\n on the computer.\nreferences:\n- http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/\n- https://eqllib.readthedocs.io/en/latest/analytics/14f90406-10a0-4d36-a672-31cabe149f2f.html\ntags:\n- attack.persistence\n- attack.t1182\nauthor: Ilyas Ochkov, oscd.community\ndate: 2019/10/25\nmodified: 2019/11/13\nlogsource:\n product: windows\n service: sysmon\ndetection:\n selection:\n - EventID:\n - 12\n - 13\n TargetObject: HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\AppCertDlls\n - EventID: 14\n NewName: HKLM\\SYSTEM\\CurentControlSet\\Control\\Session Manager\\AppCertDlls\n condition: selection\nfields:\n- EventID\n- Image\n- TargetObject\n- NewName\nfalsepositives:\n- Unkown\nlevel: medium\n\n
\n}}'),(6143,'Issue',340,15,'T1182'),(6144,'Issue',341,1,'New DLL Added to AppInit_DLLs Registry Key'),(6145,'Issue',341,2,'Ilyas Ochkov, oscd.community'),(6146,'Issue',341,8,'https://eqllib.readthedocs.io/en/latest/analytics/822dc4c5-b355-4df8-bd37-29c458997b8f.html'),(6147,'Issue',341,10,'medium'),(6148,'Issue',341,13,'community'),(6149,'Issue',341,14,'windows'),(6151,'Issue',341,11,'2c5115a75'),(6152,'Issue',341,12,'4f84b697-c9ed-4420-8ab5-e09af5b2345d'),(6153,'Issue',341,16,'win-sysmon'),(6154,'Issue',341,17,''),(6155,'Issue',341,7,''),(6156,'Issue',341,3,'DLLs that are specified in the AppInit_DLLs value in the Registry key HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows are loaded by user32.dll into every process that loads user32.dll'),(6157,'Issue',341,4,''),(6158,'Issue',341,5,'_False Positives_\nUnkown\n\n_Interesting Log Fields_\nEventID\nImage\nTargetObject\nNewName'),(6159,'Issue',341,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND ((event.code:(\"12\" OR \"13\") AND event_data.TargetObject.keyword:(*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\ NT\\\\CurrentVersion\\\\Windows\\\\AppInit_Dlls OR *\\\\SOFTWARE\\\\Wow6432Node\\\\Microsoft\\\\Windows\\ NT\\\\CurrentVersion\\\\Windows\\\\AppInit_Dlls)) OR (event.code:\"14\" AND NewName.keyword:(*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\ NT\\\\CurrentVersion\\\\Windows\\\\AppInit_Dlls OR *\\\\SOFTWARE\\\\Wow6432Node\\\\Microsoft\\\\Windows\\ NT\\\\CurrentVersion\\\\Windows\\\\AppInit_Dlls))))\nindex: so-*\nname: New DLL Added to AppInit_DLLs Registry Key\npriority: 3\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(6160,'Issue',341,9,'{{collapse(View Sigma)\n\n\ntitle: New DLL Added to AppInit_DLLs Registry Key\nid: 4f84b697-c9ed-4420-8ab5-e09af5b2345d\nstatus: experimental\ndescription: DLLs that are specified in the AppInit_DLLs value in the Registry key\n HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows are loaded by user32.dll\n into every process that loads user32.dll\nreferences:\n- https://eqllib.readthedocs.io/en/latest/analytics/822dc4c5-b355-4df8-bd37-29c458997b8f.html\ntags:\n- attack.persistence\n- attack.t1103\nauthor: Ilyas Ochkov, oscd.community\ndate: 2019/10/25\nmodified: 2019/11/13\nlogsource:\n product: windows\n service: sysmon\ndetection:\n selection:\n - EventID:\n - 12\n - 13\n TargetObject:\n - \'*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppInit_Dlls\'\n - \'*\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppInit_Dlls\'\n - EventID: 14\n NewName:\n - \'*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppInit_Dlls\'\n - \'*\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppInit_Dlls\'\n condition: selection\nfields:\n- EventID\n- Image\n- TargetObject\n- NewName\nfalsepositives:\n- Unkown\nlevel: medium\n\n
\n}}'),(6161,'Issue',341,15,'T1103'),(6162,'Issue',342,1,'Password Dumper Remote Thread in LSASS'),(6163,'Issue',342,2,'Thomas Patzke'),(6164,'Issue',342,8,'https://jpcertcc.github.io/ToolAnalysisResultSheet/details/WCE.htm'),(6165,'Issue',342,10,'high'),(6166,'Issue',342,13,'community'),(6167,'Issue',342,14,'windows'),(6169,'Issue',342,11,'5c5659709'),(6170,'Issue',342,12,'f239b326-2f41-4d6b-9dfa-c846a60ef505'),(6171,'Issue',342,16,'win-sysmon'),(6172,'Issue',342,17,''),(6173,'Issue',342,7,''),(6174,'Issue',342,3,'Detects password dumper activity by monitoring remote thread creation EventID 8 in combination with the lsass.exe process as TargetImage. The process in field Process is the malicious program. A single execution can lead to hundreds of events.'),(6175,'Issue',342,4,''),(6176,'Issue',342,5,'_False Positives_\nunknown'),(6177,'Issue',342,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"8\" AND event_data.TargetImage:\"C\\:\\\\Windows\\\\System32\\\\lsass.exe\" AND NOT _exists_:event_data.StartModule)\nindex: so-*\nname: Password Dumper Remote Thread in LSASS\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(6178,'Issue',342,9,'{{collapse(View Sigma)\n\n\ntitle: Password Dumper Remote Thread in LSASS\nid: f239b326-2f41-4d6b-9dfa-c846a60ef505\ndescription: Detects password dumper activity by monitoring remote thread creation\n EventID 8 in combination with the lsass.exe process as TargetImage. The process\n in field Process is the malicious program. A single execution can lead to hundreds\n of events.\nreferences:\n- https://jpcertcc.github.io/ToolAnalysisResultSheet/details/WCE.htm\nstatus: stable\nauthor: Thomas Patzke\ndate: 2017/02/19\nlogsource:\n product: windows\n service: sysmon\ndetection:\n selection:\n EventID: 8\n TargetImage: C:\\Windows\\System32\\lsass.exe\n StartModule:\n condition: selection\ntags:\n- attack.credential_access\n- attack.t1003\n- attack.s0005\nfalsepositives:\n- unknown\nlevel: high\n\n
\n}}'),(6179,'Issue',342,15,'T1003'),(6180,'Issue',343,1,'Possible DNS Rebinding'),(6181,'Issue',343,2,'Ilyas Ochkov, oscd.community'),(6182,'Issue',343,8,'https://medium.com/@brannondorsey/attacking-private-networks-from-the-internet-with-dns-rebinding-ea7098a2d325'),(6183,'Issue',343,10,'medium'),(6184,'Issue',343,13,'community'),(6185,'Issue',343,14,'windows'),(6187,'Issue',343,11,'238493844'),(6188,'Issue',343,12,'eb07e747-2552-44cd-af36-b659ae0958e4'),(6189,'Issue',343,16,'win-sysmon'),(6190,'Issue',343,17,''),(6191,'Issue',343,7,''),(6192,'Issue',343,3,'Detects several different DNS-answers by one domain with IPs from internal and external networks. Normally, DNS-answer contain TTL >100. (DNS-record will saved in host cache for a while TTL).'),(6193,'Issue',343,4,''),(6194,'Issue',343,5,'_False Positives_\n Unknown'),(6195,'Issue',343,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"22\" AND QueryName.keyword:* AND QueryStatus:\"0\" AND QueryResults.keyword:(\\(\\:\\:ffff\\:\\)?10.* OR \\(\\:\\:ffff\\:\\)?192.168.* OR \\(\\:\\:ffff\\:\\)?172.16.* OR \\(\\:\\:ffff\\:\\)?172.17.* OR \\(\\:\\:ffff\\:\\)?172.18.* OR \\(\\:\\:ffff\\:\\)?172.19.* OR \\(\\:\\:ffff\\:\\)?172.20.* OR \\(\\:\\:ffff\\:\\)?172.21.* OR \\(\\:\\:ffff\\:\\)?172.22.* OR \\(\\:\\:ffff\\:\\)?172.23.* OR \\(\\:\\:ffff\\:\\)?172.24.* OR \\(\\:\\:ffff\\:\\)?172.25.* OR \\(\\:\\:ffff\\:\\)?172.26.* OR \\(\\:\\:ffff\\:\\)?172.27.* OR \\(\\:\\:ffff\\:\\)?172.28.* OR \\(\\:\\:ffff\\:\\)?172.29.* OR \\(\\:\\:ffff\\:\\)?172.30.* OR \\(\\:\\:ffff\\:\\)?172.31.* OR \\(\\:\\:ffff\\:\\)?127.*) AND (event.code:\"22\" AND QueryName.keyword:* AND QueryStatus:\"0\") AND (NOT (QueryResults.keyword:(\\(\\:\\:ffff\\:\\)?10.* OR \\(\\:\\:ffff\\:\\)?192.168.* OR \\(\\:\\:ffff\\:\\)?172.16.* OR \\(\\:\\:ffff\\:\\)?172.17.* OR \\(\\:\\:ffff\\:\\)?172.18.* OR \\(\\:\\:ffff\\:\\)?172.19.* OR \\(\\:\\:ffff\\:\\)?172.20.* OR \\(\\:\\:ffff\\:\\)?172.21.* OR \\(\\:\\:ffff\\:\\)?172.22.* OR \\(\\:\\:ffff\\:\\)?172.23.* OR \\(\\:\\:ffff\\:\\)?172.24.* OR \\(\\:\\:ffff\\:\\)?172.25.* OR \\(\\:\\:ffff\\:\\)?172.26.* OR \\(\\:\\:ffff\\:\\)?172.27.* OR \\(\\:\\:ffff\\:\\)?172.28.* OR \\(\\:\\:ffff\\:\\)?172.29.* OR \\(\\:\\:ffff\\:\\)?172.30.* OR \\(\\:\\:ffff\\:\\)?172.31.* OR \\(\\:\\:ffff\\:\\)?127.*))))\nindex: so-*\nmax_threshold: 3\nmetric_agg_key: QueryName.keyword\nmetric_agg_type: cardinality\nname: Possible DNS Rebinding\npriority: 3\nquery_key: event_data.ComputerName.keyword\nrealert:\n minutes: 0\ntype: metric_aggregation\n
\n}}'),(6196,'Issue',343,9,'{{collapse(View Sigma)\n\n\ntitle: Possible DNS Rebinding\nid: eb07e747-2552-44cd-af36-b659ae0958e4\nstatus: experimental\ndescription: Detects several different DNS-answers by one domain with IPs from internal\n and external networks. Normally, DNS-answer contain TTL >100. (DNS-record will saved\n in host cache for a while TTL).\ndate: 2019/10/25\nmodified: 2019/11/13\nauthor: Ilyas Ochkov, oscd.community\nreferences:\n- https://medium.com/@brannondorsey/attacking-private-networks-from-the-internet-with-dns-rebinding-ea7098a2d325\ntags:\n- attack.command_and_control\n- attack.t1043\nlogsource:\n product: windows\n service: sysmon\ndetection:\n dns_answer:\n EventID: 22\n QueryName: \'*\'\n QueryStatus: \'0\'\n filter_int_ip:\n QueryResults|startswith:\n - (::ffff:)?10.\n - (::ffff:)?192.168.\n - (::ffff:)?172.16.\n - (::ffff:)?172.17.\n - (::ffff:)?172.18.\n - (::ffff:)?172.19.\n - (::ffff:)?172.20.\n - (::ffff:)?172.21.\n - (::ffff:)?172.22.\n - (::ffff:)?172.23.\n - (::ffff:)?172.24.\n - (::ffff:)?172.25.\n - (::ffff:)?172.26.\n - (::ffff:)?172.27.\n - (::ffff:)?172.28.\n - (::ffff:)?172.29.\n - (::ffff:)?172.30.\n - (::ffff:)?172.31.\n - (::ffff:)?127.\n timeframe: 30s\n condition: (dns_answer and filter_int_ip) and (dns_answer and not filter_int_ip)\n | count(QueryName) by ComputerName > 3\nlevel: medium\n\n
\n}}'),(6197,'Issue',343,15,'T1043'),(6198,'Issue',344,1,'Possible Privilege Escalation via Service Permissions Weakness'),(6199,'Issue',344,2,'Teymur Kheirkhabarov'),(6200,'Issue',344,8,'https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment\nhttps://pentestlab.blog/2017/03/31/insecure-registry-permissions/'),(6201,'Issue',344,10,'high'),(6202,'Issue',344,13,'community'),(6203,'Issue',344,14,'windows'),(6205,'Issue',344,11,'ca6038e23'),(6206,'Issue',344,12,'0f9c21f1-6a73-4b0e-9809-cb562cb8d981'),(6207,'Issue',344,16,'win-sysmon'),(6208,'Issue',344,17,''),(6209,'Issue',344,7,''),(6210,'Issue',344,3,'Detect modification of services configuration (ImagePath, FailureCommand and ServiceDLL) in registry by processes with Medium integrity level'),(6211,'Issue',344,4,''),(6212,'Issue',344,5,'_False Positives_\nUnknown'),(6213,'Issue',344,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"13\" AND IntegrityLevel:\"Medium\" AND event_data.TargetObject.keyword:*\\\\services\\* AND event_data.TargetObject.keyword:(*\\\\ImagePath OR *\\\\FailureCommand OR *\\\\Parameters\\\\ServiceDll))\nindex: so-*\nname: Possible Privilege Escalation via Service Permissions Weakness\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(6214,'Issue',344,9,'{{collapse(View Sigma)\n\n\ntitle: Possible Privilege Escalation via Service Permissions Weakness\nid: 0f9c21f1-6a73-4b0e-9809-cb562cb8d981\ndescription: Detect modification of services configuration (ImagePath, FailureCommand\n and ServiceDLL) in registry by processes with Medium integrity level\nreferences:\n- https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment\n- https://pentestlab.blog/2017/03/31/insecure-registry-permissions/\ntags:\n- attack.privilege_escalation\n- attack.t1058\nstatus: experimental\nauthor: Teymur Kheirkhabarov\ndate: 2019/10/26\nmodified: 2019/11/11\nlogsource:\n product: windows\n service: sysmon\ndetection:\n selection:\n EventID: 13\n IntegrityLevel: Medium\n TargetObject|contains: \\services\\\n TargetObject|endswith:\n - \\ImagePath\n - \\FailureCommand\n - \\Parameters\\ServiceDll\n condition: selection\nfalsepositives:\n- Unknown\nlevel: high\nenrichment:\n- EN_0001_cache_sysmon_event_id_1_info\n- EN_0003_enrich_other_sysmon_events_with_event_id_1_data\n\n
\n}}'),(6215,'Issue',344,15,'T1058'),(6216,'Issue',345,1,'PowerShell Execution'),(6217,'Issue',345,2,'Roberto Rodriguez @Cyb3rWard0g'),(6218,'Issue',345,8,'https://github.com/hunters-forge/ThreatHunter-Playbook/blob/8869b7a58dba1cff63bae1d7ab923974b8c0539b/playbooks/WIN-190410151110.yaml'),(6219,'Issue',345,10,'medium'),(6220,'Issue',345,13,'community'),(6221,'Issue',345,14,'windows'),(6223,'Issue',345,11,'b785c06a3'),(6224,'Issue',345,12,'867613fb-fa60-4497-a017-a82df74a172c'),(6225,'Issue',345,16,'win-sysmon'),(6226,'Issue',345,17,''),(6227,'Issue',345,7,''),(6228,'Issue',345,3,'Detects execution of PowerShell'),(6229,'Issue',345,4,''),(6230,'Issue',345,5,'_False Positives_\nUnknown\n\n_Interesting Log Fields_\nComputerName\nImage\nProcessID\nImageLoaded'),(6231,'Issue',345,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"7\" AND process.pe.description:\"system.management.automation\" AND event_data.ImageLoaded.keyword:*system.management.automation*)\nindex: so-*\nname: PowerShell Execution\npriority: 3\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(6232,'Issue',345,9,'{{collapse(View Sigma)\n\n\ntitle: PowerShell Execution\nid: 867613fb-fa60-4497-a017-a82df74a172c\ndescription: Detects execution of PowerShell\nstatus: experimental\ndate: 2019/09/12\nmodified: 2019/11/10\nauthor: Roberto Rodriguez @Cyb3rWard0g\nreferences:\n- https://github.com/hunters-forge/ThreatHunter-Playbook/blob/8869b7a58dba1cff63bae1d7ab923974b8c0539b/playbooks/WIN-190410151110.yaml\nlogsource:\n product: windows\n service: sysmon\ntags:\n- attack.execution\n- attack.t1086\ndetection:\n selection:\n EventID: 7\n Description: system.management.automation\n ImageLoaded|contains: system.management.automation\n condition: selection\nfields:\n- ComputerName\n- Image\n- ProcessID\n- ImageLoaded\nfalsepositives:\n- Unknown\nlevel: medium\n\n
\n}}'),(6233,'Issue',345,15,'T1086'),(6234,'Issue',346,1,'Malicious PowerShell Commandlet Names'),(6235,'Issue',346,2,'Markus Neis'),(6236,'Issue',346,8,'https://raw.githubusercontent.com/Neo23x0/sigma/f35c50049fa896dff91ff545cb199319172701e8/rules/windows/powershell/powershell_malicious_commandlets.yml'),(6237,'Issue',346,10,'high'),(6238,'Issue',346,13,'community'),(6239,'Issue',346,14,'windows'),(6241,'Issue',346,11,'89b3e1259'),(6242,'Issue',346,12,'f331aa1f-8c53-4fc3-b083-cc159bc971cb'),(6243,'Issue',346,16,'win-sysmon'),(6244,'Issue',346,17,''),(6245,'Issue',346,7,''),(6246,'Issue',346,3,'Detects the creation of known powershell scripts for exploitation'),(6247,'Issue',346,4,''),(6248,'Issue',346,5,'_False Positives_\nPenetration Tests'),(6249,'Issue',346,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"11\" AND event_data.TargetFilename.keyword:(*\\\\Invoke\\-DllInjection.ps1 OR *\\\\Invoke\\-WmiCommand.ps1 OR *\\\\Get\\-GPPPassword.ps1 OR *\\\\Get\\-Keystrokes.ps1 OR *\\\\Get\\-VaultCredential.ps1 OR *\\\\Invoke\\-CredentialInjection.ps1 OR *\\\\Invoke\\-Mimikatz.ps1 OR *\\\\Invoke\\-NinjaCopy.ps1 OR *\\\\Invoke\\-TokenManipulation.ps1 OR *\\\\Out\\-Minidump.ps1 OR *\\\\VolumeShadowCopyTools.ps1 OR *\\\\Invoke\\-ReflectivePEInjection.ps1 OR *\\\\Get\\-TimedScreenshot.ps1 OR *\\\\Invoke\\-UserHunter.ps1 OR *\\\\Find\\-GPOLocation.ps1 OR *\\\\Invoke\\-ACLScanner.ps1 OR *\\\\Invoke\\-DowngradeAccount.ps1 OR *\\\\Get\\-ServiceUnquoted.ps1 OR *\\\\Get\\-ServiceFilePermission.ps1 OR *\\\\Get\\-ServicePermission.ps1 OR *\\\\Invoke\\-ServiceAbuse.ps1 OR *\\\\Install\\-ServiceBinary.ps1 OR *\\\\Get\\-RegAutoLogon.ps1 OR *\\\\Get\\-VulnAutoRun.ps1 OR *\\\\Get\\-VulnSchTask.ps1 OR *\\\\Get\\-UnattendedInstallFile.ps1 OR *\\\\Get\\-WebConfig.ps1 OR *\\\\Get\\-ApplicationHost.ps1 OR *\\\\Get\\-RegAlwaysInstallElevated.ps1 OR *\\\\Get\\-Unconstrained.ps1 OR *\\\\Add\\-RegBackdoor.ps1 OR *\\\\Add\\-ScrnSaveBackdoor.ps1 OR *\\\\Gupt\\-Backdoor.ps1 OR *\\\\Invoke\\-ADSBackdoor.ps1 OR *\\\\Enabled\\-DuplicateToken.ps1 OR *\\\\Invoke\\-PsUaCme.ps1 OR *\\\\Remove\\-Update.ps1 OR *\\\\Check\\-VM.ps1 OR *\\\\Get\\-LSASecret.ps1 OR *\\\\Get\\-PassHashes.ps1 OR *\\\\Show\\-TargetScreen.ps1 OR *\\\\Port\\-Scan.ps1 OR *\\\\Invoke\\-PoshRatHttp.ps1 OR *\\\\Invoke\\-PowerShellTCP.ps1 OR *\\\\Invoke\\-PowerShellWMI.ps1 OR *\\\\Add\\-Exfiltration.ps1 OR *\\\\Add\\-Persistence.ps1 OR *\\\\Do\\-Exfiltration.ps1 OR *\\\\Start\\-CaptureServer.ps1 OR *\\\\Invoke\\-ShellCode.ps1 OR *\\\\Get\\-ChromeDump.ps1 OR *\\\\Get\\-ClipboardContents.ps1 OR *\\\\Get\\-FoxDump.ps1 OR *\\\\Get\\-IndexedItem.ps1 OR *\\\\Get\\-Screenshot.ps1 OR *\\\\Invoke\\-Inveigh.ps1 OR *\\\\Invoke\\-NetRipper.ps1 OR *\\\\Invoke\\-EgressCheck.ps1 OR *\\\\Invoke\\-PostExfil.ps1 OR *\\\\Invoke\\-PSInject.ps1 OR *\\\\Invoke\\-RunAs.ps1 OR *\\\\MailRaider.ps1 OR *\\\\New\\-HoneyHash.ps1 OR *\\\\Set\\-MacAttribute.ps1 OR *\\\\Invoke\\-DCSync.ps1 OR *\\\\Invoke\\-PowerDump.ps1 OR *\\\\Exploit\\-Jboss.ps1 OR *\\\\Invoke\\-ThunderStruck.ps1 OR *\\\\Invoke\\-VoiceTroll.ps1 OR *\\\\Set\\-Wallpaper.ps1 OR *\\\\Invoke\\-InveighRelay.ps1 OR *\\\\Invoke\\-PsExec.ps1 OR *\\\\Invoke\\-SSHCommand.ps1 OR *\\\\Get\\-SecurityPackages.ps1 OR *\\\\Install\\-SSP.ps1 OR *\\\\Invoke\\-BackdoorLNK.ps1 OR *\\\\PowerBreach.ps1 OR *\\\\Get\\-SiteListPassword.ps1 OR *\\\\Get\\-System.ps1 OR *\\\\Invoke\\-BypassUAC.ps1 OR *\\\\Invoke\\-Tater.ps1 OR *\\\\Invoke\\-WScriptBypassUAC.ps1 OR *\\\\PowerUp.ps1 OR *\\\\PowerView.ps1 OR *\\\\Get\\-RickAstley.ps1 OR *\\\\Find\\-Fruit.ps1 OR *\\\\HTTP\\-Login.ps1 OR *\\\\Find\\-TrustedDocuments.ps1 OR *\\\\Invoke\\-Paranoia.ps1 OR *\\\\Invoke\\-WinEnum.ps1 OR *\\\\Invoke\\-ARPScan.ps1 OR *\\\\Invoke\\-PortScan.ps1 OR *\\\\Invoke\\-ReverseDNSLookup.ps1 OR *\\\\Invoke\\-SMBScanner.ps1 OR *\\\\Invoke\\-Mimikittenz.ps1))\nindex: so-*\nname: Malicious PowerShell Commandlet Names\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(6250,'Issue',346,9,'{{collapse(View Sigma)\n\n\ntitle: Malicious PowerShell Commandlet Names\nid: f331aa1f-8c53-4fc3-b083-cc159bc971cb\nstatus: experimental\ndescription: Detects the creation of known powershell scripts for exploitation\nreferences:\n- https://raw.githubusercontent.com/Neo23x0/sigma/f35c50049fa896dff91ff545cb199319172701e8/rules/windows/powershell/powershell_malicious_commandlets.yml\ntags:\n- attack.execution\n- attack.t1086\nauthor: Markus Neis\ndate: 2018/04/07\nlogsource:\n product: windows\n service: sysmon\ndetection:\n selection:\n EventID: 11\n TargetFilename:\n - \'*\\Invoke-DllInjection.ps1\'\n - \'*\\Invoke-WmiCommand.ps1\'\n - \'*\\Get-GPPPassword.ps1\'\n - \'*\\Get-Keystrokes.ps1\'\n - \'*\\Get-VaultCredential.ps1\'\n - \'*\\Invoke-CredentialInjection.ps1\'\n - \'*\\Invoke-Mimikatz.ps1\'\n - \'*\\Invoke-NinjaCopy.ps1\'\n - \'*\\Invoke-TokenManipulation.ps1\'\n - \'*\\Out-Minidump.ps1\'\n - \'*\\VolumeShadowCopyTools.ps1\'\n - \'*\\Invoke-ReflectivePEInjection.ps1\'\n - \'*\\Get-TimedScreenshot.ps1\'\n - \'*\\Invoke-UserHunter.ps1\'\n - \'*\\Find-GPOLocation.ps1\'\n - \'*\\Invoke-ACLScanner.ps1\'\n - \'*\\Invoke-DowngradeAccount.ps1\'\n - \'*\\Get-ServiceUnquoted.ps1\'\n - \'*\\Get-ServiceFilePermission.ps1\'\n - \'*\\Get-ServicePermission.ps1\'\n - \'*\\Invoke-ServiceAbuse.ps1\'\n - \'*\\Install-ServiceBinary.ps1\'\n - \'*\\Get-RegAutoLogon.ps1\'\n - \'*\\Get-VulnAutoRun.ps1\'\n - \'*\\Get-VulnSchTask.ps1\'\n - \'*\\Get-UnattendedInstallFile.ps1\'\n - \'*\\Get-WebConfig.ps1\'\n - \'*\\Get-ApplicationHost.ps1\'\n - \'*\\Get-RegAlwaysInstallElevated.ps1\'\n - \'*\\Get-Unconstrained.ps1\'\n - \'*\\Add-RegBackdoor.ps1\'\n - \'*\\Add-ScrnSaveBackdoor.ps1\'\n - \'*\\Gupt-Backdoor.ps1\'\n - \'*\\Invoke-ADSBackdoor.ps1\'\n - \'*\\Enabled-DuplicateToken.ps1\'\n - \'*\\Invoke-PsUaCme.ps1\'\n - \'*\\Remove-Update.ps1\'\n - \'*\\Check-VM.ps1\'\n - \'*\\Get-LSASecret.ps1\'\n - \'*\\Get-PassHashes.ps1\'\n - \'*\\Show-TargetScreen.ps1\'\n - \'*\\Port-Scan.ps1\'\n - \'*\\Invoke-PoshRatHttp.ps1\'\n - \'*\\Invoke-PowerShellTCP.ps1\'\n - \'*\\Invoke-PowerShellWMI.ps1\'\n - \'*\\Add-Exfiltration.ps1\'\n - \'*\\Add-Persistence.ps1\'\n - \'*\\Do-Exfiltration.ps1\'\n - \'*\\Start-CaptureServer.ps1\'\n - \'*\\Invoke-ShellCode.ps1\'\n - \'*\\Get-ChromeDump.ps1\'\n - \'*\\Get-ClipboardContents.ps1\'\n - \'*\\Get-FoxDump.ps1\'\n - \'*\\Get-IndexedItem.ps1\'\n - \'*\\Get-Screenshot.ps1\'\n - \'*\\Invoke-Inveigh.ps1\'\n - \'*\\Invoke-NetRipper.ps1\'\n - \'*\\Invoke-EgressCheck.ps1\'\n - \'*\\Invoke-PostExfil.ps1\'\n - \'*\\Invoke-PSInject.ps1\'\n - \'*\\Invoke-RunAs.ps1\'\n - \'*\\MailRaider.ps1\'\n - \'*\\New-HoneyHash.ps1\'\n - \'*\\Set-MacAttribute.ps1\'\n - \'*\\Invoke-DCSync.ps1\'\n - \'*\\Invoke-PowerDump.ps1\'\n - \'*\\Exploit-Jboss.ps1\'\n - \'*\\Invoke-ThunderStruck.ps1\'\n - \'*\\Invoke-VoiceTroll.ps1\'\n - \'*\\Set-Wallpaper.ps1\'\n - \'*\\Invoke-InveighRelay.ps1\'\n - \'*\\Invoke-PsExec.ps1\'\n - \'*\\Invoke-SSHCommand.ps1\'\n - \'*\\Get-SecurityPackages.ps1\'\n - \'*\\Install-SSP.ps1\'\n - \'*\\Invoke-BackdoorLNK.ps1\'\n - \'*\\PowerBreach.ps1\'\n - \'*\\Get-SiteListPassword.ps1\'\n - \'*\\Get-System.ps1\'\n - \'*\\Invoke-BypassUAC.ps1\'\n - \'*\\Invoke-Tater.ps1\'\n - \'*\\Invoke-WScriptBypassUAC.ps1\'\n - \'*\\PowerUp.ps1\'\n - \'*\\PowerView.ps1\'\n - \'*\\Get-RickAstley.ps1\'\n - \'*\\Find-Fruit.ps1\'\n - \'*\\HTTP-Login.ps1\'\n - \'*\\Find-TrustedDocuments.ps1\'\n - \'*\\Invoke-Paranoia.ps1\'\n - \'*\\Invoke-WinEnum.ps1\'\n - \'*\\Invoke-ARPScan.ps1\'\n - \'*\\Invoke-PortScan.ps1\'\n - \'*\\Invoke-ReverseDNSLookup.ps1\'\n - \'*\\Invoke-SMBScanner.ps1\'\n - \'*\\Invoke-Mimikittenz.ps1\'\n condition: selection\nfalsepositives:\n- Penetration Tests\nlevel: high\n\n
\n}}'),(6251,'Issue',346,15,'T1086'),(6252,'Issue',347,1,'PowerShell Network Connections'),(6253,'Issue',347,2,'Florian Roth'),(6254,'Issue',347,8,'https://www.youtube.com/watch?v=DLtJTxMWZ2o'),(6255,'Issue',347,10,'low'),(6256,'Issue',347,13,'community'),(6257,'Issue',347,14,'windows'),(6259,'Issue',347,11,'bdecf01db'),(6260,'Issue',347,12,'1f21ec3f-810d-4b0e-8045-322202e22b4b'),(6261,'Issue',347,16,'win-sysmon'),(6262,'Issue',347,17,''),(6263,'Issue',347,7,''),(6264,'Issue',347,3,'Detects a Powershell process that opens network connections - check for suspicious target ports and target systems - adjust to your environment (e.g. extend filters with company\'s ip range\')'),(6265,'Issue',347,4,''),(6266,'Issue',347,5,'_False Positives_\nAdministrative scripts'),(6267,'Issue',347,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (event.code:\"3\" AND process.executable.keyword:*\\\\powershell.exe AND event_data.Initiated:\"true\") AND (NOT (destination_ip.keyword:(10.* OR 192.168.* OR 172.16.* OR 172.17.* OR 172.18.* OR 172.19.* OR 172.20.* OR 172.21.* OR 172.22.* OR 172.23.* OR 172.24.* OR 172.25.* OR 172.26.* OR 172.27.* OR 172.28.* OR 172.29.* OR 172.30.* OR 172.31.* OR 127.0.0.1) AND event_data.DestinationIsIpv6:\"false\" AND event_data.User:\"NT\\ AUTHORITY\\\\SYSTEM\")))\nindex: so-*\nname: PowerShell Network Connections\npriority: 4\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(6268,'Issue',347,9,'{{collapse(View Sigma)\n\n\ntitle: PowerShell Network Connections\nid: 1f21ec3f-810d-4b0e-8045-322202e22b4b\nstatus: experimental\ndescription: Detects a Powershell process that opens network connections - check for\n suspicious target ports and target systems - adjust to your environment (e.g. extend\n filters with company\'s ip range\')\nauthor: Florian Roth\ndate: 2017/03/13\nreferences:\n- https://www.youtube.com/watch?v=DLtJTxMWZ2o\ntags:\n- attack.execution\n- attack.t1086\nlogsource:\n product: windows\n service: sysmon\ndetection:\n selection:\n EventID: 3\n Image: \'*\\powershell.exe\'\n Initiated: \'true\'\n filter:\n DestinationIp:\n - 10.*\n - 192.168.*\n - 172.16.*\n - 172.17.*\n - 172.18.*\n - 172.19.*\n - 172.20.*\n - 172.21.*\n - 172.22.*\n - 172.23.*\n - 172.24.*\n - 172.25.*\n - 172.26.*\n - 172.27.*\n - 172.28.*\n - 172.29.*\n - 172.30.*\n - 172.31.*\n - 127.0.0.1\n DestinationIsIpv6: \'false\'\n User: NT AUTHORITY\\SYSTEM\n condition: selection and not filter\nfalsepositives:\n- Administrative scripts\nlevel: low\n\n
\n}}'),(6269,'Issue',347,15,'T1086'),(6270,'Issue',348,1,'QuarksPwDump Dump File'),(6271,'Issue',348,2,'Florian Roth'),(6272,'Issue',348,8,'https://jpcertcc.github.io/ToolAnalysisResultSheet/details/QuarksPWDump.htm'),(6273,'Issue',348,10,'critical'),(6274,'Issue',348,13,'community'),(6275,'Issue',348,14,'windows'),(6277,'Issue',348,11,'3ce09ad54'),(6278,'Issue',348,12,'847def9e-924d-4e90-b7c4-5f581395a2b4'),(6279,'Issue',348,16,'win-sysmon'),(6280,'Issue',348,17,''),(6281,'Issue',348,7,''),(6282,'Issue',348,3,'Detects a dump file written by QuarksPwDump password dumper'),(6283,'Issue',348,4,''),(6284,'Issue',348,5,'_False Positives_\nUnknown'),(6285,'Issue',348,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"11\" AND event_data.TargetFilename.keyword:*\\\\AppData\\\\Local\\\\Temp\\\\SAM\\-*.dmp*)\nindex: so-*\nname: QuarksPwDump Dump File\npriority: 1\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(6286,'Issue',348,9,'{{collapse(View Sigma)\n\n\ntitle: QuarksPwDump Dump File\nid: 847def9e-924d-4e90-b7c4-5f581395a2b4\nstatus: experimental\ndescription: Detects a dump file written by QuarksPwDump password dumper\nreferences:\n- https://jpcertcc.github.io/ToolAnalysisResultSheet/details/QuarksPWDump.htm\nauthor: Florian Roth\ndate: 2018/02/10\ntags:\n- attack.credential_access\n- attack.t1003\nlevel: critical\nlogsource:\n product: windows\n service: sysmon\ndetection:\n selection:\n EventID: 11\n TargetFilename: \'*\\AppData\\Local\\Temp\\SAM-*.dmp*\'\n condition: selection\nfalsepositives:\n- Unknown\n\n
\n}}'),(6287,'Issue',348,15,'T1003'),(6288,'Issue',349,1,'Raw Disk Access Using Illegitimate Tools'),(6289,'Issue',349,2,'Teymur Kheirkhabarov, oscd.community'),(6290,'Issue',349,8,'https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment'),(6291,'Issue',349,10,'medium'),(6292,'Issue',349,13,'community'),(6293,'Issue',349,14,'windows'),(6295,'Issue',349,11,'979a4709f'),(6296,'Issue',349,12,'db809f10-56ce-4420-8c86-d6a7d793c79c'),(6297,'Issue',349,16,'win-sysmon'),(6298,'Issue',349,17,''),(6299,'Issue',349,7,''),(6300,'Issue',349,3,'Raw disk access using illegitimate tools, possible defence evasion'),(6301,'Issue',349,4,''),(6302,'Issue',349,5,'_False Positives_\nLegitimate Administrator using tool for raw access or ongoing forensic investigation\n\n_Interesting Log Fields_\nComputerName\nImage\nProcessID\nDevice'),(6303,'Issue',349,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (event.code:\"9\" AND (NOT (Device.keyword:*floppy*))) AND (NOT (process.executable.keyword:(*\\\\wmiprvse.exe OR *\\\\sdiagnhost.exe OR *\\\\searchindexer.exe OR *\\\\csrss.exe OR *\\\\defrag.exe OR *\\\\smss.exe OR *\\\\vssvc.exe OR *\\\\compattelrunner.exe OR *\\\\wininit.exe OR *\\\\autochk.exe OR *\\\\taskhost.exe OR *\\\\dfsrs.exe OR *\\\\vds.exe OR *\\\\lsass.exe))))\nindex: so-*\nname: Raw Disk Access Using Illegitimate Tools\npriority: 3\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(6304,'Issue',349,9,'{{collapse(View Sigma)\n\n\ntitle: Raw Disk Access Using Illegitimate Tools\nid: db809f10-56ce-4420-8c86-d6a7d793c79c\ndescription: Raw disk access using illegitimate tools, possible defence evasion\nauthor: Teymur Kheirkhabarov, oscd.community\ndate: 2019/10/22\nreferences:\n- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment\ntags:\n- attack.defense_evasion\n- attack.t1006\nlogsource:\n product: windows\n service: sysmon\ndetection:\n selection:\n EventID: 9\n filter_1:\n Device|contains: floppy\n filter_2:\n - Image|endswith:\n - \\wmiprvse.exe\n - \\sdiagnhost.exe\n - \\searchindexer.exe\n - \\csrss.exe\n - \\defrag.exe\n - \\smss.exe\n - \\vssvc.exe\n - \\compattelrunner.exe\n - \\wininit.exe\n - \\autochk.exe\n - \\taskhost.exe\n - \\dfsrs.exe\n - \\vds.exe\n - \\lsass.exe\n condition: selection and not filter_1 and not filter_2\nfields:\n- ComputerName\n- Image\n- ProcessID\n- Device\nfalsepositives:\n- Legitimate Administrator using tool for raw access or ongoing forensic investigation\nlevel: medium\nstatus: experimental\n\n
\n}}'),(6305,'Issue',349,15,'T1006'),(6306,'Issue',350,1,'RDP Registry Modification'),(6307,'Issue',350,2,'Roberto Rodriguez @Cyb3rWard0g'),(6308,'Issue',350,8,'https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/05_defense_evasion/T1112_Modify_Registry/enable_rdp_registry.md'),(6309,'Issue',350,10,'high'),(6310,'Issue',350,13,'community'),(6311,'Issue',350,14,'windows'),(6313,'Issue',350,11,'5a3902041'),(6314,'Issue',350,12,'41904ebe-d56c-4904-b9ad-7a77bdf154b3'),(6315,'Issue',350,16,'win-sysmon'),(6316,'Issue',350,17,''),(6317,'Issue',350,7,''),(6318,'Issue',350,3,'Detects potential malicious modification of the property value of fDenyTSConnections and UserAuthentication to enable remote desktop connections.'),(6319,'Issue',350,4,''),(6320,'Issue',350,5,'_False Positives_\nUnknown\n\n_Interesting Log Fields_\nComputerName\nImage\nEventType\nTargetObject'),(6321,'Issue',350,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"13\" AND event_data.TargetObject.keyword:(*\\\\CurrentControlSet\\\\Control\\\\Terminal\\ Server\\\\WinStations\\\\RDP\\-Tcp\\\\UserAuthentication OR *\\\\CurrentControlSet\\\\Control\\\\Terminal\\ Server\\\\fDenyTSConnections) AND event_data.Details:\"DWORD\\ \\(0x00000000\\)\")\nindex: so-*\nname: RDP Registry Modification\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(6322,'Issue',350,9,'{{collapse(View Sigma)\n\n\ntitle: RDP Registry Modification\nid: 41904ebe-d56c-4904-b9ad-7a77bdf154b3\ndescription: Detects potential malicious modification of the property value of fDenyTSConnections\n and UserAuthentication to enable remote desktop connections.\nstatus: experimental\ndate: 2019/09/12\nmodified: 2019/11/10\nauthor: Roberto Rodriguez @Cyb3rWard0g\nreferences:\n- https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/05_defense_evasion/T1112_Modify_Registry/enable_rdp_registry.md\ntags:\n- attack.defense_evasion\n- attack.t1112\nlogsource:\n product: windows\n service: sysmon\ndetection:\n selection:\n EventID: 13\n TargetObject|endswith:\n - \\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp\\UserAuthentication\n - \\CurrentControlSet\\Control\\Terminal Server\\fDenyTSConnections\n Details: DWORD (0x00000000)\n condition: selection\nfields:\n- ComputerName\n- Image\n- EventType\n- TargetObject\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(6323,'Issue',350,15,'T1112'),(6324,'Issue',351,1,'RDP Over Reverse SSH Tunnel'),(6325,'Issue',351,2,'Samir Bousseaden'),(6326,'Issue',351,8,'https://twitter.com/SBousseaden/status/1096148422984384514'),(6327,'Issue',351,10,'high'),(6328,'Issue',351,13,'community'),(6329,'Issue',351,14,'windows'),(6331,'Issue',351,11,'31989b88d'),(6332,'Issue',351,12,'5f699bc5-5446-4a4a-a0b7-5ef2885a3eb4'),(6333,'Issue',351,16,'win-sysmon'),(6334,'Issue',351,17,''),(6335,'Issue',351,7,''),(6336,'Issue',351,3,'Detects svchost hosting RDP termsvcs communicating with the loopback address and on TCP port 3389'),(6337,'Issue',351,4,''),(6338,'Issue',351,5,'_False Positives_\nunknown'),(6339,'Issue',351,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"3\" AND process.executable.keyword:*\\\\svchost.exe AND event_data.Initiated:\"true\" AND SourcePort:\"3389\" AND destination_ip.keyword:(127.* OR \\:\\:1))\nindex: so-*\nname: RDP Over Reverse SSH Tunnel\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(6340,'Issue',351,9,'{{collapse(View Sigma)\n\n\ntitle: RDP Over Reverse SSH Tunnel\nid: 5f699bc5-5446-4a4a-a0b7-5ef2885a3eb4\nstatus: experimental\ndescription: Detects svchost hosting RDP termsvcs communicating with the loopback\n address and on TCP port 3389\nreferences:\n- https://twitter.com/SBousseaden/status/1096148422984384514\nauthor: Samir Bousseaden\ndate: 2019/02/16\ntags:\n- attack.defense_evasion\n- attack.command_and_control\n- attack.t1076\n- car.2013-07-002\nlogsource:\n product: windows\n service: sysmon\ndetection:\n selection:\n EventID: 3\n Image: \'*\\svchost.exe\'\n Initiated: \'true\'\n SourcePort: 3389\n DestinationIp:\n - 127.*\n - ::1\n condition: selection\nfalsepositives:\n- unknown\nlevel: high\n\n
\n}}'),(6341,'Issue',351,15,'T1076'),(6342,'Issue',352,1,'RDP Sensitive Settings Changed'),(6343,'Issue',352,2,'Samir Bousseaden'),(6344,'Issue',352,8,'https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html'),(6345,'Issue',352,10,'high'),(6346,'Issue',352,13,'community'),(6347,'Issue',352,14,'windows'),(6348,'Issue',352,15,''),(6349,'Issue',352,11,'548ae70d5'),(6350,'Issue',352,12,'171b67e1-74b4-460e-8d55-b331f3e32d67'),(6351,'Issue',352,16,'win-sysmon'),(6352,'Issue',352,17,''),(6353,'Issue',352,7,''),(6354,'Issue',352,3,'Detects changes to RDP terminal service sensitive settings'),(6355,'Issue',352,4,''),(6356,'Issue',352,5,'_False Positives_\nunknown'),(6357,'Issue',352,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"13\" AND event_data.TargetObject.keyword:(*\\\\services\\\\TermService\\\\Parameters\\\\ServiceDll* OR *\\\\Control\\\\Terminal\\ Server\\\\fSingleSessionPerUser* OR *\\\\Control\\\\Terminal\\ Server\\\\fDenyTSConnections*))\nindex: so-*\nname: RDP Sensitive Settings Changed\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(6358,'Issue',352,9,'{{collapse(View Sigma)\n\n\ntitle: RDP Sensitive Settings Changed\nid: 171b67e1-74b4-460e-8d55-b331f3e32d67\ndescription: Detects changes to RDP terminal service sensitive settings\nreferences:\n- https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html\ndate: 2019/04/03\nauthor: Samir Bousseaden\nlogsource:\n product: windows\n service: sysmon\ndetection:\n selection_reg:\n EventID: 13\n TargetObject:\n - \'*\\services\\TermService\\Parameters\\ServiceDll*\'\n - \'*\\Control\\Terminal Server\\fSingleSessionPerUser*\'\n - \'*\\Control\\Terminal Server\\fDenyTSConnections*\'\n condition: selection_reg\ntags:\n- attack.defense_evasion\nfalsepositives:\n- unknown\nlevel: high\n\n
\n}}'),(6359,'Issue',353,1,'Windows Registry Persistence COM Key Linking'),(6360,'Issue',353,2,'Kutepov Anton, oscd.community'),(6361,'Issue',353,8,'https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/'),(6362,'Issue',353,10,'medium'),(6363,'Issue',353,13,'community'),(6364,'Issue',353,14,'windows'),(6366,'Issue',353,11,'6f021fb7c'),(6367,'Issue',353,12,'9b0f8a61-91b2-464f-aceb-0527e0a45020'),(6368,'Issue',353,16,'win-sysmon'),(6369,'Issue',353,17,''),(6370,'Issue',353,7,''),(6371,'Issue',353,3,'Detects COM object hijacking via TreatAs subkey'),(6372,'Issue',353,4,''),(6373,'Issue',353,5,'_False Positives_\nMaybe some system utilities in rare cases use linking keys for backward compability'),(6374,'Issue',353,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"12\" AND event_data.TargetObject.keyword:HKU\\\\*_Classes\\\\CLSID\\\\*\\\\TreatAs)\nindex: so-*\nname: Windows Registry Persistence COM Key Linking\npriority: 3\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(6375,'Issue',353,9,'{{collapse(View Sigma)\n\n\ntitle: Windows Registry Persistence COM Key Linking\nid: 9b0f8a61-91b2-464f-aceb-0527e0a45020\nstatus: experimental\ndescription: Detects COM object hijacking via TreatAs subkey\nreferences:\n- https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/\nauthor: Kutepov Anton, oscd.community\ndate: 2019/10/23\nmodified: 2019/11/07\ntags:\n- attack.persistence\n- attack.t1122\nlogsource:\n product: windows\n service: sysmon\ndetection:\n selection:\n EventID: 12\n TargetObject: HKU\\\\*_Classes\\CLSID\\\\*\\TreatAs\n condition: selection\nfalsepositives:\n- Maybe some system utilities in rare cases use linking keys for backward compability\nlevel: medium\n\n
\n}}'),(6376,'Issue',353,15,'T1122'),(6377,'Issue',354,1,'Windows Registry Persistence COM Search Order Hijacking'),(6378,'Issue',354,2,'Maxime Thiebaut (@0xThiebaut)'),(6379,'Issue',354,8,'https://www.cyberbit.com/blog/endpoint-security/com-hijacking-windows-overlooked-security-vulnerability/'),(6380,'Issue',354,10,'medium'),(6381,'Issue',354,13,'community'),(6382,'Issue',354,14,'windows'),(6384,'Issue',354,11,'27898e00b'),(6385,'Issue',354,12,'a0ff33d8-79e4-4cef-b4f3-9dc4133ccd12'),(6386,'Issue',354,16,'win-sysmon'),(6387,'Issue',354,17,''),(6388,'Issue',354,7,''),(6389,'Issue',354,3,'Detects potential COM object hijacking leveraging the COM Search Order'),(6390,'Issue',354,4,''),(6391,'Issue',354,5,'_False Positives_\nSome installed utilities (i.e. OneDrive) may serve new COM objects at user-level'),(6392,'Issue',354,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (event.code:\"13\" AND event_data.TargetObject.keyword:HKU\\\\*_Classes\\\\CLSID\\\\*\\\\InProcServer32\\\\\\(Default\\)) AND (NOT (event_data.Details.keyword:(%%systemroot%%\\\\system32\\\\* OR %%systemroot%%\\\\SysWow64\\\\* OR *\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\*\\\\FileCoAuthLib64.dll OR *\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\*\\\\FileSyncShell64.dll OR *\\\\AppData\\\\Local\\\\Microsoft\\\\TeamsMeetingAddin\\\\*\\\\Microsoft.Teams.AddinLoader.dll))))\nindex: so-*\nname: Windows Registry Persistence COM Search Order Hijacking\npriority: 3\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(6393,'Issue',354,9,'{{collapse(View Sigma)\n\n\ntitle: Windows Registry Persistence COM Search Order Hijacking\nid: a0ff33d8-79e4-4cef-b4f3-9dc4133ccd12\nstatus: experimental\ndescription: Detects potential COM object hijacking leveraging the COM Search Order\nreferences:\n- https://www.cyberbit.com/blog/endpoint-security/com-hijacking-windows-overlooked-security-vulnerability/\nauthor: Maxime Thiebaut (@0xThiebaut)\ndate: 2020/04/14\ntags:\n- attack.persistence\n- attack.t1038\nlogsource:\n product: windows\n service: sysmon\ndetection:\n selection:\n EventID: 13\n TargetObject: HKU\\\\*_Classes\\CLSID\\\\*\\InProcServer32\\(Default)\n filter:\n Details:\n - \'%%systemroot%%\\system32\\\\*\'\n - \'%%systemroot%%\\SysWow64\\\\*\'\n - \'*\\AppData\\Local\\Microsoft\\OneDrive\\\\*\\FileCoAuthLib64.dll\'\n - \'*\\AppData\\Local\\Microsoft\\OneDrive\\\\*\\FileSyncShell64.dll\'\n - \'*\\AppData\\Local\\Microsoft\\TeamsMeetingAddin\\\\*\\Microsoft.Teams.AddinLoader.dll\'\n condition: selection and not filter\nfalsepositives:\n- Some installed utilities (i.e. OneDrive) may serve new COM objects at user-level\nlevel: medium\n\n
\n}}'),(6394,'Issue',354,15,'T1038'),(6395,'Issue',355,1,'Windows Registry Trust Record Modification'),(6396,'Issue',355,2,'Antonlovesdnb'),(6397,'Issue',355,8,'https://outflank.nl/blog/2018/01/16/hunting-for-evil-detect-macros-being-executed/\nhttp://az4n6.blogspot.com/2016/02/more-on-trust-records-macros-and.html'),(6398,'Issue',355,10,'medium'),(6399,'Issue',355,13,'community'),(6400,'Issue',355,14,'windows'),(6402,'Issue',355,11,'ab08d709e'),(6403,'Issue',355,12,'295a59c1-7b79-4b47-a930-df12c15fc9c2'),(6404,'Issue',355,16,'win-sysmon'),(6405,'Issue',355,17,''),(6406,'Issue',355,7,''),(6407,'Issue',355,3,'Alerts on trust record modification within the registry, indicating usage of macros'),(6408,'Issue',355,4,''),(6409,'Issue',355,5,'_False Positives_\nAlerts on legitimate macro usage as well, will need to filter as appropriate'),(6410,'Issue',355,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"12\" AND event_data.TargetObject.keyword:*TrustRecords*)\nindex: so-*\nname: Windows Registry Trust Record Modification\npriority: 3\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(6411,'Issue',355,9,'{{collapse(View Sigma)\n\n\ntitle: Windows Registry Trust Record Modification\nid: 295a59c1-7b79-4b47-a930-df12c15fc9c2\nstatus: experimental\ndescription: Alerts on trust record modification within the registry, indicating usage\n of macros\nreferences:\n- https://outflank.nl/blog/2018/01/16/hunting-for-evil-detect-macros-being-executed/\n- http://az4n6.blogspot.com/2016/02/more-on-trust-records-macros-and.html\nauthor: Antonlovesdnb\ndate: 2020/02/19\nmodified: 2020/02/19\ntags:\n- attack.initial_access\n- attack.t1193\nlogsource:\n product: windows\n service: sysmon\ndetection:\n selection:\n EventID: 12\n TargetObject|contains: TrustRecords\n condition: selection\nfalsepositives:\n- Alerts on legitimate macro usage as well, will need to filter as appropriate\nlevel: medium\n\n
\n}}'),(6412,'Issue',355,15,'T1193'),(6413,'Issue',356,1,'Regsvr32 Network Activity'),(6414,'Issue',356,2,'Dmitriy Lifanov, oscd.community'),(6415,'Issue',356,8,'https://pentestlab.blog/2017/05/11/applocker-bypass-regsvr32/\nhttps://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/\nhttps://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1117/T1117.md'),(6416,'Issue',356,10,'high'),(6417,'Issue',356,13,'community'),(6418,'Issue',356,14,'windows'),(6420,'Issue',356,11,'2dae90c53'),(6421,'Issue',356,12,'c7e91a02-d771-4a6d-a700-42587e0b1095'),(6422,'Issue',356,16,'win-sysmon'),(6423,'Issue',356,17,''),(6424,'Issue',356,7,''),(6425,'Issue',356,3,'Detects network connections and DNS queries initiated by Regsvr32.exe'),(6426,'Issue',356,4,''),(6427,'Issue',356,5,'_False Positives_\nunknown\n\n_Interesting Log Fields_\nComputerName\nUser\nImage\nDestinationIp\nDestinationPort'),(6428,'Issue',356,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:(\"3\" OR \"22\") AND process.executable.keyword:*\\\\regsvr32.exe)\nindex: so-*\nname: Regsvr32 Network Activity\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(6429,'Issue',356,9,'{{collapse(View Sigma)\n\n\ntitle: Regsvr32 Network Activity\nid: c7e91a02-d771-4a6d-a700-42587e0b1095\ndescription: Detects network connections and DNS queries initiated by Regsvr32.exe\nreferences:\n- https://pentestlab.blog/2017/05/11/applocker-bypass-regsvr32/\n- https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1117/T1117.md\ntags:\n- attack.execution\n- attack.defense_evasion\n- attack.t1117\nauthor: Dmitriy Lifanov, oscd.community\nstatus: experimental\ndate: 2019/10/25\nmodified: 2019/11/10\nlogsource:\n product: windows\n service: sysmon\ndetection:\n selection:\n EventID:\n - 3\n - 22\n Image|endswith: \\regsvr32.exe\n condition: selection\nfields:\n- ComputerName\n- User\n- Image\n- DestinationIp\n- DestinationPort\nfalsepositives:\n- unknown\nlevel: high\n\n
\n}}'),(6430,'Issue',356,15,'T1117'),(6431,'Issue',357,1,'Remote PowerShell Session'),(6432,'Issue',357,2,'Roberto Rodriguez @Cyb3rWard0g'),(6433,'Issue',357,8,'https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/powershell_remote_session.md'),(6434,'Issue',357,10,'high'),(6435,'Issue',357,13,'community'),(6436,'Issue',357,14,'windows'),(6438,'Issue',357,11,'1a8504907'),(6439,'Issue',357,12,'c539afac-c12a-46ed-b1bd-5a5567c9f045'),(6440,'Issue',357,16,'win-sysmon'),(6441,'Issue',357,17,''),(6442,'Issue',357,7,''),(6443,'Issue',357,3,'Detects remote PowerShell connections by monitoring network outbount connections to ports 5985 or 5986 from not network service account'),(6444,'Issue',357,4,''),(6445,'Issue',357,5,'_False Positives_\nLeigitmate usage of remote PowerShell, e.g. remote administration and monitoring.'),(6446,'Issue',357,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (event.code:\"3\" AND destination_port:(\"5985\" OR \"5986\")) AND (NOT (event_data.User:\"NT\\ AUTHORITY\\\\NETWORK\\ SERVICE\")))\nindex: so-*\nname: Remote PowerShell Session\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(6447,'Issue',357,9,'{{collapse(View Sigma)\n\n\ntitle: Remote PowerShell Session\nid: c539afac-c12a-46ed-b1bd-5a5567c9f045\ndescription: Detects remote PowerShell connections by monitoring network outbount\n connections to ports 5985 or 5986 from not network service account\nstatus: experimental\ndate: 2019/09/12\nauthor: Roberto Rodriguez @Cyb3rWard0g\nreferences:\n- https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/powershell_remote_session.md\ntags:\n- attack.execution\n- attack.t1086\nlogsource:\n product: windows\n service: sysmon\ndetection:\n selection:\n EventID: 3\n DestinationPort:\n - 5985\n - 5986\n filter:\n User: NT AUTHORITY\\NETWORK SERVICE\n condition: selection and not filter\nfalsepositives:\n- Leigitmate usage of remote PowerShell, e.g. remote administration and monitoring.\nlevel: high\n\n
\n}}'),(6448,'Issue',357,15,'T1086'),(6449,'Issue',358,1,'Renamed jusched.exe'),(6450,'Issue',358,2,'Markus Neis, Swisscom'),(6451,'Issue',358,8,'https://www.bitdefender.com/files/News/CaseStudies/study/262/Bitdefender-WhitePaper-An-APT-Blueprint-Gaining-New-Visibility-into-Financial-Threats-interactive.pdf'),(6452,'Issue',358,10,'high'),(6453,'Issue',358,13,'community'),(6454,'Issue',358,14,'windows'),(6456,'Issue',358,11,'3042f2e24'),(6457,'Issue',358,12,'edd8a48c-1b9f-4ba1-83aa-490338cd1ccb'),(6458,'Issue',358,16,'win-sysmon'),(6459,'Issue',358,17,''),(6460,'Issue',358,7,''),(6461,'Issue',358,3,'Detects renamed jusched.exe used by cobalt group'),(6462,'Issue',358,4,''),(6463,'Issue',358,5,'_False Positives_\npenetration tests, red teaming'),(6464,'Issue',358,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND (process.pe.description:\"Java\\ Update\\ Scheduler\" OR process.pe.description:\"Java\\(TM\\)\\ Update\\ Scheduler\")) AND (NOT (process.executable.keyword:(*\\\\jusched.exe))))\nindex: so-*\nname: Renamed jusched.exe\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(6465,'Issue',358,9,'{{collapse(View Sigma)\n\n\ntitle: Renamed jusched.exe\nstatus: experimental\nid: edd8a48c-1b9f-4ba1-83aa-490338cd1ccb\ndescription: Detects renamed jusched.exe used by cobalt group\nreferences:\n- https://www.bitdefender.com/files/News/CaseStudies/study/262/Bitdefender-WhitePaper-An-APT-Blueprint-Gaining-New-Visibility-into-Financial-Threats-interactive.pdf\ntags:\n- attack.t1036\n- attack.execution\nauthor: Markus Neis, Swisscom\ndate: 2019/06/04\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection1:\n Description: Java Update Scheduler\n selection2:\n Description: Java(TM) Update Scheduler\n filter:\n Image|endswith:\n - \\jusched.exe\n condition: (selection1 or selection2) and not filter\nfalsepositives:\n- penetration tests, red teaming\nlevel: high\n\n
\n}}'),(6466,'Issue',358,15,'T1036'),(6467,'Issue',359,1,'Renamed PowerShell'),(6468,'Issue',359,2,'Florian Roth'),(6469,'Issue',359,8,'https://twitter.com/christophetd/status/1164506034720952320'),(6470,'Issue',359,10,'critical'),(6471,'Issue',359,13,'community'),(6472,'Issue',359,14,'windows'),(6473,'Issue',359,15,''),(6474,'Issue',359,11,'a6d71f3ed'),(6475,'Issue',359,12,'d178a2d7-129a-4ba4-8ee6-d6e1fecd5d20'),(6476,'Issue',359,16,'win-sysmon'),(6477,'Issue',359,17,''),(6478,'Issue',359,7,''),(6479,'Issue',359,3,'Detects the execution of a renamed PowerShell often used by attackers or malware'),(6480,'Issue',359,4,''),(6481,'Issue',359,5,'_False Positives_\nUnknown'),(6482,'Issue',359,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (process.pe.description:\"Windows\\ PowerShell\" AND event_data.Company:\"Microsoft\\ Corporation\") AND (NOT (process.executable.keyword:(*\\\\powershell.exe OR *\\\\powershell_ise.exe))))\nindex: so-*\nname: Renamed PowerShell\npriority: 1\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(6483,'Issue',359,9,'{{collapse(View Sigma)\n\n\ntitle: Renamed PowerShell\nid: d178a2d7-129a-4ba4-8ee6-d6e1fecd5d20\nstatus: experimental\ndescription: Detects the execution of a renamed PowerShell often used by attackers\n or malware\nreferences:\n- https://twitter.com/christophetd/status/1164506034720952320\nauthor: Florian Roth\ndate: 2019/08/22\ntags:\n- car.2013-05-009\nlogsource:\n product: windows\n service: sysmon\ndetection:\n selection:\n Description: Windows PowerShell\n Company: Microsoft Corporation\n filter:\n Image:\n - \'*\\powershell.exe\'\n - \'*\\powershell_ise.exe\'\n condition: selection and not filter\nfalsepositives:\n- Unknown\nlevel: critical\n\n
\n}}'),(6484,'Issue',360,1,'Renamed ProcDump'),(6485,'Issue',360,2,'Florian Roth'),(6486,'Issue',360,8,'https://docs.microsoft.com/en-us/sysinternals/downloads/procdump'),(6487,'Issue',360,10,'critical'),(6488,'Issue',360,13,'community'),(6489,'Issue',360,14,'windows'),(6491,'Issue',360,11,'abbcffccf'),(6492,'Issue',360,12,'4a0b2c7e-7cb2-495d-8b63-5f268e7bfd67'),(6493,'Issue',360,16,'win-sysmon'),(6494,'Issue',360,17,''),(6495,'Issue',360,7,''),(6496,'Issue',360,3,'Detects the execution of a renamed ProcDump executable often used by attackers or malware'),(6497,'Issue',360,4,''),(6498,'Issue',360,5,'_False Positives_\nProcdump illegaly bundled with legitimate software\nWeird admins who renamed binaries'),(6499,'Issue',360,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND OriginalFileName:\"procdump\" AND (NOT (process.executable.keyword:(*\\\\procdump.exe OR *\\\\procdump64.exe))))\nindex: so-*\nname: Renamed ProcDump\npriority: 1\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(6500,'Issue',360,9,'{{collapse(View Sigma)\n\n\ntitle: Renamed ProcDump\nid: 4a0b2c7e-7cb2-495d-8b63-5f268e7bfd67\nstatus: experimental\ndescription: Detects the execution of a renamed ProcDump executable often used by\n attackers or malware\nreferences:\n- https://docs.microsoft.com/en-us/sysinternals/downloads/procdump\nauthor: Florian Roth\ndate: 2019/11/18\ntags:\n- attack.defense_evasion\n- attack.t1036\nlogsource:\n product: windows\n service: sysmon\ndetection:\n selection:\n OriginalFileName: procdump\n filter:\n Image:\n - \'*\\procdump.exe\'\n - \'*\\procdump64.exe\'\n condition: selection and not filter\nfalsepositives:\n- Procdump illegaly bundled with legitimate software\n- Weird admins who renamed binaries\nlevel: critical\n\n
\n}}'),(6501,'Issue',360,15,'T1036'),(6502,'Issue',361,1,'Renamed PsExec'),(6503,'Issue',361,2,'Florian Roth'),(6504,'Issue',361,8,'https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/megacortex-ransomware-spotted-attacking-enterprise-networks'),(6505,'Issue',361,10,'high'),(6506,'Issue',361,13,'community'),(6507,'Issue',361,14,'windows'),(6508,'Issue',361,15,''),(6509,'Issue',361,11,'297d076c3'),(6510,'Issue',361,12,'a7a7e0e5-1d57-49df-9c58-9fe5bc0346a2'),(6511,'Issue',361,16,'win-sysmon'),(6512,'Issue',361,17,''),(6513,'Issue',361,7,''),(6514,'Issue',361,3,'Detects the execution of a renamed PsExec often used by attackers or malware'),(6515,'Issue',361,4,''),(6516,'Issue',361,5,'_False Positives_\nSoftware that illegaly integrates PsExec in a renamed form\nAdministrators that have renamed PsExec and no one knows why'),(6517,'Issue',361,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (process.pe.description:\"Execute\\ processes\\ remotely\" AND process.pe.product:\"Sysinternals\\ PsExec\") AND (NOT (process.executable.keyword:(*\\\\PsExec.exe OR *\\\\PsExec64.exe))))\nindex: so-*\nname: Renamed PsExec\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(6518,'Issue',361,9,'{{collapse(View Sigma)\n\n\ntitle: Renamed PsExec\nid: a7a7e0e5-1d57-49df-9c58-9fe5bc0346a2\nstatus: experimental\ndescription: Detects the execution of a renamed PsExec often used by attackers or\n malware\nreferences:\n- https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/megacortex-ransomware-spotted-attacking-enterprise-networks\nauthor: Florian Roth\ndate: 2019/05/21\ntags:\n- car.2013-05-009\nlogsource:\n product: windows\n service: sysmon\ndetection:\n selection:\n Description: Execute processes remotely\n Product: Sysinternals PsExec\n filter:\n Image:\n - \'*\\PsExec.exe\'\n - \'*\\PsExec64.exe\'\n condition: selection and not filter\nfalsepositives:\n- Software that illegaly integrates PsExec in a renamed form\n- Administrators that have renamed PsExec and no one knows why\nlevel: high\n\n
\n}}'),(6519,'Issue',362,1,'Rundll32 Internet Connection'),(6520,'Issue',362,2,'Florian Roth'),(6521,'Issue',362,8,'https://www.hybrid-analysis.com/sample/759fb4c0091a78c5ee035715afe3084686a8493f39014aea72dae36869de9ff6?environmentId=100'),(6522,'Issue',362,10,'medium'),(6523,'Issue',362,13,'community'),(6524,'Issue',362,14,'windows'),(6526,'Issue',362,11,'0381dead4'),(6527,'Issue',362,12,'cdc8da7d-c303-42f8-b08c-b4ab47230263'),(6528,'Issue',362,16,'win-sysmon'),(6529,'Issue',362,17,''),(6530,'Issue',362,7,''),(6531,'Issue',362,3,'Detects a rundll32 that communicates with public IP addresses'),(6532,'Issue',362,4,''),(6533,'Issue',362,5,'_False Positives_\nCommunication to other corporate systems that use IP addresses from public address spaces'),(6534,'Issue',362,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (event.code:\"3\" AND process.executable.keyword:*\\\\rundll32.exe AND event_data.Initiated:\"true\") AND (NOT (destination_ip.keyword:(10.* OR 192.168.* OR 172.16.* OR 172.17.* OR 172.18.* OR 172.19.* OR 172.20.* OR 172.21.* OR 172.22.* OR 172.23.* OR 172.24.* OR 172.25.* OR 172.26.* OR 172.27.* OR 172.28.* OR 172.29.* OR 172.30.* OR 172.31.* OR 127.*))))\nindex: so-*\nname: Rundll32 Internet Connection\npriority: 3\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(6535,'Issue',362,9,'{{collapse(View Sigma)\n\n\ntitle: Rundll32 Internet Connection\nid: cdc8da7d-c303-42f8-b08c-b4ab47230263\nstatus: experimental\ndescription: Detects a rundll32 that communicates with public IP addresses\nreferences:\n- https://www.hybrid-analysis.com/sample/759fb4c0091a78c5ee035715afe3084686a8493f39014aea72dae36869de9ff6?environmentId=100\nauthor: Florian Roth\ndate: 2017/11/04\ntags:\n- attack.t1085\n- attack.defense_evasion\n- attack.execution\nlogsource:\n product: windows\n service: sysmon\ndetection:\n selection:\n EventID: 3\n Image: \'*\\rundll32.exe\'\n Initiated: \'true\'\n filter:\n DestinationIp:\n - 10.*\n - 192.168.*\n - 172.16.*\n - 172.17.*\n - 172.18.*\n - 172.19.*\n - 172.20.*\n - 172.21.*\n - 172.22.*\n - 172.23.*\n - 172.24.*\n - 172.25.*\n - 172.26.*\n - 172.27.*\n - 172.28.*\n - 172.29.*\n - 172.30.*\n - 172.31.*\n - 127.*\n condition: selection and not filter\nfalsepositives:\n- Communication to other corporate systems that use IP addresses from public address\n spaces\nlevel: medium\n\n
\n}}'),(6536,'Issue',362,15,'T1085'),(6537,'Issue',363,1,'Security Support Provider (SSP) Added to LSA Configuration'),(6538,'Issue',363,2,'iwillkeepwatch'),(6539,'Issue',363,8,'https://attack.mitre.org/techniques/T1101/\nhttps://powersploit.readthedocs.io/en/latest/Persistence/Install-SSP/'),(6540,'Issue',363,10,'critical'),(6541,'Issue',363,13,'community'),(6542,'Issue',363,14,'windows'),(6544,'Issue',363,11,'9bc1e9894'),(6545,'Issue',363,12,'eeb30123-9fbd-4ee8-aaa0-2e545bbed6dc'),(6546,'Issue',363,16,'win-sysmon'),(6547,'Issue',363,17,''),(6548,'Issue',363,7,''),(6549,'Issue',363,3,'Detects the addition of a SSP to the registry. Upon a reboot or API call, SSP DLLs gain access to encrypted and plaintext passwords stored in Windows.'),(6550,'Issue',363,4,''),(6551,'Issue',363,5,'_False Positives_\nUnlikely'),(6552,'Issue',363,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (event.code:\"13\" AND event_data.TargetObject:(\"HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\Security\\ Packages\" OR \"HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\OSConfig\\\\Security\\ Packages\")) AND (NOT (process.executable:\"C\\:\\\\Windows\\\\system32\\\\msiexec.exe\" OR process.executable:\"C\\:\\\\Windows\\\\syswow64\\\\MsiExec.exe\")))\nindex: so-*\nname: Security Support Provider (SSP) Added to LSA Configuration\npriority: 1\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(6553,'Issue',363,9,'{{collapse(View Sigma)\n\n\ntitle: Security Support Provider (SSP) Added to LSA Configuration\nid: eeb30123-9fbd-4ee8-aaa0-2e545bbed6dc\nstatus: experimental\ndescription: Detects the addition of a SSP to the registry. Upon a reboot or API call,\n SSP DLLs gain access to encrypted and plaintext passwords stored in Windows.\nreferences:\n- https://attack.mitre.org/techniques/T1101/\n- https://powersploit.readthedocs.io/en/latest/Persistence/Install-SSP/\ntags:\n- attack.persistence\n- attack.t1011\nauthor: iwillkeepwatch\ndate: 2019/01/18\nlogsource:\n product: windows\n service: sysmon\ndetection:\n selection_registry:\n EventID: 13\n TargetObject:\n - HKLM\\System\\CurrentControlSet\\Control\\Lsa\\Security Packages\n - HKLM\\System\\CurrentControlSet\\Control\\Lsa\\OSConfig\\Security Packages\n exclusion_images:\n - Image: C:\\Windows\\system32\\msiexec.exe\n - Image: C:\\Windows\\syswow64\\MsiExec.exe\n condition: selection_registry and not exclusion_images\nfalsepositives:\n- Unlikely\nlevel: critical\n\n
\n}}'),(6554,'Issue',363,15,'T1011'),(6555,'Issue',364,1,'Suspicious ADSI-Cache Usage By Unknown Tool'),(6556,'Issue',364,2,'xknow @xknow_infosec'),(6557,'Issue',364,8,'https://medium.com/@ivecodoe/detecting-ldapfragger-a-newly-released-cobalt-strike-beacon-using-ldap-for-c2-communication-c274a7f00961\nhttps://blog.fox-it.com/2020/03/19/ldapfragger-command-and-control-over-ldap-attributes/\nhttps://github.com/fox-it/LDAPFragger'),(6558,'Issue',364,10,'high'),(6559,'Issue',364,13,'community'),(6560,'Issue',364,14,'windows'),(6562,'Issue',364,11,'8268e4aa6'),(6563,'Issue',364,12,'75bf09fa-1dd7-4d18-9af9-dd9e492562eb'),(6564,'Issue',364,16,'win-sysmon'),(6565,'Issue',364,17,''),(6566,'Issue',364,7,''),(6567,'Issue',364,3,'detects the usage of ADSI (LDAP) operations by tools. This may also detect tools like LDAPFragger.'),(6568,'Issue',364,4,''),(6569,'Issue',364,5,'_False Positives_\nOther legimate tools, which do ADSI (LDAP) operations, e.g. any remoting activity by MMC, Powershell, Windows etc.'),(6570,'Issue',364,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (event.code:\"11\" AND event_data.TargetFilename.keyword:*\\\\Local\\\\Microsoft\\\\Windows\\\\SchCache\\*.sch) AND (NOT (process.executable.keyword:(*C\\:\\\\windows\\\\system32\\\\svchost.exe* OR *C\\:\\\\windows\\\\system32\\\\dllhost.exe* OR *C\\:\\\\windows\\\\system32\\\\mmc.exe* OR *C\\:\\\\windows\\\\system32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe*))))\nindex: so-*\nname: Suspicious ADSI-Cache Usage By Unknown Tool\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(6571,'Issue',364,9,'{{collapse(View Sigma)\n\n\ntitle: Suspicious ADSI-Cache Usage By Unknown Tool\nid: 75bf09fa-1dd7-4d18-9af9-dd9e492562eb\ndescription: detects the usage of ADSI (LDAP) operations by tools. This may also detect\n tools like LDAPFragger.\nstatus: experimental\ndate: 2019/03/24\nauthor: xknow @xknow_infosec\nreferences:\n- https://medium.com/@ivecodoe/detecting-ldapfragger-a-newly-released-cobalt-strike-beacon-using-ldap-for-c2-communication-c274a7f00961\n- https://blog.fox-it.com/2020/03/19/ldapfragger-command-and-control-over-ldap-attributes/\n- https://github.com/fox-it/LDAPFragger\ntags:\n- attack.t1041\n- attack.persistence\nlogsource:\n product: windows\n service: sysmon\ndetection:\n selection_1:\n EventID: 11\n TargetFilename: \'*\\Local\\Microsoft\\Windows\\SchCache\\*.sch\'\n selection_2:\n Image|contains:\n - C:\\windows\\system32\\svchost.exe\n - C:\\windows\\system32\\dllhost.exe\n - C:\\windows\\system32\\mmc.exe\n - C:\\windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe\n condition: selection_1 and not selection_2\nfalsepositives:\n- Other legimate tools, which do ADSI (LDAP) operations, e.g. any remoting activity\n by MMC, Powershell, Windows etc.\nlevel: high\n\n
\n}}'),(6572,'Issue',364,15,'T1041'),(6573,'Issue',365,1,'Suspicious desktop.ini Action'),(6574,'Issue',365,2,'Maxime Thiebaut (@0xThiebaut)'),(6575,'Issue',365,8,'https://isc.sans.edu/forums/diary/Desktopini+as+a+postexploitation+tool/25912/'),(6576,'Issue',365,10,'medium'),(6577,'Issue',365,13,'community'),(6578,'Issue',365,14,'windows'),(6580,'Issue',365,11,'370bd2225'),(6581,'Issue',365,12,'81315b50-6b60-4d8f-9928-3466e1022515'),(6582,'Issue',365,16,'win-sysmon'),(6583,'Issue',365,17,''),(6584,'Issue',365,7,''),(6585,'Issue',365,3,'Detects unusual processes accessing desktop.ini, which can be leveraged to alter how Explorer displays a folder\'s content (i.e. renaming files) without changing them on disk.'),(6586,'Issue',365,4,''),(6587,'Issue',365,5,'_False Positives_\nOperations performed through Windows SCCM or equivalent'),(6588,'Issue',365,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (event.code:\"11\" AND event_data.TargetFilename.keyword:*\\\\desktop.ini) AND (NOT (process.executable:(\"C\\:\\\\Windows\\\\explorer.exe\" OR \"C\\:\\\\Windows\\\\System32\\\\msiexec.exe\" OR \"C\\:\\\\Windows\\\\System32\\\\mmc.exe\"))))\nindex: so-*\nname: Suspicious desktop.ini Action\npriority: 3\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(6589,'Issue',365,9,'{{collapse(View Sigma)\n\n\ntitle: Suspicious desktop.ini Action\nid: 81315b50-6b60-4d8f-9928-3466e1022515\nstatus: experimental\ndescription: Detects unusual processes accessing desktop.ini, which can be leveraged\n to alter how Explorer displays a folder\'s content (i.e. renaming files) without\n changing them on disk.\nreferences:\n- https://isc.sans.edu/forums/diary/Desktopini+as+a+postexploitation+tool/25912/\nauthor: Maxime Thiebaut (@0xThiebaut)\ndate: 2020/03/19\ntags:\n- attack.persistence\n- attack.t1023\nlogsource:\n product: windows\n service: sysmon\ndetection:\n filter:\n Image:\n - C:\\Windows\\explorer.exe\n - C:\\Windows\\System32\\msiexec.exe\n - C:\\Windows\\System32\\mmc.exe\n selection:\n EventID: 11\n TargetFilename|endswith: \\desktop.ini\n condition: selection and not filter\nfalsepositives:\n- Operations performed through Windows SCCM or equivalent\nlevel: medium\n\n
\n}}'),(6590,'Issue',365,15,'T1023'),(6591,'Issue',366,1,'Suspicious RUN Key from Download'),(6592,'Issue',366,2,'Florian Roth'),(6593,'Issue',366,8,'https://app.any.run/tasks/c5bef5b7-f484-4c43-9cf3-d5c5c7839def/'),(6594,'Issue',366,10,'high'),(6595,'Issue',366,13,'community'),(6596,'Issue',366,14,'windows'),(6598,'Issue',366,11,'4a98c6777'),(6599,'Issue',366,12,'9c5037d1-c568-49b3-88c7-9846a5bdc2be'),(6600,'Issue',366,16,'win-sysmon'),(6601,'Issue',366,17,''),(6602,'Issue',366,7,''),(6603,'Issue',366,3,'Detects the suspicious RUN keys created by software located in Download or temporary Outlook/Internet Explorer directories'),(6604,'Issue',366,4,''),(6605,'Issue',366,5,'_False Positives_\nSoftware installers downloaded and used by users'),(6606,'Issue',366,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"13\" AND process.executable.keyword:(*\\\\Downloads\\\\* OR *\\\\Temporary\\ Internet\\ Files\\\\Content.Outlook\\\\* OR *\\\\Local\\ Settings\\\\Temporary\\ Internet\\ Files\\\\*) AND event_data.TargetObject.keyword:*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*)\nindex: so-*\nname: Suspicious RUN Key from Download\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(6607,'Issue',366,9,'{{collapse(View Sigma)\n\n\ntitle: Suspicious RUN Key from Download\nid: 9c5037d1-c568-49b3-88c7-9846a5bdc2be\nstatus: experimental\ndescription: Detects the suspicious RUN keys created by software located in Download\n or temporary Outlook/Internet Explorer directories\nreferences:\n- https://app.any.run/tasks/c5bef5b7-f484-4c43-9cf3-d5c5c7839def/\nauthor: Florian Roth\ndate: 2019/10/01\ntags:\n- attack.persistence\n- attack.t1060\nlogsource:\n product: windows\n service: sysmon\ndetection:\n selection:\n EventID: 13\n Image:\n - \'*\\Downloads\\\\*\'\n - \'*\\Temporary Internet Files\\Content.Outlook\\\\*\'\n - \'*\\Local Settings\\Temporary Internet Files\\\\*\'\n TargetObject: \'*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\\\*\'\n condition: selection\nfalsepositives:\n- Software installers downloaded and used by users\nlevel: high\n\n
\n}}'),(6608,'Issue',366,15,'T1060'),(6609,'Issue',367,1,'Suspicious Driver Load from Temp'),(6610,'Issue',367,2,'Florian Roth'),(6611,'Issue',367,8,'none'),(6612,'Issue',367,10,'medium'),(6613,'Issue',367,13,'community'),(6614,'Issue',367,14,'windows'),(6616,'Issue',367,11,'d9e3b1335'),(6617,'Issue',367,12,'2c4523d5-d481-4ed0-8ec3-7fbf0cb41a75'),(6618,'Issue',367,16,'win-sysmon'),(6619,'Issue',367,17,''),(6620,'Issue',367,7,''),(6621,'Issue',367,3,'Detects a driver load from a temporary directory'),(6622,'Issue',367,4,''),(6623,'Issue',367,5,'_False Positives_\nthere is a relevant set of false positives depending on applications in the environment'),(6624,'Issue',367,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"6\" AND event_data.ImageLoaded.keyword:*\\\\Temp\\\\*)\nindex: so-*\nname: Suspicious Driver Load from Temp\npriority: 3\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(6625,'Issue',367,9,'{{collapse(View Sigma)\n\n\ntitle: Suspicious Driver Load from Temp\nid: 2c4523d5-d481-4ed0-8ec3-7fbf0cb41a75\ndescription: Detects a driver load from a temporary directory\nauthor: Florian Roth\ndate: 2017/02/12\ntags:\n- attack.persistence\n- attack.t1050\nlogsource:\n product: windows\n service: sysmon\ndetection:\n selection:\n EventID: 6\n ImageLoaded: \'*\\Temp\\\\*\'\n condition: selection\nfalsepositives:\n- there is a relevant set of false positives depending on applications in the environment\nlevel: medium\n\n
\n}}'),(6626,'Issue',367,15,'T1050'),(6627,'Issue',368,1,'Suspicious File Characteristics Due to Missing Fields'),(6628,'Issue',368,2,'Markus Neis'),(6629,'Issue',368,8,'https://securelist.com/muddywater/88059/\nhttps://www.virustotal.com/#/file/276a765a10f98cda1a38d3a31e7483585ca3722ecad19d784441293acf1b7beb/detection'),(6630,'Issue',368,10,'medium'),(6631,'Issue',368,13,'community'),(6632,'Issue',368,14,'windows'),(6634,'Issue',368,11,'c82bedced'),(6635,'Issue',368,12,'9637e8a5-7131-4f7f-bdc7-2b05d8670c43'),(6636,'Issue',368,16,'win-sysmon'),(6637,'Issue',368,17,''),(6638,'Issue',368,7,''),(6639,'Issue',368,3,'Detects Executables without FileVersion,Description,Product,Company likely created with py2exe'),(6640,'Issue',368,4,''),(6641,'Issue',368,5,'_False Positives_\nUnknown\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(6642,'Issue',368,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.pe.description:\"\\?\" AND (event_data.FileVersion:\"\\?\" OR process.pe.product:\"\\?\" OR event_data.Company:\"\\?\"))\nindex: so-*\nname: Suspicious File Characteristics Due to Missing Fields\npriority: 3\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(6643,'Issue',368,9,'{{collapse(View Sigma)\n\n\ntitle: Suspicious File Characteristics Due to Missing Fields\nid: 9637e8a5-7131-4f7f-bdc7-2b05d8670c43\ndescription: Detects Executables without FileVersion,Description,Product,Company likely\n created with py2exe\nstatus: experimental\nreferences:\n- https://securelist.com/muddywater/88059/\n- https://www.virustotal.com/#/file/276a765a10f98cda1a38d3a31e7483585ca3722ecad19d784441293acf1b7beb/detection\nauthor: Markus Neis\ndate: 2018/11/22\nmodified: 2019/11/09\ntags:\n- attack.defense_evasion\n- attack.execution\n- attack.t1064\nlogsource:\n product: windows\n service: sysmon\ndetection:\n selection1:\n Description: \\?\n FileVersion: \\?\n selection2:\n Description: \\?\n Product: \\?\n selection3:\n Description: \\?\n Company: \\?\n condition: 1 of them\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Unknown\nlevel: medium\n\n
\n}}'),(6644,'Issue',368,15,'T1064'),(6645,'Issue',369,1,'Possible Process Hollowing Image Loading'),(6646,'Issue',369,2,'Markus Neis'),(6647,'Issue',369,8,'https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for.html'),(6648,'Issue',369,10,'high'),(6649,'Issue',369,13,'community'),(6650,'Issue',369,14,'windows'),(6652,'Issue',369,11,'5e6ed7268'),(6653,'Issue',369,12,'e32ce4f5-46c6-4c47-ba69-5de3c9193cd7'),(6654,'Issue',369,16,'win-sysmon'),(6655,'Issue',369,17,''),(6656,'Issue',369,7,''),(6657,'Issue',369,3,'Detects Loading of samlib.dll, WinSCard.dll from untypical process e.g. through process hollowing by Mimikatz'),(6658,'Issue',369,4,''),(6659,'Issue',369,5,'_False Positives_\nVery likely, needs more tuning'),(6660,'Issue',369,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"7\" AND process.executable.keyword:(*\\\\notepad.exe) AND event_data.ImageLoaded.keyword:(*\\\\samlib.dll OR *\\\\WinSCard.dll))\nindex: so-*\nname: Possible Process Hollowing Image Loading\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(6661,'Issue',369,9,'{{collapse(View Sigma)\n\n\ntitle: Possible Process Hollowing Image Loading\nid: e32ce4f5-46c6-4c47-ba69-5de3c9193cd7\nstatus: experimental\ndescription: Detects Loading of samlib.dll, WinSCard.dll from untypical process e.g.\n through process hollowing by Mimikatz\nreferences:\n- https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for.html\nauthor: Markus Neis\ndate: 2018/01/07\ntags:\n- attack.defense_evasion\n- attack.t1073\nlogsource:\n product: windows\n service: sysmon\ndetection:\n selection:\n EventID: 7\n Image:\n - \'*\\notepad.exe\'\n ImageLoaded:\n - \'*\\samlib.dll\'\n - \'*\\WinSCard.dll\'\n condition: selection\nfalsepositives:\n- Very likely, needs more tuning\nlevel: high\n\n
\n}}'),(6662,'Issue',369,15,'T1073'),(6663,'Issue',370,1,'DLL Load via LSASS'),(6664,'Issue',370,2,'Florian Roth'),(6665,'Issue',370,8,'https://blog.xpnsec.com/exploring-mimikatz-part-1/\nhttps://twitter.com/SBousseaden/status/1183745981189427200'),(6666,'Issue',370,10,'high'),(6667,'Issue',370,13,'community'),(6668,'Issue',370,14,'windows'),(6670,'Issue',370,11,'351d4d774'),(6671,'Issue',370,12,'b3503044-60ce-4bf4-bbcb-e3db98788823'),(6672,'Issue',370,16,'win-sysmon'),(6673,'Issue',370,17,''),(6674,'Issue',370,7,''),(6675,'Issue',370,3,'Detects a method to load DLL via LSASS process using an undocumented Registry key'),(6676,'Issue',370,4,''),(6677,'Issue',370,5,'_False Positives_\nUnknown'),(6678,'Issue',370,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:(\"12\" OR \"13\") AND event_data.TargetObject.keyword:(*\\\\CurrentControlSet\\\\Services\\\\NTDS\\\\DirectoryServiceExtPt* OR *\\\\CurrentControlSet\\\\Services\\\\NTDS\\\\LsaDbExtPt*))\nindex: so-*\nname: DLL Load via LSASS\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(6679,'Issue',370,9,'{{collapse(View Sigma)\n\n\ntitle: DLL Load via LSASS\nid: b3503044-60ce-4bf4-bbcb-e3db98788823\nstatus: experimental\ndescription: Detects a method to load DLL via LSASS process using an undocumented\n Registry key\nauthor: Florian Roth\ndate: 2019/10/16\nreferences:\n- https://blog.xpnsec.com/exploring-mimikatz-part-1/\n- https://twitter.com/SBousseaden/status/1183745981189427200\nlogsource:\n product: windows\n service: sysmon\ndetection:\n selection:\n EventID:\n - 12\n - 13\n TargetObject:\n - \'*\\CurrentControlSet\\Services\\NTDS\\DirectoryServiceExtPt*\'\n - \'*\\CurrentControlSet\\Services\\NTDS\\LsaDbExtPt*\'\n condition: selection\ntags:\n- attack.execution\n- attack.t1177\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(6680,'Issue',370,15,'T1177'),(6681,'Issue',371,1,'dotNET DLL Loaded Via Office Applications'),(6682,'Issue',371,2,'Antonlovesdnb'),(6683,'Issue',371,8,'https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16'),(6684,'Issue',371,10,'high'),(6685,'Issue',371,13,'community'),(6686,'Issue',371,14,'windows'),(6688,'Issue',371,11,'0080b54ee'),(6689,'Issue',371,12,'ff0f2b05-09db-4095-b96d-1b75ca24894a'),(6690,'Issue',371,16,'win-sysmon'),(6691,'Issue',371,17,''),(6692,'Issue',371,7,''),(6693,'Issue',371,3,'Detects any assembly DLL being loaded by an Office Product'),(6694,'Issue',371,4,''),(6695,'Issue',371,5,'_False Positives_\nAlerts on legitimate macro usage as well, will need to filter as appropriate'),(6696,'Issue',371,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"7\" AND process.executable.keyword:(*\\\\winword.exe* OR *\\\\powerpnt.exe* OR *\\\\excel.exe* OR *\\\\outlook.exe*) AND event_data.ImageLoaded.keyword:(*C\\:\\\\Windows\\\\assembly\\*))\nindex: so-*\nname: dotNET DLL Loaded Via Office Applications\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(6697,'Issue',371,9,'{{collapse(View Sigma)\n\n\ntitle: dotNET DLL Loaded Via Office Applications\nid: ff0f2b05-09db-4095-b96d-1b75ca24894a\nstatus: experimental\ndescription: Detects any assembly DLL being loaded by an Office Product\nreferences:\n- https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16\nauthor: Antonlovesdnb\ndate: 2020/02/19\ntags:\n- attack.initial_access\n- attack.t1193\nlogsource:\n product: windows\n service: sysmon\ndetection:\n selection:\n EventID: 7\n Image:\n - \'*\\winword.exe*\'\n - \'*\\powerpnt.exe*\'\n - \'*\\excel.exe*\'\n - \'*\\outlook.exe*\'\n ImageLoaded:\n - \'*C:\\Windows\\assembly\\*\'\n condition: selection\nfalsepositives:\n- Alerts on legitimate macro usage as well, will need to filter as appropriate\nlevel: high\n\n
\n}}'),(6698,'Issue',371,15,'T1193'),(6699,'Issue',372,1,'CLR DLL Loaded Via Office Applications'),(6700,'Issue',372,2,'Antonlovesdnb'),(6701,'Issue',372,8,'https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16'),(6702,'Issue',372,10,'high'),(6703,'Issue',372,13,'community'),(6704,'Issue',372,14,'windows'),(6706,'Issue',372,11,'7105151cd'),(6707,'Issue',372,12,'d13c43f0-f66b-4279-8b2c-5912077c1780'),(6708,'Issue',372,16,'win-sysmon'),(6709,'Issue',372,17,''),(6710,'Issue',372,7,''),(6711,'Issue',372,3,'Detects CLR DLL being loaded by an Office Product'),(6712,'Issue',372,4,''),(6713,'Issue',372,5,'_False Positives_\nAlerts on legitimate macro usage as well, will need to filter as appropriate'),(6714,'Issue',372,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"7\" AND process.executable.keyword:(*\\\\winword.exe OR *\\\\powerpnt.exe OR *\\\\excel.exe OR *\\\\outlook.exe) AND event_data.ImageLoaded.keyword:(*\\\\clr.dll*))\nindex: so-*\nname: CLR DLL Loaded Via Office Applications\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(6715,'Issue',372,9,'{{collapse(View Sigma)\n\n\ntitle: CLR DLL Loaded Via Office Applications\nid: d13c43f0-f66b-4279-8b2c-5912077c1780\nstatus: experimental\ndescription: Detects CLR DLL being loaded by an Office Product\nreferences:\n- https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16\nauthor: Antonlovesdnb\ndate: 2020/02/19\ntags:\n- attack.initial_access\n- attack.t1193\nlogsource:\n product: windows\n service: sysmon\ndetection:\n selection:\n EventID: 7\n Image:\n - \'*\\winword.exe\'\n - \'*\\powerpnt.exe\'\n - \'*\\excel.exe\'\n - \'*\\outlook.exe\'\n ImageLoaded:\n - \'*\\clr.dll*\'\n condition: selection\nfalsepositives:\n- Alerts on legitimate macro usage as well, will need to filter as appropriate\nlevel: high\n\n
\n}}'),(6716,'Issue',372,15,'T1193'),(6717,'Issue',373,1,'GAC DLL Loaded Via Office Applications'),(6718,'Issue',373,2,'Antonlovesdnb'),(6719,'Issue',373,8,'https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16'),(6720,'Issue',373,10,'high'),(6721,'Issue',373,13,'community'),(6722,'Issue',373,14,'windows'),(6724,'Issue',373,11,'e450b3ce2'),(6725,'Issue',373,12,'90217a70-13fc-48e4-b3db-0d836c5824ac'),(6726,'Issue',373,16,'win-sysmon'),(6727,'Issue',373,17,''),(6728,'Issue',373,7,''),(6729,'Issue',373,3,'Detects any GAC DLL being loaded by an Office Product'),(6730,'Issue',373,4,''),(6731,'Issue',373,5,'_False Positives_\nAlerts on legitimate macro usage as well, will need to filter as appropriate'),(6732,'Issue',373,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"7\" AND process.executable.keyword:(*\\\\winword.exe* OR *\\\\powerpnt.exe* OR *\\\\excel.exe* OR *\\\\outlook.exe*) AND event_data.ImageLoaded.keyword:(*C\\:\\\\Windows\\\\Microsoft.NET\\\\assembly\\\\GAC_MSIL*))\nindex: so-*\nname: GAC DLL Loaded Via Office Applications\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(6733,'Issue',373,9,'{{collapse(View Sigma)\n\n\ntitle: GAC DLL Loaded Via Office Applications\nid: 90217a70-13fc-48e4-b3db-0d836c5824ac\nstatus: experimental\ndescription: Detects any GAC DLL being loaded by an Office Product\nreferences:\n- https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16\nauthor: Antonlovesdnb\ndate: 2020/02/19\ntags:\n- attack.initial_access\n- attack.t1193\nlogsource:\n product: windows\n service: sysmon\ndetection:\n selection:\n EventID: 7\n Image:\n - \'*\\winword.exe*\'\n - \'*\\powerpnt.exe*\'\n - \'*\\excel.exe*\'\n - \'*\\outlook.exe*\'\n ImageLoaded:\n - \'*C:\\Windows\\Microsoft.NET\\assembly\\GAC_MSIL*\'\n condition: selection\nfalsepositives:\n- Alerts on legitimate macro usage as well, will need to filter as appropriate\nlevel: high\n\n
\n}}'),(6734,'Issue',373,15,'T1193'),(6735,'Issue',374,1,'Active Directory Parsing DLL Loaded Via Office Applications'),(6736,'Issue',374,2,'Antonlovesdnb'),(6737,'Issue',374,8,'https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16'),(6738,'Issue',374,10,'high'),(6739,'Issue',374,13,'community'),(6740,'Issue',374,14,'windows'),(6742,'Issue',374,11,'203be1d6b'),(6743,'Issue',374,12,'a2a3b925-7bb0-433b-b508-db9003263cc4'),(6744,'Issue',374,16,'win-sysmon'),(6745,'Issue',374,17,''),(6746,'Issue',374,7,''),(6747,'Issue',374,3,'Detects DSParse DLL being loaded by an Office Product'),(6748,'Issue',374,4,''),(6749,'Issue',374,5,'_False Positives_\nAlerts on legitimate macro usage as well, will need to filter as appropriate'),(6750,'Issue',374,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"7\" AND process.executable.keyword:(*\\\\winword.exe OR *\\\\powerpnt.exe OR *\\\\excel.exe OR *\\\\outlook.exe) AND event_data.ImageLoaded.keyword:(*\\\\dsparse.dll*))\nindex: so-*\nname: Active Directory Parsing DLL Loaded Via Office Applications\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(6751,'Issue',374,9,'{{collapse(View Sigma)\n\n\ntitle: Active Directory Parsing DLL Loaded Via Office Applications\nid: a2a3b925-7bb0-433b-b508-db9003263cc4\nstatus: experimental\ndescription: Detects DSParse DLL being loaded by an Office Product\nreferences:\n- https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16\nauthor: Antonlovesdnb\ndate: 2020/02/19\ntags:\n- attack.initial_access\n- attack.t1193\nlogsource:\n product: windows\n service: sysmon\ndetection:\n selection:\n EventID: 7\n Image:\n - \'*\\winword.exe\'\n - \'*\\powerpnt.exe\'\n - \'*\\excel.exe\'\n - \'*\\outlook.exe\'\n ImageLoaded:\n - \'*\\dsparse.dll*\'\n condition: selection\nfalsepositives:\n- Alerts on legitimate macro usage as well, will need to filter as appropriate\nlevel: high\n\n
\n}}'),(6752,'Issue',374,15,'T1193'),(6753,'Issue',375,1,'Active Directory Kerberos DLL Loaded Via Office Applications'),(6754,'Issue',375,2,'Antonlovesdnb'),(6755,'Issue',375,8,'https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16'),(6756,'Issue',375,10,'high'),(6757,'Issue',375,13,'community'),(6758,'Issue',375,14,'windows'),(6760,'Issue',375,11,'3ce399676'),(6761,'Issue',375,12,'7417e29e-c2e7-4cf6-a2e8-767228c64837'),(6762,'Issue',375,16,'win-sysmon'),(6763,'Issue',375,17,''),(6764,'Issue',375,7,''),(6765,'Issue',375,3,'Detects Kerberos DLL being loaded by an Office Product'),(6766,'Issue',375,4,''),(6767,'Issue',375,5,'_False Positives_\nAlerts on legitimate macro usage as well, will need to filter as appropriate'),(6768,'Issue',375,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"7\" AND process.executable.keyword:(*\\\\winword.exe* OR *\\\\powerpnt.exe* OR *\\\\excel.exe* OR *\\\\outlook.exe*) AND event_data.ImageLoaded.keyword:(*\\\\kerberos.dll*))\nindex: so-*\nname: Active Directory Kerberos DLL Loaded Via Office Applications\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(6769,'Issue',375,9,'{{collapse(View Sigma)\n\n\ntitle: Active Directory Kerberos DLL Loaded Via Office Applications\nid: 7417e29e-c2e7-4cf6-a2e8-767228c64837\nstatus: experimental\ndescription: Detects Kerberos DLL being loaded by an Office Product\nreferences:\n- https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16\nauthor: Antonlovesdnb\ndate: 2020/02/19\ntags:\n- attack.initial_access\n- attack.t1193\nlogsource:\n product: windows\n service: sysmon\ndetection:\n selection:\n EventID: 7\n Image:\n - \'*\\winword.exe*\'\n - \'*\\powerpnt.exe*\'\n - \'*\\excel.exe*\'\n - \'*\\outlook.exe*\'\n ImageLoaded:\n - \'*\\kerberos.dll*\'\n condition: selection\nfalsepositives:\n- Alerts on legitimate macro usage as well, will need to filter as appropriate\nlevel: high\n\n
\n}}'),(6770,'Issue',375,15,'T1193'),(6771,'Issue',376,1,'PowerShell Rundll32 Remote Thread Creation'),(6772,'Issue',376,2,'Florian Roth'),(6773,'Issue',376,8,'https://www.fireeye.com/blog/threat-research/2018/06/bring-your-own-land-novel-red-teaming-technique.html'),(6774,'Issue',376,10,'high'),(6775,'Issue',376,13,'community'),(6776,'Issue',376,14,'windows'),(6778,'Issue',376,11,'037897459'),(6779,'Issue',376,12,'99b97608-3e21-4bfe-8217-2a127c396a0e'),(6780,'Issue',376,16,'win-sysmon'),(6781,'Issue',376,17,''),(6782,'Issue',376,7,''),(6783,'Issue',376,3,'Detects PowerShell remote thread creation in Rundll32.exe'),(6784,'Issue',376,4,''),(6785,'Issue',376,5,'_False Positives_\nUnkown'),(6786,'Issue',376,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"8\" AND event_data.SourceImage.keyword:*\\\\powershell.exe AND event_data.TargetImage.keyword:*\\\\rundll32.exe)\nindex: so-*\nname: PowerShell Rundll32 Remote Thread Creation\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(6787,'Issue',376,9,'{{collapse(View Sigma)\n\n\ntitle: PowerShell Rundll32 Remote Thread Creation\nid: 99b97608-3e21-4bfe-8217-2a127c396a0e\nstatus: experimental\ndescription: Detects PowerShell remote thread creation in Rundll32.exe\nauthor: Florian Roth\nreferences:\n- https://www.fireeye.com/blog/threat-research/2018/06/bring-your-own-land-novel-red-teaming-technique.html\ndate: 2018/06/25\nlogsource:\n product: windows\n service: sysmon\ndetection:\n selection:\n EventID: 8\n SourceImage: \'*\\powershell.exe\'\n TargetImage: \'*\\rundll32.exe\'\n condition: selection\ntags:\n- attack.defense_evasion\n- attack.execution\n- attack.t1085\n- attack.t1086\nfalsepositives:\n- Unkown\nlevel: high\n\n
\n}}'),(6788,'Issue',376,15,'T1085'),(6789,'Issue',376,15,'T1086'),(6790,'Issue',377,1,'Suspicious PROCEXP152.sys File Created In TMP'),(6791,'Issue',377,2,'xknow (@xknow_infosec), xorxes (@xor_xes)'),(6792,'Issue',377,8,'https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/'),(6793,'Issue',377,10,'medium'),(6794,'Issue',377,13,'community'),(6795,'Issue',377,14,'windows'),(6797,'Issue',377,11,'9af1e153b'),(6798,'Issue',377,12,'3da70954-0f2c-4103-adff-b7440368f50e'),(6799,'Issue',377,16,'win-sysmon'),(6800,'Issue',377,17,''),(6801,'Issue',377,7,''),(6802,'Issue',377,3,'Detects the creation of the PROCEXP152.sys file in the application-data local temporary folder. This driver is used by Sysinternals Process Explorer but also by KDU (https://github.com/hfiref0x/KDU) or Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs), which uses KDU.'),(6803,'Issue',377,4,''),(6804,'Issue',377,5,'_False Positives_\nOther legimate tools using this driver and filename (like Sysinternals). Note - Clever attackers may easily bypass this detection by just renaming the driver filename. Therefore just Medium-level and don\'t rely on it.'),(6805,'Issue',377,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (event.code:\"11\" AND event_data.TargetFilename.keyword:*\\\\AppData\\\\Local\\\\Temp\\*\\\\PROCEXP152.sys) AND (NOT (process.executable.keyword:(*\\\\procexp64.exe* OR *\\\\procexp.exe* OR *\\\\procmon64.exe* OR *\\\\procmon.exe*))))\nindex: so-*\nname: Suspicious PROCEXP152.sys File Created In TMP\npriority: 3\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(6806,'Issue',377,9,'{{collapse(View Sigma)\n\n\ntitle: Suspicious PROCEXP152.sys File Created In TMP\nid: 3da70954-0f2c-4103-adff-b7440368f50e\ndescription: Detects the creation of the PROCEXP152.sys file in the application-data\n local temporary folder. This driver is used by Sysinternals Process Explorer but\n also by KDU (https://github.com/hfiref0x/KDU) or Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs),\n which uses KDU.\nstatus: experimental\ndate: 2019/04/08\nauthor: xknow (@xknow_infosec), xorxes (@xor_xes)\nreferences:\n- https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/\ntags:\n- attack.t1089\n- attack.defense_evasion\nlogsource:\n product: windows\n service: sysmon\ndetection:\n selection_1:\n EventID: 11\n TargetFilename: \'*\\AppData\\Local\\Temp\\*\\PROCEXP152.sys\'\n selection_2:\n Image|contains:\n - \'*\\procexp64.exe\'\n - \'*\\procexp.exe\'\n - \'*\\procmon64.exe\'\n - \'*\\procmon.exe\'\n condition: selection_1 and not selection_2\nfalsepositives:\n- Other legimate tools using this driver and filename (like Sysinternals). Note -\n Clever attackers may easily bypass this detection by just renaming the driver filename.\n Therefore just Medium-level and don\'t rely on it.\nlevel: medium\n\n
\n}}'),(6807,'Issue',377,15,'T1089'),(6808,'Issue',378,1,'Suspicious Program Location with Network Connections'),(6809,'Issue',378,2,'Florian Roth'),(6810,'Issue',378,8,'https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo'),(6811,'Issue',378,10,'high'),(6812,'Issue',378,13,'community'),(6813,'Issue',378,14,'windows'),(6814,'Issue',378,15,''),(6815,'Issue',378,11,'58575f239'),(6816,'Issue',378,12,'7b434893-c57d-4f41-908d-6a17bf1ae98f'),(6817,'Issue',378,16,'win-sysmon'),(6818,'Issue',378,17,''),(6819,'Issue',378,7,''),(6820,'Issue',378,3,'Detects programs with network connections running in suspicious files system locations'),(6821,'Issue',378,4,''),(6822,'Issue',378,5,'_False Positives_\nunknown'),(6823,'Issue',378,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"3\" AND process.executable.keyword:(*\\\\$Recycle.bin OR *\\\\Users\\\\All\\ Users\\\\* OR *\\\\Users\\\\Default\\\\* OR *\\\\Users\\\\Public\\\\* OR *\\\\Users\\\\Contacts\\\\* OR *\\\\Users\\\\Searches\\\\* OR C\\:\\\\Perflogs\\\\* OR *\\\\config\\\\systemprofile\\\\* OR *\\\\Windows\\\\Fonts\\\\* OR *\\\\Windows\\\\IME\\\\* OR *\\\\Windows\\\\addins\\\\*))\nindex: so-*\nname: Suspicious Program Location with Network Connections\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(6824,'Issue',378,9,'{{collapse(View Sigma)\n\n\ntitle: Suspicious Program Location with Network Connections\nid: 7b434893-c57d-4f41-908d-6a17bf1ae98f\nstatus: experimental\ndescription: Detects programs with network connections running in suspicious files\n system locations\nreferences:\n- https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo\nauthor: Florian Roth\ndate: 2017/03/19\nlogsource:\n product: windows\n service: sysmon\n definition: Use the following config to generate the necessary Event ID 3 Network\n Connection events\ndetection:\n selection:\n EventID: 3\n Image:\n - \'*\\$Recycle.bin\'\n - \'*\\Users\\All Users\\\\*\'\n - \'*\\Users\\Default\\\\*\'\n - \'*\\Users\\Public\\\\*\'\n - \'*\\Users\\Contacts\\\\*\'\n - \'*\\Users\\Searches\\\\*\'\n - C:\\Perflogs\\\\*\n - \'*\\config\\systemprofile\\\\*\'\n - \'*\\Windows\\Fonts\\\\*\'\n - \'*\\Windows\\IME\\\\*\'\n - \'*\\Windows\\addins\\\\*\'\n condition: selection\nfalsepositives:\n- unknown\nlevel: high\n\n
\n}}'),(6825,'Issue',379,1,'Suspicious Outbound RDP Connections'),(6826,'Issue',379,2,'Markus Neis - Swisscom'),(6827,'Issue',379,8,'https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708'),(6828,'Issue',379,10,'high'),(6829,'Issue',379,13,'community'),(6830,'Issue',379,14,'windows'),(6832,'Issue',379,11,'9f1b0b238'),(6833,'Issue',379,12,'ed74fe75-7594-4b4b-ae38-e38e3fd2eb23'),(6834,'Issue',379,16,'win-sysmon'),(6835,'Issue',379,17,''),(6836,'Issue',379,7,''),(6837,'Issue',379,3,'Detects Non-Standard Tools Connecting to TCP port 3389 indicating possible lateral movement'),(6838,'Issue',379,4,''),(6839,'Issue',379,5,'_False Positives_\nOther Remote Desktop RDP tools'),(6840,'Issue',379,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (event.code:\"3\" AND destination_port:\"3389\" AND event_data.Initiated:\"true\") AND (NOT (process.executable.keyword:(*\\\\mstsc.exe OR *\\\\RTSApp.exe OR *\\\\RTS2App.exe OR *\\\\RDCMan.exe OR *\\\\ws_TunnelService.exe OR *\\\\RSSensor.exe OR *\\\\RemoteDesktopManagerFree.exe OR *\\\\RemoteDesktopManager.exe OR *\\\\RemoteDesktopManager64.exe OR *\\\\mRemoteNG.exe OR *\\\\mRemote.exe OR *\\\\Terminals.exe OR *\\\\spiceworks\\-finder.exe OR *\\\\FSDiscovery.exe OR *\\\\FSAssessment.exe OR *\\\\MobaRTE.exe OR *\\\\chrome.exe OR *\\\\thor.exe OR *\\\\thor64.exe))))\nindex: so-*\nname: Suspicious Outbound RDP Connections\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(6841,'Issue',379,9,'{{collapse(View Sigma)\n\n\ntitle: Suspicious Outbound RDP Connections\nid: ed74fe75-7594-4b4b-ae38-e38e3fd2eb23\nstatus: experimental\ndescription: Detects Non-Standard Tools Connecting to TCP port 3389 indicating possible\n lateral movement\nreferences:\n- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708\nauthor: Markus Neis - Swisscom\ndate: 2019/05/15\ntags:\n- attack.lateral_movement\n- attack.t1210\n- car.2013-07-002\nlogsource:\n product: windows\n service: sysmon\ndetection:\n selection:\n EventID: 3\n DestinationPort: 3389\n Initiated: \'true\'\n filter:\n Image:\n - \'*\\mstsc.exe\'\n - \'*\\RTSApp.exe\'\n - \'*\\RTS2App.exe\'\n - \'*\\RDCMan.exe\'\n - \'*\\ws_TunnelService.exe\'\n - \'*\\RSSensor.exe\'\n - \'*\\RemoteDesktopManagerFree.exe\'\n - \'*\\RemoteDesktopManager.exe\'\n - \'*\\RemoteDesktopManager64.exe\'\n - \'*\\mRemoteNG.exe\'\n - \'*\\mRemote.exe\'\n - \'*\\Terminals.exe\'\n - \'*\\spiceworks-finder.exe\'\n - \'*\\FSDiscovery.exe\'\n - \'*\\FSAssessment.exe\'\n - \'*\\MobaRTE.exe\'\n - \'*\\chrome.exe\'\n - \'*\\thor.exe\'\n - \'*\\thor64.exe\'\n condition: selection and not filter\nfalsepositives:\n- Other Remote Desktop RDP tools\nlevel: high\n\n
\n}}'),(6842,'Issue',379,15,'T1210'),(6843,'Issue',380,1,'Registry Persistence via Explorer Run Key'),(6844,'Issue',380,2,'Florian Roth'),(6845,'Issue',380,8,'https://researchcenter.paloaltonetworks.com/2018/07/unit42-upatre-continues-evolve-new-anti-analysis-techniques/'),(6846,'Issue',380,10,'high'),(6847,'Issue',380,13,'community'),(6848,'Issue',380,14,'windows'),(6850,'Issue',380,11,'d976ce159'),(6851,'Issue',380,12,'b7916c2a-fa2f-4795-9477-32b731f70f11'),(6852,'Issue',380,16,'win-sysmon'),(6853,'Issue',380,17,''),(6854,'Issue',380,7,''),(6855,'Issue',380,3,'Detects a possible persistence mechanism using RUN key for Windows Explorer and pointing to a suspicious folder'),(6856,'Issue',380,4,''),(6857,'Issue',380,5,'_False Positives_\nUnknown\n\n_Interesting Log Fields_\nImage\nParentImage'),(6858,'Issue',380,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"13\" AND event_data.TargetObject.keyword:*\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run AND event_data.Details.keyword:(C\\:\\\\Windows\\\\Temp\\\\* OR C\\:\\\\ProgramData\\\\* OR *\\\\AppData\\\\* OR C\\:\\\\$Recycle.bin\\\\* OR C\\:\\\\Temp\\\\* OR C\\:\\\\Users\\\\Public\\\\* OR C\\:\\\\Users\\\\Default\\\\*))\nindex: so-*\nname: Registry Persistence via Explorer Run Key\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(6859,'Issue',380,9,'{{collapse(View Sigma)\n\n\ntitle: Registry Persistence via Explorer Run Key\nid: b7916c2a-fa2f-4795-9477-32b731f70f11\nstatus: experimental\ndescription: Detects a possible persistence mechanism using RUN key for Windows Explorer\n and pointing to a suspicious folder\nauthor: Florian Roth\ndate: 2018/07/18\nreferences:\n- https://researchcenter.paloaltonetworks.com/2018/07/unit42-upatre-continues-evolve-new-anti-analysis-techniques/\nlogsource:\n product: windows\n service: sysmon\ndetection:\n selection:\n EventID: 13\n TargetObject: \'*\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\'\n Details:\n - C:\\Windows\\Temp\\\\*\n - C:\\ProgramData\\\\*\n - \'*\\AppData\\\\*\'\n - C:\\$Recycle.bin\\\\*\n - C:\\Temp\\\\*\n - C:\\Users\\Public\\\\*\n - C:\\Users\\Default\\\\*\n condition: selection\ntags:\n- attack.persistence\n- attack.t1060\n- capec.270\nfields:\n- Image\n- ParentImage\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(6860,'Issue',380,15,'T1060'),(6861,'Issue',381,1,'New RUN Key Pointing to Suspicious Folder'),(6862,'Issue',381,2,'Florian Roth, Markus Neis'),(6863,'Issue',381,8,'https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html'),(6864,'Issue',381,10,'high'),(6865,'Issue',381,13,'community'),(6866,'Issue',381,14,'windows'),(6868,'Issue',381,11,'321e02b21'),(6869,'Issue',381,12,'02ee49e2-e294-4d0f-9278-f5b3212fc588'),(6870,'Issue',381,16,'win-sysmon'),(6871,'Issue',381,17,''),(6872,'Issue',381,7,''),(6873,'Issue',381,3,'Detects suspicious new RUN key element pointing to an executable in a suspicious folder'),(6874,'Issue',381,4,''),(6875,'Issue',381,5,'_False Positives_\nSoftware using the AppData folders for updates\n\n_Interesting Log Fields_\nImage'),(6876,'Issue',381,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (event.code:\"13\" AND event_data.TargetObject.keyword:(*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\* OR *\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\*) AND event_data.Details.keyword:(*C\\:\\\\Windows\\\\Temp\\\\* OR *\\\\AppData\\\\* OR %AppData%\\\\* OR *C\\:\\\\$Recycle.bin\\\\* OR *C\\:\\\\Temp\\\\* OR *C\\:\\\\Users\\\\Public\\\\* OR %Public%\\\\* OR *C\\:\\\\Users\\\\Default\\\\* OR *C\\:\\\\Users\\\\Desktop\\\\* OR wscript* OR cscript*)) AND (NOT (event_data.Details.keyword:(*\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\*))))\nindex: so-*\nname: New RUN Key Pointing to Suspicious Folder\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(6877,'Issue',381,9,'{{collapse(View Sigma)\n\n\ntitle: New RUN Key Pointing to Suspicious Folder\nid: 02ee49e2-e294-4d0f-9278-f5b3212fc588\nstatus: experimental\ndescription: Detects suspicious new RUN key element pointing to an executable in a\n suspicious folder\nreferences:\n- https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html\nauthor: Florian Roth, Markus Neis\ntags:\n- attack.persistence\n- attack.t1060\ndate: 2018/08/25\nmodified: 2020/02/26\nlogsource:\n product: windows\n service: sysmon\ndetection:\n selection:\n EventID: 13\n TargetObject:\n - \'*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\\\*\'\n - \'*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\\\*\'\n Details:\n - \'*C:\\Windows\\Temp\\\\*\'\n - \'*\\AppData\\\\*\'\n - \'%AppData%\\\\*\'\n - \'*C:\\$Recycle.bin\\\\*\'\n - \'*C:\\Temp\\\\*\'\n - \'*C:\\Users\\Public\\\\*\'\n - \'%Public%\\\\*\'\n - \'*C:\\Users\\Default\\\\*\'\n - \'*C:\\Users\\Desktop\\\\*\'\n - wscript*\n - cscript*\n filter:\n Details|contains:\n - \\AppData\\Local\\Microsoft\\OneDrive\\\n condition: selection and not filter\nfields:\n- Image\nfalsepositives:\n- Software using the AppData folders for updates\nlevel: high\n\n
\n}}'),(6878,'Issue',381,15,'T1060'),(6879,'Issue',382,1,'Suspicious Service Installed'),(6880,'Issue',382,2,'xknow (@xknow_infosec), xorxes (@xor_xes)'),(6881,'Issue',382,8,'https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/'),(6882,'Issue',382,10,'medium'),(6883,'Issue',382,13,'community'),(6884,'Issue',382,14,'windows'),(6886,'Issue',382,11,'9842ac371'),(6887,'Issue',382,12,'f2485272-a156-4773-82d7-1d178bc4905b'),(6888,'Issue',382,16,'win-sysmon'),(6889,'Issue',382,17,''),(6890,'Issue',382,7,''),(6891,'Issue',382,3,'Detects installation of NalDrv or PROCEXP152 services via registry-keys to non-system32 folders. Both services are used in the tool Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs), which uses KDU (https://github.com/hfiref0x/KDU)'),(6892,'Issue',382,4,''),(6893,'Issue',382,5,'_False Positives_\nOther legimate tools using this service names and drivers. Note - clever attackers may easily bypass this detection by just renaming the services. Therefore just Medium-level and don\'t rely on it.'),(6894,'Issue',382,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND ((event.code:\"13\" AND event_data.TargetObject:(\"HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\NalDrv\\\\ImagePath\" OR \"HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\PROCEXP152\\\\ImagePath\")) AND (NOT (process.executable.keyword:(*\\\\procexp64.exe* OR *\\\\procexp.exe* OR *\\\\procmon64.exe* OR *\\\\procmon.exe*)))) AND (NOT (event_data.Details.keyword:(*\\\\WINDOWS\\\\system32\\\\Drivers\\\\PROCEXP152.SYS*))))\nindex: so-*\nname: Suspicious Service Installed\npriority: 3\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(6895,'Issue',382,9,'{{collapse(View Sigma)\n\n\ntitle: Suspicious Service Installed\nid: f2485272-a156-4773-82d7-1d178bc4905b\ndescription: Detects installation of NalDrv or PROCEXP152 services via registry-keys\n to non-system32 folders. Both services are used in the tool Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs),\n which uses KDU (https://github.com/hfiref0x/KDU)\nstatus: experimental\ndate: 2019/04/08\nauthor: xknow (@xknow_infosec), xorxes (@xor_xes)\nreferences:\n- https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/\ntags:\n- attack.t1089\n- attack.defense_evasion\nlogsource:\n product: windows\n service: sysmon\ndetection:\n selection_1:\n EventID: 13\n TargetObject:\n - HKLM\\System\\CurrentControlSet\\Services\\NalDrv\\ImagePath\n - HKLM\\System\\CurrentControlSet\\Services\\PROCEXP152\\ImagePath\n selection_2:\n Image|contains:\n - \'*\\procexp64.exe\'\n - \'*\\procexp.exe\'\n - \'*\\procmon64.exe\'\n - \'*\\procmon.exe\'\n selection_3:\n Details|contains:\n - \'*\\WINDOWS\\system32\\Drivers\\PROCEXP152.SYS\'\n condition: selection_1 and not selection_2 and not selection_3\nfalsepositives:\n- Other legimate tools using this service names and drivers. Note - clever attackers\n may easily bypass this detection by just renaming the services. Therefore just Medium-level\n and don\'t rely on it.\nlevel: medium\n\n
\n}}'),(6896,'Issue',382,15,'T1089'),(6897,'Issue',383,1,'VBA DLL Loaded Via Microsoft Word'),(6898,'Issue',383,2,'Antonlovesdnb'),(6899,'Issue',383,8,'https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16'),(6900,'Issue',383,10,'high'),(6901,'Issue',383,13,'community'),(6902,'Issue',383,14,'windows'),(6904,'Issue',383,11,'53eb4530b'),(6905,'Issue',383,12,'e6ce8457-68b1-485b-9bdd-3c2b5d679aa9'),(6906,'Issue',383,16,'win-sysmon'),(6907,'Issue',383,17,''),(6908,'Issue',383,7,''),(6909,'Issue',383,3,'Detects DLL\'s Loaded Via Word Containing VBA Macros'),(6910,'Issue',383,4,''),(6911,'Issue',383,5,'_False Positives_\nAlerts on legitimate macro usage as well, will need to filter as appropriate'),(6912,'Issue',383,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"7\" AND process.executable.keyword:(*\\\\winword.exe* OR *\\\\powerpnt.exe* OR *\\\\excel.exe* OR *\\\\outlook.exe*) AND event_data.ImageLoaded.keyword:(*\\\\VBE7.DLL* OR *\\\\VBEUI.DLL* OR *\\\\VBE7INTL.DLL*))\nindex: so-*\nname: VBA DLL Loaded Via Microsoft Word\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(6913,'Issue',383,9,'{{collapse(View Sigma)\n\n\ntitle: VBA DLL Loaded Via Microsoft Word\nid: e6ce8457-68b1-485b-9bdd-3c2b5d679aa9\nstatus: experimental\ndescription: Detects DLL\'s Loaded Via Word Containing VBA Macros\nreferences:\n- https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16\nauthor: Antonlovesdnb\ndate: 2020/02/19\ntags:\n- attack.initial_access\n- attack.t1193\nlogsource:\n product: windows\n service: sysmon\ndetection:\n selection:\n EventID: 7\n Image:\n - \'*\\winword.exe*\'\n - \'*\\powerpnt.exe*\'\n - \'*\\excel.exe*\'\n - \'*\\outlook.exe*\'\n ImageLoaded:\n - \'*\\VBE7.DLL*\'\n - \'*\\VBEUI.DLL*\'\n - \'*\\VBE7INTL.DLL*\'\n condition: selection\nfalsepositives:\n- Alerts on legitimate macro usage as well, will need to filter as appropriate\nlevel: high\n\n
\n}}'),(6914,'Issue',383,15,'T1193'),(6915,'Issue',384,1,'Windows Mangement Instrumentation DLL Loaded Via Microsoft Word'),(6916,'Issue',384,2,'Michael R. (@nahamike01)'),(6917,'Issue',384,8,'https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16\nhttps://www.carbonblack.com/2019/04/24/cb-tau-threat-intelligence-notification-emotet-utilizing-wmi-to-launch-powershell-encoded-code/\nhttps://media.cert.europa.eu/static/SecurityAdvisories/2019/CERT-EU-SA2019-021.pdf'),(6918,'Issue',384,10,'high'),(6919,'Issue',384,13,'community'),(6920,'Issue',384,14,'windows'),(6922,'Issue',384,11,'b23e2aa5c'),(6923,'Issue',384,12,'a457f232-7df9-491d-898f-b5aabd2cbe2f'),(6924,'Issue',384,16,'win-sysmon'),(6925,'Issue',384,17,''),(6926,'Issue',384,7,''),(6927,'Issue',384,3,'Detects DLL\'s Loaded Via Word Containing VBA Macros Executing WMI Commands'),(6928,'Issue',384,4,''),(6929,'Issue',384,5,'_False Positives_\nPossible. Requires further testing.'),(6930,'Issue',384,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"7\" AND process.executable.keyword:(*\\\\winword.exe OR *\\\\powerpnt.exe OR *\\\\excel.exe OR *\\\\outlook.exe) AND event_data.ImageLoaded.keyword:(*\\\\wmiutils.dll OR *\\\\wbemcomn.dll OR *\\\\wbemprox.dll OR *\\\\wbemdisp.dll OR *\\\\wbemsvc.dll))\nindex: so-*\nname: Windows Mangement Instrumentation DLL Loaded Via Microsoft Word\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(6931,'Issue',384,9,'{{collapse(View Sigma)\n\n\ntitle: Windows Mangement Instrumentation DLL Loaded Via Microsoft Word\nid: a457f232-7df9-491d-898f-b5aabd2cbe2f\nstatus: experimental\ndescription: Detects DLL\'s Loaded Via Word Containing VBA Macros Executing WMI Commands\nreferences:\n- https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16\n- https://www.carbonblack.com/2019/04/24/cb-tau-threat-intelligence-notification-emotet-utilizing-wmi-to-launch-powershell-encoded-code/\n- https://media.cert.europa.eu/static/SecurityAdvisories/2019/CERT-EU-SA2019-021.pdf\nauthor: Michael R. (@nahamike01)\ndate: 2019/12/26\ntags:\n- attack.execution\n- attack.t1047\nlogsource:\n product: windows\n service: sysmon\ndetection:\n selection:\n EventID: 7\n Image:\n - \'*\\winword.exe\'\n - \'*\\powerpnt.exe\'\n - \'*\\excel.exe\'\n - \'*\\outlook.exe\'\n ImageLoaded:\n - \'*\\wmiutils.dll\'\n - \'*\\wbemcomn.dll\'\n - \'*\\wbemprox.dll\'\n - \'*\\wbemdisp.dll\'\n - \'*\\wbemsvc.dll\'\n condition: selection\nfalsepositives:\n- Possible. Requires further testing.\nlevel: high\n\n
\n}}'),(6932,'Issue',384,15,'T1047'),(6933,'Issue',385,1,'Suspicious Keyboard Layout Load'),(6934,'Issue',385,2,'Florian Roth'),(6935,'Issue',385,8,'https://renenyffenegger.ch/notes/Windows/registry/tree/HKEY_CURRENT_USER/Keyboard-Layout/Preload/index\nhttps://github.com/SwiftOnSecurity/sysmon-config/pull/92/files'),(6936,'Issue',385,10,'medium'),(6937,'Issue',385,13,'community'),(6938,'Issue',385,14,'windows'),(6939,'Issue',385,15,''),(6940,'Issue',385,11,'496ab3e58'),(6941,'Issue',385,12,'34aa0252-6039-40ff-951f-939fd6ce47d8'),(6942,'Issue',385,16,'win-sysmon'),(6943,'Issue',385,17,''),(6944,'Issue',385,7,''),(6945,'Issue',385,3,'Detects the keyboard preload installation with a suspicious keyboard layout, e.g. Chinese, Iranian or Vietnamese layout load in user session on systems maintained by US staff only'),(6946,'Issue',385,4,''),(6947,'Issue',385,5,'_False Positives_\nAdministrators or users that actually use the selected keyboard layouts (heavily depends on the organisation\'s user base)'),(6948,'Issue',385,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"13\" AND event_data.TargetObject.keyword:(*\\\\Keyboard\\ Layout\\\\Preload\\* OR *\\\\Keyboard\\ Layout\\\\Substitutes\\*) AND event_data.Details.keyword:(*00000429* OR *00050429* OR *0000042a*))\nindex: so-*\nname: Suspicious Keyboard Layout Load\npriority: 3\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(6949,'Issue',385,9,'{{collapse(View Sigma)\n\n\ntitle: Suspicious Keyboard Layout Load\nid: 34aa0252-6039-40ff-951f-939fd6ce47d8\ndescription: Detects the keyboard preload installation with a suspicious keyboard\n layout, e.g. Chinese, Iranian or Vietnamese layout load in user session on systems\n maintained by US staff only\nreferences:\n- https://renenyffenegger.ch/notes/Windows/registry/tree/HKEY_CURRENT_USER/Keyboard-Layout/Preload/index\n- https://github.com/SwiftOnSecurity/sysmon-config/pull/92/files\nauthor: Florian Roth\ndate: 2019/10/12\nmodified: 2019/10/15\nlogsource:\n product: windows\n service: sysmon\n definition: \'Requirements: Sysmon config that monitors \\Keyboard Layout\\Preload\n subkey of the HKLU hives - see https://github.com/SwiftOnSecurity/sysmon-config/pull/92/files\'\ndetection:\n selection_registry:\n EventID: 13\n TargetObject:\n - \'*\\Keyboard Layout\\Preload\\*\'\n - \'*\\Keyboard Layout\\Substitutes\\*\'\n Details|contains:\n - 429\n - 50429\n - 0000042a\n condition: selection_registry\nfalsepositives:\n- Administrators or users that actually use the selected keyboard layouts (heavily\n depends on the organisation\'s user base)\nlevel: medium\n\n
\n}}'),(6950,'Issue',386,1,'Suspicious Outbound Kerberos Connection'),(6951,'Issue',386,2,'Ilyas Ochkov, oscd.community'),(6952,'Issue',386,8,'https://github.com/GhostPack/Rubeus8'),(6953,'Issue',386,10,'high'),(6954,'Issue',386,13,'community'),(6955,'Issue',386,14,'windows'),(6957,'Issue',386,11,'b61a1dd2a'),(6958,'Issue',386,12,'e54979bd-c5f9-4d6c-967b-a04b19ac4c74'),(6959,'Issue',386,16,'win-sysmon'),(6960,'Issue',386,17,''),(6961,'Issue',386,7,''),(6962,'Issue',386,3,'Detects suspicious outbound network activity via kerberos default port indicating possible lateral movement or first stage PrivEsc via delegation.'),(6963,'Issue',386,4,''),(6964,'Issue',386,5,'_False Positives_\nOther browsers'),(6965,'Issue',386,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (event.code:\"3\" AND destination_port:\"88\" AND event_data.Initiated:\"true\") AND (NOT (process.executable.keyword:(*\\\\lsass.exe OR *\\\\opera.exe OR *\\\\chrome.exe OR *\\\\firefox.exe))))\nindex: so-*\nname: Suspicious Outbound Kerberos Connection\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(6966,'Issue',386,9,'{{collapse(View Sigma)\n\n\ntitle: Suspicious Outbound Kerberos Connection\nid: e54979bd-c5f9-4d6c-967b-a04b19ac4c74\nstatus: experimental\ndescription: Detects suspicious outbound network activity via kerberos default port\n indicating possible lateral movement or first stage PrivEsc via delegation.\nreferences:\n- https://github.com/GhostPack/Rubeus8\nauthor: Ilyas Ochkov, oscd.community\ndate: 2019/10/24\nmodified: 2019/11/13\ntags:\n- attack.lateral_movement\n- attack.t1208\nlogsource:\n product: windows\n service: sysmon\ndetection:\n selection:\n EventID: 3\n DestinationPort: 88\n Initiated: \'true\'\n filter:\n Image|endswith:\n - \\lsass.exe\n - \\opera.exe\n - \\chrome.exe\n - \\firefox.exe\n condition: selection and not filter\nfalsepositives:\n- Other browsers\nlevel: high\n\n
\n}}'),(6967,'Issue',386,15,'T1208'),(6968,'Issue',387,1,'Suspicious Remote Thread Created'),(6969,'Issue',387,2,'Perez Diego (@darkquassar), oscd.community'),(6970,'Issue',387,8,'Personal research, statistical analysis\nhttps://lolbas-project.github.io'),(6971,'Issue',387,10,'high'),(6972,'Issue',387,13,'community'),(6973,'Issue',387,14,'windows'),(6975,'Issue',387,11,'d107c9166'),(6976,'Issue',387,12,'66d31e5f-52d6-40a4-9615-002d3789a119'),(6977,'Issue',387,16,'win-sysmon'),(6978,'Issue',387,17,''),(6979,'Issue',387,7,''),(6980,'Issue',387,3,'Offensive tradecraft is switching away from using APIs like \"CreateRemoteThread\", however, this is still largely observed in the wild. This rule aims to detect suspicious processes (those we would not expect to behave in this way like word.exe or outlook.exe) creating remote threads on other processes. It is a generalistic rule, but it should have a low FP ratio due to the selected range of processes.'),(6981,'Issue',387,4,''),(6982,'Issue',387,5,'_False Positives_\nUnknown\n\n_Interesting Log Fields_\nComputerName\nUser\nSourceImage\nTargetImage'),(6983,'Issue',387,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (event.code:\"8\" AND event_data.SourceImage.keyword:(*\\\\bash.exe OR *\\\\cvtres.exe OR *\\\\defrag.exe OR *\\\\dnx.exe OR *\\\\esentutl.exe OR *\\\\excel.exe OR *\\\\expand.exe OR *\\\\explorer.exe OR *\\\\find.exe OR *\\\\findstr.exe OR *\\\\forfiles.exe OR *\\\\git.exe OR *\\\\gpupdate.exe OR *\\\\hh.exe OR *\\\\iexplore.exe OR *\\\\installutil.exe OR *\\\\lync.exe OR *\\\\makecab.exe OR *\\\\mDNSResponder.exe OR *\\\\monitoringhost.exe OR *\\\\msbuild.exe OR *\\\\mshta.exe OR *\\\\msiexec.exe OR *\\\\mspaint.exe OR *\\\\outlook.exe OR *\\\\ping.exe OR *\\\\powerpnt.exe OR *\\\\powershell.exe OR *\\\\provtool.exe OR *\\\\python.exe OR *\\\\regsvr32.exe OR *\\\\robocopy.exe OR *\\\\runonce.exe OR *\\\\sapcimc.exe OR *\\\\schtasks.exe OR *\\\\smartscreen.exe OR *\\\\spoolsv.exe OR *\\\\tstheme.exe OR *\\\\userinit.exe OR *\\\\vssadmin.exe OR *\\\\vssvc.exe OR *\\\\w3wp.exe* OR *\\\\winlogon.exe OR *\\\\winscp.exe OR *\\\\wmic.exe OR *\\\\word.exe OR *\\\\wscript.exe)) AND (NOT (event_data.SourceImage.keyword:*Visual\\ Studio*)))\nindex: so-*\nname: Suspicious Remote Thread Created\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(6984,'Issue',387,9,'{{collapse(View Sigma)\n\n\ntitle: Suspicious Remote Thread Created\nid: 66d31e5f-52d6-40a4-9615-002d3789a119\ndescription: Offensive tradecraft is switching away from using APIs like \"CreateRemoteThread\",\n however, this is still largely observed in the wild. This rule aims to detect suspicious\n processes (those we would not expect to behave in this way like word.exe or outlook.exe)\n creating remote threads on other processes. It is a generalistic rule, but it should\n have a low FP ratio due to the selected range of processes.\nnotes:\n- MonitoringHost.exe is a process that loads .NET CLR by default and thus a favorite\n for process injection for .NET in-memory offensive tools.\nstatus: experimental\ndate: 2019/10/27\nmodified: 2019/11/13\nauthor: Perez Diego (@darkquassar), oscd.community\nreferences:\n- Personal research, statistical analysis\n- https://lolbas-project.github.io\nlogsource:\n product: windows\n service: sysmon\ntags:\n- attack.privilege_escalation\n- attack.t1055\ndetection:\n selection:\n EventID: 8\n SourceImage|endswith:\n - \\bash.exe\n - \\cvtres.exe\n - \\defrag.exe\n - \\dnx.exe\n - \\esentutl.exe\n - \\excel.exe\n - \\expand.exe\n - \\explorer.exe\n - \\find.exe\n - \\findstr.exe\n - \\forfiles.exe\n - \\git.exe\n - \\gpupdate.exe\n - \\hh.exe\n - \\iexplore.exe\n - \\installutil.exe\n - \\lync.exe\n - \\makecab.exe\n - \\mDNSResponder.exe\n - \\monitoringhost.exe\n - \\msbuild.exe\n - \\mshta.exe\n - \\msiexec.exe\n - \\mspaint.exe\n - \\outlook.exe\n - \\ping.exe\n - \\powerpnt.exe\n - \\powershell.exe\n - \\provtool.exe\n - \\python.exe\n - \\regsvr32.exe\n - \\robocopy.exe\n - \\runonce.exe\n - \\sapcimc.exe\n - \\schtasks.exe\n - \\smartscreen.exe\n - \\spoolsv.exe\n - \\tstheme.exe\n - \\userinit.exe\n - \\vssadmin.exe\n - \\vssvc.exe\n - \\w3wp.exe*\n - \\winlogon.exe\n - \\winscp.exe\n - \\wmic.exe\n - \\word.exe\n - \\wscript.exe\n filter:\n SourceImage|contains: Visual Studio\n condition: selection AND NOT filter\nfields:\n- ComputerName\n- User\n- SourceImage\n- TargetImage\nlevel: high\nfalsepositives:\n- Unknown\n\n
\n}}'),(6985,'Issue',387,15,'T1055'),(6986,'Issue',388,1,'Svchost DLL Search Order Hijack'),(6987,'Issue',388,2,'SBousseaden'),(6988,'Issue',388,8,'https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992'),(6989,'Issue',388,10,'high'),(6990,'Issue',388,13,'community'),(6991,'Issue',388,14,'windows'),(6993,'Issue',388,11,'6ca7b2b85'),(6994,'Issue',388,12,'602a1f13-c640-4d73-b053-be9a2fa58b77'),(6995,'Issue',388,16,'win-sysmon'),(6996,'Issue',388,17,''),(6997,'Issue',388,7,''),(6998,'Issue',388,3,'IKEEXT and SessionEnv service, as they call LoadLibrary on files that do not exist within C:\\Windows\\System32\\ by default. An attacker can place their malicious logic within the PROCESS_ATTACH block of their library and restart the aforementioned services \"svchost.exe -k netsvcs\" to gain code execution on a remote machine.'),(6999,'Issue',388,4,''),(7000,'Issue',388,5,'_False Positives_\nPentest'),(7001,'Issue',388,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (event.code:\"7\" AND process.executable.keyword:(*\\\\svchost.exe) AND event_data.ImageLoaded.keyword:(*\\\\tsmsisrv.dll OR *\\\\tsvipsrv.dll OR *\\\\wlbsctrl.dll)) AND (NOT (event.code:\"7\" AND process.executable.keyword:(*\\\\svchost.exe) AND event_data.ImageLoaded:(\"C\\:\\\\Windows\\\\WinSxS\\*\"))))\nindex: so-*\nname: Svchost DLL Search Order Hijack\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(7002,'Issue',388,9,'{{collapse(View Sigma)\n\n\ntitle: Svchost DLL Search Order Hijack\nid: 602a1f13-c640-4d73-b053-be9a2fa58b77\nstatus: experimental\ndescription: IKEEXT and SessionEnv service, as they call LoadLibrary on files that\n do not exist within C:\\Windows\\System32\\ by default. An attacker can place their\n malicious logic within the PROCESS_ATTACH block of their library and restart the\n aforementioned services \"svchost.exe -k netsvcs\" to gain code execution on a remote\n machine.\nreferences:\n- https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992\nauthor: SBousseaden\ndate: 2019/10/28\ntags:\n- attack.persistence\n- attack.defense_evasion\n- attack.t1073\n- attack.t1038\n- attack.t1112\nlogsource:\n product: windows\n service: sysmon\ndetection:\n selection:\n EventID: 7\n Image:\n - \'*\\svchost.exe\'\n ImageLoaded:\n - \'*\\tsmsisrv.dll\'\n - \'*\\tsvipsrv.dll\'\n - \'*\\wlbsctrl.dll\'\n filter:\n EventID: 7\n Image:\n - \'*\\svchost.exe\'\n ImageLoaded:\n - C:\\Windows\\WinSxS\\*\n condition: selection and not filter\nfalsepositives:\n- Pentest\nlevel: high\n\n
\n}}'),(7003,'Issue',388,15,'T1073'),(7004,'Issue',388,15,'T1038'),(7005,'Issue',388,15,'T1112'),(7006,'Issue',389,1,'Hijack Legit RDP Session to Move Laterally'),(7007,'Issue',389,2,'Samir Bousseaden'),(7008,'Issue',389,8,'none'),(7009,'Issue',389,10,'high'),(7010,'Issue',389,13,'community'),(7011,'Issue',389,14,'windows'),(7012,'Issue',389,15,''),(7013,'Issue',389,11,'edf49a6c5'),(7014,'Issue',389,12,'52753ea4-b3a0-4365-910d-36cff487b789'),(7015,'Issue',389,16,'win-sysmon'),(7016,'Issue',389,17,''),(7017,'Issue',389,7,''),(7018,'Issue',389,3,'Detects the usage of tsclient share to place a backdoor on the RDP source machine\'s startup folder'),(7019,'Issue',389,4,''),(7020,'Issue',389,5,'_False Positives_\nunknown'),(7021,'Issue',389,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"11\" AND process.executable.keyword:*\\\\mstsc.exe AND TargetFileName.keyword:*\\\\Microsoft\\\\Windows\\\\Start\\ Menu\\\\Programs\\\\Startup\\\\*)\nindex: so-*\nname: Hijack Legit RDP Session to Move Laterally\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(7022,'Issue',389,9,'{{collapse(View Sigma)\n\n\ntitle: Hijack Legit RDP Session to Move Laterally\nid: 52753ea4-b3a0-4365-910d-36cff487b789\nstatus: experimental\ndescription: Detects the usage of tsclient share to place a backdoor on the RDP source\n machine\'s startup folder\ndate: 2019/02/21\nauthor: Samir Bousseaden\nlogsource:\n product: windows\n service: sysmon\ndetection:\n selection:\n EventID: 11\n Image: \'*\\mstsc.exe\'\n TargetFileName: \'*\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\\\*\'\n condition: selection\nfalsepositives:\n- unknown\nlevel: high\n\n
\n}}'),(7023,'Issue',390,1,'UAC Bypass via Event Viewer'),(7024,'Issue',390,2,'Florian Roth'),(7025,'Issue',390,8,'https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/\nhttps://www.hybrid-analysis.com/sample/e122bc8bf291f15cab182a5d2d27b8db1e7019e4e96bb5cdbd1dfe7446f3f51f?environmentId=100'),(7026,'Issue',390,10,'critical'),(7027,'Issue',390,13,'community'),(7028,'Issue',390,14,'windows'),(7030,'Issue',390,11,'266938263'),(7031,'Issue',390,12,'7c81fec3-1c1d-43b0-996a-46753041b1b6'),(7032,'Issue',390,16,'win-sysmon'),(7033,'Issue',390,17,''),(7034,'Issue',390,7,''),(7035,'Issue',390,3,'Detects UAC bypass method using Windows event viewer'),(7036,'Issue',390,4,''),(7037,'Issue',390,5,'_False Positives_\nunknown\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(7038,'Issue',390,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND ((event.code:\"13\" AND event_data.TargetObject.keyword:HKU\\\\*\\\\mscfile\\\\shell\\\\open\\\\command) OR (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (event.code:\"1\" AND process.parent.executable.keyword:*\\\\eventvwr.exe) AND (NOT (process.executable.keyword:*\\\\mmc.exe)))))\nindex: so-*\nname: UAC Bypass via Event Viewer\npriority: 1\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(7039,'Issue',390,9,'{{collapse(View Sigma)\n\n\ntitle: UAC Bypass via Event Viewer\nid: 7c81fec3-1c1d-43b0-996a-46753041b1b6\nstatus: experimental\ndescription: Detects UAC bypass method using Windows event viewer\nreferences:\n- https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/\n- https://www.hybrid-analysis.com/sample/e122bc8bf291f15cab182a5d2d27b8db1e7019e4e96bb5cdbd1dfe7446f3f51f?environmentId=100\nauthor: Florian Roth\ndate: 2017/03/19\nlogsource:\n product: windows\n service: sysmon\ndetection:\n methregistry:\n EventID: 13\n TargetObject: HKU\\\\*\\mscfile\\shell\\open\\command\n methprocess:\n EventID: 1\n ParentImage: \'*\\eventvwr.exe\'\n filterprocess:\n Image: \'*\\mmc.exe\'\n condition: methregistry or ( methprocess and not filterprocess )\nfields:\n- CommandLine\n- ParentCommandLine\ntags:\n- attack.defense_evasion\n- attack.privilege_escalation\n- attack.t1088\n- car.2019-04-001\nfalsepositives:\n- unknown\nlevel: critical\n\n
\n}}'),(7040,'Issue',390,15,'T1088'),(7041,'Issue',391,1,'UAC Bypass via Sdclt'),(7042,'Issue',391,2,'Omer Yampel'),(7043,'Issue',391,8,'https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/'),(7044,'Issue',391,10,'high'),(7045,'Issue',391,13,'community'),(7046,'Issue',391,14,'windows'),(7048,'Issue',391,11,'269c211ef'),(7049,'Issue',391,12,'5b872a46-3b90-45c1-8419-f675db8053aa'),(7050,'Issue',391,16,'win-sysmon'),(7051,'Issue',391,17,''),(7052,'Issue',391,7,''),(7053,'Issue',391,3,'Detects changes to HKCU:\\Software\\Classes\\exefile\\shell\\runas\\command\\isolatedCommand'),(7054,'Issue',391,4,''),(7055,'Issue',391,5,'_False Positives_\nunknown'),(7056,'Issue',391,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"13\" AND event_data.TargetObject.keyword:HKU\\\\*_Classes\\\\exefile\\\\shell\\\\runas\\\\command\\\\isolatedCommand)\nindex: so-*\nname: UAC Bypass via Sdclt\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(7057,'Issue',391,9,'{{collapse(View Sigma)\n\n\ntitle: UAC Bypass via Sdclt\nid: 5b872a46-3b90-45c1-8419-f675db8053aa\nstatus: experimental\ndescription: Detects changes to HKCU:\\Software\\Classes\\exefile\\shell\\runas\\command\\isolatedCommand\nreferences:\n- https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/\nauthor: Omer Yampel\ndate: 2017/03/17\nlogsource:\n product: windows\n service: sysmon\ndetection:\n selection:\n EventID: 13\n TargetObject: HKU\\\\*_Classes\\exefile\\shell\\runas\\command\\isolatedCommand\n condition: selection\ntags:\n- attack.defense_evasion\n- attack.privilege_escalation\n- attack.t1088\n- car.2019-04-001\nfalsepositives:\n- unknown\nlevel: high\n\n
\n}}'),(7058,'Issue',391,15,'T1088'),(7059,'Issue',392,1,'Unsigned Image Loaded Into LSASS Process'),(7060,'Issue',392,2,'Teymur Kheirkhabarov, oscd.community'),(7061,'Issue',392,8,'https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment'),(7062,'Issue',392,10,'medium'),(7063,'Issue',392,13,'community'),(7064,'Issue',392,14,'windows'),(7066,'Issue',392,11,'23f5b5af8'),(7067,'Issue',392,12,'857c8db3-c89b-42fb-882b-f681c7cf4da2'),(7068,'Issue',392,16,'win-sysmon'),(7069,'Issue',392,17,''),(7070,'Issue',392,7,''),(7071,'Issue',392,3,'Loading unsigned image (DLL, EXE) into LSASS process'),(7072,'Issue',392,4,''),(7073,'Issue',392,5,'_False Positives_\nValid user connecting using RDP'),(7074,'Issue',392,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"7\" AND process.executable.keyword:*\\\\lsass.exe AND Signed:\"false\")\nindex: so-*\nname: Unsigned Image Loaded Into LSASS Process\npriority: 3\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(7075,'Issue',392,9,'{{collapse(View Sigma)\n\n\ntitle: Unsigned Image Loaded Into LSASS Process\nid: 857c8db3-c89b-42fb-882b-f681c7cf4da2\ndescription: Loading unsigned image (DLL, EXE) into LSASS process\nauthor: Teymur Kheirkhabarov, oscd.community\ndate: 2019/10/22\nmodified: 2019/11/13\nreferences:\n- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment\ntags:\n- attack.credential_access\n- attack.t1003\nlogsource:\n product: windows\n service: sysmon\ndetection:\n selection:\n EventID: 7\n Image|endswith: \\lsass.exe\n Signed: \'false\'\n condition: selection\nfalsepositives:\n- Valid user connecting using RDP\nstatus: experimental\nlevel: medium\n\n
\n}}'),(7076,'Issue',392,15,'T1003'),(7077,'Issue',393,1,'Windows Webshell Creation'),(7078,'Issue',393,2,'Beyu Denis, oscd.community'),(7079,'Issue',393,8,'PT ESC rule and personal experience'),(7080,'Issue',393,10,'critical'),(7081,'Issue',393,13,'community'),(7082,'Issue',393,14,'windows'),(7084,'Issue',393,11,'2f30d8784'),(7085,'Issue',393,12,'39f1f9f2-9636-45de-98f6-a4046aa8e4b9'),(7086,'Issue',393,16,'win-sysmon'),(7087,'Issue',393,17,''),(7088,'Issue',393,7,''),(7089,'Issue',393,3,'Possible webshell file creation on a static web site'),(7090,'Issue',393,4,''),(7091,'Issue',393,5,'_False Positives_\nLegitimate administrator or developer creating legitimate executable files in a web application folder'),(7092,'Issue',393,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"11\" AND ((event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND ((event_data.TargetFilename.keyword:*\\\\inetpub\\\\wwwroot\\* AND event_data.TargetFilename.keyword:(*.asp* OR *.ashx* OR *.ph*)) OR (event_data.TargetFilename.keyword:(*\\\\www\\* OR *\\\\htdocs\\* OR *\\\\html\\*) AND event_data.TargetFilename.keyword:*.ph*))) OR (event_data.TargetFilename.keyword:*.jsp OR (event_data.TargetFilename.keyword:*\\\\cgi\\-bin\\* AND event_data.TargetFilename.keyword:*.pl*))))\nindex: so-*\nname: Windows Webshell Creation\npriority: 1\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(7093,'Issue',393,9,'{{collapse(View Sigma)\n\n\ntitle: Windows Webshell Creation\nid: 39f1f9f2-9636-45de-98f6-a4046aa8e4b9\nstatus: experimental\ndescription: Possible webshell file creation on a static web site\nreferences:\n- PT ESC rule and personal experience\nauthor: Beyu Denis, oscd.community\ndate: 2019/10/22\nmodified: 2019/11/04\ntags:\n- attack.persistence\n- attack.t1100\nlevel: critical\nlogsource:\n product: windows\n service: sysmon\ndetection:\n selection_1:\n EventID: 11\n selection_2:\n TargetFilename|contains: \\inetpub\\wwwroot\\\n selection_3:\n TargetFilename|contains:\n - .asp\n - .ashx\n - .ph\n selection_4:\n TargetFilename|contains:\n - \\www\\\n - \\htdocs\\\n - \\html\\\n selection_5:\n TargetFilename|contains: .ph\n selection_6:\n - TargetFilename|endswith: .jsp\n - TargetFilename|contains|all:\n - \\cgi-bin\\\n - .pl\n condition: selection_1 and ( selection_2 and selection_3 ) or selection_1 and (\n selection_4 and selection_5 ) or selection_1 and selection_6\nfalsepositives:\n- Legitimate administrator or developer creating legitimate executable files in a\n web application folder\n\n
\n}}'),(7094,'Issue',393,15,'T1100'),(7095,'Issue',394,1,'Microsoft Binary Github Communication'),(7096,'Issue',394,2,'Michael Haag (idea), Florian Roth (rule)'),(7097,'Issue',394,8,'https://twitter.com/M_haggis/status/900741347035889665\nhttps://twitter.com/M_haggis/status/1032799638213066752'),(7098,'Issue',394,10,'high'),(7099,'Issue',394,13,'community'),(7100,'Issue',394,14,'windows'),(7102,'Issue',394,11,'04a41c5fb'),(7103,'Issue',394,12,'635dbb88-67b3-4b41-9ea5-a3af2dd88153'),(7104,'Issue',394,16,'win-sysmon'),(7105,'Issue',394,17,''),(7106,'Issue',394,7,''),(7107,'Issue',394,3,'Detects an executable in the Windows folder accessing github.com'),(7108,'Issue',394,4,''),(7109,'Issue',394,5,'_False Positives_\nUnknown\n@subTee in your network'),(7110,'Issue',394,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"3\" AND event_data.Initiated:\"true\" AND event_data.DestinationHostname.keyword:(*.github.com OR *.githubusercontent.com) AND process.executable.keyword:C\\:\\\\Windows\\\\*)\nindex: so-*\nname: Microsoft Binary Github Communication\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(7111,'Issue',394,9,'{{collapse(View Sigma)\n\n\ntitle: Microsoft Binary Github Communication\nid: 635dbb88-67b3-4b41-9ea5-a3af2dd88153\nstatus: experimental\ndescription: Detects an executable in the Windows folder accessing github.com\nreferences:\n- https://twitter.com/M_haggis/status/900741347035889665\n- https://twitter.com/M_haggis/status/1032799638213066752\nauthor: Michael Haag (idea), Florian Roth (rule)\ndate: 2017/08/24\ntags:\n- attack.lateral_movement\n- attack.t1105\nlogsource:\n product: windows\n service: sysmon\ndetection:\n selection:\n EventID: 3\n Initiated: \'true\'\n DestinationHostname:\n - \'*.github.com\'\n - \'*.githubusercontent.com\'\n Image: C:\\Windows\\\\*\n condition: selection\nfalsepositives:\n- Unknown\n- \'@subTee in your network\'\nlevel: high\n\n
\n}}'),(7112,'Issue',394,15,'T1105'),(7113,'Issue',395,1,'Microsoft Binary Suspicious Communication Endpoint'),(7114,'Issue',395,2,'Florian Roth'),(7115,'Issue',395,8,'https://twitter.com/M_haggis/status/900741347035889665\nhttps://twitter.com/M_haggis/status/1032799638213066752'),(7116,'Issue',395,10,'high'),(7117,'Issue',395,13,'community'),(7118,'Issue',395,14,'windows'),(7120,'Issue',395,11,'847f9c649'),(7121,'Issue',395,12,'e0f8ab85-0ac9-423b-a73a-81b3c7b1aa97'),(7122,'Issue',395,16,'win-sysmon'),(7123,'Issue',395,17,''),(7124,'Issue',395,7,''),(7125,'Issue',395,3,'Detects an executable in the Windows folder accessing suspicious domains'),(7126,'Issue',395,4,''),(7127,'Issue',395,5,'_False Positives_\nUnknown'),(7128,'Issue',395,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"3\" AND event_data.Initiated:\"true\" AND event_data.DestinationHostname.keyword:(*dl.dropboxusercontent.com OR *.pastebin.com OR *.githubusercontent.com) AND process.executable.keyword:C\\:\\\\Windows\\\\*)\nindex: so-*\nname: Microsoft Binary Suspicious Communication Endpoint\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(7129,'Issue',395,9,'{{collapse(View Sigma)\n\n\ntitle: Microsoft Binary Suspicious Communication Endpoint\nid: e0f8ab85-0ac9-423b-a73a-81b3c7b1aa97\nstatus: experimental\ndescription: Detects an executable in the Windows folder accessing suspicious domains\nreferences:\n- https://twitter.com/M_haggis/status/900741347035889665\n- https://twitter.com/M_haggis/status/1032799638213066752\nauthor: Florian Roth\ndate: 2018/08/30\ntags:\n- attack.lateral_movement\n- attack.t1105\nlogsource:\n product: windows\n service: sysmon\ndetection:\n selection:\n EventID: 3\n Initiated: \'true\'\n DestinationHostname:\n - \'*dl.dropboxusercontent.com\'\n - \'*.pastebin.com\'\n - \'*.githubusercontent.com\'\n Image: C:\\Windows\\\\*\n condition: selection\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(7130,'Issue',395,15,'T1105'),(7131,'Issue',396,1,'Registry Persistence Mechanisms'),(7132,'Issue',396,2,'Karneades'),(7133,'Issue',396,8,'https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/'),(7134,'Issue',396,10,'critical'),(7135,'Issue',396,13,'community'),(7136,'Issue',396,14,'windows'),(7138,'Issue',396,11,'b6d5e6bc2'),(7139,'Issue',396,12,'36803969-5421-41ec-b92f-8500f79c23b0'),(7140,'Issue',396,16,'win-sysmon'),(7141,'Issue',396,17,''),(7142,'Issue',396,7,''),(7143,'Issue',396,3,'Detects persistence registry keys'),(7144,'Issue',396,4,''),(7145,'Issue',396,5,'_False Positives_\nunknown'),(7146,'Issue',396,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"13\" AND event_data.TargetObject.keyword:(*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\ NT\\\\CurrentVersion\\\\Image\\ File\\ Execution\\ Options\\\\*\\\\GlobalFlag OR *\\\\SOFTWARE\\\\Microsoft\\\\Windows\\ NT\\\\CurrentVersion\\\\SilentProcessExit\\\\*\\\\ReportingMode OR *\\\\SOFTWARE\\\\Microsoft\\\\Windows\\ NT\\\\CurrentVersion\\\\SilentProcessExit\\\\*\\\\MonitorProcess) AND event_data.EventType:\"SetValue\")\nindex: so-*\nname: Registry Persistence Mechanisms\npriority: 1\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(7147,'Issue',396,9,'{{collapse(View Sigma)\n\n\ntitle: Registry Persistence Mechanisms\nid: 36803969-5421-41ec-b92f-8500f79c23b0\ndescription: Detects persistence registry keys\nreferences:\n- https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/\ndate: 2018/04/11\nauthor: Karneades\nlogsource:\n product: windows\n service: sysmon\ndetection:\n selection_reg1:\n EventID: 13\n TargetObject:\n - \'*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\\\*\\GlobalFlag\'\n - \'*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\\\*\\ReportingMode\'\n - \'*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\\\*\\MonitorProcess\'\n EventType: SetValue\n condition: selection_reg1\ntags:\n- attack.privilege_escalation\n- attack.persistence\n- attack.defense_evasion\n- attack.t1183\n- car.2013-01-002\nfalsepositives:\n- unknown\nlevel: critical\n\n
\n}}'),(7148,'Issue',396,15,'T1183'),(7149,'Issue',397,1,'WMI Event Subscription'),(7150,'Issue',397,2,'Tom Ueltschi (@c_APT_ure)'),(7151,'Issue',397,8,'https://attack.mitre.org/techniques/T1084/'),(7152,'Issue',397,10,'high'),(7153,'Issue',397,13,'community'),(7154,'Issue',397,14,'windows'),(7156,'Issue',397,11,'9dd7ef828'),(7157,'Issue',397,12,'0f06a3a5-6a09-413f-8743-e6cf35561297'),(7158,'Issue',397,16,'win-sysmon'),(7159,'Issue',397,17,''),(7160,'Issue',397,7,''),(7161,'Issue',397,3,'Detects creation of WMI event subscription persistence method'),(7162,'Issue',397,4,''),(7163,'Issue',397,5,'_False Positives_\nexclude legitimate (vetted) use of WMI event subscription in your network'),(7164,'Issue',397,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:(\"19\" OR \"20\" OR \"21\"))\nindex: so-*\nname: WMI Event Subscription\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(7165,'Issue',397,9,'{{collapse(View Sigma)\n\n\ntitle: WMI Event Subscription\nid: 0f06a3a5-6a09-413f-8743-e6cf35561297\nstatus: experimental\ndescription: Detects creation of WMI event subscription persistence method\nreferences:\n- https://attack.mitre.org/techniques/T1084/\ntags:\n- attack.t1084\n- attack.persistence\nauthor: Tom Ueltschi (@c_APT_ure)\ndate: 2019/01/12\nlogsource:\n product: windows\n service: sysmon\ndetection:\n selector:\n EventID:\n - 19\n - 20\n - 21\n condition: selector\nfalsepositives:\n- exclude legitimate (vetted) use of WMI event subscription in your network\nlevel: high\n\n
\n}}'),(7166,'Issue',397,15,'T1084'),(7167,'Issue',398,1,'WMI Modules Loaded'),(7168,'Issue',398,2,'Roberto Rodriguez @Cyb3rWard0g'),(7169,'Issue',398,8,'https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1047_windows_management_instrumentation/wmi_wmi_module_load.md'),(7170,'Issue',398,10,'high'),(7171,'Issue',398,13,'community'),(7172,'Issue',398,14,'windows'),(7174,'Issue',398,11,'eaf1ac318'),(7175,'Issue',398,12,'671bb7e3-a020-4824-a00e-2ee5b55f385e'),(7176,'Issue',398,16,'win-sysmon'),(7177,'Issue',398,17,''),(7178,'Issue',398,7,''),(7179,'Issue',398,3,'Detects non wmiprvse loading WMI modules'),(7180,'Issue',398,4,''),(7181,'Issue',398,5,'_False Positives_\nUnknown\n\n_Interesting Log Fields_\nComputerName\nUser\nImage\nImageLoaded'),(7182,'Issue',398,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (event.code:\"7\" AND event_data.ImageLoaded.keyword:(*\\\\wmiclnt.dll OR *\\\\WmiApRpl.dll OR *\\\\wmiprov.dll OR *\\\\wmiutils.dll OR *\\\\wbemcomn.dll OR *\\\\wbemprox.dll OR *\\\\WMINet_Utils.dll OR *\\\\wbemsvc.dll OR *\\\\fastprox.dll)) AND (NOT (process.executable.keyword:(*\\\\WmiPrvSe.exe OR *\\\\WmiPrvSE.exe OR *\\\\WmiAPsrv.exe OR *\\\\svchost.exe))))\nindex: so-*\nname: WMI Modules Loaded\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(7183,'Issue',398,9,'{{collapse(View Sigma)\n\n\ntitle: WMI Modules Loaded\nid: 671bb7e3-a020-4824-a00e-2ee5b55f385e\ndescription: Detects non wmiprvse loading WMI modules\nstatus: experimental\ndate: 2019/08/10\nmodified: 2019/11/10\nauthor: Roberto Rodriguez @Cyb3rWard0g\nreferences:\n- https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1047_windows_management_instrumentation/wmi_wmi_module_load.md\ntags:\n- attack.execution\n- attack.t1047\nlogsource:\n product: windows\n service: sysmon\ndetection:\n selection:\n EventID: 7\n ImageLoaded|endswith:\n - \\wmiclnt.dll\n - \\WmiApRpl.dll\n - \\wmiprov.dll\n - \\wmiutils.dll\n - \\wbemcomn.dll\n - \\wbemprox.dll\n - \\WMINet_Utils.dll\n - \\wbemsvc.dll\n - \\fastprox.dll\n filter:\n Image|endswith:\n - \\WmiPrvSe.exe\n - \\WmiPrvSE.exe\n - \\WmiAPsrv.exe\n - \\svchost.exe\n condition: selection and not filter\nfields:\n- ComputerName\n- User\n- Image\n- ImageLoaded\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(7184,'Issue',398,15,'T1047'),(7185,'Issue',399,1,'WMI Persistence - Command Line Event Consumer'),(7186,'Issue',399,2,'Thomas Patzke'),(7187,'Issue',399,8,'https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/'),(7188,'Issue',399,10,'high'),(7189,'Issue',399,13,'community'),(7190,'Issue',399,14,'windows'),(7192,'Issue',399,11,'9e9efa320'),(7193,'Issue',399,12,'05936ce2-ee05-4dae-9d03-9a391cf2d2c6'),(7194,'Issue',399,16,'win-sysmon'),(7195,'Issue',399,17,''),(7196,'Issue',399,7,''),(7197,'Issue',399,3,'Detects WMI command line event consumers'),(7198,'Issue',399,4,''),(7199,'Issue',399,5,'_False Positives_\nUnknown (data set is too small; further testing needed)'),(7200,'Issue',399,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"7\" AND process.executable:\"C\\:\\\\Windows\\\\System32\\\\wbem\\\\WmiPrvSE.exe\" AND event_data.ImageLoaded:\"wbemcons.dll\")\nindex: so-*\nname: WMI Persistence - Command Line Event Consumer\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(7201,'Issue',399,9,'{{collapse(View Sigma)\n\n\ntitle: WMI Persistence - Command Line Event Consumer\nid: 05936ce2-ee05-4dae-9d03-9a391cf2d2c6\nstatus: experimental\ndescription: Detects WMI command line event consumers\nreferences:\n- https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/\nauthor: Thomas Patzke\ndate: 2018/03/07\ntags:\n- attack.t1084\n- attack.persistence\nlogsource:\n product: windows\n service: sysmon\ndetection:\n selection:\n EventID: 7\n Image: C:\\Windows\\System32\\wbem\\WmiPrvSE.exe\n ImageLoaded: wbemcons.dll\n condition: selection\nfalsepositives:\n- Unknown (data set is too small; further testing needed)\nlevel: high\n\n
\n}}'),(7202,'Issue',399,15,'T1084'),(7203,'Issue',400,1,'WMI Persistence - Script Event Consumer File Write'),(7204,'Issue',400,2,'Thomas Patzke'),(7205,'Issue',400,8,'https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/'),(7206,'Issue',400,10,'high'),(7207,'Issue',400,13,'community'),(7208,'Issue',400,14,'windows'),(7210,'Issue',400,11,'9ec7edf07'),(7211,'Issue',400,12,'33f41cdd-35ac-4ba8-814b-c6a4244a1ad4'),(7212,'Issue',400,16,'win-sysmon'),(7213,'Issue',400,17,''),(7214,'Issue',400,7,''),(7215,'Issue',400,3,'Detects file writes of WMI script event consumer'),(7216,'Issue',400,4,''),(7217,'Issue',400,5,'_False Positives_\nUnknown (data set is too small; further testing needed)'),(7218,'Issue',400,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"11\" AND process.executable:\"C\\:\\\\WINDOWS\\\\system32\\\\wbem\\\\scrcons.exe\")\nindex: so-*\nname: WMI Persistence - Script Event Consumer File Write\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(7219,'Issue',400,9,'{{collapse(View Sigma)\n\n\ntitle: WMI Persistence - Script Event Consumer File Write\nid: 33f41cdd-35ac-4ba8-814b-c6a4244a1ad4\nstatus: experimental\ndescription: Detects file writes of WMI script event consumer\nreferences:\n- https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/\nauthor: Thomas Patzke\ndate: 2018/03/07\ntags:\n- attack.t1084\n- attack.persistence\nlogsource:\n product: windows\n service: sysmon\ndetection:\n selection:\n EventID: 11\n Image: C:\\WINDOWS\\system32\\wbem\\scrcons.exe\n condition: selection\nfalsepositives:\n- Unknown (data set is too small; further testing needed)\nlevel: high\n\n
\n}}'),(7220,'Issue',400,15,'T1084'),(7221,'Issue',401,1,'Suspicious Scripting in a WMI Consumer'),(7222,'Issue',401,2,'Florian Roth'),(7223,'Issue',401,8,'https://in.security/an-intro-into-abusing-and-identifying-wmi-event-subscriptions-for-persistence/\nhttps://github.com/Neo23x0/signature-base/blob/master/yara/gen_susp_lnk_files.yar#L19'),(7224,'Issue',401,10,'high'),(7225,'Issue',401,13,'community'),(7226,'Issue',401,14,'windows'),(7228,'Issue',401,11,'5e0c4b4b2'),(7229,'Issue',401,12,'fe21810c-2a8c-478f-8dd3-5a287fb2a0e0'),(7230,'Issue',401,16,'win-sysmon'),(7231,'Issue',401,17,''),(7232,'Issue',401,7,''),(7233,'Issue',401,3,'Detects suspicious scripting in WMI Event Consumers'),(7234,'Issue',401,4,''),(7235,'Issue',401,5,'_False Positives_\nAdministrative scripts\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(7236,'Issue',401,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"20\" AND Destination.keyword:(*new\\-object\\ system.net.webclient\\).downloadstring\\(* OR *new\\-object\\ system.net.webclient\\).downloadfile\\(* OR *new\\-object\\ net.webclient\\).downloadstring\\(* OR *new\\-object\\ net.webclient\\).downloadfile\\(* OR *\\ iex\\(* OR *WScript.shell* OR *\\ \\-nop\\ * OR *\\ \\-noprofile\\ * OR *\\ \\-decode\\ * OR *\\ \\-enc\\ *))\nindex: so-*\nname: Suspicious Scripting in a WMI Consumer\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(7237,'Issue',401,9,'{{collapse(View Sigma)\n\n\ntitle: Suspicious Scripting in a WMI Consumer\nid: fe21810c-2a8c-478f-8dd3-5a287fb2a0e0\nstatus: experimental\ndescription: Detects suspicious scripting in WMI Event Consumers\nauthor: Florian Roth\nreferences:\n- https://in.security/an-intro-into-abusing-and-identifying-wmi-event-subscriptions-for-persistence/\n- https://github.com/Neo23x0/signature-base/blob/master/yara/gen_susp_lnk_files.yar#L19\ndate: 2019/04/15\ntags:\n- attack.t1086\n- attack.execution\nlogsource:\n product: windows\n service: sysmon\ndetection:\n selection:\n EventID: 20\n Destination:\n - \'*new-object system.net.webclient).downloadstring(*\'\n - \'*new-object system.net.webclient).downloadfile(*\'\n - \'*new-object net.webclient).downloadstring(*\'\n - \'*new-object net.webclient).downloadfile(*\'\n - \'* iex(*\'\n - \'*WScript.shell*\'\n - \'* -nop *\'\n - \'* -noprofile *\'\n - \'* -decode *\'\n - \'* -enc *\'\n condition: selection\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Administrative scripts\nlevel: high\n\n
\n}}'),(7238,'Issue',401,15,'T1086'),(7239,'Issue',402,1,'APT29'),(7240,'Issue',402,2,'Florian Roth'),(7241,'Issue',402,8,'https://cloudblogs.microsoft.com/microsoftsecure/2018/12/03/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers/'),(7242,'Issue',402,10,'critical'),(7243,'Issue',402,13,'community'),(7244,'Issue',402,14,'windows'),(7246,'Issue',402,11,'3eea01490'),(7247,'Issue',402,12,'033fe7d6-66d1-4240-ac6b-28908009c71f'),(7248,'Issue',402,16,'win-proc'),(7249,'Issue',402,17,''),(7250,'Issue',402,7,''),(7251,'Issue',402,3,'This method detects a suspicious powershell command line combination as used by APT29 in a campaign against US think tanks'),(7252,'Issue',402,4,''),(7253,'Issue',402,5,'_False Positives_\nunknown'),(7254,'Issue',402,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:*\\-noni\\ \\-ep\\ bypass\\ $*)\nindex: so-*\nname: APT29\npriority: 1\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(7255,'Issue',402,9,'{{collapse(View Sigma)\n\n\ntitle: APT29\nid: 033fe7d6-66d1-4240-ac6b-28908009c71f\ndescription: This method detects a suspicious powershell command line combination\n as used by APT29 in a campaign against US think tanks\nreferences:\n- https://cloudblogs.microsoft.com/microsoftsecure/2018/12/03/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers/\ntags:\n- attack.execution\n- attack.g0016\n- attack.t1086\nauthor: Florian Roth\ndate: 2018/12/04\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n CommandLine: \'*-noni -ep bypass $*\'\n condition: selection\nfalsepositives:\n- unknown\nlevel: critical\n\n
\n}}'),(7256,'Issue',402,15,'T1086'),(7257,'Issue',403,1,'Baby Shark Activity'),(7258,'Issue',403,2,'Florian Roth'),(7259,'Issue',403,8,'https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/'),(7260,'Issue',403,10,'high'),(7261,'Issue',403,13,'community'),(7262,'Issue',403,14,'windows'),(7264,'Issue',403,11,'e1e3ed75c'),(7265,'Issue',403,12,'2b30fa36-3a18-402f-a22d-bf4ce2189f35'),(7266,'Issue',403,16,'win-proc'),(7267,'Issue',403,17,''),(7268,'Issue',403,7,''),(7269,'Issue',403,3,'Detects activity that could be related to Baby Shark malware'),(7270,'Issue',403,4,''),(7271,'Issue',403,5,'_False Positives_\nunknown'),(7272,'Issue',403,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(reg\\ query\\ \\\"HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Terminal\\ Server\\ Client\\\\Default\\\" OR powershell.exe\\ mshta.exe\\ http* OR cmd.exe\\ \\/c\\ taskkill\\ \\/im\\ cmd.exe))\nindex: so-*\nname: Baby Shark Activity\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(7273,'Issue',403,9,'{{collapse(View Sigma)\n\n\ntitle: Baby Shark Activity\nid: 2b30fa36-3a18-402f-a22d-bf4ce2189f35\nstatus: experimental\ndescription: Detects activity that could be related to Baby Shark malware\nreferences:\n- https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/\ntags:\n- attack.execution\n- attack.t1059\n- attack.t1086\n- attack.discovery\n- attack.t1012\n- attack.defense_evasion\n- attack.t1170\nlogsource:\n category: process_creation\n product: windows\nauthor: Florian Roth\ndate: 2019/02/24\ndetection:\n selection:\n CommandLine:\n - reg query \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Default\"\n - powershell.exe mshta.exe http*\n - cmd.exe /c taskkill /im cmd.exe\n condition: selection\nfalsepositives:\n- unknown\nlevel: high\n\n
\n}}'),(7274,'Issue',403,15,'T1059'),(7275,'Issue',403,15,'T1086'),(7276,'Issue',403,15,'T1012'),(7277,'Issue',403,15,'T1170'),(7278,'Issue',404,1,'Judgement Panda Credential Access Activity'),(7279,'Issue',404,2,'Florian Roth'),(7280,'Issue',404,8,'https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/'),(7281,'Issue',404,10,'critical'),(7282,'Issue',404,13,'community'),(7283,'Issue',404,14,'windows'),(7285,'Issue',404,11,'ebeeba7dd'),(7286,'Issue',404,12,'b83f5166-9237-4b5e-9cd4-7b5d52f4d8ee'),(7287,'Issue',404,16,'win-proc'),(7288,'Issue',404,17,''),(7289,'Issue',404,7,''),(7290,'Issue',404,3,'Detects Russian group activity as described in Global Threat Report 2019 by Crowdstrike'),(7291,'Issue',404,4,''),(7292,'Issue',404,5,'_False Positives_\nunknown'),(7293,'Issue',404,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND ((process.executable.keyword:*\\\\xcopy.exe AND process.command_line.keyword:*\\ \\/S\\ \\/E\\ \\/C\\ \\/Q\\ \\/H\\ \\\\*) OR (process.executable.keyword:*\\\\adexplorer.exe AND process.command_line.keyword:*\\ \\-snapshot\\ \\\"\\\"\\ c\\:\\\\users\\\\*)))\nindex: so-*\nname: Judgement Panda Credential Access Activity\npriority: 1\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(7294,'Issue',404,9,'{{collapse(View Sigma)\n\n\ntitle: Judgement Panda Credential Access Activity\nid: b83f5166-9237-4b5e-9cd4-7b5d52f4d8ee\ndescription: Detects Russian group activity as described in Global Threat Report 2019\n by Crowdstrike\nreferences:\n- https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/\nauthor: Florian Roth\ndate: 2019/02/21\ntags:\n- attack.credential_access\n- attack.t1081\n- attack.t1003\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection1:\n Image: \'*\\xcopy.exe\'\n CommandLine: \'* /S /E /C /Q /H \\\\*\'\n selection2:\n Image: \'*\\adexplorer.exe\'\n CommandLine: \'* -snapshot \"\" c:\\users\\\\*\'\n condition: selection1 or selection2\nfalsepositives:\n- unknown\nlevel: critical\n\n
\n}}'),(7295,'Issue',404,15,'T1081'),(7296,'Issue',404,15,'T1003'),(7297,'Issue',405,1,'BlueMashroom DLL Load'),(7298,'Issue',405,2,'Florian Roth'),(7299,'Issue',405,8,'https://www.virusbulletin.com/conference/vb2019/abstracts/apt-cases-exploiting-vulnerabilities-region-specific-software'),(7300,'Issue',405,10,'critical'),(7301,'Issue',405,13,'community'),(7302,'Issue',405,14,'windows'),(7304,'Issue',405,11,'8bb8cf273'),(7305,'Issue',405,12,'bd70d3f8-e60e-4d25-89f0-0b5a9cff20e0'),(7306,'Issue',405,16,'win-proc'),(7307,'Issue',405,17,''),(7308,'Issue',405,7,''),(7309,'Issue',405,3,'Detects a suspicious DLL loading from AppData Local path as described in BlueMashroom report'),(7310,'Issue',405,4,''),(7311,'Issue',405,5,'_False Positives_\nUnlikely'),(7312,'Issue',405,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(*\\\\regsvr32*\\\\AppData\\\\Local\\\\* OR *\\\\AppData\\\\Local\\\\*,DllEntry*))\nindex: so-*\nname: BlueMashroom DLL Load\npriority: 1\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(7313,'Issue',405,9,'{{collapse(View Sigma)\n\n\ntitle: BlueMashroom DLL Load\nid: bd70d3f8-e60e-4d25-89f0-0b5a9cff20e0\nstatus: experimental\ndescription: Detects a suspicious DLL loading from AppData Local path as described\n in BlueMashroom report\nreferences:\n- https://www.virusbulletin.com/conference/vb2019/abstracts/apt-cases-exploiting-vulnerabilities-region-specific-software\ntags:\n- attack.defense_evasion\n- attack.t1117\nauthor: Florian Roth\ndate: 2019/10/02\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n CommandLine:\n - \'*\\regsvr32*\\AppData\\Local\\\\*\'\n - \'*\\AppData\\Local\\\\*,DllEntry*\'\n condition: selection\nfalsepositives:\n- Unlikely\nlevel: critical\n\n
\n}}'),(7314,'Issue',405,15,'T1117'),(7315,'Issue',406,1,'WMIExec VBS Script'),(7316,'Issue',406,2,'Florian Roth'),(7317,'Issue',406,8,'https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf'),(7318,'Issue',406,10,'critical'),(7319,'Issue',406,13,'community'),(7320,'Issue',406,14,'windows'),(7322,'Issue',406,11,'5b1ed0159'),(7323,'Issue',406,12,'966e4016-627f-44f7-8341-f394905c361f'),(7324,'Issue',406,16,'win-proc'),(7325,'Issue',406,17,''),(7326,'Issue',406,7,''),(7327,'Issue',406,3,'Detects suspicious file execution by wscript and cscript'),(7328,'Issue',406,4,''),(7329,'Issue',406,5,'_False Positives_\nUnlikely\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(7330,'Issue',406,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\cscript.exe AND process.command_line.keyword:*.vbs\\ \\/shell\\ *)\nindex: so-*\nname: WMIExec VBS Script\npriority: 1\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(7331,'Issue',406,9,'{{collapse(View Sigma)\n\n\ntitle: WMIExec VBS Script\nid: 966e4016-627f-44f7-8341-f394905c361f\ndescription: Detects suspicious file execution by wscript and cscript\nauthor: Florian Roth\ndate: 2017/04/07\nreferences:\n- https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf\ntags:\n- attack.execution\n- attack.g0045\n- attack.t1064\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n Image: \'*\\cscript.exe\'\n CommandLine: \'*.vbs /shell *\'\n condition: selection\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Unlikely\nlevel: critical\n\n
\n}}'),(7332,'Issue',406,15,'T1064'),(7333,'Issue',407,1,'CrackMapExecWin'),(7334,'Issue',407,2,'Markus Neis'),(7335,'Issue',407,8,'https://www.ncsc.gov.uk/alerts/hostile-state-actors-compromising-uk-organisations-focus-engineering-and-industrial-control'),(7336,'Issue',407,10,'critical'),(7337,'Issue',407,13,'community'),(7338,'Issue',407,14,'windows'),(7339,'Issue',407,15,''),(7340,'Issue',407,11,'3fa886226'),(7341,'Issue',407,12,'04d9079e-3905-4b70-ad37-6bdf11304965'),(7342,'Issue',407,16,'win-proc'),(7343,'Issue',407,17,''),(7344,'Issue',407,7,''),(7345,'Issue',407,3,'Detects CrackMapExecWin Activity as Described by NCSC'),(7346,'Issue',407,4,''),(7347,'Issue',407,5,'_False Positives_\nNone'),(7348,'Issue',407,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:(*\\\\crackmapexec.exe))\nindex: so-*\nname: CrackMapExecWin\npriority: 1\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(7349,'Issue',407,9,'{{collapse(View Sigma)\n\n\ntitle: CrackMapExecWin\nid: 04d9079e-3905-4b70-ad37-6bdf11304965\ndescription: Detects CrackMapExecWin Activity as Described by NCSC\nstatus: experimental\nreferences:\n- https://www.ncsc.gov.uk/alerts/hostile-state-actors-compromising-uk-organisations-focus-engineering-and-industrial-control\ntags:\n- attack.g0035\nauthor: Markus Neis\ndate: 2018/04/08\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n Image:\n - \'*\\crackmapexec.exe\'\n condition: selection\nfalsepositives:\n- None\nlevel: critical\n\n
\n}}'),(7350,'Issue',408,1,'Elise Backdoor'),(7351,'Issue',408,2,'Florian Roth'),(7352,'Issue',408,8,'https://community.rsa.com/community/products/netwitness/blog/2018/02/13/lotus-blossom-continues-asean-targeting'),(7353,'Issue',408,10,'critical'),(7354,'Issue',408,13,'community'),(7355,'Issue',408,14,'windows'),(7356,'Issue',408,15,''),(7357,'Issue',408,11,'c59e20ad4'),(7358,'Issue',408,12,'e507feb7-5f73-4ef6-a970-91bb6f6d744f'),(7359,'Issue',408,16,'win-proc'),(7360,'Issue',408,17,''),(7361,'Issue',408,7,''),(7362,'Issue',408,3,'Detects Elise backdoor acitivty as used by APT32'),(7363,'Issue',408,4,''),(7364,'Issue',408,5,'_False Positives_\nUnknown'),(7365,'Issue',408,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND ((process.executable:\"C\\:\\\\Windows\\\\SysWOW64\\\\cmd.exe\" AND process.command_line.keyword:*\\\\Windows\\\\Caches\\\\NavShExt.dll\\ *) OR process.command_line.keyword:*\\\\AppData\\\\Roaming\\\\MICROS\\~1\\\\Windows\\\\Caches\\\\NavShExt.dll,Setting))\nindex: so-*\nname: Elise Backdoor\npriority: 1\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(7366,'Issue',408,9,'{{collapse(View Sigma)\n\n\ntitle: Elise Backdoor\nid: e507feb7-5f73-4ef6-a970-91bb6f6d744f\nstatus: experimental\ndescription: Detects Elise backdoor acitivty as used by APT32\nreferences:\n- https://community.rsa.com/community/products/netwitness/blog/2018/02/13/lotus-blossom-continues-asean-targeting\ntags:\n- attack.g0030\n- attack.g0050\n- attack.s0081\nauthor: Florian Roth\ndate: 2018/01/31\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection1:\n Image: C:\\Windows\\SysWOW64\\cmd.exe\n CommandLine: \'*\\Windows\\Caches\\NavShExt.dll *\'\n selection2:\n CommandLine: \'*\\AppData\\Roaming\\MICROS~1\\Windows\\Caches\\NavShExt.dll,Setting\'\n condition: 1 of them\nfalsepositives:\n- Unknown\nlevel: critical\n\n
\n}}'),(7367,'Issue',409,1,'Emissary Panda Malware SLLauncher'),(7368,'Issue',409,2,'Florian Roth'),(7369,'Issue',409,8,'https://app.any.run/tasks/579e7587-f09d-4aae-8b07-472833262965\nhttps://twitter.com/cyb3rops/status/1168863899531132929'),(7370,'Issue',409,10,'critical'),(7371,'Issue',409,13,'community'),(7372,'Issue',409,14,'windows'),(7373,'Issue',409,15,''),(7374,'Issue',409,11,'5e4b7990b'),(7375,'Issue',409,12,'9aa01d62-7667-4d3b-acb8-8cb5103e2014'),(7376,'Issue',409,16,'win-proc'),(7377,'Issue',409,17,''),(7378,'Issue',409,7,''),(7379,'Issue',409,3,'Detects the execution of DLL side-loading malware used by threat group Emissary Panda aka APT27'),(7380,'Issue',409,4,''),(7381,'Issue',409,5,'_False Positives_\nUnknown'),(7382,'Issue',409,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.parent.executable.keyword:*\\\\sllauncher.exe AND process.executable.keyword:*\\\\svchost.exe)\nindex: so-*\nname: Emissary Panda Malware SLLauncher\npriority: 1\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(7383,'Issue',409,9,'{{collapse(View Sigma)\n\n\ntitle: Emissary Panda Malware SLLauncher\nid: 9aa01d62-7667-4d3b-acb8-8cb5103e2014\nstatus: experimental\ndescription: Detects the execution of DLL side-loading malware used by threat group\n Emissary Panda aka APT27\nreferences:\n- https://app.any.run/tasks/579e7587-f09d-4aae-8b07-472833262965\n- https://twitter.com/cyb3rops/status/1168863899531132929\nauthor: Florian Roth\ndate: 2018/09/03\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n ParentImage: \'*\\sllauncher.exe\'\n Image: \'*\\svchost.exe\'\n condition: selection\nfalsepositives:\n- Unknown\nlevel: critical\n\n
\n}}'),(7384,'Issue',410,1,'Equation Group DLL_U Load'),(7385,'Issue',410,2,'Florian Roth'),(7386,'Issue',410,8,'https://github.com/adamcaudill/EquationGroupLeak/search?utf8=%E2%9C%93&q=dll_u&type=\nhttps://securelist.com/apt-slingshot/84312/\nhttps://twitter.com/cyb3rops/status/972186477512839170'),(7387,'Issue',410,10,'critical'),(7388,'Issue',410,13,'community'),(7389,'Issue',410,14,'windows'),(7391,'Issue',410,11,'8d87ab96d'),(7392,'Issue',410,12,'d465d1d8-27a2-4cca-9621-a800f37cf72e'),(7393,'Issue',410,16,'win-proc'),(7394,'Issue',410,17,''),(7395,'Issue',410,7,''),(7396,'Issue',410,3,'Detects a specific tool and export used by EquationGroup'),(7397,'Issue',410,4,''),(7398,'Issue',410,5,'_False Positives_\nUnknown'),(7399,'Issue',410,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND ((process.executable.keyword:*\\\\rundll32.exe AND process.command_line.keyword:*,dll_u) OR process.command_line.keyword:*\\ \\-export\\ dll_u\\ *))\nindex: so-*\nname: Equation Group DLL_U Load\npriority: 1\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(7400,'Issue',410,9,'{{collapse(View Sigma)\n\n\ntitle: Equation Group DLL_U Load\nid: d465d1d8-27a2-4cca-9621-a800f37cf72e\nauthor: Florian Roth\ndate: 2019/03/04\ndescription: Detects a specific tool and export used by EquationGroup\nreferences:\n- https://github.com/adamcaudill/EquationGroupLeak/search?utf8=%E2%9C%93&q=dll_u&type=\n- https://securelist.com/apt-slingshot/84312/\n- https://twitter.com/cyb3rops/status/972186477512839170\ntags:\n- attack.execution\n- attack.g0020\n- attack.t1059\n- attack.defense_evasion\n- attack.t1085\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection1:\n Image: \'*\\rundll32.exe\'\n CommandLine: \'*,dll_u\'\n selection2:\n CommandLine: \'* -export dll_u *\'\n condition: 1 of them\nfalsepositives:\n- Unknown\nlevel: critical\n\n
\n}}'),(7401,'Issue',410,15,'T1059'),(7402,'Issue',410,15,'T1085'),(7403,'Issue',411,1,'Hurricane Panda Activity'),(7404,'Issue',411,2,'Florian Roth'),(7405,'Issue',411,8,'https://www.crowdstrike.com/blog/crowdstrike-discovers-use-64-bit-zero-day-privilege-escalation-exploit-cve-2014-4113-hurricane-panda/'),(7406,'Issue',411,10,'high'),(7407,'Issue',411,13,'community'),(7408,'Issue',411,14,'windows'),(7410,'Issue',411,11,'70b43689e'),(7411,'Issue',411,12,'0eb2107b-a596-422e-b123-b389d5594ed7'),(7412,'Issue',411,16,'win-proc'),(7413,'Issue',411,17,''),(7414,'Issue',411,7,''),(7415,'Issue',411,3,'Detects Hurricane Panda Activity'),(7416,'Issue',411,4,''),(7417,'Issue',411,5,'_False Positives_\nUnknown'),(7418,'Issue',411,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(*\\ localgroup\\ administrators\\ admin\\ \\/add OR *\\\\Win64.exe*))\nindex: so-*\nname: Hurricane Panda Activity\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(7419,'Issue',411,9,'{{collapse(View Sigma)\n\n\ntitle: Hurricane Panda Activity\nid: 0eb2107b-a596-422e-b123-b389d5594ed7\nauthor: Florian Roth\ndate: 2019/03/04\nstatus: experimental\ndescription: Detects Hurricane Panda Activity\nreferences:\n- https://www.crowdstrike.com/blog/crowdstrike-discovers-use-64-bit-zero-day-privilege-escalation-exploit-cve-2014-4113-hurricane-panda/\ntags:\n- attack.privilege_escalation\n- attack.g0009\n- attack.t1068\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n CommandLine:\n - \'* localgroup administrators admin /add\'\n - \'*\\Win64.exe*\'\n condition: selection\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(7420,'Issue',411,15,'T1068'),(7421,'Issue',412,1,'Judgement Panda Exfil Activity'),(7422,'Issue',412,2,'Florian Roth'),(7423,'Issue',412,8,'https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/'),(7424,'Issue',412,10,'critical'),(7425,'Issue',412,13,'community'),(7426,'Issue',412,14,'windows'),(7428,'Issue',412,11,'7b23cf39c'),(7429,'Issue',412,12,'03e2746e-2b31-42f1-ab7a-eb39365b2422'),(7430,'Issue',412,16,'win-proc'),(7431,'Issue',412,17,''),(7432,'Issue',412,7,''),(7433,'Issue',412,3,'Detects Judgement Panda activity as described in Global Threat Report 2019 by Crowdstrike'),(7434,'Issue',412,4,''),(7435,'Issue',412,5,'_False Positives_\nunknown'),(7436,'Issue',412,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND (process.command_line.keyword:(*\\\\ldifde.exe\\ \\-f\\ \\-n\\ * OR *\\\\7za.exe\\ a\\ 1.7z\\ * OR *\\ eprod.ldf OR *\\\\aaaa\\\\procdump64.exe* OR *\\\\aaaa\\\\netsess.exe* OR *\\\\aaaa\\\\7za.exe* OR *copy\\ .\\\\1.7z\\ \\\\* OR *copy\\ \\\\client\\\\c$\\\\aaaa\\\\*) OR process.executable:\"C\\:\\\\Users\\\\Public\\\\7za.exe\"))\nindex: so-*\nname: Judgement Panda Exfil Activity\npriority: 1\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(7437,'Issue',412,9,'{{collapse(View Sigma)\n\n\ntitle: Judgement Panda Exfil Activity\nid: 03e2746e-2b31-42f1-ab7a-eb39365b2422\ndescription: Detects Judgement Panda activity as described in Global Threat Report\n 2019 by Crowdstrike\nreferences:\n- https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/\nauthor: Florian Roth\ndate: 2019/02/21\ntags:\n- attack.lateral_movement\n- attack.g0010\n- attack.credential_access\n- attack.t1098\n- attack.exfiltration\n- attack.t1002\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection1:\n CommandLine:\n - \'*\\ldifde.exe -f -n *\'\n - \'*\\7za.exe a 1.7z *\'\n - \'* eprod.ldf\'\n - \'*\\aaaa\\procdump64.exe*\'\n - \'*\\aaaa\\netsess.exe*\'\n - \'*\\aaaa\\7za.exe*\'\n - \'*copy .\\1.7z \\\\*\'\n - \'*copy \\\\client\\c$\\aaaa\\\\*\'\n selection2:\n Image: C:\\Users\\Public\\7za.exe\n condition: selection1 or selection2\nfalsepositives:\n- unknown\nlevel: critical\n\n
\n}}'),(7438,'Issue',412,15,'T1098'),(7439,'Issue',412,15,'T1002'),(7440,'Issue',413,1,'Mustang Panda Dropper'),(7441,'Issue',413,2,'Florian Roth'),(7442,'Issue',413,8,'https://app.any.run/tasks/7ca5661d-a67b-43ec-98c1-dd7a8103c256/\nhttps://app.any.run/tasks/b12cccf3-1c22-4e28-9d3e-c7a6062f3914/\nhttps://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations'),(7443,'Issue',413,10,'high'),(7444,'Issue',413,13,'community'),(7445,'Issue',413,14,'windows'),(7446,'Issue',413,15,''),(7447,'Issue',413,11,'aad32826a'),(7448,'Issue',413,12,'2d87d610-d760-45ee-a7e6-7a6f2a65de00'),(7449,'Issue',413,16,'win-proc'),(7450,'Issue',413,17,''),(7451,'Issue',413,7,''),(7452,'Issue',413,3,'Detects specific process parameters as used by Mustang Panda droppers'),(7453,'Issue',413,4,''),(7454,'Issue',413,5,'_False Positives_\nUnlikely\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(7455,'Issue',413,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND (process.command_line.keyword:(*Temp\\\\wtask.exe\\ \\/create* OR *%windir\\:\\~\\-3,1%%PUBLIC\\:\\~\\-9,1%* OR *\\/E\\:vbscript\\ *\\ C\\:\\\\Users\\*.txt\\\"\\ \\/F OR *\\/tn\\ \\\"Security\\ Script\\ * OR *%windir\\:\\~\\-1,1%*) OR process.executable.keyword:(*Temp\\\\winwsh.exe)))\nindex: so-*\nname: Mustang Panda Dropper\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(7456,'Issue',413,9,'{{collapse(View Sigma)\n\n\ntitle: Mustang Panda Dropper\nid: 2d87d610-d760-45ee-a7e6-7a6f2a65de00\nstatus: experimental\ndescription: Detects specific process parameters as used by Mustang Panda droppers\nauthor: Florian Roth\ndate: 2019/10/30\nreferences:\n- https://app.any.run/tasks/7ca5661d-a67b-43ec-98c1-dd7a8103c256/\n- https://app.any.run/tasks/b12cccf3-1c22-4e28-9d3e-c7a6062f3914/\n- https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection1:\n CommandLine:\n - \'*Temp\\wtask.exe /create*\'\n - \'*%windir:~-3,1%%PUBLIC:~-9,1%*\'\n - \'*/E:vbscript * C:\\Users\\*.txt\" /F\'\n - \'*/tn \"Security Script *\'\n - \'*%windir:~-1,1%*\'\n selection2:\n Image:\n - \'*Temp\\winwsh.exe\'\n condition: 1 of them\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Unlikely\nlevel: high\n\n
\n}}'),(7457,'Issue',414,1,'Sofacy Trojan Loader Activity'),(7458,'Issue',414,2,'Florian Roth'),(7459,'Issue',414,8,'https://researchcenter.paloaltonetworks.com/2018/02/unit42-sofacy-attacks-multiple-government-entities/\nhttps://www.reverse.it/sample/e3399d4802f9e6d6d539e3ae57e7ea9a54610a7c4155a6541df8e94d67af086e?environmentId=100\nhttps://twitter.com/ClearskySec/status/960924755355369472'),(7460,'Issue',414,10,'critical'),(7461,'Issue',414,13,'community'),(7462,'Issue',414,14,'windows'),(7464,'Issue',414,11,'6b2144b03'),(7465,'Issue',414,12,'ba778144-5e3d-40cf-8af9-e28fb1df1e20'),(7466,'Issue',414,16,'win-proc'),(7467,'Issue',414,17,''),(7468,'Issue',414,7,''),(7469,'Issue',414,3,'Detects Trojan loader acitivty as used by APT28'),(7470,'Issue',414,4,''),(7471,'Issue',414,5,'_False Positives_\nUnknown'),(7472,'Issue',414,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(rundll32.exe\\ %APPDATA%\\\\*.dat\\\",* OR rundll32.exe\\ %APPDATA%\\\\*.dll\\\",#1))\nindex: so-*\nname: Sofacy Trojan Loader Activity\npriority: 1\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(7473,'Issue',414,9,'{{collapse(View Sigma)\n\n\ntitle: Sofacy Trojan Loader Activity\nid: ba778144-5e3d-40cf-8af9-e28fb1df1e20\nauthor: Florian Roth\nstatus: experimental\ndate: 2018/03/01\ndescription: Detects Trojan loader acitivty as used by APT28\nreferences:\n- https://researchcenter.paloaltonetworks.com/2018/02/unit42-sofacy-attacks-multiple-government-entities/\n- https://www.reverse.it/sample/e3399d4802f9e6d6d539e3ae57e7ea9a54610a7c4155a6541df8e94d67af086e?environmentId=100\n- https://twitter.com/ClearskySec/status/960924755355369472\ntags:\n- attack.g0007\n- attack.execution\n- attack.t1059\n- attack.defense_evasion\n- attack.t1085\n- car.2013-10-002\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n CommandLine:\n - rundll32.exe %APPDATA%\\\\*.dat\",*\n - rundll32.exe %APPDATA%\\\\*.dll\",#1\n condition: selection\nfalsepositives:\n- Unknown\nlevel: critical\n\n
\n}}'),(7474,'Issue',414,15,'T1059'),(7475,'Issue',414,15,'T1085'),(7476,'Issue',415,1,'Ps.exe Renamed SysInternals Tool'),(7477,'Issue',415,2,'Florian Roth'),(7478,'Issue',415,8,'https://www.us-cert.gov/ncas/alerts/TA17-293A'),(7479,'Issue',415,10,'high'),(7480,'Issue',415,13,'community'),(7481,'Issue',415,14,'windows'),(7483,'Issue',415,11,'0ec020dd0'),(7484,'Issue',415,12,'18da1007-3f26-470f-875d-f77faf1cab31'),(7485,'Issue',415,16,'win-proc'),(7486,'Issue',415,17,''),(7487,'Issue',415,7,''),(7488,'Issue',415,3,'Detects renamed SysInternals tool execution with a binary named ps.exe as used by Dragonfly APT group and documented in TA17-293A report'),(7489,'Issue',415,4,''),(7490,'Issue',415,5,'_False Positives_\nRenamed SysInternals tool'),(7491,'Issue',415,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line:\"ps.exe\\ \\-accepteula\")\nindex: so-*\nname: Ps.exe Renamed SysInternals Tool\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(7492,'Issue',415,9,'{{collapse(View Sigma)\n\n\ntitle: Ps.exe Renamed SysInternals Tool\nid: 18da1007-3f26-470f-875d-f77faf1cab31\ndescription: Detects renamed SysInternals tool execution with a binary named ps.exe\n as used by Dragonfly APT group and documented in TA17-293A report\nreferences:\n- https://www.us-cert.gov/ncas/alerts/TA17-293A\ntags:\n- attack.defense_evasion\n- attack.g0035\n- attack.t1036\n- car.2013-05-009\nauthor: Florian Roth\ndate: 2017/10/22\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n CommandLine: ps.exe -accepteula\n condition: selection\nfalsepositives:\n- Renamed SysInternals tool\nlevel: high\n\n
\n}}'),(7493,'Issue',415,15,'T1036'),(7494,'Issue',416,1,'TropicTrooper Campaign November 2018'),(7495,'Issue',416,2,'@41thexplorer, Microsoft Defender ATP'),(7496,'Issue',416,8,'https://cloudblogs.microsoft.com/microsoftsecure/2018/11/28/windows-defender-atp-device-risk-score-exposes-new-cyberattack-drives-conditional-access-to-protect-networks/'),(7497,'Issue',416,10,'high'),(7498,'Issue',416,13,'community'),(7499,'Issue',416,14,'windows'),(7501,'Issue',416,11,'95510b4d4'),(7502,'Issue',416,12,'8c7090c3-e0a0-4944-bd08-08c3a0cecf79'),(7503,'Issue',416,16,'win-proc'),(7504,'Issue',416,17,''),(7505,'Issue',416,7,''),(7506,'Issue',416,3,'Detects TropicTrooper activity, an actor who targeted high-profile organizations in the energy and food and beverage sectors in Asia'),(7507,'Issue',416,4,''),(7508,'Issue',416,5,'_False Positives_\n Unknown'),(7509,'Issue',416,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:*abCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCc*)\nindex: so-*\nname: TropicTrooper Campaign November 2018\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(7510,'Issue',416,9,'{{collapse(View Sigma)\n\n\ntitle: TropicTrooper Campaign November 2018\nid: 8c7090c3-e0a0-4944-bd08-08c3a0cecf79\nauthor: \'@41thexplorer, Microsoft Defender ATP\'\nstatus: stable\ndate: 2019/11/12\ndescription: Detects TropicTrooper activity, an actor who targeted high-profile organizations\n in the energy and food and beverage sectors in Asia\nreferences:\n- https://cloudblogs.microsoft.com/microsoftsecure/2018/11/28/windows-defender-atp-device-risk-score-exposes-new-cyberattack-drives-conditional-access-to-protect-networks/\ntags:\n- attack.execution\n- attack.t1085\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n CommandLine: \'*abCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCc*\'\n condition: selection\nlevel: high\n\n
\n}}'),(7511,'Issue',416,15,'T1085'),(7512,'Issue',417,1,'Winnti Malware HK University Campaign'),(7513,'Issue',417,2,'Florian Roth, Markus Neis'),(7514,'Issue',417,8,'https://www.welivesecurity.com/2020/01/31/winnti-group-targeting-universities-hong-kong/'),(7515,'Issue',417,10,'critical'),(7516,'Issue',417,13,'community'),(7517,'Issue',417,14,'windows'),(7519,'Issue',417,11,'c6c18314b'),(7520,'Issue',417,12,'3121461b-5aa0-4a41-b910-66d25524edbb'),(7521,'Issue',417,16,'win-proc'),(7522,'Issue',417,17,''),(7523,'Issue',417,7,''),(7524,'Issue',417,3,'Detects specific process characteristics of Winnti malware noticed in Dec/Jan 2020 in a campaign against Honk Kong universities'),(7525,'Issue',417,4,''),(7526,'Issue',417,5,'_False Positives_\nUnlikely'),(7527,'Issue',417,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND ((process.parent.executable.keyword:(*C\\:\\\\Windows\\\\Temp* OR *\\\\hpqhvind.exe*) AND process.executable.keyword:C\\:\\\\ProgramData\\\\DRM*) OR (process.parent.executable.keyword:C\\:\\\\ProgramData\\\\DRM* AND process.executable.keyword:*\\\\wmplayer.exe) OR (process.parent.executable.keyword:*\\\\Test.exe AND process.executable.keyword:*\\\\wmplayer.exe) OR process.executable:\"C\\:\\\\ProgramData\\\\DRM\\\\CLR\\\\CLR.exe\" OR (process.parent.executable.keyword:C\\:\\\\ProgramData\\\\DRM\\\\Windows* AND process.executable.keyword:*\\\\SearchFilterHost.exe)))\nindex: so-*\nname: Winnti Malware HK University Campaign\npriority: 1\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(7528,'Issue',417,9,'{{collapse(View Sigma)\n\n\ntitle: Winnti Malware HK University Campaign\nid: 3121461b-5aa0-4a41-b910-66d25524edbb\nstatus: experimental\ndescription: Detects specific process characteristics of Winnti malware noticed in\n Dec/Jan 2020 in a campaign against Honk Kong universities\nreferences:\n- https://www.welivesecurity.com/2020/01/31/winnti-group-targeting-universities-hong-kong/\ntags:\n- attack.defense_evasion\n- attack.t1073\n- attack.g0044\nauthor: Florian Roth, Markus Neis\ndate: 2020/02/01\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection1:\n ParentImage|contains:\n - C:\\Windows\\Temp\n - \\hpqhvind.exe\n Image|startswith: C:\\ProgramData\\DRM\n selection2:\n ParentImage|startswith: C:\\ProgramData\\DRM\n Image|endswith: \\wmplayer.exe\n selection3:\n ParentImage|endswith: \\Test.exe\n Image|endswith: \\wmplayer.exe\n selection4:\n Image: C:\\ProgramData\\DRM\\CLR\\CLR.exe\n selection5:\n ParentImage|startswith: C:\\ProgramData\\DRM\\Windows\n Image|endswith: \\SearchFilterHost.exe\n condition: 1 of them\nfalsepositives:\n- Unlikely\nlevel: critical\n\n
\n}}'),(7529,'Issue',417,15,'T1073'),(7530,'Issue',418,1,'ZxShell Malware'),(7531,'Issue',418,2,'Florian Roth'),(7532,'Issue',418,8,'https://www.hybrid-analysis.com/sample/5d2a4cde9fa7c2fdbf39b2e2ffd23378d0c50701a3095d1e91e3cf922d7b0b16?environmentId=100'),(7533,'Issue',418,10,'critical'),(7534,'Issue',418,13,'community'),(7535,'Issue',418,14,'windows'),(7537,'Issue',418,11,'948a1b3c3'),(7538,'Issue',418,12,'f0b70adb-0075-43b0-9745-e82a1c608fcc'),(7539,'Issue',418,16,'win-proc'),(7540,'Issue',418,17,''),(7541,'Issue',418,7,''),(7542,'Issue',418,3,'Detects a ZxShell start by the called and well-known function name'),(7543,'Issue',418,4,''),(7544,'Issue',418,5,'_False Positives_\nUnlikely\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(7545,'Issue',418,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND Command.keyword:(rundll32.exe\\ *,zxFunction* OR rundll32.exe\\ *,RemoteDiskXXXXX))\nindex: so-*\nname: ZxShell Malware\npriority: 1\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(7546,'Issue',418,9,'{{collapse(View Sigma)\n\n\ntitle: ZxShell Malware\nid: f0b70adb-0075-43b0-9745-e82a1c608fcc\ndescription: Detects a ZxShell start by the called and well-known function name\nauthor: Florian Roth\ndate: 2017/07/20\nreferences:\n- https://www.hybrid-analysis.com/sample/5d2a4cde9fa7c2fdbf39b2e2ffd23378d0c50701a3095d1e91e3cf922d7b0b16?environmentId=100\ntags:\n- attack.g0001\n- attack.execution\n- attack.t1059\n- attack.defense_evasion\n- attack.t1085\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n Command:\n - rundll32.exe *,zxFunction*\n - rundll32.exe *,RemoteDiskXXXXX\n condition: selection\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Unlikely\nlevel: critical\n\n
\n}}'),(7547,'Issue',418,15,'T1059'),(7548,'Issue',418,15,'T1085'),(7549,'Issue',419,1,'Hiding Files with Attrib.exe'),(7550,'Issue',419,2,'Sami Ruohonen'),(7551,'Issue',419,8,'none'),(7552,'Issue',419,10,'low'),(7553,'Issue',419,13,'community'),(7554,'Issue',419,14,'windows'),(7556,'Issue',419,11,'3ac07f0c1'),(7557,'Issue',419,12,'4281cb20-2994-4580-aa63-c8b86d019934'),(7558,'Issue',419,16,'win-proc'),(7559,'Issue',419,17,''),(7560,'Issue',419,7,''),(7561,'Issue',419,3,'Detects usage of attrib.exe to hide files from users.'),(7562,'Issue',419,4,''),(7563,'Issue',419,5,'_False Positives_\nigfxCUIService.exe hiding *.cui files via .bat script (attrib.exe a child of cmd.exe and igfxCUIService.exe is the parent of the cmd.exe)\nmsiexec.exe hiding desktop.ini\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine\nUser'),(7564,'Issue',419,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (process.executable.keyword:*\\\\attrib.exe AND process.command_line.keyword:*\\ \\+h\\ *) AND (NOT (((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND (process.command_line.keyword:*\\\\desktop.ini\\ * OR (process.parent.executable.keyword:*\\\\cmd.exe AND process.command_line.keyword:\\+R\\ \\+H\\ \\+S\\ \\+A\\ \\\\*.cui AND process.parent.command_line.keyword:C\\:\\\\WINDOWS\\\\system32\\\\*.bat))))))\nindex: so-*\nname: Hiding Files with Attrib.exe\npriority: 4\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(7565,'Issue',419,9,'{{collapse(View Sigma)\n\n\ntitle: Hiding Files with Attrib.exe\nid: 4281cb20-2994-4580-aa63-c8b86d019934\nstatus: experimental\ndescription: Detects usage of attrib.exe to hide files from users.\nauthor: Sami Ruohonen\ndate: 2019/01/16\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n Image: \'*\\attrib.exe\'\n CommandLine: \'* +h *\'\n ini:\n CommandLine: \'*\\desktop.ini *\'\n intel:\n ParentImage: \'*\\cmd.exe\'\n CommandLine: +R +H +S +A \\\\*.cui\n ParentCommandLine: C:\\WINDOWS\\system32\\\\*.bat\n condition: selection and not (ini or intel)\nfields:\n- CommandLine\n- ParentCommandLine\n- User\ntags:\n- attack.defense_evasion\n- attack.persistence\n- attack.t1158\nfalsepositives:\n- igfxCUIService.exe hiding *.cui files via .bat script (attrib.exe a child of cmd.exe\n and igfxCUIService.exe is the parent of the cmd.exe)\n- msiexec.exe hiding desktop.ini\nlevel: low\n\n
\n}}'),(7566,'Issue',419,15,'T1158'),(7567,'Issue',420,1,'Modification of Boot Configuration'),(7568,'Issue',420,2,'E.M. Anhaus (orignally from Atomic Blue Detections, Endgame), oscd.community'),(7569,'Issue',420,8,'https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.yaml\nhttps://eqllib.readthedocs.io/en/latest/analytics/c4732632-9c1d-4980-9fa8-1d98c93f918e.html'),(7570,'Issue',420,10,'high'),(7571,'Issue',420,13,'community'),(7572,'Issue',420,14,'windows'),(7574,'Issue',420,11,'af9bb527e'),(7575,'Issue',420,12,'1444443e-6757-43e4-9ea4-c8fc705f79a2'),(7576,'Issue',420,16,'win-proc'),(7577,'Issue',420,17,''),(7578,'Issue',420,7,''),(7579,'Issue',420,3,'Identifies use of the bcdedit command to delete boot configuration data. This tactic is sometimes used as by malware or an attacker as a destructive technique.'),(7580,'Issue',420,4,''),(7581,'Issue',420,5,'_False Positives_\nUnlikely\n\n_Interesting Log Fields_\nComputerName\nUser\nCommandLine'),(7582,'Issue',420,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (process.executable.keyword:*\\\\bcdedit.exe AND process.command_line:\"set\") AND ((process.command_line.keyword:*bootstatuspolicy* AND process.command_line.keyword:*ignoreallfailures*) OR (process.command_line.keyword:*recoveryenabled* AND process.command_line.keyword:*no*)))\nindex: so-*\nname: Modification of Boot Configuration\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(7583,'Issue',420,9,'{{collapse(View Sigma)\n\n\ntitle: Modification of Boot Configuration\nid: 1444443e-6757-43e4-9ea4-c8fc705f79a2\ndescription: Identifies use of the bcdedit command to delete boot configuration data.\n This tactic is sometimes used as by malware or an attacker as a destructive technique.\nstatus: experimental\nauthor: E.M. Anhaus (orignally from Atomic Blue Detections, Endgame), oscd.community\ndate: 2019/10/24\nmodified: 2019/11/11\nreferences:\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.yaml\n- https://eqllib.readthedocs.io/en/latest/analytics/c4732632-9c1d-4980-9fa8-1d98c93f918e.html\ntags:\n- attack.impact\n- attack.t1490\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection1:\n Image|endswith: \\bcdedit.exe\n CommandLine: set\n selection2:\n - CommandLine|contains|all:\n - bootstatuspolicy\n - ignoreallfailures\n - CommandLine|contains|all:\n - recoveryenabled\n - no\n condition: selection1 and selection2\nfields:\n- ComputerName\n- User\n- CommandLine\nfalsepositives:\n- Unlikely\nlevel: high\n\n
\n}}'),(7584,'Issue',420,15,'T1490'),(7585,'Issue',421,1,'SquiblyTwo'),(7586,'Issue',421,2,'Markus Neis / Florian Roth'),(7587,'Issue',421,8,'https://subt0x11.blogspot.ch/2018/04/wmicexe-whitelisting-bypass-hacking.html\nhttps://twitter.com/mattifestation/status/986280382042595328'),(7588,'Issue',421,10,'medium'),(7589,'Issue',421,13,'community'),(7590,'Issue',421,14,'windows'),(7592,'Issue',421,11,'0eab446eb'),(7593,'Issue',421,12,'8d63dadf-b91b-4187-87b6-34a1114577ea'),(7594,'Issue',421,16,'win-proc'),(7595,'Issue',421,17,''),(7596,'Issue',421,7,''),(7597,'Issue',421,3,'Detects WMI SquiblyTwo Attack with possible renamed WMI by looking for imphash'),(7598,'Issue',421,4,''),(7599,'Issue',421,5,'_False Positives_\nUnknown'),(7600,'Issue',421,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND ((process.executable.keyword:(*\\\\wmic.exe) AND process.command_line.keyword:(wmic\\ *\\ *format\\:\\\\\\\"http* OR wmic\\ *\\ \\/format\\:\'http OR wmic\\ *\\ \\/format\\:http*)) OR (event_data.Imphash:(\"1B1A3F43BF37B5BFE60751F2EE2F326E\" OR \"37777A96245A3C74EB217308F3546F4C\" OR \"9D87C9D67CE724033C0B40CC4CA1B206\") AND process.command_line.keyword:(*\\ *format\\:\\\\\\\"http* OR *\\ \\/format\\:\'http OR *\\ \\/format\\:http*))))\nindex: so-*\nname: SquiblyTwo\npriority: 3\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(7601,'Issue',421,9,'{{collapse(View Sigma)\n\n\ntitle: SquiblyTwo\nid: 8d63dadf-b91b-4187-87b6-34a1114577ea\nstatus: experimental\ndescription: Detects WMI SquiblyTwo Attack with possible renamed WMI by looking for\n imphash\nreferences:\n- https://subt0x11.blogspot.ch/2018/04/wmicexe-whitelisting-bypass-hacking.html\n- https://twitter.com/mattifestation/status/986280382042595328\ntags:\n- attack.defense_evasion\n- attack.t1047\nauthor: Markus Neis / Florian Roth\ndate: 2019/01/16\nfalsepositives:\n- Unknown\nlevel: medium\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection1:\n Image:\n - \'*\\wmic.exe\'\n CommandLine:\n - wmic * *format:\\\"http*\n - wmic * /format:\'http\n - wmic * /format:http*\n selection2:\n Imphash:\n - 1B1A3F43BF37B5BFE60751F2EE2F326E\n - 37777A96245A3C74EB217308F3546F4C\n - 9D87C9D67CE724033C0B40CC4CA1B206\n CommandLine:\n - \'* *format:\\\"http*\'\n - \"* /format:\'http\"\n - \'* /format:http*\'\n condition: 1 of them\n\n
\n}}'),(7602,'Issue',421,15,'T1047'),(7603,'Issue',422,1,'Change Default File Association'),(7604,'Issue',422,2,'Timur Zinniatullin, oscd.community'),(7605,'Issue',422,8,'https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1042/T1042.yaml'),(7606,'Issue',422,10,'low'),(7607,'Issue',422,13,'community'),(7608,'Issue',422,14,'windows'),(7610,'Issue',422,11,'d63bbd05e'),(7611,'Issue',422,12,'3d3aa6cd-6272-44d6-8afc-7e88dfef7061'),(7612,'Issue',422,16,'win-proc'),(7613,'Issue',422,17,''),(7614,'Issue',422,7,''),(7615,'Issue',422,3,'When a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access or by administrators using the built-in assoc utility. Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened.'),(7616,'Issue',422,4,''),(7617,'Issue',422,5,'_False Positives_\nAdmin activity\n\n_Interesting Log Fields_\nImage\nCommandLine\nUser\nLogonGuid\nHashes\nParentProcessGuid\nParentCommandLine'),(7618,'Issue',422,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:*cmd* AND process.command_line.keyword:*\\/c* AND process.command_line.keyword:*assoc*)\nindex: so-*\nname: Change Default File Association\npriority: 4\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(7619,'Issue',422,9,'{{collapse(View Sigma)\n\n\ntitle: Change Default File Association\nid: 3d3aa6cd-6272-44d6-8afc-7e88dfef7061\nstatus: experimental\ndescription: When a file is opened, the default program used to open the file (also\n called the file association or handler) is checked. File association selections\n are stored in the Windows Registry and can be edited by users, administrators, or\n programs that have Registry access or by administrators using the built-in assoc\n utility. Applications can modify the file association for a given file extension\n to call an arbitrary program when a file with the given extension is opened.\nauthor: Timur Zinniatullin, oscd.community\ndate: 2019/10/21\nmodified: 2019/11/04\nreferences:\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1042/T1042.yaml\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n CommandLine|contains|all:\n - cmd\n - /c\n - assoc\n condition: selection\nfalsepositives:\n- Admin activity\nfields:\n- Image\n- CommandLine\n- User\n- LogonGuid\n- Hashes\n- ParentProcessGuid\n- ParentCommandLine\nlevel: low\ntags:\n- attack.persistence\n- attack.t1042\n\n
\n}}'),(7620,'Issue',422,15,'T1042'),(7621,'Issue',423,1,'Cmdkey Cached Credentials Recon'),(7622,'Issue',423,2,'jmallette'),(7623,'Issue',423,8,'https://www.peew.pw/blog/2017/11/26/exploring-cmdkey-an-edge-case-for-privilege-escalation\nhttps://technet.microsoft.com/en-us/library/cc754243(v=ws.11).aspx'),(7624,'Issue',423,10,'low'),(7625,'Issue',423,13,'community'),(7626,'Issue',423,14,'windows'),(7628,'Issue',423,11,'38a2cfd6c'),(7629,'Issue',423,12,'07f8bdc2-c9b3-472a-9817-5a670b872f53'),(7630,'Issue',423,16,'win-proc'),(7631,'Issue',423,17,''),(7632,'Issue',423,7,''),(7633,'Issue',423,3,'Detects usage of cmdkey to look for cached credentials'),(7634,'Issue',423,4,''),(7635,'Issue',423,5,'_False Positives_\nLegitimate administrative tasks.\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine\nUser'),(7636,'Issue',423,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\cmdkey.exe AND process.command_line.keyword:*\\ \\/list\\ *)\nindex: so-*\nname: Cmdkey Cached Credentials Recon\npriority: 4\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(7637,'Issue',423,9,'{{collapse(View Sigma)\n\n\ntitle: Cmdkey Cached Credentials Recon\nid: 07f8bdc2-c9b3-472a-9817-5a670b872f53\nstatus: experimental\ndescription: Detects usage of cmdkey to look for cached credentials\nreferences:\n- https://www.peew.pw/blog/2017/11/26/exploring-cmdkey-an-edge-case-for-privilege-escalation\n- https://technet.microsoft.com/en-us/library/cc754243(v=ws.11).aspx\nauthor: jmallette\ndate: 2019/01/16\ntags:\n- attack.credential_access\n- attack.t1003\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n Image: \'*\\cmdkey.exe\'\n CommandLine: \'* /list *\'\n condition: selection\nfields:\n- CommandLine\n- ParentCommandLine\n- User\nfalsepositives:\n- Legitimate administrative tasks.\nlevel: low\n\n
\n}}'),(7638,'Issue',423,15,'T1003'),(7639,'Issue',424,1,'CMSTP UAC Bypass via COM Object Access'),(7640,'Issue',424,2,'Nik Seetharaman'),(7641,'Issue',424,8,'http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/\nhttps://twitter.com/hFireF0X/status/897640081053364225'),(7642,'Issue',424,10,'high'),(7643,'Issue',424,13,'community'),(7644,'Issue',424,14,'windows'),(7646,'Issue',424,11,'bdaa50dae'),(7647,'Issue',424,12,'4b60e6f2-bf39-47b4-b4ea-398e33cfe253'),(7648,'Issue',424,16,'win-proc'),(7649,'Issue',424,17,''),(7650,'Issue',424,7,''),(7651,'Issue',424,3,'Detects UAC Bypass Attempt Using Microsoft Connection Manager Profile Installer Autoelevate-capable COM Objects'),(7652,'Issue',424,4,''),(7653,'Issue',424,5,'_False Positives_\nLegitimate CMSTP use (unlikely in modern enterprise environments)\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine\nHashes'),(7654,'Issue',424,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.parent.command_line.keyword:*\\\\DllHost.exe AND process.parent.command_line.keyword:(*\\{3E5FC7F9\\-9A51\\-4367\\-9063\\-A120244FBEC7\\} OR *\\{3E000D72\\-A845\\-4CD9\\-BD83\\-80C07C3B881F\\}))\nindex: so-*\nname: CMSTP UAC Bypass via COM Object Access\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(7655,'Issue',424,9,'{{collapse(View Sigma)\n\n\ntitle: CMSTP UAC Bypass via COM Object Access\nid: 4b60e6f2-bf39-47b4-b4ea-398e33cfe253\nstatus: stable\ndescription: Detects UAC Bypass Attempt Using Microsoft Connection Manager Profile\n Installer Autoelevate-capable COM Objects\ntags:\n- attack.defense_evasion\n- attack.privilege_escalation\n- attack.execution\n- attack.t1088\n- attack.t1191\n- attack.g0069\n- car.2019-04-001\nauthor: Nik Seetharaman\nmodified: 2019/07/31\ndate: 2019/01/16\nreferences:\n- http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/\n- https://twitter.com/hFireF0X/status/897640081053364225\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection1:\n ParentCommandLine: \'*\\DllHost.exe\'\n selection2:\n ParentCommandLine:\n - \'*{3E5FC7F9-9A51-4367-9063-A120244FBEC7}\'\n - \'*{3E000D72-A845-4CD9-BD83-80C07C3B881F}\'\n condition: selection1 and selection2\nfields:\n- CommandLine\n- ParentCommandLine\n- Hashes\nfalsepositives:\n- Legitimate CMSTP use (unlikely in modern enterprise environments)\nlevel: high\n\n
\n}}'),(7656,'Issue',424,15,'T1088'),(7657,'Issue',424,15,'T1191'),(7658,'Issue',425,1,'Control Panel Items'),(7659,'Issue',425,2,'Kyaw Min Thein'),(7660,'Issue',425,8,'none'),(7661,'Issue',425,10,'critical'),(7662,'Issue',425,13,'community'),(7663,'Issue',425,14,'windows'),(7665,'Issue',425,11,'10df22d5c'),(7666,'Issue',425,12,'0ba863e6-def5-4e50-9cea-4dd8c7dc46a4'),(7667,'Issue',425,16,'win-proc'),(7668,'Issue',425,17,''),(7669,'Issue',425,7,''),(7670,'Issue',425,3,'Detects the use of a control panel item (.cpl) outside of the System32 folder'),(7671,'Issue',425,4,''),(7672,'Issue',425,5,'_False Positives_\nUnknown'),(7673,'Issue',425,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:*.cpl AND (NOT (process.command_line.keyword:(*\\\\System32\\\\* OR *%System%*))))\nindex: so-*\nname: Control Panel Items\npriority: 1\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(7674,'Issue',425,9,'{{collapse(View Sigma)\n\n\ntitle: Control Panel Items\nid: 0ba863e6-def5-4e50-9cea-4dd8c7dc46a4\nstatus: experimental\ndescription: Detects the use of a control panel item (.cpl) outside of the System32\n folder\nreference:\n- https://attack.mitre.org/techniques/T1196/\ntags:\n- attack.execution\n- attack.t1196\n- attack.defense_evasion\nauthor: Kyaw Min Thein\ndate: 2019/08/27\nlevel: critical\nlogsource:\n product: windows\n category: process_creation\ndetection:\n selection:\n CommandLine: \'*.cpl\'\n filter:\n CommandLine:\n - \'*\\System32\\\\*\'\n - \'*%System%*\'\n condition: selection and not filter\nfalsepositives:\n- Unknown\n\n
\n}}'),(7675,'Issue',425,15,'T1196'),(7676,'Issue',426,1,'Copying Sensitive Files with Credential Data'),(7677,'Issue',426,2,'Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community'),(7678,'Issue',426,8,'https://room362.com/post/2013/2013-06-10-volume-shadow-copy-ntdsdit-domain-hashes-remotely-part-1/\nhttps://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment\nhttps://dfironthemountain.wordpress.com/2018/12/06/locked-file-access-using-esentutl-exe/'),(7679,'Issue',426,10,'high'),(7680,'Issue',426,13,'community'),(7681,'Issue',426,14,'windows'),(7683,'Issue',426,11,'7971e8131'),(7684,'Issue',426,12,'e7be6119-fc37-43f0-ad4f-1f3f99be2f9f'),(7685,'Issue',426,16,'win-proc'),(7686,'Issue',426,17,''),(7687,'Issue',426,7,''),(7688,'Issue',426,3,'Files with well-known filenames (sensitive files with credential data) copying'),(7689,'Issue',426,4,''),(7690,'Issue',426,5,'_False Positives_\nCopying sensitive files for legitimate use (eg. backup) or forensic investigation by legitimate incident responder or forensic invetigator'),(7691,'Issue',426,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND ((process.executable.keyword:*\\\\esentutl.exe AND process.command_line.keyword:(*vss* OR *\\ \\/m\\ * OR *\\ \\/y\\ *)) OR process.command_line.keyword:(*\\\\windows\\\\ntds\\\\ntds.dit* OR *\\\\config\\\\sam* OR *\\\\config\\\\security* OR *\\\\config\\\\system\\ * OR *\\\\repair\\\\sam* OR *\\\\repair\\\\system* OR *\\\\repair\\\\security* OR *\\\\config\\\\RegBack\\\\sam* OR *\\\\config\\\\RegBack\\\\system* OR *\\\\config\\\\RegBack\\\\security*)))\nindex: so-*\nname: Copying Sensitive Files with Credential Data\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(7692,'Issue',426,9,'{{collapse(View Sigma)\n\n\ntitle: Copying Sensitive Files with Credential Data\nid: e7be6119-fc37-43f0-ad4f-1f3f99be2f9f\ndescription: Files with well-known filenames (sensitive files with credential data)\n copying\nstatus: experimental\nauthor: Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community\ndate: 2019/10/22\nmodified: 2019/11/13\nreferences:\n- https://room362.com/post/2013/2013-06-10-volume-shadow-copy-ntdsdit-domain-hashes-remotely-part-1/\n- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment\n- https://dfironthemountain.wordpress.com/2018/12/06/locked-file-access-using-esentutl-exe/\ntags:\n- attack.credential_access\n- attack.t1003\n- car.2013-07-001\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n - Image|endswith: \\esentutl.exe\n CommandLine|contains:\n - vss\n - \' /m \'\n - \' /y \'\n - CommandLine|contains:\n - \\windows\\ntds\\ntds.dit\n - \\config\\sam\n - \\config\\security\n - \'\\config\\system \'\n - \\repair\\sam\n - \\repair\\system\n - \\repair\\security\n - \\config\\RegBack\\sam\n - \\config\\RegBack\\system\n - \\config\\RegBack\\security\n condition: selection\nfalsepositives:\n- Copying sensitive files for legitimate use (eg. backup) or forensic investigation\n by legitimate incident responder or forensic invetigator\nlevel: high\n\n
\n}}'),(7693,'Issue',426,15,'T1003'),(7694,'Issue',427,1,'Fireball Archer Install'),(7695,'Issue',427,2,'Florian Roth'),(7696,'Issue',427,8,'https://www.virustotal.com/en/file/9b4971349ae85aa09c0a69852ed3e626c954954a3927b3d1b6646f139b930022/analysis/\nhttps://www.hybrid-analysis.com/sample/9b4971349ae85aa09c0a69852ed3e626c954954a3927b3d1b6646f139b930022?environmentId=100'),(7697,'Issue',427,10,'high'),(7698,'Issue',427,13,'community'),(7699,'Issue',427,14,'windows'),(7701,'Issue',427,11,'7652cf061'),(7702,'Issue',427,12,'3d4aebe0-6d29-45b2-a8a4-3dfde586a26d'),(7703,'Issue',427,16,'win-proc'),(7704,'Issue',427,17,''),(7705,'Issue',427,7,''),(7706,'Issue',427,3,'Detects Archer malware invocation via rundll32'),(7707,'Issue',427,4,''),(7708,'Issue',427,5,'_False Positives_\nUnknown\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(7709,'Issue',427,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:*\\\\rundll32.exe\\ *,InstallArcherSvc)\nindex: so-*\nname: Fireball Archer Install\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(7710,'Issue',427,9,'{{collapse(View Sigma)\n\n\ntitle: Fireball Archer Install\nid: 3d4aebe0-6d29-45b2-a8a4-3dfde586a26d\nstatus: experimental\ndescription: Detects Archer malware invocation via rundll32\nauthor: Florian Roth\ndate: 2017/06/03\nreferences:\n- https://www.virustotal.com/en/file/9b4971349ae85aa09c0a69852ed3e626c954954a3927b3d1b6646f139b930022/analysis/\n- https://www.hybrid-analysis.com/sample/9b4971349ae85aa09c0a69852ed3e626c954954a3927b3d1b6646f139b930022?environmentId=100\ntags:\n- attack.execution\n- attack.t1059\n- attack.defense_evasion\n- attack.t1085\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n CommandLine: \'*\\rundll32.exe *,InstallArcherSvc\'\n condition: selection\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(7711,'Issue',427,15,'T1059'),(7712,'Issue',427,15,'T1085'),(7713,'Issue',428,1,'Data Compressed - rar.exe'),(7714,'Issue',428,2,'Timur Zinniatullin, E.M. Anhaus, oscd.community'),(7715,'Issue',428,8,'https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1002/T1002.yaml\nhttps://eqllib.readthedocs.io/en/latest/analytics/1ec33c93-3d0b-4a28-8014-dbdaae5c60ae.html'),(7716,'Issue',428,10,'low'),(7717,'Issue',428,13,'community'),(7718,'Issue',428,14,'windows'),(7720,'Issue',428,11,'d76dd00e5'),(7721,'Issue',428,12,'6f3e2987-db24-4c78-a860-b4f4095a7095'),(7722,'Issue',428,16,'win-proc'),(7723,'Issue',428,17,''),(7724,'Issue',428,7,''),(7725,'Issue',428,3,'An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network'),(7726,'Issue',428,4,''),(7727,'Issue',428,5,'_False Positives_\nhighly likely if rar is default archiver in the monitored environment\n\n_Interesting Log Fields_\nImage\nCommandLine\nUser\nLogonGuid\nHashes\nParentProcessGuid\nParentCommandLine'),(7728,'Issue',428,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\rar.exe AND process.command_line.keyword:*\\ a\\ *)\nindex: so-*\nname: Data Compressed - rar.exe\npriority: 4\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(7729,'Issue',428,9,'{{collapse(View Sigma)\n\n\ntitle: Data Compressed - rar.exe\nid: 6f3e2987-db24-4c78-a860-b4f4095a7095\nstatus: experimental\ndescription: An adversary may compress data (e.g., sensitive documents) that is collected\n prior to exfiltration in order to make it portable and minimize the amount of data\n sent over the network\nauthor: Timur Zinniatullin, E.M. Anhaus, oscd.community\ndate: 2019/10/21\nmodified: 2019/11/04\nreferences:\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1002/T1002.yaml\n- https://eqllib.readthedocs.io/en/latest/analytics/1ec33c93-3d0b-4a28-8014-dbdaae5c60ae.html\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n Image|endswith: \\rar.exe\n CommandLine|contains: \' a \'\n condition: selection\nfields:\n- Image\n- CommandLine\n- User\n- LogonGuid\n- Hashes\n- ParentProcessGuid\n- ParentCommandLine\nfalsepositives:\n- highly likely if rar is default archiver in the monitored environment\nlevel: low\ntags:\n- attack.exfiltration\n- attack.t1002\n\n
\n}}'),(7730,'Issue',428,15,'T1002'),(7731,'Issue',429,1,'Domain Trust Discovery'),(7732,'Issue',429,2,'Jakob Weinzettl, oscd.community'),(7733,'Issue',429,8,'https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1482/T1482.yaml'),(7734,'Issue',429,10,'medium'),(7735,'Issue',429,13,'community'),(7736,'Issue',429,14,'windows'),(7738,'Issue',429,11,'16e2ea51f'),(7739,'Issue',429,12,'77815820-246c-47b8-9741-e0def3f57308'),(7740,'Issue',429,16,'win-proc'),(7741,'Issue',429,17,''),(7742,'Issue',429,7,''),(7743,'Issue',429,3,'Detects a discovery of domain trusts'),(7744,'Issue',429,4,''),(7745,'Issue',429,5,'_False Positives_\nAdministration of systems'),(7746,'Issue',429,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND ((process.executable.keyword:*\\\\dsquery.exe AND process.command_line.keyword:*\\-filter* AND process.command_line.keyword:*trustedDomain*) OR (process.executable.keyword:*\\\\nltest.exe AND process.command_line.keyword:*domain_trusts*)))\nindex: so-*\nname: Domain Trust Discovery\npriority: 3\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(7747,'Issue',429,9,'{{collapse(View Sigma)\n\n\ntitle: Domain Trust Discovery\nid: 77815820-246c-47b8-9741-e0def3f57308\nstatus: experimental\ndescription: Detects a discovery of domain trusts\nreferences:\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1482/T1482.yaml\nauthor: Jakob Weinzettl, oscd.community\ndate: 2019/10/23\nmodified: 2019/11/08\ntags:\n- attack.discovery\n- attack.t1482\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n - Image|endswith: \\dsquery.exe\n CommandLine|contains|all:\n - -filter\n - trustedDomain\n - Image|endswith: \\nltest.exe\n CommandLine|contains: domain_trusts\n condition: selection\nfalsepositives:\n- Administration of systems\nlevel: medium\n\n
\n}}'),(7748,'Issue',429,15,'T1482'),(7749,'Issue',430,1,'Encoded FromBase64String'),(7750,'Issue',430,2,'Florian Roth'),(7751,'Issue',430,8,'none'),(7752,'Issue',430,10,'critical'),(7753,'Issue',430,13,'community'),(7754,'Issue',430,14,'windows'),(7756,'Issue',430,11,'ad3c56884'),(7757,'Issue',430,12,'fdb62a13-9a81-4e5c-a38f-ea93a16f6d7c'),(7758,'Issue',430,16,'win-proc'),(7759,'Issue',430,17,''),(7760,'Issue',430,7,''),(7761,'Issue',430,3,'Detects a base64 encoded FromBase64String keyword in a process command line'),(7762,'Issue',430,4,''),(7763,'Issue',430,5,'_False Positives_\nunknown\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(7764,'Issue',430,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(*OjpGcm9tQmFzZTY0U3RyaW5n* OR *o6RnJvbUJhc2U2NFN0cmluZ* OR *6OkZyb21CYXNlNjRTdHJpbm*))\nindex: so-*\nname: Encoded FromBase64String\npriority: 1\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(7765,'Issue',430,9,'{{collapse(View Sigma)\n\n\ntitle: Encoded FromBase64String\nid: fdb62a13-9a81-4e5c-a38f-ea93a16f6d7c\nstatus: experimental\ndescription: Detects a base64 encoded FromBase64String keyword in a process command\n line\nauthor: Florian Roth\ndate: 2019/08/24\ntags:\n- attack.t1086\n- attack.t1140\n- attack.execution\n- attack.defense_evasion\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n CommandLine|base64offset|contains: ::FromBase64String\n condition: selection\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- unknown\nlevel: critical\n\n
\n}}'),(7766,'Issue',430,15,'T1086'),(7767,'Issue',430,15,'T1140'),(7768,'Issue',431,1,'Encoded IEX'),(7769,'Issue',431,2,'Florian Roth'),(7770,'Issue',431,8,'none'),(7771,'Issue',431,10,'critical'),(7772,'Issue',431,13,'community'),(7773,'Issue',431,14,'windows'),(7775,'Issue',431,11,'111891242'),(7776,'Issue',431,12,'88f680b8-070e-402c-ae11-d2914f2257f1'),(7777,'Issue',431,16,'win-proc'),(7778,'Issue',431,17,''),(7779,'Issue',431,7,''),(7780,'Issue',431,3,'Detects a base64 encoded IEX command string in a process command line'),(7781,'Issue',431,4,''),(7782,'Issue',431,5,'_False Positives_\nunknown\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(7783,'Issue',431,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(*SUVYIChb* OR *lFWCAoW* OR *JRVggKF* OR *aWV4IChb* OR *lleCAoW* OR *pZXggKF* OR *aWV4IChOZX* OR *lleCAoTmV3* OR *pZXggKE5ld* OR *SUVYIChOZX* OR *lFWCAoTmV3* OR *JRVggKE5ld*))\nindex: so-*\nname: Encoded IEX\npriority: 1\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(7784,'Issue',431,9,'{{collapse(View Sigma)\n\n\ntitle: Encoded IEX\nid: 88f680b8-070e-402c-ae11-d2914f2257f1\nstatus: experimental\ndescription: Detects a base64 encoded IEX command string in a process command line\nauthor: Florian Roth\ndate: 2019/08/23\ntags:\n- attack.t1086\n- attack.t1140\n- attack.execution\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n CommandLine|base64offset|contains:\n - IEX ([\n - iex ([\n - iex (New\n - IEX (New\n condition: selection\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- unknown\nlevel: critical\n\n
\n}}'),(7785,'Issue',431,15,'T1086'),(7786,'Issue',431,15,'T1140'),(7787,'Issue',432,1,'Disable of ETW Trace'),(7788,'Issue',432,2,'@neu5ron, Florian Roth'),(7789,'Issue',432,8,'https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil\nhttps://github.com/Neo23x0/sigma/blob/master/rules/windows/process_creation/win_mal_lockergoga.yml\nhttps://abuse.io/lockergoga.txt'),(7790,'Issue',432,10,'high'),(7791,'Issue',432,13,'community'),(7792,'Issue',432,14,'windows'),(7794,'Issue',432,11,'f0cec20a1'),(7795,'Issue',432,12,'a238b5d0-ce2d-4414-a676-7a531b3d13d6'),(7796,'Issue',432,16,'win-proc'),(7797,'Issue',432,17,''),(7798,'Issue',432,7,''),(7799,'Issue',432,3,'Detects a command that clears or disables any ETW trace log which could indicate a logging evasion.'),(7800,'Issue',432,4,''),(7801,'Issue',432,5,'_False Positives_\nUnknown'),(7802,'Issue',432,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND (process.command_line.keyword:*\\ cl\\ *\\/Trace* OR process.command_line.keyword:*\\ clear\\-log\\ *\\/Trace* OR process.command_line.keyword:*\\ sl*\\ \\/e\\:false* OR process.command_line.keyword:*\\ set\\-log*\\ \\/e\\:false*))\nindex: so-*\nname: Disable of ETW Trace\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(7803,'Issue',432,9,'{{collapse(View Sigma)\n\n\ntitle: Disable of ETW Trace\nid: a238b5d0-ce2d-4414-a676-7a531b3d13d6\ndescription: Detects a command that clears or disables any ETW trace log which could\n indicate a logging evasion.\nstatus: experimental\nreferences:\n- https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil\n- https://github.com/Neo23x0/sigma/blob/master/rules/windows/process_creation/win_mal_lockergoga.yml\n- https://abuse.io/lockergoga.txt\nauthor: \'@neu5ron, Florian Roth\'\ndate: 2019/03/22\ntags:\n- attack.execution\n- attack.t1070\n- car.2016-04-002\nlevel: high\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_clear_1:\n CommandLine: \'* cl */Trace*\'\n selection_clear_2:\n CommandLine: \'* clear-log */Trace*\'\n selection_disable_1:\n CommandLine: \'* sl* /e:false*\'\n selection_disable_2:\n CommandLine: \'* set-log* /e:false*\'\n condition: selection_clear_1 or selection_clear_2 or selection_disable_1 or selection_disable_2\nfalsepositives:\n- Unknown\n\n
\n}}'),(7804,'Issue',432,15,'T1070'),(7805,'Issue',433,1,'Exfiltration and Tunneling Tools Execution'),(7806,'Issue',433,2,'Daniil Yugoslavskiy, oscd.community'),(7807,'Issue',433,8,'none'),(7808,'Issue',433,10,'medium'),(7809,'Issue',433,13,'community'),(7810,'Issue',433,14,'windows'),(7812,'Issue',433,11,'800c545f1'),(7813,'Issue',433,12,'c75309a3-59f8-4a8d-9c2c-4c927ad50555'),(7814,'Issue',433,16,'win-proc'),(7815,'Issue',433,17,''),(7816,'Issue',433,7,''),(7817,'Issue',433,3,'Execution of well known tools for data exfiltration and tunneling'),(7818,'Issue',433,4,''),(7819,'Issue',433,5,'_False Positives_\nLegitimate Administrator using tools'),(7820,'Issue',433,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event_data.NewProcessName.keyword:(*\\\\plink.exe OR *\\\\socat.exe OR *\\\\stunnel.exe OR *\\\\httptunnel.exe))\nindex: so-*\nname: Exfiltration and Tunneling Tools Execution\npriority: 3\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(7821,'Issue',433,9,'{{collapse(View Sigma)\n\n\ntitle: Exfiltration and Tunneling Tools Execution\nid: c75309a3-59f8-4a8d-9c2c-4c927ad50555\ndescription: Execution of well known tools for data exfiltration and tunneling\nstatus: experimental\nauthor: Daniil Yugoslavskiy, oscd.community\ndate: 2019/10/24\ntags:\n- attack.exfiltration\n- attack.t1020\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n NewProcessName|endswith:\n - \\plink.exe\n - \\socat.exe\n - \\stunnel.exe\n - \\httptunnel.exe\n condition: selection\nfalsepositives:\n- Legitimate Administrator using tools\nlevel: medium\n\n
\n}}'),(7822,'Issue',433,15,'T1020'),(7823,'Issue',434,1,'Exploit for CVE-2015-1641'),(7824,'Issue',434,2,'Florian Roth'),(7825,'Issue',434,8,'https://www.virustotal.com/en/file/5567408950b744c4e846ba8ae726883cb15268a539f3bb21758a466e47021ae8/analysis/\nhttps://www.hybrid-analysis.com/sample/5567408950b744c4e846ba8ae726883cb15268a539f3bb21758a466e47021ae8?environmentId=100'),(7826,'Issue',434,10,'critical'),(7827,'Issue',434,13,'community'),(7828,'Issue',434,14,'windows'),(7830,'Issue',434,11,'e2a1316d4'),(7831,'Issue',434,12,'7993792c-5ce2-4475-a3db-a3a5539827ef'),(7832,'Issue',434,16,'win-proc'),(7833,'Issue',434,17,''),(7834,'Issue',434,7,''),(7835,'Issue',434,3,'Detects Winword starting uncommon sub process MicroScMgmt.exe as used in exploits for CVE-2015-1641'),(7836,'Issue',434,4,''),(7837,'Issue',434,5,'_False Positives_\nUnknown'),(7838,'Issue',434,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.parent.executable.keyword:*\\\\WINWORD.EXE AND process.executable.keyword:*\\\\MicroScMgmt.exe\\ )\nindex: so-*\nname: Exploit for CVE-2015-1641\npriority: 1\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(7839,'Issue',434,9,'{{collapse(View Sigma)\n\n\ntitle: Exploit for CVE-2015-1641\nid: 7993792c-5ce2-4475-a3db-a3a5539827ef\nstatus: experimental\ndescription: Detects Winword starting uncommon sub process MicroScMgmt.exe as used\n in exploits for CVE-2015-1641\nreferences:\n- https://www.virustotal.com/en/file/5567408950b744c4e846ba8ae726883cb15268a539f3bb21758a466e47021ae8/analysis/\n- https://www.hybrid-analysis.com/sample/5567408950b744c4e846ba8ae726883cb15268a539f3bb21758a466e47021ae8?environmentId=100\nauthor: Florian Roth\ndate: 2018/02/22\ntags:\n- attack.defense_evasion\n- attack.t1036\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n ParentImage: \'*\\WINWORD.EXE\'\n Image: \'*\\MicroScMgmt.exe \'\n condition: selection\nfalsepositives:\n- Unknown\nlevel: critical\n\n
\n}}'),(7840,'Issue',434,15,'T1036'),(7841,'Issue',435,1,'Exploit for CVE-2017-0261'),(7842,'Issue',435,2,'Florian Roth'),(7843,'Issue',435,8,'https://www.fireeye.com/blog/threat-research/2017/05/eps-processing-zero-days.html'),(7844,'Issue',435,10,'medium'),(7845,'Issue',435,13,'community'),(7846,'Issue',435,14,'windows'),(7848,'Issue',435,11,'65dbae284'),(7849,'Issue',435,12,'864403a1-36c9-40a2-a982-4c9a45f7d833'),(7850,'Issue',435,16,'win-proc'),(7851,'Issue',435,17,''),(7852,'Issue',435,7,''),(7853,'Issue',435,3,'Detects Winword starting uncommon sub process FLTLDR.exe as used in exploits for CVE-2017-0261 and CVE-2017-0262'),(7854,'Issue',435,4,''),(7855,'Issue',435,5,'_False Positives_\nSeveral false positives identified, check for suspicious file names or locations (e.g. Temp folders)'),(7856,'Issue',435,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.parent.executable.keyword:*\\\\WINWORD.EXE AND process.executable.keyword:*\\\\FLTLDR.exe*)\nindex: so-*\nname: Exploit for CVE-2017-0261\npriority: 3\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(7857,'Issue',435,9,'{{collapse(View Sigma)\n\n\ntitle: Exploit for CVE-2017-0261\nid: 864403a1-36c9-40a2-a982-4c9a45f7d833\nstatus: experimental\ndescription: Detects Winword starting uncommon sub process FLTLDR.exe as used in exploits\n for CVE-2017-0261 and CVE-2017-0262\nreferences:\n- https://www.fireeye.com/blog/threat-research/2017/05/eps-processing-zero-days.html\nauthor: Florian Roth\ndate: 2018/02/22\ntags:\n- attack.defense_evasion\n- attack.privilege_escalation\n- attack.t1055\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n ParentImage: \'*\\WINWORD.EXE\'\n Image: \'*\\FLTLDR.exe*\'\n condition: selection\nfalsepositives:\n- Several false positives identified, check for suspicious file names or locations\n (e.g. Temp folders)\nlevel: medium\n\n
\n}}'),(7858,'Issue',435,15,'T1055'),(7859,'Issue',436,1,'Droppers Exploiting CVE-2017-11882'),(7860,'Issue',436,2,'Florian Roth'),(7861,'Issue',436,8,'https://www.hybrid-analysis.com/sample/2a4ae284c76f868fc51d3bb65da8caa6efacb707f265b25c30f34250b76b7507?environmentId=100\nhttps://www.google.com/url?hl=en&q=https://embedi.com/blog/skeleton-closet-ms-office-vulnerability-you-didnt-know-about&source=gmail&ust=1511481120837000&usg=AFQjCNGdL7gVwLXaNSl2Td8ylDYbSJFmPw'),(7862,'Issue',436,10,'critical'),(7863,'Issue',436,13,'community'),(7864,'Issue',436,14,'windows'),(7866,'Issue',436,11,'dcfdfd6d6'),(7867,'Issue',436,12,'678eb5f4-8597-4be6-8be7-905e4234b53a'),(7868,'Issue',436,16,'win-proc'),(7869,'Issue',436,17,''),(7870,'Issue',436,7,''),(7871,'Issue',436,3,'Detects exploits that use CVE-2017-11882 to start EQNEDT32.EXE and other sub processes like mshta.exe'),(7872,'Issue',436,4,''),(7873,'Issue',436,5,'_False Positives_\nunknown\n\n_Interesting Log Fields_\nCommandLine'),(7874,'Issue',436,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.parent.executable.keyword:*\\\\EQNEDT32.EXE)\nindex: so-*\nname: Droppers Exploiting CVE-2017-11882\npriority: 1\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(7875,'Issue',436,9,'{{collapse(View Sigma)\n\n\ntitle: Droppers Exploiting CVE-2017-11882\nid: 678eb5f4-8597-4be6-8be7-905e4234b53a\nstatus: experimental\ndescription: Detects exploits that use CVE-2017-11882 to start EQNEDT32.EXE and other\n sub processes like mshta.exe\nreferences:\n- https://www.hybrid-analysis.com/sample/2a4ae284c76f868fc51d3bb65da8caa6efacb707f265b25c30f34250b76b7507?environmentId=100\n- https://www.google.com/url?hl=en&q=https://embedi.com/blog/skeleton-closet-ms-office-vulnerability-you-didnt-know-about&source=gmail&ust=1511481120837000&usg=AFQjCNGdL7gVwLXaNSl2Td8ylDYbSJFmPw\nauthor: Florian Roth\ndate: 2017/11/23\ntags:\n- attack.defense_evasion\n- attack.t1211\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n ParentImage: \'*\\EQNEDT32.EXE\'\n condition: selection\nfields:\n- CommandLine\nfalsepositives:\n- unknown\nlevel: critical\n\n
\n}}'),(7876,'Issue',436,15,'T1211'),(7877,'Issue',437,1,'Exploit for CVE-2017-8759'),(7878,'Issue',437,2,'Florian Roth'),(7879,'Issue',437,8,'https://www.hybrid-analysis.com/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100\nhttps://www.reverse.it/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100'),(7880,'Issue',437,10,'critical'),(7881,'Issue',437,13,'community'),(7882,'Issue',437,14,'windows'),(7884,'Issue',437,11,'d2eddb460'),(7885,'Issue',437,12,'fdd84c68-a1f6-47c9-9477-920584f94905'),(7886,'Issue',437,16,'win-proc'),(7887,'Issue',437,17,''),(7888,'Issue',437,7,''),(7889,'Issue',437,3,'Detects Winword starting uncommon sub process csc.exe as used in exploits for CVE-2017-8759'),(7890,'Issue',437,4,''),(7891,'Issue',437,5,'_False Positives_\nUnknown'),(7892,'Issue',437,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.parent.executable.keyword:*\\\\WINWORD.EXE AND process.executable.keyword:*\\\\csc.exe)\nindex: so-*\nname: Exploit for CVE-2017-8759\npriority: 1\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(7893,'Issue',437,9,'{{collapse(View Sigma)\n\n\ntitle: Exploit for CVE-2017-8759\nid: fdd84c68-a1f6-47c9-9477-920584f94905\ndescription: Detects Winword starting uncommon sub process csc.exe as used in exploits\n for CVE-2017-8759\nreferences:\n- https://www.hybrid-analysis.com/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100\n- https://www.reverse.it/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100\ntags:\n- attack.execution\n- attack.t1203\nauthor: Florian Roth\ndate: 2017/09/15\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n ParentImage: \'*\\WINWORD.EXE\'\n Image: \'*\\csc.exe\'\n condition: selection\nfalsepositives:\n- Unknown\nlevel: critical\n\n
\n}}'),(7894,'Issue',437,15,'T1203'),(7895,'Issue',438,1,'Exploiting SetupComplete.cmd CVE-2019-1378'),(7896,'Issue',438,2,'Florian Roth'),(7897,'Issue',438,8,'https://www.embercybersecurity.com/blog/cve-2019-1378-exploiting-an-access-control-privilege-escalation-vulnerability-in-windows-10-update-assistant-wua'),(7898,'Issue',438,10,'high'),(7899,'Issue',438,13,'community'),(7900,'Issue',438,14,'windows'),(7902,'Issue',438,11,'b2c8941b7'),(7903,'Issue',438,12,'1c373b6d-76ce-4553-997d-8c1da9a6b5f5'),(7904,'Issue',438,16,'win-proc'),(7905,'Issue',438,17,''),(7906,'Issue',438,7,''),(7907,'Issue',438,3,'Detects exploitation attempt of privilege escalation vulnerability via SetupComplete.cmd and PartnerSetupComplete.cmd decribed in CVE-2019-1378'),(7908,'Issue',438,4,''),(7909,'Issue',438,5,'_False Positives_\nUnknown'),(7910,'Issue',438,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.parent.command_line.keyword:(*\\\\cmd.exe\\ \\/c\\ C\\:\\\\Windows\\\\Setup\\\\Scripts\\\\SetupComplete.cmd OR *\\\\cmd.exe\\ \\/c\\ C\\:\\\\Windows\\\\Setup\\\\Scripts\\\\PartnerSetupComplete.cmd) AND (NOT (process.executable.keyword:(C\\:\\\\Windows\\\\System32\\\\* OR C\\:\\\\Windows\\\\SysWOW64\\\\* OR C\\:\\\\Windows\\\\WinSxS\\\\* OR C\\:\\\\Windows\\\\Setup\\\\*))))\nindex: so-*\nname: Exploiting SetupComplete.cmd CVE-2019-1378\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(7911,'Issue',438,9,'{{collapse(View Sigma)\n\n\ntitle: Exploiting SetupComplete.cmd CVE-2019-1378\nid: 1c373b6d-76ce-4553-997d-8c1da9a6b5f5\nstatus: experimental\ndescription: Detects exploitation attempt of privilege escalation vulnerability via\n SetupComplete.cmd and PartnerSetupComplete.cmd decribed in CVE-2019-1378\nreferences:\n- https://www.embercybersecurity.com/blog/cve-2019-1378-exploiting-an-access-control-privilege-escalation-vulnerability-in-windows-10-update-assistant-wua\nauthor: Florian Roth\ndate: 2019/11/15\ntags:\n- attack.defense_evasion\n- attack.privilege_escalation\n- attack.t1055\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n ParentCommandLine:\n - \'*\\cmd.exe /c C:\\Windows\\Setup\\Scripts\\SetupComplete.cmd\'\n - \'*\\cmd.exe /c C:\\Windows\\Setup\\Scripts\\PartnerSetupComplete.cmd\'\n filter:\n Image:\n - C:\\Windows\\System32\\\\*\n - C:\\Windows\\SysWOW64\\\\*\n - C:\\Windows\\WinSxS\\\\*\n - C:\\Windows\\Setup\\\\*\n condition: selection and not filter\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(7912,'Issue',438,15,'T1055'),(7913,'Issue',439,1,'Exploiting CVE-2019-1388'),(7914,'Issue',439,2,'Florian Roth'),(7915,'Issue',439,8,'https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1388\nhttps://www.zerodayinitiative.com/blog/2019/11/19/thanksgiving-treat-easy-as-pie-windows-7-secure-desktop-escalation-of-privilege'),(7916,'Issue',439,10,'critical'),(7917,'Issue',439,13,'community'),(7918,'Issue',439,14,'windows'),(7920,'Issue',439,11,'c6eb81dae'),(7921,'Issue',439,12,'02e0b2ea-a597-428e-b04a-af6a1a403e5c'),(7922,'Issue',439,16,'win-proc'),(7923,'Issue',439,17,''),(7924,'Issue',439,7,''),(7925,'Issue',439,3,'Detects an explotation attempt in which the UAC consent dialogue is used to invoke an Internet Explorer process running as LOCAL_SYSTEM'),(7926,'Issue',439,4,''),(7927,'Issue',439,5,'_False Positives_\nUnknown'),(7928,'Issue',439,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.parent.executable.keyword:*\\\\consent.exe AND process.executable.keyword:*\\\\iexplore.exe AND process.command_line.keyword:*\\ http* AND (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND (IntegrityLevel:\"System\" OR event_data.User:\"NT\\ AUTHORITY\\\\SYSTEM\"))\nindex: so-*\nname: Exploiting CVE-2019-1388\npriority: 1\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(7929,'Issue',439,9,'{{collapse(View Sigma)\n\n\ntitle: Exploiting CVE-2019-1388\nid: 02e0b2ea-a597-428e-b04a-af6a1a403e5c\nstatus: experimental\ndescription: Detects an explotation attempt in which the UAC consent dialogue is used\n to invoke an Internet Explorer process running as LOCAL_SYSTEM\nreferences:\n- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1388\n- https://www.zerodayinitiative.com/blog/2019/11/19/thanksgiving-treat-easy-as-pie-windows-7-secure-desktop-escalation-of-privilege\nauthor: Florian Roth\ndate: 2019/11/20\ntags:\n- attack.privilege_escalation\n- attack.t1068\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n ParentImage: \'*\\consent.exe\'\n Image: \'*\\iexplore.exe\'\n CommandLine: \'* http*\'\n rights1:\n IntegrityLevel: System\n rights2:\n User: NT AUTHORITY\\SYSTEM\n condition: selection and ( rights1 or rights2 )\nfalsepositives:\n- Unknown\nlevel: critical\n\n
\n}}'),(7930,'Issue',439,15,'T1068'),(7931,'Issue',440,1,'Exploited CVE-2020-10189 Zoho ManageEngine'),(7932,'Issue',440,2,'Florian Roth'),(7933,'Issue',440,8,'https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-10189\nhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10189\nhttps://vulmon.com/exploitdetails?qidtp=exploitdb&qid=48224'),(7934,'Issue',440,10,'critical'),(7935,'Issue',440,13,'community'),(7936,'Issue',440,14,'windows'),(7938,'Issue',440,11,'06cab2646'),(7939,'Issue',440,12,'846b866e-2a57-46ee-8e16-85fa92759be7'),(7940,'Issue',440,16,'win-proc'),(7941,'Issue',440,17,''),(7942,'Issue',440,7,''),(7943,'Issue',440,3,'Detects the exploitation of Zoho ManageEngine Desktop Central Java Deserialization vulnerability reported as CVE-2020-10189'),(7944,'Issue',440,4,''),(7945,'Issue',440,5,'_False Positives_\nUnknown'),(7946,'Issue',440,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.parent.executable.keyword:*DesktopCentral_Server\\\\jre\\\\bin\\\\java.exe AND process.executable.keyword:(*\\\\cmd.exe OR *\\\\powershell.exe OR *\\\\bitsadmin.exe))\nindex: so-*\nname: Exploited CVE-2020-10189 Zoho ManageEngine\npriority: 1\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(7947,'Issue',440,9,'{{collapse(View Sigma)\n\n\ntitle: Exploited CVE-2020-10189 Zoho ManageEngine\nid: 846b866e-2a57-46ee-8e16-85fa92759be7\nstatus: experimental\ndescription: Detects the exploitation of Zoho ManageEngine Desktop Central Java Deserialization\n vulnerability reported as CVE-2020-10189\nreferences:\n- https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html\n- https://nvd.nist.gov/vuln/detail/CVE-2020-10189\n- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10189\n- https://vulmon.com/exploitdetails?qidtp=exploitdb&qid=48224\nauthor: Florian Roth\ndate: 2020/03/25\ntags:\n- attack.initial_access\n- attack.t1190\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n ParentImage|endswith: DesktopCentral_Server\\jre\\bin\\java.exe\n Image|endswith:\n - \'*\\cmd.exe\'\n - \'*\\powershell.exe\'\n - \'*\\bitsadmin.exe\'\n condition: selection\nfalsepositives:\n- Unknown\nlevel: critical\n\n
\n}}'),(7948,'Issue',440,15,'T1190'),(7949,'Issue',441,1,'File or Folder Permissions Modifications'),(7950,'Issue',441,2,'Jakob Weinzettl, oscd.community'),(7951,'Issue',441,8,'https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222/T1222.yaml'),(7952,'Issue',441,10,'medium'),(7953,'Issue',441,13,'community'),(7954,'Issue',441,14,'windows'),(7956,'Issue',441,11,'1c2d67989'),(7957,'Issue',441,12,'37ae075c-271b-459b-8d7b-55ad5f993dd8'),(7958,'Issue',441,16,'win-proc'),(7959,'Issue',441,17,''),(7960,'Issue',441,7,''),(7961,'Issue',441,3,'Detects a file or folder permissions modifications'),(7962,'Issue',441,4,''),(7963,'Issue',441,5,'_False Positives_\nUsers interacting with the files on their own (unlikely unless power users)\n\n_Interesting Log Fields_\nComputerName\nUser\nCommandLine'),(7964,'Issue',441,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND ((process.executable.keyword:(*\\\\takeown.exe OR *\\\\cacls.exe OR *\\\\icacls.exe) AND process.command_line.keyword:*\\/grant*) OR (process.executable.keyword:*\\\\attrib.exe AND process.command_line.keyword:*\\-r*)))\nindex: so-*\nname: File or Folder Permissions Modifications\npriority: 3\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(7965,'Issue',441,9,'{{collapse(View Sigma)\n\n\ntitle: File or Folder Permissions Modifications\nid: 37ae075c-271b-459b-8d7b-55ad5f993dd8\nstatus: experimental\ndescription: Detects a file or folder permissions modifications\nreferences:\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222/T1222.yaml\nauthor: Jakob Weinzettl, oscd.community\ndate: 2019/10/23\nmodified: 2019/11/08\ntags:\n- attack.defense_evasion\n- attack.t1222\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n - Image|endswith:\n - \\takeown.exe\n - \\cacls.exe\n - \\icacls.exe\n CommandLine|contains: /grant\n - Image|endswith: \\attrib.exe\n CommandLine|contains: -r\n condition: selection\nfields:\n- ComputerName\n- User\n- CommandLine\nfalsepositives:\n- Users interacting with the files on their own (unlikely unless power users)\nlevel: medium\n\n
\n}}'),(7966,'Issue',441,15,'T1222'),(7967,'Issue',442,1,'Grabbing Sensitive Hives via Reg Utility'),(7968,'Issue',442,2,'Teymur Kheirkhabarov, Endgame, JHasenbusch, Daniil Yugoslavskiy, oscd.community'),(7969,'Issue',442,8,'https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment\nhttps://eqllib.readthedocs.io/en/latest/analytics/aed95fc6-5e3f-49dc-8b35-06508613f979.html\nhttps://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003/T1003.md'),(7970,'Issue',442,10,'medium'),(7971,'Issue',442,13,'community'),(7972,'Issue',442,14,'windows'),(7974,'Issue',442,11,'310cc8a8a'),(7975,'Issue',442,12,'fd877b94-9bb5-4191-bb25-d79cbd93c167'),(7976,'Issue',442,16,'win-proc'),(7977,'Issue',442,17,''),(7978,'Issue',442,7,''),(7979,'Issue',442,3,'Dump sam, system or security hives using REG.exe utility'),(7980,'Issue',442,4,''),(7981,'Issue',442,5,'_False Positives_\nDumping hives for legitimate purpouse i.e. backup or forensic investigation'),(7982,'Issue',442,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event_data.NewProcessName.keyword:*\\\\reg.exe AND process.command_line.keyword:(*save* OR *export*) AND process.command_line.keyword:(*hklm* OR *hkey_local_machine*) AND process.command_line.keyword:(*\\\\system OR *\\\\sam OR *\\\\security))\nindex: so-*\nname: Grabbing Sensitive Hives via Reg Utility\npriority: 3\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(7983,'Issue',442,9,'{{collapse(View Sigma)\n\n\ntitle: Grabbing Sensitive Hives via Reg Utility\nid: fd877b94-9bb5-4191-bb25-d79cbd93c167\ndescription: Dump sam, system or security hives using REG.exe utility\nauthor: Teymur Kheirkhabarov, Endgame, JHasenbusch, Daniil Yugoslavskiy, oscd.community\ndate: 2019/10/22\nreferences:\n- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment\n- https://eqllib.readthedocs.io/en/latest/analytics/aed95fc6-5e3f-49dc-8b35-06508613f979.html\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003/T1003.md\ntags:\n- attack.credential_access\n- attack.t1003\n- car.2013-07-001\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_1:\n NewProcessName: \'*\\reg.exe\'\n CommandLine|contains:\n - save\n - export\n selection_2:\n CommandLine|contains:\n - hklm\n - hkey_local_machine\n selection_3:\n CommandLine|endswith:\n - \\system\n - \\sam\n - \\security\n condition: selection_1 and selection_2 and selection_3\nfalsepositives:\n- Dumping hives for legitimate purpouse i.e. backup or forensic investigation\nlevel: medium\nstatus: experimental\n\n
\n}}'),(7984,'Issue',442,15,'T1003'),(7985,'Issue',443,1,'Bloodhound and Sharphound Hack Tool'),(7986,'Issue',443,2,'Florian Roth'),(7987,'Issue',443,8,'https://github.com/BloodHoundAD/BloodHound\nhttps://github.com/BloodHoundAD/SharpHound'),(7988,'Issue',443,10,'high'),(7989,'Issue',443,13,'community'),(7990,'Issue',443,14,'windows'),(7992,'Issue',443,11,'6b42c6f56'),(7993,'Issue',443,12,'f376c8a7-a2d0-4ddc-aa0c-16c17236d962'),(7994,'Issue',443,16,'win-proc'),(7995,'Issue',443,17,''),(7996,'Issue',443,7,''),(7997,'Issue',443,3,'Detects command line parameters used by Bloodhound and Sharphound hack tools'),(7998,'Issue',443,4,''),(7999,'Issue',443,5,'_False Positives_\nOther programs that use these command line option and accepts an \'All\' parameter'),(8000,'Issue',443,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND (process.executable.keyword:(*\\\\Bloodhound.exe* OR *\\\\SharpHound.exe*) OR process.command_line.keyword:(*\\ \\-CollectionMethod\\ All\\ * OR *.exe\\ \\-c\\ All\\ \\-d\\ * OR *Invoke\\-Bloodhound* OR *Get\\-BloodHoundData*) OR (process.command_line.keyword:*\\ \\-JsonFolder\\ * AND process.command_line.keyword:*\\ \\-ZipFileName\\ *) OR (process.command_line.keyword:*\\ DCOnly\\ * AND process.command_line.keyword:*\\ \\-\\-NoSaveCache\\ *)))\nindex: so-*\nname: Bloodhound and Sharphound Hack Tool\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(8001,'Issue',443,9,'{{collapse(View Sigma)\n\n\ntitle: Bloodhound and Sharphound Hack Tool\nid: f376c8a7-a2d0-4ddc-aa0c-16c17236d962\ndescription: Detects command line parameters used by Bloodhound and Sharphound hack\n tools\nauthor: Florian Roth\nreferences:\n- https://github.com/BloodHoundAD/BloodHound\n- https://github.com/BloodHoundAD/SharpHound\ndate: 2019/12/20\nmodified: 2019/12/21\ntags:\n- attack.discovery\n- attack.t1087\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection1:\n Image|contains:\n - \\Bloodhound.exe\n - \\SharpHound.exe\n selection2:\n CommandLine|contains:\n - \' -CollectionMethod All \'\n - \'.exe -c All -d \'\n - Invoke-Bloodhound\n - Get-BloodHoundData\n selection3:\n CommandLine|contains|all:\n - \' -JsonFolder \'\n - \' -ZipFileName \'\n selection4:\n CommandLine|contains|all:\n - \' DCOnly \'\n - \' --NoSaveCache \'\n condition: 1 of them\nfalsepositives:\n- Other programs that use these command line option and accepts an \'All\' parameter\nlevel: high\n\n
\n}}'),(8002,'Issue',443,15,'T1087'),(8003,'Issue',444,1,'Koadic Execution'),(8004,'Issue',444,2,'wagga'),(8005,'Issue',444,8,'https://unit42.paloaltonetworks.com/unit42-sofacy-groups-parallel-attacks/\nhttps://github.com/zerosum0x0/koadic/blob/master/data/stager/js/stdlib.js#L955\nhttps://blog.f-secure.com/hunting-for-koadic-a-com-based-rootkit/'),(8006,'Issue',444,10,'high'),(8007,'Issue',444,13,'community'),(8008,'Issue',444,14,'windows'),(8010,'Issue',444,11,'fa9937192'),(8011,'Issue',444,12,'5cddf373-ef00-4112-ad72-960ac29bac34'),(8012,'Issue',444,16,'win-proc'),(8013,'Issue',444,17,''),(8014,'Issue',444,7,''),(8015,'Issue',444,3,'Detects command line parameters used by Koadic hack tool'),(8016,'Issue',444,4,''),(8017,'Issue',444,5,'_False Positives_\nPentest\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(8018,'Issue',444,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(*cmd.exe*\\ \\/q\\ \\/c\\ chcp\\ *))\nindex: so-*\nname: Koadic Execution\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(8019,'Issue',444,9,'{{collapse(View Sigma)\n\n\ntitle: Koadic Execution\nid: 5cddf373-ef00-4112-ad72-960ac29bac34\nstatus: experimental\ndescription: Detects command line parameters used by Koadic hack tool\nreferences:\n- https://unit42.paloaltonetworks.com/unit42-sofacy-groups-parallel-attacks/\n- https://github.com/zerosum0x0/koadic/blob/master/data/stager/js/stdlib.js#L955\n- https://blog.f-secure.com/hunting-for-koadic-a-com-based-rootkit/\ntags:\n- attack.execution\n- attack.t1170\ndate: 2020/01/12\nauthor: wagga\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection1:\n CommandLine:\n - \'*cmd.exe* /q /c chcp *\'\n condition: selection1\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Pentest\nlevel: high\n\n
\n}}'),(8020,'Issue',444,15,'T1170'),(8021,'Issue',445,1,'Rubeus Hack Tool'),(8022,'Issue',445,2,'Florian Roth'),(8023,'Issue',445,8,'https://www.harmj0y.net/blog/redteaming/from-kekeo-to-rubeus/'),(8024,'Issue',445,10,'critical'),(8025,'Issue',445,13,'community'),(8026,'Issue',445,14,'windows'),(8028,'Issue',445,11,'ad40ec27e'),(8029,'Issue',445,12,'7ec2c172-dceb-4c10-92c9-87c1881b7e18'),(8030,'Issue',445,16,'win-proc'),(8031,'Issue',445,17,''),(8032,'Issue',445,7,''),(8033,'Issue',445,3,'Detects command line parameters used by Rubeus hack tool'),(8034,'Issue',445,4,''),(8035,'Issue',445,5,'_False Positives_\nunlikely'),(8036,'Issue',445,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(*\\ asreproast\\ * OR *\\ dump\\ \\/service\\:krbtgt\\ * OR *\\ kerberoast\\ * OR *\\ createnetonly\\ \\/program\\:* OR *\\ ptt\\ \\/ticket\\:* OR *\\ \\/impersonateuser\\:* OR *\\ renew\\ \\/ticket\\:* OR *\\ asktgt\\ \\/user\\:* OR *\\ harvest\\ \\/interval\\:*))\nindex: so-*\nname: Rubeus Hack Tool\npriority: 1\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(8037,'Issue',445,9,'{{collapse(View Sigma)\n\n\ntitle: Rubeus Hack Tool\nid: 7ec2c172-dceb-4c10-92c9-87c1881b7e18\ndescription: Detects command line parameters used by Rubeus hack tool\nauthor: Florian Roth\nreferences:\n- https://www.harmj0y.net/blog/redteaming/from-kekeo-to-rubeus/\ndate: 2018/12/19\ntags:\n- attack.credential_access\n- attack.t1003\n- attack.s0005\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n CommandLine:\n - \'* asreproast *\'\n - \'* dump /service:krbtgt *\'\n - \'* kerberoast *\'\n - \'* createnetonly /program:*\'\n - \'* ptt /ticket:*\'\n - \'* /impersonateuser:*\'\n - \'* renew /ticket:*\'\n - \'* asktgt /user:*\'\n - \'* harvest /interval:*\'\n condition: selection\nfalsepositives:\n- unlikely\nlevel: critical\n\n
\n}}'),(8038,'Issue',445,15,'T1003'),(8039,'Issue',446,1,'SecurityXploded Tool'),(8040,'Issue',446,2,'Florian Roth'),(8041,'Issue',446,8,'https://securityxploded.com/\nhttps://cyberx-labs.com/blog/gangnam-industrial-style-apt-campaign-targets-korean-industrial-companies/'),(8042,'Issue',446,10,'critical'),(8043,'Issue',446,13,'community'),(8044,'Issue',446,14,'windows'),(8046,'Issue',446,11,'21368bb4b'),(8047,'Issue',446,12,'7679d464-4f74-45e2-9e01-ac66c5eb041a'),(8048,'Issue',446,16,'win-proc'),(8049,'Issue',446,17,''),(8050,'Issue',446,7,''),(8051,'Issue',446,3,'Detects the execution of SecurityXploded Tools'),(8052,'Issue',446,4,''),(8053,'Issue',446,5,'_False Positives_\nunlikely'),(8054,'Issue',446,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND (event_data.Company:\"SecurityXploded\" OR process.executable.keyword:*PasswordDump.exe OR OriginalFilename.keyword:*PasswordDump.exe))\nindex: so-*\nname: SecurityXploded Tool\npriority: 1\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(8055,'Issue',446,9,'{{collapse(View Sigma)\n\n\ntitle: SecurityXploded Tool\nid: 7679d464-4f74-45e2-9e01-ac66c5eb041a\ndescription: Detects the execution of SecurityXploded Tools\nauthor: Florian Roth\nreferences:\n- https://securityxploded.com/\n- https://cyberx-labs.com/blog/gangnam-industrial-style-apt-campaign-targets-korean-industrial-companies/\ndate: 2018/12/19\ntags:\n- attack.credential_access\n- attack.t1003\n- attack.s0005\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection1:\n Company: SecurityXploded\n selection2:\n Image|endswith: PasswordDump.exe\n selection3:\n OriginalFilename|endswith: PasswordDump.exe\n condition: 1 of them\nfalsepositives:\n- unlikely\nlevel: critical\n\n
\n}}'),(8056,'Issue',446,15,'T1003'),(8057,'Issue',447,1,'HH.exe Execution'),(8058,'Issue',447,2,'E.M. Anhaus (orignally from Atomic Blue Detections, Dan Beavin), oscd.community'),(8059,'Issue',447,8,'https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1223/T1223.yaml\nhttps://eqllib.readthedocs.io/en/latest/analytics/b25aa548-7937-11e9-8f5c-d46d6d62a49e.html'),(8060,'Issue',447,10,'high'),(8061,'Issue',447,13,'community'),(8062,'Issue',447,14,'windows'),(8064,'Issue',447,11,'0cb0c3bd8'),(8065,'Issue',447,12,'68c8acb4-1b60-4890-8e82-3ddf7a6dba84'),(8066,'Issue',447,16,'win-proc'),(8067,'Issue',447,17,''),(8068,'Issue',447,7,''),(8069,'Issue',447,3,'Identifies usage of hh.exe executing recently modified .chm files.'),(8070,'Issue',447,4,''),(8071,'Issue',447,5,'_False Positives_\nunlike\n\n_Interesting Log Fields_\nComputerName\nUser\nCommandLine'),(8072,'Issue',447,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\hh.exe AND process.command_line.keyword:*.chm*)\nindex: so-*\nname: HH.exe Execution\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(8073,'Issue',447,9,'{{collapse(View Sigma)\n\n\ntitle: HH.exe Execution\nid: 68c8acb4-1b60-4890-8e82-3ddf7a6dba84\ndescription: Identifies usage of hh.exe executing recently modified .chm files.\nstatus: experimental\nauthor: E.M. Anhaus (orignally from Atomic Blue Detections, Dan Beavin), oscd.community\nreferences:\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1223/T1223.yaml\n- https://eqllib.readthedocs.io/en/latest/analytics/b25aa548-7937-11e9-8f5c-d46d6d62a49e.html\ndate: 2019/10/24\nmodified: 2019/11/11\ntags:\n- attack.defense_evasion\n- attack.execution\n- attack.t1223\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n Image|endswith: \\hh.exe\n CommandLine|contains: .chm\n condition: selection\nfields:\n- ComputerName\n- User\n- CommandLine\nfalsepositives:\n- unlike\nlevel: high\n\n
\n}}'),(8074,'Issue',447,15,'T1223'),(8075,'Issue',448,1,'HTML Help Shell Spawn'),(8076,'Issue',448,2,'Maxim Pavlunin'),(8077,'Issue',448,8,'https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/chm-badness-delivers-a-banking-trojan/'),(8078,'Issue',448,10,'high'),(8079,'Issue',448,13,'community'),(8080,'Issue',448,14,'windows'),(8082,'Issue',448,11,'6ba3a1ad3'),(8083,'Issue',448,12,'52cad028-0ff0-4854-8f67-d25dfcbc78b4'),(8084,'Issue',448,16,'win-proc'),(8085,'Issue',448,17,''),(8086,'Issue',448,7,''),(8087,'Issue',448,3,'Detects a suspicious child process of a Microsoft HTML Help system when executing compiled HTML files (.chm)'),(8088,'Issue',448,4,''),(8089,'Issue',448,5,'_False Positives_\nunknown\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(8090,'Issue',448,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.parent.executable:\"C\\:\\\\Windows\\\\hh.exe\" AND process.executable.keyword:(*\\\\cmd.exe OR *\\\\powershell.exe OR *\\\\wscript.exe OR *\\\\cscript.exe OR *\\\\regsvr32.exe OR *\\\\wmic.exe OR *\\\\rundll32.exe))\nindex: so-*\nname: HTML Help Shell Spawn\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(8091,'Issue',448,9,'{{collapse(View Sigma)\n\n\ntitle: HTML Help Shell Spawn\nid: 52cad028-0ff0-4854-8f67-d25dfcbc78b4\nstatus: experimental\ndescription: Detects a suspicious child process of a Microsoft HTML Help system when\n executing compiled HTML files (.chm)\nreferences:\n- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/chm-badness-delivers-a-banking-trojan/\nauthor: Maxim Pavlunin\ndate: 2020/04/01\nmodified: 2020/04/03\ntags:\n- attack.execution\n- attack.defense_evasion\n- attack.t1223\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n ParentImage: C:\\Windows\\hh.exe\n Image|endswith:\n - \\cmd.exe\n - \\powershell.exe\n - \\wscript.exe\n - \\cscript.exe\n - \\regsvr32.exe\n - \\wmic.exe\n - \\rundll32.exe\n condition: selection\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- unknown\nlevel: high\n\n
\n}}'),(8092,'Issue',448,15,'T1223'),(8093,'Issue',449,1,'Suspicious HWP Sub Processes'),(8094,'Issue',449,2,'Florian Roth'),(8095,'Issue',449,8,'https://www.securitynewspaper.com/2016/11/23/technical-teardown-exploit-malware-hwp-files/\nhttps://www.hybrid-analysis.com/search?query=context:74940dcc5b38f9f9b1a0fea760d344735d7d91b610e6d5bd34533dd0153402c5&from_sample=5db135000388385a7644131f&block_redirect=1\nhttps://twitter.com/cyberwar_15/status/1187287262054076416\nhttps://blog.alyac.co.kr/1901\nhttps://en.wikipedia.org/wiki/Hangul_(word_processor)'),(8096,'Issue',449,10,'high'),(8097,'Issue',449,13,'community'),(8098,'Issue',449,14,'windows'),(8100,'Issue',449,11,'45f9c4d54'),(8101,'Issue',449,12,'023394c4-29d5-46ab-92b8-6a534c6f447b'),(8102,'Issue',449,16,'win-proc'),(8103,'Issue',449,17,''),(8104,'Issue',449,7,''),(8105,'Issue',449,3,'Detects suspicious Hangul Word Processor (Hanword) sub processes that could indicate an exploitation'),(8106,'Issue',449,4,''),(8107,'Issue',449,5,'_False Positives_\nUnknown'),(8108,'Issue',449,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.parent.executable.keyword:*\\\\Hwp.exe AND process.executable.keyword:*\\\\gbb.exe)\nindex: so-*\nname: Suspicious HWP Sub Processes\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(8109,'Issue',449,9,'{{collapse(View Sigma)\n\n\ntitle: Suspicious HWP Sub Processes\nid: 023394c4-29d5-46ab-92b8-6a534c6f447b\ndescription: Detects suspicious Hangul Word Processor (Hanword) sub processes that\n could indicate an exploitation\nstatus: experimental\nreferences:\n- https://www.securitynewspaper.com/2016/11/23/technical-teardown-exploit-malware-hwp-files/\n- https://www.hybrid-analysis.com/search?query=context:74940dcc5b38f9f9b1a0fea760d344735d7d91b610e6d5bd34533dd0153402c5&from_sample=5db135000388385a7644131f&block_redirect=1\n- https://twitter.com/cyberwar_15/status/1187287262054076416\n- https://blog.alyac.co.kr/1901\n- https://en.wikipedia.org/wiki/Hangul_(word_processor)\ntags:\n- attack.execution\n- attack.defense_evasion\n- attack.initial_access\n- attack.t1059\n- attack.t1202\n- attack.t1193\n- attack.g0032\nauthor: Florian Roth\ndate: 2019/10/24\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n ParentImage: \'*\\Hwp.exe\'\n Image: \'*\\gbb.exe\'\n condition: selection\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(8110,'Issue',449,15,'T1059'),(8111,'Issue',449,15,'T1202'),(8112,'Issue',449,15,'T1193'),(8113,'Issue',450,1,'Impacket Lateralization Detection'),(8114,'Issue',450,2,'Ecco'),(8115,'Issue',450,8,'https://github.com/SecureAuthCorp/impacket/blob/master/examples/wmiexec.py\nhttps://github.com/SecureAuthCorp/impacket/blob/master/examples/atexec.py\nhttps://github.com/SecureAuthCorp/impacket/blob/master/examples/smbexec.py\nhttps://github.com/SecureAuthCorp/impacket/blob/master/examples/dcomexec.py'),(8116,'Issue',450,10,'critical'),(8117,'Issue',450,13,'community'),(8118,'Issue',450,14,'windows'),(8120,'Issue',450,11,'bfb0c817e'),(8121,'Issue',450,12,'10c14723-61c7-4c75-92ca-9af245723ad2'),(8122,'Issue',450,16,'win-proc'),(8123,'Issue',450,17,''),(8124,'Issue',450,7,''),(8125,'Issue',450,3,'Detects wmiexec/dcomexec/atexec/smbexec from Impacket framework'),(8126,'Issue',450,4,''),(8127,'Issue',450,5,'_False Positives_\npentesters\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(8128,'Issue',450,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND ((process.parent.executable.keyword:(*\\\\wmiprvse.exe OR *\\\\mmc.exe OR *\\\\explorer.exe OR *\\\\services.exe) AND process.command_line.keyword:(*cmd.exe*\\ \\/Q\\ \\/c\\ *\\ \\\\\\\\127.0.0.1\\\\*&1*)) OR (process.parent.command_line.keyword:(*svchost.exe\\ \\-k\\ netsvcs OR taskeng.exe*) AND process.command_line.keyword:(cmd.exe\\ \\/C\\ *Windows\\\\Temp\\\\*&1))))\nindex: so-*\nname: Impacket Lateralization Detection\npriority: 1\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(8129,'Issue',450,9,'{{collapse(View Sigma)\n\n\ntitle: Impacket Lateralization Detection\nid: 10c14723-61c7-4c75-92ca-9af245723ad2\nstatus: experimental\ndescription: Detects wmiexec/dcomexec/atexec/smbexec from Impacket framework\nreferences:\n- https://github.com/SecureAuthCorp/impacket/blob/master/examples/wmiexec.py\n- https://github.com/SecureAuthCorp/impacket/blob/master/examples/atexec.py\n- https://github.com/SecureAuthCorp/impacket/blob/master/examples/smbexec.py\n- https://github.com/SecureAuthCorp/impacket/blob/master/examples/dcomexec.py\nauthor: Ecco\ndate: 2019/09/03\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_other:\n ParentImage:\n - \'*\\wmiprvse.exe\'\n - \'*\\mmc.exe\'\n - \'*\\explorer.exe\'\n - \'*\\services.exe\'\n CommandLine:\n - \'*cmd.exe* /Q /c * \\\\\\\\127.0.0.1\\\\*&1*\'\n selection_atexec:\n ParentCommandLine:\n - \'*svchost.exe -k netsvcs\'\n - taskeng.exe*\n CommandLine:\n - cmd.exe /C *Windows\\\\Temp\\\\*&1\n condition: (1 of selection_*)\nfields:\n- CommandLine\n- ParentCommandLine\ntags:\n- attack.lateral_movement\n- attack.t1047\n- attack.t1175\nfalsepositives:\n- pentesters\nlevel: critical\n\n
\n}}'),(8130,'Issue',450,15,'T1047'),(8131,'Issue',450,15,'T1175'),(8132,'Issue',451,1,'Indirect Command Execution'),(8133,'Issue',451,2,'E.M. Anhaus (orignally from Atomic Blue Detections, Endgame), oscd.community'),(8134,'Issue',451,8,'https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1202/T1202.yaml\nhttps://eqllib.readthedocs.io/en/latest/analytics/884a7ccd-7305-4130-82d0-d4f90bc118b6.html'),(8135,'Issue',451,10,'low'),(8136,'Issue',451,13,'community'),(8137,'Issue',451,14,'windows'),(8139,'Issue',451,11,'4448f85f5'),(8140,'Issue',451,12,'fa47597e-90e9-41cd-ab72-c3b74cfb0d02'),(8141,'Issue',451,16,'win-proc'),(8142,'Issue',451,17,''),(8143,'Issue',451,7,''),(8144,'Issue',451,3,'Detect indirect command execution via Program Compatibility Assistant pcalua.exe or forfiles.exe'),(8145,'Issue',451,4,''),(8146,'Issue',451,5,'_False Positives_\nNeed to use extra processing with \'unique_count\' / \'filter\' to focus on outliers as opposed to commonly seen artifacts\nLegit usage of scripts\n\n_Interesting Log Fields_\nComputerName\nUser\nParentCommandLine\nCommandLine'),(8147,'Issue',451,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.parent.executable.keyword:(*\\\\pcalua.exe OR *\\\\forfiles.exe))\nindex: so-*\nname: Indirect Command Execution\npriority: 4\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(8148,'Issue',451,9,'{{collapse(View Sigma)\n\n\ntitle: Indirect Command Execution\nid: fa47597e-90e9-41cd-ab72-c3b74cfb0d02\ndescription: Detect indirect command execution via Program Compatibility Assistant\n pcalua.exe or forfiles.exe\nstatus: experimental\nauthor: E.M. Anhaus (orignally from Atomic Blue Detections, Endgame), oscd.community\nreferences:\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1202/T1202.yaml\n- https://eqllib.readthedocs.io/en/latest/analytics/884a7ccd-7305-4130-82d0-d4f90bc118b6.html\ndate: 2019/10/24\nmodified: 2019/11/11\ntags:\n- attack.defense_evasion\n- attack.t1202\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n ParentImage|endswith:\n - \\pcalua.exe\n - \\forfiles.exe\n condition: selection\nfields:\n- ComputerName\n- User\n- ParentCommandLine\n- CommandLine\nfalsepositives:\n- Need to use extra processing with \'unique_count\' / \'filter\' to focus on outliers\n as opposed to commonly seen artifacts\n- Legit usage of scripts\nlevel: low\n\n
\n}}'),(8149,'Issue',451,15,'T1202'),(8150,'Issue',452,1,'Suspicious Debugger Registration Cmdline'),(8151,'Issue',452,2,'Florian Roth'),(8152,'Issue',452,8,'https://blogs.technet.microsoft.com/jonathantrull/2016/10/03/detecting-sticky-key-backdoors/'),(8153,'Issue',452,10,'high'),(8154,'Issue',452,13,'community'),(8155,'Issue',452,14,'windows'),(8157,'Issue',452,11,'8447d556d'),(8158,'Issue',452,12,'ae215552-081e-44c7-805f-be16f975c8a2'),(8159,'Issue',452,16,'win-proc'),(8160,'Issue',452,17,''),(8161,'Issue',452,7,''),(8162,'Issue',452,3,'Detects the registration of a debugger for a program that is available in the logon screen (sticky key backdoor).'),(8163,'Issue',452,4,''),(8164,'Issue',452,5,'_False Positives_\nPenetration Tests'),(8165,'Issue',452,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(*\\\\CurrentVersion\\\\Image\\ File\\ Execution\\ Options\\\\sethc.exe* OR *\\\\CurrentVersion\\\\Image\\ File\\ Execution\\ Options\\\\utilman.exe* OR *\\\\CurrentVersion\\\\Image\\ File\\ Execution\\ Options\\\\osk.exe* OR *\\\\CurrentVersion\\\\Image\\ File\\ Execution\\ Options\\\\magnify.exe* OR *\\\\CurrentVersion\\\\Image\\ File\\ Execution\\ Options\\\\narrator.exe* OR *\\\\CurrentVersion\\\\Image\\ File\\ Execution\\ Options\\\\displayswitch.exe* OR *\\\\CurrentVersion\\\\Image\\ File\\ Execution\\ Options\\\\atbroker.exe*))\nindex: so-*\nname: Suspicious Debugger Registration Cmdline\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(8166,'Issue',452,9,'{{collapse(View Sigma)\n\n\ntitle: Suspicious Debugger Registration Cmdline\nid: ae215552-081e-44c7-805f-be16f975c8a2\nstatus: experimental\ndescription: Detects the registration of a debugger for a program that is available\n in the logon screen (sticky key backdoor).\nreferences:\n- https://blogs.technet.microsoft.com/jonathantrull/2016/10/03/detecting-sticky-key-backdoors/\ntags:\n- attack.persistence\n- attack.privilege_escalation\n- attack.t1015\nauthor: Florian Roth\ndate: 2019/09/06\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n CommandLine:\n - \'*\\CurrentVersion\\Image File Execution Options\\sethc.exe*\'\n - \'*\\CurrentVersion\\Image File Execution Options\\utilman.exe*\'\n - \'*\\CurrentVersion\\Image File Execution Options\\osk.exe*\'\n - \'*\\CurrentVersion\\Image File Execution Options\\magnify.exe*\'\n - \'*\\CurrentVersion\\Image File Execution Options\\narrator.exe*\'\n - \'*\\CurrentVersion\\Image File Execution Options\\displayswitch.exe*\'\n - \'*\\CurrentVersion\\Image File Execution Options\\atbroker.exe*\'\n condition: selection\nfalsepositives:\n- Penetration Tests\nlevel: high\n\n
\n}}'),(8167,'Issue',452,15,'T1015'),(8168,'Issue',453,1,'Interactive AT Job'),(8169,'Issue',453,2,'E.M. Anhaus (orignally from Atomic Blue Detections, Endgame), oscd.community'),(8170,'Issue',453,8,'https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053/T1053.yaml\nhttps://eqllib.readthedocs.io/en/latest/analytics/d8db43cf-ed52-4f5c-9fb3-c9a4b95a0b56.html'),(8171,'Issue',453,10,'high'),(8172,'Issue',453,13,'community'),(8173,'Issue',453,14,'windows'),(8175,'Issue',453,11,'deff452c1'),(8176,'Issue',453,12,'60fc936d-2eb0-4543-8a13-911c750a1dfc'),(8177,'Issue',453,16,'win-proc'),(8178,'Issue',453,17,''),(8179,'Issue',453,7,''),(8180,'Issue',453,3,'Detect an interactive AT job, which may be used as a form of privilege escalation'),(8181,'Issue',453,4,''),(8182,'Issue',453,5,'_False Positives_\nUnlikely (at.exe deprecated as of Windows 8)\n\n_Interesting Log Fields_\nComputerName\nUser\nCommandLine'),(8183,'Issue',453,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\at.exe AND process.command_line.keyword:*interactive*)\nindex: so-*\nname: Interactive AT Job\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(8184,'Issue',453,9,'{{collapse(View Sigma)\n\n\ntitle: Interactive AT Job\nid: 60fc936d-2eb0-4543-8a13-911c750a1dfc\ndescription: Detect an interactive AT job, which may be used as a form of privilege\n escalation\nstatus: experimental\nauthor: E.M. Anhaus (orignally from Atomic Blue Detections, Endgame), oscd.community\nreferences:\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053/T1053.yaml\n- https://eqllib.readthedocs.io/en/latest/analytics/d8db43cf-ed52-4f5c-9fb3-c9a4b95a0b56.html\ndate: 2019/10/24\nmodified: 2019/11/11\ntags:\n- attack.privilege_escalation\n- attack.t1053\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n Image|endswith: \\at.exe\n CommandLine|contains: interactive\n condition: selection\nfields:\n- ComputerName\n- User\n- CommandLine\nfalsepositives:\n- Unlikely (at.exe deprecated as of Windows 8)\nlevel: high\n\n
\n}}'),(8185,'Issue',453,15,'T1053'),(8186,'Issue',454,1,'Invoke-Obfuscation Obfuscated IEX Invocation'),(8187,'Issue',454,2,'Daniel Bohannon (@Mandiant/@FireEye), oscd.community'),(8188,'Issue',454,8,'none'),(8189,'Issue',454,10,'high'),(8190,'Issue',454,13,'community'),(8191,'Issue',454,14,'windows'),(8193,'Issue',454,11,'6d2baff57'),(8194,'Issue',454,12,'4bf943c6-5146-4273-98dd-e958fd1e3abf'),(8195,'Issue',454,16,'win-proc'),(8196,'Issue',454,17,''),(8197,'Issue',454,7,''),(8198,'Issue',454,3,'Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block — https://github.com/danielbohannon/Invoke-Obfuscation/blob/master/Out-ObfuscatedStringCommand.ps1#L873-L888'),(8199,'Issue',454,4,''),(8200,'Issue',454,5,'_False Positives_\nUnknown'),(8201,'Issue',454,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (process.command_line:/\\$PSHome\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$PSHome\\[/ OR process.command_line:/\\$ShellId\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$ShellId\\[/ OR process.command_line:/\\$env:Public\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$env:Public\\[/ OR process.command_line:/\\$env:ComSpec\\[(\\s*\\d{1,3}\\s*,){2}/ OR process.command_line:/\\*mdr\\*\\W\\s*\\)\\.Name/ OR process.command_line:/\\$VerbosePreference\\.ToString\\(/ OR process.command_line:/\\String\\]\\s*\\$VerbosePreference/)\nindex: so-*\nname: Invoke-Obfuscation Obfuscated IEX Invocation\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(8202,'Issue',454,9,'{{collapse(View Sigma)\n\n\ntitle: Invoke-Obfuscation Obfuscated IEX Invocation\nid: 4bf943c6-5146-4273-98dd-e958fd1e3abf\ndescription: Detects all variations of obfuscated powershell IEX invocation code generated\n by Invoke-Obfuscation framework from the following code block — https://github.com/danielbohannon/Invoke-Obfuscation/blob/master/Out-ObfuscatedStringCommand.ps1#L873-L888\nstatus: experimental\nauthor: Daniel Bohannon (@Mandiant/@FireEye), oscd.community\ndate: 2019/11/08\ntags:\n- attack.defense_evasion\n- attack.t1027\nlogsource:\n product: windows\n service: process_creation\ndetection:\n selection:\n - CommandLine|re: \\$PSHome\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$PSHome\\[\n - CommandLine|re: \\$ShellId\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$ShellId\\[\n - CommandLine|re: \\$env:Public\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$env:Public\\[\n - CommandLine|re: \\$env:ComSpec\\[(\\s*\\d{1,3}\\s*,){2}\n - CommandLine|re: \\*mdr\\*\\W\\s*\\)\\.Name\n - CommandLine|re: \\$VerbosePreference\\.ToString\\(\n - CommandLine|re: \\String\\]\\s*\\$VerbosePreference\n condition: selection\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(8203,'Issue',454,15,'T1027'),(8204,'Issue',455,1,'Windows Kernel and 3rd-Party Drivers Exploits Token Stealing'),(8205,'Issue',455,2,'Teymur Kheirkhabarov (source), Daniil Yugoslavskiy (rule)'),(8206,'Issue',455,8,'https://www.slideshare.net/heirhabarov/hunting-for-privilege-escalation-in-windows-environment'),(8207,'Issue',455,10,'critical'),(8208,'Issue',455,13,'community'),(8209,'Issue',455,14,'windows'),(8211,'Issue',455,11,'1425eee14'),(8212,'Issue',455,12,'8065b1b4-1778-4427-877f-6bf948b26d38'),(8213,'Issue',455,16,'win-proc'),(8214,'Issue',455,17,''),(8215,'Issue',455,7,''),(8216,'Issue',455,3,'Detection of child processes spawned with SYSTEM privileges by parents with non-SYSTEM privileges and Medium integrity level'),(8217,'Issue',455,4,''),(8218,'Issue',455,5,'_False Positives_\nUnknown'),(8219,'Issue',455,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND ParentIntegrityLevel:\"Medium\" AND IntegrityLevel:\"System\" AND event_data.User:\"NT\\ AUTHORITY\\\\SYSTEM\")\nindex: so-*\nname: Windows Kernel and 3rd-Party Drivers Exploits Token Stealing\npriority: 1\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(8220,'Issue',455,9,'{{collapse(View Sigma)\n\n\ntitle: Windows Kernel and 3rd-Party Drivers Exploits Token Stealing\nid: 8065b1b4-1778-4427-877f-6bf948b26d38\ndescription: Detection of child processes spawned with SYSTEM privileges by parents\n with non-SYSTEM privileges and Medium integrity level\nreferences:\n- https://www.slideshare.net/heirhabarov/hunting-for-privilege-escalation-in-windows-environment\ntags:\n- attack.privilege_escalation\n- attack.t1068\nstatus: experimental\nauthor: Teymur Kheirkhabarov (source), Daniil Yugoslavskiy (rule)\ndate: 2019/06/03\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n ParentIntegrityLevel: Medium\n IntegrityLevel: System\n User: NT AUTHORITY\\SYSTEM\n condition: selection\nfalsepositives:\n- Unknown\nlevel: critical\nenrichment:\n- EN_0001_cache_sysmon_event_id_1_info\n- EN_0002_enrich_sysmon_event_id_1_with_parent_info\n\n
\n}}'),(8221,'Issue',455,15,'T1068'),(8222,'Issue',456,1,'MSHTA Spwaned by SVCHOST'),(8223,'Issue',456,2,'Markus Neis'),(8224,'Issue',456,8,'https://codewhitesec.blogspot.com/2018/07/lethalhta.html'),(8225,'Issue',456,10,'high'),(8226,'Issue',456,13,'community'),(8227,'Issue',456,14,'windows'),(8229,'Issue',456,11,'f443dd9d3'),(8230,'Issue',456,12,'ed5d72a6-f8f4-479d-ba79-02f6a80d7471'),(8231,'Issue',456,16,'win-proc'),(8232,'Issue',456,17,''),(8233,'Issue',456,7,''),(8234,'Issue',456,3,'Detects MSHTA.EXE spwaned by SVCHOST as seen in LethalHTA and described in report'),(8235,'Issue',456,4,''),(8236,'Issue',456,5,'_False Positives_\nUnknown'),(8237,'Issue',456,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.parent.executable.keyword:*\\\\svchost.exe AND process.executable.keyword:*\\\\mshta.exe)\nindex: so-*\nname: MSHTA Spwaned by SVCHOST\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(8238,'Issue',456,9,'{{collapse(View Sigma)\n\n\ntitle: MSHTA Spwaned by SVCHOST\nid: ed5d72a6-f8f4-479d-ba79-02f6a80d7471\nstatus: experimental\ndescription: Detects MSHTA.EXE spwaned by SVCHOST as seen in LethalHTA and described\n in report\nreferences:\n- https://codewhitesec.blogspot.com/2018/07/lethalhta.html\ntags:\n- attack.defense_evasion\n- attack.execution\n- attack.t1170\nauthor: Markus Neis\ndate: 2018/06/07\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n ParentImage: \'*\\svchost.exe\'\n Image: \'*\\mshta.exe\'\n condition: selection\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(8239,'Issue',456,15,'T1170'),(8240,'Issue',457,1,'Local Accounts Discovery'),(8241,'Issue',457,2,'Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community'),(8242,'Issue',457,8,'https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1033/T1033.yaml'),(8243,'Issue',457,10,'low'),(8244,'Issue',457,13,'community'),(8245,'Issue',457,14,'windows'),(8247,'Issue',457,11,'94d1a7cce'),(8248,'Issue',457,12,'502b42de-4306-40b4-9596-6f590c81f073'),(8249,'Issue',457,16,'win-proc'),(8250,'Issue',457,17,''),(8251,'Issue',457,7,''),(8252,'Issue',457,3,'Local accounts, System Owner/User discovery using operating systems utilities'),(8253,'Issue',457,4,''),(8254,'Issue',457,5,'_False Positives_\nLegitimate administrator or user enumerates local users for legitimate reason\n\n_Interesting Log Fields_\nImage\nCommandLine\nUser\nLogonGuid\nHashes\nParentProcessGuid\nParentCommandLine'),(8255,'Issue',457,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (((process.executable.keyword:*\\\\whoami.exe OR (process.executable.keyword:*\\\\wmic.exe AND process.command_line.keyword:*useraccount* AND process.command_line.keyword:*get*) OR process.executable.keyword:(*\\\\quser.exe OR *\\\\qwinsta.exe) OR (process.executable.keyword:*\\\\cmdkey.exe AND process.command_line.keyword:*\\/list*) OR (process.executable.keyword:*\\\\cmd.exe AND process.command_line.keyword:*\\/c* AND process.command_line.keyword:*dir\\ * AND process.command_line.keyword:*\\\\Users\\*)) AND (NOT (process.command_line.keyword:(*\\ rmdir\\ *)))) OR ((process.executable.keyword:(*\\\\net.exe OR *\\\\net1.exe) AND process.command_line.keyword:*user*) AND (NOT (process.command_line.keyword:(*\\/domain* OR *\\/add* OR *\\/delete* OR *\\/active* OR *\\/expires* OR *\\/passwordreq* OR *\\/scriptpath* OR *\\/times* OR *\\/workstations*))))))\nindex: so-*\nname: Local Accounts Discovery\npriority: 4\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(8256,'Issue',457,9,'{{collapse(View Sigma)\n\n\ntitle: Local Accounts Discovery\nid: 502b42de-4306-40b4-9596-6f590c81f073\nstatus: experimental\ndescription: Local accounts, System Owner/User discovery using operating systems utilities\nauthor: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community\ndate: 2019/10/21\nmodified: 2019/11/04\nreferences:\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1033/T1033.yaml\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_1:\n - Image|endswith: \\whoami.exe\n - Image|endswith: \\wmic.exe\n CommandLine|contains|all:\n - useraccount\n - get\n - Image|endswith:\n - \\quser.exe\n - \\qwinsta.exe\n - Image|endswith: \\cmdkey.exe\n CommandLine|contains: /list\n - Image|endswith: \\cmd.exe\n CommandLine|contains|all:\n - /c\n - \'dir \'\n - \\Users\\\n filter_1:\n CommandLine|contains:\n - \' rmdir \'\n selection_2:\n Image|endswith:\n - \\net.exe\n - \\net1.exe\n CommandLine|contains: user\n filter_2:\n CommandLine|contains:\n - /domain\n - /add\n - /delete\n - /active\n - /expires\n - /passwordreq\n - /scriptpath\n - /times\n - /workstations\n condition: (selection_1 and not filter_1) or ( selection_2 and not filter_2)\nfields:\n- Image\n- CommandLine\n- User\n- LogonGuid\n- Hashes\n- ParentProcessGuid\n- ParentCommandLine\nfalsepositives:\n- Legitimate administrator or user enumerates local users for legitimate reason\nlevel: low\ntags:\n- attack.discovery\n- attack.t1033\n- attack.t1087\n\n
\n}}'),(8257,'Issue',457,15,'T1033'),(8258,'Issue',457,15,'T1087'),(8259,'Issue',458,1,'LSASS Memory Dumping'),(8260,'Issue',458,2,'E.M. Anhaus (orignally from Atomic Blue Detections, Tony Lambert), oscd.community'),(8261,'Issue',458,8,'https://eqllib.readthedocs.io/en/latest/analytics/1e1ef6be-12fc-11e9-8d76-4d6bb837cda4.html\nhttps://eqllib.readthedocs.io/en/latest/analytics/210b4ea4-12fc-11e9-8d76-4d6bb837cda4.html\nhttps://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003/T1003.yaml'),(8262,'Issue',458,10,'high'),(8263,'Issue',458,13,'community'),(8264,'Issue',458,14,'windows'),(8266,'Issue',458,11,'80532cee2'),(8267,'Issue',458,12,'ffa6861c-4461-4f59-8a41-578c39f3f23e'),(8268,'Issue',458,16,'win-proc'),(8269,'Issue',458,17,''),(8270,'Issue',458,7,''),(8271,'Issue',458,3,'Detect creation of dump files containing the memory space of lsass.exe, which contains sensitive credentials. Identifies usage of Sysinternals procdump.exe to export the memory space of lsass.exe which contains sensitive credentials.'),(8272,'Issue',458,4,''),(8273,'Issue',458,5,'_False Positives_\nUnlikely\n\n_Interesting Log Fields_\nComputerName\nUser\nCommandLine'),(8274,'Issue',458,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND (((process.command_line.keyword:*lsass* AND process.command_line.keyword:*.dmp*) AND (NOT (process.executable.keyword:*\\\\werfault.exe))) OR (process.executable.keyword:*\\\\procdump* AND process.executable.keyword:*.exe AND process.command_line.keyword:*lsass*)))\nindex: so-*\nname: LSASS Memory Dumping\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(8275,'Issue',458,9,'{{collapse(View Sigma)\n\n\ntitle: LSASS Memory Dumping\nid: ffa6861c-4461-4f59-8a41-578c39f3f23e\ndescription: Detect creation of dump files containing the memory space of lsass.exe,\n which contains sensitive credentials. Identifies usage of Sysinternals procdump.exe\n to export the memory space of lsass.exe which contains sensitive credentials.\nstatus: experimental\nauthor: E.M. Anhaus (orignally from Atomic Blue Detections, Tony Lambert), oscd.community\ndate: 2019/10/24\nmodified: 2019/11/11\nreferences:\n- https://eqllib.readthedocs.io/en/latest/analytics/1e1ef6be-12fc-11e9-8d76-4d6bb837cda4.html\n- https://eqllib.readthedocs.io/en/latest/analytics/210b4ea4-12fc-11e9-8d76-4d6bb837cda4.html\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003/T1003.yaml\ntags:\n- attack.credential_access\n- attack.t1003\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection1:\n CommandLine|contains|all:\n - lsass\n - .dmp\n selection2:\n Image|endswith: \\werfault.exe\n selection3:\n Image|contains: \\procdump\n Image|endswith: .exe\n CommandLine|contains: lsass\n condition: selection1 and not selection2 or selection3\nfields:\n- ComputerName\n- User\n- CommandLine\nfalsepositives:\n- Unlikely\nlevel: high\n\n
\n}}'),(8276,'Issue',458,15,'T1003'),(8277,'Issue',459,1,'Dridex Process Pattern'),(8278,'Issue',459,2,'Florian Roth'),(8279,'Issue',459,8,'https://app.any.run/tasks/993daa5e-112a-4ff6-8b5a-edbcec7c7ba3'),(8280,'Issue',459,10,'critical'),(8281,'Issue',459,13,'community'),(8282,'Issue',459,14,'windows'),(8284,'Issue',459,11,'89a943e8b'),(8285,'Issue',459,12,'e6eb5a96-9e6f-4a18-9cdd-642cfda21c8e'),(8286,'Issue',459,16,'win-proc'),(8287,'Issue',459,17,''),(8288,'Issue',459,7,''),(8289,'Issue',459,3,'Detects typical Dridex process patterns'),(8290,'Issue',459,4,''),(8291,'Issue',459,5,'_False Positives_\nUnlikely'),(8292,'Issue',459,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND (process.command_line.keyword:*\\\\svchost.exe\\ C\\:\\\\Users\\\\*\\\\Desktop\\\\* OR (process.parent.executable.keyword:*\\\\svchost.exe* AND process.command_line.keyword:(*whoami.exe\\ \\/all OR *net.exe\\ view))))\nindex: so-*\nname: Dridex Process Pattern\npriority: 1\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(8293,'Issue',459,9,'{{collapse(View Sigma)\n\n\ntitle: Dridex Process Pattern\nid: e6eb5a96-9e6f-4a18-9cdd-642cfda21c8e\nstatus: experimental\ndescription: Detects typical Dridex process patterns\nreferences:\n- https://app.any.run/tasks/993daa5e-112a-4ff6-8b5a-edbcec7c7ba3\nauthor: Florian Roth\ndate: 2019/01/10\ntags:\n- attack.defense_evasion\n- attack.privilege_escalation\n- attack.t1055\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection1:\n CommandLine: \'*\\svchost.exe C:\\Users\\\\*\\Desktop\\\\*\'\n selection2:\n ParentImage: \'*\\svchost.exe*\'\n CommandLine:\n - \'*whoami.exe /all\'\n - \'*net.exe view\'\n condition: 1 of them\nfalsepositives:\n- Unlikely\nlevel: critical\n\n
\n}}'),(8294,'Issue',459,15,'T1055'),(8295,'Issue',460,1,'DTRACK Process Creation'),(8296,'Issue',460,2,'Florian Roth'),(8297,'Issue',460,8,'https://securelist.com/my-name-is-dtrack/93338/\nhttps://app.any.run/tasks/4bc9860d-ab51-4077-9e09-59ad346b92fd/\nhttps://app.any.run/tasks/ce4deab5-3263-494f-93e3-afb2b9d79f14/'),(8298,'Issue',460,10,'critical'),(8299,'Issue',460,13,'community'),(8300,'Issue',460,14,'windows'),(8301,'Issue',460,15,''),(8302,'Issue',460,11,'1265efdfc'),(8303,'Issue',460,12,'f1531fa4-5b84-4342-8f68-9cf3fdbd83d4'),(8304,'Issue',460,16,'win-proc'),(8305,'Issue',460,17,''),(8306,'Issue',460,7,''),(8307,'Issue',460,3,'Detects specific process parameters as seen in DTRACK infections'),(8308,'Issue',460,4,''),(8309,'Issue',460,5,'_False Positives_\nUnlikely\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(8310,'Issue',460,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:*\\ echo\\ EEEE\\ \\ *)\nindex: so-*\nname: DTRACK Process Creation\npriority: 1\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(8311,'Issue',460,9,'{{collapse(View Sigma)\n\n\ntitle: DTRACK Process Creation\nid: f1531fa4-5b84-4342-8f68-9cf3fdbd83d4\nstatus: experimental\ndescription: Detects specific process parameters as seen in DTRACK infections\nauthor: Florian Roth\ndate: 2019/10/30\nreferences:\n- https://securelist.com/my-name-is-dtrack/93338/\n- https://app.any.run/tasks/4bc9860d-ab51-4077-9e09-59ad346b92fd/\n- https://app.any.run/tasks/ce4deab5-3263-494f-93e3-afb2b9d79f14/\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n CommandLine: \'* echo EEEE > *\'\n condition: selection\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Unlikely\nlevel: critical\n\n
\n}}'),(8312,'Issue',461,1,'Emotet Process Creation'),(8313,'Issue',461,2,'Florian Roth'),(8314,'Issue',461,8,'https://app.any.run/tasks/e13ab713-64cf-4b23-ad93-6dceaa5429ac/\nhttps://app.any.run/tasks/81f3c28c-c686-425d-8a2b-a98198d244e1/\nhttps://app.any.run/tasks/97f875e8-0e08-4328-815f-055e971ba754/\nhttps://app.any.run/tasks/84fc9b4a-ea2b-47b1-8aa6-9014402dfb56/'),(8315,'Issue',461,10,'critical'),(8316,'Issue',461,13,'community'),(8317,'Issue',461,14,'windows'),(8318,'Issue',461,15,''),(8319,'Issue',461,11,'22693b62c'),(8320,'Issue',461,12,'d02e8cf5-6099-48cf-9bfc-1eec2d0c7b18'),(8321,'Issue',461,16,'win-proc'),(8322,'Issue',461,17,''),(8323,'Issue',461,7,''),(8324,'Issue',461,3,'Detects all Emotet like process executions that are not covered by the more generic rules'),(8325,'Issue',461,4,''),(8326,'Issue',461,5,'_False Positives_\nUnlikely\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(8327,'Issue',461,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(*\\ \\-e*\\ PAA* OR *JABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQ* OR *QAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUA* OR *kAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlA* OR *IgAoACcAKgAnACkAOwAkA* OR *IAKAAnACoAJwApADsAJA* OR *iACgAJwAqACcAKQA7ACQA* OR *JABGAGwAeAByAGgAYwBmAGQ*))\nindex: so-*\nname: Emotet Process Creation\npriority: 1\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(8328,'Issue',461,9,'{{collapse(View Sigma)\n\n\ntitle: Emotet Process Creation\nid: d02e8cf5-6099-48cf-9bfc-1eec2d0c7b18\nstatus: experimental\ndescription: Detects all Emotet like process executions that are not covered by the\n more generic rules\nauthor: Florian Roth\ndate: 2019/09/30\nmodified: 2019/10/16\nreferences:\n- https://app.any.run/tasks/e13ab713-64cf-4b23-ad93-6dceaa5429ac/\n- https://app.any.run/tasks/81f3c28c-c686-425d-8a2b-a98198d244e1/\n- https://app.any.run/tasks/97f875e8-0e08-4328-815f-055e971ba754/\n- https://app.any.run/tasks/84fc9b4a-ea2b-47b1-8aa6-9014402dfb56/\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n CommandLine:\n - \'* -e* PAA*\'\n - \'*JABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQ*\'\n - \'*QAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUA*\'\n - \'*kAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlA*\'\n - \'*IgAoACcAKgAnACkAOwAkA*\'\n - \'*IAKAAnACoAJwApADsAJA*\'\n - \'*iACgAJwAqACcAKQA7ACQA*\'\n - \'*JABGAGwAeAByAGgAYwBmAGQ*\'\n condition: selection\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Unlikely\nlevel: critical\n\n
\n}}'),(8329,'Issue',462,1,'Formbook Process Creation'),(8330,'Issue',462,2,'Florian Roth'),(8331,'Issue',462,8,'https://inquest.net/blog/2018/06/22/a-look-at-formbook-stealer\nhttps://app.any.run/tasks/388d5802-aa48-4826-b069-250420504758/\nhttps://app.any.run/tasks/8e22486b-5edc-4cef-821c-373e945f296c/\nhttps://app.any.run/tasks/62bb01ae-25a4-4180-b278-8e464a90b8d7/'),(8332,'Issue',462,10,'critical'),(8333,'Issue',462,13,'community'),(8334,'Issue',462,14,'windows'),(8335,'Issue',462,15,''),(8336,'Issue',462,11,'a76fc01e3'),(8337,'Issue',462,12,'032f5fb3-d959-41a5-9263-4173c802dc2b'),(8338,'Issue',462,16,'win-proc'),(8339,'Issue',462,17,''),(8340,'Issue',462,7,''),(8341,'Issue',462,3,'Detects Formbook like process executions that inject code into a set of files in the System32 folder, which executes a special command command line to delete the dropper from the AppData Temp folder. We avoid false positives by excluding all parent process with command line parameters.'),(8342,'Issue',462,4,''),(8343,'Issue',462,5,'_False Positives_\nUnknown\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(8344,'Issue',462,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.parent.command_line.keyword:(C\\:\\\\Windows\\\\System32\\\\*.exe OR C\\:\\\\Windows\\\\SysWOW64\\\\*.exe) AND process.command_line.keyword:(*\\ \\/c\\ del\\ \\\"C\\:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\*.exe OR *\\ \\/c\\ del\\ \\\"C\\:\\\\Users\\\\*\\\\Desktop\\\\*.exe OR *\\ \\/C\\ type\\ nul\\ \\ \\\"C\\:\\\\Users\\\\*\\\\Desktop\\\\*.exe))\nindex: so-*\nname: Formbook Process Creation\npriority: 1\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(8345,'Issue',462,9,'{{collapse(View Sigma)\n\n\ntitle: Formbook Process Creation\nid: 032f5fb3-d959-41a5-9263-4173c802dc2b\nstatus: experimental\ndescription: Detects Formbook like process executions that inject code into a set\n of files in the System32 folder, which executes a special command command line to\n delete the dropper from the AppData Temp folder. We avoid false positives by excluding\n all parent process with command line parameters.\nauthor: Florian Roth\ndate: 2019/09/30\nmodified: 2019/10/31\nreferences:\n- https://inquest.net/blog/2018/06/22/a-look-at-formbook-stealer\n- https://app.any.run/tasks/388d5802-aa48-4826-b069-250420504758/\n- https://app.any.run/tasks/8e22486b-5edc-4cef-821c-373e945f296c/\n- https://app.any.run/tasks/62bb01ae-25a4-4180-b278-8e464a90b8d7/\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n ParentCommandLine:\n - C:\\Windows\\System32\\\\*.exe\n - C:\\Windows\\SysWOW64\\\\*.exe\n CommandLine:\n - \'* /c del \"C:\\Users\\\\*\\AppData\\Local\\Temp\\\\*.exe\'\n - \'* /c del \"C:\\Users\\\\*\\Desktop\\\\*.exe\'\n - \'* /C type nul > \"C:\\Users\\\\*\\Desktop\\\\*.exe\'\n condition: selection\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Unknown\nlevel: critical\n\n
\n}}'),(8346,'Issue',463,1,'NotPetya Ransomware Activity'),(8347,'Issue',463,2,'Florian Roth, Tom Ueltschi'),(8348,'Issue',463,8,'https://securelist.com/schroedingers-petya/78870/\nhttps://www.hybrid-analysis.com/sample/64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1?environmentId=100'),(8349,'Issue',463,10,'critical'),(8350,'Issue',463,13,'community'),(8351,'Issue',463,14,'windows'),(8353,'Issue',463,11,'f1d5345d2'),(8354,'Issue',463,12,'79aeeb41-8156-4fac-a0cd-076495ab82a1'),(8355,'Issue',463,16,'win-proc'),(8356,'Issue',463,17,''),(8357,'Issue',463,7,''),(8358,'Issue',463,3,'Detects NotPetya ransomware activity in which the extracted passwords are passed back to the main module via named pipe, the file system journal of drive C is deleted and windows eventlogs are cleared using wevtutil'),(8359,'Issue',463,4,''),(8360,'Issue',463,5,'_False Positives_\nAdmin activity\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(8361,'Issue',463,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND (process.command_line.keyword:*\\\\AppData\\\\Local\\\\Temp\\\\*\\ \\\\.\\\\pipe\\\\* OR (process.executable.keyword:*\\\\rundll32.exe AND process.command_line.keyword:*.dat,#1) OR *\\\\perfc.dat*))\nindex: so-*\nname: NotPetya Ransomware Activity\npriority: 1\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(8362,'Issue',463,9,'{{collapse(View Sigma)\n\n\ntitle: NotPetya Ransomware Activity\nid: 79aeeb41-8156-4fac-a0cd-076495ab82a1\nstatus: experimental\ndescription: Detects NotPetya ransomware activity in which the extracted passwords\n are passed back to the main module via named pipe, the file system journal of drive\n C is deleted and windows eventlogs are cleared using wevtutil\nauthor: Florian Roth, Tom Ueltschi\ndate: 2019/01/16\nreferences:\n- https://securelist.com/schroedingers-petya/78870/\n- https://www.hybrid-analysis.com/sample/64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1?environmentId=100\ntags:\n- attack.execution\n- attack.credential_access\n- attack.defense_evasion\n- attack.t1085\n- attack.t1070\n- attack.t1003\n- car.2016-04-002\nlogsource:\n category: process_creation\n product: windows\ndetection:\n pipe_com:\n CommandLine: \'*\\AppData\\Local\\Temp\\\\* \\\\.\\pipe\\\\*\'\n rundll32_dash1:\n Image: \'*\\rundll32.exe\'\n CommandLine: \'*.dat,#1\'\n perfc_keyword:\n - \'*\\perfc.dat*\'\n condition: 1 of them\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Admin activity\nlevel: critical\n\n
\n}}'),(8363,'Issue',463,15,'T1085'),(8364,'Issue',463,15,'T1070'),(8365,'Issue',463,15,'T1003'),(8366,'Issue',464,1,'QBot Process Creation'),(8367,'Issue',464,2,'Florian Roth'),(8368,'Issue',464,8,'https://twitter.com/killamjr/status/1179034907932315648\nhttps://app.any.run/tasks/2e0647b7-eb86-4f72-904b-d2d0ecac07d1/'),(8369,'Issue',464,10,'critical'),(8370,'Issue',464,13,'community'),(8371,'Issue',464,14,'windows'),(8372,'Issue',464,15,''),(8373,'Issue',464,11,'046681e0b'),(8374,'Issue',464,12,'4fcac6eb-0287-4090-8eea-2602e4c20040'),(8375,'Issue',464,16,'win-proc'),(8376,'Issue',464,17,''),(8377,'Issue',464,7,''),(8378,'Issue',464,3,'Detects QBot like process executions'),(8379,'Issue',464,4,''),(8380,'Issue',464,5,'_False Positives_\nUnlikely\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(8381,'Issue',464,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND ((process.parent.executable.keyword:*\\\\WinRAR.exe AND process.executable.keyword:*\\\\wscript.exe) OR process.command_line.keyword:*\\ \\/c\\ ping.exe\\ \\-n\\ 6\\ 127.0.0.1\\ &\\ type\\ *))\nindex: so-*\nname: QBot Process Creation\npriority: 1\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(8382,'Issue',464,9,'{{collapse(View Sigma)\n\n\ntitle: QBot Process Creation\nid: 4fcac6eb-0287-4090-8eea-2602e4c20040\nstatus: experimental\ndescription: Detects QBot like process executions\nauthor: Florian Roth\ndate: 2019/10/01\nreferences:\n- https://twitter.com/killamjr/status/1179034907932315648\n- https://app.any.run/tasks/2e0647b7-eb86-4f72-904b-d2d0ecac07d1/\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection1:\n ParentImage: \'*\\WinRAR.exe\'\n Image: \'*\\wscript.exe\'\n selection2:\n CommandLine: \'* /c ping.exe -n 6 127.0.0.1 & type *\'\n condition: selection1 or selection2\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Unlikely\nlevel: critical\n\n
\n}}'),(8383,'Issue',465,1,'Ryuk Ransomware'),(8384,'Issue',465,2,'Florian Roth'),(8385,'Issue',465,8,'https://app.any.run/tasks/d860402c-3ff4-4c1f-b367-0237da714ed1/'),(8386,'Issue',465,10,'critical'),(8387,'Issue',465,13,'community'),(8388,'Issue',465,14,'windows'),(8389,'Issue',465,15,''),(8390,'Issue',465,11,'78f7434fc'),(8391,'Issue',465,12,'c37510b8-2107-4b78-aa32-72f251e7a844'),(8392,'Issue',465,16,'win-proc'),(8393,'Issue',465,17,''),(8394,'Issue',465,7,''),(8395,'Issue',465,3,'Detects Ryuk ransomware activity'),(8396,'Issue',465,4,''),(8397,'Issue',465,5,'_False Positives_\nUnlikely\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(8398,'Issue',465,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:*Microsoft\\\\Windows\\\\CurrentVersion\\\\Run* AND process.command_line.keyword:*C\\:\\\\users\\\\Public\\*)\nindex: so-*\nname: Ryuk Ransomware\npriority: 1\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(8399,'Issue',465,9,'{{collapse(View Sigma)\n\n\ntitle: Ryuk Ransomware\nid: c37510b8-2107-4b78-aa32-72f251e7a844\nstatus: experimental\ndescription: Detects Ryuk ransomware activity\nauthor: Florian Roth\ndate: 2019/12/16\nreferences:\n- https://app.any.run/tasks/d860402c-3ff4-4c1f-b367-0237da714ed1/\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n CommandLine|contains|all:\n - Microsoft\\Windows\\CurrentVersion\\Run\n - C:\\users\\Public\\\n condition: selection\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Unlikely\nlevel: critical\n\n
\n}}'),(8400,'Issue',466,1,'WScript or CScript Dropper'),(8401,'Issue',466,2,'Margaritis Dimitrios (idea), Florian Roth (rule)'),(8402,'Issue',466,8,'none'),(8403,'Issue',466,10,'high'),(8404,'Issue',466,13,'community'),(8405,'Issue',466,14,'windows'),(8407,'Issue',466,11,'163533995'),(8408,'Issue',466,12,'cea72823-df4d-4567-950c-0b579eaf0846'),(8409,'Issue',466,16,'win-proc'),(8410,'Issue',466,17,''),(8411,'Issue',466,7,''),(8412,'Issue',466,3,'Detects wscript/cscript executions of scripts located in user directories'),(8413,'Issue',466,4,''),(8414,'Issue',466,5,'_False Positives_\nWinzip\nOther self-extractors\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(8415,'Issue',466,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (process.executable.keyword:(*\\\\wscript.exe OR *\\\\cscript.exe) AND process.command_line.keyword:(*\\ C\\:\\\\Users\\\\*.jse\\ * OR *\\ C\\:\\\\Users\\\\*.vbe\\ * OR *\\ C\\:\\\\Users\\\\*.js\\ * OR *\\ C\\:\\\\Users\\\\*.vba\\ * OR *\\ C\\:\\\\Users\\\\*.vbs\\ * OR *\\ C\\:\\\\ProgramData\\\\*.jse\\ * OR *\\ C\\:\\\\ProgramData\\\\*.vbe\\ * OR *\\ C\\:\\\\ProgramData\\\\*.js\\ * OR *\\ C\\:\\\\ProgramData\\\\*.vba\\ * OR *\\ C\\:\\\\ProgramData\\\\*.vbs\\ *)) AND (NOT (process.parent.executable.keyword:*\\\\winzip*)))\nindex: so-*\nname: WScript or CScript Dropper\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(8416,'Issue',466,9,'{{collapse(View Sigma)\n\n\ntitle: WScript or CScript Dropper\nid: cea72823-df4d-4567-950c-0b579eaf0846\nstatus: experimental\ndescription: Detects wscript/cscript executions of scripts located in user directories\nauthor: Margaritis Dimitrios (idea), Florian Roth (rule)\ndate: 2019/01/16\ntags:\n- attack.defense_evasion\n- attack.execution\n- attack.t1064\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n Image:\n - \'*\\wscript.exe\'\n - \'*\\cscript.exe\'\n CommandLine:\n - \'* C:\\Users\\\\*.jse *\'\n - \'* C:\\Users\\\\*.vbe *\'\n - \'* C:\\Users\\\\*.js *\'\n - \'* C:\\Users\\\\*.vba *\'\n - \'* C:\\Users\\\\*.vbs *\'\n - \'* C:\\ProgramData\\\\*.jse *\'\n - \'* C:\\ProgramData\\\\*.vbe *\'\n - \'* C:\\ProgramData\\\\*.js *\'\n - \'* C:\\ProgramData\\\\*.vba *\'\n - \'* C:\\ProgramData\\\\*.vbs *\'\n falsepositive:\n ParentImage: \'*\\winzip*\'\n condition: selection and not falsepositive\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Winzip\n- Other self-extractors\nlevel: high\n\n
\n}}'),(8417,'Issue',466,15,'T1064'),(8418,'Issue',467,1,'Trickbot Malware Recon Activity'),(8419,'Issue',467,2,'David Burkett'),(8420,'Issue',467,8,'https://www.sneakymonkey.net/2019/05/22/trickbot-analysis/'),(8421,'Issue',467,10,'critical'),(8422,'Issue',467,13,'community'),(8423,'Issue',467,14,'windows'),(8425,'Issue',467,11,'1482df18d'),(8426,'Issue',467,12,'410ad193-a728-4107-bc79-4419789fcbf8'),(8427,'Issue',467,16,'win-proc'),(8428,'Issue',467,17,''),(8429,'Issue',467,7,''),(8430,'Issue',467,3,'Trickbot enumerates domain/network topology and executes certain commands automatically every few minutes. This detectors attempts to identify that activity based off a command rarely observed in an enterprise network.'),(8431,'Issue',467,4,''),(8432,'Issue',467,5,'_False Positives_\nRare System Admin Activity\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(8433,'Issue',467,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:(*\\\\nltest.exe) AND process.command_line:(\"\\/domain_trusts\\ \\/all_trusts\" OR \"\\/domain_trusts\"))\nindex: so-*\nname: Trickbot Malware Recon Activity\npriority: 1\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(8434,'Issue',467,9,'{{collapse(View Sigma)\n\n\ntitle: Trickbot Malware Recon Activity\nid: 410ad193-a728-4107-bc79-4419789fcbf8\nstatus: experimental\ndescription: Trickbot enumerates domain/network topology and executes certain commands\n automatically every few minutes. This detectors attempts to identify that activity\n based off a command rarely observed in an enterprise network.\nreferences:\n- https://www.sneakymonkey.net/2019/05/22/trickbot-analysis/\nauthor: David Burkett\ndate: 2019/12/28\ntags:\n- attack.t1482\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n Image:\n - \'*\\nltest.exe\'\n CommandLine:\n - /domain_trusts /all_trusts\n - /domain_trusts\n condition: selection\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Rare System Admin Activity\nlevel: critical\n\n
\n}}'),(8435,'Issue',467,15,'T1482'),(8436,'Issue',468,1,'WannaCry Ransomware'),(8437,'Issue',468,2,'Florian Roth (rule), Tom U. @c_APT_ure (collection)'),(8438,'Issue',468,8,'https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100'),(8439,'Issue',468,10,'critical'),(8440,'Issue',468,13,'community'),(8441,'Issue',468,14,'windows'),(8442,'Issue',468,15,''),(8443,'Issue',468,11,'39c3b0af5'),(8444,'Issue',468,12,'41d40bff-377a-43e2-8e1b-2e543069e079'),(8445,'Issue',468,16,'win-proc'),(8446,'Issue',468,17,''),(8447,'Issue',468,7,''),(8448,'Issue',468,3,'Detects WannaCry ransomware activity'),(8449,'Issue',468,4,''),(8450,'Issue',468,5,'_False Positives_\nDiskpart.exe usage to manage partitions on the local hard drive\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(8451,'Issue',468,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND (process.executable.keyword:(*\\\\tasksche.exe OR *\\\\mssecsvc.exe OR *\\\\taskdl.exe OR *\\\\@WanaDecryptor@* OR *\\\\WanaDecryptor* OR *\\\\taskhsvc.exe OR *\\\\taskse.exe OR *\\\\111.exe OR *\\\\lhdfrgui.exe OR *\\\\diskpart.exe OR *\\\\linuxnew.exe OR *\\\\wannacry.exe) OR process.command_line.keyword:(*icacls\\ *\\ \\/grant\\ Everyone\\:F\\ \\/T\\ \\/C\\ \\/Q* OR *bcdedit\\ \\/set\\ \\{default\\}\\ recoveryenabled\\ no* OR *wbadmin\\ delete\\ catalog\\ \\-quiet* OR *@Please_Read_Me@.txt*)))\nindex: so-*\nname: WannaCry Ransomware\npriority: 1\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(8452,'Issue',468,9,'{{collapse(View Sigma)\n\n\ntitle: WannaCry Ransomware\nid: 41d40bff-377a-43e2-8e1b-2e543069e079\nstatus: experimental\ndescription: Detects WannaCry ransomware activity\nreferences:\n- https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100\nauthor: Florian Roth (rule), Tom U. @c_APT_ure (collection)\ndate: 2019/01/16\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection1:\n Image:\n - \'*\\tasksche.exe\'\n - \'*\\mssecsvc.exe\'\n - \'*\\taskdl.exe\'\n - \'*\\@WanaDecryptor@*\'\n - \'*\\WanaDecryptor*\'\n - \'*\\taskhsvc.exe\'\n - \'*\\taskse.exe\'\n - \'*\\111.exe\'\n - \'*\\lhdfrgui.exe\'\n - \'*\\diskpart.exe\'\n - \'*\\linuxnew.exe\'\n - \'*\\wannacry.exe\'\n selection2:\n CommandLine:\n - \'*icacls * /grant Everyone:F /T /C /Q*\'\n - \'*bcdedit /set {default} recoveryenabled no*\'\n - \'*wbadmin delete catalog -quiet*\'\n - \'*@Please_Read_Me@.txt*\'\n condition: 1 of them\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Diskpart.exe usage to manage partitions on the local hard drive\nlevel: critical\n\n
\n}}'),(8453,'Issue',469,1,'MavInject Process Injection'),(8454,'Issue',469,2,'Florian Roth'),(8455,'Issue',469,8,'https://twitter.com/gN3mes1s/status/941315826107510784\nhttps://reaqta.com/2017/12/mavinject-microsoft-injector/\nhttps://twitter.com/Hexacorn/status/776122138063409152'),(8456,'Issue',469,10,'critical'),(8457,'Issue',469,13,'community'),(8458,'Issue',469,14,'windows'),(8460,'Issue',469,11,'313d39562'),(8461,'Issue',469,12,'17eb8e57-9983-420d-ad8a-2c4976c22eb8'),(8462,'Issue',469,16,'win-proc'),(8463,'Issue',469,17,''),(8464,'Issue',469,7,''),(8465,'Issue',469,3,'Detects process injection using the signed Windows tool Mavinject32.exe'),(8466,'Issue',469,4,''),(8467,'Issue',469,5,'_False Positives_\nunknown'),(8468,'Issue',469,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:*\\ \\/INJECTRUNNING\\ *)\nindex: so-*\nname: MavInject Process Injection\npriority: 1\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(8469,'Issue',469,9,'{{collapse(View Sigma)\n\n\ntitle: MavInject Process Injection\nid: 17eb8e57-9983-420d-ad8a-2c4976c22eb8\nstatus: experimental\ndescription: Detects process injection using the signed Windows tool Mavinject32.exe\nreferences:\n- https://twitter.com/gN3mes1s/status/941315826107510784\n- https://reaqta.com/2017/12/mavinject-microsoft-injector/\n- https://twitter.com/Hexacorn/status/776122138063409152\nauthor: Florian Roth\ndate: 2018/12/12\ntags:\n- attack.t1055\n- attack.t1218\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n CommandLine: \'* /INJECTRUNNING *\'\n condition: selection\nfalsepositives:\n- unknown\nlevel: critical\n\n
\n}}'),(8470,'Issue',469,15,'T1055'),(8471,'Issue',469,15,'T1218'),(8472,'Issue',470,1,'Meterpreter or Cobalt Strike Getsystem Service Start'),(8473,'Issue',470,2,'Teymur Kheirkhabarov'),(8474,'Issue',470,8,'https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment\nhttps://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/'),(8475,'Issue',470,10,'high'),(8476,'Issue',470,13,'community'),(8477,'Issue',470,14,'windows'),(8479,'Issue',470,11,'faf8435b3'),(8480,'Issue',470,12,'15619216-e993-4721-b590-4c520615a67d'),(8481,'Issue',470,16,'win-proc'),(8482,'Issue',470,17,''),(8483,'Issue',470,7,''),(8484,'Issue',470,3,'Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service starting'),(8485,'Issue',470,4,''),(8486,'Issue',470,5,'_False Positives_\nCommandlines containing components like cmd accidentally\nJobs and services started with cmd\n\n_Interesting Log Fields_\nComputerName\nUser\nCommandLine'),(8487,'Issue',470,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (process.parent.executable.keyword:*\\\\services.exe AND (process.command_line.keyword:(*cmd* OR *comspec*) OR (process.command_line.keyword:*cmd* AND process.command_line.keyword:*\\/c* AND process.command_line.keyword:*echo* AND process.command_line.keyword:*\\\\pipe\\*) OR (process.command_line.keyword:*%COMSPEC%* AND process.command_line.keyword:*\\/c* AND process.command_line.keyword:*echo* AND process.command_line.keyword:*\\\\pipe\\*) OR (process.command_line.keyword:*rundll32* AND process.command_line.keyword:*.dll,a* AND process.command_line.keyword:*\\/p\\:*))) AND (NOT (process.command_line.keyword:*MpCmdRun*)))\nindex: so-*\nname: Meterpreter or Cobalt Strike Getsystem Service Start\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(8488,'Issue',470,9,'{{collapse(View Sigma)\n\n\ntitle: Meterpreter or Cobalt Strike Getsystem Service Start\nid: 15619216-e993-4721-b590-4c520615a67d\ndescription: Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting\n a specific service starting\nauthor: Teymur Kheirkhabarov\ndate: 2019/10/26\nmodified: 2019/11/11\nreferences:\n- https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment\n- https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/\ntags:\n- attack.privilege_escalation\n- attack.t1134\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_1:\n ParentImage|endswith: \\services.exe\n selection_2:\n - CommandLine|contains:\n - cmd\n - comspec\n - CommandLine|contains|all:\n - cmd\n - /c\n - echo\n - \\pipe\\\n - CommandLine|contains|all:\n - \'%COMSPEC%\'\n - /c\n - echo\n - \\pipe\\\n - CommandLine|contains|all:\n - rundll32\n - .dll,a\n - \'/p:\'\n filter1:\n CommandLine|contains: MpCmdRun\n condition: selection_1 and selection_2 and not filter1\nfields:\n- ComputerName\n- User\n- CommandLine\nfalsepositives:\n- Commandlines containing components like cmd accidentally\n- Jobs and services started with cmd\nlevel: high\n\n
\n}}'),(8489,'Issue',470,15,'T1134'),(8490,'Issue',471,1,'Mimikatz Command Line'),(8491,'Issue',471,2,'Teymur Kheirkhabarov, oscd.community'),(8492,'Issue',471,8,'https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment'),(8493,'Issue',471,10,'medium'),(8494,'Issue',471,13,'community'),(8495,'Issue',471,14,'windows'),(8497,'Issue',471,11,'f9e688b06'),(8498,'Issue',471,12,'a642964e-bead-4bed-8910-1bb4d63e3b4d'),(8499,'Issue',471,16,'win-proc'),(8500,'Issue',471,17,''),(8501,'Issue',471,7,''),(8502,'Issue',471,3,'Detection well-known mimikatz command line arguments'),(8503,'Issue',471,4,''),(8504,'Issue',471,5,'_False Positives_\nLegitimate Administrator using tool for password recovery'),(8505,'Issue',471,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND (process.command_line.keyword:(*DumpCreds* OR *invoke\\-mimikatz*) OR (process.command_line.keyword:(*rpc* OR *token* OR *crypto* OR *dpapi* OR *sekurlsa* OR *kerberos* OR *lsadump* OR *privilege* OR *process*) AND process.command_line.keyword:(*\\:\\:*))))\nindex: so-*\nname: Mimikatz Command Line\npriority: 3\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(8506,'Issue',471,9,'{{collapse(View Sigma)\n\n\ntitle: Mimikatz Command Line\nid: a642964e-bead-4bed-8910-1bb4d63e3b4d\ndescription: Detection well-known mimikatz command line arguments\nauthor: Teymur Kheirkhabarov, oscd.community\ndate: 2019/10/22\nreferences:\n- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment\ntags:\n- attack.credential_access\n- attack.t1003\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_1:\n CommandLine|contains:\n - DumpCreds\n - invoke-mimikatz\n selection_2:\n CommandLine|contains:\n - rpc\n - token\n - crypto\n - dpapi\n - sekurlsa\n - kerberos\n - lsadump\n - privilege\n - process\n selection_3:\n CommandLine|contains:\n - \'::\'\n condition: selection_1 or selection_2 and selection_3\nfalsepositives:\n- Legitimate Administrator using tool for password recovery\nlevel: medium\nstatus: experimental\n\n
\n}}'),(8507,'Issue',471,15,'T1003'),(8508,'Issue',472,1,'MMC Spawning Windows Shell'),(8509,'Issue',472,2,'Karneades, Swisscom CSIRT'),(8510,'Issue',472,8,'none'),(8511,'Issue',472,10,'high'),(8512,'Issue',472,13,'community'),(8513,'Issue',472,14,'windows'),(8515,'Issue',472,11,'5af2839b3'),(8516,'Issue',472,12,'05a2ab7e-ce11-4b63-86db-ab32e763e11d'),(8517,'Issue',472,16,'win-proc'),(8518,'Issue',472,17,''),(8519,'Issue',472,7,''),(8520,'Issue',472,3,'Detects a Windows command line executable started from MMC.'),(8521,'Issue',472,4,''),(8522,'Issue',472,5,'_False Positives_\n Unknown\n\n_Interesting Log Fields_\nCommandLine\nImage\nParentCommandLine'),(8523,'Issue',472,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.parent.executable.keyword:*\\\\mmc.exe AND process.executable.keyword:(*\\\\cmd.exe OR *\\\\powershell.exe OR *\\\\wscript.exe OR *\\\\cscript.exe OR *\\\\sh.exe OR *\\\\bash.exe OR *\\\\reg.exe OR *\\\\regsvr32.exe OR *\\\\BITSADMIN*))\nindex: so-*\nname: MMC Spawning Windows Shell\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(8524,'Issue',472,9,'{{collapse(View Sigma)\n\n\ntitle: MMC Spawning Windows Shell\nid: 05a2ab7e-ce11-4b63-86db-ab32e763e11d\nstatus: experimental\ndescription: Detects a Windows command line executable started from MMC.\nauthor: Karneades, Swisscom CSIRT\ndate: 2019/08/05\ntags:\n- attack.lateral_movement\n- attack.t1175\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n ParentImage: \'*\\mmc.exe\'\n Image:\n - \'*\\cmd.exe\'\n - \'*\\powershell.exe\'\n - \'*\\wscript.exe\'\n - \'*\\cscript.exe\'\n - \'*\\sh.exe\'\n - \'*\\bash.exe\'\n - \'*\\reg.exe\'\n - \'*\\regsvr32.exe\'\n - \'*\\BITSADMIN*\'\n condition: selection\nfields:\n- CommandLine\n- Image\n- ParentCommandLine\nlevel: high\n\n
\n}}'),(8525,'Issue',472,15,'T1175'),(8526,'Issue',473,1,'MSHTA Spawning Windows Shell'),(8527,'Issue',473,2,'Michael Haag'),(8528,'Issue',473,8,'https://www.trustedsec.com/july-2015/malicious-htas/'),(8529,'Issue',473,10,'high'),(8530,'Issue',473,13,'community'),(8531,'Issue',473,14,'windows'),(8533,'Issue',473,11,'16c1a6c19'),(8534,'Issue',473,12,'03cc0c25-389f-4bf8-b48d-11878079f1ca'),(8535,'Issue',473,16,'win-proc'),(8536,'Issue',473,17,''),(8537,'Issue',473,7,''),(8538,'Issue',473,3,'Detects a Windows command line executable started from MSHTA.'),(8539,'Issue',473,4,''),(8540,'Issue',473,5,'_False Positives_\nPrinter software / driver installations\nHP software\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(8541,'Issue',473,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.parent.executable.keyword:*\\\\mshta.exe AND process.executable.keyword:(*\\\\cmd.exe OR *\\\\powershell.exe OR *\\\\wscript.exe OR *\\\\cscript.exe OR *\\\\sh.exe OR *\\\\bash.exe OR *\\\\reg.exe OR *\\\\regsvr32.exe OR *\\\\BITSADMIN*))\nindex: so-*\nname: MSHTA Spawning Windows Shell\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(8542,'Issue',473,9,'{{collapse(View Sigma)\n\n\ntitle: MSHTA Spawning Windows Shell\nid: 03cc0c25-389f-4bf8-b48d-11878079f1ca\nstatus: experimental\ndescription: Detects a Windows command line executable started from MSHTA.\nreferences:\n- https://www.trustedsec.com/july-2015/malicious-htas/\nauthor: Michael Haag\ndate: 2019/01/16\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n ParentImage: \'*\\mshta.exe\'\n Image:\n - \'*\\cmd.exe\'\n - \'*\\powershell.exe\'\n - \'*\\wscript.exe\'\n - \'*\\cscript.exe\'\n - \'*\\sh.exe\'\n - \'*\\bash.exe\'\n - \'*\\reg.exe\'\n - \'*\\regsvr32.exe\'\n - \'*\\BITSADMIN*\'\n condition: selection\nfields:\n- CommandLine\n- ParentCommandLine\ntags:\n- attack.defense_evasion\n- attack.execution\n- attack.t1170\n- car.2013-02-003\n- car.2013-03-001\n- car.2014-04-003\nfalsepositives:\n- Printer software / driver installations\n- HP software\nlevel: high\n\n
\n}}'),(8543,'Issue',473,15,'T1170'),(8544,'Issue',474,1,'Quick Execution of a Series of Suspicious Commands'),(8545,'Issue',474,2,'juju4'),(8546,'Issue',474,8,'https://car.mitre.org/wiki/CAR-2013-04-002'),(8547,'Issue',474,10,'low'),(8548,'Issue',474,13,'community'),(8549,'Issue',474,14,'windows'),(8550,'Issue',474,15,''),(8551,'Issue',474,11,'9a5d32ef1'),(8552,'Issue',474,12,'61ab5496-748e-4818-a92f-de78e20fe7f1'),(8553,'Issue',474,16,'win-proc'),(8554,'Issue',474,17,''),(8555,'Issue',474,7,''),(8556,'Issue',474,3,'Detects multiple suspicious process in a limited timeframe'),(8557,'Issue',474,4,''),(8558,'Issue',474,5,'_False Positives_\nFalse positives depend on scripts and administrative tools used in the monitored environment'),(8559,'Issue',474,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line:(\"arp.exe\" OR \"at.exe\" OR \"attrib.exe\" OR \"cscript.exe\" OR \"dsquery.exe\" OR \"hostname.exe\" OR \"ipconfig.exe\" OR \"mimikatz.exe\" OR \"nbtstat.exe\" OR \"net.exe\" OR \"netsh.exe\" OR \"nslookup.exe\" OR \"ping.exe\" OR \"quser.exe\" OR \"qwinsta.exe\" OR \"reg.exe\" OR \"runas.exe\" OR \"sc.exe\" OR \"schtasks.exe\" OR \"ssh.exe\" OR \"systeminfo.exe\" OR \"taskkill.exe\" OR \"telnet.exe\" OR \"tracert.exe\" OR \"wscript.exe\" OR \"xcopy.exe\" OR \"pscp.exe\" OR \"copy.exe\" OR \"robocopy.exe\" OR \"certutil.exe\" OR \"vssadmin.exe\" OR \"powershell.exe\" OR \"wevtutil.exe\" OR \"psexec.exe\" OR \"bcedit.exe\" OR \"wbadmin.exe\" OR \"icacls.exe\" OR \"diskpart.exe\"))\nindex: so-*\nmax_threshold: 5\nmetric_agg_key: _id\nmetric_agg_type: cardinality\nname: Quick Execution of a Series of Suspicious Commands\npriority: 4\nquery_key: MachineName.keyword\nrealert:\n minutes: 0\ntype: metric_aggregation\n
\n}}'),(8560,'Issue',474,9,'{{collapse(View Sigma)\n\n\ntitle: Quick Execution of a Series of Suspicious Commands\nid: 61ab5496-748e-4818-a92f-de78e20fe7f1\ndescription: Detects multiple suspicious process in a limited timeframe\nstatus: experimental\nreferences:\n- https://car.mitre.org/wiki/CAR-2013-04-002\nauthor: juju4\ndate: 2019/01/16\ntags:\n- car.2013-04-002\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n CommandLine:\n - arp.exe\n - at.exe\n - attrib.exe\n - cscript.exe\n - dsquery.exe\n - hostname.exe\n - ipconfig.exe\n - mimikatz.exe\n - nbtstat.exe\n - net.exe\n - netsh.exe\n - nslookup.exe\n - ping.exe\n - quser.exe\n - qwinsta.exe\n - reg.exe\n - runas.exe\n - sc.exe\n - schtasks.exe\n - ssh.exe\n - systeminfo.exe\n - taskkill.exe\n - telnet.exe\n - tracert.exe\n - wscript.exe\n - xcopy.exe\n - pscp.exe\n - copy.exe\n - robocopy.exe\n - certutil.exe\n - vssadmin.exe\n - powershell.exe\n - wevtutil.exe\n - psexec.exe\n - bcedit.exe\n - wbadmin.exe\n - icacls.exe\n - diskpart.exe\n timeframe: 5m\n condition: selection | count() by MachineName > 5\nfalsepositives:\n- False positives depend on scripts and administrative tools used in the monitored\n environment\nlevel: low\n\n
\n}}'),(8561,'Issue',475,1,'Windows Network Enumeration'),(8562,'Issue',475,2,'Endgame, JHasenbusch (ported for oscd.community)'),(8563,'Issue',475,8,'https://eqllib.readthedocs.io/en/latest/analytics/b8a94d2f-dc75-4630-9d73-1edc6bd26fff.html\nhttps://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1018/T1018.yaml'),(8564,'Issue',475,10,'low'),(8565,'Issue',475,13,'community'),(8566,'Issue',475,14,'windows'),(8568,'Issue',475,11,'bbe12b620'),(8569,'Issue',475,12,'62510e69-616b-4078-b371-847da438cc03'),(8570,'Issue',475,16,'win-proc'),(8571,'Issue',475,17,''),(8572,'Issue',475,7,''),(8573,'Issue',475,3,'Identifies attempts to enumerate hosts in a network using the built-in Windows net.exe tool.'),(8574,'Issue',475,4,''),(8575,'Issue',475,5,'_False Positives_\nLegitimate use of net.exe utility by legitimate user\n\n_Interesting Log Fields_\nComputerName\nUser\nCommandLine'),(8576,'Issue',475,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (process.executable.keyword:(*\\\\net.exe OR *\\\\net1.exe) AND process.command_line.keyword:*view*) AND (NOT (process.command_line.keyword:*\\\\*)))\nindex: so-*\nname: Windows Network Enumeration\npriority: 4\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(8577,'Issue',475,9,'{{collapse(View Sigma)\n\n\ntitle: Windows Network Enumeration\nid: 62510e69-616b-4078-b371-847da438cc03\nstatus: stable\ndescription: Identifies attempts to enumerate hosts in a network using the built-in\n Windows net.exe tool.\nreferences:\n- https://eqllib.readthedocs.io/en/latest/analytics/b8a94d2f-dc75-4630-9d73-1edc6bd26fff.html\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1018/T1018.yaml\nauthor: Endgame, JHasenbusch (ported for oscd.community)\ndate: 2018/10/30\nmodified: 2019/11/11\ntags:\n- attack.discovery\n- attack.t1018\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n Image|endswith:\n - \\net.exe\n - \\net1.exe\n CommandLine|contains: view\n filter:\n CommandLine|contains: \\\\\n condition: selection and not filter\nfields:\n- ComputerName\n- User\n- CommandLine\nfalsepositives:\n- Legitimate use of net.exe utility by legitimate user\nlevel: low\n\n
\n}}'),(8578,'Issue',475,15,'T1018'),(8579,'Issue',476,1,'Net.exe User Account Creation'),(8580,'Issue',476,2,'Endgame, JHasenbusch (adapted to sigma for oscd.community)'),(8581,'Issue',476,8,'https://eqllib.readthedocs.io/en/latest/analytics/014c3f51-89c6-40f1-ac9c-5688f26090ab.html\nhttps://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136/T1136.yaml'),(8582,'Issue',476,10,'medium'),(8583,'Issue',476,13,'community'),(8584,'Issue',476,14,'windows'),(8586,'Issue',476,11,'c9bfceef1'),(8587,'Issue',476,12,'cd219ff3-fa99-45d4-8380-a7d15116c6dc'),(8588,'Issue',476,16,'win-proc'),(8589,'Issue',476,17,''),(8590,'Issue',476,7,''),(8591,'Issue',476,3,'Identifies creation of local users via the net.exe command'),(8592,'Issue',476,4,''),(8593,'Issue',476,5,'_False Positives_\nLegit user creation\nBetter use event ids for user creation rather than command line rules\n\n_Interesting Log Fields_\nComputerName\nUser\nCommandLine'),(8594,'Issue',476,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:(*\\\\net.exe OR *\\\\net1.exe) AND process.command_line.keyword:*user* AND process.command_line.keyword:*add*)\nindex: so-*\nname: Net.exe User Account Creation\npriority: 3\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(8595,'Issue',476,9,'{{collapse(View Sigma)\n\n\ntitle: Net.exe User Account Creation\nid: cd219ff3-fa99-45d4-8380-a7d15116c6dc\nstatus: experimental\ndescription: Identifies creation of local users via the net.exe command\nreferences:\n- https://eqllib.readthedocs.io/en/latest/analytics/014c3f51-89c6-40f1-ac9c-5688f26090ab.html\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136/T1136.yaml\nauthor: Endgame, JHasenbusch (adapted to sigma for oscd.community)\ndate: 2018/10/30\nmodified: 2019/11/11\ntags:\n- attack.persistence\n- attack.credential_access\n- attack.t1136\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n Image|endswith:\n - \\net.exe\n - \\net1.exe\n CommandLine|contains|all:\n - user\n - add\n condition: selection\nfields:\n- ComputerName\n- User\n- CommandLine\nfalsepositives:\n- Legit user creation\n- Better use event ids for user creation rather than command line rules\nlevel: medium\n\n
\n}}'),(8596,'Issue',476,15,'T1136'),(8597,'Issue',477,1,'Netsh'),(8598,'Issue',477,2,'Markus Neis'),(8599,'Issue',477,8,'https://attack.mitre.org/software/S0246/ (Lazarus HARDRAIN)\nhttps://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-RAT-and-Staging-Report.pdf'),(8600,'Issue',477,10,'medium'),(8601,'Issue',477,13,'community'),(8602,'Issue',477,14,'windows'),(8604,'Issue',477,11,'bdbaabb5e'),(8605,'Issue',477,12,'cd5cfd80-aa5f-44c0-9c20-108c4ae12e3c'),(8606,'Issue',477,16,'win-proc'),(8607,'Issue',477,17,''),(8608,'Issue',477,7,''),(8609,'Issue',477,3,'Allow Incoming Connections by Port or Application on Windows Firewall'),(8610,'Issue',477,4,''),(8611,'Issue',477,5,'_False Positives_\nLegitimate administration'),(8612,'Issue',477,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(*netsh\\ firewall\\ add*))\nindex: so-*\nname: Netsh\npriority: 3\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(8613,'Issue',477,9,'{{collapse(View Sigma)\n\n\ntitle: Netsh\nid: cd5cfd80-aa5f-44c0-9c20-108c4ae12e3c\ndescription: Allow Incoming Connections by Port or Application on Windows Firewall\nreferences:\n- https://attack.mitre.org/software/S0246/ (Lazarus HARDRAIN)\n- https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-RAT-and-Staging-Report.pdf\ndate: 2019/01/29\ntags:\n- attack.lateral_movement\n- attack.command_and_control\n- attack.t1090\nstatus: experimental\nauthor: Markus Neis\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n CommandLine:\n - \'*netsh firewall add*\'\n condition: selection\nfalsepositives:\n- Legitimate administration\nlevel: medium\n\n
\n}}'),(8614,'Issue',477,15,'T1090'),(8615,'Issue',478,1,'Capture a Network Trace with netsh.exe'),(8616,'Issue',478,2,'Kutepov Anton, oscd.community'),(8617,'Issue',478,8,'https://blogs.msdn.microsoft.com/canberrapfe/2012/03/30/capture-a-network-trace-without-installing-anything-capture-a-network-trace-of-a-reboot/'),(8618,'Issue',478,10,'medium'),(8619,'Issue',478,13,'community'),(8620,'Issue',478,14,'windows'),(8622,'Issue',478,11,'0b2f94184'),(8623,'Issue',478,12,'d3c3861d-c504-4c77-ba55-224ba82d0118'),(8624,'Issue',478,16,'win-proc'),(8625,'Issue',478,17,''),(8626,'Issue',478,7,''),(8627,'Issue',478,3,'Detects capture a network trace via netsh.exe trace functionality'),(8628,'Issue',478,4,''),(8629,'Issue',478,5,'_False Positives_\nLegitimate administrator or user uses netsh.exe trace functionality for legitimate reason'),(8630,'Issue',478,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:*netsh* AND process.command_line.keyword:*trace* AND process.command_line.keyword:*start*)\nindex: so-*\nname: Capture a Network Trace with netsh.exe\npriority: 3\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(8631,'Issue',478,9,'{{collapse(View Sigma)\n\n\ntitle: Capture a Network Trace with netsh.exe\nid: d3c3861d-c504-4c77-ba55-224ba82d0118\nstatus: experimental\ndescription: Detects capture a network trace via netsh.exe trace functionality\nreferences:\n- https://blogs.msdn.microsoft.com/canberrapfe/2012/03/30/capture-a-network-trace-without-installing-anything-capture-a-network-trace-of-a-reboot/\nauthor: Kutepov Anton, oscd.community\ndate: 2019/10/24\ntags:\n- attack.discovery\n- attack.t1040\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n CommandLine|contains|all:\n - netsh\n - trace\n - start\n condition: selection\nfalsepositives:\n- Legitimate administrator or user uses netsh.exe trace functionality for legitimate\n reason\nlevel: medium\n\n
\n}}'),(8632,'Issue',478,15,'T1040'),(8633,'Issue',479,1,'Netsh Port Forwarding'),(8634,'Issue',479,2,'Florian Roth'),(8635,'Issue',479,8,'https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html'),(8636,'Issue',479,10,'medium'),(8637,'Issue',479,13,'community'),(8638,'Issue',479,14,'windows'),(8640,'Issue',479,11,'6c81001f0'),(8641,'Issue',479,12,'322ed9ec-fcab-4f67-9a34-e7c6aef43614'),(8642,'Issue',479,16,'win-proc'),(8643,'Issue',479,17,''),(8644,'Issue',479,7,''),(8645,'Issue',479,3,'Detects netsh commands that configure a port forwarding'),(8646,'Issue',479,4,''),(8647,'Issue',479,5,'_False Positives_\nLegitimate administration'),(8648,'Issue',479,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(netsh\\ interface\\ portproxy\\ add\\ v4tov4\\ *))\nindex: so-*\nname: Netsh Port Forwarding\npriority: 3\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(8649,'Issue',479,9,'{{collapse(View Sigma)\n\n\ntitle: Netsh Port Forwarding\nid: 322ed9ec-fcab-4f67-9a34-e7c6aef43614\ndescription: Detects netsh commands that configure a port forwarding\nreferences:\n- https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html\ndate: 2019/01/29\ntags:\n- attack.lateral_movement\n- attack.command_and_control\n- attack.t1090\nstatus: experimental\nauthor: Florian Roth\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n CommandLine:\n - netsh interface portproxy add v4tov4 *\n condition: selection\nfalsepositives:\n- Legitimate administration\nlevel: medium\n\n
\n}}'),(8650,'Issue',479,15,'T1090'),(8651,'Issue',480,1,'Netsh RDP Port Forwarding'),(8652,'Issue',480,2,'Florian Roth'),(8653,'Issue',480,8,'https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html'),(8654,'Issue',480,10,'high'),(8655,'Issue',480,13,'community'),(8656,'Issue',480,14,'windows'),(8658,'Issue',480,11,'e26d39913'),(8659,'Issue',480,12,'782d6f3e-4c5d-4b8c-92a3-1d05fed72e63'),(8660,'Issue',480,16,'win-proc'),(8661,'Issue',480,17,''),(8662,'Issue',480,7,''),(8663,'Issue',480,3,'Detects netsh commands that configure a port forwarding of port 3389 used for RDP'),(8664,'Issue',480,4,''),(8665,'Issue',480,5,'_False Positives_\nLegitimate administration'),(8666,'Issue',480,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(netsh\\ i*\\ p*\\=3389\\ c*))\nindex: so-*\nname: Netsh RDP Port Forwarding\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(8667,'Issue',480,9,'{{collapse(View Sigma)\n\n\ntitle: Netsh RDP Port Forwarding\nid: 782d6f3e-4c5d-4b8c-92a3-1d05fed72e63\ndescription: Detects netsh commands that configure a port forwarding of port 3389\n used for RDP\nreferences:\n- https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html\ndate: 2019/01/29\ntags:\n- attack.lateral_movement\n- attack.t1021\n- car.2013-07-002\nstatus: experimental\nauthor: Florian Roth\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n CommandLine:\n - netsh i* p*=3389 c*\n condition: selection\nfalsepositives:\n- Legitimate administration\nlevel: high\n\n
\n}}'),(8668,'Issue',480,15,'T1021'),(8669,'Issue',481,1,'Network Sniffing'),(8670,'Issue',481,2,'Timur Zinniatullin, oscd.community'),(8671,'Issue',481,8,'https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.yaml'),(8672,'Issue',481,10,'low'),(8673,'Issue',481,13,'community'),(8674,'Issue',481,14,'windows'),(8676,'Issue',481,11,'94c26afa0'),(8677,'Issue',481,12,'ba1f7802-adc7-48b4-9ecb-81e227fddfd5'),(8678,'Issue',481,16,'win-proc'),(8679,'Issue',481,17,''),(8680,'Issue',481,7,''),(8681,'Issue',481,3,'Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.'),(8682,'Issue',481,4,''),(8683,'Issue',481,5,'_False Positives_\nAdmin activity\n\n_Interesting Log Fields_\nImage\nCommandLine\nUser\nLogonGuid\nHashes\nParentProcessGuid\nParentCommandLine'),(8684,'Issue',481,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND ((process.executable.keyword:*\\\\tshark.exe AND process.command_line.keyword:*\\-i*) OR process.executable.keyword:*\\\\windump.exe))\nindex: so-*\nname: Network Sniffing\npriority: 4\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(8685,'Issue',481,9,'{{collapse(View Sigma)\n\n\ntitle: Network Sniffing\nid: ba1f7802-adc7-48b4-9ecb-81e227fddfd5\nstatus: experimental\ndescription: Network sniffing refers to using the network interface on a system to\n monitor or capture information sent over a wired or wireless connection. An adversary\n may place a network interface into promiscuous mode to passively access data in\n transit over the network, or use span ports to capture a larger amount of data.\nauthor: Timur Zinniatullin, oscd.community\ndate: 2019/10/21\nmodified: 2019/11/04\nreferences:\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.yaml\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n - Image|endswith: \\tshark.exe\n CommandLine|contains: -i\n - Image|endswith: \\windump.exe\n condition: selection\nfalsepositives:\n- Admin activity\nfields:\n- Image\n- CommandLine\n- User\n- LogonGuid\n- Hashes\n- ParentProcessGuid\n- ParentCommandLine\nlevel: low\ntags:\n- attack.credential_access\n- attack.discovery\n- attack.t1040\n\n
\n}}'),(8686,'Issue',481,15,'T1040'),(8687,'Issue',482,1,'New Service Creation'),(8688,'Issue',482,2,'Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community'),(8689,'Issue',482,8,'https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1050/T1050.yaml'),(8690,'Issue',482,10,'low'),(8691,'Issue',482,13,'community'),(8692,'Issue',482,14,'windows'),(8694,'Issue',482,11,'6d821e19d'),(8695,'Issue',482,12,'7fe71fc9-de3b-432a-8d57-8c809efc10ab'),(8696,'Issue',482,16,'win-proc'),(8697,'Issue',482,17,''),(8698,'Issue',482,7,''),(8699,'Issue',482,3,'Detects creation if a new service'),(8700,'Issue',482,4,''),(8701,'Issue',482,5,'_False Positives_\nLegitimate administrator or user creates a service for legitimate reason'),(8702,'Issue',482,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND ((process.executable.keyword:*\\\\sc.exe AND process.command_line.keyword:*create* AND process.command_line.keyword:*binpath*) OR (process.executable.keyword:*\\\\powershell.exe AND process.command_line.keyword:*new\\-service*)))\nindex: so-*\nname: New Service Creation\npriority: 4\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(8703,'Issue',482,9,'{{collapse(View Sigma)\n\n\ntitle: New Service Creation\nid: 7fe71fc9-de3b-432a-8d57-8c809efc10ab\nstatus: experimental\ndescription: Detects creation if a new service\nauthor: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community\ndate: 2019/10/21\nmodified: 2019/11/04\ntags:\n- attack.persistence\n- attack.privilege_escalation\n- attack.t1050\nreferences:\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1050/T1050.yaml\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n - Image|endswith: \\sc.exe\n CommandLine|contains|all:\n - create\n - binpath\n - Image|endswith: \\powershell.exe\n CommandLine|contains: new-service\n condition: selection\nfalsepositives:\n- Legitimate administrator or user creates a service for legitimate reason\nlevel: low\n\n
\n}}'),(8704,'Issue',482,15,'T1050'),(8705,'Issue',483,1,'Non Interactive PowerShell'),(8706,'Issue',483,2,'Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements)'),(8707,'Issue',483,8,'https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/basic_powershell_execution.md'),(8708,'Issue',483,10,'medium'),(8709,'Issue',483,13,'community'),(8710,'Issue',483,14,'windows'),(8712,'Issue',483,11,'1e5e14278'),(8713,'Issue',483,12,'f4bbd493-b796-416e-bbf2-121235348529'),(8714,'Issue',483,16,'win-proc'),(8715,'Issue',483,17,''),(8716,'Issue',483,7,''),(8717,'Issue',483,3,'Detects non-interactive PowerShell activity by looking at powershell.exe with not explorer.exe as a parent.'),(8718,'Issue',483,4,''),(8719,'Issue',483,5,'_False Positives_\nLegitimate programs executing PowerShell scripts'),(8720,'Issue',483,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\powershell.exe AND (NOT (process.parent.executable.keyword:*\\\\explorer.exe)))\nindex: so-*\nname: Non Interactive PowerShell\npriority: 3\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(8721,'Issue',483,9,'{{collapse(View Sigma)\n\n\ntitle: Non Interactive PowerShell\nid: f4bbd493-b796-416e-bbf2-121235348529\ndescription: Detects non-interactive PowerShell activity by looking at powershell.exe\n with not explorer.exe as a parent.\nstatus: experimental\ndate: 2019/09/12\nmodified: 2019/11/10\nauthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements)\nreferences:\n- https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/basic_powershell_execution.md\ntags:\n- attack.execution\n- attack.t1086\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n Image|endswith: \\powershell.exe\n filter:\n ParentImage|endswith: \\explorer.exe\n condition: selection and not filter\nfalsepositives:\n- Legitimate programs executing PowerShell scripts\nlevel: medium\n\n
\n}}'),(8722,'Issue',483,15,'T1086'),(8723,'Issue',484,1,'Microsoft Office Product Spawning Windows Shell'),(8724,'Issue',484,2,'Michael Haag, Florian Roth, Markus Neis'),(8725,'Issue',484,8,'https://www.hybrid-analysis.com/sample/465aabe132ccb949e75b8ab9c5bda36d80cf2fd503d52b8bad54e295f28bbc21?environmentId=100\nhttps://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html'),(8726,'Issue',484,10,'high'),(8727,'Issue',484,13,'community'),(8728,'Issue',484,14,'windows'),(8730,'Issue',484,11,'6393d359f'),(8731,'Issue',484,12,'438025f9-5856-4663-83f7-52f878a70a50'),(8732,'Issue',484,16,'win-proc'),(8733,'Issue',484,17,''),(8734,'Issue',484,7,''),(8735,'Issue',484,3,'Detects a Windows command line executable started from Microsoft Word, Excel, Powerpoint, Publisher and Visio.'),(8736,'Issue',484,4,''),(8737,'Issue',484,5,'_False Positives_\nunknown\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(8738,'Issue',484,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.parent.executable.keyword:(*\\\\WINWORD.EXE OR *\\\\EXCEL.EXE OR *\\\\POWERPNT.exe OR *\\\\MSPUB.exe OR *\\\\VISIO.exe OR *\\\\OUTLOOK.EXE) AND process.executable.keyword:(*\\\\cmd.exe OR *\\\\powershell.exe OR *\\\\wscript.exe OR *\\\\cscript.exe OR *\\\\sh.exe OR *\\\\bash.exe OR *\\\\scrcons.exe OR *\\\\schtasks.exe OR *\\\\regsvr32.exe OR *\\\\hh.exe OR *\\\\wmic.exe OR *\\\\mshta.exe OR *\\\\rundll32.exe OR *\\\\msiexec.exe OR *\\\\forfiles.exe OR *\\\\scriptrunner.exe OR *\\\\mftrace.exe OR *\\\\AppVLP.exe OR *\\\\svchost.exe))\nindex: so-*\nname: Microsoft Office Product Spawning Windows Shell\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(8739,'Issue',484,9,'{{collapse(View Sigma)\n\n\ntitle: Microsoft Office Product Spawning Windows Shell\nid: 438025f9-5856-4663-83f7-52f878a70a50\nstatus: experimental\ndescription: Detects a Windows command line executable started from Microsoft Word,\n Excel, Powerpoint, Publisher and Visio.\nreferences:\n- https://www.hybrid-analysis.com/sample/465aabe132ccb949e75b8ab9c5bda36d80cf2fd503d52b8bad54e295f28bbc21?environmentId=100\n- https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html\ntags:\n- attack.execution\n- attack.defense_evasion\n- attack.t1059\n- attack.t1202\n- car.2013-02-003\n- car.2014-04-003\nauthor: Michael Haag, Florian Roth, Markus Neis\ndate: 2018/04/06\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n ParentImage:\n - \'*\\WINWORD.EXE\'\n - \'*\\EXCEL.EXE\'\n - \'*\\POWERPNT.exe\'\n - \'*\\MSPUB.exe\'\n - \'*\\VISIO.exe\'\n - \'*\\OUTLOOK.EXE\'\n Image:\n - \'*\\cmd.exe\'\n - \'*\\powershell.exe\'\n - \'*\\wscript.exe\'\n - \'*\\cscript.exe\'\n - \'*\\sh.exe\'\n - \'*\\bash.exe\'\n - \'*\\scrcons.exe\'\n - \'*\\schtasks.exe\'\n - \'*\\regsvr32.exe\'\n - \'*\\hh.exe\'\n - \'*\\wmic.exe\'\n - \'*\\mshta.exe\'\n - \'*\\rundll32.exe\'\n - \'*\\msiexec.exe\'\n - \'*\\forfiles.exe\'\n - \'*\\scriptrunner.exe\'\n - \'*\\mftrace.exe\'\n - \'*\\AppVLP.exe\'\n - \'*\\svchost.exe\'\n condition: selection\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- unknown\nlevel: high\n\n
\n}}'),(8740,'Issue',484,15,'T1059'),(8741,'Issue',484,15,'T1202'),(8742,'Issue',485,1,'MS Office Product Spawning Exe in User Dir'),(8743,'Issue',485,2,'Jason Lynch'),(8744,'Issue',485,8,'sha256=23160972c6ae07f740800fa28e421a81d7c0ca5d5cab95bc082b4a986fbac57c\nhttps://blog.morphisec.com/fin7-not-finished-morphisec-spots-new-campaign'),(8745,'Issue',485,10,'high'),(8746,'Issue',485,13,'community'),(8747,'Issue',485,14,'windows'),(8749,'Issue',485,11,'73473d045'),(8750,'Issue',485,12,'aa3a6f94-890e-4e22-b634-ffdfd54792cc'),(8751,'Issue',485,16,'win-proc'),(8752,'Issue',485,17,''),(8753,'Issue',485,7,''),(8754,'Issue',485,3,'Detects an executable in the users directory started from Microsoft Word, Excel, Powerpoint, Publisher or Visio'),(8755,'Issue',485,4,''),(8756,'Issue',485,5,'_False Positives_\nunknown\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(8757,'Issue',485,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.parent.executable.keyword:(*\\\\WINWORD.EXE OR *\\\\EXCEL.EXE OR *\\\\POWERPNT.exe OR *\\\\MSPUB.exe OR *\\\\VISIO.exe OR *\\\\OUTLOOK.EXE) AND process.executable.keyword:(C\\:\\\\users\\\\*.exe))\nindex: so-*\nname: MS Office Product Spawning Exe in User Dir\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(8758,'Issue',485,9,'{{collapse(View Sigma)\n\n\ntitle: MS Office Product Spawning Exe in User Dir\nid: aa3a6f94-890e-4e22-b634-ffdfd54792cc\nstatus: experimental\ndescription: Detects an executable in the users directory started from Microsoft Word,\n Excel, Powerpoint, Publisher or Visio\nreferences:\n- sha256=23160972c6ae07f740800fa28e421a81d7c0ca5d5cab95bc082b4a986fbac57c\n- https://blog.morphisec.com/fin7-not-finished-morphisec-spots-new-campaign\ntags:\n- attack.execution\n- attack.defense_evasion\n- attack.t1059\n- attack.t1202\n- FIN7\n- car.2013-05-002\nauthor: Jason Lynch\ndate: 2019/04/02\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n ParentImage:\n - \'*\\WINWORD.EXE\'\n - \'*\\EXCEL.EXE\'\n - \'*\\POWERPNT.exe\'\n - \'*\\MSPUB.exe\'\n - \'*\\VISIO.exe\'\n - \'*\\OUTLOOK.EXE\'\n Image:\n - C:\\users\\\\*.exe\n condition: selection\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- unknown\nlevel: high\n\n
\n}}'),(8759,'Issue',485,15,'T1059'),(8760,'Issue',485,15,'T1202'),(8761,'Issue',486,1,'Executable Used by PlugX in Uncommon Location'),(8762,'Issue',486,2,'Florian Roth'),(8763,'Issue',486,8,'http://www.hexacorn.com/blog/2016/03/10/beyond-good-ol-run-key-part-36/\nhttps://countuponsecurity.com/2017/06/07/threat-hunting-in-the-enterprise-with-appcompatprocessor/'),(8764,'Issue',486,10,'high'),(8765,'Issue',486,13,'community'),(8766,'Issue',486,14,'windows'),(8768,'Issue',486,11,'7c4ef5068'),(8769,'Issue',486,12,'aeab5ec5-be14-471a-80e8-e344418305c2'),(8770,'Issue',486,16,'win-proc'),(8771,'Issue',486,17,''),(8772,'Issue',486,7,''),(8773,'Issue',486,3,'Detects the execution of an executable that is typically used by PlugX for DLL side loading started from an uncommon location'),(8774,'Issue',486,4,''),(8775,'Issue',486,5,'_False Positives_\nUnknown\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(8776,'Issue',486,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND ((((((((((((process.executable.keyword:*\\\\CamMute.exe AND (NOT (process.executable.keyword:*\\\\Lenovo\\\\Communication\\ Utility\\\\*))) OR (process.executable.keyword:*\\\\chrome_frame_helper.exe AND (NOT (process.executable.keyword:*\\\\Google\\\\Chrome\\\\application\\\\*)))) OR (process.executable.keyword:*\\\\dvcemumanager.exe AND (NOT (process.executable.keyword:*\\\\Microsoft\\ Device\\ Emulator\\\\*)))) OR (process.executable.keyword:*\\\\Gadget.exe AND (NOT (process.executable.keyword:*\\\\Windows\\ Media\\ Player\\\\*)))) OR (process.executable.keyword:*\\\\hcc.exe AND (NOT (process.executable.keyword:*\\\\HTML\\ Help\\ Workshop\\\\*)))) OR (process.executable.keyword:*\\\\hkcmd.exe AND (NOT (process.executable.keyword:(*\\\\System32\\\\* OR *\\\\SysNative\\\\* OR *\\\\SysWowo64\\\\*))))) OR (process.executable.keyword:*\\\\Mc.exe AND (NOT (process.executable.keyword:(*\\\\Microsoft\\ Visual\\ Studio* OR *\\\\Microsoft\\ SDK* OR *\\\\Windows\\ Kit*))))) OR (process.executable.keyword:*\\\\MsMpEng.exe AND (NOT (process.executable.keyword:(*\\\\Microsoft\\ Security\\ Client\\\\* OR *\\\\Windows\\ Defender\\\\* OR *\\\\AntiMalware\\\\*))))) OR (process.executable.keyword:*\\\\msseces.exe AND (NOT (process.executable.keyword:(*\\\\Microsoft\\ Security\\ Center\\\\* OR *\\\\Microsoft\\ Security\\ Client\\\\* OR *\\\\Microsoft\\ Security\\ Essentials\\\\*))))) OR (process.executable.keyword:*\\\\OInfoP11.exe AND (NOT (process.executable.keyword:*\\\\Common\\ Files\\\\Microsoft\\ Shared\\\\*)))) OR (process.executable.keyword:*\\\\OleView.exe AND (NOT (process.executable.keyword:(*\\\\Microsoft\\ Visual\\ Studio* OR *\\\\Microsoft\\ SDK* OR *\\\\Windows\\ Kit* OR *\\\\Windows\\ Resource\\ Kit\\\\*))))) OR (process.executable.keyword:*\\\\rc.exe AND (NOT (process.executable.keyword:(*\\\\Microsoft\\ Visual\\ Studio* OR *\\\\Microsoft\\ SDK* OR *\\\\Windows\\ Kit* OR *\\\\Windows\\ Resource\\ Kit\\\\* OR *\\\\Microsoft.NET\\\\*))))))\nindex: so-*\nname: Executable Used by PlugX in Uncommon Location\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(8777,'Issue',486,9,'{{collapse(View Sigma)\n\n\ntitle: Executable Used by PlugX in Uncommon Location\nid: aeab5ec5-be14-471a-80e8-e344418305c2\nstatus: experimental\ndescription: Detects the execution of an executable that is typically used by PlugX\n for DLL side loading started from an uncommon location\nreferences:\n- http://www.hexacorn.com/blog/2016/03/10/beyond-good-ol-run-key-part-36/\n- https://countuponsecurity.com/2017/06/07/threat-hunting-in-the-enterprise-with-appcompatprocessor/\nauthor: Florian Roth\ndate: 2017/06/12\ntags:\n- attack.s0013\n- attack.defense_evasion\n- attack.t1073\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_cammute:\n Image: \'*\\CamMute.exe\'\n filter_cammute:\n Image: \'*\\Lenovo\\Communication Utility\\\\*\'\n selection_chrome_frame:\n Image: \'*\\chrome_frame_helper.exe\'\n filter_chrome_frame:\n Image: \'*\\Google\\Chrome\\application\\\\*\'\n selection_devemu:\n Image: \'*\\dvcemumanager.exe\'\n filter_devemu:\n Image: \'*\\Microsoft Device Emulator\\\\*\'\n selection_gadget:\n Image: \'*\\Gadget.exe\'\n filter_gadget:\n Image: \'*\\Windows Media Player\\\\*\'\n selection_hcc:\n Image: \'*\\hcc.exe\'\n filter_hcc:\n Image: \'*\\HTML Help Workshop\\\\*\'\n selection_hkcmd:\n Image: \'*\\hkcmd.exe\'\n filter_hkcmd:\n Image:\n - \'*\\System32\\\\*\'\n - \'*\\SysNative\\\\*\'\n - \'*\\SysWowo64\\\\*\'\n selection_mc:\n Image: \'*\\Mc.exe\'\n filter_mc:\n Image:\n - \'*\\Microsoft Visual Studio*\'\n - \'*\\Microsoft SDK*\'\n - \'*\\Windows Kit*\'\n selection_msmpeng:\n Image: \'*\\MsMpEng.exe\'\n filter_msmpeng:\n Image:\n - \'*\\Microsoft Security Client\\\\*\'\n - \'*\\Windows Defender\\\\*\'\n - \'*\\AntiMalware\\\\*\'\n selection_msseces:\n Image: \'*\\msseces.exe\'\n filter_msseces:\n Image:\n - \'*\\Microsoft Security Center\\\\*\'\n - \'*\\Microsoft Security Client\\\\*\'\n - \'*\\Microsoft Security Essentials\\\\*\'\n selection_oinfo:\n Image: \'*\\OInfoP11.exe\'\n filter_oinfo:\n Image: \'*\\Common Files\\Microsoft Shared\\\\*\'\n selection_oleview:\n Image: \'*\\OleView.exe\'\n filter_oleview:\n Image:\n - \'*\\Microsoft Visual Studio*\'\n - \'*\\Microsoft SDK*\'\n - \'*\\Windows Kit*\'\n - \'*\\Windows Resource Kit\\\\*\'\n selection_rc:\n Image: \'*\\rc.exe\'\n filter_rc:\n Image:\n - \'*\\Microsoft Visual Studio*\'\n - \'*\\Microsoft SDK*\'\n - \'*\\Windows Kit*\'\n - \'*\\Windows Resource Kit\\\\*\'\n - \'*\\Microsoft.NET\\\\*\'\n condition: ( selection_cammute and not filter_cammute ) or ( selection_chrome_frame\n and not filter_chrome_frame ) or ( selection_devemu and not filter_devemu ) or\n ( selection_gadget and not filter_gadget ) or ( selection_hcc and not filter_hcc\n ) or ( selection_hkcmd and not filter_hkcmd ) or ( selection_mc and not filter_mc\n ) or ( selection_msmpeng and not filter_msmpeng ) or ( selection_msseces and not\n filter_msseces ) or ( selection_oinfo and not filter_oinfo ) or ( selection_oleview\n and not filter_oleview ) or ( selection_rc and not filter_rc )\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(8778,'Issue',486,15,'T1073'),(8779,'Issue',487,1,'Possible Applocker Bypass'),(8780,'Issue',487,2,'juju4'),(8781,'Issue',487,8,'https://github.com/subTee/ApplicationWhitelistBypassTechniques/blob/master/TheList.txt\nhttps://room362.com/post/2014/2014-01-16-application-whitelist-bypass-using-ieexec-dot-exe/'),(8782,'Issue',487,10,'low'),(8783,'Issue',487,13,'community'),(8784,'Issue',487,14,'windows'),(8786,'Issue',487,11,'d4a0bad42'),(8787,'Issue',487,12,'82a19e3a-2bfe-4a91-8c0d-5d4c98fbb719'),(8788,'Issue',487,16,'win-proc'),(8789,'Issue',487,17,''),(8790,'Issue',487,7,''),(8791,'Issue',487,3,'Detects execution of executables that can be used to bypass Applocker whitelisting'),(8792,'Issue',487,4,''),(8793,'Issue',487,5,'_False Positives_\nFalse positives depend on scripts and administrative tools used in the monitored environment\nUsing installutil to add features for .NET applications (primarly would occur in developer environments)'),(8794,'Issue',487,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(*\\\\msdt.exe* OR *\\\\installutil.exe* OR *\\\\regsvcs.exe* OR *\\\\regasm.exe* OR *\\\\msbuild.exe* OR *\\\\ieexec.exe*))\nindex: so-*\nname: Possible Applocker Bypass\npriority: 4\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(8795,'Issue',487,9,'{{collapse(View Sigma)\n\n\ntitle: Possible Applocker Bypass\nid: 82a19e3a-2bfe-4a91-8c0d-5d4c98fbb719\ndescription: Detects execution of executables that can be used to bypass Applocker\n whitelisting\nstatus: experimental\nreferences:\n- https://github.com/subTee/ApplicationWhitelistBypassTechniques/blob/master/TheList.txt\n- https://room362.com/post/2014/2014-01-16-application-whitelist-bypass-using-ieexec-dot-exe/\nauthor: juju4\ndate: 2019/01/16\ntags:\n- attack.defense_evasion\n- attack.t1118\n- attack.t1121\n- attack.t1127\n- attack.t1170\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n CommandLine|contains:\n - \\msdt.exe\n - \\installutil.exe\n - \\regsvcs.exe\n - \\regasm.exe\n - \\msbuild.exe\n - \\ieexec.exe\n condition: selection\nfalsepositives:\n- False positives depend on scripts and administrative tools used in the monitored\n environment\n- Using installutil to add features for .NET applications (primarly would occur in\n developer environments)\nlevel: low\n\n
\n}}'),(8796,'Issue',487,15,'T1118'),(8797,'Issue',487,15,'T1121'),(8798,'Issue',487,15,'T1127'),(8799,'Issue',487,15,'T1170'),(8800,'Issue',488,1,'Detection of Possible Rotten Potato'),(8801,'Issue',488,2,'Teymur Kheirkhabarov'),(8802,'Issue',488,8,'https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment\nhttps://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/'),(8803,'Issue',488,10,'high'),(8804,'Issue',488,13,'community'),(8805,'Issue',488,14,'windows'),(8807,'Issue',488,11,'c3d4efb18'),(8808,'Issue',488,12,'6c5808ee-85a2-4e56-8137-72e5876a5096'),(8809,'Issue',488,16,'win-proc'),(8810,'Issue',488,17,''),(8811,'Issue',488,7,''),(8812,'Issue',488,3,'Detection of child processes spawned with SYSTEM privileges by parents with LOCAL SERVICE or NETWORK SERVICE privileges'),(8813,'Issue',488,4,''),(8814,'Issue',488,5,'_False Positives_\nUnknown'),(8815,'Issue',488,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (ParentUser:(\"NT\\ AUTHORITY\\\\NETWORK\\ SERVICE\" OR \"NT\\ AUTHORITY\\\\LOCAL\\ SERVICE\") AND event_data.User:\"NT\\ AUTHORITY\\\\SYSTEM\") AND (NOT (process.executable.keyword:*\\\\rundll32.exe AND process.command_line.keyword:*DavSetCookie*)))\nindex: so-*\nname: Detection of Possible Rotten Potato\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(8816,'Issue',488,9,'{{collapse(View Sigma)\n\n\ntitle: Detection of Possible Rotten Potato\nid: 6c5808ee-85a2-4e56-8137-72e5876a5096\ndescription: Detection of child processes spawned with SYSTEM privileges by parents\n with LOCAL SERVICE or NETWORK SERVICE privileges\nreferences:\n- https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment\n- https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/\ntags:\n- attack.privilege_escalation\n- attack.t1134\nstatus: experimental\nauthor: Teymur Kheirkhabarov\ndate: 2019/10/26\nmodified: 2019/11/11\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n ParentUser:\n - NT AUTHORITY\\NETWORK SERVICE\n - NT AUTHORITY\\LOCAL SERVICE\n User: NT AUTHORITY\\SYSTEM\n rundllexception:\n Image|endswith: \\rundll32.exe\n CommandLine|contains: DavSetCookie\n condition: selection and not rundllexception\nfalsepositives:\n- Unknown\nlevel: high\nenrichment:\n- EN_0001_cache_sysmon_event_id_1_info\n- EN_0002_enrich_sysmon_event_id_1_with_parent_info\n\n
\n}}'),(8817,'Issue',488,15,'T1134'),(8818,'Issue',489,1,'Powershell AMSI Bypass via .NET Reflection'),(8819,'Issue',489,2,'Markus Neis'),(8820,'Issue',489,8,'https://twitter.com/mattifestation/status/735261176745988096\nhttps://www.hybrid-analysis.com/sample/0ced17419e01663a0cd836c9c2eb925e3031ffb5b18ccf35f4dea5d586d0203e?environmentId=120'),(8821,'Issue',489,10,'high'),(8822,'Issue',489,13,'community'),(8823,'Issue',489,14,'windows'),(8825,'Issue',489,11,'b5bdb996a'),(8826,'Issue',489,12,'30edb182-aa75-42c0-b0a9-e998bb29067c'),(8827,'Issue',489,16,'win-proc'),(8828,'Issue',489,17,''),(8829,'Issue',489,7,''),(8830,'Issue',489,3,'Detects Request to amsiInitFailed that can be used to disable AMSI Scanning'),(8831,'Issue',489,4,''),(8832,'Issue',489,5,'_False Positives_\nPotential Admin Activity'),(8833,'Issue',489,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(*System.Management.Automation.AmsiUtils*) AND process.command_line.keyword:(*amsiInitFailed*))\nindex: so-*\nname: Powershell AMSI Bypass via .NET Reflection\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(8834,'Issue',489,9,'{{collapse(View Sigma)\n\n\ntitle: Powershell AMSI Bypass via .NET Reflection\nid: 30edb182-aa75-42c0-b0a9-e998bb29067c\nstatus: experimental\ndescription: Detects Request to amsiInitFailed that can be used to disable AMSI Scanning\nreferences:\n- https://twitter.com/mattifestation/status/735261176745988096\n- https://www.hybrid-analysis.com/sample/0ced17419e01663a0cd836c9c2eb925e3031ffb5b18ccf35f4dea5d586d0203e?environmentId=120\ntags:\n- attack.execution\n- attack.defense_evasion\n- attack.t1086\nauthor: Markus Neis\ndate: 2018/08/17\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection1:\n CommandLine:\n - \'*System.Management.Automation.AmsiUtils*\'\n selection2:\n CommandLine:\n - \'*amsiInitFailed*\'\n condition: selection1 and selection2\nfalsepositives:\n- Potential Admin Activity\nlevel: high\n\n
\n}}'),(8835,'Issue',489,15,'T1086'),(8836,'Issue',490,1,'Audio Capture via PowerShell'),(8837,'Issue',490,2,'E.M. Anhaus (orignally from Atomic Blue Detections, Endgame), oscd.community'),(8838,'Issue',490,8,'https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1123/T1123.yaml\nhttps://eqllib.readthedocs.io/en/latest/analytics/ab7a6ef4-0983-4275-a4f1-5c6bd3c31c23.html'),(8839,'Issue',490,10,'medium'),(8840,'Issue',490,13,'community'),(8841,'Issue',490,14,'windows'),(8843,'Issue',490,11,'7f4dc80d2'),(8844,'Issue',490,12,'932fb0d8-692b-4b0f-a26e-5643a50fe7d6'),(8845,'Issue',490,16,'win-proc'),(8846,'Issue',490,17,''),(8847,'Issue',490,7,''),(8848,'Issue',490,3,'Detects audio capture via PowerShell Cmdlet'),(8849,'Issue',490,4,''),(8850,'Issue',490,5,'_False Positives_\nLegitimate audio capture by legitimate user'),(8851,'Issue',490,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:*WindowsAudioDevice\\-Powershell\\-Cmdlet*)\nindex: so-*\nname: Audio Capture via PowerShell\npriority: 3\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(8852,'Issue',490,9,'{{collapse(View Sigma)\n\n\ntitle: Audio Capture via PowerShell\nid: 932fb0d8-692b-4b0f-a26e-5643a50fe7d6\ndescription: Detects audio capture via PowerShell Cmdlet\nstatus: experimental\nauthor: E.M. Anhaus (orignally from Atomic Blue Detections, Endgame), oscd.community\ndate: 2019/10/24\nmodified: 2019/11/11\nreferences:\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1123/T1123.yaml\n- https://eqllib.readthedocs.io/en/latest/analytics/ab7a6ef4-0983-4275-a4f1-5c6bd3c31c23.html\ntags:\n- attack.collection\n- attack.t1123\ndetection:\n selection:\n CommandLine|contains: WindowsAudioDevice-Powershell-Cmdlet\n condition: selection\nfalsepositives:\n- Legitimate audio capture by legitimate user\nlevel: medium\nlogsource:\n category: process_creation\n product: windows\n\n
\n}}'),(8853,'Issue',490,15,'T1123'),(8854,'Issue',491,1,'PowerShell Base64 Encoded Shellcode'),(8855,'Issue',491,2,'Florian Roth'),(8856,'Issue',491,8,'https://twitter.com/cyb3rops/status/1063072865992523776'),(8857,'Issue',491,10,'critical'),(8858,'Issue',491,13,'community'),(8859,'Issue',491,14,'windows'),(8861,'Issue',491,11,'5d3447e7d'),(8862,'Issue',491,12,'2d117e49-e626-4c7c-bd1f-c3c0147774c8'),(8863,'Issue',491,16,'win-proc'),(8864,'Issue',491,17,''),(8865,'Issue',491,7,''),(8866,'Issue',491,3,'Detects Base64 encoded Shellcode'),(8867,'Issue',491,4,''),(8868,'Issue',491,5,'_False Positives_\nUnknown'),(8869,'Issue',491,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:*AAAAYInlM* AND process.command_line.keyword:(*OiCAAAAYInlM* OR *OiJAAAAYInlM*))\nindex: so-*\nname: PowerShell Base64 Encoded Shellcode\npriority: 1\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(8870,'Issue',491,9,'{{collapse(View Sigma)\n\n\ntitle: PowerShell Base64 Encoded Shellcode\nid: 2d117e49-e626-4c7c-bd1f-c3c0147774c8\ndescription: Detects Base64 encoded Shellcode\nstatus: experimental\nreferences:\n- https://twitter.com/cyb3rops/status/1063072865992523776\nauthor: Florian Roth\ndate: 2018/11/17\ntags:\n- attack.defense_evasion\n- attack.t1036\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection1:\n CommandLine: \'*AAAAYInlM*\'\n selection2:\n CommandLine:\n - \'*OiCAAAAYInlM*\'\n - \'*OiJAAAAYInlM*\'\n condition: selection1 and selection2\nfalsepositives:\n- Unknown\nlevel: critical\n\n
\n}}'),(8871,'Issue',491,15,'T1036'),(8872,'Issue',492,1,'Suspicious Bitsadmin Job via PowerShell'),(8873,'Issue',492,2,'Endgame, JHasenbusch (ported to sigma for oscd.community)'),(8874,'Issue',492,8,'https://eqllib.readthedocs.io/en/latest/analytics/ec5180c9-721a-460f-bddc-27539a284273.html\nhttps://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1197/T1197.md'),(8875,'Issue',492,10,'medium'),(8876,'Issue',492,13,'community'),(8877,'Issue',492,14,'windows'),(8879,'Issue',492,11,'8676c64ae'),(8880,'Issue',492,12,'f67dbfce-93bc-440d-86ad-a95ae8858c90'),(8881,'Issue',492,16,'win-proc'),(8882,'Issue',492,17,''),(8883,'Issue',492,7,''),(8884,'Issue',492,3,'Detect download by BITS jobs via PowerShell'),(8885,'Issue',492,4,''),(8886,'Issue',492,5,'_False Positives_\nUnknown\n\n_Interesting Log Fields_\nComputerName\nUser\nCommandLine'),(8887,'Issue',492,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\powershell.exe AND process.command_line.keyword:*Start\\-BitsTransfer*)\nindex: so-*\nname: Suspicious Bitsadmin Job via PowerShell\npriority: 3\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(8888,'Issue',492,9,'{{collapse(View Sigma)\n\n\ntitle: Suspicious Bitsadmin Job via PowerShell\nid: f67dbfce-93bc-440d-86ad-a95ae8858c90\nstatus: experimental\ndescription: Detect download by BITS jobs via PowerShell\nreferences:\n- https://eqllib.readthedocs.io/en/latest/analytics/ec5180c9-721a-460f-bddc-27539a284273.html\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1197/T1197.md\nauthor: Endgame, JHasenbusch (ported to sigma for oscd.community)\ndate: 2018/10/30\nmodified: 2019/11/11\ntags:\n- attack.defense_evasion\n- attack.persistence\n- attack.t1197\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n Image|endswith: \\powershell.exe\n CommandLine|contains: Start-BitsTransfer\n condition: selection\nfields:\n- ComputerName\n- User\n- CommandLine\nfalsepositives:\n- Unknown\nlevel: medium\n\n
\n}}'),(8889,'Issue',492,15,'T1197'),(8890,'Issue',493,1,'Detection of PowerShell Execution via DLL'),(8891,'Issue',493,2,'Markus Neis'),(8892,'Issue',493,8,'https://github.com/p3nt4/PowerShdll/blob/master/README.md'),(8893,'Issue',493,10,'high'),(8894,'Issue',493,13,'community'),(8895,'Issue',493,14,'windows'),(8897,'Issue',493,11,'35da2d6b7'),(8898,'Issue',493,12,'6812a10b-60ea-420c-832f-dfcc33b646ba'),(8899,'Issue',493,16,'win-proc'),(8900,'Issue',493,17,''),(8901,'Issue',493,7,''),(8902,'Issue',493,3,'Detects PowerShell Strings applied to rundllas seen in PowerShdll.dll'),(8903,'Issue',493,4,''),(8904,'Issue',493,5,'_False Positives_\nUnknown'),(8905,'Issue',493,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND (process.executable.keyword:(*\\\\rundll32.exe) OR process.pe.description.keyword:(*Windows\\-Hostprozess\\ \\(Rundll32\\)*)) AND process.command_line.keyword:(*Default.GetString* OR *FromBase64String*))\nindex: so-*\nname: Detection of PowerShell Execution via DLL\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(8906,'Issue',493,9,'{{collapse(View Sigma)\n\n\ntitle: Detection of PowerShell Execution via DLL\nid: 6812a10b-60ea-420c-832f-dfcc33b646ba\nstatus: experimental\ndescription: Detects PowerShell Strings applied to rundllas seen in PowerShdll.dll\nreferences:\n- https://github.com/p3nt4/PowerShdll/blob/master/README.md\ntags:\n- attack.execution\n- attack.t1086\n- car.2014-04-003\nauthor: Markus Neis\ndate: 2018/08/25\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection1:\n Image:\n - \'*\\rundll32.exe\'\n selection2:\n Description:\n - \'*Windows-Hostprozess (Rundll32)*\'\n selection3:\n CommandLine:\n - \'*Default.GetString*\'\n - \'*FromBase64String*\'\n condition: (selection1 or selection2) and selection3\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(8907,'Issue',493,15,'T1086'),(8908,'Issue',494,1,'PowerShell Downgrade Attack'),(8909,'Issue',494,2,'Harish Segar (rule)'),(8910,'Issue',494,8,'http://www.leeholmes.com/blog/2017/03/17/detecting-and-preventing-powershell-downgrade-attacks/'),(8911,'Issue',494,10,'medium'),(8912,'Issue',494,13,'community'),(8913,'Issue',494,14,'windows'),(8915,'Issue',494,11,'7dd8ab307'),(8916,'Issue',494,12,'b3512211-c67e-4707-bedc-66efc7848863'),(8917,'Issue',494,16,'win-proc'),(8918,'Issue',494,17,''),(8919,'Issue',494,7,''),(8920,'Issue',494,3,'Detects PowerShell downgrade attack by comparing the host versions with the actually used engine version 2.0'),(8921,'Issue',494,4,''),(8922,'Issue',494,5,'_False Positives_\nPenetration Test\nUnknown'),(8923,'Issue',494,6,'{{collapse(View ElastAlert Config)\n\n\n\n
\n}}'),(8924,'Issue',494,9,'{{collapse(View Sigma)\n\n\naction: global\ntitle: PowerShell Downgrade Attack\nid: b3512211-c67e-4707-bedc-66efc7848863\nrelated:\n- id: 6331d09b-4785-4c13-980f-f96661356249\n type: derived\nstatus: experimental\ndescription: Detects PowerShell downgrade attack by comparing the host versions with\n the actually used engine version 2.0\nreferences:\n- http://www.leeholmes.com/blog/2017/03/17/detecting-and-preventing-powershell-downgrade-attacks/\ntags:\n- attack.defense_evasion\n- attack.execution\n- attack.t1086\nauthor: Harish Segar (rule)\ndate: 2020/03/20\nfalsepositives:\n- Penetration Test\n- Unknown\nlevel: medium\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n CommandLine|contains:\n - \' -version 2 \'\n - \' -versio 2 \'\n - \' -versi 2 \'\n - \' -vers 2 \'\n - \' -ver 2 \'\n - \' -ve 2 \'\n Image|endswith: \\powershell.exe\n condition: selection\n\n
\n}}'),(8925,'Issue',494,15,'T1086'),(8926,'Issue',495,1,'PowerShell Download from URL'),(8927,'Issue',495,2,'Florian Roth'),(8928,'Issue',495,8,'none'),(8929,'Issue',495,10,'medium'),(8930,'Issue',495,13,'community'),(8931,'Issue',495,14,'windows'),(8933,'Issue',495,11,'0058be94d'),(8934,'Issue',495,12,'3b6ab547-8ec2-4991-b9d2-2b06702a48d7'),(8935,'Issue',495,16,'win-proc'),(8936,'Issue',495,17,''),(8937,'Issue',495,7,''),(8938,'Issue',495,3,'Detects a Powershell process that contains download commands in its command line string'),(8939,'Issue',495,4,''),(8940,'Issue',495,5,'_False Positives_\nunknown\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(8941,'Issue',495,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\powershell.exe AND process.command_line.keyword:(*new\\-object\\ system.net.webclient\\).downloadstring\\(* OR *new\\-object\\ system.net.webclient\\).downloadfile\\(* OR *new\\-object\\ net.webclient\\).downloadstring\\(* OR *new\\-object\\ net.webclient\\).downloadfile\\(*))\nindex: so-*\nname: PowerShell Download from URL\npriority: 3\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(8942,'Issue',495,9,'{{collapse(View Sigma)\n\n\ntitle: PowerShell Download from URL\nid: 3b6ab547-8ec2-4991-b9d2-2b06702a48d7\nstatus: experimental\ndescription: Detects a Powershell process that contains download commands in its command\n line string\nauthor: Florian Roth\ndate: 2019/01/16\ntags:\n- attack.t1086\n- attack.execution\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n Image: \'*\\powershell.exe\'\n CommandLine:\n - \'*new-object system.net.webclient).downloadstring(*\'\n - \'*new-object system.net.webclient).downloadfile(*\'\n - \'*new-object net.webclient).downloadstring(*\'\n - \'*new-object net.webclient).downloadfile(*\'\n condition: selection\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- unknown\nlevel: medium\n\n
\n}}'),(8943,'Issue',495,15,'T1086'),(8944,'Issue',496,1,'FromBase64String Command Line'),(8945,'Issue',496,2,'Florian Roth'),(8946,'Issue',496,8,'https://gist.github.com/Neo23x0/6af876ee72b51676c82a2db8d2cd3639'),(8947,'Issue',496,10,'high'),(8948,'Issue',496,13,'community'),(8949,'Issue',496,14,'windows'),(8951,'Issue',496,11,'9f0eefc93'),(8952,'Issue',496,12,'e32d4572-9826-4738-b651-95fa63747e8a'),(8953,'Issue',496,16,'win-proc'),(8954,'Issue',496,17,''),(8955,'Issue',496,7,''),(8956,'Issue',496,3,'Detects suspicious FromBase64String expressions in command line arguments'),(8957,'Issue',496,4,''),(8958,'Issue',496,5,'_False Positives_\nAdministrative script libraries'),(8959,'Issue',496,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:*\\:\\:FromBase64String\\(*)\nindex: so-*\nname: FromBase64String Command Line\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(8960,'Issue',496,9,'{{collapse(View Sigma)\n\n\ntitle: FromBase64String Command Line\nid: e32d4572-9826-4738-b651-95fa63747e8a\nstatus: experimental\ndescription: Detects suspicious FromBase64String expressions in command line arguments\nreferences:\n- https://gist.github.com/Neo23x0/6af876ee72b51676c82a2db8d2cd3639\nauthor: Florian Roth\ndate: 2020/01/29\ntags:\n- attack.t1027\n- attack.defense_evasion\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n CommandLine|contains: ::FromBase64String(\n condition: selection\nfalsepositives:\n- Administrative script libraries\nlevel: high\n\n
\n}}'),(8961,'Issue',496,15,'T1027'),(8962,'Issue',497,1,'Suspicious PowerShell Parameter Substring'),(8963,'Issue',497,2,'Florian Roth (rule), Daniel Bohannon (idea), Roberto Rodriguez (Fix)'),(8964,'Issue',497,8,'http://www.danielbohannon.com/blog-1/2017/3/12/powershell-execution-argument-obfuscation-how-it-can-make-detection-easier'),(8965,'Issue',497,10,'high'),(8966,'Issue',497,13,'community'),(8967,'Issue',497,14,'windows'),(8969,'Issue',497,11,'5e2eb5a76'),(8970,'Issue',497,12,'36210e0d-5b19-485d-a087-c096088885f0'),(8971,'Issue',497,16,'win-proc'),(8972,'Issue',497,17,''),(8973,'Issue',497,7,''),(8974,'Issue',497,3,'Detects suspicious PowerShell invocation with a parameter substring'),(8975,'Issue',497,4,''),(8976,'Issue',497,5,'_False Positives_\nPenetration tests'),(8977,'Issue',497,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:(*\\\\Powershell.exe) AND process.command_line:(\"\\ \\-windowstyle\\ h\\ \" OR \"\\ \\-windowstyl\\ h\" OR \"\\ \\-windowsty\\ h\" OR \"\\ \\-windowst\\ h\" OR \"\\ \\-windows\\ h\" OR \"\\ \\-windo\\ h\" OR \"\\ \\-wind\\ h\" OR \"\\ \\-win\\ h\" OR \"\\ \\-wi\\ h\" OR \"\\ \\-win\\ h\\ \" OR \"\\ \\-win\\ hi\\ \" OR \"\\ \\-win\\ hid\\ \" OR \"\\ \\-win\\ hidd\\ \" OR \"\\ \\-win\\ hidde\\ \" OR \"\\ \\-NoPr\\ \" OR \"\\ \\-NoPro\\ \" OR \"\\ \\-NoProf\\ \" OR \"\\ \\-NoProfi\\ \" OR \"\\ \\-NoProfil\\ \" OR \"\\ \\-nonin\\ \" OR \"\\ \\-nonint\\ \" OR \"\\ \\-noninte\\ \" OR \"\\ \\-noninter\\ \" OR \"\\ \\-nonintera\\ \" OR \"\\ \\-noninterac\\ \" OR \"\\ \\-noninteract\\ \" OR \"\\ \\-noninteracti\\ \" OR \"\\ \\-noninteractiv\\ \" OR \"\\ \\-ec\\ \" OR \"\\ \\-encodedComman\\ \" OR \"\\ \\-encodedComma\\ \" OR \"\\ \\-encodedComm\\ \" OR \"\\ \\-encodedCom\\ \" OR \"\\ \\-encodedCo\\ \" OR \"\\ \\-encodedC\\ \" OR \"\\ \\-encoded\\ \" OR \"\\ \\-encode\\ \" OR \"\\ \\-encod\\ \" OR \"\\ \\-enco\\ \" OR \"\\ \\-en\\ \"))\nindex: so-*\nname: Suspicious PowerShell Parameter Substring\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(8978,'Issue',497,9,'{{collapse(View Sigma)\n\n\ntitle: Suspicious PowerShell Parameter Substring\nid: 36210e0d-5b19-485d-a087-c096088885f0\nstatus: experimental\ndescription: Detects suspicious PowerShell invocation with a parameter substring\nreferences:\n- http://www.danielbohannon.com/blog-1/2017/3/12/powershell-execution-argument-obfuscation-how-it-can-make-detection-easier\ntags:\n- attack.execution\n- attack.t1086\nauthor: Florian Roth (rule), Daniel Bohannon (idea), Roberto Rodriguez (Fix)\ndate: 2019/01/16\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n Image:\n - \'*\\Powershell.exe\'\n CommandLine:\n - \' -windowstyle h \'\n - \' -windowstyl h\'\n - \' -windowsty h\'\n - \' -windowst h\'\n - \' -windows h\'\n - \' -windo h\'\n - \' -wind h\'\n - \' -win h\'\n - \' -wi h\'\n - \' -win h \'\n - \' -win hi \'\n - \' -win hid \'\n - \' -win hidd \'\n - \' -win hidde \'\n - \' -NoPr \'\n - \' -NoPro \'\n - \' -NoProf \'\n - \' -NoProfi \'\n - \' -NoProfil \'\n - \' -nonin \'\n - \' -nonint \'\n - \' -noninte \'\n - \' -noninter \'\n - \' -nonintera \'\n - \' -noninterac \'\n - \' -noninteract \'\n - \' -noninteracti \'\n - \' -noninteractiv \'\n - \' -ec \'\n - \' -encodedComman \'\n - \' -encodedComma \'\n - \' -encodedComm \'\n - \' -encodedCom \'\n - \' -encodedCo \'\n - \' -encodedC \'\n - \' -encoded \'\n - \' -encode \'\n - \' -encod \'\n - \' -enco \'\n - \' -en \'\n condition: selection\nfalsepositives:\n- Penetration tests\nlevel: high\n\n
\n}}'),(8979,'Issue',497,15,'T1086'),(8980,'Issue',498,1,'Suspicious XOR Encoded PowerShell Command Line'),(8981,'Issue',498,2,'Sami Ruohonen'),(8982,'Issue',498,8,'none'),(8983,'Issue',498,10,'medium'),(8984,'Issue',498,13,'community'),(8985,'Issue',498,14,'windows'),(8987,'Issue',498,11,'4d93efac2'),(8988,'Issue',498,12,'bb780e0c-16cf-4383-8383-1e5471db6cf9'),(8989,'Issue',498,16,'win-proc'),(8990,'Issue',498,17,''),(8991,'Issue',498,7,''),(8992,'Issue',498,3,'Detects suspicious powershell process which includes bxor command, alternatvide obfuscation method to b64 encoded commands.'),(8993,'Issue',498,4,''),(8994,'Issue',498,5,'_False Positives_\nunknown'),(8995,'Issue',498,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(*\\ \\-bxor*))\nindex: so-*\nname: Suspicious XOR Encoded PowerShell Command Line\npriority: 3\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(8996,'Issue',498,9,'{{collapse(View Sigma)\n\n\ntitle: Suspicious XOR Encoded PowerShell Command Line\nid: bb780e0c-16cf-4383-8383-1e5471db6cf9\ndescription: Detects suspicious powershell process which includes bxor command, alternatvide\n obfuscation method to b64 encoded commands.\nstatus: experimental\nauthor: Sami Ruohonen\ndate: 2018/09/05\ntags:\n- attack.execution\n- attack.t1086\ndetection:\n selection:\n CommandLine:\n - \'* -bxor*\'\n condition: selection\nfalsepositives:\n- unknown\nlevel: medium\nlogsource:\n category: process_creation\n product: windows\n\n
\n}}'),(8997,'Issue',498,15,'T1086'),(8998,'Issue',499,1,'Default PowerSploit and Empire Schtasks Persistence'),(8999,'Issue',499,2,'Markus Neis, @Karneades'),(9000,'Issue',499,8,'https://github.com/0xdeadbeefJERKY/PowerSploit/blob/8690399ef70d2cad10213575ac67e8fa90ddf7c3/Persistence/Persistence.psm1\nhttps://github.com/EmpireProject/Empire/blob/master/lib/modules/powershell/persistence/userland/schtasks.py\nhttps://github.com/EmpireProject/Empire/blob/master/lib/modules/powershell/persistence/elevated/schtasks.py'),(9001,'Issue',499,10,'high'),(9002,'Issue',499,13,'community'),(9003,'Issue',499,14,'windows'),(9005,'Issue',499,11,'52c48c3b3'),(9006,'Issue',499,12,'56c217c3-2de2-479b-990f-5c109ba8458f'),(9007,'Issue',499,16,'win-proc'),(9008,'Issue',499,17,''),(9009,'Issue',499,7,''),(9010,'Issue',499,3,'Detects the creation of a schtask via PowerSploit or Empire Default Configuration.'),(9011,'Issue',499,4,''),(9012,'Issue',499,5,'_False Positives_\nFalse positives are possible, depends on organisation and processes'),(9013,'Issue',499,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.parent.executable.keyword:(*\\\\powershell.exe) AND process.command_line.keyword:(*schtasks*\\/Create*\\/SC\\ *ONLOGON*\\/TN\\ *Updater*\\/TR\\ *powershell* OR *schtasks*\\/Create*\\/SC\\ *DAILY*\\/TN\\ *Updater*\\/TR\\ *powershell* OR *schtasks*\\/Create*\\/SC\\ *ONIDLE*\\/TN\\ *Updater*\\/TR\\ *powershell* OR *schtasks*\\/Create*\\/SC\\ *Updater*\\/TN\\ *Updater*\\/TR\\ *powershell*))\nindex: so-*\nname: Default PowerSploit and Empire Schtasks Persistence\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(9014,'Issue',499,9,'{{collapse(View Sigma)\n\n\ntitle: Default PowerSploit and Empire Schtasks Persistence\nid: 56c217c3-2de2-479b-990f-5c109ba8458f\nstatus: experimental\ndescription: Detects the creation of a schtask via PowerSploit or Empire Default Configuration.\nreferences:\n- https://github.com/0xdeadbeefJERKY/PowerSploit/blob/8690399ef70d2cad10213575ac67e8fa90ddf7c3/Persistence/Persistence.psm1\n- https://github.com/EmpireProject/Empire/blob/master/lib/modules/powershell/persistence/userland/schtasks.py\n- https://github.com/EmpireProject/Empire/blob/master/lib/modules/powershell/persistence/elevated/schtasks.py\nauthor: Markus Neis, @Karneades\ndate: 2018/03/06\nlogsource:\n product: windows\n category: process_creation\ndetection:\n selection:\n ParentImage:\n - \'*\\powershell.exe\'\n CommandLine:\n - \'*schtasks*/Create*/SC *ONLOGON*/TN *Updater*/TR *powershell*\'\n - \'*schtasks*/Create*/SC *DAILY*/TN *Updater*/TR *powershell*\'\n - \'*schtasks*/Create*/SC *ONIDLE*/TN *Updater*/TR *powershell*\'\n - \'*schtasks*/Create*/SC *Updater*/TN *Updater*/TR *powershell*\'\n condition: selection\ntags:\n- attack.execution\n- attack.persistence\n- attack.privilege_escalation\n- attack.t1053\n- attack.t1086\n- attack.s0111\n- attack.g0022\n- attack.g0060\n- car.2013-08-001\nfalsepositives:\n- False positives are possible, depends on organisation and processes\nlevel: high\n\n
\n}}'),(9015,'Issue',499,15,'T1053'),(9016,'Issue',499,15,'T1086'),(9017,'Issue',500,1,'Windows Processes Suspicious Parent Directory'),(9018,'Issue',500,2,'vburov'),(9019,'Issue',500,8,'https://securitybytes.io/blue-team-fundamentals-part-two-windows-processes-759fe15965e2\nhttps://www.carbonblack.com/2014/06/10/screenshot-demo-hunt-evil-faster-than-ever-with-carbon-black/\nhttps://www.13cubed.com/downloads/windows_process_genealogy_v2.pdf\nhttps://attack.mitre.org/techniques/T1036/'),(9020,'Issue',500,10,'low'),(9021,'Issue',500,13,'community'),(9022,'Issue',500,14,'windows'),(9024,'Issue',500,11,'c9688cc7f'),(9025,'Issue',500,12,'96036718-71cc-4027-a538-d1587e0006a7'),(9026,'Issue',500,16,'win-proc'),(9027,'Issue',500,17,''),(9028,'Issue',500,7,''),(9029,'Issue',500,3,'Detect suspicious parent processes of well-known Windows processes'),(9030,'Issue',500,4,''),(9031,'Issue',500,5,'_False Positives_\nSome security products seem to spawn these'),(9032,'Issue',500,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (process.executable.keyword:(*\\\\svchost.exe OR *\\\\taskhost.exe OR *\\\\lsm.exe OR *\\\\lsass.exe OR *\\\\services.exe OR *\\\\lsaiso.exe OR *\\\\csrss.exe OR *\\\\wininit.exe OR *\\\\winlogon.exe) AND (NOT (process.parent.executable.keyword:(*\\\\System32\\\\* OR *\\\\SysWOW64\\\\* OR *\\\\SavService.exe OR *\\\\Windows\\ Defender\\\\*\\\\MsMpEng.exe)))) AND (NOT (NOT _exists_:process.parent.executable)))\nindex: so-*\nname: Windows Processes Suspicious Parent Directory\npriority: 4\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(9033,'Issue',500,9,'{{collapse(View Sigma)\n\n\ntitle: Windows Processes Suspicious Parent Directory\nid: 96036718-71cc-4027-a538-d1587e0006a7\nstatus: experimental\ndescription: Detect suspicious parent processes of well-known Windows processes\nauthor: vburov\nreferences:\n- https://securitybytes.io/blue-team-fundamentals-part-two-windows-processes-759fe15965e2\n- https://www.carbonblack.com/2014/06/10/screenshot-demo-hunt-evil-faster-than-ever-with-carbon-black/\n- https://www.13cubed.com/downloads/windows_process_genealogy_v2.pdf\n- https://attack.mitre.org/techniques/T1036/\ndate: 2019/02/23\nmodified: 2019/08/20\ntags:\n- attack.defense_evasion\n- attack.t1036\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n Image:\n - \'*\\svchost.exe\'\n - \'*\\taskhost.exe\'\n - \'*\\lsm.exe\'\n - \'*\\lsass.exe\'\n - \'*\\services.exe\'\n - \'*\\lsaiso.exe\'\n - \'*\\csrss.exe\'\n - \'*\\wininit.exe\'\n - \'*\\winlogon.exe\'\n filter:\n ParentImage:\n - \'*\\System32\\\\*\'\n - \'*\\SysWOW64\\\\*\'\n - \'*\\SavService.exe\'\n - \'*\\Windows Defender\\\\*\\MsMpEng.exe\'\n filter_null:\n ParentImage:\n condition: selection and not filter and not filter_null\nfalsepositives:\n- Some security products seem to spawn these\nlevel: low\n\n
\n}}'),(9034,'Issue',500,15,'T1036'),(9035,'Issue',501,1,'Bitsadmin Download'),(9036,'Issue',501,2,'Michael Haag'),(9037,'Issue',501,8,'https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin\nhttps://isc.sans.edu/diary/22264'),(9038,'Issue',501,10,'medium'),(9039,'Issue',501,13,'community'),(9040,'Issue',501,14,'windows'),(9042,'Issue',501,11,'0859ceb13'),(9043,'Issue',501,12,'d059842b-6b9d-4ed1-b5c3-5b89143c6ede'),(9044,'Issue',501,16,'win-proc'),(9045,'Issue',501,17,''),(9046,'Issue',501,7,''),(9047,'Issue',501,3,'Detects usage of bitsadmin downloading a file'),(9048,'Issue',501,4,''),(9049,'Issue',501,5,'_False Positives_\nSome legitimate apps use this, but limited.\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(9050,'Issue',501,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND ((process.executable.keyword:(*\\\\bitsadmin.exe) AND process.command_line.keyword:(*\\ \\/transfer\\ *)) OR process.command_line.keyword:(*copy\\ bitsadmin.exe*)))\nindex: so-*\nname: Bitsadmin Download\npriority: 3\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(9051,'Issue',501,9,'{{collapse(View Sigma)\n\n\ntitle: Bitsadmin Download\nid: d059842b-6b9d-4ed1-b5c3-5b89143c6ede\nstatus: experimental\ndescription: Detects usage of bitsadmin downloading a file\nreferences:\n- https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin\n- https://isc.sans.edu/diary/22264\ntags:\n- attack.defense_evasion\n- attack.persistence\n- attack.t1197\n- attack.s0190\ndate: 2017/03/09\nmodified: 2019/12/06\nauthor: Michael Haag\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection1:\n Image:\n - \'*\\bitsadmin.exe\'\n CommandLine:\n - \'* /transfer *\'\n selection2:\n CommandLine:\n - \'*copy bitsadmin.exe*\'\n condition: selection1 or selection2\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Some legitimate apps use this, but limited.\nlevel: medium\n\n
\n}}'),(9052,'Issue',501,15,'T1197'),(9053,'Issue',502,1,'Process Dump via Rundll32 and Comsvcs.dll'),(9054,'Issue',502,2,'Florian Roth'),(9055,'Issue',502,8,'https://twitter.com/shantanukhande/status/1229348874298388484'),(9056,'Issue',502,10,'high'),(9057,'Issue',502,13,'community'),(9058,'Issue',502,14,'windows'),(9060,'Issue',502,11,'f4af737c0'),(9061,'Issue',502,12,'646ea171-dded-4578-8a4d-65e9822892e3'),(9062,'Issue',502,16,'win-proc'),(9063,'Issue',502,17,''),(9064,'Issue',502,7,''),(9065,'Issue',502,3,'Detects a process memory dump performed via ordinal function 24 in comsvcs.dll'),(9066,'Issue',502,4,''),(9067,'Issue',502,5,'_False Positives_\nUnlikely, because no one should dump the process memory in that way'),(9068,'Issue',502,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(*comsvcs.dll,#24* OR *comsvcs.dll,MiniDump*))\nindex: so-*\nname: Process Dump via Rundll32 and Comsvcs.dll\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(9069,'Issue',502,9,'{{collapse(View Sigma)\n\n\ntitle: Process Dump via Rundll32 and Comsvcs.dll\nid: 646ea171-dded-4578-8a4d-65e9822892e3\ndescription: Detects a process memory dump performed via ordinal function 24 in comsvcs.dll\nstatus: experimental\nreferences:\n- https://twitter.com/shantanukhande/status/1229348874298388484\nauthor: Florian Roth\ndate: 2020/02/18\ntags:\n- attack.defense_evasion\n- attack.t1036\n- attack.credential_access\n- attack.t1003\n- car.2013-05-009\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n CommandLine|contains:\n - comsvcs.dll,#24\n - comsvcs.dll,MiniDump\n condition: selection\nfalsepositives:\n- Unlikely, because no one should dump the process memory in that way\nlevel: high\n\n
\n}}'),(9070,'Issue',502,15,'T1036'),(9071,'Issue',502,15,'T1003'),(9072,'Issue',503,1,'PsExec Service Start'),(9073,'Issue',503,2,'Florian Roth'),(9074,'Issue',503,8,'none'),(9075,'Issue',503,10,'low'),(9076,'Issue',503,13,'community'),(9077,'Issue',503,14,'windows'),(9079,'Issue',503,11,'15de28714'),(9080,'Issue',503,12,'3ede524d-21cc-472d-a3ce-d21b568d8db7'),(9081,'Issue',503,16,'win-proc'),(9082,'Issue',503,17,''),(9083,'Issue',503,7,''),(9084,'Issue',503,3,'Detects a PsExec service start'),(9085,'Issue',503,4,''),(9086,'Issue',503,5,'_False Positives_\nAdministrative activity'),(9087,'Issue',503,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND ProcessCommandLine:\"C\\:\\\\Windows\\\\PSEXESVC.exe\")\nindex: so-*\nname: PsExec Service Start\npriority: 4\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(9088,'Issue',503,9,'{{collapse(View Sigma)\n\n\ntitle: PsExec Service Start\nid: 3ede524d-21cc-472d-a3ce-d21b568d8db7\ndescription: Detects a PsExec service start\nauthor: Florian Roth\ndate: 2018/03/13\nmodified: 2012/12/11\ntags:\n- attack.execution\n- attack.t1035\n- attack.s0029\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n ProcessCommandLine: C:\\Windows\\PSEXESVC.exe\n condition: selection\nfalsepositives:\n- Administrative activity\nlevel: low\n\n
\n}}'),(9089,'Issue',503,15,'T1035'),(9090,'Issue',504,1,'Query Registry'),(9091,'Issue',504,2,'Timur Zinniatullin, oscd.community'),(9092,'Issue',504,8,'https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1012/T1012.yaml'),(9093,'Issue',504,10,'low'),(9094,'Issue',504,13,'community'),(9095,'Issue',504,14,'windows'),(9097,'Issue',504,11,'05ee88dcb'),(9098,'Issue',504,12,'970007b7-ce32-49d0-a4a4-fbef016950bd'),(9099,'Issue',504,16,'win-proc'),(9100,'Issue',504,17,''),(9101,'Issue',504,7,''),(9102,'Issue',504,3,'Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.'),(9103,'Issue',504,4,''),(9104,'Issue',504,5,'_False Positives_\n Unknown\n\n_Interesting Log Fields_\nImage\nCommandLine\nUser\nLogonGuid\nHashes\nParentProcessGuid\nParentCommandLine'),(9105,'Issue',504,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\reg.exe AND process.command_line.keyword:(*query* OR *save* OR *export*) AND process.command_line.keyword:(*currentVersion\\\\windows* OR *currentVersion\\\\runServicesOnce* OR *currentVersion\\\\runServices* OR *winlogon\\* OR *currentVersion\\\\shellServiceObjectDelayLoad* OR *currentVersion\\\\runOnce* OR *currentVersion\\\\runOnceEx* OR *currentVersion\\\\run* OR *currentVersion\\\\policies\\\\explorer\\\\run* OR *currentcontrolset\\\\services*))\nindex: so-*\nname: Query Registry\npriority: 4\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(9106,'Issue',504,9,'{{collapse(View Sigma)\n\n\ntitle: Query Registry\nid: 970007b7-ce32-49d0-a4a4-fbef016950bd\nstatus: experimental\ndescription: Adversaries may interact with the Windows Registry to gather information\n about the system, configuration, and installed software.\nauthor: Timur Zinniatullin, oscd.community\ndate: 2019/10/21\nmodified: 2019/11/04\nreferences:\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1012/T1012.yaml\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_1:\n Image|endswith: \\reg.exe\n CommandLine|contains:\n - query\n - save\n - export\n selection_2:\n CommandLine|contains:\n - currentVersion\\windows\n - currentVersion\\runServicesOnce\n - currentVersion\\runServices\n - winlogon\\\n - currentVersion\\shellServiceObjectDelayLoad\n - currentVersion\\runOnce\n - currentVersion\\runOnceEx\n - currentVersion\\run\n - currentVersion\\policies\\explorer\\run\n - currentcontrolset\\services\n condition: selection_1 and selection_2\nfields:\n- Image\n- CommandLine\n- User\n- LogonGuid\n- Hashes\n- ParentProcessGuid\n- ParentCommandLine\nlevel: low\ntags:\n- attack.discovery\n- attack.t1012\n- attack.t1007\n\n
\n}}'),(9107,'Issue',504,15,'T1012'),(9108,'Issue',504,15,'T1007'),(9109,'Issue',505,1,'MSTSC Shadowing'),(9110,'Issue',505,2,'Florian Roth'),(9111,'Issue',505,8,'https://twitter.com/kmkz_security/status/1220694202301976576\nhttps://github.com/kmkz/Pentesting/blob/master/Post-Exploitation-Cheat-Sheet'),(9112,'Issue',505,10,'high'),(9113,'Issue',505,13,'community'),(9114,'Issue',505,14,'windows'),(9115,'Issue',505,15,''),(9116,'Issue',505,11,'8c3dc3ef9'),(9117,'Issue',505,12,'6ba5a05f-b095-4f0a-8654-b825f4f16334'),(9118,'Issue',505,16,'win-proc'),(9119,'Issue',505,17,''),(9120,'Issue',505,7,''),(9121,'Issue',505,3,'Detects RDP session hijacking by using MSTSC shadowing'),(9122,'Issue',505,4,''),(9123,'Issue',505,5,'_False Positives_\nUnknown'),(9124,'Issue',505,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:*noconsentprompt* AND process.command_line.keyword:*shadow\\:*)\nindex: so-*\nname: MSTSC Shadowing\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(9125,'Issue',505,9,'{{collapse(View Sigma)\n\n\ntitle: MSTSC Shadowing\nid: 6ba5a05f-b095-4f0a-8654-b825f4f16334\ndescription: Detects RDP session hijacking by using MSTSC shadowing\nstatus: experimental\nauthor: Florian Roth\ndate: 2020/01/24\nreferences:\n- https://twitter.com/kmkz_security/status/1220694202301976576\n- https://github.com/kmkz/Pentesting/blob/master/Post-Exploitation-Cheat-Sheet\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n CommandLine|contains|all:\n - noconsentprompt\n - \'shadow:\'\n condition: selection\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(9126,'Issue',506,1,'Remote PowerShell Session'),(9127,'Issue',506,2,'Roberto Rodriguez @Cyb3rWard0g'),(9128,'Issue',506,8,'https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/powershell_remote_session.md'),(9129,'Issue',506,10,'medium'),(9130,'Issue',506,13,'community'),(9131,'Issue',506,14,'windows'),(9133,'Issue',506,11,'fe42832a8'),(9134,'Issue',506,12,'734f8d9b-42b8-41b2-bcf5-abaf49d5a3c8'),(9135,'Issue',506,16,'win-proc'),(9136,'Issue',506,17,''),(9137,'Issue',506,7,''),(9138,'Issue',506,3,'Detects remote PowerShell sections by monitoring for wsmprovhost as a parent or child process (sign of an active ps remote session)'),(9139,'Issue',506,4,''),(9140,'Issue',506,5,'_False Positives_\nLegitimate usage of remote Powershell, e.g. for monitoring purposes\n\n_Interesting Log Fields_\nComputerName\nUser\nCommandLine'),(9141,'Issue',506,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND (process.executable.keyword:*\\\\wsmprovhost.exe OR process.parent.executable.keyword:*\\\\wsmprovhost.exe))\nindex: so-*\nname: Remote PowerShell Session\npriority: 3\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(9142,'Issue',506,9,'{{collapse(View Sigma)\n\n\ntitle: Remote PowerShell Session\nid: 734f8d9b-42b8-41b2-bcf5-abaf49d5a3c8\ndescription: Detects remote PowerShell sections by monitoring for wsmprovhost as a\n parent or child process (sign of an active ps remote session)\nstatus: experimental\ndate: 2019/09/12\nmodified: 2019/11/10\nauthor: Roberto Rodriguez @Cyb3rWard0g\nreferences:\n- https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/powershell_remote_session.md\ntags:\n- attack.execution\n- attack.t1086\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n - Image|endswith: \\wsmprovhost.exe\n - ParentImage|endswith: \\wsmprovhost.exe\n condition: selection\nfields:\n- ComputerName\n- User\n- CommandLine\nfalsepositives:\n- Legitimate usage of remote Powershell, e.g. for monitoring purposes\nlevel: medium\n\n
\n}}'),(9143,'Issue',506,15,'T1086'),(9144,'Issue',507,1,'Discovery of a System Time'),(9145,'Issue',507,2,'E.M. Anhaus (orignally from Atomic Blue Detections, Endgame), oscd.community'),(9146,'Issue',507,8,'https://eqllib.readthedocs.io/en/latest/analytics/fcdb99c2-ac3c-4bde-b664-4b336329bed2.html\nhttps://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1124/T1124.md'),(9147,'Issue',507,10,'low'),(9148,'Issue',507,13,'community'),(9149,'Issue',507,14,'windows'),(9151,'Issue',507,11,'9639546cc'),(9152,'Issue',507,12,'b243b280-65fe-48df-ba07-6ddea7646427'),(9153,'Issue',507,16,'win-proc'),(9154,'Issue',507,17,''),(9155,'Issue',507,7,''),(9156,'Issue',507,3,'Identifies use of various commands to query a systems time. This technique may be used before executing a scheduled task or to discover the time zone of a target system.'),(9157,'Issue',507,4,''),(9158,'Issue',507,5,'_False Positives_\nLegitimate use of the system utilities to discover system time for legitimate reason'),(9159,'Issue',507,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND ((process.executable.keyword:(*\\\\net.exe OR *\\\\net1.exe) AND process.command_line.keyword:*time*) OR (process.executable.keyword:*\\\\w32tm.exe AND process.command_line.keyword:*tz*) OR (process.executable.keyword:*\\\\powershell.exe AND process.command_line.keyword:*Get\\-Date*)))\nindex: so-*\nname: Discovery of a System Time\npriority: 4\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(9160,'Issue',507,9,'{{collapse(View Sigma)\n\n\ntitle: Discovery of a System Time\nid: b243b280-65fe-48df-ba07-6ddea7646427\ndescription: Identifies use of various commands to query a systems time. This technique\n may be used before executing a scheduled task or to discover the time zone of a\n target system.\nstatus: experimental\nauthor: E.M. Anhaus (orignally from Atomic Blue Detections, Endgame), oscd.community\ndate: 2019/10/24\nmodified: 2019/11/11\nreferences:\n- https://eqllib.readthedocs.io/en/latest/analytics/fcdb99c2-ac3c-4bde-b664-4b336329bed2.html\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1124/T1124.md\ntags:\n- attack.discovery\n- attack.t1124\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n - Image|endswith:\n - \\net.exe\n - \\net1.exe\n CommandLine|contains: time\n - Image|endswith: \\w32tm.exe\n CommandLine|contains: tz\n - Image|endswith: \\powershell.exe\n CommandLine|contains: Get-Date\n condition: selection\nfalsepositives:\n- Legitimate use of the system utilities to discover system time for legitimate reason\nlevel: low\n\n
\n}}'),(9161,'Issue',507,15,'T1124'),(9162,'Issue',508,1,'Renamed Binary'),(9163,'Issue',508,2,'Matthew Green - @mgreen27, Ecco, James Pemberton / @4A616D6573, oscd.community (improvements)'),(9164,'Issue',508,8,'https://attack.mitre.org/techniques/T1036/\nhttps://mgreen27.github.io/posts/2019/05/12/BinaryRename.html\nhttps://mgreen27.github.io/posts/2019/05/29/BinaryRename2.html'),(9165,'Issue',508,10,'medium'),(9166,'Issue',508,13,'community'),(9167,'Issue',508,14,'windows'),(9169,'Issue',508,11,'b585cbf22'),(9170,'Issue',508,12,'36480ae1-a1cb-4eaa-a0d6-29801d7e9142'),(9171,'Issue',508,16,'win-proc'),(9172,'Issue',508,17,''),(9173,'Issue',508,7,''),(9174,'Issue',508,3,'Detects the execution of a renamed binary often used by attackers or malware leveraging new Sysmon OriginalFileName datapoint.'),(9175,'Issue',508,4,''),(9176,'Issue',508,5,'_False Positives_\nCustom applications use renamed binaries adding slight change to binary name. Typically this is easy to spot and add to whitelist'),(9177,'Issue',508,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND OriginalFileName:(\"cmd.exe\" OR \"powershell.exe\" OR \"powershell_ise.exe\" OR \"psexec.exe\" OR \"psexec.c\" OR \"cscript.exe\" OR \"wscript.exe\" OR \"mshta.exe\" OR \"regsvr32.exe\" OR \"wmic.exe\" OR \"certutil.exe\" OR \"rundll32.exe\" OR \"cmstp.exe\" OR \"msiexec.exe\" OR \"7z.exe\" OR \"winrar.exe\" OR \"wevtutil.exe\" OR \"net.exe\" OR \"net1.exe\") AND (NOT (process.executable.keyword:(*\\\\cmd.exe OR *\\\\powershell.exe OR *\\\\powershell_ise.exe OR *\\\\psexec.exe OR *\\\\psexec64.exe OR *\\\\cscript.exe OR *\\\\wscript.exe OR *\\\\mshta.exe OR *\\\\regsvr32.exe OR *\\\\wmic.exe OR *\\\\certutil.exe OR *\\\\rundll32.exe OR *\\\\cmstp.exe OR *\\\\msiexec.exe OR *\\\\7z.exe OR *\\\\winrar.exe OR *\\\\wevtutil.exe OR *\\\\net.exe OR *\\\\net1.exe))))\nindex: so-*\nname: Renamed Binary\npriority: 3\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(9178,'Issue',508,9,'{{collapse(View Sigma)\n\n\ntitle: Renamed Binary\nid: 36480ae1-a1cb-4eaa-a0d6-29801d7e9142\nstatus: experimental\ndescription: Detects the execution of a renamed binary often used by attackers or\n malware leveraging new Sysmon OriginalFileName datapoint.\nauthor: Matthew Green - @mgreen27, Ecco, James Pemberton / @4A616D6573, oscd.community\n (improvements)\ndate: 2019/06/15\nmodified: 2019/11/11\nreferences:\n- https://attack.mitre.org/techniques/T1036/\n- https://mgreen27.github.io/posts/2019/05/12/BinaryRename.html\n- https://mgreen27.github.io/posts/2019/05/29/BinaryRename2.html\ntags:\n- attack.t1036\n- attack.defense_evasion\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n OriginalFileName:\n - cmd.exe\n - powershell.exe\n - powershell_ise.exe\n - psexec.exe\n - psexec.c\n - cscript.exe\n - wscript.exe\n - mshta.exe\n - regsvr32.exe\n - wmic.exe\n - certutil.exe\n - rundll32.exe\n - cmstp.exe\n - msiexec.exe\n - 7z.exe\n - winrar.exe\n - wevtutil.exe\n - net.exe\n - net1.exe\n filter:\n Image|endswith:\n - \\cmd.exe\n - \\powershell.exe\n - \\powershell_ise.exe\n - \\psexec.exe\n - \\psexec64.exe\n - \\cscript.exe\n - \\wscript.exe\n - \\mshta.exe\n - \\regsvr32.exe\n - \\wmic.exe\n - \\certutil.exe\n - \\rundll32.exe\n - \\cmstp.exe\n - \\msiexec.exe\n - \\7z.exe\n - \\winrar.exe\n - \\wevtutil.exe\n - \\net.exe\n - \\net1.exe\n condition: selection and not filter\nfalsepositives:\n- Custom applications use renamed binaries adding slight change to binary name. Typically\n this is easy to spot and add to whitelist\nlevel: medium\n\n
\n}}'),(9179,'Issue',508,15,'T1036'),(9180,'Issue',509,1,'Highly Relevant Renamed Binary'),(9181,'Issue',509,2,'Matthew Green - @mgreen27, Florian Roth'),(9182,'Issue',509,8,'https://attack.mitre.org/techniques/T1036/\nhttps://mgreen27.github.io/posts/2019/05/12/BinaryRename.html\nhttps://mgreen27.github.io/posts/2019/05/29/BinaryRename2.html'),(9183,'Issue',509,10,'high'),(9184,'Issue',509,13,'community'),(9185,'Issue',509,14,'windows'),(9187,'Issue',509,11,'11b349716'),(9188,'Issue',509,12,'0ba1da6d-b6ce-4366-828c-18826c9de23e'),(9189,'Issue',509,16,'win-proc'),(9190,'Issue',509,17,''),(9191,'Issue',509,7,''),(9192,'Issue',509,3,'Detects the execution of a renamed binary often used by attackers or malware leveraging new Sysmon OriginalFileName datapoint.'),(9193,'Issue',509,4,''),(9194,'Issue',509,5,'_False Positives_\nCustom applications use renamed binaries adding slight change to binary name. Typically this is easy to spot and add to whitelist'),(9195,'Issue',509,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND OriginalFileName:(\"powershell.exe\" OR \"powershell_ise.exe\" OR \"psexec.exe\" OR \"psexec.c\" OR \"cscript.exe\" OR \"wscript.exe\" OR \"mshta.exe\" OR \"regsvr32.exe\" OR \"wmic.exe\" OR \"certutil.exe\" OR \"rundll32.exe\" OR \"cmstp.exe\" OR \"msiexec.exe\") AND (NOT (process.executable.keyword:(*\\\\powershell.exe OR *\\\\powershell_ise.exe OR *\\\\psexec.exe OR *\\\\psexec64.exe OR *\\\\cscript.exe OR *\\\\wscript.exe OR *\\\\mshta.exe OR *\\\\regsvr32.exe OR *\\\\wmic.exe OR *\\\\certutil.exe OR *\\\\rundll32.exe OR *\\\\cmstp.exe OR *\\\\msiexec.exe))))\nindex: so-*\nname: Highly Relevant Renamed Binary\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(9196,'Issue',509,9,'{{collapse(View Sigma)\n\n\ntitle: Highly Relevant Renamed Binary\nid: 0ba1da6d-b6ce-4366-828c-18826c9de23e\nstatus: experimental\ndescription: Detects the execution of a renamed binary often used by attackers or\n malware leveraging new Sysmon OriginalFileName datapoint.\nauthor: Matthew Green - @mgreen27, Florian Roth\ndate: 2019/06/15\nreferences:\n- https://attack.mitre.org/techniques/T1036/\n- https://mgreen27.github.io/posts/2019/05/12/BinaryRename.html\n- https://mgreen27.github.io/posts/2019/05/29/BinaryRename2.html\ntags:\n- attack.t1036\n- attack.defense_evasion\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n OriginalFileName:\n - powershell.exe\n - powershell_ise.exe\n - psexec.exe\n - psexec.c\n - cscript.exe\n - wscript.exe\n - mshta.exe\n - regsvr32.exe\n - wmic.exe\n - certutil.exe\n - rundll32.exe\n - cmstp.exe\n - msiexec.exe\n filter:\n Image:\n - \'*\\powershell.exe\'\n - \'*\\powershell_ise.exe\'\n - \'*\\psexec.exe\'\n - \'*\\psexec64.exe\'\n - \'*\\cscript.exe\'\n - \'*\\wscript.exe\'\n - \'*\\mshta.exe\'\n - \'*\\regsvr32.exe\'\n - \'*\\wmic.exe\'\n - \'*\\certutil.exe\'\n - \'*\\rundll32.exe\'\n - \'*\\cmstp.exe\'\n - \'*\\msiexec.exe\'\n condition: selection and not filter\nfalsepositives:\n- Custom applications use renamed binaries adding slight change to binary name. Typically\n this is easy to spot and add to whitelist\nlevel: high\n\n
\n}}'),(9197,'Issue',509,15,'T1036'),(9198,'Issue',510,1,'Execution of Renamed PaExec'),(9199,'Issue',510,2,'Jason Lynch'),(9200,'Issue',510,8,'sha256=01a461ad68d11b5b5096f45eb54df9ba62c5af413fa9eb544eacb598373a26bc\nhttps://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf'),(9201,'Issue',510,10,'medium'),(9202,'Issue',510,13,'community'),(9203,'Issue',510,14,'windows'),(9205,'Issue',510,11,'53a0f9acd'),(9206,'Issue',510,12,'7b0666ad-3e38-4e3d-9bab-78b06de85f7b'),(9207,'Issue',510,16,'win-proc'),(9208,'Issue',510,17,''),(9209,'Issue',510,7,''),(9210,'Issue',510,3,'Detects execution of renamed paexec via imphash and executable product string'),(9211,'Issue',510,4,''),(9212,'Issue',510,5,'_False Positives_\nUnknown imphashes'),(9213,'Issue',510,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.pe.product.keyword:(*PAExec*) AND event_data.Imphash:(\"11D40A7B7876288F919AB819CC2D9802\" OR \"6444f8a34e99b8f7d9647de66aabe516\" OR \"dfd6aa3f7b2b1035b76b718f1ddc689f\" OR \"1a6cca4d5460b1710a12dea39e4a592c\")) AND (NOT (process.executable.keyword:*paexec*)))\nindex: so-*\nname: Execution of Renamed PaExec\npriority: 3\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(9214,'Issue',510,9,'{{collapse(View Sigma)\n\n\ntitle: Execution of Renamed PaExec\nid: 7b0666ad-3e38-4e3d-9bab-78b06de85f7b\nstatus: experimental\ndescription: Detects execution of renamed paexec via imphash and executable product\n string\nreferences:\n- sha256=01a461ad68d11b5b5096f45eb54df9ba62c5af413fa9eb544eacb598373a26bc\n- https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf\ntags:\n- attack.defense_evasion\n- attack.t1036\n- FIN7\n- car.2013-05-009\ndate: 2019/04/17\nauthor: Jason Lynch\nfalsepositives:\n- Unknown imphashes\nlevel: medium\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection1:\n Product:\n - \'*PAExec*\'\n selection2:\n Imphash:\n - 11D40A7B7876288F919AB819CC2D9802\n - 6444f8a34e99b8f7d9647de66aabe516\n - dfd6aa3f7b2b1035b76b718f1ddc689f\n - 1a6cca4d5460b1710a12dea39e4a592c\n filter1:\n Image: \'*paexec*\'\n condition: (selection1 and selection2) and not filter1\n\n
\n}}'),(9215,'Issue',510,15,'T1036'),(9216,'Issue',511,1,'Run PowerShell Script from ADS'),(9217,'Issue',511,2,'Sergey Soldatov, Kaspersky Lab, oscd.community'),(9218,'Issue',511,8,'https://github.com/p0shkatz/Get-ADS/blob/master/Get-ADS.ps1'),(9219,'Issue',511,10,'high'),(9220,'Issue',511,13,'community'),(9221,'Issue',511,14,'windows'),(9223,'Issue',511,11,'3297ebd01'),(9224,'Issue',511,12,'45a594aa-1fbd-4972-a809-ff5a99dd81b8'),(9225,'Issue',511,16,'win-proc'),(9226,'Issue',511,17,''),(9227,'Issue',511,7,''),(9228,'Issue',511,3,'Detects PowerShell script execution from Alternate Data Stream (ADS)'),(9229,'Issue',511,4,''),(9230,'Issue',511,5,'_False Positives_\nUnknown'),(9231,'Issue',511,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.parent.executable.keyword:*\\\\powershell.exe AND process.executable.keyword:*\\\\powershell.exe AND process.command_line.keyword:*Get\\-Content* AND process.command_line.keyword:*\\-Stream*)\nindex: so-*\nname: Run PowerShell Script from ADS\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(9232,'Issue',511,9,'{{collapse(View Sigma)\n\n\ntitle: Run PowerShell Script from ADS\nid: 45a594aa-1fbd-4972-a809-ff5a99dd81b8\nstatus: experimental\ndescription: Detects PowerShell script execution from Alternate Data Stream (ADS)\nreferences:\n- https://github.com/p0shkatz/Get-ADS/blob/master/Get-ADS.ps1\nauthor: Sergey Soldatov, Kaspersky Lab, oscd.community\ndate: 2019/10/30\ntags:\n- attack.defense_evasion\n- attack.t1096\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n ParentImage|endswith: \\powershell.exe\n Image|endswith: \\powershell.exe\n CommandLine|contains|all:\n - Get-Content\n - -Stream\n condition: selection\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(9233,'Issue',511,15,'T1096'),(9234,'Issue',512,1,'Possible Shim Database Persistence via sdbinst.exe'),(9235,'Issue',512,2,'Markus Neis'),(9236,'Issue',512,8,'https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html'),(9237,'Issue',512,10,'high'),(9238,'Issue',512,13,'community'),(9239,'Issue',512,14,'windows'),(9241,'Issue',512,11,'1f62648d2'),(9242,'Issue',512,12,'517490a7-115a-48c6-8862-1a481504d5a8'),(9243,'Issue',512,16,'win-proc'),(9244,'Issue',512,17,''),(9245,'Issue',512,7,''),(9246,'Issue',512,3,'Detects installation of a new shim using sdbinst.exe. A shim can be used to load malicious DLLs into applications.'),(9247,'Issue',512,4,''),(9248,'Issue',512,5,'_False Positives_\nUnknown'),(9249,'Issue',512,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:(*\\\\sdbinst.exe) AND process.command_line.keyword:(*.sdb*))\nindex: so-*\nname: Possible Shim Database Persistence via sdbinst.exe\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(9250,'Issue',512,9,'{{collapse(View Sigma)\n\n\ntitle: Possible Shim Database Persistence via sdbinst.exe\nid: 517490a7-115a-48c6-8862-1a481504d5a8\nstatus: experimental\ndescription: Detects installation of a new shim using sdbinst.exe. A shim can be used\n to load malicious DLLs into applications.\nreferences:\n- https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html\ntags:\n- attack.persistence\n- attack.t1138\nauthor: Markus Neis\ndate: 2019/01/16\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n Image:\n - \'*\\sdbinst.exe\'\n CommandLine:\n - \'*.sdb*\'\n condition: selection\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(9251,'Issue',512,15,'T1138'),(9252,'Issue',513,1,'Service Execution'),(9253,'Issue',513,2,'Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community'),(9254,'Issue',513,8,'https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1035/T1035.yaml'),(9255,'Issue',513,10,'low'),(9256,'Issue',513,13,'community'),(9257,'Issue',513,14,'windows'),(9259,'Issue',513,11,'0313836b2'),(9260,'Issue',513,12,'2a072a96-a086-49fa-bcb5-15cc5a619093'),(9261,'Issue',513,16,'win-proc'),(9262,'Issue',513,17,''),(9263,'Issue',513,7,''),(9264,'Issue',513,3,'Detects manual service execution (start) via system utilities'),(9265,'Issue',513,4,''),(9266,'Issue',513,5,'_False Positives_\nLegitimate administrator or user executes a service for legitimate reason'),(9267,'Issue',513,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:(*\\\\net.exe OR *\\\\net1.exe) AND process.command_line.keyword:*\\ start\\ *)\nindex: so-*\nname: Service Execution\npriority: 4\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(9268,'Issue',513,9,'{{collapse(View Sigma)\n\n\ntitle: Service Execution\nid: 2a072a96-a086-49fa-bcb5-15cc5a619093\nstatus: experimental\ndescription: Detects manual service execution (start) via system utilities\nauthor: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community\ndate: 2019/10/21\nmodified: 2019/11/04\nreferences:\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1035/T1035.yaml\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n Image|endswith:\n - \\net.exe\n - \\net1.exe\n CommandLine|contains: \' start \'\n condition: selection\nfalsepositives:\n- Legitimate administrator or user executes a service for legitimate reason\nlevel: low\ntags:\n- attack.execution\n- attack.t1035\n\n
\n}}'),(9269,'Issue',513,15,'T1035'),(9270,'Issue',514,1,'Stop Windows Service'),(9271,'Issue',514,2,'Jakob Weinzettl, oscd.community'),(9272,'Issue',514,8,'none'),(9273,'Issue',514,10,'low'),(9274,'Issue',514,13,'community'),(9275,'Issue',514,14,'windows'),(9277,'Issue',514,11,'f5cf59506'),(9278,'Issue',514,12,'eb87818d-db5d-49cc-a987-d5da331fbd90'),(9279,'Issue',514,16,'win-proc'),(9280,'Issue',514,17,''),(9281,'Issue',514,7,''),(9282,'Issue',514,3,'Detects a windows service to be stopped'),(9283,'Issue',514,4,''),(9284,'Issue',514,5,'_False Positives_\nAdministrator shutting down the service due to upgrade or removal purposes\n\n_Interesting Log Fields_\nComputerName\nUser\nCommandLine'),(9285,'Issue',514,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:(*\\\\sc.exe OR *\\\\net.exe OR *\\\\net1.exe) AND process.command_line.keyword:*stop*)\nindex: so-*\nname: Stop Windows Service\npriority: 4\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(9286,'Issue',514,9,'{{collapse(View Sigma)\n\n\ntitle: Stop Windows Service\nid: eb87818d-db5d-49cc-a987-d5da331fbd90\ndescription: Detects a windows service to be stopped\nstatus: experimental\nauthor: Jakob Weinzettl, oscd.community\ndate: 2019/10/23\nmodified: 2019/11/08\ntags:\n- attack.impact\n- attack.t1489\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n - Image|endswith:\n - \\sc.exe\n - \\net.exe\n - \\net1.exe\n CommandLine|contains: stop\n condition: selection\nfields:\n- ComputerName\n- User\n- CommandLine\nfalsepositives:\n- Administrator shutting down the service due to upgrade or removal purposes\nlevel: low\n\n
\n}}'),(9287,'Issue',514,15,'T1489'),(9288,'Issue',515,1,'Shadow Copies Access via Symlink'),(9289,'Issue',515,2,'Teymur Kheirkhabarov, oscd.community'),(9290,'Issue',515,8,'https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment'),(9291,'Issue',515,10,'medium'),(9292,'Issue',515,13,'community'),(9293,'Issue',515,14,'windows'),(9295,'Issue',515,11,'42af87c98'),(9296,'Issue',515,12,'40b19fa6-d835-400c-b301-41f3a2baacaf'),(9297,'Issue',515,16,'win-proc'),(9298,'Issue',515,17,''),(9299,'Issue',515,7,''),(9300,'Issue',515,3,'Shadow Copies storage symbolic link creation using operating systems utilities'),(9301,'Issue',515,4,''),(9302,'Issue',515,5,'_False Positives_\nLegitimate administrator working with shadow copies, access for backup purposes'),(9303,'Issue',515,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:*mklink* AND process.command_line.keyword:*HarddiskVolumeShadowCopy*)\nindex: so-*\nname: Shadow Copies Access via Symlink\npriority: 3\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(9304,'Issue',515,9,'{{collapse(View Sigma)\n\n\ntitle: Shadow Copies Access via Symlink\nid: 40b19fa6-d835-400c-b301-41f3a2baacaf\ndescription: Shadow Copies storage symbolic link creation using operating systems\n utilities\nauthor: Teymur Kheirkhabarov, oscd.community\ndate: 2019/10/22\nreferences:\n- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment\ntags:\n- attack.credential_access\n- attack.t1003\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n CommandLine|contains|all:\n - mklink\n - HarddiskVolumeShadowCopy\n condition: selection\nfalsepositives:\n- Legitimate administrator working with shadow copies, access for backup purposes\nstatus: experimental\nlevel: medium\n\n
\n}}'),(9305,'Issue',515,15,'T1003'),(9306,'Issue',516,1,'Shadow Copies Creation Using Operating Systems Utilities'),(9307,'Issue',516,2,'Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community'),(9308,'Issue',516,8,'https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment\nhttps://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/tutorial-for-ntds-goodness-vssadmin-wmis-ntdsdit-system/'),(9309,'Issue',516,10,'medium'),(9310,'Issue',516,13,'community'),(9311,'Issue',516,14,'windows'),(9313,'Issue',516,11,'8093daa95'),(9314,'Issue',516,12,'b17ea6f7-6e90-447e-a799-e6c0a493d6ce'),(9315,'Issue',516,16,'win-proc'),(9316,'Issue',516,17,''),(9317,'Issue',516,7,''),(9318,'Issue',516,3,'Shadow Copies creation using operating systems utilities, possible credential access'),(9319,'Issue',516,4,''),(9320,'Issue',516,5,'_False Positives_\nLegitimate administrator working with shadow copies, access for backup purposes'),(9321,'Issue',516,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event_data.NewProcessName.keyword:(*\\\\powershell.exe OR *\\\\wmic.exe OR *\\\\vssadmin.exe) AND process.command_line.keyword:*shadow* AND process.command_line.keyword:*create*)\nindex: so-*\nname: Shadow Copies Creation Using Operating Systems Utilities\npriority: 3\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(9322,'Issue',516,9,'{{collapse(View Sigma)\n\n\ntitle: Shadow Copies Creation Using Operating Systems Utilities\nid: b17ea6f7-6e90-447e-a799-e6c0a493d6ce\ndescription: Shadow Copies creation using operating systems utilities, possible credential\n access\nauthor: Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community\ndate: 2019/10/22\nreferences:\n- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment\n- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/tutorial-for-ntds-goodness-vssadmin-wmis-ntdsdit-system/\ntags:\n- attack.credential_access\n- attack.t1003\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n NewProcessName|endswith:\n - \\powershell.exe\n - \\wmic.exe\n - \\vssadmin.exe\n CommandLine|contains|all:\n - shadow\n - create\n condition: selection\nfalsepositives:\n- Legitimate administrator working with shadow copies, access for backup purposes\nstatus: experimental\nlevel: medium\n\n
\n}}'),(9323,'Issue',516,15,'T1003'),(9324,'Issue',517,1,'Shadow Copies Deletion Using Operating Systems Utilities'),(9325,'Issue',517,2,'Florian Roth, Michael Haag, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community'),(9326,'Issue',517,8,'https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment\nhttps://blog.talosintelligence.com/2017/05/wannacry.html\nhttps://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/new-teslacrypt-ransomware-arrives-via-spam/\nhttps://www.bleepingcomputer.com/news/security/why-everyone-should-disable-vssadmin-exe-now/\nhttps://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100'),(9327,'Issue',517,10,'critical'),(9328,'Issue',517,13,'community'),(9329,'Issue',517,14,'windows'),(9331,'Issue',517,11,'afac78337'),(9332,'Issue',517,12,'c947b146-0abc-4c87-9c64-b17e9d7274a2'),(9333,'Issue',517,16,'win-proc'),(9334,'Issue',517,17,''),(9335,'Issue',517,7,''),(9336,'Issue',517,3,'Shadow Copies deletion using operating systems utilities'),(9337,'Issue',517,4,''),(9338,'Issue',517,5,'_False Positives_\nLegitimate Administrator deletes Shadow Copies using operating systems utilities for legitimate reason\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(9339,'Issue',517,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event_data.NewProcessName.keyword:(*\\\\powershell.exe OR *\\\\wmic.exe OR *\\\\vssadmin.exe) AND process.command_line.keyword:*shadow* AND process.command_line.keyword:*delete*)\nindex: so-*\nname: Shadow Copies Deletion Using Operating Systems Utilities\npriority: 1\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(9340,'Issue',517,9,'{{collapse(View Sigma)\n\n\ntitle: Shadow Copies Deletion Using Operating Systems Utilities\nid: c947b146-0abc-4c87-9c64-b17e9d7274a2\nstatus: stable\ndescription: Shadow Copies deletion using operating systems utilities\nauthor: Florian Roth, Michael Haag, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community\ndate: 2019/10/22\nreferences:\n- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment\n- https://blog.talosintelligence.com/2017/05/wannacry.html\n- https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/new-teslacrypt-ransomware-arrives-via-spam/\n- https://www.bleepingcomputer.com/news/security/why-everyone-should-disable-vssadmin-exe-now/\n- https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100\ntags:\n- attack.defense_evasion\n- attack.impact\n- attack.t1070\n- attack.t1490\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n NewProcessName|endswith:\n - \\powershell.exe\n - \\wmic.exe\n - \\vssadmin.exe\n CommandLine|contains|all:\n - shadow\n - delete\n condition: selection\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Legitimate Administrator deletes Shadow Copies using operating systems utilities\n for legitimate reason\nlevel: critical\n\n
\n}}'),(9341,'Issue',517,15,'T1070'),(9342,'Issue',517,15,'T1490'),(9343,'Issue',518,1,'Windows Shell Spawning Suspicious Program'),(9344,'Issue',518,2,'Florian Roth'),(9345,'Issue',518,8,'https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html'),(9346,'Issue',518,10,'high'),(9347,'Issue',518,13,'community'),(9348,'Issue',518,14,'windows'),(9350,'Issue',518,11,'cbf52c91d'),(9351,'Issue',518,12,'3a6586ad-127a-4d3b-a677-1e6eacdf8fde'),(9352,'Issue',518,16,'win-proc'),(9353,'Issue',518,17,''),(9354,'Issue',518,7,''),(9355,'Issue',518,3,'Detects a suspicious child process of a Windows shell'),(9356,'Issue',518,4,''),(9357,'Issue',518,5,'_False Positives_\nAdministrative scripts\nMicrosoft SCCM\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(9358,'Issue',518,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (process.parent.executable.keyword:(*\\\\mshta.exe OR *\\\\powershell.exe OR *\\\\rundll32.exe OR *\\\\cscript.exe OR *\\\\wscript.exe OR *\\\\wmiprvse.exe) AND process.executable.keyword:(*\\\\schtasks.exe OR *\\\\nslookup.exe OR *\\\\certutil.exe OR *\\\\bitsadmin.exe OR *\\\\mshta.exe)) AND (NOT (process.working_directory\".keyword:*\\\\ccmcache\\\\*)))\nindex: so-*\nname: Windows Shell Spawning Suspicious Program\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(9359,'Issue',518,9,'{{collapse(View Sigma)\n\n\ntitle: Windows Shell Spawning Suspicious Program\nid: 3a6586ad-127a-4d3b-a677-1e6eacdf8fde\nstatus: experimental\ndescription: Detects a suspicious child process of a Windows shell\nreferences:\n- https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html\nauthor: Florian Roth\ndate: 2018/04/06\nmodified: 2019/02/05\ntags:\n- attack.execution\n- attack.defense_evasion\n- attack.t1064\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n ParentImage:\n - \'*\\mshta.exe\'\n - \'*\\powershell.exe\'\n - \'*\\rundll32.exe\'\n - \'*\\cscript.exe\'\n - \'*\\wscript.exe\'\n - \'*\\wmiprvse.exe\'\n Image:\n - \'*\\schtasks.exe\'\n - \'*\\nslookup.exe\'\n - \'*\\certutil.exe\'\n - \'*\\bitsadmin.exe\'\n - \'*\\mshta.exe\'\n falsepositives:\n CurrentDirectory: \'*\\ccmcache\\\\*\'\n condition: selection and not falsepositives\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Administrative scripts\n- Microsoft SCCM\nlevel: high\n\n
\n}}'),(9360,'Issue',518,15,'T1064'),(9361,'Issue',519,1,'Audio Capture via SoundRecorder'),(9362,'Issue',519,2,'E.M. Anhaus (orignally from Atomic Blue Detections, Endgame), oscd.community'),(9363,'Issue',519,8,'https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1123/T1123.yaml\nhttps://eqllib.readthedocs.io/en/latest/analytics/f72a98cb-7b3d-4100-99c3-a138b6e9ff6e.html'),(9364,'Issue',519,10,'medium'),(9365,'Issue',519,13,'community'),(9366,'Issue',519,14,'windows'),(9368,'Issue',519,11,'cb34e0e58'),(9369,'Issue',519,12,'83865853-59aa-449e-9600-74b9d89a6d6e'),(9370,'Issue',519,16,'win-proc'),(9371,'Issue',519,17,''),(9372,'Issue',519,7,''),(9373,'Issue',519,3,'Detect attacker collecting audio via SoundRecorder application'),(9374,'Issue',519,4,''),(9375,'Issue',519,5,'_False Positives_\nLegitimate audio capture by legitimate user'),(9376,'Issue',519,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\SoundRecorder.exe AND process.command_line.keyword:*\\/FILE*)\nindex: so-*\nname: Audio Capture via SoundRecorder\npriority: 3\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(9377,'Issue',519,9,'{{collapse(View Sigma)\n\n\ntitle: Audio Capture via SoundRecorder\nid: 83865853-59aa-449e-9600-74b9d89a6d6e\ndescription: Detect attacker collecting audio via SoundRecorder application\nstatus: experimental\nauthor: E.M. Anhaus (orignally from Atomic Blue Detections, Endgame), oscd.community\ndate: 2019/10/24\nmodified: 2019/11/11\nreferences:\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1123/T1123.yaml\n- https://eqllib.readthedocs.io/en/latest/analytics/f72a98cb-7b3d-4100-99c3-a138b6e9ff6e.html\ntags:\n- attack.collection\n- attack.t1123\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n Image|endswith: \\SoundRecorder.exe\n CommandLine|contains: /FILE\n condition: selection\nfalsepositives:\n- Legitimate audio capture by legitimate user\nlevel: medium\n\n
\n}}'),(9378,'Issue',519,15,'T1123'),(9379,'Issue',520,1,'Possible SPN Enumeration'),(9380,'Issue',520,2,'Markus Neis, keepwatch'),(9381,'Issue',520,8,'https://p16.praetorian.com/blog/how-to-use-kerberoasting-t1208-for-privilege-escalation'),(9382,'Issue',520,10,'medium'),(9383,'Issue',520,13,'community'),(9384,'Issue',520,14,'windows'),(9386,'Issue',520,11,'f2f2e56bb'),(9387,'Issue',520,12,'1eeed653-dbc8-4187-ad0c-eeebb20e6599'),(9388,'Issue',520,16,'win-proc'),(9389,'Issue',520,17,''),(9390,'Issue',520,7,''),(9391,'Issue',520,3,'Detects Service Principal Name Enumeration used for Kerberoasting'),(9392,'Issue',520,4,''),(9393,'Issue',520,5,'_False Positives_\nAdministrator Activity'),(9394,'Issue',520,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND (process.executable.keyword:*\\\\setspn.exe OR process.pe.description.keyword:*Query\\ or\\ reset\\ the\\ computer*\\ SPN\\ attribute*) AND process.command_line.keyword:*\\-q*)\nindex: so-*\nname: Possible SPN Enumeration\npriority: 3\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(9395,'Issue',520,9,'{{collapse(View Sigma)\n\n\ntitle: Possible SPN Enumeration\nid: 1eeed653-dbc8-4187-ad0c-eeebb20e6599\ndescription: Detects Service Principal Name Enumeration used for Kerberoasting\nstatus: experimental\nreferences:\n- https://p16.praetorian.com/blog/how-to-use-kerberoasting-t1208-for-privilege-escalation\nauthor: Markus Neis, keepwatch\ndate: 2018/11/14\ntags:\n- attack.credential_access\n- attack.t1208\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_image:\n Image: \'*\\setspn.exe\'\n selection_desc:\n Description: \'*Query or reset the computer* SPN attribute*\'\n cmd:\n CommandLine: \'*-q*\'\n condition: (selection_image or selection_desc) and cmd\nfalsepositives:\n- Administrator Activity\nlevel: medium\n\n
\n}}'),(9396,'Issue',520,15,'T1208'),(9397,'Issue',521,1,'Possible Ransomware or Unauthorized MBR Modifications'),(9398,'Issue',521,2,'@neu5ron'),(9399,'Issue',521,8,'https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/bcdedit--set'),(9400,'Issue',521,10,'medium'),(9401,'Issue',521,13,'community'),(9402,'Issue',521,14,'windows'),(9404,'Issue',521,11,'09cf8bf91'),(9405,'Issue',521,12,'c9fbe8e9-119d-40a6-9b59-dd58a5d84429'),(9406,'Issue',521,16,'win-proc'),(9407,'Issue',521,17,''),(9408,'Issue',521,7,''),(9409,'Issue',521,3,'Detects, possibly, malicious unauthorized usage of bcdedit.exe'),(9410,'Issue',521,4,''),(9411,'Issue',521,5,'_False Positives_\n Unknown'),(9412,'Issue',521,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event_data.NewProcessName.keyword:*\\\\bcdedit.exe AND ProcessCommandLine.keyword:(*delete* OR *deletevalue* OR *import*))\nindex: so-*\nname: Possible Ransomware or Unauthorized MBR Modifications\npriority: 3\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(9413,'Issue',521,9,'{{collapse(View Sigma)\n\n\ntitle: Possible Ransomware or Unauthorized MBR Modifications\nid: c9fbe8e9-119d-40a6-9b59-dd58a5d84429\nstatus: experimental\ndescription: Detects, possibly, malicious unauthorized usage of bcdedit.exe\nreferences:\n- https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/bcdedit--set\nauthor: \'@neu5ron\'\ndate: 2019/02/07\ntags:\n- attack.defense_evasion\n- attack.t1070\n- attack.persistence\n- attack.t1067\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n NewProcessName: \'*\\bcdedit.exe\'\n ProcessCommandLine:\n - \'*delete*\'\n - \'*deletevalue*\'\n - \'*import*\'\n condition: selection\nlevel: medium\n\n
\n}}'),(9414,'Issue',521,15,'T1070'),(9415,'Issue',521,15,'T1067'),(9416,'Issue',522,1,'Application Whitelisting Bypass via Bginfo'),(9417,'Issue',522,2,'Beyu Denis, oscd.community'),(9418,'Issue',522,8,'https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Bginfo.yml\nhttps://oddvar.moe/2017/05/18/bypassing-application-whitelisting-with-bginfo/'),(9419,'Issue',522,10,'medium'),(9420,'Issue',522,13,'community'),(9421,'Issue',522,14,'windows'),(9423,'Issue',522,11,'6fd11c107'),(9424,'Issue',522,12,'aaf46cdc-934e-4284-b329-34aa701e3771'),(9425,'Issue',522,16,'win-proc'),(9426,'Issue',522,17,''),(9427,'Issue',522,7,''),(9428,'Issue',522,3,'Execute VBscript code that is referenced within the *.bgi file.'),(9429,'Issue',522,4,''),(9430,'Issue',522,5,'_False Positives_\nUnknown'),(9431,'Issue',522,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\bginfo.exe AND process.command_line.keyword:*\\/popup* AND process.command_line.keyword:*\\/nolicprompt*)\nindex: so-*\nname: Application Whitelisting Bypass via Bginfo\npriority: 3\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(9432,'Issue',522,9,'{{collapse(View Sigma)\n\n\ntitle: Application Whitelisting Bypass via Bginfo\nid: aaf46cdc-934e-4284-b329-34aa701e3771\nstatus: experimental\ndescription: Execute VBscript code that is referenced within the *.bgi file.\nreferences:\n- https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Bginfo.yml\n- https://oddvar.moe/2017/05/18/bypassing-application-whitelisting-with-bginfo/\nauthor: Beyu Denis, oscd.community\ndate: 2019/10/26\nmodified: 2019/11/04\ntags:\n- attack.defense_evasion\n- attack.execution\n- attack.t1218\nlevel: medium\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n Image|endswith: \\bginfo.exe\n CommandLine|contains|all:\n - /popup\n - /nolicprompt\n condition: selection\nfalsepositives:\n- Unknown\n\n
\n}}'),(9433,'Issue',522,15,'T1218'),(9434,'Issue',523,1,'Suspicious Calculator Usage'),(9435,'Issue',523,2,'Florian Roth'),(9436,'Issue',523,8,'https://twitter.com/ItsReallyNick/status/1094080242686312448'),(9437,'Issue',523,10,'high'),(9438,'Issue',523,13,'community'),(9439,'Issue',523,14,'windows'),(9441,'Issue',523,11,'7ea9554ba'),(9442,'Issue',523,12,'737e618a-a410-49b5-bec3-9e55ff7fbc15'),(9443,'Issue',523,16,'win-proc'),(9444,'Issue',523,17,''),(9445,'Issue',523,7,''),(9446,'Issue',523,3,'Detects suspicious use of calc.exe with command line parameters or in a suspicious directory, which is likely caused by some PoC or detection evasion'),(9447,'Issue',523,4,''),(9448,'Issue',523,5,'_False Positives_\nUnknown'),(9449,'Issue',523,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND (process.command_line.keyword:*\\\\calc.exe\\ * OR (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\calc.exe AND (NOT (process.executable.keyword:*\\\\Windows\\\\Sys*)))))\nindex: so-*\nname: Suspicious Calculator Usage\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(9450,'Issue',523,9,'{{collapse(View Sigma)\n\n\ntitle: Suspicious Calculator Usage\nid: 737e618a-a410-49b5-bec3-9e55ff7fbc15\ndescription: Detects suspicious use of calc.exe with command line parameters or in\n a suspicious directory, which is likely caused by some PoC or detection evasion\nstatus: experimental\nreferences:\n- https://twitter.com/ItsReallyNick/status/1094080242686312448\nauthor: Florian Roth\ndate: 2019/02/09\ntags:\n- attack.defense_evasion\n- attack.t1036\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection1:\n CommandLine: \'*\\calc.exe *\'\n selection2:\n Image: \'*\\calc.exe\'\n filter2:\n Image: \'*\\Windows\\Sys*\'\n condition: selection1 or ( selection2 and not filter2 )\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(9451,'Issue',523,15,'T1036'),(9452,'Issue',524,1,'Possible App Whitelisting Bypass via WinDbg/CDB as a Shellcode Runner'),(9453,'Issue',524,2,'Beyu Denis, oscd.community'),(9454,'Issue',524,8,'https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Cdb.yml\nhttp://www.exploit-monday.com/2016/08/windbg-cdb-shellcode-runner.html'),(9455,'Issue',524,10,'medium'),(9456,'Issue',524,13,'community'),(9457,'Issue',524,14,'windows'),(9459,'Issue',524,11,'ef8ab8f1c'),(9460,'Issue',524,12,'b5c7395f-e501-4a08-94d4-57fe7a9da9d2'),(9461,'Issue',524,16,'win-proc'),(9462,'Issue',524,17,''),(9463,'Issue',524,7,''),(9464,'Issue',524,3,'Launch 64-bit shellcode from the x64_calc.wds file using cdb.exe.'),(9465,'Issue',524,4,''),(9466,'Issue',524,5,'_False Positives_\nLegitimate use of debugging tools'),(9467,'Issue',524,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\cdb.exe AND process.command_line.keyword:*\\-cf*)\nindex: so-*\nname: Possible App Whitelisting Bypass via WinDbg/CDB as a Shellcode Runner\npriority: 3\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(9468,'Issue',524,9,'{{collapse(View Sigma)\n\n\ntitle: Possible App Whitelisting Bypass via WinDbg/CDB as a Shellcode Runner\nid: b5c7395f-e501-4a08-94d4-57fe7a9da9d2\nstatus: experimental\ndescription: Launch 64-bit shellcode from the x64_calc.wds file using cdb.exe.\nreferences:\n- https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Cdb.yml\n- http://www.exploit-monday.com/2016/08/windbg-cdb-shellcode-runner.html\nauthor: Beyu Denis, oscd.community\ndate: 2019/10/26\nmodified: 2019/11/04\ntags:\n- attack.defense_evasion\n- attack.execution\n- attack.t1218\nlevel: medium\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n Image|endswith: \\cdb.exe\n CommandLine|contains: -cf\n condition: selection\nfalsepositives:\n- Legitimate use of debugging tools\n\n
\n}}'),(9469,'Issue',524,15,'T1218'),(9470,'Issue',525,1,'Suspicious Certutil Command'),(9471,'Issue',525,2,'Florian Roth, juju4, keepwatch'),(9472,'Issue',525,8,'https://twitter.com/JohnLaTwC/status/835149808817991680\nhttps://twitter.com/subTee/status/888102593838362624\nhttps://twitter.com/subTee/status/888071631528235010\nhttps://blogs.technet.microsoft.com/pki/2006/11/30/basic-crl-checking-with-certutil/\nhttps://www.trustedsec.com/2017/07/new-tool-release-nps_payload/\nhttps://twitter.com/egre55/status/1087685529016193025\nhttps://lolbas-project.github.io/lolbas/Binaries/Certutil/'),(9473,'Issue',525,10,'high'),(9474,'Issue',525,13,'community'),(9475,'Issue',525,14,'windows'),(9477,'Issue',525,11,'67ceb029c'),(9478,'Issue',525,12,'e011a729-98a6-4139-b5c4-bf6f6dd8239a'),(9479,'Issue',525,16,'win-proc'),(9480,'Issue',525,17,''),(9481,'Issue',525,7,''),(9482,'Issue',525,3,'Detects a suspicious Microsoft certutil execution with sub commands like \'decode\' sub command, which is sometimes used to decode malicious code with the built-in certutil utility'),(9483,'Issue',525,4,''),(9484,'Issue',525,5,'_False Positives_\nFalse positives depend on scripts and administrative tools used in the monitored environment\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(9485,'Issue',525,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(*\\ \\-decode\\ * OR *\\ \\/decode\\ * OR *\\ \\-decodehex\\ * OR *\\ \\/decodehex\\ * OR *\\ \\-urlcache\\ * OR *\\ \\/urlcache\\ * OR *\\ \\-verifyctl\\ * OR *\\ \\/verifyctl\\ * OR *\\ \\-encode\\ * OR *\\ \\/encode\\ * OR *certutil*\\ \\-URL* OR *certutil*\\ \\/URL* OR *certutil*\\ \\-ping* OR *certutil*\\ \\/ping*))\nindex: so-*\nname: Suspicious Certutil Command\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(9486,'Issue',525,9,'{{collapse(View Sigma)\n\n\ntitle: Suspicious Certutil Command\nid: e011a729-98a6-4139-b5c4-bf6f6dd8239a\nstatus: experimental\ndescription: Detects a suspicious Microsoft certutil execution with sub commands like\n \'decode\' sub command, which is sometimes used to decode malicious code with the\n built-in certutil utility\nauthor: Florian Roth, juju4, keepwatch\nmodified: 2019/01/22\ndate: 2019/01/16\nreferences:\n- https://twitter.com/JohnLaTwC/status/835149808817991680\n- https://twitter.com/subTee/status/888102593838362624\n- https://twitter.com/subTee/status/888071631528235010\n- https://blogs.technet.microsoft.com/pki/2006/11/30/basic-crl-checking-with-certutil/\n- https://www.trustedsec.com/2017/07/new-tool-release-nps_payload/\n- https://twitter.com/egre55/status/1087685529016193025\n- https://lolbas-project.github.io/lolbas/Binaries/Certutil/\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n CommandLine:\n - \'* -decode *\'\n - \'* /decode *\'\n - \'* -decodehex *\'\n - \'* /decodehex *\'\n - \'* -urlcache *\'\n - \'* /urlcache *\'\n - \'* -verifyctl *\'\n - \'* /verifyctl *\'\n - \'* -encode *\'\n - \'* /encode *\'\n - \'*certutil* -URL*\'\n - \'*certutil* /URL*\'\n - \'*certutil* -ping*\'\n - \'*certutil* /ping*\'\n condition: selection\nfields:\n- CommandLine\n- ParentCommandLine\ntags:\n- attack.defense_evasion\n- attack.t1140\n- attack.t1105\n- attack.s0189\n- attack.g0007\nfalsepositives:\n- False positives depend on scripts and administrative tools used in the monitored\n environment\nlevel: high\n\n
\n}}'),(9487,'Issue',525,15,'T1140'),(9488,'Issue',525,15,'T1105'),(9489,'Issue',526,1,'Certutil Encode'),(9490,'Issue',526,2,'Florian Roth'),(9491,'Issue',526,8,'https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil\nhttps://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/'),(9492,'Issue',526,10,'medium'),(9493,'Issue',526,13,'community'),(9494,'Issue',526,14,'windows'),(9495,'Issue',526,15,''),(9496,'Issue',526,11,'8b115c8b1'),(9497,'Issue',526,12,'e62a9f0c-ca1e-46b2-85d5-a6da77f86d1a'),(9498,'Issue',526,16,'win-proc'),(9499,'Issue',526,17,''),(9500,'Issue',526,7,''),(9501,'Issue',526,3,'Detects suspicious a certutil command that used to encode files, which is sometimes used for data exfiltration'),(9502,'Issue',526,4,''),(9503,'Issue',526,5,'_False Positives_\nunknown'),(9504,'Issue',526,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(certutil\\ \\-f\\ \\-encode\\ * OR certutil.exe\\ \\-f\\ \\-encode\\ * OR certutil\\ \\-encode\\ \\-f\\ * OR certutil.exe\\ \\-encode\\ \\-f\\ *))\nindex: so-*\nname: Certutil Encode\npriority: 3\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(9505,'Issue',526,9,'{{collapse(View Sigma)\n\n\ntitle: Certutil Encode\nid: e62a9f0c-ca1e-46b2-85d5-a6da77f86d1a\nstatus: experimental\ndescription: Detects suspicious a certutil command that used to encode files, which\n is sometimes used for data exfiltration\nreferences:\n- https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil\n- https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/\nauthor: Florian Roth\ndate: 2019/02/24\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n CommandLine:\n - certutil -f -encode *\n - certutil.exe -f -encode *\n - certutil -encode -f *\n - certutil.exe -encode -f *\n condition: selection\nfalsepositives:\n- unknown\nlevel: medium\n\n
\n}}'),(9506,'Issue',527,1,'Suspicious Commandline Escape'),(9507,'Issue',527,2,'juju4'),(9508,'Issue',527,8,'https://twitter.com/vysecurity/status/885545634958385153\nhttps://twitter.com/Hexacorn/status/885553465417756673\nhttps://twitter.com/Hexacorn/status/885570278637678592\nhttps://www.fireeye.com/blog/threat-research/2017/06/obfuscation-in-the-wild.html\nhttp://www.windowsinspired.com/understanding-the-command-line-string-and-arguments-received-by-a-windows-program/'),(9509,'Issue',527,10,'low'),(9510,'Issue',527,13,'community'),(9511,'Issue',527,14,'windows'),(9513,'Issue',527,11,'2267c2557'),(9514,'Issue',527,12,'f0cdd048-82dc-4f7a-8a7a-b87a52b6d0fd'),(9515,'Issue',527,16,'win-proc'),(9516,'Issue',527,17,''),(9517,'Issue',527,7,''),(9518,'Issue',527,3,'Detects suspicious process that use escape characters'),(9519,'Issue',527,4,''),(9520,'Issue',527,5,'_False Positives_\nFalse positives depend on scripts and administrative tools used in the monitored environment'),(9521,'Issue',527,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(*h\\^t\\^t\\^p* OR *h\\\"t\\\"t\\\"p*))\nindex: so-*\nname: Suspicious Commandline Escape\npriority: 4\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(9522,'Issue',527,9,'{{collapse(View Sigma)\n\n\ntitle: Suspicious Commandline Escape\nid: f0cdd048-82dc-4f7a-8a7a-b87a52b6d0fd\ndescription: Detects suspicious process that use escape characters\nstatus: experimental\nreferences:\n- https://twitter.com/vysecurity/status/885545634958385153\n- https://twitter.com/Hexacorn/status/885553465417756673\n- https://twitter.com/Hexacorn/status/885570278637678592\n- https://www.fireeye.com/blog/threat-research/2017/06/obfuscation-in-the-wild.html\n- http://www.windowsinspired.com/understanding-the-command-line-string-and-arguments-received-by-a-windows-program/\nauthor: juju4\ndate: 2018/12/11\nmodified: 2020/03/14\ntags:\n- attack.defense_evasion\n- attack.t1140\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n CommandLine:\n - \'*h^t^t^p*\'\n - \'*h\"t\"t\"p*\'\n condition: selection\nfalsepositives:\n- False positives depend on scripts and administrative tools used in the monitored\n environment\nlevel: low\n\n
\n}}'),(9523,'Issue',527,15,'T1140'),(9524,'Issue',528,1,'Command Line Execution with Suspicious URL and AppData Strings'),(9525,'Issue',528,2,'Florian Roth'),(9526,'Issue',528,8,'https://www.hybrid-analysis.com/sample/3a1f01206684410dbe8f1900bbeaaa543adfcd07368ba646b499fa5274b9edf6?environmentId=100\nhttps://www.hybrid-analysis.com/sample/f16c729aad5c74f19784a24257236a8bbe27f7cdc4a89806031ec7f1bebbd475?environmentId=100'),(9527,'Issue',528,10,'medium'),(9528,'Issue',528,13,'community'),(9529,'Issue',528,14,'windows'),(9531,'Issue',528,11,'6f1a08e1b'),(9532,'Issue',528,12,'1ac8666b-046f-4201-8aba-1951aaec03a3'),(9533,'Issue',528,16,'win-proc'),(9534,'Issue',528,17,''),(9535,'Issue',528,7,''),(9536,'Issue',528,3,'Detects a suspicious command line execution that includes an URL and AppData string in the command line parameters as used by several droppers (js/vbs > powershell)'),(9537,'Issue',528,4,''),(9538,'Issue',528,5,'_False Positives_\nHigh\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(9539,'Issue',528,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(cmd.exe\\ \\/c\\ *http\\:\\/\\/*%AppData% OR cmd.exe\\ \\/c\\ *https\\:\\/\\/*%AppData%))\nindex: so-*\nname: Command Line Execution with Suspicious URL and AppData Strings\npriority: 3\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(9540,'Issue',528,9,'{{collapse(View Sigma)\n\n\ntitle: Command Line Execution with Suspicious URL and AppData Strings\nid: 1ac8666b-046f-4201-8aba-1951aaec03a3\nstatus: experimental\ndescription: Detects a suspicious command line execution that includes an URL and\n AppData string in the command line parameters as used by several droppers (js/vbs\n > powershell)\nreferences:\n- https://www.hybrid-analysis.com/sample/3a1f01206684410dbe8f1900bbeaaa543adfcd07368ba646b499fa5274b9edf6?environmentId=100\n- https://www.hybrid-analysis.com/sample/f16c729aad5c74f19784a24257236a8bbe27f7cdc4a89806031ec7f1bebbd475?environmentId=100\nauthor: Florian Roth\ndate: 2019/01/16\ntags:\n- attack.execution\n- attack.t1059\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n CommandLine:\n - cmd.exe /c *http://*%AppData%\n - cmd.exe /c *https://*%AppData%\n condition: selection\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- High\nlevel: medium\n\n
\n}}'),(9541,'Issue',528,15,'T1059'),(9542,'Issue',529,1,'Suspicious Code Page Switch'),(9543,'Issue',529,2,'Florian Roth'),(9544,'Issue',529,8,'https://docs.microsoft.com/en-us/windows/win32/intl/code-page-identifiers\nhttps://twitter.com/cglyer/status/1183756892952248325'),(9545,'Issue',529,10,'medium'),(9546,'Issue',529,13,'community'),(9547,'Issue',529,14,'windows'),(9548,'Issue',529,15,''),(9549,'Issue',529,11,'29f880f96'),(9550,'Issue',529,12,'c7942406-33dd-4377-a564-0f62db0593a3'),(9551,'Issue',529,16,'win-proc'),(9552,'Issue',529,17,''),(9553,'Issue',529,7,''),(9554,'Issue',529,3,'Detects a code page switch in command line or batch scripts to a rare language'),(9555,'Issue',529,4,''),(9556,'Issue',529,5,'_False Positives_\nAdministrative activity (adjust code pages according to your organisation\'s region)\n\n_Interesting Log Fields_\nParentCommandLine'),(9557,'Issue',529,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(chcp*\\ 936 OR chcp*\\ 1258))\nindex: so-*\nname: Suspicious Code Page Switch\npriority: 3\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(9558,'Issue',529,9,'{{collapse(View Sigma)\n\n\ntitle: Suspicious Code Page Switch\nid: c7942406-33dd-4377-a564-0f62db0593a3\nstatus: experimental\ndescription: Detects a code page switch in command line or batch scripts to a rare\n language\nauthor: Florian Roth\ndate: 2019/10/14\nreferences:\n- https://docs.microsoft.com/en-us/windows/win32/intl/code-page-identifiers\n- https://twitter.com/cglyer/status/1183756892952248325\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n CommandLine:\n - chcp* 936\n - chcp* 1258\n condition: selection\nfields:\n- ParentCommandLine\nfalsepositives:\n- Administrative activity (adjust code pages according to your organisation\'s region)\nlevel: medium\n\n
\n}}'),(9559,'Issue',530,1,'Reconnaissance Activity with Net Command'),(9560,'Issue',530,2,'Florian Roth, Markus Neis'),(9561,'Issue',530,8,'https://twitter.com/haroonmeer/status/939099379834658817\nhttps://twitter.com/c_APT_ure/status/939475433711722497\nhttps://www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html'),(9562,'Issue',530,10,'medium'),(9563,'Issue',530,13,'community'),(9564,'Issue',530,14,'windows'),(9566,'Issue',530,11,'c51af1088'),(9567,'Issue',530,12,'2887e914-ce96-435f-8105-593937e90757'),(9568,'Issue',530,16,'win-proc'),(9569,'Issue',530,17,''),(9570,'Issue',530,7,''),(9571,'Issue',530,3,'Detects a set of commands often used in recon stages by different attack groups'),(9572,'Issue',530,4,''),(9573,'Issue',530,5,'_False Positives_\nFalse positives depend on scripts and administrative tools used in the monitored environment'),(9574,'Issue',530,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(tasklist OR net\\ time OR systeminfo OR whoami OR nbtstat OR net\\ start OR *\\\\net1\\ start OR qprocess OR nslookup OR hostname.exe OR *\\\\net1\\ user\\ \\/domain OR *\\\\net1\\ group\\ \\/domain OR *\\\\net1\\ group\\ \\\"domain\\ admins\\\"\\ \\/domain OR *\\\\net1\\ group\\ \\\"Exchange\\ Trusted\\ Subsystem\\\"\\ \\/domain OR *\\\\net1\\ accounts\\ \\/domain OR *\\\\net1\\ user\\ net\\ localgroup\\ administrators OR netstat\\ \\-an))\nindex: so-*\nmax_threshold: 4\nmetric_agg_key: _id\nmetric_agg_type: cardinality\nname: Reconnaissance Activity with Net Command\npriority: 3\nquery_key: process.command_line.keyword\nrealert:\n minutes: 0\ntype: metric_aggregation\n
\n}}'),(9575,'Issue',530,9,'{{collapse(View Sigma)\n\n\ntitle: Reconnaissance Activity with Net Command\nid: 2887e914-ce96-435f-8105-593937e90757\nstatus: experimental\ndescription: Detects a set of commands often used in recon stages by different attack\n groups\nreferences:\n- https://twitter.com/haroonmeer/status/939099379834658817\n- https://twitter.com/c_APT_ure/status/939475433711722497\n- https://www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html\nauthor: Florian Roth, Markus Neis\ndate: 2018/08/22\nmodified: 2018/12/11\ntags:\n- attack.discovery\n- attack.t1087\n- attack.t1082\n- car.2016-03-001\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n CommandLine:\n - tasklist\n - net time\n - systeminfo\n - whoami\n - nbtstat\n - net start\n - \'*\\net1 start\'\n - qprocess\n - nslookup\n - hostname.exe\n - \'*\\net1 user /domain\'\n - \'*\\net1 group /domain\'\n - \'*\\net1 group \"domain admins\" /domain\'\n - \'*\\net1 group \"Exchange Trusted Subsystem\" /domain\'\n - \'*\\net1 accounts /domain\'\n - \'*\\net1 user net localgroup administrators\'\n - netstat -an\n timeframe: 15s\n condition: selection | count() by CommandLine > 4\nfalsepositives:\n- False positives depend on scripts and administrative tools used in the monitored\n environment\nlevel: medium\n\n
\n}}'),(9576,'Issue',530,15,'T1087'),(9577,'Issue',530,15,'T1082'),(9578,'Issue',531,1,'Suspicious Compression Tool Parameters'),(9579,'Issue',531,2,'Florian Roth, Samir Bousseaden'),(9580,'Issue',531,8,'https://twitter.com/SBousseaden/status/1184067445612535811'),(9581,'Issue',531,10,'high'),(9582,'Issue',531,13,'community'),(9583,'Issue',531,14,'windows'),(9585,'Issue',531,11,'ca20cc397'),(9586,'Issue',531,12,'27a72a60-7e5e-47b1-9d17-909c9abafdcd'),(9587,'Issue',531,16,'win-proc'),(9588,'Issue',531,17,''),(9589,'Issue',531,7,''),(9590,'Issue',531,3,'Detects suspicious command line arguments of common data compression tools'),(9591,'Issue',531,4,''),(9592,'Issue',531,5,'_False Positives_\nunknown'),(9593,'Issue',531,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (OriginalFileName.keyword:(7z*.exe OR *rar.exe OR *Command*Line*RAR*) AND process.command_line.keyword:(*\\ \\-p* OR *\\ \\-ta* OR *\\ \\-tb* OR *\\ \\-sdel* OR *\\ \\-dw* OR *\\ \\-hp*)) AND (NOT (process.parent.executable.keyword:C\\:\\\\Program*)))\nindex: so-*\nname: Suspicious Compression Tool Parameters\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(9594,'Issue',531,9,'{{collapse(View Sigma)\n\n\ntitle: Suspicious Compression Tool Parameters\nid: 27a72a60-7e5e-47b1-9d17-909c9abafdcd\nstatus: experimental\ndescription: Detects suspicious command line arguments of common data compression\n tools\nreferences:\n- https://twitter.com/SBousseaden/status/1184067445612535811\ntags:\n- attack.exfiltration\n- attack.t1020\n- attack.t1002\nauthor: Florian Roth, Samir Bousseaden\ndate: 2019/10/15\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n OriginalFileName:\n - 7z*.exe\n - \'*rar.exe\'\n - \'*Command*Line*RAR*\'\n CommandLine:\n - \'* -p*\'\n - \'* -ta*\'\n - \'* -tb*\'\n - \'* -sdel*\'\n - \'* -dw*\'\n - \'* -hp*\'\n falsepositive:\n ParentImage: C:\\Program*\n condition: selection and not falsepositive\nfalsepositives:\n- unknown\nlevel: high\n\n
\n}}'),(9595,'Issue',531,15,'T1020'),(9596,'Issue',531,15,'T1002'),(9597,'Issue',532,1,'Process Dump via Comsvcs DLL'),(9598,'Issue',532,2,'Modexp (idea)'),(9599,'Issue',532,8,'https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/\nhttps://twitter.com/SBousseaden/status/1167417096374050817'),(9600,'Issue',532,10,'medium'),(9601,'Issue',532,13,'community'),(9602,'Issue',532,14,'windows'),(9604,'Issue',532,11,'01665fd2b'),(9605,'Issue',532,12,'09e6d5c0-05b8-4ff8-9eeb-043046ec774c'),(9606,'Issue',532,16,'win-proc'),(9607,'Issue',532,17,''),(9608,'Issue',532,7,''),(9609,'Issue',532,3,'Detects process memory dump via comsvcs.dll and rundll32'),(9610,'Issue',532,4,''),(9611,'Issue',532,5,'_False Positives_\nunknown\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(9612,'Issue',532,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND (process.executable.keyword:*\\\\rundll32.exe OR OriginalFileName:\"RUNDLL32.EXE\") AND process.command_line.keyword:(*comsvcs*MiniDump*full* OR *comsvcs*MiniDumpW*full*))\nindex: so-*\nname: Process Dump via Comsvcs DLL\npriority: 3\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(9613,'Issue',532,9,'{{collapse(View Sigma)\n\n\ntitle: Process Dump via Comsvcs DLL\nid: 09e6d5c0-05b8-4ff8-9eeb-043046ec774c\nstatus: experimental\ndescription: Detects process memory dump via comsvcs.dll and rundll32\nreferences:\n- https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/\n- https://twitter.com/SBousseaden/status/1167417096374050817\nauthor: Modexp (idea)\ndate: 2019/09/02\nlogsource:\n category: process_creation\n product: windows\ndetection:\n rundll_image:\n Image: \'*\\rundll32.exe\'\n rundll_ofn:\n OriginalFileName: RUNDLL32.EXE\n selection:\n CommandLine:\n - \'*comsvcs*MiniDump*full*\'\n - \'*comsvcs*MiniDumpW*full*\'\n condition: (rundll_image or rundll_ofn) and selection\nfields:\n- CommandLine\n- ParentCommandLine\ntags:\n- attack.credential_access\n- attack.t1003\nfalsepositives:\n- unknown\nlevel: medium\n\n
\n}}'),(9614,'Issue',532,15,'T1003'),(9615,'Issue',533,1,'Suspicious Control Panel DLL Load'),(9616,'Issue',533,2,'Florian Roth'),(9617,'Issue',533,8,'https://twitter.com/rikvduijn/status/853251879320662017'),(9618,'Issue',533,10,'high'),(9619,'Issue',533,13,'community'),(9620,'Issue',533,14,'windows'),(9622,'Issue',533,11,'7b06179ac'),(9623,'Issue',533,12,'d7eb979b-c2b5-4a6f-a3a7-c87ce6763819'),(9624,'Issue',533,16,'win-proc'),(9625,'Issue',533,17,''),(9626,'Issue',533,7,''),(9627,'Issue',533,3,'Detects suspicious Rundll32 execution from control.exe as used by Equation Group and Exploit Kits'),(9628,'Issue',533,4,''),(9629,'Issue',533,5,'_False Positives_\nUnknown\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(9630,'Issue',533,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (process.parent.executable.keyword:*\\\\System32\\\\control.exe AND process.command_line.keyword:*\\\\rundll32.exe\\ *) AND (NOT (process.command_line.keyword:*Shell32.dll*)))\nindex: so-*\nname: Suspicious Control Panel DLL Load\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(9631,'Issue',533,9,'{{collapse(View Sigma)\n\n\ntitle: Suspicious Control Panel DLL Load\nid: d7eb979b-c2b5-4a6f-a3a7-c87ce6763819\nstatus: experimental\ndescription: Detects suspicious Rundll32 execution from control.exe as used by Equation\n Group and Exploit Kits\nauthor: Florian Roth\ndate: 2017/04/15\nreferences:\n- https://twitter.com/rikvduijn/status/853251879320662017\ntags:\n- attack.defense_evasion\n- attack.t1073\n- attack.t1085\n- car.2013-10-002\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n ParentImage: \'*\\System32\\control.exe\'\n CommandLine: \'*\\rundll32.exe *\'\n filter:\n CommandLine: \'*Shell32.dll*\'\n condition: selection and not filter\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(9632,'Issue',533,15,'T1073'),(9633,'Issue',533,15,'T1085'),(9634,'Issue',534,1,'Copy from Admin Share'),(9635,'Issue',534,2,'Florian Roth'),(9636,'Issue',534,8,'https://twitter.com/SBousseaden/status/1211636381086339073'),(9637,'Issue',534,10,'high'),(9638,'Issue',534,13,'community'),(9639,'Issue',534,14,'windows'),(9641,'Issue',534,11,'ec9ee9ed7'),(9642,'Issue',534,12,'855bc8b5-2ae8-402e-a9ed-b889e6df1900'),(9643,'Issue',534,16,'win-proc'),(9644,'Issue',534,17,''),(9645,'Issue',534,7,''),(9646,'Issue',534,3,'Detects a suspicious copy command from a remote C$ or ADMIN$ share'),(9647,'Issue',534,4,''),(9648,'Issue',534,5,'_False Positives_\nAdministrative scripts\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(9649,'Issue',534,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(*copy\\ *\\\\c$* OR *copy\\ *\\\\ADMIN$*))\nindex: so-*\nname: Copy from Admin Share\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(9650,'Issue',534,9,'{{collapse(View Sigma)\n\n\ntitle: Copy from Admin Share\nid: 855bc8b5-2ae8-402e-a9ed-b889e6df1900\nstatus: experimental\ndescription: Detects a suspicious copy command from a remote C$ or ADMIN$ share\nreferences:\n- https://twitter.com/SBousseaden/status/1211636381086339073\nauthor: Florian Roth\ndate: 2019/12/30\ntags:\n- attack.lateral_movement\n- attack.t1077\n- attack.t1105\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n CommandLine|contains:\n - copy *\\c$\n - copy *\\ADMIN$\n condition: selection\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Administrative scripts\nlevel: high\n\n
\n}}'),(9651,'Issue',534,15,'T1077'),(9652,'Issue',534,15,'T1105'),(9653,'Issue',535,1,'Suspicious Parent of Csc.exe'),(9654,'Issue',535,2,'Florian Roth'),(9655,'Issue',535,8,'https://twitter.com/SBousseaden/status/1094924091256176641'),(9656,'Issue',535,10,'high'),(9657,'Issue',535,13,'community'),(9658,'Issue',535,14,'windows'),(9660,'Issue',535,11,'2a0ef0717'),(9661,'Issue',535,12,'b730a276-6b63-41b8-bcf8-55930c8fc6ee'),(9662,'Issue',535,16,'win-proc'),(9663,'Issue',535,17,''),(9664,'Issue',535,7,''),(9665,'Issue',535,3,'Detects a suspicious parent of csc.exe, which could by a sign of payload delivery'),(9666,'Issue',535,4,''),(9667,'Issue',535,5,'_False Positives_\nUnkown'),(9668,'Issue',535,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\csc.exe* AND process.parent.executable.keyword:(*\\\\wscript.exe OR *\\\\cscript.exe OR *\\\\mshta.exe))\nindex: so-*\nname: Suspicious Parent of Csc.exe\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(9669,'Issue',535,9,'{{collapse(View Sigma)\n\n\ntitle: Suspicious Parent of Csc.exe\nid: b730a276-6b63-41b8-bcf8-55930c8fc6ee\ndescription: Detects a suspicious parent of csc.exe, which could by a sign of payload\n delivery\nstatus: experimental\nreferences:\n- https://twitter.com/SBousseaden/status/1094924091256176641\nauthor: Florian Roth\ndate: 2019/02/11\ntags:\n- attack.defense_evasion\n- attack.t1036\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n Image: \'*\\csc.exe*\'\n ParentImage:\n - \'*\\wscript.exe\'\n - \'*\\cscript.exe\'\n - \'*\\mshta.exe\'\n condition: selection\nfalsepositives:\n- Unkown\nlevel: high\n\n
\n}}'),(9670,'Issue',535,15,'T1036'),(9671,'Issue',536,1,'Suspicious Csc.exe Source File Folder'),(9672,'Issue',536,2,'Florian Roth'),(9673,'Issue',536,8,'https://securityboulevard.com/2019/08/agent-tesla-evading-edr-by-removing-api-hooks/\nhttps://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf\nhttps://app.any.run/tasks/c6993447-d1d8-414e-b856-675325e5aa09/\nhttps://twitter.com/gN3mes1s/status/1206874118282448897'),(9674,'Issue',536,10,'high'),(9675,'Issue',536,13,'community'),(9676,'Issue',536,14,'windows'),(9678,'Issue',536,11,'7da368a8e'),(9679,'Issue',536,12,'dcaa3f04-70c3-427a-80b4-b870d73c94c4'),(9680,'Issue',536,16,'win-proc'),(9681,'Issue',536,17,''),(9682,'Issue',536,7,''),(9683,'Issue',536,3,'Detects a suspicious execution of csc.exe, which uses a source in a suspicious folder (e.g. AppData)'),(9684,'Issue',536,4,''),(9685,'Issue',536,5,'_False Positives_\nhttps://twitter.com/gN3mes1s/status/1206874118282448897\nhttps://twitter.com/gabriele_pippi/status/1206907900268072962'),(9686,'Issue',536,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (process.executable.keyword:*\\\\csc.exe AND process.command_line.keyword:(*\\\\AppData\\\\* OR *\\\\Windows\\\\Temp\\\\*)) AND (NOT (process.parent.executable.keyword:(C\\:\\\\Program\\ Files* OR *\\\\sdiagnhost.exe OR *\\\\w3wp.exe))))\nindex: so-*\nname: Suspicious Csc.exe Source File Folder\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(9687,'Issue',536,9,'{{collapse(View Sigma)\n\n\ntitle: Suspicious Csc.exe Source File Folder\nid: dcaa3f04-70c3-427a-80b4-b870d73c94c4\ndescription: Detects a suspicious execution of csc.exe, which uses a source in a suspicious\n folder (e.g. AppData)\nstatus: experimental\nreferences:\n- https://securityboulevard.com/2019/08/agent-tesla-evading-edr-by-removing-api-hooks/\n- https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf\n- https://app.any.run/tasks/c6993447-d1d8-414e-b856-675325e5aa09/\n- https://twitter.com/gN3mes1s/status/1206874118282448897\nauthor: Florian Roth\ndate: 2019/08/24\nmodified: 2019/12/17\ntags:\n- attack.defense_evasion\n- attack.t1500\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n Image: \'*\\csc.exe\'\n CommandLine:\n - \'*\\AppData\\\\*\'\n - \'*\\Windows\\Temp\\\\*\'\n filter:\n ParentImage:\n - C:\\Program Files*\n - \'*\\sdiagnhost.exe\'\n - \'*\\w3wp.exe\'\n condition: selection and not filter\nfalsepositives:\n- https://twitter.com/gN3mes1s/status/1206874118282448897\n- https://twitter.com/gabriele_pippi/status/1206907900268072962\nlevel: high\n\n
\n}}'),(9688,'Issue',536,15,'T1500'),(9689,'Issue',537,1,'Curl Start Combination'),(9690,'Issue',537,2,'Sreeman'),(9691,'Issue',537,8,'https://medium.com/@reegun/curl-exe-is-the-new-rundll32-exe-lolbin-3f79c5f35983'),(9692,'Issue',537,10,'medium'),(9693,'Issue',537,13,'community'),(9694,'Issue',537,14,'windows'),(9696,'Issue',537,11,'cba091473'),(9697,'Issue',537,12,'21dd6d38-2b18-4453-9404-a0fe4a0cc288'),(9698,'Issue',537,16,'win-proc'),(9699,'Issue',537,17,''),(9700,'Issue',537,7,''),(9701,'Issue',537,3,'Adversaries can use curl to download payloads remotely and execute them. Curl is included by default in Windows 10 build 17063 and later.'),(9702,'Issue',537,4,''),(9703,'Issue',537,5,'_False Positives_\nAdministrative scripts (installers)\n\n_Interesting Log Fields_\nParentImage\nCommandLine'),(9704,'Issue',537,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:*curl*\\ start\\ *)\nindex: so-*\nname: Curl Start Combination\npriority: 3\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(9705,'Issue',537,9,'{{collapse(View Sigma)\n\n\ntitle: Curl Start Combination\nid: 21dd6d38-2b18-4453-9404-a0fe4a0cc288\nstatus: experimental\ndescription: Adversaries can use curl to download payloads remotely and execute them.\n Curl is included by default in Windows 10 build 17063 and later.\nreferences:\n- https://medium.com/@reegun/curl-exe-is-the-new-rundll32-exe-lolbin-3f79c5f35983\nauthor: Sreeman\ndate: 2020/01/13\ntags:\n- attack.execution\n- attack.t1218\nlogsource:\n category: process_creation\n product: windows\ndetection:\n condition: selection\n selection:\n CommandLine|contains: \'curl* start \'\nfalsepositives:\n- Administrative scripts (installers)\nfields:\n- ParentImage\n- CommandLine\nlevel: medium\n\n
\n}}'),(9706,'Issue',537,15,'T1218'),(9707,'Issue',538,1,'ZOHO Dctask64 Process Injection'),(9708,'Issue',538,2,'Florian Roth'),(9709,'Issue',538,8,'https://twitter.com/gN3mes1s/status/1222088214581825540\nhttps://twitter.com/gN3mes1s/status/1222095963789111296\nhttps://twitter.com/gN3mes1s/status/1222095371175911424'),(9710,'Issue',538,10,'high'),(9711,'Issue',538,13,'community'),(9712,'Issue',538,14,'windows'),(9714,'Issue',538,11,'fe9f76fc8'),(9715,'Issue',538,12,'6345b048-8441-43a7-9bed-541133633d7a'),(9716,'Issue',538,16,'win-proc'),(9717,'Issue',538,17,''),(9718,'Issue',538,7,''),(9719,'Issue',538,3,'Detects suspicious process injection using ZOHO\'s dctask64.exe'),(9720,'Issue',538,4,''),(9721,'Issue',538,5,'_False Positives_\nUnknown yet\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine\nParentImage'),(9722,'Issue',538,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:(*\\\\dctask64.exe) AND (NOT (process.command_line.keyword:(*DesktopCentral_Agent\\\\agent*))))\nindex: so-*\nname: ZOHO Dctask64 Process Injection\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(9723,'Issue',538,9,'{{collapse(View Sigma)\n\n\ntitle: ZOHO Dctask64 Process Injection\nid: 6345b048-8441-43a7-9bed-541133633d7a\nstatus: experimental\ndescription: Detects suspicious process injection using ZOHO\'s dctask64.exe\nreferences:\n- https://twitter.com/gN3mes1s/status/1222088214581825540\n- https://twitter.com/gN3mes1s/status/1222095963789111296\n- https://twitter.com/gN3mes1s/status/1222095371175911424\nauthor: Florian Roth\ndate: 2020/01/28\ntags:\n- attack.defense_evasion\n- attack.t1055\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n Image|endswith:\n - \\dctask64.exe\n filter:\n CommandLine|contains:\n - DesktopCentral_Agent\\agent\n condition: selection and not filter\nfields:\n- CommandLine\n- ParentCommandLine\n- ParentImage\nfalsepositives:\n- Unknown yet\nlevel: high\n\n
\n}}'),(9724,'Issue',538,15,'T1055'),(9725,'Issue',539,1,'Devtoolslauncher.exe Executes Specified Binary'),(9726,'Issue',539,2,'Beyu Denis, oscd.community (rule), @_felamos (idea)'),(9727,'Issue',539,8,'https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Devtoolslauncher.yml\nhttps://twitter.com/_felamos/status/1179811992841797632'),(9728,'Issue',539,10,'critical'),(9729,'Issue',539,13,'community'),(9730,'Issue',539,14,'windows'),(9732,'Issue',539,11,'8beb4a23d'),(9733,'Issue',539,12,'cc268ac1-42d9-40fd-9ed3-8c4e1a5b87e6'),(9734,'Issue',539,16,'win-proc'),(9735,'Issue',539,17,''),(9736,'Issue',539,7,''),(9737,'Issue',539,3,'The Devtoolslauncher.exe executes other binary'),(9738,'Issue',539,4,''),(9739,'Issue',539,5,'_False Positives_\nLegitimate use of devtoolslauncher.exe by legitimate user'),(9740,'Issue',539,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\devtoolslauncher.exe AND process.command_line.keyword:*LaunchForDeploy*)\nindex: so-*\nname: Devtoolslauncher.exe Executes Specified Binary\npriority: 1\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(9741,'Issue',539,9,'{{collapse(View Sigma)\n\n\ntitle: Devtoolslauncher.exe Executes Specified Binary\nid: cc268ac1-42d9-40fd-9ed3-8c4e1a5b87e6\nstatus: experimental\ndescription: The Devtoolslauncher.exe executes other binary\nreferences:\n- https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Devtoolslauncher.yml\n- https://twitter.com/_felamos/status/1179811992841797632\nauthor: Beyu Denis, oscd.community (rule), @_felamos (idea)\ndate: 2019/10/12\nmodified: 2019/11/04\ntags:\n- attack.defense_evasion\n- attack.execution\n- attack.t1218\nlevel: critical\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n Image|endswith: \\devtoolslauncher.exe\n CommandLine|contains: LaunchForDeploy\n condition: selection\nfalsepositives:\n- Legitimate use of devtoolslauncher.exe by legitimate user\n\n
\n}}'),(9742,'Issue',539,15,'T1218'),(9743,'Issue',540,1,'Direct Autorun Keys Modification'),(9744,'Issue',540,2,'Victor Sergeev, Daniil Yugoslavskiy, oscd.community'),(9745,'Issue',540,8,'https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1060/T1060.yaml'),(9746,'Issue',540,10,'medium'),(9747,'Issue',540,13,'community'),(9748,'Issue',540,14,'windows'),(9750,'Issue',540,11,'8eab5e98e'),(9751,'Issue',540,12,'24357373-078f-44ed-9ac4-6d334a668a11'),(9752,'Issue',540,16,'win-proc'),(9753,'Issue',540,17,''),(9754,'Issue',540,7,''),(9755,'Issue',540,3,'Detects direct modification of autostart extensibility point (ASEP) in registry using reg.exe.'),(9756,'Issue',540,4,''),(9757,'Issue',540,5,'_False Positives_\nLegitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason\nLegitimate administrator sets up autorun keys for legitimate reason\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(9758,'Issue',540,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\reg.exe AND process.command_line.keyword:*add* AND process.command_line.keyword:(*\\\\software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run* OR *\\\\software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce* OR *\\\\software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnceEx* OR *\\\\software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunServices* OR *\\\\software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunServicesOnce* OR *\\\\software\\\\Microsoft\\\\Windows\\ NT\\\\CurrentVersion\\\\Winlogon\\\\Userinit* OR *\\\\software\\\\Microsoft\\\\Windows\\ NT\\\\CurrentVersion\\\\Winlogon\\\\Shell* OR *\\\\software\\\\Microsoft\\\\Windows\\ NT\\\\CurrentVersion\\\\Windows* OR *\\\\software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User\\ Shell\\ Folders* OR *\\\\system\\\\CurrentControlSet\\\\Control\\\\SafeBoot\\\\AlternateShell*))\nindex: so-*\nname: Direct Autorun Keys Modification\npriority: 3\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(9759,'Issue',540,9,'{{collapse(View Sigma)\n\n\ntitle: Direct Autorun Keys Modification\nid: 24357373-078f-44ed-9ac4-6d334a668a11\ndescription: Detects direct modification of autostart extensibility point (ASEP) in\n registry using reg.exe.\nstatus: experimental\nreferences:\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1060/T1060.yaml\ntags:\n- attack.persistence\n- attack.t1060\ndate: 2019/10/25\nmodified: 2019/11/10\nauthor: Victor Sergeev, Daniil Yugoslavskiy, oscd.community\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_1:\n Image|endswith: \'*\\reg.exe\'\n CommandLine|contains: add\n selection_2:\n CommandLine|contains:\n - \\software\\Microsoft\\Windows\\CurrentVersion\\Run\n - \\software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\n - \\software\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx\n - \\software\\Microsoft\\Windows\\CurrentVersion\\RunServices\n - \\software\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce\n - \\software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit\n - \\software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell\n - \\software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\n - \\software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\n - \\system\\CurrentControlSet\\Control\\SafeBoot\\AlternateShell\n condition: selection_1 and selection_2\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Legitimate software automatically (mostly, during installation) sets up autorun\n keys for legitimate reason\n- Legitimate administrator sets up autorun keys for legitimate reason\nlevel: medium\n\n
\n}}'),(9760,'Issue',540,15,'T1060'),(9761,'Issue',541,1,'Application Whitelisting Bypass via Dnx.exe'),(9762,'Issue',541,2,'Beyu Denis, oscd.community'),(9763,'Issue',541,8,'https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Csi.yml\nhttps://enigma0x3.net/2016/11/17/bypassing-application-whitelisting-by-using-dnx-exe/'),(9764,'Issue',541,10,'medium'),(9765,'Issue',541,13,'community'),(9766,'Issue',541,14,'windows'),(9768,'Issue',541,11,'4f84e2c15'),(9769,'Issue',541,12,'81ebd28b-9607-4478-bf06-974ed9d53ed7'),(9770,'Issue',541,16,'win-proc'),(9771,'Issue',541,17,''),(9772,'Issue',541,7,''),(9773,'Issue',541,3,'Execute C# code located in the consoleapp folder'),(9774,'Issue',541,4,''),(9775,'Issue',541,5,'_False Positives_\nLegitimate use of dnx.exe by legitimate user'),(9776,'Issue',541,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\dnx.exe)\nindex: so-*\nname: Application Whitelisting Bypass via Dnx.exe\npriority: 3\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(9777,'Issue',541,9,'{{collapse(View Sigma)\n\n\ntitle: Application Whitelisting Bypass via Dnx.exe\nid: 81ebd28b-9607-4478-bf06-974ed9d53ed7\nstatus: experimental\ndescription: Execute C# code located in the consoleapp folder\nreferences:\n- https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Csi.yml\n- https://enigma0x3.net/2016/11/17/bypassing-application-whitelisting-by-using-dnx-exe/\nauthor: Beyu Denis, oscd.community\ndate: 2019/10/26\nmodified: 2019/11/04\ntags:\n- attack.defense_evasion\n- attack.execution\n- attack.t1218\nlevel: medium\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n Image|endswith: \\dnx.exe\n condition: selection\nfalsepositives:\n- Legitimate use of dnx.exe by legitimate user\n\n
\n}}'),(9778,'Issue',541,15,'T1218'),(9779,'Issue',542,1,'Suspicious Double Extension'),(9780,'Issue',542,2,'Florian Roth (rule), @blu3_team (idea)'),(9781,'Issue',542,8,'https://blu3-team.blogspot.com/2019/06/misleading-extensions-xlsexe-docexe.html\nhttps://twitter.com/blackorbird/status/1140519090961825792'),(9782,'Issue',542,10,'critical'),(9783,'Issue',542,13,'community'),(9784,'Issue',542,14,'windows'),(9786,'Issue',542,11,'17b387ea8'),(9787,'Issue',542,12,'1cdd9a09-06c9-4769-99ff-626e2b3991b8'),(9788,'Issue',542,16,'win-proc'),(9789,'Issue',542,17,''),(9790,'Issue',542,7,''),(9791,'Issue',542,3,'Detects suspicious use of an .exe extension after a non-executable file extension like .pdf.exe, a set of spaces or underlines to cloak the executable file in spear phishing campaigns'),(9792,'Issue',542,4,''),(9793,'Issue',542,5,'_False Positives_\nUnknown'),(9794,'Issue',542,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:(*.doc.exe OR *.docx.exe OR *.xls.exe OR *.xlsx.exe OR *.ppt.exe OR *.pptx.exe OR *.rtf.exe OR *.pdf.exe OR *.txt.exe OR *\\ \\ \\ \\ \\ \\ .exe OR *______.exe))\nindex: so-*\nname: Suspicious Double Extension\npriority: 1\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(9795,'Issue',542,9,'{{collapse(View Sigma)\n\n\ntitle: Suspicious Double Extension\nid: 1cdd9a09-06c9-4769-99ff-626e2b3991b8\ndescription: Detects suspicious use of an .exe extension after a non-executable file\n extension like .pdf.exe, a set of spaces or underlines to cloak the executable file\n in spear phishing campaigns\nreferences:\n- https://blu3-team.blogspot.com/2019/06/misleading-extensions-xlsexe-docexe.html\n- https://twitter.com/blackorbird/status/1140519090961825792\nauthor: Florian Roth (rule), @blu3_team (idea)\ndate: 2019/06/26\ntags:\n- attack.initial_access\n- attack.t1193\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n Image:\n - \'*.doc.exe\'\n - \'*.docx.exe\'\n - \'*.xls.exe\'\n - \'*.xlsx.exe\'\n - \'*.ppt.exe\'\n - \'*.pptx.exe\'\n - \'*.rtf.exe\'\n - \'*.pdf.exe\'\n - \'*.txt.exe\'\n - \'* .exe\'\n - \'*______.exe\'\n condition: selection\nfalsepositives:\n- Unknown\nlevel: critical\n\n
\n}}'),(9796,'Issue',542,15,'T1193'),(9797,'Issue',543,1,'Application Whitelisting Bypass via Dxcap.exe'),(9798,'Issue',543,2,'Beyu Denis, oscd.community'),(9799,'Issue',543,8,'https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Dxcap.yml\nhttps://twitter.com/harr0ey/status/992008180904419328'),(9800,'Issue',543,10,'medium'),(9801,'Issue',543,13,'community'),(9802,'Issue',543,14,'windows'),(9804,'Issue',543,11,'21213eb67'),(9805,'Issue',543,12,'60f16a96-db70-42eb-8f76-16763e333590'),(9806,'Issue',543,16,'win-proc'),(9807,'Issue',543,17,''),(9808,'Issue',543,7,''),(9809,'Issue',543,3,'Detects execution of of Dxcap.exe'),(9810,'Issue',543,4,''),(9811,'Issue',543,5,'_False Positives_\nLegitimate execution of dxcap.exe by legitimate user'),(9812,'Issue',543,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\dxcap.exe AND process.command_line.keyword:*\\-c* AND process.command_line.keyword:*.exe*)\nindex: so-*\nname: Application Whitelisting Bypass via Dxcap.exe\npriority: 3\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(9813,'Issue',543,9,'{{collapse(View Sigma)\n\n\ntitle: Application Whitelisting Bypass via Dxcap.exe\nid: 60f16a96-db70-42eb-8f76-16763e333590\nstatus: experimental\ndescription: Detects execution of of Dxcap.exe\nreferences:\n- https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Dxcap.yml\n- https://twitter.com/harr0ey/status/992008180904419328\nauthor: Beyu Denis, oscd.community\ndate: 2019/10/26\nmodified: 2019/11/04\ntags:\n- attack.defense_evasion\n- attack.execution\n- attack.t1218\nlevel: medium\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n Image|endswith: \\dxcap.exe\n CommandLine|contains|all:\n - -c\n - .exe\n condition: selection\nfalsepositives:\n- Legitimate execution of dxcap.exe by legitimate user\n\n
\n}}'),(9814,'Issue',543,15,'T1218'),(9815,'Issue',544,1,'Suspicious Eventlog Clear or Configuration Using Wevtutil'),(9816,'Issue',544,2,'Ecco, Daniil Yugoslavskiy, oscd.community'),(9817,'Issue',544,8,'https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070/T1070.yaml\nhttps://eqllib.readthedocs.io/en/latest/analytics/5b223758-07d6-4100-9e11-238cfdd0fe97.html'),(9818,'Issue',544,10,'high'),(9819,'Issue',544,13,'community'),(9820,'Issue',544,14,'windows'),(9822,'Issue',544,11,'63dddab3d'),(9823,'Issue',544,12,'cc36992a-4671-4f21-a91d-6c2b72a2edf5'),(9824,'Issue',544,16,'win-proc'),(9825,'Issue',544,17,''),(9826,'Issue',544,7,''),(9827,'Issue',544,3,'Detects clearing or configuration of eventlogs uwing wevtutil, powershell and wmic. Might be used by ransomwares during the attack (seen by NotPetya and others)'),(9828,'Issue',544,4,''),(9829,'Issue',544,5,'_False Positives_\nAdmin activity\nScripts and administrative tools used in the monitored environment'),(9830,'Issue',544,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND (((process.executable.keyword:*\\\\powershell.exe AND process.command_line.keyword:(*Clear\\-EventLog* OR *Remove\\-EventLog* OR *Limit\\-EventLog*)) OR (process.executable.keyword:*\\\\wmic.exe AND process.command_line.keyword:*\\ ClearEventLog\\ *)) OR (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\wevtutil.exe AND process.command_line.keyword:(*clear\\-log* OR *\\ cl\\ * OR *set\\-log* OR *\\ sl\\ *))))\nindex: so-*\nname: Suspicious Eventlog Clear or Configuration Using Wevtutil\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(9831,'Issue',544,9,'{{collapse(View Sigma)\n\n\ntitle: Suspicious Eventlog Clear or Configuration Using Wevtutil\nid: cc36992a-4671-4f21-a91d-6c2b72a2edf5\ndescription: Detects clearing or configuration of eventlogs uwing wevtutil, powershell\n and wmic. Might be used by ransomwares during the attack (seen by NotPetya and others)\nauthor: Ecco, Daniil Yugoslavskiy, oscd.community\nreferences:\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070/T1070.yaml\n- https://eqllib.readthedocs.io/en/latest/analytics/5b223758-07d6-4100-9e11-238cfdd0fe97.html\ndate: 2019/09/26\nmodified: 2019/11/11\ntags:\n- attack.defense_evasion\n- attack.t1070\n- car.2016-04-002\nlevel: high\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_wevtutil_binary:\n Image|endswith: \\wevtutil.exe\n selection_wevtutil_command:\n CommandLine|contains:\n - clear-log\n - \' cl \'\n - set-log\n - \' sl \'\n selection_other_ps:\n Image|endswith: \\powershell.exe\n CommandLine|contains:\n - Clear-EventLog\n - Remove-EventLog\n - Limit-EventLog\n selection_other_wmic:\n Image|endswith: \\wmic.exe\n CommandLine|contains: \' ClearEventLog \'\n condition: 1 of selection_other_* or (selection_wevtutil_binary and selection_wevtutil_command)\nfalsepositives:\n- Admin activity\n- Scripts and administrative tools used in the monitored environment\n\n
\n}}'),(9832,'Issue',544,15,'T1070'),(9833,'Issue',545,1,'Executables Started in Suspicious Folder'),(9834,'Issue',545,2,'Florian Roth'),(9835,'Issue',545,8,'https://github.com/mbevilacqua/appcompatprocessor/blob/master/AppCompatSearch.txt\nhttps://www.secureworks.com/research/bronze-butler-targets-japanese-businesses\nhttps://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/\nhttps://github.com/ThreatHuntingProject/ThreatHunting/blob/master/hunts/suspicious_process_creation_via_windows_event_logs.md'),(9836,'Issue',545,10,'high'),(9837,'Issue',545,13,'community'),(9838,'Issue',545,14,'windows'),(9840,'Issue',545,11,'a3054aa4c'),(9841,'Issue',545,12,'7a38aa19-86a9-4af7-ac51-6bfe4e59f254'),(9842,'Issue',545,16,'win-proc'),(9843,'Issue',545,17,''),(9844,'Issue',545,7,''),(9845,'Issue',545,3,'Detects process starts of binaries from a suspicious folder'),(9846,'Issue',545,4,''),(9847,'Issue',545,5,'_False Positives_\nUnknown'),(9848,'Issue',545,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:(C\\:\\\\PerfLogs\\\\* OR C\\:\\\\$Recycle.bin\\\\* OR C\\:\\\\Intel\\\\Logs\\\\* OR C\\:\\\\Users\\\\Default\\\\* OR C\\:\\\\Users\\\\Public\\\\* OR C\\:\\\\Users\\\\NetworkService\\\\* OR C\\:\\\\Windows\\\\Fonts\\\\* OR C\\:\\\\Windows\\\\Debug\\\\* OR C\\:\\\\Windows\\\\Media\\\\* OR C\\:\\\\Windows\\\\Help\\\\* OR C\\:\\\\Windows\\\\addins\\\\* OR C\\:\\\\Windows\\\\repair\\\\* OR C\\:\\\\Windows\\\\security\\\\* OR *\\\\RSA\\\\MachineKeys\\\\* OR C\\:\\\\Windows\\\\system32\\\\config\\\\systemprofile\\\\* OR C\\:\\\\Windows\\\\Tasks\\\\* OR C\\:\\\\Windows\\\\System32\\\\Tasks\\\\*))\nindex: so-*\nname: Executables Started in Suspicious Folder\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(9849,'Issue',545,9,'{{collapse(View Sigma)\n\n\ntitle: Executables Started in Suspicious Folder\nid: 7a38aa19-86a9-4af7-ac51-6bfe4e59f254\nstatus: experimental\ndescription: Detects process starts of binaries from a suspicious folder\nauthor: Florian Roth\ndate: 2017/10/14\nmodified: 2019/02/21\nreferences:\n- https://github.com/mbevilacqua/appcompatprocessor/blob/master/AppCompatSearch.txt\n- https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses\n- https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/\n- https://github.com/ThreatHuntingProject/ThreatHunting/blob/master/hunts/suspicious_process_creation_via_windows_event_logs.md\ntags:\n- attack.defense_evasion\n- attack.t1036\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n Image:\n - C:\\PerfLogs\\\\*\n - C:\\$Recycle.bin\\\\*\n - C:\\Intel\\Logs\\\\*\n - C:\\Users\\Default\\\\*\n - C:\\Users\\Public\\\\*\n - C:\\Users\\NetworkService\\\\*\n - C:\\Windows\\Fonts\\\\*\n - C:\\Windows\\Debug\\\\*\n - C:\\Windows\\Media\\\\*\n - C:\\Windows\\Help\\\\*\n - C:\\Windows\\addins\\\\*\n - C:\\Windows\\repair\\\\*\n - C:\\Windows\\security\\\\*\n - \'*\\RSA\\MachineKeys\\\\*\'\n - C:\\Windows\\system32\\config\\systemprofile\\\\*\n - C:\\Windows\\Tasks\\\\*\n - C:\\Windows\\System32\\Tasks\\\\*\n condition: selection\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(9850,'Issue',545,15,'T1036'),(9851,'Issue',546,1,'Execution in Non-Executable Folder'),(9852,'Issue',546,2,'Florian Roth'),(9853,'Issue',546,8,'none'),(9854,'Issue',546,10,'high'),(9855,'Issue',546,13,'community'),(9856,'Issue',546,14,'windows'),(9858,'Issue',546,11,'a7b3dd43a'),(9859,'Issue',546,12,'3dfd06d2-eaf4-4532-9555-68aca59f57c4'),(9860,'Issue',546,16,'win-proc'),(9861,'Issue',546,17,''),(9862,'Issue',546,7,''),(9863,'Issue',546,3,'Detects a suspicious exection from an uncommon folder'),(9864,'Issue',546,4,''),(9865,'Issue',546,5,'_False Positives_\nUnknown\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(9866,'Issue',546,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:(*\\\\$Recycle.bin OR *\\\\Users\\\\All\\ Users\\\\* OR *\\\\Users\\\\Default\\\\* OR *\\\\Users\\\\Public\\\\* OR C\\:\\\\Perflogs\\\\* OR *\\\\config\\\\systemprofile\\\\* OR *\\\\Windows\\\\Fonts\\\\* OR *\\\\Windows\\\\IME\\\\* OR *\\\\Windows\\\\addins\\\\*))\nindex: so-*\nname: Execution in Non-Executable Folder\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(9867,'Issue',546,9,'{{collapse(View Sigma)\n\n\ntitle: Execution in Non-Executable Folder\nid: 3dfd06d2-eaf4-4532-9555-68aca59f57c4\nstatus: experimental\ndescription: Detects a suspicious exection from an uncommon folder\nauthor: Florian Roth\ndate: 2019/01/16\ntags:\n- attack.defense_evasion\n- attack.t1036\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n Image:\n - \'*\\$Recycle.bin\'\n - \'*\\Users\\All Users\\\\*\'\n - \'*\\Users\\Default\\\\*\'\n - \'*\\Users\\Public\\\\*\'\n - C:\\Perflogs\\\\*\n - \'*\\config\\systemprofile\\\\*\'\n - \'*\\Windows\\Fonts\\\\*\'\n - \'*\\Windows\\IME\\\\*\'\n - \'*\\Windows\\addins\\\\*\'\n condition: selection\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(9868,'Issue',546,15,'T1036'),(9869,'Issue',547,1,'Execution in Webserver Root Folder'),(9870,'Issue',547,2,'Florian Roth'),(9871,'Issue',547,8,'none'),(9872,'Issue',547,10,'medium'),(9873,'Issue',547,13,'community'),(9874,'Issue',547,14,'windows'),(9876,'Issue',547,11,'3e95069d6'),(9877,'Issue',547,12,'35efb964-e6a5-47ad-bbcd-19661854018d'),(9878,'Issue',547,16,'win-proc'),(9879,'Issue',547,17,''),(9880,'Issue',547,7,''),(9881,'Issue',547,3,'Detects a suspicious program execution in a web service root folder (filter out false positives)'),(9882,'Issue',547,4,''),(9883,'Issue',547,5,'_False Positives_\nVarious applications\nTools that include ping or nslookup command invocations\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(9884,'Issue',547,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:(*\\\\wwwroot\\\\* OR *\\\\wmpub\\\\* OR *\\\\htdocs\\\\*) AND (NOT (process.executable.keyword:(*bin\\\\* OR *\\\\Tools\\\\* OR *\\\\SMSComponent\\\\*) AND process.parent.executable.keyword:(*\\\\services.exe))))\nindex: so-*\nname: Execution in Webserver Root Folder\npriority: 3\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(9885,'Issue',547,9,'{{collapse(View Sigma)\n\n\ntitle: Execution in Webserver Root Folder\nid: 35efb964-e6a5-47ad-bbcd-19661854018d\nstatus: experimental\ndescription: Detects a suspicious program execution in a web service root folder (filter\n out false positives)\nauthor: Florian Roth\ndate: 2019/01/16\ntags:\n- attack.persistence\n- attack.t1100\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n Image:\n - \'*\\wwwroot\\\\*\'\n - \'*\\wmpub\\\\*\'\n - \'*\\htdocs\\\\*\'\n filter:\n Image:\n - \'*bin\\\\*\'\n - \'*\\Tools\\\\*\'\n - \'*\\SMSComponent\\\\*\'\n ParentImage:\n - \'*\\services.exe\'\n condition: selection and not filter\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Various applications\n- Tools that include ping or nslookup command invocations\nlevel: medium\n\n
\n}}'),(9886,'Issue',547,15,'T1100'),(9887,'Issue',548,1,'Firewall Disabled via Netsh'),(9888,'Issue',548,2,'Fatih Sirin'),(9889,'Issue',548,8,'https://www.winhelponline.com/blog/enable-and-disable-windows-firewall-quickly-using-command-line/\nhttps://app.any.run/tasks/210244b9-0b6b-4a2c-83a3-04bd3175d017/'),(9890,'Issue',548,10,'medium'),(9891,'Issue',548,13,'community'),(9892,'Issue',548,14,'windows'),(9893,'Issue',548,15,''),(9894,'Issue',548,11,'525bbf871'),(9895,'Issue',548,12,'57c4bf16-227f-4394-8ec7-1b745ee061c3'),(9896,'Issue',548,16,'win-proc'),(9897,'Issue',548,17,''),(9898,'Issue',548,7,''),(9899,'Issue',548,3,'Detects netsh commands that turns off the Windows firewall'),(9900,'Issue',548,4,''),(9901,'Issue',548,5,'_False Positives_\nLegitimate administration'),(9902,'Issue',548,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(netsh\\ firewall\\ set\\ opmode\\ mode\\=disable OR netsh\\ advfirewall\\ set\\ *\\ state\\ off))\nindex: so-*\nname: Firewall Disabled via Netsh\npriority: 3\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(9903,'Issue',548,9,'{{collapse(View Sigma)\n\n\ntitle: Firewall Disabled via Netsh\nid: 57c4bf16-227f-4394-8ec7-1b745ee061c3\ndescription: Detects netsh commands that turns off the Windows firewall\nreferences:\n- https://www.winhelponline.com/blog/enable-and-disable-windows-firewall-quickly-using-command-line/\n- https://app.any.run/tasks/210244b9-0b6b-4a2c-83a3-04bd3175d017/\ndate: 2019/11/01\nstatus: experimental\nauthor: Fatih Sirin\ntags:\n- attack.defense_evasion\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n CommandLine:\n - netsh firewall set opmode mode=disable\n - netsh advfirewall set * state off\n condition: selection\nfalsepositives:\n- Legitimate administration\nlevel: medium\n\n
\n}}'),(9904,'Issue',549,1,'Fsutil Suspicious Invocation'),(9905,'Issue',549,2,'Ecco, E.M. Anhaus, oscd.community'),(9906,'Issue',549,8,'https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/fsutil-usn\nhttps://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070/T1070.yaml\nhttps://eqllib.readthedocs.io/en/latest/analytics/c91f422a-5214-4b17-8664-c5fcf115c0a2.html'),(9907,'Issue',549,10,'high'),(9908,'Issue',549,13,'community'),(9909,'Issue',549,14,'windows'),(9911,'Issue',549,11,'b3585220b'),(9912,'Issue',549,12,'add64136-62e5-48ea-807e-88638d02df1e'),(9913,'Issue',549,16,'win-proc'),(9914,'Issue',549,17,''),(9915,'Issue',549,7,''),(9916,'Issue',549,3,'Detects suspicious parameters of fsutil (deleting USN journal, configuring it with small size..). Might be used by ransomwares during the attack (seen by NotPetya and others)'),(9917,'Issue',549,4,''),(9918,'Issue',549,5,'_False Positives_\nAdmin activity\nScripts and administrative tools used in the monitored environment'),(9919,'Issue',549,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND (process.executable.keyword:*\\\\fsutil.exe OR OriginalFileName:\"fsutil.exe\") AND process.command_line.keyword:(*deletejournal* OR *createjournal*))\nindex: so-*\nname: Fsutil Suspicious Invocation\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(9920,'Issue',549,9,'{{collapse(View Sigma)\n\n\ntitle: Fsutil Suspicious Invocation\nid: add64136-62e5-48ea-807e-88638d02df1e\ndescription: Detects suspicious parameters of fsutil (deleting USN journal, configuring\n it with small size..). Might be used by ransomwares during the attack (seen by NotPetya\n and others)\nauthor: Ecco, E.M. Anhaus, oscd.community\ndate: 2019/09/26\nmodified: 2019/11/11\nlevel: high\nreferences:\n- https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/fsutil-usn\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070/T1070.yaml\n- https://eqllib.readthedocs.io/en/latest/analytics/c91f422a-5214-4b17-8664-c5fcf115c0a2.html\ntags:\n- attack.defense_evasion\n- attack.t1070\nlogsource:\n category: process_creation\n product: windows\ndetection:\n binary_1:\n Image|endswith: \\fsutil.exe\n binary_2:\n OriginalFileName: fsutil.exe\n selection:\n CommandLine|contains:\n - deletejournal\n - createjournal\n condition: (1 of binary_*) and selection\nfalsepositives:\n- Admin activity\n- Scripts and administrative tools used in the monitored environment\n\n
\n}}'),(9921,'Issue',549,15,'T1070'),(9922,'Issue',550,1,'Suspicious GUP Usage'),(9923,'Issue',550,2,'Florian Roth'),(9924,'Issue',550,8,'https://www.fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html'),(9925,'Issue',550,10,'high'),(9926,'Issue',550,13,'community'),(9927,'Issue',550,14,'windows'),(9929,'Issue',550,11,'64acf349c'),(9930,'Issue',550,12,'0a4f6091-223b-41f6-8743-f322ec84930b'),(9931,'Issue',550,16,'win-proc'),(9932,'Issue',550,17,''),(9933,'Issue',550,7,''),(9934,'Issue',550,3,'Detects execution of the Notepad++ updater in a suspicious directory, which is often used in DLL side-loading attacks'),(9935,'Issue',550,4,''),(9936,'Issue',550,5,'_False Positives_\nExecution of tools named GUP.exe and located in folders different than Notepad++\\updater'),(9937,'Issue',550,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\GUP.exe AND (NOT (process.executable.keyword:(C\\:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Notepad\\+\\+\\\\updater\\\\gup.exe OR C\\:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Notepad\\+\\+\\\\updater\\\\gup.exe OR C\\:\\\\Program\\ Files\\\\Notepad\\+\\+\\\\updater\\\\gup.exe OR C\\:\\\\Program\\ Files\\ \\(x86\\)\\\\Notepad\\+\\+\\\\updater\\\\gup.exe))))\nindex: so-*\nname: Suspicious GUP Usage\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(9938,'Issue',550,9,'{{collapse(View Sigma)\n\n\ntitle: Suspicious GUP Usage\nid: 0a4f6091-223b-41f6-8743-f322ec84930b\ndescription: Detects execution of the Notepad++ updater in a suspicious directory,\n which is often used in DLL side-loading attacks\nstatus: experimental\nreferences:\n- https://www.fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html\ntags:\n- attack.defense_evasion\n- attack.t1073\nauthor: Florian Roth\ndate: 2019/02/06\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n Image: \'*\\GUP.exe\'\n filter:\n Image:\n - C:\\Users\\\\*\\AppData\\Local\\Notepad++\\updater\\gup.exe\n - C:\\Users\\\\*\\AppData\\Roaming\\Notepad++\\updater\\gup.exe\n - C:\\Program Files\\Notepad++\\updater\\gup.exe\n - C:\\Program Files (x86)\\Notepad++\\updater\\gup.exe\n condition: selection and not filter\nfalsepositives:\n- Execution of tools named GUP.exe and located in folders different than Notepad++\\updater\nlevel: high\n\n
\n}}'),(9939,'Issue',550,15,'T1073'),(9940,'Issue',551,1,'IIS Native-Code Module Command Line Installation'),(9941,'Issue',551,2,'Florian Roth'),(9942,'Issue',551,8,'https://researchcenter.paloaltonetworks.com/2018/01/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/'),(9943,'Issue',551,10,'medium'),(9944,'Issue',551,13,'community'),(9945,'Issue',551,14,'windows'),(9947,'Issue',551,11,'181436e25'),(9948,'Issue',551,12,'9465ddf4-f9e4-4ebd-8d98-702df3a93239'),(9949,'Issue',551,16,'win-proc'),(9950,'Issue',551,17,''),(9951,'Issue',551,7,''),(9952,'Issue',551,3,'Detects suspicious IIS native-code module installations via command line'),(9953,'Issue',551,4,''),(9954,'Issue',551,5,'_False Positives_\nUnknown as it may vary from organisation to arganisation how admins use to install IIS modules'),(9955,'Issue',551,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(*\\\\APPCMD.EXE\\ install\\ module\\ \\/name\\:*))\nindex: so-*\nname: IIS Native-Code Module Command Line Installation\npriority: 3\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(9956,'Issue',551,9,'{{collapse(View Sigma)\n\n\ntitle: IIS Native-Code Module Command Line Installation\nid: 9465ddf4-f9e4-4ebd-8d98-702df3a93239\ndescription: Detects suspicious IIS native-code module installations via command line\nstatus: experimental\nreferences:\n- https://researchcenter.paloaltonetworks.com/2018/01/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/\nauthor: Florian Roth\ndate: 2012/12/11\ntags:\n- attack.persistence\n- attack.t1100\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n CommandLine:\n - \'*\\APPCMD.EXE install module /name:*\'\n condition: selection\nfalsepositives:\n- Unknown as it may vary from organisation to arganisation how admins use to install\n IIS modules\nlevel: medium\n\n
\n}}'),(9957,'Issue',551,15,'T1100'),(9958,'Issue',552,1,'Suspicious MsiExec Directory'),(9959,'Issue',552,2,'Florian Roth'),(9960,'Issue',552,8,'https://twitter.com/200_okay_/status/1194765831911215104'),(9961,'Issue',552,10,'high'),(9962,'Issue',552,13,'community'),(9963,'Issue',552,14,'windows'),(9965,'Issue',552,11,'37c63b72b'),(9966,'Issue',552,12,'e22a6eb2-f8a5-44b5-8b44-a2dbd47b1144'),(9967,'Issue',552,16,'win-proc'),(9968,'Issue',552,17,''),(9969,'Issue',552,7,''),(9970,'Issue',552,3,'Detects suspicious msiexec process starts in an uncommon directory'),(9971,'Issue',552,4,''),(9972,'Issue',552,5,'_False Positives_\nUnknown'),(9973,'Issue',552,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\msiexec.exe AND (NOT (process.executable.keyword:(C\\:\\\\Windows\\\\System32\\\\* OR C\\:\\\\Windows\\\\SysWOW64\\\\* OR C\\:\\\\Windows\\\\WinSxS\\\\*))))\nindex: so-*\nname: Suspicious MsiExec Directory\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(9974,'Issue',552,9,'{{collapse(View Sigma)\n\n\ntitle: Suspicious MsiExec Directory\nid: e22a6eb2-f8a5-44b5-8b44-a2dbd47b1144\nstatus: experimental\ndescription: Detects suspicious msiexec process starts in an uncommon directory\nreferences:\n- https://twitter.com/200_okay_/status/1194765831911215104\ntags:\n- attack.defense_evasion\n- attack.t1036\nauthor: Florian Roth\ndate: 2019/11/14\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n Image: \'*\\msiexec.exe\'\n filter:\n Image:\n - C:\\Windows\\System32\\\\*\n - C:\\Windows\\SysWOW64\\\\*\n - C:\\Windows\\WinSxS\\\\*\n condition: selection and not filter\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(9975,'Issue',552,15,'T1036'),(9976,'Issue',553,1,'MsiExec Web Install'),(9977,'Issue',553,2,'Florian Roth'),(9978,'Issue',553,8,'https://blog.trendmicro.com/trendlabs-security-intelligence/attack-using-windows-installer-msiexec-exe-leads-lokibot/'),(9979,'Issue',553,10,'medium'),(9980,'Issue',553,13,'community'),(9981,'Issue',553,14,'windows'),(9982,'Issue',553,15,''),(9983,'Issue',553,11,'2175aa08b'),(9984,'Issue',553,12,'f7b5f842-a6af-4da5-9e95-e32478f3cd2f'),(9985,'Issue',553,16,'win-proc'),(9986,'Issue',553,17,''),(9987,'Issue',553,7,''),(9988,'Issue',553,3,'Detects suspicious msiexec process starts with web addreses as parameter'),(9989,'Issue',553,4,''),(9990,'Issue',553,5,'_False Positives_\nFalse positives depend on scripts and administrative tools used in the monitored environment'),(9991,'Issue',553,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(*\\ msiexec*\\:\\/\\/*))\nindex: so-*\nname: MsiExec Web Install\npriority: 3\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(9992,'Issue',553,9,'{{collapse(View Sigma)\n\n\ntitle: MsiExec Web Install\nid: f7b5f842-a6af-4da5-9e95-e32478f3cd2f\nstatus: experimental\ndescription: Detects suspicious msiexec process starts with web addreses as parameter\nreferences:\n- https://blog.trendmicro.com/trendlabs-security-intelligence/attack-using-windows-installer-msiexec-exe-leads-lokibot/\ntags:\n- attack.defense_evasion\nauthor: Florian Roth\ndate: 2018/02/09\nmodified: 2012/12/11\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n CommandLine:\n - \'* msiexec*://*\'\n condition: selection\nfalsepositives:\n- False positives depend on scripts and administrative tools used in the monitored\n environment\nlevel: medium\n\n
\n}}'),(9993,'Issue',554,1,'Malicious Payload Download via Office Binaries'),(9994,'Issue',554,2,'Beyu Denis, oscd.community'),(9995,'Issue',554,8,'https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Powerpnt.yml\nhttps://medium.com/@reegun/unsanitized-file-validation-leads-to-malicious-payload-download-via-office-binaries-202d02db7191\nReegun J (OCBC Bank)'),(9996,'Issue',554,10,'high'),(9997,'Issue',554,13,'community'),(9998,'Issue',554,14,'windows'),(10000,'Issue',554,11,'8099ea1df'),(10001,'Issue',554,12,'0c79148b-118e-472b-bdb7-9b57b444cc19'),(10002,'Issue',554,16,'win-proc'),(10003,'Issue',554,17,''),(10004,'Issue',554,7,''),(10005,'Issue',554,3,'Downloads payload from remote server'),(10006,'Issue',554,4,''),(10007,'Issue',554,5,'_False Positives_\nUnknown'),(10008,'Issue',554,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:(*\\\\powerpnt.exe OR *\\\\winword.exe OR *\\\\excel.exe) AND process.command_line.keyword:*http*)\nindex: so-*\nname: Malicious Payload Download via Office Binaries\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(10009,'Issue',554,9,'{{collapse(View Sigma)\n\n\ntitle: Malicious Payload Download via Office Binaries\nid: 0c79148b-118e-472b-bdb7-9b57b444cc19\nstatus: experimental\ndescription: Downloads payload from remote server\nreferences:\n- https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Powerpnt.yml\n- https://medium.com/@reegun/unsanitized-file-validation-leads-to-malicious-payload-download-via-office-binaries-202d02db7191\n- Reegun J (OCBC Bank)\nauthor: Beyu Denis, oscd.community\ndate: 2019/10/26\nmodified: 2019/11/04\ntags:\n- attack.command_and_control\n- attack.t1105\nlevel: high\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n Image|endswith:\n - \\powerpnt.exe\n - \\winword.exe\n - \\excel.exe\n CommandLine|contains: http\n condition: selection\nfalsepositives:\n- Unknown\n\n
\n}}'),(10010,'Issue',554,15,'T1105'),(10011,'Issue',555,1,'Net.exe Execution'),(10012,'Issue',555,2,'Michael Haag, Mark Woan (improvements), James Pemberton / @4A616D6573 / oscd.community (improvements)'),(10013,'Issue',555,8,'https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/\nhttps://eqllib.readthedocs.io/en/latest/analytics/4d2e7fc1-af0b-4915-89aa-03d25ba7805e.html\nhttps://eqllib.readthedocs.io/en/latest/analytics/e61f557c-a9d0-4c25-ab5b-bbc46bb24deb.html\nhttps://eqllib.readthedocs.io/en/latest/analytics/9b3dd402-891c-4c4d-a662-28947168ce61.html'),(10014,'Issue',555,10,'low'),(10015,'Issue',555,13,'community'),(10016,'Issue',555,14,'windows'),(10018,'Issue',555,11,'8e384336b'),(10019,'Issue',555,12,'183e7ea8-ac4b-4c23-9aec-b3dac4e401ac'),(10020,'Issue',555,16,'win-proc'),(10021,'Issue',555,17,''),(10022,'Issue',555,7,''),(10023,'Issue',555,3,'Detects execution of Net.exe, whether suspicious or benign.'),(10024,'Issue',555,4,''),(10025,'Issue',555,5,'_False Positives_\nWill need to be tuned. If using Splunk, I recommend | stats count by Computer,CommandLine following the search for easy hunting by computer/CommandLine.\n\n_Interesting Log Fields_\nComputerName\nUser\nCommandLine\nParentCommandLine'),(10026,'Issue',555,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:(*\\\\net.exe OR *\\\\net1.exe) AND process.command_line.keyword:(*\\ group* OR *\\ localgroup* OR *\\ user* OR *\\ view* OR *\\ share OR *\\ accounts* OR *\\ use* OR *\\ stop\\ *))\nindex: so-*\nname: Net.exe Execution\npriority: 4\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(10027,'Issue',555,9,'{{collapse(View Sigma)\n\n\ntitle: Net.exe Execution\nid: 183e7ea8-ac4b-4c23-9aec-b3dac4e401ac\nstatus: experimental\ndescription: Detects execution of Net.exe, whether suspicious or benign.\nreferences:\n- https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/\n- https://eqllib.readthedocs.io/en/latest/analytics/4d2e7fc1-af0b-4915-89aa-03d25ba7805e.html\n- https://eqllib.readthedocs.io/en/latest/analytics/e61f557c-a9d0-4c25-ab5b-bbc46bb24deb.html\n- https://eqllib.readthedocs.io/en/latest/analytics/9b3dd402-891c-4c4d-a662-28947168ce61.html\nauthor: Michael Haag, Mark Woan (improvements), James Pemberton / @4A616D6573 / oscd.community\n (improvements)\ndate: 2019/01/16\ntags:\n- attack.s0039\n- attack.t1027\n- attack.t1049\n- attack.t1077\n- attack.t1135\n- attack.lateral_movement\n- attack.discovery\n- attack.defense_evasion\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n Image:\n - \'*\\net.exe\'\n - \'*\\net1.exe\'\n cmdline:\n CommandLine:\n - \'* group*\'\n - \'* localgroup*\'\n - \'* user*\'\n - \'* view*\'\n - \'* share\'\n - \'* accounts*\'\n - \'* use*\'\n - \'* stop *\'\n condition: selection and cmdline\nfields:\n- ComputerName\n- User\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Will need to be tuned. If using Splunk, I recommend | stats count by Computer,CommandLine\n following the search for easy hunting by computer/CommandLine.\nlevel: low\n\n
\n}}'),(10028,'Issue',555,15,'T1027'),(10029,'Issue',555,15,'T1049'),(10030,'Issue',555,15,'T1077'),(10031,'Issue',555,15,'T1135'),(10032,'Issue',556,1,'Suspicious Netsh DLL Persistence'),(10033,'Issue',556,2,'Victor Sergeev, oscd.community'),(10034,'Issue',556,8,'https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1128/T1128.md'),(10035,'Issue',556,10,'high'),(10036,'Issue',556,13,'community'),(10037,'Issue',556,14,'windows'),(10039,'Issue',556,11,'bc3cec555'),(10040,'Issue',556,12,'56321594-9087-49d9-bf10-524fe8479452'),(10041,'Issue',556,16,'win-proc'),(10042,'Issue',556,17,''),(10043,'Issue',556,7,''),(10044,'Issue',556,3,'Detects persitence via netsh helper'),(10045,'Issue',556,4,''),(10046,'Issue',556,5,'_False Positives_\nUnknown\n\n_Interesting Log Fields_\nComputerName\nUser\nCommandLine\nParentCommandLine'),(10047,'Issue',556,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\netsh.exe AND process.command_line.keyword:*add* AND process.command_line.keyword:*helper*)\nindex: so-*\nname: Suspicious Netsh DLL Persistence\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(10048,'Issue',556,9,'{{collapse(View Sigma)\n\n\ntitle: Suspicious Netsh DLL Persistence\nid: 56321594-9087-49d9-bf10-524fe8479452\ndescription: Detects persitence via netsh helper\nstatus: test\nreferences:\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1128/T1128.md\ntags:\n- attack.persistence\n- attack.t1128\ndate: 2019/10/25\nmodified: 2019/10/25\nauthor: Victor Sergeev, oscd.community\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n Image|endswith: \\netsh.exe\n CommandLine|contains|all:\n - add\n - helper\n condition: selection\nfields:\n- ComputerName\n- User\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(10049,'Issue',556,15,'T1128'),(10050,'Issue',557,1,'Invocation of Active Directory Diagnostic Tool (ntdsutil.exe)'),(10051,'Issue',557,2,'Thomas Patzke'),(10052,'Issue',557,8,'https://jpcertcc.github.io/ToolAnalysisResultSheet/details/ntdsutil.htm'),(10053,'Issue',557,10,'high'),(10054,'Issue',557,13,'community'),(10055,'Issue',557,14,'windows'),(10057,'Issue',557,11,'49e9852da'),(10058,'Issue',557,12,'2afafd61-6aae-4df4-baed-139fa1f4c345'),(10059,'Issue',557,16,'win-proc'),(10060,'Issue',557,17,''),(10061,'Issue',557,7,''),(10062,'Issue',557,3,'Detects execution of ntdsutil.exe, which can be used for various attacks against the NTDS database (NTDS.DIT)'),(10063,'Issue',557,4,''),(10064,'Issue',557,5,'_False Positives_\nNTDS maintenance'),(10065,'Issue',557,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:*\\\\ntdsutil*)\nindex: so-*\nname: Invocation of Active Directory Diagnostic Tool (ntdsutil.exe)\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(10066,'Issue',557,9,'{{collapse(View Sigma)\n\n\ntitle: Invocation of Active Directory Diagnostic Tool (ntdsutil.exe)\nid: 2afafd61-6aae-4df4-baed-139fa1f4c345\ndescription: Detects execution of ntdsutil.exe, which can be used for various attacks\n against the NTDS database (NTDS.DIT)\nstatus: experimental\nreferences:\n- https://jpcertcc.github.io/ToolAnalysisResultSheet/details/ntdsutil.htm\nauthor: Thomas Patzke\ndate: 2019/01/16\ntags:\n- attack.credential_access\n- attack.t1003\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n CommandLine: \'*\\ntdsutil*\'\n condition: selection\nfalsepositives:\n- NTDS maintenance\nlevel: high\n\n
\n}}'),(10067,'Issue',557,15,'T1003'),(10068,'Issue',558,1,'Application Whitelisting Bypass via DLL Loaded by odbcconf.exe'),(10069,'Issue',558,2,'Kirill Kiryanov, Beyu Denis, Daniil Yugoslavskiy, oscd.community'),(10070,'Issue',558,8,'https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Odbcconf.yml\nhttps://twitter.com/Hexacorn/status/1187143326673330176'),(10071,'Issue',558,10,'medium'),(10072,'Issue',558,13,'community'),(10073,'Issue',558,14,'windows'),(10075,'Issue',558,11,'0c974e293'),(10076,'Issue',558,12,'65d2be45-8600-4042-b4c0-577a1ff8a60e'),(10077,'Issue',558,16,'win-proc'),(10078,'Issue',558,17,''),(10079,'Issue',558,7,''),(10080,'Issue',558,3,'Detects defence evasion attempt via odbcconf.exe execution to load DLL'),(10081,'Issue',558,4,''),(10082,'Issue',558,5,'_False Positives_\nLegitimate use of odbcconf.exe by legitimate user'),(10083,'Issue',558,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND ((process.executable.keyword:*\\\\odbcconf.exe AND process.command_line.keyword:(*\\-f* OR *regsvr*)) OR (process.parent.executable.keyword:*\\\\odbcconf.exe AND process.executable.keyword:*\\\\rundll32.exe)))\nindex: so-*\nname: Application Whitelisting Bypass via DLL Loaded by odbcconf.exe\npriority: 3\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(10084,'Issue',558,9,'{{collapse(View Sigma)\n\n\ntitle: Application Whitelisting Bypass via DLL Loaded by odbcconf.exe\nid: 65d2be45-8600-4042-b4c0-577a1ff8a60e\ndescription: Detects defence evasion attempt via odbcconf.exe execution to load DLL\nstatus: experimental\nreferences:\n- https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Odbcconf.yml\n- https://twitter.com/Hexacorn/status/1187143326673330176\nauthor: Kirill Kiryanov, Beyu Denis, Daniil Yugoslavskiy, oscd.community\ndate: 2019/10/25\nmodified: 2019/11/07\ntags:\n- attack.defense_evasion\n- attack.execution\n- attack.t1218\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_1:\n Image|endswith: \\odbcconf.exe\n CommandLine|contains:\n - -f\n - regsvr\n selection_2:\n ParentImage|endswith: \\odbcconf.exe\n Image|endswith: \\rundll32.exe\n condition: selection_1 or selection_2\nlevel: medium\nfalsepositives:\n- Legitimate use of odbcconf.exe by legitimate user\n\n
\n}}'),(10085,'Issue',558,15,'T1218'),(10086,'Issue',559,1,'OpenWith.exe Executes Specified Binary'),(10087,'Issue',559,2,'Beyu Denis, oscd.community (rule), @harr0ey (idea)'),(10088,'Issue',559,8,'https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/LOLUtilz/OSBinaries/Openwith.yml\nhttps://twitter.com/harr0ey/status/991670870384021504'),(10089,'Issue',559,10,'high'),(10090,'Issue',559,13,'community'),(10091,'Issue',559,14,'windows'),(10093,'Issue',559,11,'1e6152842'),(10094,'Issue',559,12,'cec8e918-30f7-4e2d-9bfa-a59cc97ae60f'),(10095,'Issue',559,16,'win-proc'),(10096,'Issue',559,17,''),(10097,'Issue',559,7,''),(10098,'Issue',559,3,'The OpenWith.exe executes other binary'),(10099,'Issue',559,4,''),(10100,'Issue',559,5,'_False Positives_\nLegitimate use of OpenWith.exe by legitimate user'),(10101,'Issue',559,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\OpenWith.exe AND process.command_line.keyword:*\\/c*)\nindex: so-*\nname: OpenWith.exe Executes Specified Binary\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(10102,'Issue',559,9,'{{collapse(View Sigma)\n\n\ntitle: OpenWith.exe Executes Specified Binary\nid: cec8e918-30f7-4e2d-9bfa-a59cc97ae60f\nstatus: experimental\ndescription: The OpenWith.exe executes other binary\nreferences:\n- https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/LOLUtilz/OSBinaries/Openwith.yml\n- https://twitter.com/harr0ey/status/991670870384021504\nauthor: Beyu Denis, oscd.community (rule), @harr0ey (idea)\ndate: 2019/10/12\nmodified: 2019/11/04\ntags:\n- attack.defense_evasion\n- attack.execution\n- attack.t1218\nlevel: high\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n Image|endswith: \\OpenWith.exe\n CommandLine|contains: /c\n condition: selection\nfalsepositives:\n- Legitimate use of OpenWith.exe by legitimate user\n\n
\n}}'),(10103,'Issue',559,15,'T1218'),(10104,'Issue',560,1,'Suspicious Execution from Outlook'),(10105,'Issue',560,2,'Markus Neis'),(10106,'Issue',560,8,'https://github.com/sensepost/ruler\nhttps://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html'),(10107,'Issue',560,10,'high'),(10108,'Issue',560,13,'community'),(10109,'Issue',560,14,'windows'),(10111,'Issue',560,11,'294e47aa7'),(10112,'Issue',560,12,'e212d415-0e93-435f-9e1a-f29005bb4723'),(10113,'Issue',560,16,'win-proc'),(10114,'Issue',560,17,''),(10115,'Issue',560,7,''),(10116,'Issue',560,3,'Detects EnableUnsafeClientMailRules used for Script Execution from Outlook'),(10117,'Issue',560,4,''),(10118,'Issue',560,5,'_False Positives_\nunknown'),(10119,'Issue',560,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND (process.command_line.keyword:*EnableUnsafeClientMailRules* OR (process.parent.executable.keyword:*\\\\outlook.exe AND process.command_line.keyword:\\\\\\\\*\\\\*.exe)))\nindex: so-*\nname: Suspicious Execution from Outlook\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(10120,'Issue',560,9,'{{collapse(View Sigma)\n\n\ntitle: Suspicious Execution from Outlook\nid: e212d415-0e93-435f-9e1a-f29005bb4723\nstatus: experimental\ndescription: Detects EnableUnsafeClientMailRules used for Script Execution from Outlook\nreferences:\n- https://github.com/sensepost/ruler\n- https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html\ntags:\n- attack.execution\n- attack.t1059\n- attack.t1202\nauthor: Markus Neis\ndate: 2018/12/27\nlogsource:\n category: process_creation\n product: windows\ndetection:\n clientMailRules:\n CommandLine: \'*EnableUnsafeClientMailRules*\'\n outlookExec:\n ParentImage: \'*\\outlook.exe\'\n CommandLine: \\\\\\\\*\\\\*.exe\n condition: clientMailRules or outlookExec\nfalsepositives:\n- unknown\nlevel: high\n\n
\n}}'),(10121,'Issue',560,15,'T1059'),(10122,'Issue',560,15,'T1202'),(10123,'Issue',561,1,'Execution in Outlook Temp Folder'),(10124,'Issue',561,2,'Florian Roth'),(10125,'Issue',561,8,'none'),(10126,'Issue',561,10,'high'),(10127,'Issue',561,13,'community'),(10128,'Issue',561,14,'windows'),(10130,'Issue',561,11,'1162b3913'),(10131,'Issue',561,12,'a018fdc3-46a3-44e5-9afb-2cd4af1d4b39'),(10132,'Issue',561,16,'win-proc'),(10133,'Issue',561,17,''),(10134,'Issue',561,7,''),(10135,'Issue',561,3,'Detects a suspicious program execution in Outlook temp folder'),(10136,'Issue',561,4,''),(10137,'Issue',561,5,'_False Positives_\nUnknown\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(10138,'Issue',561,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\Temporary\\ Internet\\ Files\\\\Content.Outlook\\\\*)\nindex: so-*\nname: Execution in Outlook Temp Folder\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(10139,'Issue',561,9,'{{collapse(View Sigma)\n\n\ntitle: Execution in Outlook Temp Folder\nid: a018fdc3-46a3-44e5-9afb-2cd4af1d4b39\nstatus: experimental\ndescription: Detects a suspicious program execution in Outlook temp folder\nauthor: Florian Roth\ndate: 2019/10/01\ntags:\n- attack.initial_access\n- attack.t1193\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n Image: \'*\\Temporary Internet Files\\Content.Outlook\\\\*\'\n condition: selection\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(10140,'Issue',561,15,'T1193'),(10141,'Issue',562,1,'Ping Hex IP'),(10142,'Issue',562,2,'Florian Roth'),(10143,'Issue',562,8,'https://github.com/vysec/Aggressor-VYSEC/blob/master/ping.cna\nhttps://twitter.com/vysecurity/status/977198418354491392'),(10144,'Issue',562,10,'high'),(10145,'Issue',562,13,'community'),(10146,'Issue',562,14,'windows'),(10148,'Issue',562,11,'478a5066b'),(10149,'Issue',562,12,'1a0d4aba-7668-4365-9ce4-6d79ab088dfd'),(10150,'Issue',562,16,'win-proc'),(10151,'Issue',562,17,''),(10152,'Issue',562,7,''),(10153,'Issue',562,3,'Detects a ping command that uses a hex encoded IP address'),(10154,'Issue',562,4,''),(10155,'Issue',562,5,'_False Positives_\nUnlikely, because no sane admin pings IP addresses in a hexadecimal form\n\n_Interesting Log Fields_\nParentCommandLine'),(10156,'Issue',562,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(*\\\\ping.exe\\ 0x* OR *\\\\ping\\ 0x*))\nindex: so-*\nname: Ping Hex IP\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(10157,'Issue',562,9,'{{collapse(View Sigma)\n\n\ntitle: Ping Hex IP\nid: 1a0d4aba-7668-4365-9ce4-6d79ab088dfd\ndescription: Detects a ping command that uses a hex encoded IP address\nreferences:\n- https://github.com/vysec/Aggressor-VYSEC/blob/master/ping.cna\n- https://twitter.com/vysecurity/status/977198418354491392\nauthor: Florian Roth\ndate: 2018/03/23\ntags:\n- attack.defense_evasion\n- attack.t1140\n- attack.t1027\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n CommandLine:\n - \'*\\ping.exe 0x*\'\n - \'*\\ping 0x*\'\n condition: selection\nfields:\n- ParentCommandLine\nfalsepositives:\n- Unlikely, because no sane admin pings IP addresses in a hexadecimal form\nlevel: high\n\n
\n}}'),(10158,'Issue',562,15,'T1140'),(10159,'Issue',562,15,'T1027'),(10160,'Issue',563,1,'Empire PowerShell Launch Parameters'),(10161,'Issue',563,2,'Florian Roth'),(10162,'Issue',563,8,'https://github.com/EmpireProject/Empire/blob/c2ba61ca8d2031dad0cfc1d5770ba723e8b710db/lib/common/helpers.py#L165\nhttps://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/lib/modules/powershell/persistence/powerbreach/deaduser.py#L191\nhttps://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/lib/modules/powershell/persistence/powerbreach/resolver.py#L178\nhttps://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-EventVwrBypass.ps1#L64'),(10163,'Issue',563,10,'critical'),(10164,'Issue',563,13,'community'),(10165,'Issue',563,14,'windows'),(10167,'Issue',563,11,'182824220'),(10168,'Issue',563,12,'79f4ede3-402e-41c8-bc3e-ebbf5f162581'),(10169,'Issue',563,16,'win-proc'),(10170,'Issue',563,17,''),(10171,'Issue',563,7,''),(10172,'Issue',563,3,'Detects suspicious powershell command line parameters used in Empire'),(10173,'Issue',563,4,''),(10174,'Issue',563,5,'_False Positives_\n Unknown'),(10175,'Issue',563,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(*\\ \\-NoP\\ \\-sta\\ \\-NonI\\ \\-W\\ Hidden\\ \\-Enc\\ * OR *\\ \\-noP\\ \\-sta\\ \\-w\\ 1\\ \\-enc\\ * OR *\\ \\-NoP\\ \\-NonI\\ \\-W\\ Hidden\\ \\-enc\\ *))\nindex: so-*\nname: Empire PowerShell Launch Parameters\npriority: 1\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(10176,'Issue',563,9,'{{collapse(View Sigma)\n\n\ntitle: Empire PowerShell Launch Parameters\nid: 79f4ede3-402e-41c8-bc3e-ebbf5f162581\ndescription: Detects suspicious powershell command line parameters used in Empire\nstatus: experimental\nreferences:\n- https://github.com/EmpireProject/Empire/blob/c2ba61ca8d2031dad0cfc1d5770ba723e8b710db/lib/common/helpers.py#L165\n- https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/lib/modules/powershell/persistence/powerbreach/deaduser.py#L191\n- https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/lib/modules/powershell/persistence/powerbreach/resolver.py#L178\n- https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-EventVwrBypass.ps1#L64\nauthor: Florian Roth\ndate: 2019/04/20\ntags:\n- attack.execution\n- attack.t1086\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n CommandLine:\n - \'* -NoP -sta -NonI -W Hidden -Enc *\'\n - \'* -noP -sta -w 1 -enc *\'\n - \'* -NoP -NonI -W Hidden -enc *\'\n condition: selection\nlevel: critical\n\n
\n}}'),(10177,'Issue',563,15,'T1086'),(10178,'Issue',564,1,'Empire PowerShell UAC Bypass'),(10179,'Issue',564,2,'Ecco'),(10180,'Issue',564,8,'https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-EventVwrBypass.ps1#L64\nhttps://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-FodHelperBypass.ps1#L64'),(10181,'Issue',564,10,'critical'),(10182,'Issue',564,13,'community'),(10183,'Issue',564,14,'windows'),(10185,'Issue',564,11,'517422778'),(10186,'Issue',564,12,'3268b746-88d8-4cd3-bffc-30077d02c787'),(10187,'Issue',564,16,'win-proc'),(10188,'Issue',564,17,''),(10189,'Issue',564,7,''),(10190,'Issue',564,3,'Detects some Empire PowerShell UAC bypass methods'),(10191,'Issue',564,4,''),(10192,'Issue',564,5,'_False Positives_\nunknown\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(10193,'Issue',564,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(*\\ \\-NoP\\ \\-NonI\\ \\-w\\ Hidden\\ \\-c\\ $x\\=$\\(\\(gp\\ HKCU\\:Software\\\\Microsoft\\\\Windows\\ Update\\).Update\\)* OR *\\ \\-NoP\\ \\-NonI\\ \\-c\\ $x\\=$\\(\\(gp\\ HKCU\\:Software\\\\Microsoft\\\\Windows\\ Update\\).Update\\);*))\nindex: so-*\nname: Empire PowerShell UAC Bypass\npriority: 1\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(10194,'Issue',564,9,'{{collapse(View Sigma)\n\n\ntitle: Empire PowerShell UAC Bypass\nid: 3268b746-88d8-4cd3-bffc-30077d02c787\nstatus: experimental\ndescription: Detects some Empire PowerShell UAC bypass methods\nreferences:\n- https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-EventVwrBypass.ps1#L64\n- https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-FodHelperBypass.ps1#L64\nauthor: Ecco\ndate: 2019/08/30\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n CommandLine:\n - \'* -NoP -NonI -w Hidden -c $x=$((gp HKCU:Software\\\\Microsoft\\\\Windows Update).Update)*\'\n - \'* -NoP -NonI -c $x=$((gp HKCU:Software\\\\Microsoft\\\\Windows Update).Update);*\'\n condition: selection\nfields:\n- CommandLine\n- ParentCommandLine\ntags:\n- attack.defense_evasion\n- attack.privilege_escalation\n- attack.t1088\n- car.2019-04-001\nfalsepositives:\n- unknown\nlevel: critical\n\n
\n}}'),(10195,'Issue',564,15,'T1088'),(10196,'Issue',565,1,'Suspicious Encoded PowerShell Command Line'),(10197,'Issue',565,2,'Florian Roth, Markus Neis'),(10198,'Issue',565,8,'https://app.any.run/tasks/6217d77d-3189-4db2-a957-8ab239f3e01e'),(10199,'Issue',565,10,'high'),(10200,'Issue',565,13,'community'),(10201,'Issue',565,14,'windows'),(10203,'Issue',565,11,'9528c3459'),(10204,'Issue',565,12,'ca2092a1-c273-4878-9b4b-0d60115bf5ea'),(10205,'Issue',565,16,'win-proc'),(10206,'Issue',565,17,''),(10207,'Issue',565,7,''),(10208,'Issue',565,3,'Detects suspicious powershell process starts with base64 encoded commands (e.g. Emotet)'),(10209,'Issue',565,4,''),(10210,'Issue',565,5,'_False Positives_\n Unknown'),(10211,'Issue',565,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(*\\ \\-e\\ JAB* OR *\\ \\-e\\ \\ JAB* OR *\\ \\-e\\ \\ \\ JAB* OR *\\ \\-e\\ \\ \\ \\ JAB* OR *\\ \\-e\\ \\ \\ \\ \\ JAB* OR *\\ \\-e\\ \\ \\ \\ \\ \\ JAB* OR *\\ \\-en\\ JAB* OR *\\ \\-enc\\ JAB* OR *\\ \\-enc*\\ JAB* OR *\\ \\-w\\ hidden\\ \\-e*\\ JAB* OR *\\ BA\\^J\\ e\\- OR *\\ \\-e\\ SUVYI* OR *\\ \\-e\\ aWV4I* OR *\\ \\-e\\ SQBFAFgA* OR *\\ \\-e\\ aQBlAHgA* OR *\\ \\-enc\\ SUVYI* OR *\\ \\-enc\\ aWV4I* OR *\\ \\-enc\\ SQBFAFgA* OR *\\ \\-enc\\ aQBlAHgA*) AND (NOT (process.command_line.keyword:*\\ \\-ExecutionPolicy\\ remotesigned\\ *)))\nindex: so-*\nname: Suspicious Encoded PowerShell Command Line\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(10212,'Issue',565,9,'{{collapse(View Sigma)\n\n\ntitle: Suspicious Encoded PowerShell Command Line\nid: ca2092a1-c273-4878-9b4b-0d60115bf5ea\ndescription: Detects suspicious powershell process starts with base64 encoded commands\n (e.g. Emotet)\nstatus: experimental\nreferences:\n- https://app.any.run/tasks/6217d77d-3189-4db2-a957-8ab239f3e01e\nauthor: Florian Roth, Markus Neis\ndate: 2018/09/03\nmodified: 2019/12/16\ntags:\n- attack.execution\n- attack.t1086\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n CommandLine:\n - \'* -e JAB*\'\n - \'* -e JAB*\'\n - \'* -e JAB*\'\n - \'* -e JAB*\'\n - \'* -e JAB*\'\n - \'* -e JAB*\'\n - \'* -en JAB*\'\n - \'* -enc JAB*\'\n - \'* -enc* JAB*\'\n - \'* -w hidden -e* JAB*\'\n - \'* BA^J e-\'\n - \'* -e SUVYI*\'\n - \'* -e aWV4I*\'\n - \'* -e SQBFAFgA*\'\n - \'* -e aQBlAHgA*\'\n - \'* -enc SUVYI*\'\n - \'* -enc aWV4I*\'\n - \'* -enc SQBFAFgA*\'\n - \'* -enc aQBlAHgA*\'\n falsepositive1:\n CommandLine: \'* -ExecutionPolicy remotesigned *\'\n condition: selection and not falsepositive1\nlevel: high\n\n
\n}}'),(10213,'Issue',565,15,'T1086'),(10214,'Issue',566,1,'Malicious Base64 Encoded PowerShell Keywords in Command Lines'),(10215,'Issue',566,2,'John Lambert (rule)'),(10216,'Issue',566,8,'http://www.leeholmes.com/blog/2017/09/21/searching-for-content-in-base-64-strings/'),(10217,'Issue',566,10,'high'),(10218,'Issue',566,13,'community'),(10219,'Issue',566,14,'windows'),(10221,'Issue',566,11,'7ae9f0c0e'),(10222,'Issue',566,12,'f26c6093-6f14-4b12-800f-0fcb46f5ffd0'),(10223,'Issue',566,16,'win-proc'),(10224,'Issue',566,17,''),(10225,'Issue',566,7,''),(10226,'Issue',566,3,'Detects base64 encoded strings used in hidden malicious PowerShell command lines'),(10227,'Issue',566,4,''),(10228,'Issue',566,5,'_False Positives_\nPenetration tests'),(10229,'Issue',566,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\powershell.exe AND process.command_line.keyword:*\\ hidden\\ * AND process.command_line.keyword:(*AGkAdABzAGEAZABtAGkAbgAgAC8AdAByAGEAbgBzAGYAZQByA* OR *aXRzYWRtaW4gL3RyYW5zZmVy* OR *IAaQB0AHMAYQBkAG0AaQBuACAALwB0AHIAYQBuAHMAZgBlAHIA* OR *JpdHNhZG1pbiAvdHJhbnNmZX* OR *YgBpAHQAcwBhAGQAbQBpAG4AIAAvAHQAcgBhAG4AcwBmAGUAcg* OR *Yml0c2FkbWluIC90cmFuc2Zlc* OR *AGMAaAB1AG4AawBfAHMAaQB6AGUA* OR *JABjAGgAdQBuAGsAXwBzAGkAegBlA* OR *JGNodW5rX3Npem* OR *QAYwBoAHUAbgBrAF8AcwBpAHoAZQ* OR *RjaHVua19zaXpl* OR *Y2h1bmtfc2l6Z* OR *AE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4A* OR *kATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8Abg* OR *lPLkNvbXByZXNzaW9u* OR *SQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuA* OR *SU8uQ29tcHJlc3Npb2* OR *Ty5Db21wcmVzc2lvb* OR *AE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQ* OR *kATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtA* OR *lPLk1lbW9yeVN0cmVhb* OR *SQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0A* OR *SU8uTWVtb3J5U3RyZWFt* OR *Ty5NZW1vcnlTdHJlYW* OR *4ARwBlAHQAQwBoAHUAbgBrA* OR *5HZXRDaHVua* OR *AEcAZQB0AEMAaAB1AG4Aaw* OR *LgBHAGUAdABDAGgAdQBuAGsA* OR *LkdldENodW5r* OR *R2V0Q2h1bm* OR *AEgAUgBFAEEARABfAEkATgBGAE8ANgA0A* OR *QASABSAEUAQQBEAF8ASQBOAEYATwA2ADQA* OR *RIUkVBRF9JTkZPNj* OR *SFJFQURfSU5GTzY0* OR *VABIAFIARQBBAEQAXwBJAE4ARgBPADYANA* OR *VEhSRUFEX0lORk82N* OR *AHIAZQBhAHQAZQBSAGUAbQBvAHQAZQBUAGgAcgBlAGEAZA* OR *cmVhdGVSZW1vdGVUaHJlYW* OR *MAcgBlAGEAdABlAFIAZQBtAG8AdABlAFQAaAByAGUAYQBkA* OR *NyZWF0ZVJlbW90ZVRocmVhZ* OR *Q3JlYXRlUmVtb3RlVGhyZWFk* OR *QwByAGUAYQB0AGUAUgBlAG0AbwB0AGUAVABoAHIAZQBhAGQA* OR *0AZQBtAG0AbwB2AGUA* OR *1lbW1vdm* OR *AGUAbQBtAG8AdgBlA* OR *bQBlAG0AbQBvAHYAZQ* OR *bWVtbW92Z* OR *ZW1tb3Zl*))\nindex: so-*\nname: Malicious Base64 Encoded PowerShell Keywords in Command Lines\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(10230,'Issue',566,9,'{{collapse(View Sigma)\n\n\ntitle: Malicious Base64 Encoded PowerShell Keywords in Command Lines\nid: f26c6093-6f14-4b12-800f-0fcb46f5ffd0\nstatus: experimental\ndescription: Detects base64 encoded strings used in hidden malicious PowerShell command\n lines\nreferences:\n- http://www.leeholmes.com/blog/2017/09/21/searching-for-content-in-base-64-strings/\ntags:\n- attack.execution\n- attack.t1086\nauthor: John Lambert (rule)\ndate: 2019/01/16\nlogsource:\n category: process_creation\n product: windows\ndetection:\n encoded:\n Image: \'*\\powershell.exe\'\n CommandLine: \'* hidden *\'\n selection:\n CommandLine:\n - \'*AGkAdABzAGEAZABtAGkAbgAgAC8AdAByAGEAbgBzAGYAZQByA*\'\n - \'*aXRzYWRtaW4gL3RyYW5zZmVy*\'\n - \'*IAaQB0AHMAYQBkAG0AaQBuACAALwB0AHIAYQBuAHMAZgBlAHIA*\'\n - \'*JpdHNhZG1pbiAvdHJhbnNmZX*\'\n - \'*YgBpAHQAcwBhAGQAbQBpAG4AIAAvAHQAcgBhAG4AcwBmAGUAcg*\'\n - \'*Yml0c2FkbWluIC90cmFuc2Zlc*\'\n - \'*AGMAaAB1AG4AawBfAHMAaQB6AGUA*\'\n - \'*JABjAGgAdQBuAGsAXwBzAGkAegBlA*\'\n - \'*JGNodW5rX3Npem*\'\n - \'*QAYwBoAHUAbgBrAF8AcwBpAHoAZQ*\'\n - \'*RjaHVua19zaXpl*\'\n - \'*Y2h1bmtfc2l6Z*\'\n - \'*AE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4A*\'\n - \'*kATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8Abg*\'\n - \'*lPLkNvbXByZXNzaW9u*\'\n - \'*SQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuA*\'\n - \'*SU8uQ29tcHJlc3Npb2*\'\n - \'*Ty5Db21wcmVzc2lvb*\'\n - \'*AE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQ*\'\n - \'*kATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtA*\'\n - \'*lPLk1lbW9yeVN0cmVhb*\'\n - \'*SQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0A*\'\n - \'*SU8uTWVtb3J5U3RyZWFt*\'\n - \'*Ty5NZW1vcnlTdHJlYW*\'\n - \'*4ARwBlAHQAQwBoAHUAbgBrA*\'\n - \'*5HZXRDaHVua*\'\n - \'*AEcAZQB0AEMAaAB1AG4Aaw*\'\n - \'*LgBHAGUAdABDAGgAdQBuAGsA*\'\n - \'*LkdldENodW5r*\'\n - \'*R2V0Q2h1bm*\'\n - \'*AEgAUgBFAEEARABfAEkATgBGAE8ANgA0A*\'\n - \'*QASABSAEUAQQBEAF8ASQBOAEYATwA2ADQA*\'\n - \'*RIUkVBRF9JTkZPNj*\'\n - \'*SFJFQURfSU5GTzY0*\'\n - \'*VABIAFIARQBBAEQAXwBJAE4ARgBPADYANA*\'\n - \'*VEhSRUFEX0lORk82N*\'\n - \'*AHIAZQBhAHQAZQBSAGUAbQBvAHQAZQBUAGgAcgBlAGEAZA*\'\n - \'*cmVhdGVSZW1vdGVUaHJlYW*\'\n - \'*MAcgBlAGEAdABlAFIAZQBtAG8AdABlAFQAaAByAGUAYQBkA*\'\n - \'*NyZWF0ZVJlbW90ZVRocmVhZ*\'\n - \'*Q3JlYXRlUmVtb3RlVGhyZWFk*\'\n - \'*QwByAGUAYQB0AGUAUgBlAG0AbwB0AGUAVABoAHIAZQBhAGQA*\'\n - \'*0AZQBtAG0AbwB2AGUA*\'\n - \'*1lbW1vdm*\'\n - \'*AGUAbQBtAG8AdgBlA*\'\n - \'*bQBlAG0AbQBvAHYAZQ*\'\n - \'*bWVtbW92Z*\'\n - \'*ZW1tb3Zl*\'\n condition: encoded and selection\nfalsepositives:\n- Penetration tests\nlevel: high\n\n
\n}}'),(10231,'Issue',566,15,'T1086'),(10232,'Issue',567,1,'Suspicious PowerShell Invocation Based on Parent Process'),(10233,'Issue',567,2,'Florian Roth'),(10234,'Issue',567,8,'https://www.carbonblack.com/2017/03/15/attackers-leverage-excel-powershell-dns-latest-non-malware-attack/'),(10235,'Issue',567,10,'medium'),(10236,'Issue',567,13,'community'),(10237,'Issue',567,14,'windows'),(10239,'Issue',567,11,'770115f6d'),(10240,'Issue',567,12,'95eadcb2-92e4-4ed1-9031-92547773a6db'),(10241,'Issue',567,16,'win-proc'),(10242,'Issue',567,17,''),(10243,'Issue',567,7,''),(10244,'Issue',567,3,'Detects suspicious powershell invocations from interpreters or unusual programs'),(10245,'Issue',567,4,''),(10246,'Issue',567,5,'_False Positives_\nMicrosoft Operations Manager (MOM)\nOther scripts\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(10247,'Issue',567,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (process.parent.executable.keyword:(*\\\\wscript.exe OR *\\\\cscript.exe) AND process.executable.keyword:(*\\\\powershell.exe)) AND (NOT (process.working_directory\".keyword:*\\\\Health\\ Service\\ State\\\\*)))\nindex: so-*\nname: Suspicious PowerShell Invocation Based on Parent Process\npriority: 3\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(10248,'Issue',567,9,'{{collapse(View Sigma)\n\n\ntitle: Suspicious PowerShell Invocation Based on Parent Process\nid: 95eadcb2-92e4-4ed1-9031-92547773a6db\nstatus: experimental\ndescription: Detects suspicious powershell invocations from interpreters or unusual\n programs\nauthor: Florian Roth\ndate: 2019/01/16\nreferences:\n- https://www.carbonblack.com/2017/03/15/attackers-leverage-excel-powershell-dns-latest-non-malware-attack/\ntags:\n- attack.execution\n- attack.t1086\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n ParentImage:\n - \'*\\wscript.exe\'\n - \'*\\cscript.exe\'\n Image:\n - \'*\\powershell.exe\'\n falsepositive:\n CurrentDirectory: \'*\\Health Service State\\\\*\'\n condition: selection and not falsepositive\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Microsoft Operations Manager (MOM)\n- Other scripts\nlevel: medium\n\n
\n}}'),(10249,'Issue',567,15,'T1086'),(10250,'Issue',568,1,'Suspicious Use of Procdump'),(10251,'Issue',568,2,'Florian Roth'),(10252,'Issue',568,8,'Internal Research'),(10253,'Issue',568,10,'high'),(10254,'Issue',568,13,'community'),(10255,'Issue',568,14,'windows'),(10257,'Issue',568,11,'5a6ba744a'),(10258,'Issue',568,12,'5afee48e-67dd-4e03-a783-f74259dcf998'),(10259,'Issue',568,16,'win-proc'),(10260,'Issue',568,17,''),(10261,'Issue',568,7,''),(10262,'Issue',568,3,'Detects suspicious uses of the SysInternals Procdump utility by using a special command line parameter in combination with the lsass.exe process. This way we\'re also able to catch cases in which the attacker has renamed the procdump executable.'),(10263,'Issue',568,4,''),(10264,'Issue',568,5,'_False Positives_\nUnlikely, because no one should dump an lsass process memory\nAnother tool that uses the command line switches of Procdump'),(10265,'Issue',568,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(*\\ \\-ma\\ *) AND process.command_line.keyword:(*\\ lsass*)) OR process.command_line.keyword:(*\\ \\-ma\\ ls*)))\nindex: so-*\nname: Suspicious Use of Procdump\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(10266,'Issue',568,9,'{{collapse(View Sigma)\n\n\ntitle: Suspicious Use of Procdump\nid: 5afee48e-67dd-4e03-a783-f74259dcf998\ndescription: Detects suspicious uses of the SysInternals Procdump utility by using\n a special command line parameter in combination with the lsass.exe process. This\n way we\'re also able to catch cases in which the attacker has renamed the procdump\n executable.\nstatus: experimental\nreferences:\n- Internal Research\nauthor: Florian Roth\ndate: 2018/10/30\nmodified: 2019/10/14\ntags:\n- attack.defense_evasion\n- attack.t1036\n- attack.credential_access\n- attack.t1003\n- car.2013-05-009\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection1:\n CommandLine:\n - \'* -ma *\'\n selection2:\n CommandLine:\n - \'* lsass*\'\n selection3:\n CommandLine:\n - \'* -ma ls*\'\n condition: ( selection1 and selection2 ) or selection3\nfalsepositives:\n- Unlikely, because no one should dump an lsass process memory\n- Another tool that uses the command line switches of Procdump\nlevel: high\n\n
\n}}'),(10267,'Issue',568,15,'T1036'),(10268,'Issue',568,15,'T1003'),(10269,'Issue',569,1,'Suspicious Process Creation'),(10270,'Issue',569,2,'Florian Roth, Daniil Yugoslavskiy, oscd.community (update)'),(10271,'Issue',569,8,'https://www.swordshield.com/2015/07/getting-hashes-from-ntds-dit-file/\nhttps://www.youtube.com/watch?v=H3t_kHQG1Js&feature=youtu.be&t=15m35s\nhttps://winscripting.blog/2017/05/12/first-entry-welcome-and-uac-bypass/\nhttps://twitter.com/subTee/status/872244674609676288\nhttps://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/remote-tool-examples\nhttps://tyranidslair.blogspot.ca/2017/07/dg-on-windows-10-s-executing-arbitrary.html\nhttps://www.trustedsec.com/2017/07/new-tool-release-nps_payload/\nhttps://subt0x10.blogspot.ca/2017/04/bypassing-application-whitelisting.html\nhttps://gist.github.com/subTee/7937a8ef07409715f15b84781e180c46#file-rat-bat\nhttps://twitter.com/vector_sec/status/896049052642533376\nhttp://security-research.dyndns.org/pub/slides/FIRST-TC-2018/FIRST-TC-2018_Tom-Ueltschi_Sysmon_PUBLIC.pdf'),(10272,'Issue',569,10,'medium'),(10273,'Issue',569,13,'community'),(10274,'Issue',569,14,'windows'),(10275,'Issue',569,15,''),(10276,'Issue',569,11,'fb8d9b1f4'),(10277,'Issue',569,12,'5f0f47a5-cb16-4dbe-9e31-e8d976d73de3'),(10278,'Issue',569,16,'win-proc'),(10279,'Issue',569,17,''),(10280,'Issue',569,7,''),(10281,'Issue',569,3,'Detects suspicious process starts on Windows systems based on keywords'),(10282,'Issue',569,4,''),(10283,'Issue',569,5,'_False Positives_\nFalse positives depend on scripts and administrative tools used in the monitored environment\n\n_Interesting Log Fields_\nComputerName\nUser\nCommandLine'),(10284,'Issue',569,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(*\\ sekurlsa\\:* OR net\\ localgroup\\ administrators\\ *\\ \\/add OR net\\ group\\ \\\"Domain\\ Admins\\\"\\ *\\ \\/ADD\\ \\/DOMAIN OR certutil.exe\\ *\\-urlcache*\\ http* OR certutil.exe\\ *\\-urlcache*\\ ftp* OR netsh\\ advfirewall\\ firewall\\ *\\\\AppData\\\\* OR attrib\\ \\+S\\ \\+H\\ \\+R\\ *\\\\AppData\\\\* OR schtasks*\\ \\/create\\ *\\\\AppData\\\\* OR schtasks*\\ \\/sc\\ minute* OR *\\\\Regasm.exe\\ *\\\\AppData\\\\* OR *\\\\Regasm\\ *\\\\AppData\\\\* OR *\\\\bitsadmin*\\ \\/transfer* OR *\\\\certutil.exe\\ *\\ \\-decode\\ * OR *\\\\certutil.exe\\ *\\ \\-decodehex\\ * OR *\\\\certutil.exe\\ \\-ping\\ * OR icacls\\ *\\ \\/grant\\ Everyone\\:F\\ \\/T\\ \\/C\\ \\/Q OR *\\ wbadmin.exe\\ delete\\ catalog\\ \\-quiet* OR *\\\\wscript.exe\\ *.jse OR *\\\\wscript.exe\\ *.js OR *\\\\wscript.exe\\ *.vba OR *\\\\wscript.exe\\ *.vbe OR *\\\\cscript.exe\\ *.jse OR *\\\\cscript.exe\\ *.js OR *\\\\cscript.exe\\ *.vba OR *\\\\cscript.exe\\ *.vbe OR *\\\\fodhelper.exe OR *waitfor*\\/s* OR *waitfor*\\/si\\ persist* OR *remote*\\/s* OR *remote*\\/c* OR *remote*\\/q* OR *AddInProcess* OR *\\ \\/stext\\ * OR *\\ \\/scomma\\ * OR *\\ \\/stab\\ * OR *\\ \\/stabular\\ * OR *\\ \\/shtml\\ * OR *\\ \\/sverhtml\\ * OR *\\ \\/sxml\\ *))\nindex: so-*\nname: Suspicious Process Creation\npriority: 3\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(10285,'Issue',569,9,'{{collapse(View Sigma)\n\n\ntitle: Suspicious Process Creation\nid: 5f0f47a5-cb16-4dbe-9e31-e8d976d73de3\ndescription: Detects suspicious process starts on Windows systems based on keywords\nstatus: experimental\nreferences:\n- https://www.swordshield.com/2015/07/getting-hashes-from-ntds-dit-file/\n- https://www.youtube.com/watch?v=H3t_kHQG1Js&feature=youtu.be&t=15m35s\n- https://winscripting.blog/2017/05/12/first-entry-welcome-and-uac-bypass/\n- https://twitter.com/subTee/status/872244674609676288\n- https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/remote-tool-examples\n- https://tyranidslair.blogspot.ca/2017/07/dg-on-windows-10-s-executing-arbitrary.html\n- https://www.trustedsec.com/2017/07/new-tool-release-nps_payload/\n- https://subt0x10.blogspot.ca/2017/04/bypassing-application-whitelisting.html\n- https://gist.github.com/subTee/7937a8ef07409715f15b84781e180c46#file-rat-bat\n- https://twitter.com/vector_sec/status/896049052642533376\n- http://security-research.dyndns.org/pub/slides/FIRST-TC-2018/FIRST-TC-2018_Tom-Ueltschi_Sysmon_PUBLIC.pdf\nauthor: Florian Roth, Daniil Yugoslavskiy, oscd.community (update)\ndate: 2018/01/01\nmodified: 2019/11/01\ntags:\n- car.2013-07-001\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n CommandLine:\n - \'* sekurlsa:*\'\n - net localgroup administrators * /add\n - net group \"Domain Admins\" * /ADD /DOMAIN\n - certutil.exe *-urlcache* http*\n - certutil.exe *-urlcache* ftp*\n - netsh advfirewall firewall *\\AppData\\\\*\n - attrib +S +H +R *\\AppData\\\\*\n - schtasks* /create *\\AppData\\\\*\n - schtasks* /sc minute*\n - \'*\\Regasm.exe *\\AppData\\\\*\'\n - \'*\\Regasm *\\AppData\\\\*\'\n - \'*\\bitsadmin* /transfer*\'\n - \'*\\certutil.exe * -decode *\'\n - \'*\\certutil.exe * -decodehex *\'\n - \'*\\certutil.exe -ping *\'\n - icacls * /grant Everyone:F /T /C /Q\n - \'* wbadmin.exe delete catalog -quiet*\'\n - \'*\\wscript.exe *.jse\'\n - \'*\\wscript.exe *.js\'\n - \'*\\wscript.exe *.vba\'\n - \'*\\wscript.exe *.vbe\'\n - \'*\\cscript.exe *.jse\'\n - \'*\\cscript.exe *.js\'\n - \'*\\cscript.exe *.vba\'\n - \'*\\cscript.exe *.vbe\'\n - \'*\\fodhelper.exe\'\n - \'*waitfor*/s*\'\n - \'*waitfor*/si persist*\'\n - \'*remote*/s*\'\n - \'*remote*/c*\'\n - \'*remote*/q*\'\n - \'*AddInProcess*\'\n - \'* /stext *\'\n - \'* /scomma *\'\n - \'* /stab *\'\n - \'* /stabular *\'\n - \'* /shtml *\'\n - \'* /sverhtml *\'\n - \'* /sxml *\'\n condition: selection\nfields:\n- ComputerName\n- User\n- CommandLine\nfalsepositives:\n- False positives depend on scripts and administrative tools used in the monitored\n environment\nlevel: medium\n\n
\n}}'),(10286,'Issue',570,1,'Suspicious Program Location Process Starts'),(10287,'Issue',570,2,'Florian Roth'),(10288,'Issue',570,8,'https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo'),(10289,'Issue',570,10,'high'),(10290,'Issue',570,13,'community'),(10291,'Issue',570,14,'windows'),(10293,'Issue',570,11,'8bd722168'),(10294,'Issue',570,12,'f50bfd8b-e2a3-4c15-9373-7900b5a4c6d5'),(10295,'Issue',570,16,'win-proc'),(10296,'Issue',570,17,''),(10297,'Issue',570,7,''),(10298,'Issue',570,3,'Detects programs running in suspicious files system locations'),(10299,'Issue',570,4,''),(10300,'Issue',570,5,'_False Positives_\nunknown'),(10301,'Issue',570,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:(*\\\\$Recycle.bin OR *\\\\Users\\\\Public\\\\* OR C\\:\\\\Perflogs\\\\* OR *\\\\Windows\\\\Fonts\\\\* OR *\\\\Windows\\\\IME\\\\* OR *\\\\Windows\\\\addins\\\\* OR *\\\\Windows\\\\debug\\\\*))\nindex: so-*\nname: Suspicious Program Location Process Starts\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(10302,'Issue',570,9,'{{collapse(View Sigma)\n\n\ntitle: Suspicious Program Location Process Starts\nid: f50bfd8b-e2a3-4c15-9373-7900b5a4c6d5\nstatus: experimental\ndescription: Detects programs running in suspicious files system locations\nreferences:\n- https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo\ntags:\n- attack.defense_evasion\n- attack.t1036\nauthor: Florian Roth\ndate: 2019/01/15\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n Image:\n - \'*\\$Recycle.bin\'\n - \'*\\Users\\Public\\\\*\'\n - C:\\Perflogs\\\\*\n - \'*\\Windows\\Fonts\\\\*\'\n - \'*\\Windows\\IME\\\\*\'\n - \'*\\Windows\\addins\\\\*\'\n - \'*\\Windows\\debug\\\\*\'\n condition: selection\nfalsepositives:\n- unknown\nlevel: high\n\n
\n}}'),(10303,'Issue',570,15,'T1036'),(10304,'Issue',571,1,'PowerShell Script Run in AppData'),(10305,'Issue',571,2,'Florian Roth'),(10306,'Issue',571,8,'https://twitter.com/JohnLaTwC/status/1082851155481288706\nhttps://app.any.run/tasks/f87f1c4e-47e2-4c46-9cf4-31454c06ce03'),(10307,'Issue',571,10,'medium'),(10308,'Issue',571,13,'community'),(10309,'Issue',571,14,'windows'),(10311,'Issue',571,11,'42ba455ec'),(10312,'Issue',571,12,'ac175779-025a-4f12-98b0-acdaeb77ea85'),(10313,'Issue',571,16,'win-proc'),(10314,'Issue',571,17,''),(10315,'Issue',571,7,''),(10316,'Issue',571,3,'Detects a suspicious command line execution that invokes PowerShell with reference to an AppData folder'),(10317,'Issue',571,4,''),(10318,'Issue',571,5,'_False Positives_\nAdministrative scripts'),(10319,'Issue',571,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(*\\ \\/c\\ powershell*\\\\AppData\\\\Local\\\\* OR *\\ \\/c\\ powershell*\\\\AppData\\\\Roaming\\\\*))\nindex: so-*\nname: PowerShell Script Run in AppData\npriority: 3\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(10320,'Issue',571,9,'{{collapse(View Sigma)\n\n\ntitle: PowerShell Script Run in AppData\nid: ac175779-025a-4f12-98b0-acdaeb77ea85\nstatus: experimental\ndescription: Detects a suspicious command line execution that invokes PowerShell with\n reference to an AppData folder\nreferences:\n- https://twitter.com/JohnLaTwC/status/1082851155481288706\n- https://app.any.run/tasks/f87f1c4e-47e2-4c46-9cf4-31454c06ce03\ntags:\n- attack.execution\n- attack.t1086\nauthor: Florian Roth\ndate: 2019/01/09\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n CommandLine:\n - \'* /c powershell*\\AppData\\Local\\\\*\'\n - \'* /c powershell*\\AppData\\Roaming\\\\*\'\n condition: selection\nfalsepositives:\n- Administrative scripts\nlevel: medium\n\n
\n}}'),(10321,'Issue',571,15,'T1086'),(10322,'Issue',572,1,'PowerShell DownloadFile'),(10323,'Issue',572,2,'Florian Roth'),(10324,'Issue',572,8,'https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html'),(10325,'Issue',572,10,'high'),(10326,'Issue',572,13,'community'),(10327,'Issue',572,14,'windows'),(10329,'Issue',572,11,'9c624cc24'),(10330,'Issue',572,12,'8f70ac5f-1f6f-4f8e-b454-db19561216c5'),(10331,'Issue',572,16,'win-proc'),(10332,'Issue',572,17,''),(10333,'Issue',572,7,''),(10334,'Issue',572,3,'Detects the execution of powershell, a WebClient object creation and the invocation of DownloadFile in a single command line'),(10335,'Issue',572,4,''),(10336,'Issue',572,5,'_False Positives_\nUnknown'),(10337,'Issue',572,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:*powershell* AND process.command_line.keyword:*.DownloadFile* AND process.command_line.keyword:*System.Net.WebClient*)\nindex: so-*\nname: PowerShell DownloadFile\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(10338,'Issue',572,9,'{{collapse(View Sigma)\n\n\ntitle: PowerShell DownloadFile\nid: 8f70ac5f-1f6f-4f8e-b454-db19561216c5\nstatus: experimental\ndescription: Detects the execution of powershell, a WebClient object creation and\n the invocation of DownloadFile in a single command line\nreferences:\n- https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html\nauthor: Florian Roth\ndate: 2020/03/25\ntags:\n- attack.execution\n- attack.t1086\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n CommandLine|contains|all:\n - powershell\n - .DownloadFile\n - System.Net.WebClient\n condition: selection\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(10339,'Issue',572,15,'T1086'),(10340,'Issue',573,1,'Psr.exe Capture Screenshots'),(10341,'Issue',573,2,'Beyu Denis, oscd.community'),(10342,'Issue',573,8,'https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/LOLUtilz/OSBinaries/Psr.yml\nhttps://www.sans.org/summit-archives/file/summit-archive-1493861893.pdf'),(10343,'Issue',573,10,'medium'),(10344,'Issue',573,13,'community'),(10345,'Issue',573,14,'windows'),(10347,'Issue',573,11,'5688f942b'),(10348,'Issue',573,12,'2158f96f-43c2-43cb-952a-ab4580f32382'),(10349,'Issue',573,16,'win-proc'),(10350,'Issue',573,17,''),(10351,'Issue',573,7,''),(10352,'Issue',573,3,'The psr.exe captures desktop screenshots and saves them on the local machine'),(10353,'Issue',573,4,''),(10354,'Issue',573,5,'_False Positives_\nUnknown'),(10355,'Issue',573,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\Psr.exe AND process.command_line.keyword:*\\/start*)\nindex: so-*\nname: Psr.exe Capture Screenshots\npriority: 3\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(10356,'Issue',573,9,'{{collapse(View Sigma)\n\n\ntitle: Psr.exe Capture Screenshots\nid: 2158f96f-43c2-43cb-952a-ab4580f32382\nstatus: experimental\ndescription: The psr.exe captures desktop screenshots and saves them on the local\n machine\nreferences:\n- https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/LOLUtilz/OSBinaries/Psr.yml\n- https://www.sans.org/summit-archives/file/summit-archive-1493861893.pdf\nauthor: Beyu Denis, oscd.community\ndate: 2019/10/12\nmodified: 2019/11/04\ntags:\n- attack.persistence\n- attack.t1218\nlevel: medium\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n Image|endswith: \\Psr.exe\n CommandLine|contains: /start\n condition: selection\nfalsepositives:\n- Unknown\n\n
\n}}'),(10357,'Issue',573,15,'T1218'),(10358,'Issue',574,1,'Suspicious RASdial Activity'),(10359,'Issue',574,2,'juju4'),(10360,'Issue',574,8,'https://twitter.com/subTee/status/891298217907830785'),(10361,'Issue',574,10,'medium'),(10362,'Issue',574,13,'community'),(10363,'Issue',574,14,'windows'),(10365,'Issue',574,11,'5b5babf55'),(10366,'Issue',574,12,'6bba49bf-7f8c-47d6-a1bb-6b4dece4640e'),(10367,'Issue',574,16,'win-proc'),(10368,'Issue',574,17,''),(10369,'Issue',574,7,''),(10370,'Issue',574,3,'Detects suspicious process related to rasdial.exe'),(10371,'Issue',574,4,''),(10372,'Issue',574,5,'_False Positives_\nFalse positives depend on scripts and administrative tools used in the monitored environment'),(10373,'Issue',574,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line:(\"rasdial\"))\nindex: so-*\nname: Suspicious RASdial Activity\npriority: 3\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(10374,'Issue',574,9,'{{collapse(View Sigma)\n\n\ntitle: Suspicious RASdial Activity\nid: 6bba49bf-7f8c-47d6-a1bb-6b4dece4640e\ndescription: Detects suspicious process related to rasdial.exe\nstatus: experimental\nreferences:\n- https://twitter.com/subTee/status/891298217907830785\nauthor: juju4\ndate: 2019/01/16\ntags:\n- attack.defense_evasion\n- attack.execution\n- attack.t1064\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n CommandLine:\n - rasdial\n condition: selection\nfalsepositives:\n- False positives depend on scripts and administrative tools used in the monitored\n environment\nlevel: medium\n\n
\n}}'),(10375,'Issue',574,15,'T1064'),(10376,'Issue',575,1,'Suspicious Reconnaissance Activity'),(10377,'Issue',575,2,'Florian Roth'),(10378,'Issue',575,8,'none'),(10379,'Issue',575,10,'medium'),(10380,'Issue',575,13,'community'),(10381,'Issue',575,14,'windows'),(10383,'Issue',575,11,'b1f48d3a8'),(10384,'Issue',575,12,'d95de845-b83c-4a9a-8a6a-4fc802ebf6c0'),(10385,'Issue',575,16,'win-proc'),(10386,'Issue',575,17,''),(10387,'Issue',575,7,''),(10388,'Issue',575,3,'Detects suspicious command line activity on Windows systems'),(10389,'Issue',575,4,''),(10390,'Issue',575,5,'_False Positives_\nInventory tool runs\nPenetration tests\nAdministrative activity\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(10391,'Issue',575,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line:(\"net\\ group\\ \\\"domain\\ admins\\\"\\ \\/domain\" OR \"net\\ localgroup\\ administrators\"))\nindex: so-*\nname: Suspicious Reconnaissance Activity\npriority: 3\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(10392,'Issue',575,9,'{{collapse(View Sigma)\n\n\ntitle: Suspicious Reconnaissance Activity\nid: d95de845-b83c-4a9a-8a6a-4fc802ebf6c0\nstatus: experimental\ndescription: Detects suspicious command line activity on Windows systems\nauthor: Florian Roth\ndate: 2019/01/16\ntags:\n- attack.discovery\n- attack.t1087\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n CommandLine:\n - net group \"domain admins\" /domain\n - net localgroup administrators\n condition: selection\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Inventory tool runs\n- Penetration tests\n- Administrative activity\nanalysis:\n recommendation: Check if the user that executed the commands is suspicious (e.g.\n service accounts, LOCAL_SYSTEM)\nlevel: medium\n\n
\n}}'),(10393,'Issue',575,15,'T1087'),(10394,'Issue',576,1,'Regsvr32 Anomaly'),(10395,'Issue',576,2,'Florian Roth'),(10396,'Issue',576,8,'https://subt0x10.blogspot.de/2017/04/bypass-application-whitelisting-script.html'),(10397,'Issue',576,10,'high'),(10398,'Issue',576,13,'community'),(10399,'Issue',576,14,'windows'),(10401,'Issue',576,11,'e316d1d1d'),(10402,'Issue',576,12,'8e2b24c9-4add-46a0-b4bb-0057b4e6187d'),(10403,'Issue',576,16,'win-proc'),(10404,'Issue',576,17,''),(10405,'Issue',576,7,''),(10406,'Issue',576,3,'Detects various anomalies in relation to regsvr32.exe'),(10407,'Issue',576,4,''),(10408,'Issue',576,5,'_False Positives_\nUnknown\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(10409,'Issue',576,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND ((process.executable.keyword:*\\\\regsvr32.exe AND process.command_line.keyword:*\\\\Temp\\\\*) OR (process.executable.keyword:*\\\\regsvr32.exe AND process.parent.executable.keyword:*\\\\powershell.exe) OR (process.executable.keyword:*\\\\regsvr32.exe AND process.parent.executable.keyword:*\\\\cmd.exe) OR (process.executable.keyword:*\\\\regsvr32.exe AND process.command_line.keyword:(*\\/i\\:http*\\ scrobj.dll OR *\\/i\\:ftp*\\ scrobj.dll)) OR (process.executable.keyword:*\\\\wscript.exe AND process.parent.executable.keyword:*\\\\regsvr32.exe) OR (process.executable.keyword:*\\\\EXCEL.EXE AND process.command_line.keyword:*..\\\\..\\\\..\\\\Windows\\\\System32\\\\regsvr32.exe\\ *)))\nindex: so-*\nname: Regsvr32 Anomaly\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(10410,'Issue',576,9,'{{collapse(View Sigma)\n\n\ntitle: Regsvr32 Anomaly\nid: 8e2b24c9-4add-46a0-b4bb-0057b4e6187d\nstatus: experimental\ndescription: Detects various anomalies in relation to regsvr32.exe\nauthor: Florian Roth\ndate: 2019/01/16\nreferences:\n- https://subt0x10.blogspot.de/2017/04/bypass-application-whitelisting-script.html\ntags:\n- attack.t1117\n- attack.defense_evasion\n- attack.execution\n- car.2019-04-002\n- car.2019-04-003\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection1:\n Image: \'*\\regsvr32.exe\'\n CommandLine: \'*\\Temp\\\\*\'\n selection2:\n Image: \'*\\regsvr32.exe\'\n ParentImage: \'*\\powershell.exe\'\n selection3:\n Image: \'*\\regsvr32.exe\'\n ParentImage: \'*\\cmd.exe\'\n selection4:\n Image: \'*\\regsvr32.exe\'\n CommandLine:\n - \'*/i:http* scrobj.dll\'\n - \'*/i:ftp* scrobj.dll\'\n selection5:\n Image: \'*\\wscript.exe\'\n ParentImage: \'*\\regsvr32.exe\'\n selection6:\n Image: \'*\\EXCEL.EXE\'\n CommandLine: \'*..\\..\\..\\Windows\\System32\\regsvr32.exe *\'\n condition: 1 of them\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(10411,'Issue',576,15,'T1117'),(10412,'Issue',577,1,'Renamed ZOHO Dctask64'),(10413,'Issue',577,2,'Florian Roth'),(10414,'Issue',577,8,'https://twitter.com/gN3mes1s/status/1222088214581825540\nhttps://twitter.com/gN3mes1s/status/1222095963789111296\nhttps://twitter.com/gN3mes1s/status/1222095371175911424'),(10415,'Issue',577,10,'high'),(10416,'Issue',577,13,'community'),(10417,'Issue',577,14,'windows'),(10419,'Issue',577,11,'393865805'),(10420,'Issue',577,12,'340a090b-c4e9-412e-bb36-b4b16fe96f9b'),(10421,'Issue',577,16,'win-proc'),(10422,'Issue',577,17,''),(10423,'Issue',577,7,''),(10424,'Issue',577,3,'Detects a renamed dctask64.exe used for process injection, command execution, process creation with a signed binary by ZOHO Corporation'),(10425,'Issue',577,4,''),(10426,'Issue',577,5,'_False Positives_\nUnknown yet\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine\nParentImage'),(10427,'Issue',577,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event_data.Imphash:\"6834B1B94E49701D77CCB3C0895E1AFD\" AND (NOT (process.executable.keyword:*\\\\dctask64.exe)))\nindex: so-*\nname: Renamed ZOHO Dctask64\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(10428,'Issue',577,9,'{{collapse(View Sigma)\n\n\ntitle: Renamed ZOHO Dctask64\nid: 340a090b-c4e9-412e-bb36-b4b16fe96f9b\nstatus: experimental\ndescription: Detects a renamed dctask64.exe used for process injection, command execution,\n process creation with a signed binary by ZOHO Corporation\nreferences:\n- https://twitter.com/gN3mes1s/status/1222088214581825540\n- https://twitter.com/gN3mes1s/status/1222095963789111296\n- https://twitter.com/gN3mes1s/status/1222095371175911424\nauthor: Florian Roth\ndate: 2020/01/28\ntags:\n- attack.defense_evasion\n- attack.t1055\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n Imphash: 6834B1B94E49701D77CCB3C0895E1AFD\n filter:\n Image|endswith: \\dctask64.exe\n condition: selection and not filter\nfields:\n- CommandLine\n- ParentCommandLine\n- ParentImage\nfalsepositives:\n- Unknown yet\nlevel: high\n\n
\n}}'),(10429,'Issue',577,15,'T1055'),(10430,'Issue',578,1,'Suspicious Process Start Locations'),(10431,'Issue',578,2,'juju4'),(10432,'Issue',578,8,'https://car.mitre.org/wiki/CAR-2013-05-002'),(10433,'Issue',578,10,'medium'),(10434,'Issue',578,13,'community'),(10435,'Issue',578,14,'windows'),(10437,'Issue',578,11,'a6272c5e4'),(10438,'Issue',578,12,'15b75071-74cc-47e0-b4c6-b43744a62a2b'),(10439,'Issue',578,16,'win-proc'),(10440,'Issue',578,17,''),(10441,'Issue',578,7,''),(10442,'Issue',578,3,'Detects suspicious process run from unusual locations'),(10443,'Issue',578,4,''),(10444,'Issue',578,5,'_False Positives_\nFalse positives depend on scripts and administrative tools used in the monitored environment'),(10445,'Issue',578,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:(*\\:\\\\RECYCLER\\\\* OR *\\:\\\\SystemVolumeInformation\\\\* OR C\\:\\\\Windows\\\\Tasks\\\\* OR C\\:\\\\Windows\\\\debug\\\\* OR C\\:\\\\Windows\\\\fonts\\\\* OR C\\:\\\\Windows\\\\help\\\\* OR C\\:\\\\Windows\\\\drivers\\\\* OR C\\:\\\\Windows\\\\addins\\\\* OR C\\:\\\\Windows\\\\cursors\\\\* OR C\\:\\\\Windows\\\\system32\\\\tasks\\\\*))\nindex: so-*\nname: Suspicious Process Start Locations\npriority: 3\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(10446,'Issue',578,9,'{{collapse(View Sigma)\n\n\ntitle: Suspicious Process Start Locations\nid: 15b75071-74cc-47e0-b4c6-b43744a62a2b\ndescription: Detects suspicious process run from unusual locations\nstatus: experimental\nreferences:\n- https://car.mitre.org/wiki/CAR-2013-05-002\nauthor: juju4\ndate: 2019/01/16\ntags:\n- attack.defense_evasion\n- attack.t1036\n- car.2013-05-002\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n Image:\n - \'*:\\RECYCLER\\\\*\'\n - \'*:\\SystemVolumeInformation\\\\*\'\n - C:\\\\Windows\\\\Tasks\\\\*\n - C:\\\\Windows\\\\debug\\\\*\n - C:\\\\Windows\\\\fonts\\\\*\n - C:\\\\Windows\\\\help\\\\*\n - C:\\\\Windows\\\\drivers\\\\*\n - C:\\\\Windows\\\\addins\\\\*\n - C:\\\\Windows\\\\cursors\\\\*\n - C:\\\\Windows\\\\system32\\tasks\\\\*\n condition: selection\nfalsepositives:\n- False positives depend on scripts and administrative tools used in the monitored\n environment\nlevel: medium\n\n
\n}}'),(10447,'Issue',578,15,'T1036'),(10448,'Issue',579,1,'Suspicious Rundll32 Activity'),(10449,'Issue',579,2,'juju4'),(10450,'Issue',579,8,'http://www.hexacorn.com/blog/2017/05/01/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline/\nhttps://twitter.com/Hexacorn/status/885258886428725250\nhttps://gist.github.com/ryhanson/227229866af52e2d963cf941af135a52'),(10451,'Issue',579,10,'medium'),(10452,'Issue',579,13,'community'),(10453,'Issue',579,14,'windows'),(10455,'Issue',579,11,'c359373f5'),(10456,'Issue',579,12,'e593cf51-88db-4ee1-b920-37e89012a3c9'),(10457,'Issue',579,16,'win-proc'),(10458,'Issue',579,17,''),(10459,'Issue',579,7,''),(10460,'Issue',579,3,'Detects suspicious process related to rundll32 based on arguments'),(10461,'Issue',579,4,''),(10462,'Issue',579,5,'_False Positives_\nFalse positives depend on scripts and administrative tools used in the monitored environment'),(10463,'Issue',579,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(*\\\\rundll32.exe*\\ url.dll,*OpenURL\\ * OR *\\\\rundll32.exe*\\ url.dll,*OpenURLA\\ * OR *\\\\rundll32.exe*\\ url.dll,*FileProtocolHandler\\ * OR *\\\\rundll32.exe*\\ zipfldr.dll,*RouteTheCall\\ * OR *\\\\rundll32.exe*\\ Shell32.dll,*Control_RunDLL\\ * OR *\\\\rundll32.exe\\ javascript\\:* OR *\\ url.dll,*OpenURL\\ * OR *\\ url.dll,*OpenURLA\\ * OR *\\ url.dll,*FileProtocolHandler\\ * OR *\\ zipfldr.dll,*RouteTheCall\\ * OR *\\ Shell32.dll,*Control_RunDLL\\ * OR *\\ javascript\\:* OR *.RegisterXLL*))\nindex: so-*\nname: Suspicious Rundll32 Activity\npriority: 3\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(10464,'Issue',579,9,'{{collapse(View Sigma)\n\n\ntitle: Suspicious Rundll32 Activity\nid: e593cf51-88db-4ee1-b920-37e89012a3c9\ndescription: Detects suspicious process related to rundll32 based on arguments\nstatus: experimental\nreferences:\n- http://www.hexacorn.com/blog/2017/05/01/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline/\n- https://twitter.com/Hexacorn/status/885258886428725250\n- https://gist.github.com/ryhanson/227229866af52e2d963cf941af135a52\ntags:\n- attack.defense_evasion\n- attack.execution\n- attack.t1085\nauthor: juju4\ndate: 2019/01/16\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n CommandLine:\n - \'*\\rundll32.exe* url.dll,*OpenURL *\'\n - \'*\\rundll32.exe* url.dll,*OpenURLA *\'\n - \'*\\rundll32.exe* url.dll,*FileProtocolHandler *\'\n - \'*\\rundll32.exe* zipfldr.dll,*RouteTheCall *\'\n - \'*\\rundll32.exe* Shell32.dll,*Control_RunDLL *\'\n - \'*\\rundll32.exe javascript:*\'\n - \'* url.dll,*OpenURL *\'\n - \'* url.dll,*OpenURLA *\'\n - \'* url.dll,*FileProtocolHandler *\'\n - \'* zipfldr.dll,*RouteTheCall *\'\n - \'* Shell32.dll,*Control_RunDLL *\'\n - \'* javascript:*\'\n - \'*.RegisterXLL*\'\n condition: selection\nfalsepositives:\n- False positives depend on scripts and administrative tools used in the monitored\n environment\nlevel: medium\n\n
\n}}'),(10465,'Issue',579,15,'T1085'),(10466,'Issue',580,1,'Suspicious Call by Ordinal'),(10467,'Issue',580,2,'Florian Roth'),(10468,'Issue',580,8,'https://techtalk.pcmatic.com/2017/11/30/running-dll-files-malware-analysis/\nhttps://github.com/Neo23x0/DLLRunner\nhttps://twitter.com/cyb3rops/status/1186631731543236608'),(10469,'Issue',580,10,'high'),(10470,'Issue',580,13,'community'),(10471,'Issue',580,14,'windows'),(10473,'Issue',580,11,'b8fe700a1'),(10474,'Issue',580,12,'e79a9e79-eb72-4e78-a628-0e7e8f59e89c'),(10475,'Issue',580,16,'win-proc'),(10476,'Issue',580,17,''),(10477,'Issue',580,7,''),(10478,'Issue',580,3,'Detects suspicious calls of DLLs in rundll32.dll exports by ordinal'),(10479,'Issue',580,4,''),(10480,'Issue',580,5,'_False Positives_\nFalse positives depend on scripts and administrative tools used in the monitored environment\nWindows contol panel elements have been identified as source (mmc)'),(10481,'Issue',580,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:*\\\\rundll32.exe\\ *,#*)\nindex: so-*\nname: Suspicious Call by Ordinal\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(10482,'Issue',580,9,'{{collapse(View Sigma)\n\n\ntitle: Suspicious Call by Ordinal\nid: e79a9e79-eb72-4e78-a628-0e7e8f59e89c\ndescription: Detects suspicious calls of DLLs in rundll32.dll exports by ordinal\nstatus: experimental\nreferences:\n- https://techtalk.pcmatic.com/2017/11/30/running-dll-files-malware-analysis/\n- https://github.com/Neo23x0/DLLRunner\n- https://twitter.com/cyb3rops/status/1186631731543236608\ntags:\n- attack.defense_evasion\n- attack.execution\n- attack.t1085\nauthor: Florian Roth\ndate: 2019/10/22\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n CommandLine: \'*\\rundll32.exe *,#*\'\n condition: selection\nfalsepositives:\n- False positives depend on scripts and administrative tools used in the monitored\n environment\n- Windows contol panel elements have been identified as source (mmc)\nlevel: high\n\n
\n}}'),(10483,'Issue',580,15,'T1085'),(10484,'Issue',581,1,'Scheduled Task Creation'),(10485,'Issue',581,2,'Florian Roth'),(10486,'Issue',581,8,'none'),(10487,'Issue',581,10,'low'),(10488,'Issue',581,13,'community'),(10489,'Issue',581,14,'windows'),(10491,'Issue',581,11,'337aa5b57'),(10492,'Issue',581,12,'92626ddd-662c-49e3-ac59-f6535f12d189'),(10493,'Issue',581,16,'win-proc'),(10494,'Issue',581,17,''),(10495,'Issue',581,7,''),(10496,'Issue',581,3,'Detects the creation of scheduled tasks in user session'),(10497,'Issue',581,4,''),(10498,'Issue',581,5,'_False Positives_\nAdministrative activity\nSoftware installation\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(10499,'Issue',581,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (process.executable.keyword:*\\\\schtasks.exe AND process.command_line.keyword:*\\ \\/create\\ *) AND (NOT (event_data.User:\"NT\\ AUTHORITY\\\\SYSTEM\")))\nindex: so-*\nname: Scheduled Task Creation\npriority: 4\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(10500,'Issue',581,9,'{{collapse(View Sigma)\n\n\ntitle: Scheduled Task Creation\nid: 92626ddd-662c-49e3-ac59-f6535f12d189\nstatus: experimental\ndescription: Detects the creation of scheduled tasks in user session\nauthor: Florian Roth\ndate: 2019/01/16\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n Image: \'*\\schtasks.exe\'\n CommandLine: \'* /create *\'\n filter:\n User: NT AUTHORITY\\SYSTEM\n condition: selection and not filter\nfields:\n- CommandLine\n- ParentCommandLine\ntags:\n- attack.execution\n- attack.persistence\n- attack.privilege_escalation\n- attack.t1053\n- attack.s0111\n- car.2013-08-001\nfalsepositives:\n- Administrative activity\n- Software installation\nlevel: low\n\n
\n}}'),(10501,'Issue',581,15,'T1053'),(10502,'Issue',582,1,'WSF/JSE/JS/VBA/VBE File Execution'),(10503,'Issue',582,2,'Michael Haag'),(10504,'Issue',582,8,'none'),(10505,'Issue',582,10,'medium'),(10506,'Issue',582,13,'community'),(10507,'Issue',582,14,'windows'),(10509,'Issue',582,11,'6ed3e4c86'),(10510,'Issue',582,12,'1e33157c-53b1-41ad-bbcc-780b80b58288'),(10511,'Issue',582,16,'win-proc'),(10512,'Issue',582,17,''),(10513,'Issue',582,7,''),(10514,'Issue',582,3,'Detects suspicious file execution by wscript and cscript'),(10515,'Issue',582,4,''),(10516,'Issue',582,5,'_False Positives_\nWill need to be tuned. I recommend adding the user profile path in CommandLine if it is getting too noisy.\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(10517,'Issue',582,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:(*\\\\wscript.exe OR *\\\\cscript.exe) AND process.command_line.keyword:(*.jse OR *.vbe OR *.js OR *.vba))\nindex: so-*\nname: WSF/JSE/JS/VBA/VBE File Execution\npriority: 3\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(10518,'Issue',582,9,'{{collapse(View Sigma)\n\n\ntitle: WSF/JSE/JS/VBA/VBE File Execution\nid: 1e33157c-53b1-41ad-bbcc-780b80b58288\nstatus: experimental\ndescription: Detects suspicious file execution by wscript and cscript\nauthor: Michael Haag\ndate: 2019/01/16\ntags:\n- attack.execution\n- attack.t1064\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n Image:\n - \'*\\wscript.exe\'\n - \'*\\cscript.exe\'\n CommandLine:\n - \'*.jse\'\n - \'*.vbe\'\n - \'*.js\'\n - \'*.vba\'\n condition: selection\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Will need to be tuned. I recommend adding the user profile path in CommandLine if\n it is getting too noisy.\nlevel: medium\n\n
\n}}'),(10519,'Issue',582,15,'T1064'),(10520,'Issue',583,1,'Suspicious Service Path Modification'),(10521,'Issue',583,2,'Victor Sergeev, oscd.community'),(10522,'Issue',583,8,'https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1031/T1031.yaml'),(10523,'Issue',583,10,'high'),(10524,'Issue',583,13,'community'),(10525,'Issue',583,14,'windows'),(10527,'Issue',583,11,'4809892f5'),(10528,'Issue',583,12,'138d3531-8793-4f50-a2cd-f291b2863d78'),(10529,'Issue',583,16,'win-proc'),(10530,'Issue',583,17,''),(10531,'Issue',583,7,''),(10532,'Issue',583,3,'Detects service path modification to powershell/cmd'),(10533,'Issue',583,4,''),(10534,'Issue',583,5,'_False Positives_\nUnknown\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(10535,'Issue',583,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\sc.exe AND process.command_line.keyword:*config* AND process.command_line.keyword:*binpath* AND process.command_line.keyword:(*powershell* OR *cmd*))\nindex: so-*\nname: Suspicious Service Path Modification\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(10536,'Issue',583,9,'{{collapse(View Sigma)\n\n\ntitle: Suspicious Service Path Modification\nid: 138d3531-8793-4f50-a2cd-f291b2863d78\ndescription: Detects service path modification to powershell/cmd\nstatus: experimental\nreferences:\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1031/T1031.yaml\ntags:\n- attack.persistence\n- attack.t1031\ndate: 2019/10/21\nmodified: 2019/11/10\nauthor: Victor Sergeev, oscd.community\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_1:\n Image|endswith: \\sc.exe\n CommandLine|contains|all:\n - config\n - binpath\n selection_2:\n CommandLine|contains:\n - powershell\n - cmd\n condition: selection_1 and selection_2\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(10537,'Issue',583,15,'T1031'),(10538,'Issue',584,1,'Squirrel Lolbin'),(10539,'Issue',584,2,'Karneades / Markus Neis'),(10540,'Issue',584,8,'http://www.hexacorn.com/blog/2019/03/30/sqirrel-packages-manager-as-a-lolbin-a-k-a-many-electron-apps-are-lolbins-by-default/\nhttp://www.hexacorn.com/blog/2018/08/16/squirrel-as-a-lolbin/'),(10541,'Issue',584,10,'high'),(10542,'Issue',584,13,'community'),(10543,'Issue',584,14,'windows'),(10544,'Issue',584,15,''),(10545,'Issue',584,11,'820e704e9'),(10546,'Issue',584,12,'fa4b21c9-0057-4493-b289-2556416ae4d7'),(10547,'Issue',584,16,'win-proc'),(10548,'Issue',584,17,''),(10549,'Issue',584,7,''),(10550,'Issue',584,3,'Detects Possible Squirrel Packages Manager as Lolbin'),(10551,'Issue',584,4,''),(10552,'Issue',584,5,'_False Positives_\n1Clipboard\nBeaker Browser\nCaret\nCollectie\nDiscord\nFigma\nFlow\nGhost\nGitHub Desktop\nGitKraken\nHyper\nInsomnia\nJIBO\nKap\nKitematic\nNow Desktop\nPostman\nPostmanCanary\nRambox\nSimplenote\nSkype\nSlack\nSourceTree\nStride\nSvgsus\nWebTorrent\nWhatsApp\nWordPress.com\natom\ngitkraken\nslack\nteams'),(10553,'Issue',584,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:(*\\\\update.exe) AND process.command_line.keyword:(*\\-\\-processStart*.exe* OR *\\-\\-processStartAndWait*.exe* OR *\\-\\-createShortcut*.exe*))\nindex: so-*\nname: Squirrel Lolbin\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(10554,'Issue',584,9,'{{collapse(View Sigma)\n\n\ntitle: Squirrel Lolbin\nid: fa4b21c9-0057-4493-b289-2556416ae4d7\nstatus: experimental\ndescription: Detects Possible Squirrel Packages Manager as Lolbin\nreferences:\n- http://www.hexacorn.com/blog/2019/03/30/sqirrel-packages-manager-as-a-lolbin-a-k-a-many-electron-apps-are-lolbins-by-default/\n- http://www.hexacorn.com/blog/2018/08/16/squirrel-as-a-lolbin/\ntags:\n- attack.execution\nauthor: Karneades / Markus Neis\ndate: 2019/11/12\nfalsepositives:\n- 1Clipboard\n- Beaker Browser\n- Caret\n- Collectie\n- Discord\n- Figma\n- Flow\n- Ghost\n- GitHub Desktop\n- GitKraken\n- Hyper\n- Insomnia\n- JIBO\n- Kap\n- Kitematic\n- Now Desktop\n- Postman\n- PostmanCanary\n- Rambox\n- Simplenote\n- Skype\n- Slack\n- SourceTree\n- Stride\n- Svgsus\n- WebTorrent\n- WhatsApp\n- WordPress.com\n- atom\n- gitkraken\n- slack\n- teams\nlevel: high\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n Image:\n - \'*\\update.exe\'\n CommandLine:\n - \'*--processStart*.exe*\'\n - \'*--processStartAndWait*.exe*\'\n - \'*--createShortcut*.exe*\'\n condition: selection\n\n
\n}}'),(10555,'Issue',585,1,'Suspicious Svchost Process'),(10556,'Issue',585,2,'Florian Roth'),(10557,'Issue',585,8,'none'),(10558,'Issue',585,10,'high'),(10559,'Issue',585,13,'community'),(10560,'Issue',585,14,'windows'),(10562,'Issue',585,11,'e79b5ce03'),(10563,'Issue',585,12,'01d2e2a1-5f09-44f7-9fc1-24faa7479b6d'),(10564,'Issue',585,16,'win-proc'),(10565,'Issue',585,17,''),(10566,'Issue',585,7,''),(10567,'Issue',585,3,'Detects a suspicious svchost process start'),(10568,'Issue',585,4,''),(10569,'Issue',585,5,'_False Positives_\nUnknown\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(10570,'Issue',585,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (process.executable.keyword:*\\\\svchost.exe AND (NOT (process.parent.executable.keyword:(*\\\\services.exe OR *\\\\MsMpEng.exe OR *\\\\Mrt.exe OR *\\\\rpcnet.exe OR *\\\\svchost.exe)))) AND (NOT (NOT _exists_:process.parent.executable)))\nindex: so-*\nname: Suspicious Svchost Process\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(10571,'Issue',585,9,'{{collapse(View Sigma)\n\n\ntitle: Suspicious Svchost Process\nid: 01d2e2a1-5f09-44f7-9fc1-24faa7479b6d\nstatus: experimental\ndescription: Detects a suspicious svchost process start\ntags:\n- attack.defense_evasion\n- attack.t1036\nauthor: Florian Roth\ndate: 2017/08/15\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n Image: \'*\\svchost.exe\'\n filter:\n ParentImage:\n - \'*\\services.exe\'\n - \'*\\MsMpEng.exe\'\n - \'*\\Mrt.exe\'\n - \'*\\rpcnet.exe\'\n - \'*\\svchost.exe\'\n filter_null:\n ParentImage:\n condition: selection and not filter and not filter_null\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(10572,'Issue',585,15,'T1036'),(10573,'Issue',586,1,'Suspect Svchost Activity'),(10574,'Issue',586,2,'David Burkett'),(10575,'Issue',586,8,'https://securitybytes.io/blue-team-fundamentals-part-two-windows-processes-759fe15965e2'),(10576,'Issue',586,10,'critical'),(10577,'Issue',586,13,'community'),(10578,'Issue',586,14,'windows'),(10580,'Issue',586,11,'df188a171'),(10581,'Issue',586,12,'16c37b52-b141-42a5-a3ea-bbe098444397'),(10582,'Issue',586,16,'win-proc'),(10583,'Issue',586,17,''),(10584,'Issue',586,7,''),(10585,'Issue',586,3,'It is extremely abnormal for svchost.exe to spawn without any CLI arguments and is normally observed when a malicious process spawns the process and injects code into the process memory space.'),(10586,'Issue',586,4,''),(10587,'Issue',586,5,'_False Positives_\nrpcnet.exe / rpcnetp.exe which is a lojack style software. https://www.blackhat.com/docs/us-14/materials/us-14-Kamlyuk-Kamluk-Computrace-Backdoor-Revisited.pdf\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(10588,'Issue',586,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND NOT _exists_:process.command_line AND process.executable.keyword:*\\\\svchost.exe) AND (NOT (process.parent.executable.keyword:(*\\\\rpcnet.exe OR *\\\\rpcnetp.exe))))\nindex: so-*\nname: Suspect Svchost Activity\npriority: 1\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(10589,'Issue',586,9,'{{collapse(View Sigma)\n\n\ntitle: Suspect Svchost Activity\nid: 16c37b52-b141-42a5-a3ea-bbe098444397\nstatus: experimental\ndescription: It is extremely abnormal for svchost.exe to spawn without any CLI arguments\n and is normally observed when a malicious process spawns the process and injects\n code into the process memory space.\nreferences:\n- https://securitybytes.io/blue-team-fundamentals-part-two-windows-processes-759fe15965e2\nauthor: David Burkett\ndate: 2019/12/28\ntags:\n- attack.t1055\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection1:\n CommandLine:\n selection2:\n Image: \'*\\svchost.exe\'\n filter:\n ParentImage:\n - \'*\\rpcnet.exe\'\n - \'*\\rpcnetp.exe\'\n condition: (selection1 and selection2) and not filter\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- rpcnet.exe / rpcnetp.exe which is a lojack style software. https://www.blackhat.com/docs/us-14/materials/us-14-Kamlyuk-Kamluk-Computrace-Backdoor-Revisited.pdf\nlevel: critical\n\n
\n}}'),(10590,'Issue',586,15,'T1055'),(10591,'Issue',587,1,'Sysprep on AppData Folder'),(10592,'Issue',587,2,'Florian Roth'),(10593,'Issue',587,8,'https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets\nhttps://app.any.run/tasks/61a296bb-81ad-4fee-955f-3b399f4aaf4b'),(10594,'Issue',587,10,'medium'),(10595,'Issue',587,13,'community'),(10596,'Issue',587,14,'windows'),(10597,'Issue',587,15,''),(10598,'Issue',587,11,'ec7672eaa'),(10599,'Issue',587,12,'d5b9ae7a-e6fc-405e-80ff-2ff9dcc64e7e'),(10600,'Issue',587,16,'win-proc'),(10601,'Issue',587,17,''),(10602,'Issue',587,7,''),(10603,'Issue',587,3,'Detects suspicious sysprep process start with AppData folder as target (as used by Trojan Syndicasec in Thrip report by Symantec)'),(10604,'Issue',587,4,''),(10605,'Issue',587,5,'_False Positives_\nFalse positives depend on scripts and administrative tools used in the monitored environment'),(10606,'Issue',587,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(*\\\\sysprep.exe\\ *\\\\AppData\\\\* OR sysprep.exe\\ *\\\\AppData\\\\*))\nindex: so-*\nname: Sysprep on AppData Folder\npriority: 3\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(10607,'Issue',587,9,'{{collapse(View Sigma)\n\n\ntitle: Sysprep on AppData Folder\nid: d5b9ae7a-e6fc-405e-80ff-2ff9dcc64e7e\nstatus: experimental\ndescription: Detects suspicious sysprep process start with AppData folder as target\n (as used by Trojan Syndicasec in Thrip report by Symantec)\nreferences:\n- https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets\n- https://app.any.run/tasks/61a296bb-81ad-4fee-955f-3b399f4aaf4b\ntags:\n- attack.execution\nauthor: Florian Roth\ndate: 2018/06/22\nmodified: 2018/12/11\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n CommandLine:\n - \'*\\sysprep.exe *\\AppData\\\\*\'\n - sysprep.exe *\\AppData\\\\*\n condition: selection\nfalsepositives:\n- False positives depend on scripts and administrative tools used in the monitored\n environment\nlevel: medium\n\n
\n}}'),(10608,'Issue',588,1,'Suspicious SYSVOL Domain Group Policy Access'),(10609,'Issue',588,2,'Markus Neis'),(10610,'Issue',588,8,'https://adsecurity.org/?p=2288\nhttps://www.hybrid-analysis.com/sample/f2943f5e45befa52fb12748ca7171d30096e1d4fc3c365561497c618341299d5?environmentId=100'),(10611,'Issue',588,10,'medium'),(10612,'Issue',588,13,'community'),(10613,'Issue',588,14,'windows'),(10615,'Issue',588,11,'3587e5ee1'),(10616,'Issue',588,12,'05f3c945-dcc8-4393-9f3d-af65077a8f86'),(10617,'Issue',588,16,'win-proc'),(10618,'Issue',588,17,''),(10619,'Issue',588,7,''),(10620,'Issue',588,3,'Detects Access to Domain Group Policies stored in SYSVOL'),(10621,'Issue',588,4,''),(10622,'Issue',588,5,'_False Positives_\nadministrative activity'),(10623,'Issue',588,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:*\\\\SYSVOL\\\\*\\\\policies\\\\*)\nindex: so-*\nname: Suspicious SYSVOL Domain Group Policy Access\npriority: 3\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(10624,'Issue',588,9,'{{collapse(View Sigma)\n\n\ntitle: Suspicious SYSVOL Domain Group Policy Access\nid: 05f3c945-dcc8-4393-9f3d-af65077a8f86\nstatus: experimental\ndescription: Detects Access to Domain Group Policies stored in SYSVOL\nreferences:\n- https://adsecurity.org/?p=2288\n- https://www.hybrid-analysis.com/sample/f2943f5e45befa52fb12748ca7171d30096e1d4fc3c365561497c618341299d5?environmentId=100\nauthor: Markus Neis\ndate: 2018/04/09\nmodified: 2018/12/11\ntags:\n- attack.credential_access\n- attack.t1003\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n CommandLine: \'*\\SYSVOL\\\\*\\policies\\\\*\'\n condition: selection\nfalsepositives:\n- administrative activity\nlevel: medium\n\n
\n}}'),(10625,'Issue',588,15,'T1003'),(10626,'Issue',589,1,'Taskmgr as LOCAL_SYSTEM'),(10627,'Issue',589,2,'Florian Roth'),(10628,'Issue',589,8,'none'),(10629,'Issue',589,10,'high'),(10630,'Issue',589,13,'community'),(10631,'Issue',589,14,'windows'),(10633,'Issue',589,11,'6bcf5f333'),(10634,'Issue',589,12,'9fff585c-c33e-4a86-b3cd-39312079a65f'),(10635,'Issue',589,16,'win-proc'),(10636,'Issue',589,17,''),(10637,'Issue',589,7,''),(10638,'Issue',589,3,'Detects the creation of taskmgr.exe process in context of LOCAL_SYSTEM'),(10639,'Issue',589,4,''),(10640,'Issue',589,5,'_False Positives_\nUnkown'),(10641,'Issue',589,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event_data.User:\"NT\\ AUTHORITY\\\\SYSTEM\" AND process.executable.keyword:*\\\\taskmgr.exe)\nindex: so-*\nname: Taskmgr as LOCAL_SYSTEM\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(10642,'Issue',589,9,'{{collapse(View Sigma)\n\n\ntitle: Taskmgr as LOCAL_SYSTEM\nid: 9fff585c-c33e-4a86-b3cd-39312079a65f\nstatus: experimental\ndescription: Detects the creation of taskmgr.exe process in context of LOCAL_SYSTEM\ntags:\n- attack.defense_evasion\n- attack.t1036\nauthor: Florian Roth\ndate: 2018/03/18\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n User: NT AUTHORITY\\SYSTEM\n Image: \'*\\taskmgr.exe\'\n condition: selection\nfalsepositives:\n- Unkown\nlevel: high\n\n
\n}}'),(10643,'Issue',589,15,'T1036'),(10644,'Issue',590,1,'Taskmgr as Parent'),(10645,'Issue',590,2,'Florian Roth'),(10646,'Issue',590,8,'none'),(10647,'Issue',590,10,'low'),(10648,'Issue',590,13,'community'),(10649,'Issue',590,14,'windows'),(10651,'Issue',590,11,'0181905d0'),(10652,'Issue',590,12,'3d7679bd-0c00-440c-97b0-3f204273e6c7'),(10653,'Issue',590,16,'win-proc'),(10654,'Issue',590,17,''),(10655,'Issue',590,7,''),(10656,'Issue',590,3,'Detects the creation of a process from Windows task manager'),(10657,'Issue',590,4,''),(10658,'Issue',590,5,'_False Positives_\nAdministrative activity\n\n_Interesting Log Fields_\nImage\nCommandLine\nParentCommandLine'),(10659,'Issue',590,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.parent.executable.keyword:*\\\\taskmgr.exe AND (NOT (process.executable.keyword:(*\\\\resmon.exe OR *\\\\mmc.exe OR *\\\\taskmgr.exe))))\nindex: so-*\nname: Taskmgr as Parent\npriority: 4\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(10660,'Issue',590,9,'{{collapse(View Sigma)\n\n\ntitle: Taskmgr as Parent\nid: 3d7679bd-0c00-440c-97b0-3f204273e6c7\nstatus: experimental\ndescription: Detects the creation of a process from Windows task manager\ntags:\n- attack.defense_evasion\n- attack.t1036\nauthor: Florian Roth\ndate: 2018/03/13\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n ParentImage: \'*\\taskmgr.exe\'\n filter:\n Image:\n - \'*\\resmon.exe\'\n - \'*\\mmc.exe\'\n - \'*\\taskmgr.exe\'\n condition: selection and not filter\nfields:\n- Image\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Administrative activity\nlevel: low\n\n
\n}}'),(10661,'Issue',590,15,'T1036'),(10662,'Issue',591,1,'Suspicious TSCON Start'),(10663,'Issue',591,2,'Florian Roth'),(10664,'Issue',591,8,'http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html\nhttps://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6'),(10665,'Issue',591,10,'high'),(10666,'Issue',591,13,'community'),(10667,'Issue',591,14,'windows'),(10669,'Issue',591,11,'884abbf53'),(10670,'Issue',591,12,'9847f263-4a81-424f-970c-875dab15b79b'),(10671,'Issue',591,16,'win-proc'),(10672,'Issue',591,17,''),(10673,'Issue',591,7,''),(10674,'Issue',591,3,'Detects a tscon.exe start as LOCAL SYSTEM'),(10675,'Issue',591,4,''),(10676,'Issue',591,5,'_False Positives_\nUnknown'),(10677,'Issue',591,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event_data.User:\"NT\\ AUTHORITY\\\\SYSTEM\" AND process.executable.keyword:*\\\\tscon.exe)\nindex: so-*\nname: Suspicious TSCON Start\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(10678,'Issue',591,9,'{{collapse(View Sigma)\n\n\ntitle: Suspicious TSCON Start\nid: 9847f263-4a81-424f-970c-875dab15b79b\nstatus: experimental\ndescription: Detects a tscon.exe start as LOCAL SYSTEM\nreferences:\n- http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html\n- https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6\nauthor: Florian Roth\ndate: 2018/03/17\ntags:\n- attack.command_and_control\n- attack.t1219\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n User: NT AUTHORITY\\SYSTEM\n Image: \'*\\tscon.exe\'\n condition: selection\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(10679,'Issue',591,15,'T1219'),(10680,'Issue',592,1,'Suspicious RDP Redirect Using TSCON'),(10681,'Issue',592,2,'Florian Roth'),(10682,'Issue',592,8,'http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html\nhttps://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6'),(10683,'Issue',592,10,'high'),(10684,'Issue',592,13,'community'),(10685,'Issue',592,14,'windows'),(10687,'Issue',592,11,'0ad8fd2d6'),(10688,'Issue',592,12,'f72aa3e8-49f9-4c7d-bd74-f8ab84ff9bbb'),(10689,'Issue',592,16,'win-proc'),(10690,'Issue',592,17,''),(10691,'Issue',592,7,''),(10692,'Issue',592,3,'Detects a suspicious RDP session redirect using tscon.exe'),(10693,'Issue',592,4,''),(10694,'Issue',592,5,'_False Positives_\nUnknown'),(10695,'Issue',592,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:*\\ \\/dest\\:rdp\\-tcp\\:*)\nindex: so-*\nname: Suspicious RDP Redirect Using TSCON\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(10696,'Issue',592,9,'{{collapse(View Sigma)\n\n\ntitle: Suspicious RDP Redirect Using TSCON\nid: f72aa3e8-49f9-4c7d-bd74-f8ab84ff9bbb\nstatus: experimental\ndescription: Detects a suspicious RDP session redirect using tscon.exe\nreferences:\n- http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html\n- https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6\ntags:\n- attack.lateral_movement\n- attack.privilege_escalation\n- attack.t1076\n- car.2013-07-002\nauthor: Florian Roth\ndate: 2018/03/17\nmodified: 2018/12/11\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n CommandLine: \'* /dest:rdp-tcp:*\'\n condition: selection\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(10697,'Issue',592,15,'T1076'),(10698,'Issue',593,1,'Suspicious Use of CSharp Interactive Console'),(10699,'Issue',593,2,'Michael R. (@nahamike01)'),(10700,'Issue',593,8,'https://redcanary.com/blog/detecting-attacks-leveraging-the-net-framework/'),(10701,'Issue',593,10,'high'),(10702,'Issue',593,13,'community'),(10703,'Issue',593,14,'windows'),(10705,'Issue',593,11,'b2533edff'),(10706,'Issue',593,12,'a9e416a8-e613-4f8b-88b8-a7d1d1af2f61'),(10707,'Issue',593,16,'win-proc'),(10708,'Issue',593,17,''),(10709,'Issue',593,7,''),(10710,'Issue',593,3,'Detects the execution of CSharp interactive console by PowerShell'),(10711,'Issue',593,4,''),(10712,'Issue',593,5,'_False Positives_\nPossible depending on environment. Pair with other factors such as net connections, command-line args, etc.'),(10713,'Issue',593,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\csi.exe AND process.parent.executable.keyword:*\\\\powershell.exe AND OriginalFileName:\"csi.exe\")\nindex: so-*\nname: Suspicious Use of CSharp Interactive Console\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(10714,'Issue',593,9,'{{collapse(View Sigma)\n\n\ntitle: Suspicious Use of CSharp Interactive Console\nid: a9e416a8-e613-4f8b-88b8-a7d1d1af2f61\nstatus: experimental\ndescription: Detects the execution of CSharp interactive console by PowerShell\nreferences:\n- https://redcanary.com/blog/detecting-attacks-leveraging-the-net-framework/\nauthor: Michael R. (@nahamike01)\ndate: 2020/03/08\ntags:\n- attack.execution\n- attack.t1127\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n Image|endswith: \\csi.exe\n ParentImage|endswith: \\powershell.exe\n OriginalFileName: csi.exe\n condition: selection\nfalsepositives:\n- Possible depending on environment. Pair with other factors such as net connections,\n command-line args, etc.\nlevel: high\n\n
\n}}'),(10715,'Issue',593,15,'T1127'),(10716,'Issue',594,1,'Suspicious Userinit Child Process'),(10717,'Issue',594,2,'Florian Roth (rule), Samir Bousseaden (idea)'),(10718,'Issue',594,8,'https://twitter.com/SBousseaden/status/1139811587760562176'),(10719,'Issue',594,10,'medium'),(10720,'Issue',594,13,'community'),(10721,'Issue',594,14,'windows'),(10722,'Issue',594,15,''),(10723,'Issue',594,11,'afd4cadf2'),(10724,'Issue',594,12,'b655a06a-31c0-477a-95c2-3726b83d649d'),(10725,'Issue',594,16,'win-proc'),(10726,'Issue',594,17,''),(10727,'Issue',594,7,''),(10728,'Issue',594,3,'Detects a suspicious child process of userinit'),(10729,'Issue',594,4,''),(10730,'Issue',594,5,'_False Positives_\nAdministrative scripts\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(10731,'Issue',594,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (process.parent.executable.keyword:*\\\\userinit.exe AND (NOT (process.command_line.keyword:*\\\\netlogon\\\\*))) AND (NOT (process.executable.keyword:*\\\\explorer.exe)))\nindex: so-*\nname: Suspicious Userinit Child Process\npriority: 3\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(10732,'Issue',594,9,'{{collapse(View Sigma)\n\n\ntitle: Suspicious Userinit Child Process\nid: b655a06a-31c0-477a-95c2-3726b83d649d\nstatus: experimental\ndescription: Detects a suspicious child process of userinit\nreferences:\n- https://twitter.com/SBousseaden/status/1139811587760562176\nauthor: Florian Roth (rule), Samir Bousseaden (idea)\ndate: 2019/06/17\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n ParentImage: \'*\\userinit.exe\'\n filter1:\n CommandLine: \'*\\\\netlogon\\\\*\'\n filter2:\n Image: \'*\\explorer.exe\'\n condition: selection and not filter1 and not filter2\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Administrative scripts\nlevel: medium\n\n
\n}}'),(10733,'Issue',595,1,'Whoami Execution'),(10734,'Issue',595,2,'Florian Roth'),(10735,'Issue',595,8,'https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/\nhttps://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/'),(10736,'Issue',595,10,'high'),(10737,'Issue',595,13,'community'),(10738,'Issue',595,14,'windows'),(10740,'Issue',595,11,'28ff9a2dc'),(10741,'Issue',595,12,'e28a5a99-da44-436d-b7a0-2afc20a5f413'),(10742,'Issue',595,16,'win-proc'),(10743,'Issue',595,17,''),(10744,'Issue',595,7,''),(10745,'Issue',595,3,'Detects the execution of whoami, which is often used by attackers after exloitation / privilege escalation but rarely used by administrators'),(10746,'Issue',595,4,''),(10747,'Issue',595,5,'_False Positives_\nAdmin activity\nScripts and administrative tools used in the monitored environment'),(10748,'Issue',595,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND (process.executable.keyword:*\\\\whoami.exe OR OriginalFileName:\"whoami.exe\"))\nindex: so-*\nname: Whoami Execution\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(10749,'Issue',595,9,'{{collapse(View Sigma)\n\n\ntitle: Whoami Execution\nid: e28a5a99-da44-436d-b7a0-2afc20a5f413\nstatus: experimental\ndescription: Detects the execution of whoami, which is often used by attackers after\n exloitation / privilege escalation but rarely used by administrators\nreferences:\n- https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/\n- https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/\nauthor: Florian Roth\ndate: 2018/08/13\ntags:\n- attack.discovery\n- attack.t1033\n- car.2016-03-001\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n Image: \'*\\whoami.exe\'\n selection2:\n OriginalFileName: whoami.exe\n condition: selection or selection2\nfalsepositives:\n- Admin activity\n- Scripts and administrative tools used in the monitored environment\nlevel: high\n\n
\n}}'),(10750,'Issue',595,15,'T1033'),(10751,'Issue',596,1,'Suspicious WMI Execution'),(10752,'Issue',596,2,'Michael Haag, Florian Roth, juju4'),(10753,'Issue',596,8,'https://digital-forensics.sans.org/blog/2010/06/04/wmic-draft/\nhttps://www.hybrid-analysis.com/sample/4be06ecd234e2110bd615649fe4a6fa95403979acf889d7e45a78985eb50acf9?environmentId=1\nhttps://blog.malwarebytes.com/threat-analysis/2016/04/rokku-ransomware/'),(10754,'Issue',596,10,'medium'),(10755,'Issue',596,13,'community'),(10756,'Issue',596,14,'windows'),(10758,'Issue',596,11,'c641d0d76'),(10759,'Issue',596,12,'526be59f-a573-4eea-b5f7-f0973207634d'),(10760,'Issue',596,16,'win-proc'),(10761,'Issue',596,17,''),(10762,'Issue',596,7,''),(10763,'Issue',596,3,'Detects WMI executing suspicious commands'),(10764,'Issue',596,4,''),(10765,'Issue',596,5,'_False Positives_\nWill need to be tuned\nIf using Splunk, I recommend | stats count by Computer,CommandLine following for easy hunting by Computer/CommandLine.\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(10766,'Issue',596,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:(*\\\\wmic.exe) AND process.command_line.keyword:(*\\/NODE\\:*process\\ call\\ create\\ * OR *\\ path\\ AntiVirusProduct\\ get\\ * OR *\\ path\\ FirewallProduct\\ get\\ * OR *\\ shadowcopy\\ delete\\ *))\nindex: so-*\nname: Suspicious WMI Execution\npriority: 3\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(10767,'Issue',596,9,'{{collapse(View Sigma)\n\n\ntitle: Suspicious WMI Execution\nid: 526be59f-a573-4eea-b5f7-f0973207634d\nstatus: experimental\ndescription: Detects WMI executing suspicious commands\nreferences:\n- https://digital-forensics.sans.org/blog/2010/06/04/wmic-draft/\n- https://www.hybrid-analysis.com/sample/4be06ecd234e2110bd615649fe4a6fa95403979acf889d7e45a78985eb50acf9?environmentId=1\n- https://blog.malwarebytes.com/threat-analysis/2016/04/rokku-ransomware/\nauthor: Michael Haag, Florian Roth, juju4\ndate: 2019/01/16\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n Image:\n - \'*\\wmic.exe\'\n CommandLine:\n - \'*/NODE:*process call create *\'\n - \'* path AntiVirusProduct get *\'\n - \'* path FirewallProduct get *\'\n - \'* shadowcopy delete *\'\n condition: selection\nfields:\n- CommandLine\n- ParentCommandLine\ntags:\n- attack.execution\n- attack.t1047\n- car.2016-03-002\nfalsepositives:\n- Will need to be tuned\n- If using Splunk, I recommend | stats count by Computer,CommandLine following for\n easy hunting by Computer/CommandLine.\nlevel: medium\n\n
\n}}'),(10768,'Issue',596,15,'T1047'),(10769,'Issue',597,1,'Sysmon Driver Unload'),(10770,'Issue',597,2,'Kirill Kiryanov, oscd.community'),(10771,'Issue',597,8,'https://www.darkoperator.com/blog/2018/10/5/operating-offensively-against-sysmon'),(10772,'Issue',597,10,'high'),(10773,'Issue',597,13,'community'),(10774,'Issue',597,14,'windows'),(10775,'Issue',597,15,''),(10776,'Issue',597,11,'d7439c16c'),(10777,'Issue',597,12,'4d7cda18-1b12-4e52-b45c-d28653210df8'),(10778,'Issue',597,16,'win-proc'),(10779,'Issue',597,17,''),(10780,'Issue',597,7,''),(10781,'Issue',597,3,'Detect possible Sysmon driver unload'),(10782,'Issue',597,4,''),(10783,'Issue',597,5,'_False Positives_\nUnknown\n\n_Interesting Log Fields_\nCommandLine\nDetails'),(10784,'Issue',597,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\fltmc.exe AND process.command_line.keyword:*unload* AND process.command_line.keyword:*sys*)\nindex: so-*\nname: Sysmon Driver Unload\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(10785,'Issue',597,9,'{{collapse(View Sigma)\n\n\ntitle: Sysmon Driver Unload\nid: 4d7cda18-1b12-4e52-b45c-d28653210df8\nstatus: experimental\nauthor: Kirill Kiryanov, oscd.community\ndescription: Detect possible Sysmon driver unload\ndate: 2019/10/23\nmodified: 2019/11/07\nreferences:\n- https://www.darkoperator.com/blog/2018/10/5/operating-offensively-against-sysmon\nlogsource:\n product: windows\n category: process_creation\ndetection:\n selection:\n Image|endswith: \\fltmc.exe\n CommandLine|contains|all:\n - unload\n - sys\n condition: selection\nfalsepositives:\n- Unknown\nlevel: high\nfields:\n- CommandLine\n- Details\n\n
\n}}'),(10786,'Issue',598,1,'System File Execution Location Anomaly'),(10787,'Issue',598,2,'Florian Roth, Patrick Bareiss'),(10788,'Issue',598,8,'https://twitter.com/GelosSnake/status/934900723426439170'),(10789,'Issue',598,10,'high'),(10790,'Issue',598,13,'community'),(10791,'Issue',598,14,'windows'),(10793,'Issue',598,11,'c8ddca7b8'),(10794,'Issue',598,12,'e4a6b256-3e47-40fc-89d2-7a477edd6915'),(10795,'Issue',598,16,'win-proc'),(10796,'Issue',598,17,''),(10797,'Issue',598,7,''),(10798,'Issue',598,3,'Detects a Windows program executable started in a suspicious folder'),(10799,'Issue',598,4,''),(10800,'Issue',598,5,'_False Positives_\nExotic software\n\n_Interesting Log Fields_\nComputerName\nUser\nImage'),(10801,'Issue',598,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:(*\\\\svchost.exe OR *\\\\rundll32.exe OR *\\\\services.exe OR *\\\\powershell.exe OR *\\\\regsvr32.exe OR *\\\\spoolsv.exe OR *\\\\lsass.exe OR *\\\\smss.exe OR *\\\\csrss.exe OR *\\\\conhost.exe OR *\\\\wininit.exe OR *\\\\lsm.exe OR *\\\\winlogon.exe OR *\\\\explorer.exe OR *\\\\taskhost.exe) AND (NOT (process.executable.keyword:(C\\:\\\\Windows\\\\System32\\\\* OR C\\:\\\\Windows\\\\system32\\\\* OR C\\:\\\\Windows\\\\SysWow64\\\\* OR C\\:\\\\Windows\\\\SysWOW64\\\\* OR C\\:\\\\Windows\\\\explorer.exe OR C\\:\\\\Windows\\\\winsxs\\\\* OR C\\:\\\\Windows\\\\WinSxS\\\\* OR \\\\SystemRoot\\\\System32\\\\*))))\nindex: so-*\nname: System File Execution Location Anomaly\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(10802,'Issue',598,9,'{{collapse(View Sigma)\n\n\ntitle: System File Execution Location Anomaly\nid: e4a6b256-3e47-40fc-89d2-7a477edd6915\nstatus: experimental\ndescription: Detects a Windows program executable started in a suspicious folder\nreferences:\n- https://twitter.com/GelosSnake/status/934900723426439170\nauthor: Florian Roth, Patrick Bareiss\ndate: 2017/11/27\ntags:\n- attack.defense_evasion\n- attack.t1036\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n Image:\n - \'*\\svchost.exe\'\n - \'*\\rundll32.exe\'\n - \'*\\services.exe\'\n - \'*\\powershell.exe\'\n - \'*\\regsvr32.exe\'\n - \'*\\spoolsv.exe\'\n - \'*\\lsass.exe\'\n - \'*\\smss.exe\'\n - \'*\\csrss.exe\'\n - \'*\\conhost.exe\'\n - \'*\\wininit.exe\'\n - \'*\\lsm.exe\'\n - \'*\\winlogon.exe\'\n - \'*\\explorer.exe\'\n - \'*\\taskhost.exe\'\n filter:\n Image:\n - C:\\Windows\\System32\\\\*\n - C:\\Windows\\system32\\\\*\n - C:\\Windows\\SysWow64\\\\*\n - C:\\Windows\\SysWOW64\\\\*\n - C:\\Windows\\explorer.exe\n - C:\\Windows\\winsxs\\\\*\n - C:\\Windows\\WinSxS\\\\*\n - \\SystemRoot\\System32\\\\*\n condition: selection and not filter\nfields:\n- ComputerName\n- User\n- Image\nfalsepositives:\n- Exotic software\nlevel: high\n\n
\n}}'),(10803,'Issue',598,15,'T1036'),(10804,'Issue',599,1,'Tap Installer Execution'),(10805,'Issue',599,2,'Daniil Yugoslavskiy, Ian Davis, oscd.community'),(10806,'Issue',599,8,'none'),(10807,'Issue',599,10,'medium'),(10808,'Issue',599,13,'community'),(10809,'Issue',599,14,'windows'),(10811,'Issue',599,11,'f0f415f09'),(10812,'Issue',599,12,'99793437-3e16-439b-be0f-078782cf953d'),(10813,'Issue',599,16,'win-proc'),(10814,'Issue',599,17,''),(10815,'Issue',599,7,''),(10816,'Issue',599,3,'Well-known TAP software installation. Possible preparation for data exfiltration using tunneling techniques'),(10817,'Issue',599,4,''),(10818,'Issue',599,5,'_False Positives_\nLegitimate OpenVPN TAP insntallation'),(10819,'Issue',599,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\tapinstall.exe)\nindex: so-*\nname: Tap Installer Execution\npriority: 3\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(10820,'Issue',599,9,'{{collapse(View Sigma)\n\n\ntitle: Tap Installer Execution\nid: 99793437-3e16-439b-be0f-078782cf953d\ndescription: Well-known TAP software installation. Possible preparation for data exfiltration\n using tunneling techniques\nstatus: experimental\nauthor: Daniil Yugoslavskiy, Ian Davis, oscd.community\ndate: 2019/10/24\ntags:\n- attack.exfiltration\n- attack.t1048\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n Image|endswith: \\tapinstall.exe\n condition: selection\nfalsepositives:\n- Legitimate OpenVPN TAP insntallation\nlevel: medium\n\n
\n}}'),(10821,'Issue',599,15,'T1048'),(10822,'Issue',600,1,'Tasks Folder Evasion'),(10823,'Issue',600,2,'Sreeman'),(10824,'Issue',600,8,'https://twitter.com/subTee/status/1216465628946563073\nhttps://gist.github.com/am0nsec/8378da08f848424e4ab0cc5b317fdd26'),(10825,'Issue',600,10,'high'),(10826,'Issue',600,13,'community'),(10827,'Issue',600,14,'windows'),(10829,'Issue',600,11,'0eb37ce7b'),(10830,'Issue',600,12,'cc4e02ba-9c06-48e2-b09e-2500cace9ae0'),(10831,'Issue',600,16,'win-proc'),(10832,'Issue',600,17,''),(10833,'Issue',600,7,''),(10834,'Issue',600,3,'The Tasks folder in system32 and syswow64 are globally writable paths. Adversaries can take advantage of this and load or influence any script hosts or ANY .NET Application in Tasks to load and execute a custom assembly into cscript, wscript, regsvr32, mshta, eventvwr'),(10835,'Issue',600,4,''),(10836,'Issue',600,5,'_False Positives_\nUnknown\n\n_Interesting Log Fields_\nCommandLine\nParentProcess\nCommandLine'),(10837,'Issue',600,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (process.command_line.keyword:(*echo\\ * OR *copy\\ * OR *type\\ * OR *file\\ createnew*) AND process.command_line.keyword:(*\\ C\\:\\\\Windows\\\\System32\\\\Tasks\\* OR *\\ C\\:\\\\Windows\\\\SysWow64\\\\Tasks\\*))\nindex: so-*\nname: Tasks Folder Evasion\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(10838,'Issue',600,9,'{{collapse(View Sigma)\n\n\ntitle: Tasks Folder Evasion\nid: cc4e02ba-9c06-48e2-b09e-2500cace9ae0\nstatus: experimental\ndescription: The Tasks folder in system32 and syswow64 are globally writable paths.\n Adversaries can take advantage of this and load or influence any script hosts or\n ANY .NET Application in Tasks to load and execute a custom assembly into cscript,\n wscript, regsvr32, mshta, eventvwr\nreferences:\n- https://twitter.com/subTee/status/1216465628946563073\n- https://gist.github.com/am0nsec/8378da08f848424e4ab0cc5b317fdd26\ndate: 2020/01/13\nauthor: Sreeman\ntags:\n- attack.t1064\n- attack.t1211\n- attack.t1059\n- attack.defense_evasion\n- attack.persistence\nlogsource:\n product: Windows\ndetection:\n selection1:\n CommandLine|contains:\n - \'echo \'\n - \'copy \'\n - \'type \'\n - file createnew\n selection2:\n CommandLine|contains:\n - \' C:\\Windows\\System32\\Tasks\\\'\n - \' C:\\Windows\\SysWow64\\Tasks\\\'\n condition: selection1 and selection2\nfields:\n- CommandLine\n- ParentProcess\n- CommandLine\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(10839,'Issue',600,15,'T1064'),(10840,'Issue',600,15,'T1211'),(10841,'Issue',600,15,'T1059'),(10842,'Issue',601,1,'Terminal Service Process Spawn'),(10843,'Issue',601,2,'Florian Roth'),(10844,'Issue',601,8,'https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/rdp-stands-for-really-do-patch-understanding-the-wormable-rdp-vulnerability-cve-2019-0708/'),(10845,'Issue',601,10,'high'),(10846,'Issue',601,13,'community'),(10847,'Issue',601,14,'windows'),(10848,'Issue',601,15,''),(10849,'Issue',601,11,'b5e174d1b'),(10850,'Issue',601,12,'1012f107-b8f1-4271-af30-5aed2de89b39'),(10851,'Issue',601,16,'win-proc'),(10852,'Issue',601,17,''),(10853,'Issue',601,7,''),(10854,'Issue',601,3,'Detects a process spawned by the terminal service server process (this could be an indicator for an exploitation of CVE-2019-0708)'),(10855,'Issue',601,4,''),(10856,'Issue',601,5,'_False Positives_\nUnknown'),(10857,'Issue',601,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.parent.command_line.keyword:*\\\\svchost.exe*termsvcs AND (NOT (process.executable.keyword:*\\\\rdpclip.exe)))\nindex: so-*\nname: Terminal Service Process Spawn\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(10858,'Issue',601,9,'{{collapse(View Sigma)\n\n\ntitle: Terminal Service Process Spawn\nid: 1012f107-b8f1-4271-af30-5aed2de89b39\nstatus: experimental\ndescription: Detects a process spawned by the terminal service server process (this\n could be an indicator for an exploitation of CVE-2019-0708)\nreferences:\n- https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/rdp-stands-for-really-do-patch-understanding-the-wormable-rdp-vulnerability-cve-2019-0708/\nauthor: Florian Roth\ndate: 2019/05/22\ntags:\n- car.2013-07-002\nlogsource:\n product: windows\n category: process_creation\ndetection:\n selection:\n ParentCommandLine: \'*\\svchost.exe*termsvcs\'\n filter:\n Image: \'*\\rdpclip.exe\'\n condition: selection and not filter\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(10859,'Issue',602,1,'Domain Trust Discovery'),(10860,'Issue',602,2,'E.M. Anhaus (orignally from Atomic Blue Detections, Tony Lambert), oscd.community'),(10861,'Issue',602,8,'https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1482/T1482.md\nhttps://eqllib.readthedocs.io/en/latest/analytics/03e231a6-74bc-467a-acb1-e5676b0fb55e.html'),(10862,'Issue',602,10,'medium'),(10863,'Issue',602,13,'community'),(10864,'Issue',602,14,'windows'),(10866,'Issue',602,11,'c1662fb6e'),(10867,'Issue',602,12,'3bad990e-4848-4a78-9530-b427d854aac0'),(10868,'Issue',602,16,'win-proc'),(10869,'Issue',602,17,''),(10870,'Issue',602,7,''),(10871,'Issue',602,3,'Identifies execution of nltest.exe and dsquery.exe for domain trust discovery. This technique is used by attackers to enumerate Active Directory trusts.'),(10872,'Issue',602,4,''),(10873,'Issue',602,5,'_False Positives_\nLegitimate use of the utilities by legitimate user for legitimate reason'),(10874,'Issue',602,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND ((process.executable.keyword:*\\\\nltest.exe AND process.command_line.keyword:*domain_trusts*) OR (process.executable.keyword:*\\\\dsquery.exe AND process.command_line.keyword:*trustedDomain*)))\nindex: so-*\nname: Domain Trust Discovery\npriority: 3\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(10875,'Issue',602,9,'{{collapse(View Sigma)\n\n\ntitle: Domain Trust Discovery\nid: 3bad990e-4848-4a78-9530-b427d854aac0\ndescription: Identifies execution of nltest.exe and dsquery.exe for domain trust discovery.\n This technique is used by attackers to enumerate Active Directory trusts.\nstatus: experimental\nauthor: E.M. Anhaus (orignally from Atomic Blue Detections, Tony Lambert), oscd.community\ndate: 2019/10/24\nmodified: 2019/11/11\nreferences:\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1482/T1482.md\n- https://eqllib.readthedocs.io/en/latest/analytics/03e231a6-74bc-467a-acb1-e5676b0fb55e.html\ntags:\n- attack.discovery\n- attack.t1482\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n - Image|endswith: \\nltest.exe\n CommandLine|contains: domain_trusts\n - Image|endswith: \\dsquery.exe\n CommandLine|contains: trustedDomain\n condition: selection\nfalsepositives:\n- Legitimate use of the utilities by legitimate user for legitimate reason\nlevel: medium\n\n
\n}}'),(10876,'Issue',602,15,'T1482'),(10877,'Issue',603,1,'Bypass UAC via CMSTP'),(10878,'Issue',603,2,'E.M. Anhaus (orignally from Atomic Blue Detections, Endgame), oscd.community'),(10879,'Issue',603,8,'https://eqllib.readthedocs.io/en/latest/analytics/e584f1a1-c303-4885-8a66-21360c90995b.html\nhttps://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1191/T1191.md'),(10880,'Issue',603,10,'high'),(10881,'Issue',603,13,'community'),(10882,'Issue',603,14,'windows'),(10884,'Issue',603,11,'7c2726c72'),(10885,'Issue',603,12,'e66779cc-383e-4224-a3a4-267eeb585c40'),(10886,'Issue',603,16,'win-proc'),(10887,'Issue',603,17,''),(10888,'Issue',603,7,''),(10889,'Issue',603,3,'Detect child processes of automatically elevated instances of Microsoft Connection Manager Profile Installer (cmstp.exe).'),(10890,'Issue',603,4,''),(10891,'Issue',603,5,'_False Positives_\nLegitimate use of cmstp.exe utility by legitimate user\n\n_Interesting Log Fields_\nComputerName\nUser\nCommandLine'),(10892,'Issue',603,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\cmstp.exe AND process.command_line.keyword:(*\\/s* OR *\\/au*))\nindex: so-*\nname: Bypass UAC via CMSTP\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(10893,'Issue',603,9,'{{collapse(View Sigma)\n\n\ntitle: Bypass UAC via CMSTP\nid: e66779cc-383e-4224-a3a4-267eeb585c40\ndescription: Detect child processes of automatically elevated instances of Microsoft\n Connection Manager Profile Installer (cmstp.exe).\nstatus: experimental\nauthor: E.M. Anhaus (orignally from Atomic Blue Detections, Endgame), oscd.community\nmodified: 2019/11/11\ndate: 2019/10/24\nreferences:\n- https://eqllib.readthedocs.io/en/latest/analytics/e584f1a1-c303-4885-8a66-21360c90995b.html\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1191/T1191.md\ntags:\n- attack.defense_evasion\n- attack.execution\n- attack.t1191\n- attack.t1088\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n Image|endswith: \\cmstp.exe\n CommandLine|contains:\n - /s\n - /au\n condition: selection\nfields:\n- ComputerName\n- User\n- CommandLine\nfalsepositives:\n- Legitimate use of cmstp.exe utility by legitimate user\nlevel: high\n\n
\n}}'),(10894,'Issue',603,15,'T1191'),(10895,'Issue',603,15,'T1088'),(10896,'Issue',604,1,'Bypass UAC via Fodhelper.exe'),(10897,'Issue',604,2,'E.M. Anhaus (orignally from Atomic Blue Detections, Tony Lambert), oscd.community'),(10898,'Issue',604,8,'https://eqllib.readthedocs.io/en/latest/analytics/e491ce22-792f-11e9-8f5c-d46d6d62a49e.html\nhttps://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1088/T1088.md'),(10899,'Issue',604,10,'high'),(10900,'Issue',604,13,'community'),(10901,'Issue',604,14,'windows'),(10903,'Issue',604,11,'b29738791'),(10904,'Issue',604,12,'7f741dcf-fc22-4759-87b4-9ae8376676a2'),(10905,'Issue',604,16,'win-proc'),(10906,'Issue',604,17,''),(10907,'Issue',604,7,''),(10908,'Issue',604,3,'Identifies use of Fodhelper.exe to bypass User Account Control. Adversaries use this technique to execute privileged processes.'),(10909,'Issue',604,4,''),(10910,'Issue',604,5,'_False Positives_\nLegitimate use of fodhelper.exe utility by legitimate user\n\n_Interesting Log Fields_\nComputerName\nUser\nCommandLine'),(10911,'Issue',604,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.parent.executable.keyword:*\\\\fodhelper.exe)\nindex: so-*\nname: Bypass UAC via Fodhelper.exe\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(10912,'Issue',604,9,'{{collapse(View Sigma)\n\n\ntitle: Bypass UAC via Fodhelper.exe\nid: 7f741dcf-fc22-4759-87b4-9ae8376676a2\ndescription: Identifies use of Fodhelper.exe to bypass User Account Control. Adversaries\n use this technique to execute privileged processes.\nstatus: experimental\nauthor: E.M. Anhaus (orignally from Atomic Blue Detections, Tony Lambert), oscd.community\ndate: 2019/10/24\nmodified: 2019/11/11\nreferences:\n- https://eqllib.readthedocs.io/en/latest/analytics/e491ce22-792f-11e9-8f5c-d46d6d62a49e.html\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1088/T1088.md\ntags:\n- attack.privilege_escalation\n- attack.t1088\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n ParentImage|endswith: \\fodhelper.exe\n condition: selection\nfields:\n- ComputerName\n- User\n- CommandLine\nfalsepositives:\n- Legitimate use of fodhelper.exe utility by legitimate user\nlevel: high\n\n
\n}}'),(10913,'Issue',604,15,'T1088'),(10914,'Issue',605,1,'Bypass UAC via WSReset.exe'),(10915,'Issue',605,2,'E.M. Anhaus (orignally from Atomic Blue Detections, Tony Lambert), oscd.community'),(10916,'Issue',605,8,'https://eqllib.readthedocs.io/en/latest/analytics/532b5ed4-7930-11e9-8f5c-d46d6d62a49e.html'),(10917,'Issue',605,10,'high'),(10918,'Issue',605,13,'community'),(10919,'Issue',605,14,'windows'),(10921,'Issue',605,11,'88c9a0107'),(10922,'Issue',605,12,'d797268e-28a9-49a7-b9a8-2f5039011c5c'),(10923,'Issue',605,16,'win-proc'),(10924,'Issue',605,17,''),(10925,'Issue',605,7,''),(10926,'Issue',605,3,'Identifies use of WSReset.exe to bypass User Account Control. Adversaries use this technique to execute privileged processes.'),(10927,'Issue',605,4,''),(10928,'Issue',605,5,'_False Positives_\nUnknown'),(10929,'Issue',605,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.parent.executable.keyword:*\\\\wsreset.exe AND (NOT (process.executable.keyword:*\\\\conhost.exe)))\nindex: so-*\nname: Bypass UAC via WSReset.exe\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(10930,'Issue',605,9,'{{collapse(View Sigma)\n\n\ntitle: Bypass UAC via WSReset.exe\nid: d797268e-28a9-49a7-b9a8-2f5039011c5c\ndescription: Identifies use of WSReset.exe to bypass User Account Control. Adversaries\n use this technique to execute privileged processes.\nstatus: experimental\nauthor: E.M. Anhaus (orignally from Atomic Blue Detections, Tony Lambert), oscd.community\ndate: 2019/10/24\nmodified: 2019/11/11\nreferences:\n- https://eqllib.readthedocs.io/en/latest/analytics/532b5ed4-7930-11e9-8f5c-d46d6d62a49e.html\ntags:\n- attack.privilege_escalation\n- attack.t1088\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n ParentImage|endswith: \\wsreset.exe\n filter:\n Image|endswith: \\conhost.exe\n condition: selection and not filter\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(10931,'Issue',605,15,'T1088'),(10932,'Issue',606,1,'Possible Privilege Escalation via Weak Service Permissions'),(10933,'Issue',606,2,'Teymur Kheirkhabarov'),(10934,'Issue',606,8,'https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment\nhttps://pentestlab.blog/2017/03/30/weak-service-permissions/'),(10935,'Issue',606,10,'high'),(10936,'Issue',606,13,'community'),(10937,'Issue',606,14,'windows'),(10939,'Issue',606,11,'20df1ec32'),(10940,'Issue',606,12,'d937b75f-a665-4480-88a5-2f20e9f9b22a'),(10941,'Issue',606,16,'win-proc'),(10942,'Issue',606,17,''),(10943,'Issue',606,7,''),(10944,'Issue',606,3,'Detection of sc.exe utility spawning by user with Medium integrity level to change service ImagePath or FailureCommand'),(10945,'Issue',606,4,''),(10946,'Issue',606,5,'_False Positives_\nUnknown'),(10947,'Issue',606,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\sc.exe AND IntegrityLevel:\"Medium\" AND (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND ((process.command_line.keyword:*config* AND process.command_line.keyword:*binPath*) OR (process.command_line.keyword:*failure* AND process.command_line.keyword:*command*)))\nindex: so-*\nname: Possible Privilege Escalation via Weak Service Permissions\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(10948,'Issue',606,9,'{{collapse(View Sigma)\n\n\ntitle: Possible Privilege Escalation via Weak Service Permissions\nid: d937b75f-a665-4480-88a5-2f20e9f9b22a\ndescription: Detection of sc.exe utility spawning by user with Medium integrity level\n to change service ImagePath or FailureCommand\nreferences:\n- https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment\n- https://pentestlab.blog/2017/03/30/weak-service-permissions/\ntags:\n- attack.privilege_escalation\n- attack.t1134\nstatus: experimental\nauthor: Teymur Kheirkhabarov\ndate: 2019/10/26\nmodified: 2019/11/11\nlogsource:\n category: process_creation\n product: windows\ndetection:\n scbynonadmin:\n Image|endswith: \\sc.exe\n IntegrityLevel: Medium\n binpath:\n CommandLine|contains|all:\n - config\n - binPath\n failurecommand:\n CommandLine|contains|all:\n - failure\n - command\n condition: scbynonadmin and (binpath or failurecommand)\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(10949,'Issue',606,15,'T1134'),(10950,'Issue',607,1,'Java Running with Remote Debugging'),(10951,'Issue',607,2,'Florian Roth'),(10952,'Issue',607,8,'none'),(10953,'Issue',607,10,'medium'),(10954,'Issue',607,13,'community'),(10955,'Issue',607,14,'windows'),(10957,'Issue',607,11,'b24838b11'),(10958,'Issue',607,12,'8f88e3f6-2a49-48f5-a5c4-2f7eedf78710'),(10959,'Issue',607,16,'win-proc'),(10960,'Issue',607,17,''),(10961,'Issue',607,7,''),(10962,'Issue',607,3,'Detects a JAVA process running with remote debugging allowing more than just localhost to connect'),(10963,'Issue',607,4,''),(10964,'Issue',607,5,'_False Positives_\nunknown\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(10965,'Issue',607,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:*transport\\=dt_socket,address\\=* AND (NOT (process.command_line.keyword:*address\\=127.0.0.1* OR process.command_line.keyword:*address\\=localhost*)))\nindex: so-*\nname: Java Running with Remote Debugging\npriority: 3\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(10966,'Issue',607,9,'{{collapse(View Sigma)\n\n\ntitle: Java Running with Remote Debugging\nid: 8f88e3f6-2a49-48f5-a5c4-2f7eedf78710\ndescription: Detects a JAVA process running with remote debugging allowing more than\n just localhost to connect\nauthor: Florian Roth\ndate: 2019/01/16\ntags:\n- attack.discovery\n- attack.t1046\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n CommandLine: \'*transport=dt_socket,address=*\'\n exclusion:\n - CommandLine: \'*address=127.0.0.1*\'\n - CommandLine: \'*address=localhost*\'\n condition: selection and not exclusion\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- unknown\nlevel: medium\n\n
\n}}'),(10967,'Issue',607,15,'T1046'),(10968,'Issue',608,1,'Webshell Detection With Command Line Keywords'),(10969,'Issue',608,2,'Florian Roth'),(10970,'Issue',608,8,'none'),(10971,'Issue',608,10,'high'),(10972,'Issue',608,13,'community'),(10973,'Issue',608,14,'windows'),(10975,'Issue',608,11,'8d70dcff6'),(10976,'Issue',608,12,'bed2a484-9348-4143-8a8a-b801c979301c'),(10977,'Issue',608,16,'win-proc'),(10978,'Issue',608,17,''),(10979,'Issue',608,7,''),(10980,'Issue',608,3,'Detects certain command line parameters often used during reconnaissance activity via web shells'),(10981,'Issue',608,4,''),(10982,'Issue',608,5,'_False Positives_\nunknown\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(10983,'Issue',608,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.parent.executable.keyword:(*\\\\apache* OR *\\\\tomcat* OR *\\\\w3wp.exe OR *\\\\php\\-cgi.exe OR *\\\\nginx.exe OR *\\\\httpd.exe) AND process.command_line.keyword:(*whoami* OR *net\\ user\\ * OR *ping\\ \\-n\\ * OR *systeminfo OR *&cd&echo* OR *cd\\ \\/d*))\nindex: so-*\nname: Webshell Detection With Command Line Keywords\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(10984,'Issue',608,9,'{{collapse(View Sigma)\n\n\ntitle: Webshell Detection With Command Line Keywords\nid: bed2a484-9348-4143-8a8a-b801c979301c\ndescription: Detects certain command line parameters often used during reconnaissance\n activity via web shells\nauthor: Florian Roth\nreference:\n- https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-ii.html\ndate: 2017/01/01\nmodified: 2019/10/26\ntags:\n- attack.privilege_escalation\n- attack.persistence\n- attack.t1100\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n ParentImage:\n - \'*\\apache*\'\n - \'*\\tomcat*\'\n - \'*\\w3wp.exe\'\n - \'*\\php-cgi.exe\'\n - \'*\\nginx.exe\'\n - \'*\\httpd.exe\'\n CommandLine:\n - \'*whoami*\'\n - \'*net user *\'\n - \'*ping -n *\'\n - \'*systeminfo\'\n - \'*&cd&echo*\'\n - \'*cd /d*\'\n condition: selection\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- unknown\nlevel: high\n\n
\n}}'),(10985,'Issue',608,15,'T1100'),(10986,'Issue',609,1,'Shells Spawned by Web Servers'),(10987,'Issue',609,2,'Thomas Patzke'),(10988,'Issue',609,8,'none'),(10989,'Issue',609,10,'high'),(10990,'Issue',609,13,'community'),(10991,'Issue',609,14,'windows'),(10993,'Issue',609,11,'f05538a42'),(10994,'Issue',609,12,'8202070f-edeb-4d31-a010-a26c72ac5600'),(10995,'Issue',609,16,'win-proc'),(10996,'Issue',609,17,''),(10997,'Issue',609,7,''),(10998,'Issue',609,3,'Web servers that spawn shell processes could be the result of a successfully placed web shell or an other attack'),(10999,'Issue',609,4,''),(11000,'Issue',609,5,'_False Positives_\nParticular web applications may spawn a shell process legitimately\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(11001,'Issue',609,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.parent.executable.keyword:(*\\\\w3wp.exe OR *\\\\httpd.exe OR *\\\\nginx.exe OR *\\\\php\\-cgi.exe OR *\\\\tomcat.exe) AND process.executable.keyword:(*\\\\cmd.exe OR *\\\\sh.exe OR *\\\\bash.exe OR *\\\\powershell.exe OR *\\\\bitsadmin.exe))\nindex: so-*\nname: Shells Spawned by Web Servers\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(11002,'Issue',609,9,'{{collapse(View Sigma)\n\n\ntitle: Shells Spawned by Web Servers\nid: 8202070f-edeb-4d31-a010-a26c72ac5600\nstatus: experimental\ndescription: Web servers that spawn shell processes could be the result of a successfully\n placed web shell or an other attack\nauthor: Thomas Patzke\ndate: 2019/01/16\nmodified: 2020/03/25\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n ParentImage:\n - \'*\\w3wp.exe\'\n - \'*\\httpd.exe\'\n - \'*\\nginx.exe\'\n - \'*\\php-cgi.exe\'\n - \'*\\tomcat.exe\'\n Image:\n - \'*\\cmd.exe\'\n - \'*\\sh.exe\'\n - \'*\\bash.exe\'\n - \'*\\powershell.exe\'\n - \'*\\bitsadmin.exe\'\n condition: selection\nfields:\n- CommandLine\n- ParentCommandLine\ntags:\n- attack.privilege_escalation\n- attack.persistence\n- attack.t1100\nfalsepositives:\n- Particular web applications may spawn a shell process legitimately\nlevel: high\n\n
\n}}'),(11003,'Issue',609,15,'T1100'),(11004,'Issue',610,1,'Run Whoami as SYSTEM'),(11005,'Issue',610,2,'Teymur Kheirkhabarov'),(11006,'Issue',610,8,'https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment'),(11007,'Issue',610,10,'high'),(11008,'Issue',610,13,'community'),(11009,'Issue',610,14,'windows'),(11011,'Issue',610,11,'4e41dd00b'),(11012,'Issue',610,12,'80167ada-7a12-41ed-b8e9-aa47195c66a1'),(11013,'Issue',610,16,'win-proc'),(11014,'Issue',610,17,''),(11015,'Issue',610,7,''),(11016,'Issue',610,3,'Detects a whoami.exe executed by LOCAL SYSTEM. This may be a sign of a successful local privilege escalation.'),(11017,'Issue',610,4,''),(11018,'Issue',610,5,'_False Positives_\nUnknown'),(11019,'Issue',610,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event_data.User:\"NT\\ AUTHORITY\\\\SYSTEM\" AND process.executable.keyword:*\\\\whoami.exe)\nindex: so-*\nname: Run Whoami as SYSTEM\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(11020,'Issue',610,9,'{{collapse(View Sigma)\n\n\ntitle: Run Whoami as SYSTEM\nid: 80167ada-7a12-41ed-b8e9-aa47195c66a1\nstatus: experimental\ndescription: Detects a whoami.exe executed by LOCAL SYSTEM. This may be a sign of\n a successful local privilege escalation.\nreferences:\n- https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment\nauthor: Teymur Kheirkhabarov\ndate: 2019/10/23\nmodified: 2019/11/11\ntags:\n- attack.discovery\n- attack.privilege_escalation\n- attack.t1033\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n User: NT AUTHORITY\\SYSTEM\n Image|endswith: \\whoami.exe\n condition: selection\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(11021,'Issue',610,15,'T1033'),(11022,'Issue',611,1,'Windows 10 Scheduled Task SandboxEscaper 0-day'),(11023,'Issue',611,2,'Olaf Hartong'),(11024,'Issue',611,8,'https://github.com/SandboxEscaper/polarbearrepo/tree/master/bearlpe'),(11025,'Issue',611,10,'high'),(11026,'Issue',611,13,'community'),(11027,'Issue',611,14,'windows'),(11029,'Issue',611,11,'3ff4919f0'),(11030,'Issue',611,12,'931b6802-d6a6-4267-9ffa-526f57f22aaf'),(11031,'Issue',611,16,'win-proc'),(11032,'Issue',611,17,''),(11033,'Issue',611,7,''),(11034,'Issue',611,3,'Detects Task Scheduler .job import arbitrary DACL write\\par'),(11035,'Issue',611,4,''),(11036,'Issue',611,5,'_False Positives_\nUnknown'),(11037,'Issue',611,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable:\"schtasks.exe\" AND process.command_line.keyword:*\\/change*\\/TN*\\/RU*\\/RP*)\nindex: so-*\nname: Windows 10 Scheduled Task SandboxEscaper 0-day\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(11038,'Issue',611,9,'{{collapse(View Sigma)\n\n\ntitle: Windows 10 Scheduled Task SandboxEscaper 0-day\nid: 931b6802-d6a6-4267-9ffa-526f57f22aaf\nstatus: experimental\ndescription: Detects Task Scheduler .job import arbitrary DACL write\\par\nreferences:\n- https://github.com/SandboxEscaper/polarbearrepo/tree/master/bearlpe\nauthor: Olaf Hartong\ndate: 2019/05/22\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n Image: schtasks.exe\n CommandLine: \'*/change*/TN*/RU*/RP*\'\n condition: selection\nfalsepositives:\n- Unknown\ntags:\n- attack.privilege_escalation\n- attack.execution\n- attack.t1053\n- car.2013-08-001\nlevel: high\n\n
\n}}'),(11039,'Issue',611,15,'T1053'),(11040,'Issue',612,1,'WMI Backdoor Exchange Transport Agent'),(11041,'Issue',612,2,'Florian Roth'),(11042,'Issue',612,8,'https://twitter.com/cglyer/status/1182389676876980224\nhttps://twitter.com/cglyer/status/1182391019633029120'),(11043,'Issue',612,10,'critical'),(11044,'Issue',612,13,'community'),(11045,'Issue',612,14,'windows'),(11047,'Issue',612,11,'a650229e3'),(11048,'Issue',612,12,'797011dc-44f4-4e6f-9f10-a8ceefbe566b'),(11049,'Issue',612,16,'win-proc'),(11050,'Issue',612,17,''),(11051,'Issue',612,7,''),(11052,'Issue',612,3,'Detects a WMi backdoor in Exchange Transport Agents via WMi event filters'),(11053,'Issue',612,4,''),(11054,'Issue',612,5,'_False Positives_\nUnknown'),(11055,'Issue',612,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.parent.executable.keyword:*\\\\EdgeTransport.exe)\nindex: so-*\nname: WMI Backdoor Exchange Transport Agent\npriority: 1\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(11056,'Issue',612,9,'{{collapse(View Sigma)\n\n\ntitle: WMI Backdoor Exchange Transport Agent\nid: 797011dc-44f4-4e6f-9f10-a8ceefbe566b\nstatus: experimental\ndescription: Detects a WMi backdoor in Exchange Transport Agents via WMi event filters\nauthor: Florian Roth\ndate: 2019/10/11\nreferences:\n- https://twitter.com/cglyer/status/1182389676876980224\n- https://twitter.com/cglyer/status/1182391019633029120\nlogsource:\n category: process_creation\n product: windows\ntags:\n- attack.persistence\n- attack.t1084\ndetection:\n selection:\n ParentImage: \'*\\EdgeTransport.exe\'\n condition: selection\nfalsepositives:\n- Unknown\nlevel: critical\n\n
\n}}'),(11057,'Issue',612,15,'T1084'),(11058,'Issue',613,1,'WMI Persistence - Script Event Consumer'),(11059,'Issue',613,2,'Thomas Patzke'),(11060,'Issue',613,8,'https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/'),(11061,'Issue',613,10,'high'),(11062,'Issue',613,13,'community'),(11063,'Issue',613,14,'windows'),(11065,'Issue',613,11,'8e6b7ecfd'),(11066,'Issue',613,12,'ec1d5e28-8f3b-4188-a6f8-6e8df81dc28e'),(11067,'Issue',613,16,'win-proc'),(11068,'Issue',613,17,''),(11069,'Issue',613,7,''),(11070,'Issue',613,3,'Detects WMI script event consumers'),(11071,'Issue',613,4,''),(11072,'Issue',613,5,'_False Positives_\nLegitimate event consumers'),(11073,'Issue',613,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable:\"C\\:\\\\WINDOWS\\\\system32\\\\wbem\\\\scrcons.exe\" AND process.parent.executable:\"C\\:\\\\Windows\\\\System32\\\\svchost.exe\")\nindex: so-*\nname: WMI Persistence - Script Event Consumer\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(11074,'Issue',613,9,'{{collapse(View Sigma)\n\n\ntitle: WMI Persistence - Script Event Consumer\nid: ec1d5e28-8f3b-4188-a6f8-6e8df81dc28e\nstatus: experimental\ndescription: Detects WMI script event consumers\nreferences:\n- https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/\nauthor: Thomas Patzke\ndate: 2018/03/07\ntags:\n- attack.execution\n- attack.persistence\n- attack.t1047\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n Image: C:\\WINDOWS\\system32\\wbem\\scrcons.exe\n ParentImage: C:\\Windows\\System32\\svchost.exe\n condition: selection\nfalsepositives:\n- Legitimate event consumers\nlevel: high\n\n
\n}}'),(11075,'Issue',613,15,'T1047'),(11076,'Issue',614,1,'WMI Spawning Windows PowerShell'),(11077,'Issue',614,2,'Markus Neis / @Karneades'),(11078,'Issue',614,8,'https://github.com/Neo23x0/sigma/blob/master/rules/windows/process_creation/win_shell_spawn_susp_program.yml\nhttps://any.run/report/68bc255f9b0db6a0d30a8f2dadfbee3256acfe12497bf93943bc1eab0735e45e/a2385d6f-34f7-403c-90d3-b1f9d2a90a5e'),(11079,'Issue',614,10,'high'),(11080,'Issue',614,13,'community'),(11081,'Issue',614,14,'windows'),(11083,'Issue',614,11,'127d6cb16'),(11084,'Issue',614,12,'692f0bec-83ba-4d04-af7e-e884a96059b6'),(11085,'Issue',614,16,'win-proc'),(11086,'Issue',614,17,''),(11087,'Issue',614,7,''),(11088,'Issue',614,3,'Detects WMI spawning PowerShell'),(11089,'Issue',614,4,''),(11090,'Issue',614,5,'_False Positives_\nAppvClient\nCCM'),(11091,'Issue',614,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.parent.executable.keyword:(*\\\\wmiprvse.exe) AND process.executable.keyword:(*\\\\powershell.exe))\nindex: so-*\nname: WMI Spawning Windows PowerShell\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(11092,'Issue',614,9,'{{collapse(View Sigma)\n\n\ntitle: WMI Spawning Windows PowerShell\nid: 692f0bec-83ba-4d04-af7e-e884a96059b6\nstatus: experimental\ndescription: Detects WMI spawning PowerShell\nreferences:\n- https://github.com/Neo23x0/sigma/blob/master/rules/windows/process_creation/win_shell_spawn_susp_program.yml\n- https://any.run/report/68bc255f9b0db6a0d30a8f2dadfbee3256acfe12497bf93943bc1eab0735e45e/a2385d6f-34f7-403c-90d3-b1f9d2a90a5e\nauthor: Markus Neis / @Karneades\ndate: 2019/04/03\ntags:\n- attack.execution\n- attack.defense_evasion\n- attack.t1064\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n ParentImage:\n - \'*\\wmiprvse.exe\'\n Image:\n - \'*\\powershell.exe\'\n condition: selection\nfalsepositives:\n- AppvClient\n- CCM\nlevel: high\n\n
\n}}'),(11093,'Issue',614,15,'T1064'),(11094,'Issue',615,1,'Wmiprvse Spawning Process'),(11095,'Issue',615,2,'Roberto Rodriguez @Cyb3rWard0g'),(11096,'Issue',615,8,'https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1047_windows_management_instrumentation/wmi_win32_process_create_remote.md'),(11097,'Issue',615,10,'critical'),(11098,'Issue',615,13,'community'),(11099,'Issue',615,14,'windows'),(11101,'Issue',615,11,'eab53c8fb'),(11102,'Issue',615,12,'d21374ff-f574-44a7-9998-4a8c8bf33d7d'),(11103,'Issue',615,16,'win-proc'),(11104,'Issue',615,17,''),(11105,'Issue',615,7,''),(11106,'Issue',615,3,'Detects wmiprvse spawning processes'),(11107,'Issue',615,4,''),(11108,'Issue',615,5,'_False Positives_\nUnknown'),(11109,'Issue',615,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.parent.executable.keyword:*\\\\WmiPrvSe.exe AND (NOT (LogonId:\"0x3e7\" OR Username:\"NT\\ AUTHORITY\\\\SYSTEM\")))\nindex: so-*\nname: Wmiprvse Spawning Process\npriority: 1\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(11110,'Issue',615,9,'{{collapse(View Sigma)\n\n\ntitle: Wmiprvse Spawning Process\nid: d21374ff-f574-44a7-9998-4a8c8bf33d7d\ndescription: Detects wmiprvse spawning processes\nstatus: experimental\ndate: 2019/08/15\nmodified: 2019/11/10\nauthor: Roberto Rodriguez @Cyb3rWard0g\nreferences:\n- https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1047_windows_management_instrumentation/wmi_win32_process_create_remote.md\ntags:\n- attack.execution\n- attack.t1047\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n ParentImage|endswith: \\WmiPrvSe.exe\n filter:\n - LogonId: \'0x3e7\'\n - Username: NT AUTHORITY\\SYSTEM\n condition: selection and not filter\nfalsepositives:\n- Unknown\nlevel: critical\n\n
\n}}'),(11111,'Issue',615,15,'T1047'),(11112,'Issue',616,1,'Microsoft Workflow Compiler'),(11113,'Issue',616,2,'Nik Seetharaman'),(11114,'Issue',616,8,'https://posts.specterops.io/arbitrary-unsigned-code-execution-vector-in-microsoft-workflow-compiler-exe-3d9294bc5efb'),(11115,'Issue',616,10,'high'),(11116,'Issue',616,13,'community'),(11117,'Issue',616,14,'windows'),(11119,'Issue',616,11,'b7e329a1b'),(11120,'Issue',616,12,'419dbf2b-8a9b-4bea-bf99-7544b050ec8d'),(11121,'Issue',616,16,'win-proc'),(11122,'Issue',616,17,''),(11123,'Issue',616,7,''),(11124,'Issue',616,3,'Detects invocation of Microsoft Workflow Compiler, which may permit the execution of arbitrary unsigned code.'),(11125,'Issue',616,4,''),(11126,'Issue',616,5,'_False Positives_\nLegitimate MWC use (unlikely in modern enterprise environments)\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(11127,'Issue',616,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\Microsoft.Workflow.Compiler.exe)\nindex: so-*\nname: Microsoft Workflow Compiler\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(11128,'Issue',616,9,'{{collapse(View Sigma)\n\n\ntitle: Microsoft Workflow Compiler\nid: 419dbf2b-8a9b-4bea-bf99-7544b050ec8d\nstatus: experimental\ndescription: Detects invocation of Microsoft Workflow Compiler, which may permit the\n execution of arbitrary unsigned code.\ntags:\n- attack.defense_evasion\n- attack.execution\n- attack.t1127\nauthor: Nik Seetharaman\ndate: 2019/01/16\nreferences:\n- https://posts.specterops.io/arbitrary-unsigned-code-execution-vector-in-microsoft-workflow-compiler-exe-3d9294bc5efb\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n Image: \'*\\Microsoft.Workflow.Compiler.exe\'\n condition: selection\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Legitimate MWC use (unlikely in modern enterprise environments)\nlevel: high\n\n
\n}}'),(11129,'Issue',616,15,'T1127'),(11130,'Issue',617,1,'Wsreset UAC Bypass'),(11131,'Issue',617,2,'Florian Roth'),(11132,'Issue',617,8,'https://lolbas-project.github.io/lolbas/Binaries/Wsreset/\nhttps://www.activecyber.us/activelabs/windows-uac-bypass\nhttps://twitter.com/ReaQta/status/1222548288731217921'),(11133,'Issue',617,10,'high'),(11134,'Issue',617,13,'community'),(11135,'Issue',617,14,'windows'),(11137,'Issue',617,11,'a20c95e40'),(11138,'Issue',617,12,'bdc8918e-a1d5-49d1-9db7-ea0fd91aa2ae'),(11139,'Issue',617,16,'win-proc'),(11140,'Issue',617,17,''),(11141,'Issue',617,7,''),(11142,'Issue',617,3,'Detects a method that uses Wsreset.exe tool that can be used to reset the Windows Store to bypass UAC'),(11143,'Issue',617,4,''),(11144,'Issue',617,5,'_False Positives_\nUnknown sub processes of Wsreset.exe\n\n_Interesting Log Fields_\nCommandLine'),(11145,'Issue',617,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.parent.executable.keyword:(*\\\\WSreset.exe))\nindex: so-*\nname: Wsreset UAC Bypass\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(11146,'Issue',617,9,'{{collapse(View Sigma)\n\n\ntitle: Wsreset UAC Bypass\nid: bdc8918e-a1d5-49d1-9db7-ea0fd91aa2ae\nstatus: experimental\ndescription: Detects a method that uses Wsreset.exe tool that can be used to reset\n the Windows Store to bypass UAC\nreferences:\n- https://lolbas-project.github.io/lolbas/Binaries/Wsreset/\n- https://www.activecyber.us/activelabs/windows-uac-bypass\n- https://twitter.com/ReaQta/status/1222548288731217921\nauthor: Florian Roth\ndate: 2020/01/30\ntags:\n- attack.defense_evasion\n- attack.execution\n- attack.t1088\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n ParentImage|endswith:\n - \\WSreset.exe\n condition: selection\nfields:\n- CommandLine\nfalsepositives:\n- Unknown sub processes of Wsreset.exe\nlevel: high\n\n
\n}}'),(11147,'Issue',617,15,'T1088'),(11148,'Issue',618,1,'XSL Script Processing'),(11149,'Issue',618,2,'Timur Zinniatullin, oscd.community'),(11150,'Issue',618,8,'https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1220/T1220.yaml'),(11151,'Issue',618,10,'medium'),(11152,'Issue',618,13,'community'),(11153,'Issue',618,14,'windows'),(11155,'Issue',618,11,'53788ea86'),(11156,'Issue',618,12,'05c36dd6-79d6-4a9a-97da-3db20298ab2d'),(11157,'Issue',618,16,'win-proc'),(11158,'Issue',618,17,''),(11159,'Issue',618,7,'gVP62XEBH72G5DlCexmq'),(11160,'Issue',618,3,'Extensible Stylesheet Language (XSL) files are commonly used to describe the processing and rendering of data within XML files, rule detects when adversaries abuse this functionality to execute arbitrary files while potentially bypassing application whitelisting defenses'),(11161,'Issue',618,4,''),(11162,'Issue',618,5,'_False Positives_\nWMIC.exe FP depend on scripts and administrative methods used in the monitored environment\nmsxsl.exe is not installed by default so unlikely.'),(11163,'Issue',618,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND ((process.executable.keyword:*\\\\wmic.exe AND process.command_line.keyword:*\\/format*) OR process.executable.keyword:*\\\\msxsl.exe))\nindex: so-*\nname: XSL Script Processing\npriority: 3\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(11164,'Issue',618,9,'{{collapse(View Sigma)\r\n\r\n\r\ntitle: XSL Script Processing\r\nid: 05c36dd6-79d6-4a9a-97da-3db20298ab2d\r\nstatus: experimental\r\ndescription: Extensible Stylesheet Language (XSL) files are commonly used to describe\r\n the processing and rendering of data within XML files, rule detects when adversaries\r\n abuse this functionality to execute arbitrary files while potentially bypassing\r\n application whitelisting defenses\r\nauthor: Timur Zinniatullin, oscd.community\r\ndate: 2019/10/21\r\nmodified: 2019/11/04\r\nreferences:\r\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1220/T1220.yaml\r\nlogsource:\r\n category: process_creation\r\n product: windows\r\ndetection:\r\n selection:\r\n - Image|endswith: \\wmic.exe\r\n CommandLine|contains: /format\r\n - Image|endswith: \\msxsl.exe\r\n condition: selection\r\nfalsepositives:\r\n- WMIC.exe FP depend on scripts and administrative methods used in the monitored environment\r\n- msxsl.exe is not installed by default so unlikely.\r\nlevel: medium\r\ntags:\r\n- attack.execution\r\n- attack.t1220\r\n\r\n
\r\n}}'),(11165,'Issue',618,15,'T1220'),(11166,'Issue',619,1,'Whoami Execution'),(11167,'Issue',619,2,'Florian Roth'),(11168,'Issue',619,10,'high'),(11169,'Issue',619,13,'imported'),(11170,'Issue',619,14,'windows'),(11171,'Issue',619,8,'https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/\nhttps://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/'),(11173,'Issue',619,11,'daadca6a7'),(11174,'Issue',619,12,'e28a5a99-da44-436d-b7a0-2afc20a5f413'),(11175,'Issue',619,16,''),(11176,'Issue',619,17,''),(11177,'Issue',619,7,'aBT41nEBbPAf_3hf59Nr'),(11178,'Issue',619,3,'Detects the execution of whoami, which is often used by attackers after exloitation / privilege escalation but rarely used by administrators'),(11179,'Issue',619,4,''),(11180,'Issue',619,5,'_False Positives_\nAdmin activity\nScripts and administrative tools used in the monitored environment'),(11181,'Issue',619,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND (process.executable.keyword:*\\\\whoami.exe OR OriginalFileName:\"whoami.exe\"))\nindex: so-*\nname: Whoami Execution\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(11182,'Issue',619,9,'{{collapse(View Sigma)\r\n\r\n\r\ntitle: Whoami Execution\r\nid: e28a5a99-da44-436d-b7a0-2afc20a5f413\r\nstatus: experimental\r\ndescription: Detects the execution of whoami, which is often used by attackers after\r\n exloitation / privilege escalation but rarely used by administrators\r\nreferences:\r\n- https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/\r\n- https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/\r\nauthor: Florian Roths\r\ndate: 2018/08/13\r\ntags:\r\n- attack.discovery\r\n- attack.t1033\r\n- car.2016-03-001\r\nlogsource:\r\n category: process_creation\r\n product: windows\r\ndetection:\r\n selection:\r\n Image: \'*\\whoami.exe\'\r\n selection2:\r\n OriginalFileName: whoami.exe\r\n condition: selection or selection2\r\nfalsepositives:\r\n- Admin activity\r\n- Scripts and administrative tools used in the monitored environment\r\nlevel: high\r\n\r\n
\r\n}}'),(11183,'Issue',619,15,'T1033');
+INSERT INTO `custom_values` VALUES (5638,'Issue',313,1,'Executable in ADS'),(5639,'Issue',313,2,'Florian Roth, @0xrawsec'),(5640,'Issue',313,8,'https://twitter.com/0xrawsec/status/1002478725605273600?s=21'),(5641,'Issue',313,10,'critical'),(5642,'Issue',313,13,'community'),(5643,'Issue',313,14,'windows'),(5645,'Issue',313,11,'7a9593a8c'),(5646,'Issue',313,12,'b69888d4-380c-45ce-9cf9-d9ce46e67821'),(5647,'Issue',313,16,'win-sysmon'),(5648,'Issue',313,17,''),(5649,'Issue',313,7,''),(5650,'Issue',313,3,'Detects the creation of an ADS data stream that contains an executable (non-empty imphash)'),(5651,'Issue',313,4,''),(5652,'Issue',313,5,'_False Positives_\nunknown\n\n_Interesting Log Fields_\nTargetFilename\nImage'),(5653,'Issue',313,6,'{{collapse(View ElastAlert Config)\n\n\n\n
\n}}'),(5654,'Issue',313,9,'{{collapse(View Sigma)\n\n\ntitle: Executable in ADS\nid: b69888d4-380c-45ce-9cf9-d9ce46e67821\nstatus: experimental\ndescription: Detects the creation of an ADS data stream that contains an executable\n (non-empty imphash)\nreferences:\n- https://twitter.com/0xrawsec/status/1002478725605273600?s=21\ntags:\n- attack.defense_evasion\n- attack.t1027\n- attack.s0139\nauthor: Florian Roth, @0xrawsec\ndate: 2018/06/03\nlogsource:\n product: windows\n service: sysmon\n definition: \'Requirements: Sysmon config with Imphash logging activated\'\ndetection:\n selection:\n EventID: 15\n filter:\n Imphash:\n - \'00000000000000000000000000000000\'\n - \n condition: selection and not filter\nfields:\n- TargetFilename\n- Image\nfalsepositives:\n- unknown\nlevel: critical\n\n
\n}}'),(5655,'Issue',313,15,'T1027'),(5656,'Issue',314,1,'Alternate PowerShell Hosts Module Load'),(5657,'Issue',314,2,'Roberto Rodriguez @Cyb3rWard0g'),(5658,'Issue',314,8,'https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/alternate_signed_powershell_hosts.md'),(5659,'Issue',314,10,'high'),(5660,'Issue',314,13,'community'),(5661,'Issue',314,14,'windows'),(5663,'Issue',314,11,'2f468dc10'),(5664,'Issue',314,12,'f67f6c57-257d-4919-a416-69cd31f9aac3'),(5665,'Issue',314,16,'win-sysmon'),(5666,'Issue',314,17,''),(5667,'Issue',314,7,''),(5668,'Issue',314,3,'Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe'),(5669,'Issue',314,4,''),(5670,'Issue',314,5,'_False Positives_\nPrograms using PowerShell directly without invocation of a dedicated interpreter.'),(5671,'Issue',314,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (event.code:\"7\" AND process.pe.description:\"system.management.automation\" AND event_data.ImageLoaded.keyword:*system.management.automation*) AND (NOT (process.executable.keyword:*\\\\powershell.exe)))\nindex: so-*\nname: Alternate PowerShell Hosts Module Load\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(5672,'Issue',314,9,'{{collapse(View Sigma)\n\n\ntitle: Alternate PowerShell Hosts Module Load\nid: f67f6c57-257d-4919-a416-69cd31f9aac3\ndescription: Detects alternate PowerShell hosts potentially bypassing detections looking\n for powershell.exe\nstatus: experimental\ndate: 2019/09/12\nmodified: 2019/11/10\nauthor: Roberto Rodriguez @Cyb3rWard0g\nreferences:\n- https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/alternate_signed_powershell_hosts.md\ntags:\n- attack.execution\n- attack.t1086\nlogsource:\n product: windows\n service: sysmon\ndetection:\n selection:\n EventID: 7\n Description: system.management.automation\n ImageLoaded|contains: system.management.automation\n filter:\n Image|endswith: \\powershell.exe\n condition: selection and not filter\nfalsepositives:\n- Programs using PowerShell directly without invocation of a dedicated interpreter.\nlevel: high\n\n
\n}}'),(5673,'Issue',314,15,'T1086'),(5674,'Issue',315,1,'Alternate PowerShell Hosts Pipe'),(5675,'Issue',315,2,'Roberto Rodriguez @Cyb3rWard0g'),(5676,'Issue',315,8,'https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/alternate_signed_powershell_hosts.md'),(5677,'Issue',315,10,'medium'),(5678,'Issue',315,13,'community'),(5679,'Issue',315,14,'windows'),(5681,'Issue',315,11,'705958333'),(5682,'Issue',315,12,'58cb02d5-78ce-4692-b3e1-dce850aae41a'),(5683,'Issue',315,16,'win-sysmon'),(5684,'Issue',315,17,''),(5685,'Issue',315,7,''),(5686,'Issue',315,3,'Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe'),(5687,'Issue',315,4,''),(5688,'Issue',315,5,'_False Positives_\nPrograms using PowerShell directly without invocation of a dedicated interpreter.\n\n_Interesting Log Fields_\nComputerName\nUser\nImage\nPipeName'),(5689,'Issue',315,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (event.code:\"17\" AND event_data.PipeName.keyword:\\\\PSHost*) AND (NOT (process.executable.keyword:*\\\\powershell.exe)))\nindex: so-*\nname: Alternate PowerShell Hosts Pipe\npriority: 3\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(5690,'Issue',315,9,'{{collapse(View Sigma)\n\n\ntitle: Alternate PowerShell Hosts Pipe\nid: 58cb02d5-78ce-4692-b3e1-dce850aae41a\ndescription: Detects alternate PowerShell hosts potentially bypassing detections looking\n for powershell.exe\nstatus: experimental\ndate: 2019/09/12\nmodified: 2019/11/10\nauthor: Roberto Rodriguez @Cyb3rWard0g\nreferences:\n- https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/alternate_signed_powershell_hosts.md\ntags:\n- attack.execution\n- attack.t1086\nlogsource:\n product: windows\n service: sysmon\ndetection:\n selection:\n EventID: 17\n PipeName|startswith: \\PSHost\n filter:\n Image|endswith: \\powershell.exe\n condition: selection and not filter\nfields:\n- ComputerName\n- User\n- Image\n- PipeName\nfalsepositives:\n- Programs using PowerShell directly without invocation of a dedicated interpreter.\nlevel: medium\n\n
\n}}'),(5691,'Issue',315,15,'T1086'),(5692,'Issue',316,1,'OceanLotus Registry Activity'),(5693,'Issue',316,2,'megan201296'),(5694,'Issue',316,8,'https://www.welivesecurity.com/2019/03/20/fake-or-fake-keeping-up-with-oceanlotus-decoys/'),(5695,'Issue',316,10,'critical'),(5696,'Issue',316,13,'community'),(5697,'Issue',316,14,'windows'),(5699,'Issue',316,11,'515c55bec'),(5700,'Issue',316,12,'4ac5fc44-a601-4c06-955b-309df8c4e9d4'),(5701,'Issue',316,16,'win-sysmon'),(5702,'Issue',316,17,''),(5703,'Issue',316,7,''),(5704,'Issue',316,3,'Detects registry keys created in OceanLotus (also known as APT32) attacks'),(5705,'Issue',316,4,''),(5706,'Issue',316,5,'_False Positives_\nUnknown'),(5707,'Issue',316,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"13\" AND event_data.TargetObject.keyword:(HKCR\\\\CLSID\\\\\\{E08A0F4B\\-1F65\\-4D4D\\-9A09\\-BD4625B9C5A1\\}\\\\Model OR HKU\\\\*_Classes\\\\CLSID\\\\\\{E08A0F4B\\-1F65\\-4D4D\\-9A09\\-BD4625B9C5A1\\}\\\\Model OR *\\\\SOFTWARE\\\\App\\\\AppXbf13d4ea2945444d8b13e2121cb6b663\\\\Application OR *\\\\SOFTWARE\\\\App\\\\AppXbf13d4ea2945444d8b13e2121cb6b663\\\\DefaultIcon OR *\\\\SOFTWARE\\\\App\\\\AppX70162486c7554f7f80f481985d67586d\\\\Application OR *\\\\SOFTWARE\\\\App\\\\AppX70162486c7554f7f80f481985d67586d\\\\DefaultIcon OR *\\\\SOFTWARE\\\\App\\\\AppX37cc7fdccd644b4f85f4b22d5a3f105a\\\\Application OR *\\\\SOFTWARE\\\\App\\\\AppX37cc7fdccd644b4f85f4b22d5a3f105a\\\\DefaultIcon OR HKU\\\\*_Classes\\\\AppXc52346ec40fb4061ad96be0e6cb7d16a\\\\* OR HKU\\\\*_Classes\\\\AppX3bbba44c6cae4d9695755183472171e2\\\\* OR HKU\\\\*_Classes\\\\CLSID\\\\\\{E3517E26\\-8E93\\-458D\\-A6DF\\-8030BC80528B\\}\\\\*))\nindex: so-*\nname: OceanLotus Registry Activity\npriority: 1\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(5708,'Issue',316,9,'{{collapse(View Sigma)\n\n\ntitle: OceanLotus Registry Activity\nid: 4ac5fc44-a601-4c06-955b-309df8c4e9d4\nstatus: experimental\ndescription: Detects registry keys created in OceanLotus (also known as APT32) attacks\nreferences:\n- https://www.welivesecurity.com/2019/03/20/fake-or-fake-keeping-up-with-oceanlotus-decoys/\ntags:\n- attack.t1112\nauthor: megan201296\ndate: 2019/04/14\nlogsource:\n product: windows\n service: sysmon\ndetection:\n selection:\n EventID: 13\n TargetObject:\n - HKCR\\CLSID\\{E08A0F4B-1F65-4D4D-9A09-BD4625B9C5A1}\\Model\n - HKU\\\\*_Classes\\CLSID\\{E08A0F4B-1F65-4D4D-9A09-BD4625B9C5A1}\\Model\n - \'*\\SOFTWARE\\App\\AppXbf13d4ea2945444d8b13e2121cb6b663\\Application\'\n - \'*\\SOFTWARE\\App\\AppXbf13d4ea2945444d8b13e2121cb6b663\\DefaultIcon\'\n - \'*\\SOFTWARE\\App\\AppX70162486c7554f7f80f481985d67586d\\Application\'\n - \'*\\SOFTWARE\\App\\AppX70162486c7554f7f80f481985d67586d\\DefaultIcon\'\n - \'*\\SOFTWARE\\App\\AppX37cc7fdccd644b4f85f4b22d5a3f105a\\Application\'\n - \'*\\SOFTWARE\\App\\AppX37cc7fdccd644b4f85f4b22d5a3f105a\\DefaultIcon\'\n - HKU\\\\*_Classes\\AppXc52346ec40fb4061ad96be0e6cb7d16a\\\\*\n - HKU\\\\*_Classes\\AppX3bbba44c6cae4d9695755183472171e2\\\\*\n - HKU\\\\*_Classes\\CLSID\\{E3517E26-8E93-458D-A6DF-8030BC80528B}\\\\*\n condition: selection\nfalsepositives:\n- Unknown\nlevel: critical\n\n
\n}}'),(5709,'Issue',316,15,'T1112'),(5710,'Issue',317,1,'Turla Group Named Pipes'),(5711,'Issue',317,2,'Markus Neis'),(5712,'Issue',317,8,'Internal Research'),(5713,'Issue',317,10,'critical'),(5714,'Issue',317,13,'community'),(5715,'Issue',317,14,'windows'),(5716,'Issue',317,15,''),(5717,'Issue',317,11,'9f6d31f18'),(5718,'Issue',317,12,'739915e4-1e70-4778-8b8a-17db02f66db1'),(5719,'Issue',317,16,'win-sysmon'),(5720,'Issue',317,17,''),(5721,'Issue',317,7,''),(5722,'Issue',317,3,'Detects a named pipe used by Turla group samples'),(5723,'Issue',317,4,''),(5724,'Issue',317,5,'_False Positives_\nUnkown'),(5725,'Issue',317,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:(\"17\" OR \"18\") AND event_data.PipeName:(\"\\\\atctl\" OR \"\\\\userpipe\" OR \"\\\\iehelper\" OR \"\\\\sdlrpc\" OR \"\\\\comnap\"))\nindex: so-*\nname: Turla Group Named Pipes\npriority: 1\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(5726,'Issue',317,9,'{{collapse(View Sigma)\n\n\ntitle: Turla Group Named Pipes\nid: 739915e4-1e70-4778-8b8a-17db02f66db1\nstatus: experimental\ndescription: Detects a named pipe used by Turla group samples\nreferences:\n- Internal Research\ndate: 2017/11/06\ntags:\n- attack.g0010\nauthor: Markus Neis\nlogsource:\n product: windows\n service: sysmon\n definition: Note that you have to configure logging for PipeEvents in Symson config\ndetection:\n selection:\n EventID:\n - 17\n - 18\n PipeName:\n - \\atctl\n - \\userpipe\n - \\iehelper\n - \\sdlrpc\n - \\comnap\n condition: selection\nfalsepositives:\n- Unkown\nlevel: critical\n\n
\n}}'),(5727,'Issue',318,1,'Autorun Keys Modification'),(5728,'Issue',318,2,'Victor Sergeev, Daniil Yugoslavskiy, oscd.community'),(5729,'Issue',318,8,'https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1060/T1060.yaml'),(5730,'Issue',318,10,'medium'),(5731,'Issue',318,13,'community'),(5732,'Issue',318,14,'windows'),(5734,'Issue',318,11,'102e8b3e7'),(5735,'Issue',318,12,'17f878b8-9968-4578-b814-c4217fc5768c'),(5736,'Issue',318,16,'win-sysmon'),(5737,'Issue',318,17,''),(5738,'Issue',318,7,''),(5739,'Issue',318,3,'Detects modification of autostart extensibility point (ASEP) in registry'),(5740,'Issue',318,4,''),(5741,'Issue',318,5,'_False Positives_\nLegitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason\nLegitimate administrator sets up autorun keys for legitimate reason'),(5742,'Issue',318,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"13\" AND event_data.TargetObject.keyword:(*\\\\software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run* OR *\\\\software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce* OR *\\\\software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnceEx* OR *\\\\software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunServices* OR *\\\\software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunServicesOnce* OR *\\\\software\\\\Microsoft\\\\Windows\\ NT\\\\CurrentVersion\\\\Winlogon\\\\Userinit* OR *\\\\software\\\\Microsoft\\\\Windows\\ NT\\\\CurrentVersion\\\\Winlogon\\\\Shell* OR *\\\\software\\\\Microsoft\\\\Windows\\ NT\\\\CurrentVersion\\\\Windows* OR *\\\\software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User\\ Shell\\ Folders*))\nindex: so-*\nname: Autorun Keys Modification\npriority: 3\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(5743,'Issue',318,9,'{{collapse(View Sigma)\n\n\ntitle: Autorun Keys Modification\nid: 17f878b8-9968-4578-b814-c4217fc5768c\ndescription: Detects modification of autostart extensibility point (ASEP) in registry\nstatus: experimental\nreferences:\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1060/T1060.yaml\ntags:\n- attack.persistence\n- attack.t1060\ndate: 2019/10/21\nmodified: 2019/11/10\nauthor: Victor Sergeev, Daniil Yugoslavskiy, oscd.community\nlogsource:\n product: windows\n service: sysmon\ndetection:\n selection:\n EventID: 13\n TargetObject|contains:\n - \\software\\Microsoft\\Windows\\CurrentVersion\\Run\n - \\software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\n - \\software\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx\n - \\software\\Microsoft\\Windows\\CurrentVersion\\RunServices\n - \\software\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce\n - \\software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit\n - \\software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell\n - \\software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\n - \\software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\n condition: selection\nfalsepositives:\n- Legitimate software automatically (mostly, during installation) sets up autorun\n keys for legitimate reason\n- Legitimate administrator sets up autorun keys for legitimate reason\nlevel: medium\n\n
\n}}'),(5744,'Issue',318,15,'T1060'),(5745,'Issue',319,1,'CACTUSTORCH Remote Thread Creation'),(5746,'Issue',319,2,'@SBousseaden (detection), Thomas Patzke (rule)'),(5747,'Issue',319,8,'https://twitter.com/SBousseaden/status/1090588499517079552\nhttps://github.com/mdsecactivebreach/CACTUSTORCH'),(5748,'Issue',319,10,'high'),(5749,'Issue',319,13,'community'),(5750,'Issue',319,14,'windows'),(5752,'Issue',319,11,'3ea2f31f8'),(5753,'Issue',319,12,'2e4e488a-6164-4811-9ea1-f960c7359c40'),(5754,'Issue',319,16,'win-sysmon'),(5755,'Issue',319,17,''),(5756,'Issue',319,7,''),(5757,'Issue',319,3,'Detects remote thread creation from CACTUSTORCH as described in references.'),(5758,'Issue',319,4,''),(5759,'Issue',319,5,'_False Positives_\nunknown'),(5760,'Issue',319,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"8\" AND event_data.SourceImage.keyword:(*\\\\System32\\\\cscript.exe OR *\\\\System32\\\\wscript.exe OR *\\\\System32\\\\mshta.exe OR *\\\\winword.exe OR *\\\\excel.exe) AND event_data.TargetImage.keyword:*\\\\SysWOW64\\\\* AND NOT _exists_:event_data.StartModule)\nindex: so-*\nname: CACTUSTORCH Remote Thread Creation\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(5761,'Issue',319,9,'{{collapse(View Sigma)\n\n\ntitle: CACTUSTORCH Remote Thread Creation\nid: 2e4e488a-6164-4811-9ea1-f960c7359c40\ndescription: Detects remote thread creation from CACTUSTORCH as described in references.\nreferences:\n- https://twitter.com/SBousseaden/status/1090588499517079552\n- https://github.com/mdsecactivebreach/CACTUSTORCH\nstatus: experimental\nauthor: \'@SBousseaden (detection), Thomas Patzke (rule)\'\ndate: 2019/02/01\nlogsource:\n product: windows\n service: sysmon\ndetection:\n selection:\n EventID: 8\n SourceImage:\n - \'*\\System32\\cscript.exe\'\n - \'*\\System32\\wscript.exe\'\n - \'*\\System32\\mshta.exe\'\n - \'*\\winword.exe\'\n - \'*\\excel.exe\'\n TargetImage: \'*\\SysWOW64\\\\*\'\n StartModule:\n condition: selection\ntags:\n- attack.execution\n- attack.t1055\n- attack.t1064\nfalsepositives:\n- unknown\nlevel: high\n\n
\n}}'),(5762,'Issue',319,15,'T1055'),(5763,'Issue',319,15,'T1064'),(5764,'Issue',320,1,'CobaltStrike Process Injection'),(5765,'Issue',320,2,'Olaf Hartong, Florian Roth, Aleksey Potapov, oscd.community'),(5766,'Issue',320,8,'https://medium.com/@olafhartong/cobalt-strike-remote-threads-detection-206372d11d0f\nhttps://blog.cobaltstrike.com/2018/04/09/cobalt-strike-3-11-the-snake-that-eats-its-tail/'),(5767,'Issue',320,10,'high'),(5768,'Issue',320,13,'community'),(5769,'Issue',320,14,'windows'),(5771,'Issue',320,11,'28d3c60ec'),(5772,'Issue',320,12,'6309645e-122d-4c5b-bb2b-22e4f9c2fa42'),(5773,'Issue',320,16,'win-sysmon'),(5774,'Issue',320,17,''),(5775,'Issue',320,7,''),(5776,'Issue',320,3,'Detects a possible remote threat creation with certain characteristics which are typical for Cobalt Strike beacons'),(5777,'Issue',320,4,''),(5778,'Issue',320,5,'_False Positives_\nunknown'),(5779,'Issue',320,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"8\" AND TargetProcessAddress.keyword:(*0B80 OR *0C7C OR *0C88))\nindex: so-*\nname: CobaltStrike Process Injection\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(5780,'Issue',320,9,'{{collapse(View Sigma)\n\n\ntitle: CobaltStrike Process Injection\nid: 6309645e-122d-4c5b-bb2b-22e4f9c2fa42\ndescription: Detects a possible remote threat creation with certain characteristics\n which are typical for Cobalt Strike beacons\nreferences:\n- https://medium.com/@olafhartong/cobalt-strike-remote-threads-detection-206372d11d0f\n- https://blog.cobaltstrike.com/2018/04/09/cobalt-strike-3-11-the-snake-that-eats-its-tail/\ntags:\n- attack.defense_evasion\n- attack.t1055\nstatus: experimental\nauthor: Olaf Hartong, Florian Roth, Aleksey Potapov, oscd.community\ndate: 2018/11/30\nmodified: 2019/11/08\nlogsource:\n product: windows\n service: sysmon\ndetection:\n selection:\n EventID: 8\n TargetProcessAddress|endswith:\n - 0B80\n - 0C7C\n - 0C88\n condition: selection\nfalsepositives:\n- unknown\nlevel: high\n\n
\n}}'),(5781,'Issue',320,15,'T1055'),(5782,'Issue',321,1,'CreateRemoteThread API and LoadLibrary'),(5783,'Issue',321,2,'Roberto Rodriguez @Cyb3rWard0g'),(5784,'Issue',321,8,'https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/05_defense_evasion/T1055_process_injection/dll_injection_createremotethread_loadlibrary.md'),(5785,'Issue',321,10,'critical'),(5786,'Issue',321,13,'community'),(5787,'Issue',321,14,'windows'),(5789,'Issue',321,11,'3325ffed5'),(5790,'Issue',321,12,'052ec6f6-1adc-41e6-907a-f1c813478bee'),(5791,'Issue',321,16,'win-sysmon'),(5792,'Issue',321,17,''),(5793,'Issue',321,7,''),(5794,'Issue',321,3,'Detects potential use of CreateRemoteThread api and LoadLibrary function to inject DLL into a process'),(5795,'Issue',321,4,''),(5796,'Issue',321,5,'_False Positives_\nUnknown'),(5797,'Issue',321,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"8\" AND event_data.StartModule.keyword:*\\\\kernel32.dll AND StartFunction:\"LoadLibraryA\")\nindex: so-*\nname: CreateRemoteThread API and LoadLibrary\npriority: 1\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(5798,'Issue',321,9,'{{collapse(View Sigma)\n\n\ntitle: CreateRemoteThread API and LoadLibrary\nid: 052ec6f6-1adc-41e6-907a-f1c813478bee\ndescription: Detects potential use of CreateRemoteThread api and LoadLibrary function\n to inject DLL into a process\nstatus: experimental\ndate: 2019/08/11\nmodified: 2019/11/10\nauthor: Roberto Rodriguez @Cyb3rWard0g\nreferences:\n- https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/05_defense_evasion/T1055_process_injection/dll_injection_createremotethread_loadlibrary.md\ntags:\n- attack.defense_evasion\n- attack.t1055\nlogsource:\n product: windows\n service: sysmon\ndetection:\n selection:\n EventID: 8\n StartModule|endswith: \\kernel32.dll\n StartFunction: LoadLibraryA\n condition: selection\nfalsepositives:\n- Unknown\nlevel: critical\n\n
\n}}'),(5799,'Issue',321,15,'T1055'),(5800,'Issue',322,1,'Credentials Dumping Tools Accessing LSASS Memory'),(5801,'Issue',322,2,'Florian Roth, Roberto Rodriguez, Dimitrios Slamaris, Mark Russinovich, Thomas Patzke, Teymur Kheirkhabarov, Sherif Eldeeb, James Dickenson, Aleksey Potapov, oscd.community (update)'),(5802,'Issue',322,8,'https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow\nhttps://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html\nhttps://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment\nhttp://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf'),(5803,'Issue',322,10,'high'),(5804,'Issue',322,13,'community'),(5805,'Issue',322,14,'windows'),(5807,'Issue',322,11,'38beb365c'),(5808,'Issue',322,12,'32d0d3e2-e58d-4d41-926b-18b520b2b32d'),(5809,'Issue',322,16,'win-sysmon'),(5810,'Issue',322,17,''),(5811,'Issue',322,7,''),(5812,'Issue',322,3,'Detects process access LSASS memory which is typical for credentials dumping tools'),(5813,'Issue',322,4,''),(5814,'Issue',322,5,'_False Positives_\nLegitimate software accessing LSASS process for legitimate reason; update the whitelist with it\n\n_Interesting Log Fields_\nComputerName\nUser\nSourceImage'),(5815,'Issue',322,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (event.code:\"10\" AND event_data.TargetImage.keyword:*\\\\lsass.exe AND event_data.GrantedAccess.keyword:(*0x40* OR *0x1000* OR *0x1400* OR *0x100000* OR *0x1410* OR *0x1010* OR *0x1438* OR *0x143a* OR *0x1418* OR *0x1f0fff* OR *0x1f1fff* OR *0x1f2fff* OR *0x1f3fff*)) AND (NOT (event_data.ProcessName.keyword:(*\\\\wmiprvse.exe OR *\\\\taskmgr.exe OR *\\\\procexp64.exe OR *\\\\procexp.exe OR *\\\\lsm.exe OR *\\\\csrss.exe OR *\\\\wininit.exe OR *\\\\vmtoolsd.exe))))\nindex: so-*\nname: Credentials Dumping Tools Accessing LSASS Memory\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(5816,'Issue',322,9,'{{collapse(View Sigma)\n\n\ntitle: Credentials Dumping Tools Accessing LSASS Memory\nid: 32d0d3e2-e58d-4d41-926b-18b520b2b32d\nstatus: experimental\ndescription: Detects process access LSASS memory which is typical for credentials\n dumping tools\nauthor: Florian Roth, Roberto Rodriguez, Dimitrios Slamaris, Mark Russinovich, Thomas\n Patzke, Teymur Kheirkhabarov, Sherif Eldeeb, James Dickenson, Aleksey Potapov, oscd.community\n (update)\ndate: 2017/02/16\nmodified: 2019/11/08\nreferences:\n- https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow\n- https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html\n- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment\n- http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf\ntags:\n- attack.t1003\n- attack.s0002\n- attack.credential_access\n- car.2019-04-004\nlogsource:\n product: windows\n service: sysmon\ndetection:\n selection:\n EventID: 10\n TargetImage|endswith: \\lsass.exe\n GrantedAccess|contains:\n - \'0x40\'\n - \'0x1000\'\n - \'0x1400\'\n - \'0x100000\'\n - \'0x1410\'\n - \'0x1010\'\n - \'0x1438\'\n - \'0x143a\'\n - \'0x1418\'\n - \'0x1f0fff\'\n - \'0x1f1fff\'\n - \'0x1f2fff\'\n - \'0x1f3fff\'\n filter:\n ProcessName|endswith:\n - \\wmiprvse.exe\n - \\taskmgr.exe\n - \\procexp64.exe\n - \\procexp.exe\n - \\lsm.exe\n - \\csrss.exe\n - \\wininit.exe\n - \\vmtoolsd.exe\n condition: selection and not filter\nfields:\n- ComputerName\n- User\n- SourceImage\nfalsepositives:\n- Legitimate software accessing LSASS process for legitimate reason; update the whitelist\n with it\nlevel: high\n\n
\n}}'),(5817,'Issue',322,15,'T1003'),(5818,'Issue',323,1,'Cred Dump Tools Dropped Files'),(5819,'Issue',323,2,'Teymur Kheirkhabarov, oscd.community'),(5820,'Issue',323,8,'https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment'),(5821,'Issue',323,10,'high'),(5822,'Issue',323,13,'community'),(5823,'Issue',323,14,'windows'),(5825,'Issue',323,11,'3205565a1'),(5826,'Issue',323,12,'8fbf3271-1ef6-4e94-8210-03c2317947f6'),(5827,'Issue',323,16,'win-sysmon'),(5828,'Issue',323,17,''),(5829,'Issue',323,7,''),(5830,'Issue',323,3,'Files with well-known filenames (parts of credential dump software or files produced by them) creation'),(5831,'Issue',323,4,''),(5832,'Issue',323,5,'_False Positives_\nLegitimate Administrator using tool for password recovery'),(5833,'Issue',323,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"11\" AND event_data.TargetFilename.keyword:(*\\\\pwdump* OR *\\\\kirbi* OR *\\\\pwhashes* OR *\\\\wce_ccache* OR *\\\\wce_krbtkts* OR *\\\\fgdump\\-log*) AND event_data.TargetFilename.keyword:(*\\\\test.pwd OR *\\\\lsremora64.dll OR *\\\\lsremora.dll OR *\\\\fgexec.exe OR *\\\\wceaux.dll OR *\\\\SAM.out OR *\\\\SECURITY.out OR *\\\\SYSTEM.out OR *\\\\NTDS.out OR *\\\\DumpExt.dll OR *\\\\DumpSvc.exe OR *\\\\cachedump64.exe OR *\\\\cachedump.exe OR *\\\\pstgdump.exe OR *\\\\servpw.exe OR *\\\\servpw64.exe OR *\\\\pwdump.exe OR *\\\\procdump64.exe))\nindex: so-*\nname: Cred Dump Tools Dropped Files\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(5834,'Issue',323,9,'{{collapse(View Sigma)\n\n\ntitle: Cred Dump Tools Dropped Files\nid: 8fbf3271-1ef6-4e94-8210-03c2317947f6\ndescription: Files with well-known filenames (parts of credential dump software or\n files produced by them) creation\nauthor: Teymur Kheirkhabarov, oscd.community\ndate: 2019/11/01\nmodified: 2019/11/13\nreferences:\n- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment\ntags:\n- attack.credential_access\n- attack.t1003\nlogsource:\n product: windows\n service: sysmon\ndetection:\n selection:\n EventID: 11\n TargetFilename|contains:\n - \\pwdump\n - \\kirbi\n - \\pwhashes\n - \\wce_ccache\n - \\wce_krbtkts\n - \\fgdump-log\n TargetFilename|endswith:\n - \\test.pwd\n - \\lsremora64.dll\n - \\lsremora.dll\n - \\fgexec.exe\n - \\wceaux.dll\n - \\SAM.out\n - \\SECURITY.out\n - \\SYSTEM.out\n - \\NTDS.out\n - \\DumpExt.dll\n - \\DumpSvc.exe\n - \\cachedump64.exe\n - \\cachedump.exe\n - \\pstgdump.exe\n - \\servpw.exe\n - \\servpw64.exe\n - \\pwdump.exe\n - \\procdump64.exe\n condition: selection\nfalsepositives:\n- Legitimate Administrator using tool for password recovery\nlevel: high\nstatus: experimental\n\n
\n}}'),(5835,'Issue',323,15,'T1003'),(5836,'Issue',324,1,'Cred Dump-Tools Named Pipes'),(5837,'Issue',324,2,'Teymur Kheirkhabarov, oscd.community'),(5838,'Issue',324,8,'https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment'),(5839,'Issue',324,10,'critical'),(5840,'Issue',324,13,'community'),(5841,'Issue',324,14,'windows'),(5843,'Issue',324,11,'f819bdb50'),(5844,'Issue',324,12,'961d0ba2-3eea-4303-a930-2cf78bbfcc5e'),(5845,'Issue',324,16,'win-sysmon'),(5846,'Issue',324,17,''),(5847,'Issue',324,7,''),(5848,'Issue',324,3,'Detects well-known credential dumping tools execution via specific named pipes'),(5849,'Issue',324,4,''),(5850,'Issue',324,5,'_False Positives_\nLegitimate Administrator using tool for password recovery'),(5851,'Issue',324,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"17\" AND event_data.PipeName.keyword:(*\\\\lsadump* OR *\\\\cachedump* OR *\\\\wceservicepipe*))\nindex: so-*\nname: Cred Dump-Tools Named Pipes\npriority: 1\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(5852,'Issue',324,9,'{{collapse(View Sigma)\n\n\ntitle: Cred Dump-Tools Named Pipes\nid: 961d0ba2-3eea-4303-a930-2cf78bbfcc5e\ndescription: Detects well-known credential dumping tools execution via specific named\n pipes\nauthor: Teymur Kheirkhabarov, oscd.community\ndate: 2019/11/01\nreferences:\n- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment\ntags:\n- attack.credential_access\n- attack.t1003\nlogsource:\n product: windows\n service: sysmon\ndetection:\n selection:\n EventID: 17\n PipeName|contains:\n - \\lsadump\n - \\cachedump\n - \\wceservicepipe\n condition: selection\nfalsepositives:\n- Legitimate Administrator using tool for password recovery\nlevel: critical\nstatus: experimental\n\n
\n}}'),(5853,'Issue',324,15,'T1003'),(5854,'Issue',325,1,'DHCP Callout DLL Installation'),(5855,'Issue',325,2,'Dimitrios Slamaris'),(5856,'Issue',325,8,'https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html\nhttps://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx\nhttps://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx'),(5857,'Issue',325,10,'high'),(5858,'Issue',325,13,'community'),(5859,'Issue',325,14,'windows'),(5861,'Issue',325,11,'6fbe5639d'),(5862,'Issue',325,12,'9d3436ef-9476-4c43-acca-90ce06bdf33a'),(5863,'Issue',325,16,'win-sysmon'),(5864,'Issue',325,17,''),(5865,'Issue',325,7,''),(5866,'Issue',325,3,'Detects the installation of a Callout DLL via CalloutDlls and CalloutEnabled parameter in Registry, which can be used to execute code in context of the DHCP server (restart required)'),(5867,'Issue',325,4,''),(5868,'Issue',325,5,'_False Positives_\nunknown'),(5869,'Issue',325,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"13\" AND event_data.TargetObject.keyword:(*\\\\Services\\\\DHCPServer\\\\Parameters\\\\CalloutDlls OR *\\\\Services\\\\DHCPServer\\\\Parameters\\\\CalloutEnabled))\nindex: so-*\nname: DHCP Callout DLL Installation\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(5870,'Issue',325,9,'{{collapse(View Sigma)\n\n\ntitle: DHCP Callout DLL Installation\nid: 9d3436ef-9476-4c43-acca-90ce06bdf33a\nstatus: experimental\ndescription: Detects the installation of a Callout DLL via CalloutDlls and CalloutEnabled\n parameter in Registry, which can be used to execute code in context of the DHCP\n server (restart required)\nreferences:\n- https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html\n- https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx\n- https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx\ndate: 2017/05/15\nauthor: Dimitrios Slamaris\ntags:\n- attack.defense_evasion\n- attack.t1073\n- attack.t1112\nlogsource:\n product: windows\n service: sysmon\ndetection:\n selection:\n EventID: 13\n TargetObject:\n - \'*\\Services\\DHCPServer\\Parameters\\CalloutDlls\'\n - \'*\\Services\\DHCPServer\\Parameters\\CalloutEnabled\'\n condition: selection\nfalsepositives:\n- unknown\nlevel: high\n\n
\n}}'),(5871,'Issue',325,15,'T1073'),(5872,'Issue',325,15,'T1112'),(5873,'Issue',326,1,'Disable Security Events Logging Adding Reg Key MiniNt'),(5874,'Issue',326,2,'Ilyas Ochkov, oscd.community'),(5875,'Issue',326,8,'https://twitter.com/0gtweet/status/1182516740955226112'),(5876,'Issue',326,10,'high'),(5877,'Issue',326,13,'community'),(5878,'Issue',326,14,'windows'),(5880,'Issue',326,11,'685c808fd'),(5881,'Issue',326,12,'919f2ef0-be2d-4a7a-b635-eb2b41fde044'),(5882,'Issue',326,16,'win-sysmon'),(5883,'Issue',326,17,''),(5884,'Issue',326,7,''),(5885,'Issue',326,3,'Detects the addition of a key \'MiniNt\' to the registry. Upon a reboot, Windows Event Log service will stopped write events.'),(5886,'Issue',326,4,''),(5887,'Issue',326,5,'_False Positives_\nUnkown\n\n_Interesting Log Fields_\nEventID\nImage\nTargetObject\nNewName'),(5888,'Issue',326,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND ((event.code:\"12\" AND event_data.TargetObject:\"HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\MiniNt\") OR (event.code:\"14\" AND NewName:\"HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\MiniNt\")))\nindex: so-*\nname: Disable Security Events Logging Adding Reg Key MiniNt\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(5889,'Issue',326,9,'{{collapse(View Sigma)\n\n\ntitle: Disable Security Events Logging Adding Reg Key MiniNt\nid: 919f2ef0-be2d-4a7a-b635-eb2b41fde044\nstatus: experimental\ndescription: Detects the addition of a key \'MiniNt\' to the registry. Upon a reboot,\n Windows Event Log service will stopped write events.\nreferences:\n- https://twitter.com/0gtweet/status/1182516740955226112\ntags:\n- attack.defense_evasion\n- attack.t1089\nauthor: Ilyas Ochkov, oscd.community\ndate: 2019/10/25\nmodified: 2019/11/13\nlogsource:\n product: windows\n service: sysmon\ndetection:\n selection:\n - EventID: 12\n TargetObject: HKLM\\SYSTEM\\CurrentControlSet\\Control\\MiniNt\n - EventID: 14\n NewName: HKLM\\SYSTEM\\CurrentControlSet\\Control\\MiniNt\n condition: selection\nfields:\n- EventID\n- Image\n- TargetObject\n- NewName\nfalsepositives:\n- Unkown\nlevel: high\n\n
\n}}'),(5890,'Issue',326,15,'T1089'),(5891,'Issue',327,1,'Detection of SafetyKatz'),(5892,'Issue',327,2,'Markus Neis'),(5893,'Issue',327,8,'https://github.com/GhostPack/SafetyKatz'),(5894,'Issue',327,10,'high'),(5895,'Issue',327,13,'community'),(5896,'Issue',327,14,'windows'),(5898,'Issue',327,11,'de878e0bb'),(5899,'Issue',327,12,'e074832a-eada-4fd7-94a1-10642b130e16'),(5900,'Issue',327,16,'win-sysmon'),(5901,'Issue',327,17,''),(5902,'Issue',327,7,''),(5903,'Issue',327,3,'Detects possible SafetyKatz Behaviour'),(5904,'Issue',327,4,''),(5905,'Issue',327,5,'_False Positives_\nUnknown'),(5906,'Issue',327,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"11\" AND event_data.TargetFilename.keyword:*\\\\Temp\\\\debug.bin)\nindex: so-*\nname: Detection of SafetyKatz\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(5907,'Issue',327,9,'{{collapse(View Sigma)\n\n\ntitle: Detection of SafetyKatz\nid: e074832a-eada-4fd7-94a1-10642b130e16\nstatus: experimental\ndescription: Detects possible SafetyKatz Behaviour\nreferences:\n- https://github.com/GhostPack/SafetyKatz\ntags:\n- attack.credential_access\n- attack.t1003\nauthor: Markus Neis\ndate: 2018/07/24\nlogsource:\n product: windows\n service: sysmon\ndetection:\n selection:\n EventID: 11\n TargetFilename: \'*\\Temp\\debug.bin\'\n condition: selection\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(5908,'Issue',327,15,'T1003'),(5909,'Issue',328,1,'Suspicious In-Memory Module Execution'),(5910,'Issue',328,2,'Perez Diego (@darkquassar), oscd.community'),(5911,'Issue',328,8,'https://azure.microsoft.com/en-ca/blog/detecting-in-memory-attacks-with-sysmon-and-azure-security-center/'),(5912,'Issue',328,10,'critical'),(5913,'Issue',328,13,'community'),(5914,'Issue',328,14,'windows'),(5916,'Issue',328,11,'0b938deb6'),(5917,'Issue',328,12,'5f113a8f-8b61-41ca-b90f-d374fa7e4a39'),(5918,'Issue',328,16,'win-sysmon'),(5919,'Issue',328,17,''),(5920,'Issue',328,7,''),(5921,'Issue',328,3,'Detects the access to processes by other suspicious processes which have reflectively loaded libraries in their memory space. An example is SilentTrinity C2 behaviour. Generally speaking, when Sysmon EventID 10 cannot reference a stack call to a dll loaded from disk (the standard way), it will display \"UNKNOWN\" as the module name. Usually this means the stack call points to a module that was reflectively loaded in memory. Adding to this, it is not common to see such few calls in the stack (ntdll.dll --> kernelbase.dll --> unknown) which essentially means that most of the functions required by the process to execute certain routines are already present in memory, not requiring any calls to external libraries. The latter should also be considered suspicious.'),(5922,'Issue',328,4,''),(5923,'Issue',328,5,'_False Positives_\nLow\n\n_Interesting Log Fields_\nComputerName\nUser\nSourceImage\nTargetImage\nCallTrace'),(5924,'Issue',328,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"10\" AND (event_data.CallTrace.keyword:(C\\:\\\\Windows\\\\SYSTEM32\\\\ntdll.dll\\+*|C\\:\\\\Windows\\\\System32\\\\KERNELBASE.dll\\+*|UNKNOWN\\(*\\) OR *UNKNOWN\\(*\\)|UNKNOWN\\(*\\)) OR (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event_data.CallTrace.keyword:*UNKNOWN* AND event_data.GrantedAccess:(\"0x1F0FFF\" OR \"0x1F1FFF\" OR \"0x143A\" OR \"0x1410\" OR \"0x1010\" OR \"0x1F2FFF\" OR \"0x1F3FFF\" OR \"0x1FFFFF\"))))\nindex: so-*\nname: Suspicious In-Memory Module Execution\npriority: 1\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(5925,'Issue',328,9,'{{collapse(View Sigma)\n\n\ntitle: Suspicious In-Memory Module Execution\nid: 5f113a8f-8b61-41ca-b90f-d374fa7e4a39\ndescription: Detects the access to processes by other suspicious processes which have\n reflectively loaded libraries in their memory space. An example is SilentTrinity\n C2 behaviour. Generally speaking, when Sysmon EventID 10 cannot reference a stack\n call to a dll loaded from disk (the standard way), it will display \"UNKNOWN\" as\n the module name. Usually this means the stack call points to a module that was reflectively\n loaded in memory. Adding to this, it is not common to see such few calls in the\n stack (ntdll.dll --> kernelbase.dll --> unknown) which essentially means that most\n of the functions required by the process to execute certain routines are already\n present in memory, not requiring any calls to external libraries. The latter should\n also be considered suspicious.\nstatus: experimental\ndate: 2019/10/27\nauthor: Perez Diego (@darkquassar), oscd.community\nreferences:\n- https://azure.microsoft.com/en-ca/blog/detecting-in-memory-attacks-with-sysmon-and-azure-security-center/\ntags:\n- attack.privilege_escalation\n- attack.t1055\nlogsource:\n product: windows\n service: sysmon\ndetection:\n selection_01:\n EventID: 10\n CallTrace:\n - C:\\Windows\\SYSTEM32\\ntdll.dll+*|C:\\Windows\\System32\\KERNELBASE.dll+*|UNKNOWN(*)\n - \'*UNKNOWN(*)|UNKNOWN(*)\'\n selection_02:\n EventID: 10\n CallTrace: \'*UNKNOWN*\'\n granted_access:\n GrantedAccess:\n - \'0x1F0FFF\'\n - \'0x1F1FFF\'\n - \'0x143A\'\n - \'0x1410\'\n - \'0x1010\'\n - \'0x1F2FFF\'\n - \'0x1F3FFF\'\n - \'0x1FFFFF\'\n condition: selection_01 OR (selection_02 AND granted_access)\nfields:\n- ComputerName\n- User\n- SourceImage\n- TargetImage\n- CallTrace\nlevel: critical\nfalsepositives:\n- Low\n\n
\n}}'),(5926,'Issue',328,15,'T1055'),(5927,'Issue',329,1,'In-memory PowerShell'),(5928,'Issue',329,2,'Tom Kern, oscd.community'),(5929,'Issue',329,8,'https://adsecurity.org/?p=2921\nhttps://github.com/p3nt4/PowerShdll'),(5930,'Issue',329,10,'high'),(5931,'Issue',329,13,'community'),(5932,'Issue',329,14,'windows'),(5934,'Issue',329,11,'442bc82a3'),(5935,'Issue',329,12,'092bc4b9-3d1d-43b4-a6b4-8c8acd83522f'),(5936,'Issue',329,16,'win-sysmon'),(5937,'Issue',329,17,''),(5938,'Issue',329,7,''),(5939,'Issue',329,3,'Detects loading of essential DLL used by PowerShell, but not by the process powershell.exe. Detects meterpreter\'s \"load powershell\" extension.'),(5940,'Issue',329,4,''),(5941,'Issue',329,5,'_False Positives_\nUsed by some .NET binaries, minimal on user workstation.'),(5942,'Issue',329,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (event.code:\"7\" AND event_data.ImageLoaded.keyword:(*\\\\System.Management.Automation.Dll OR *\\\\System.Management.Automation.ni.Dll)) AND (NOT (process.executable.keyword:(*\\\\powershell.exe OR *\\\\WINDOWS\\\\System32\\\\sdiagnhost.exe) AND event_data.User:\"NT\\ AUTHORITY\\\\SYSTEM\")))\nindex: so-*\nname: In-memory PowerShell\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(5943,'Issue',329,9,'{{collapse(View Sigma)\n\n\ntitle: In-memory PowerShell\nid: 092bc4b9-3d1d-43b4-a6b4-8c8acd83522f\nstatus: experimental\ndescription: Detects loading of essential DLL used by PowerShell, but not by the process\n powershell.exe. Detects meterpreter\'s \"load powershell\" extension.\nauthor: Tom Kern, oscd.community\ndate: 2019/11/14\nmodified: 2019/11/30\nreferences:\n- https://adsecurity.org/?p=2921\n- https://github.com/p3nt4/PowerShdll\ntags:\n- attack.t1086\n- attack.execution\nlogsource:\n product: windows\n service: sysmon\ndetection:\n selection:\n EventID: 7\n ImageLoaded|endswith:\n - \\System.Management.Automation.Dll\n - \\System.Management.Automation.ni.Dll\n filter:\n Image|endswith:\n - \\powershell.exe\n - \\WINDOWS\\System32\\sdiagnhost.exe\n User: NT AUTHORITY\\SYSTEM\n condition: selection and not filter\nfalsepositives:\n- Used by some .NET binaries, minimal on user workstation.\nlevel: high\nenrichment:\n- EN_0001_cache_sysmon_event_id_1_info\n- EN_0003_enrich_other_sysmon_events_with_event_id_1_data\n\n
\n}}'),(5944,'Issue',329,15,'T1086'),(5945,'Issue',330,1,'Suspect Svchost Memory Asccess'),(5946,'Issue',330,2,'Tim Burrell'),(5947,'Issue',330,8,'https://github.com/hlldz/Invoke-Phant0m\nhttps://twitter.com/timbmsft/status/900724491076214784'),(5948,'Issue',330,10,'high'),(5949,'Issue',330,13,'community'),(5950,'Issue',330,14,'windows'),(5952,'Issue',330,11,'ff9ac8949'),(5953,'Issue',330,12,'166e9c50-8cd9-44af-815d-d1f0c0e90dde'),(5954,'Issue',330,16,'win-sysmon'),(5955,'Issue',330,17,''),(5956,'Issue',330,7,''),(5957,'Issue',330,3,'Detects suspect access to svchost process memory such as that used by Invoke-Phantom to kill the winRM windows event logging service.'),(5958,'Issue',330,4,''),(5959,'Issue',330,5,'_False Positives_\nunknown'),(5960,'Issue',330,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"10\" AND event_data.TargetImage.keyword:*\\\\windows\\\\system32\\\\svchost.exe AND event_data.GrantedAccess:\"0x1f3fff\" AND event_data.CallTrace.keyword:(*unknown*))\nindex: so-*\nname: Suspect Svchost Memory Asccess\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(5961,'Issue',330,9,'{{collapse(View Sigma)\n\n\ntitle: Suspect Svchost Memory Asccess\nid: 166e9c50-8cd9-44af-815d-d1f0c0e90dde\nstatus: experimental\ndescription: Detects suspect access to svchost process memory such as that used by\n Invoke-Phantom to kill the winRM windows event logging service.\nauthor: Tim Burrell\ndate: 2020/01/02\nreferences:\n- https://github.com/hlldz/Invoke-Phant0m\n- https://twitter.com/timbmsft/status/900724491076214784\ntags:\n- attack.t1089\n- attack.defense_evasion\nlogsource:\n product: windows\n service: sysmon\ndetection:\n selection:\n EventID: 10\n TargetImage: \'*\\windows\\system32\\svchost.exe\'\n GrantedAccess: \'0x1f3fff\'\n CallTrace:\n - \'*unknown*\'\n condition: selection\nfalsepositives:\n- unknown\nlevel: high\n\n
\n}}'),(5962,'Issue',330,15,'T1089'),(5963,'Issue',331,1,'LSASS Memory Dump'),(5964,'Issue',331,2,'Samir Bousseaden'),(5965,'Issue',331,8,'https://blog.menasec.net/2019/02/threat-hunting-21-procdump-or-taskmgr.html'),(5966,'Issue',331,10,'high'),(5967,'Issue',331,13,'community'),(5968,'Issue',331,14,'windows'),(5970,'Issue',331,11,'183b4c501'),(5971,'Issue',331,12,'5ef9853e-4d0e-4a70-846f-a9ca37d876da'),(5972,'Issue',331,16,'win-sysmon'),(5973,'Issue',331,17,''),(5974,'Issue',331,7,''),(5975,'Issue',331,3,'Detects process LSASS memory dump using procdump or taskmgr based on the CallTrace pointing to dbghelp.dll or dbgcore.dll for win10'),(5976,'Issue',331,4,''),(5977,'Issue',331,5,'_False Positives_\nunknown'),(5978,'Issue',331,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"10\" AND event_data.TargetImage:\"C\\:\\\\windows\\\\system32\\\\lsass.exe\" AND event_data.GrantedAccess:\"0x1fffff\" AND event_data.CallTrace.keyword:(*dbghelp.dll* OR *dbgcore.dll*))\nindex: so-*\nname: LSASS Memory Dump\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(5979,'Issue',331,9,'{{collapse(View Sigma)\n\n\ntitle: LSASS Memory Dump\nid: 5ef9853e-4d0e-4a70-846f-a9ca37d876da\nstatus: experimental\ndescription: Detects process LSASS memory dump using procdump or taskmgr based on\n the CallTrace pointing to dbghelp.dll or dbgcore.dll for win10\nauthor: Samir Bousseaden\ndate: 2019/04/03\nreferences:\n- https://blog.menasec.net/2019/02/threat-hunting-21-procdump-or-taskmgr.html\ntags:\n- attack.t1003\n- attack.s0002\n- attack.credential_access\nlogsource:\n product: windows\n service: sysmon\ndetection:\n selection:\n EventID: 10\n TargetImage: C:\\windows\\system32\\lsass.exe\n GrantedAccess: \'0x1fffff\'\n CallTrace:\n - \'*dbghelp.dll*\'\n - \'*dbgcore.dll*\'\n condition: selection\nfalsepositives:\n- unknown\nlevel: high\n\n
\n}}'),(5980,'Issue',331,15,'T1003'),(5981,'Issue',332,1,'LSASS Memory Dump File Creation'),(5982,'Issue',332,2,'Teymur Kheirkhabarov, oscd.community'),(5983,'Issue',332,8,'https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment'),(5984,'Issue',332,10,'medium'),(5985,'Issue',332,13,'community'),(5986,'Issue',332,14,'windows'),(5988,'Issue',332,11,'d6052fb1a'),(5989,'Issue',332,12,'5e3d3601-0662-4af0-b1d2-36a05e90c40a'),(5990,'Issue',332,16,'win-sysmon'),(5991,'Issue',332,17,''),(5992,'Issue',332,7,''),(5993,'Issue',332,3,'LSASS memory dump creation using operating systems utilities. Procdump will use process name in output file if no name is specified'),(5994,'Issue',332,4,''),(5995,'Issue',332,5,'_False Positives_\nDumping lsass memory for forensic investigation purposes by legitimate incident responder or forensic invetigator\n\n_Interesting Log Fields_\nComputerName\nTargetFileName'),(5996,'Issue',332,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"11\" AND event_data.TargetFilename.keyword:*lsass* AND event_data.TargetFilename.keyword:*dmp)\nindex: so-*\nname: LSASS Memory Dump File Creation\npriority: 3\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(5997,'Issue',332,9,'{{collapse(View Sigma)\n\n\ntitle: LSASS Memory Dump File Creation\nid: 5e3d3601-0662-4af0-b1d2-36a05e90c40a\ndescription: LSASS memory dump creation using operating systems utilities. Procdump\n will use process name in output file if no name is specified\nauthor: Teymur Kheirkhabarov, oscd.community\nreferences:\n- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment\ndate: 2019/10/22\nmodified: 2019/11/13\ntags:\n- attack.credential_access\n- attack.t1003\nlogsource:\n product: windows\n service: sysmon\ndetection:\n selection:\n EventID: 11\n TargetFilename|contains: lsass\n TargetFilename|endswith: dmp\n condition: selection\nfields:\n- ComputerName\n- TargetFileName\nfalsepositives:\n- Dumping lsass memory for forensic investigation purposes by legitimate incident\n responder or forensic invetigator\nlevel: medium\nstatus: experimental\n\n
\n}}'),(5998,'Issue',332,15,'T1003'),(5999,'Issue',333,1,'Malicious Named Pipe'),(6000,'Issue',333,2,'Florian Roth'),(6001,'Issue',333,8,'Various sources'),(6002,'Issue',333,10,'critical'),(6003,'Issue',333,13,'community'),(6004,'Issue',333,14,'windows'),(6006,'Issue',333,11,'192999425'),(6007,'Issue',333,12,'fe3ac066-98bb-432a-b1e7-a5229cb39d4a'),(6008,'Issue',333,16,'win-sysmon'),(6009,'Issue',333,17,''),(6010,'Issue',333,7,''),(6011,'Issue',333,3,'Detects the creation of a named pipe used by known APT malware'),(6012,'Issue',333,4,''),(6013,'Issue',333,5,'_False Positives_\nUnkown'),(6014,'Issue',333,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:(\"17\" OR \"18\") AND event_data.PipeName.keyword:(\\\\isapi_http OR \\\\isapi_dg OR \\\\isapi_dg2 OR \\\\sdlrpc OR \\\\ahexec OR \\\\winsession OR \\\\lsassw OR \\\\46a676ab7f179e511e30dd2dc41bd388 OR \\\\9f81f59bc58452127884ce513865ed20 OR \\\\e710f28d59aa529d6792ca6ff0ca1b34 OR \\\\rpchlp_3 OR \\\\NamePipe_MoreWindows OR \\\\pcheap_reuse OR \\\\msagent_* OR \\\\gruntsvc))\nindex: so-*\nname: Malicious Named Pipe\npriority: 1\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(6015,'Issue',333,9,'{{collapse(View Sigma)\n\n\ntitle: Malicious Named Pipe\nid: fe3ac066-98bb-432a-b1e7-a5229cb39d4a\nstatus: experimental\ndescription: Detects the creation of a named pipe used by known APT malware\nreferences:\n- Various sources\ndate: 2017/11/06\nauthor: Florian Roth\nlogsource:\n product: windows\n service: sysmon\n definition: Note that you have to configure logging for PipeEvents in Symson config\ndetection:\n selection:\n EventID:\n - 17\n - 18\n PipeName:\n - \\isapi_http\n - \\isapi_dg\n - \\isapi_dg2\n - \\sdlrpc\n - \\ahexec\n - \\winsession\n - \\lsassw\n - \\46a676ab7f179e511e30dd2dc41bd388\n - \\9f81f59bc58452127884ce513865ed20\n - \\e710f28d59aa529d6792ca6ff0ca1b34\n - \\rpchlp_3\n - \\NamePipe_MoreWindows\n - \\pcheap_reuse\n - \\msagent_*\n - \\gruntsvc\n condition: selection\ntags:\n- attack.defense_evasion\n- attack.privilege_escalation\n- attack.t1055\nfalsepositives:\n- Unkown\nlevel: critical\n\n
\n}}'),(6016,'Issue',333,15,'T1055'),(6017,'Issue',334,1,'Suspicious Typical Malware Back Connect Ports'),(6018,'Issue',334,2,'Florian Roth'),(6019,'Issue',334,8,'https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo'),(6020,'Issue',334,10,'medium'),(6021,'Issue',334,13,'community'),(6022,'Issue',334,14,'windows'),(6024,'Issue',334,11,'1e14702d5'),(6025,'Issue',334,12,'4b89abaa-99fe-4232-afdd-8f9aa4d20382'),(6026,'Issue',334,16,'win-sysmon'),(6027,'Issue',334,17,''),(6028,'Issue',334,7,''),(6029,'Issue',334,3,'Detects programs that connect to typical malware back connect ports based on statistical analysis from two different sandbox system databases'),(6030,'Issue',334,4,''),(6031,'Issue',334,5,'_False Positives_\nunknown'),(6032,'Issue',334,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (event.code:\"3\" AND event_data.Initiated:\"true\" AND destination_port:(\"4443\" OR \"2448\" OR \"8143\" OR \"1777\" OR \"1443\" OR \"243\" OR \"65535\" OR \"13506\" OR \"3360\" OR \"200\" OR \"198\" OR \"49180\" OR \"13507\" OR \"6625\" OR \"4444\" OR \"4438\" OR \"1904\" OR \"13505\" OR \"13504\" OR \"12102\" OR \"9631\" OR \"5445\" OR \"2443\" OR \"777\" OR \"13394\" OR \"13145\" OR \"12103\" OR \"5552\" OR \"3939\" OR \"3675\" OR \"666\" OR \"473\" OR \"5649\" OR \"4455\" OR \"4433\" OR \"1817\" OR \"100\" OR \"65520\" OR \"1960\" OR \"1515\" OR \"743\" OR \"700\" OR \"14154\" OR \"14103\" OR \"14102\" OR \"12322\" OR \"10101\" OR \"7210\" OR \"4040\" OR \"9943\")) AND (NOT ((event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (process.executable.keyword:*\\\\Program\\ Files* OR (destination_ip.keyword:(10.* OR 192.168.* OR 172.16.* OR 172.17.* OR 172.18.* OR 172.19.* OR 172.20.* OR 172.21.* OR 172.22.* OR 172.23.* OR 172.24.* OR 172.25.* OR 172.26.* OR 172.27.* OR 172.28.* OR 172.29.* OR 172.30.* OR 172.31.* OR 127.*) AND event_data.DestinationIsIpv6:\"false\"))))))\nindex: so-*\nname: Suspicious Typical Malware Back Connect Ports\npriority: 3\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(6033,'Issue',334,9,'{{collapse(View Sigma)\n\n\ntitle: Suspicious Typical Malware Back Connect Ports\nid: 4b89abaa-99fe-4232-afdd-8f9aa4d20382\nstatus: experimental\ndescription: Detects programs that connect to typical malware back connect ports based\n on statistical analysis from two different sandbox system databases\nreferences:\n- https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo\nauthor: Florian Roth\ndate: 2017/03/19\ntags:\n- attack.command_and_control\n- attack.t1043\nlogsource:\n product: windows\n service: sysmon\n definition: \'Use the following config to generate the necessary Event ID 10 Process\n Access events: VBE7.DLLUNKNOWN\'\ndetection:\n selection:\n EventID: 3\n Initiated: \'true\'\n DestinationPort:\n - \'4443\'\n - \'2448\'\n - \'8143\'\n - \'1777\'\n - \'1443\'\n - \'243\'\n - \'65535\'\n - \'13506\'\n - \'3360\'\n - \'200\'\n - \'198\'\n - \'49180\'\n - \'13507\'\n - \'6625\'\n - \'4444\'\n - \'4438\'\n - \'1904\'\n - \'13505\'\n - \'13504\'\n - \'12102\'\n - \'9631\'\n - \'5445\'\n - \'2443\'\n - \'777\'\n - \'13394\'\n - \'13145\'\n - \'12103\'\n - \'5552\'\n - \'3939\'\n - \'3675\'\n - \'666\'\n - \'473\'\n - \'5649\'\n - \'4455\'\n - \'4433\'\n - \'1817\'\n - \'100\'\n - \'65520\'\n - \'1960\'\n - \'1515\'\n - \'743\'\n - \'700\'\n - \'14154\'\n - \'14103\'\n - \'14102\'\n - \'12322\'\n - \'10101\'\n - \'7210\'\n - \'4040\'\n - \'9943\'\n filter1:\n Image: \'*\\Program Files*\'\n filter2:\n DestinationIp:\n - 10.*\n - 192.168.*\n - 172.16.*\n - 172.17.*\n - 172.18.*\n - 172.19.*\n - 172.20.*\n - 172.21.*\n - 172.22.*\n - 172.23.*\n - 172.24.*\n - 172.25.*\n - 172.26.*\n - 172.27.*\n - 172.28.*\n - 172.29.*\n - 172.30.*\n - 172.31.*\n - 127.*\n DestinationIsIpv6: \'false\'\n condition: selection and not ( filter1 or filter2 )\nfalsepositives:\n- unknown\nlevel: medium\n\n
\n}}'),(6034,'Issue',334,15,'T1043'),(6035,'Issue',335,1,'Malware Shellcode in Verclsid Target Process'),(6036,'Issue',335,2,'John Lambert (tech), Florian Roth (rule)'),(6037,'Issue',335,8,'https://twitter.com/JohnLaTwC/status/837743453039534080'),(6038,'Issue',335,10,'high'),(6039,'Issue',335,13,'community'),(6040,'Issue',335,14,'windows'),(6042,'Issue',335,11,'0ff3c02c6'),(6043,'Issue',335,12,'b7967e22-3d7e-409b-9ed5-cdae3f9243a1'),(6044,'Issue',335,16,'win-sysmon'),(6045,'Issue',335,17,''),(6046,'Issue',335,7,''),(6047,'Issue',335,3,'Detects a process access to verclsid.exe that injects shellcode from a Microsoft Office application / VBA macro'),(6048,'Issue',335,4,''),(6049,'Issue',335,5,'_False Positives_\nunknown'),(6050,'Issue',335,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (event.code:\"10\" AND event_data.TargetImage.keyword:*\\\\verclsid.exe AND event_data.GrantedAccess:\"0x1FFFFF\") AND (event_data.CallTrace.keyword:*|UNKNOWN\\(*VBE7.DLL* OR (event_data.SourceImage.keyword:*\\\\Microsoft\\ Office\\\\* AND event_data.CallTrace.keyword:*|UNKNOWN*)))\nindex: so-*\nname: Malware Shellcode in Verclsid Target Process\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(6051,'Issue',335,9,'{{collapse(View Sigma)\n\n\ntitle: Malware Shellcode in Verclsid Target Process\nid: b7967e22-3d7e-409b-9ed5-cdae3f9243a1\nstatus: experimental\ndescription: Detects a process access to verclsid.exe that injects shellcode from\n a Microsoft Office application / VBA macro\nreferences:\n- https://twitter.com/JohnLaTwC/status/837743453039534080\ntags:\n- attack.defense_evasion\n- attack.privilege_escalation\n- attack.t1055\nauthor: John Lambert (tech), Florian Roth (rule)\ndate: 2017/03/04\nlogsource:\n product: windows\n service: sysmon\n definition: \'Use the following config to generate the necessary Event ID 10 Process\n Access events: VBE7.DLLUNKNOWN\'\ndetection:\n selection:\n EventID: 10\n TargetImage: \'*\\verclsid.exe\'\n GrantedAccess: \'0x1FFFFF\'\n combination1:\n CallTrace: \'*|UNKNOWN(*VBE7.DLL*\'\n combination2:\n SourceImage: \'*\\Microsoft Office\\\\*\'\n CallTrace: \'*|UNKNOWN*\'\n condition: selection and 1 of combination*\nfalsepositives:\n- unknown\nlevel: high\n\n
\n}}'),(6052,'Issue',335,15,'T1055'),(6053,'Issue',336,1,'Mimikatz In-Memory'),(6054,'Issue',336,2,'none'),(6055,'Issue',336,8,'https://securityriskadvisors.com/blog/post/detecting-in-memory-mimikatz/'),(6056,'Issue',336,10,'medium'),(6057,'Issue',336,13,'community'),(6058,'Issue',336,14,'windows'),(6060,'Issue',336,11,'aa5743912'),(6061,'Issue',336,12,'c0478ead-5336-46c2-bd5e-b4c84bc3a36e'),(6062,'Issue',336,16,'win-sysmon'),(6063,'Issue',336,17,''),(6064,'Issue',336,7,''),(6065,'Issue',336,3,'Detects certain DLL loads when Mimikatz gets executed'),(6066,'Issue',336,4,''),(6067,'Issue',336,5,'_False Positives_\nunknown'),(6068,'Issue',336,6,'{{collapse(View ElastAlert Config)\n\n\n\n
\n}}'),(6069,'Issue',336,9,'{{collapse(View Sigma)\n\n\ntitle: Mimikatz In-Memory\nid: c0478ead-5336-46c2-bd5e-b4c84bc3a36e\nstatus: experimental\ndescription: Detects certain DLL loads when Mimikatz gets executed\nreferences:\n- https://securityriskadvisors.com/blog/post/detecting-in-memory-mimikatz/\ntags:\n- attack.s0002\n- attack.t1003\n- attack.lateral_movement\n- attack.credential_access\n- car.2019-04-004\nlogsource:\n product: windows\n service: sysmon\ndate: 2017/03/13\ndetection:\n selector:\n EventID: 7\n Image: C:\\Windows\\System32\\rundll32.exe\n dllload1:\n ImageLoaded: \'*\\vaultcli.dll\'\n dllload2:\n ImageLoaded: \'*\\wlanapi.dll\'\n exclusion:\n ImageLoaded:\n - ntdsapi.dll\n - netapi32.dll\n - imm32.dll\n - samlib.dll\n - combase.dll\n - srvcli.dll\n - shcore.dll\n - ntasn1.dll\n - cryptdll.dll\n - logoncli.dll\n timeframe: 30s\n condition: selector | near dllload1 and dllload2 and not exclusion\nfalsepositives:\n- unknown\nlevel: medium\n\n
\n}}'),(6070,'Issue',336,15,'T1003'),(6071,'Issue',337,1,'Mimikatz through Windows Remote Management'),(6072,'Issue',337,2,'Patryk Prauze - ING Tech'),(6073,'Issue',337,8,'https://pentestlab.blog/2018/05/15/lateral-movement-winrm/'),(6074,'Issue',337,10,'high'),(6075,'Issue',337,13,'community'),(6076,'Issue',337,14,'windows'),(6078,'Issue',337,11,'e1af444f5'),(6079,'Issue',337,12,'aa35a627-33fb-4d04-a165-d33b4afca3e8'),(6080,'Issue',337,16,'win-sysmon'),(6081,'Issue',337,17,''),(6082,'Issue',337,7,''),(6083,'Issue',337,3,'Detects usage of mimikatz through WinRM protocol by monitoring access to lsass process by wsmprovhost.exe.'),(6084,'Issue',337,4,''),(6085,'Issue',337,5,'_False Positives_\nlow'),(6086,'Issue',337,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"10\" AND event_data.TargetImage:\"C\\:\\\\windows\\\\system32\\\\lsass.exe\" AND event_data.SourceImage:\"C\\:\\\\Windows\\\\system32\\\\wsmprovhost.exe\")\nindex: so-*\nname: Mimikatz through Windows Remote Management\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(6087,'Issue',337,9,'{{collapse(View Sigma)\n\n\ntitle: Mimikatz through Windows Remote Management\nid: aa35a627-33fb-4d04-a165-d33b4afca3e8\ndescription: Detects usage of mimikatz through WinRM protocol by monitoring access\n to lsass process by wsmprovhost.exe.\nreferences:\n- https://pentestlab.blog/2018/05/15/lateral-movement-winrm/\nstatus: stable\nauthor: Patryk Prauze - ING Tech\ndate: 2019/05/20\nlogsource:\n product: windows\n service: sysmon\ndetection:\n selection:\n EventID: 10\n TargetImage: C:\\windows\\system32\\lsass.exe\n SourceImage: C:\\Windows\\system32\\wsmprovhost.exe\n condition: selection\ntags:\n- attack.credential_access\n- attack.execution\n- attack.t1003\n- attack.t1028\n- attack.s0005\nfalsepositives:\n- low\nlevel: high\n\n
\n}}'),(6088,'Issue',337,15,'T1003'),(6089,'Issue',337,15,'T1028'),(6090,'Issue',338,1,'Dumping Lsass.exe Memory with MiniDumpWriteDump API'),(6091,'Issue',338,2,'Perez Diego (@darkquassar), oscd.community'),(6092,'Issue',338,8,'https://docs.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpapiset-minidumpwritedump\nhttps://www.pinvoke.net/default.aspx/dbghelp/MiniDumpWriteDump.html\nhttps://medium.com/@fsx30/bypass-edrs-memory-protection-introduction-to-hooking-2efb21acffd6'),(6093,'Issue',338,10,'critical'),(6094,'Issue',338,13,'community'),(6095,'Issue',338,14,'windows'),(6097,'Issue',338,11,'465ca35d4'),(6098,'Issue',338,12,'dd5ab153-beaa-4315-9647-65abc5f71541'),(6099,'Issue',338,16,'win-sysmon'),(6100,'Issue',338,17,''),(6101,'Issue',338,7,''),(6102,'Issue',338,3,'Detects the use of MiniDumpWriteDump API for dumping lsass.exe memory in a stealth way. Tools like ProcessHacker and some attacker tradecract use this API found in dbghelp.dll or dbgcore.dll. As an example, SilentTrynity C2 Framework has a module that leverages this API to dump the contents of Lsass.exe and transfer it over the network back to the attacker\'s machine.'),(6103,'Issue',338,4,''),(6104,'Issue',338,5,'_False Positives_\nPenetration tests\n\n_Interesting Log Fields_\nComputerName\nUser\nImage\nImageLoaded'),(6105,'Issue',338,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (((event.code:\"7\" AND event_data.ImageLoaded.keyword:(*\\\\dbghelp.dll OR *\\\\dbgcore.dll) AND process.executable.keyword:(*\\\\msbuild.exe OR *\\\\cmd.exe OR *\\\\svchost.exe OR *\\\\rundll32.exe OR *\\\\powershell.exe OR *\\\\word.exe OR *\\\\excel.exe OR *\\\\powerpnt.exe OR *\\\\outlook.exe OR *\\\\monitoringhost.exe OR *\\\\wmic.exe OR *\\\\msiexec.exe OR *\\\\bash.exe OR *\\\\wscript.exe OR *\\\\cscript.exe OR *\\\\mshta.exe OR *\\\\regsvr32.exe OR *\\\\schtasks.exe OR *\\\\dnx.exe OR *\\\\regsvcs.exe OR *\\\\sc.exe OR *\\\\scriptrunner.exe)) AND (NOT (process.executable.keyword:*Visual\\ Studio*))) OR ((event.code:\"7\" AND event_data.ImageLoaded.keyword:(*\\\\dbghelp.dll OR *\\\\dbgcore.dll) AND Signed:\"FALSE\") AND (NOT (process.executable.keyword:*Visual\\ Studio*)))))\nindex: so-*\nname: Dumping Lsass.exe Memory with MiniDumpWriteDump API\npriority: 1\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(6106,'Issue',338,9,'{{collapse(View Sigma)\n\n\ntitle: Dumping Lsass.exe Memory with MiniDumpWriteDump API\nid: dd5ab153-beaa-4315-9647-65abc5f71541\nstatus: experimental\ndescription: Detects the use of MiniDumpWriteDump API for dumping lsass.exe memory\n in a stealth way. Tools like ProcessHacker and some attacker tradecract use this\n API found in dbghelp.dll or dbgcore.dll. As an example, SilentTrynity C2 Framework\n has a module that leverages this API to dump the contents of Lsass.exe and transfer\n it over the network back to the attacker\'s machine.\ndate: 2019/10/27\nmodified: 2019/11/13\nauthor: Perez Diego (@darkquassar), oscd.community\nreferences:\n- https://docs.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpapiset-minidumpwritedump\n- https://www.pinvoke.net/default.aspx/dbghelp/MiniDumpWriteDump.html\n- https://medium.com/@fsx30/bypass-edrs-memory-protection-introduction-to-hooking-2efb21acffd6\ntags:\n- attack.credential_access\n- attack.t1003\nlogsource:\n product: windows\n service: sysmon\ndetection:\n signedprocess:\n EventID: 7\n ImageLoaded|endswith:\n - \\dbghelp.dll\n - \\dbgcore.dll\n Image|endswith:\n - \\msbuild.exe\n - \\cmd.exe\n - \\svchost.exe\n - \\rundll32.exe\n - \\powershell.exe\n - \\word.exe\n - \\excel.exe\n - \\powerpnt.exe\n - \\outlook.exe\n - \\monitoringhost.exe\n - \\wmic.exe\n - \\msiexec.exe\n - \\bash.exe\n - \\wscript.exe\n - \\cscript.exe\n - \\mshta.exe\n - \\regsvr32.exe\n - \\schtasks.exe\n - \\dnx.exe\n - \\regsvcs.exe\n - \\sc.exe\n - \\scriptrunner.exe\n unsignedprocess:\n EventID: 7\n ImageLoaded|endswith:\n - \\dbghelp.dll\n - \\dbgcore.dll\n Signed: \'FALSE\'\n filter:\n Image|contains: Visual Studio\n condition: (signedprocess AND NOT filter) OR (unsignedprocess AND NOT filter)\nfields:\n- ComputerName\n- User\n- Image\n- ImageLoaded\nfalsepositives:\n- Penetration tests\nlevel: critical\n\n
\n}}'),(6107,'Issue',338,15,'T1003'),(6108,'Issue',339,1,'Narrator\'s Feedback-Hub Persistence'),(6109,'Issue',339,2,'Dmitriy Lifanov, oscd.community'),(6110,'Issue',339,8,'https://giuliocomi.blogspot.com/2019/10/abusing-windows-10-narrators-feedback.html'),(6111,'Issue',339,10,'high'),(6112,'Issue',339,13,'community'),(6113,'Issue',339,14,'windows'),(6115,'Issue',339,11,'cfdda5bc0'),(6116,'Issue',339,12,'f663a6d9-9d1b-49b8-b2b1-0637914d199a'),(6117,'Issue',339,16,'win-sysmon'),(6118,'Issue',339,17,''),(6119,'Issue',339,7,''),(6120,'Issue',339,3,'Detects abusing Windows 10 Narrator\'s Feedback-Hub'),(6121,'Issue',339,4,''),(6122,'Issue',339,5,'_False Positives_\nunknown'),(6123,'Issue',339,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND ((event.code:\"12\" AND event_data.EventType:\"DeleteValue\" AND event_data.TargetObject.keyword:*\\\\AppXypsaf9f1qserqevf0sws76dx4k9a5206\\\\Shell\\\\open\\\\command\\\\DelegateExecute) OR (event.code:\"13\" AND event_data.TargetObject.keyword:*\\\\AppXypsaf9f1qserqevf0sws76dx4k9a5206\\\\Shell\\\\open\\\\command\\\\\\(Default\\))))\nindex: so-*\nname: Narrator\'s Feedback-Hub Persistence\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(6124,'Issue',339,9,'{{collapse(View Sigma)\n\n\ntitle: Narrator\'s Feedback-Hub Persistence\nid: f663a6d9-9d1b-49b8-b2b1-0637914d199a\ndescription: Detects abusing Windows 10 Narrator\'s Feedback-Hub\nreferences:\n- https://giuliocomi.blogspot.com/2019/10/abusing-windows-10-narrators-feedback.html\ntags:\n- attack.persistence\n- attack.t1060\nauthor: Dmitriy Lifanov, oscd.community\nstatus: experimental\ndate: 2019/10/25\nmodified: 2019/11/10\nlogsource:\n product: windows\n service: sysmon\ndetection:\n selection1:\n EventID: 12\n EventType: DeleteValue\n TargetObject|endswith: \\AppXypsaf9f1qserqevf0sws76dx4k9a5206\\Shell\\open\\command\\DelegateExecute\n selection2:\n EventID: 13\n TargetObject|endswith: \\AppXypsaf9f1qserqevf0sws76dx4k9a5206\\Shell\\open\\command\\(Default)\n condition: 1 of them\nfalsepositives:\n- unknown\nlevel: high\n\n
\n}}'),(6125,'Issue',339,15,'T1060'),(6126,'Issue',340,1,'New DLL Added to AppCertDlls Registry Key'),(6127,'Issue',340,2,'Ilyas Ochkov, oscd.community'),(6128,'Issue',340,8,'http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/\nhttps://eqllib.readthedocs.io/en/latest/analytics/14f90406-10a0-4d36-a672-31cabe149f2f.html'),(6129,'Issue',340,10,'medium'),(6130,'Issue',340,13,'community'),(6131,'Issue',340,14,'windows'),(6133,'Issue',340,11,'c62e6aeb2'),(6134,'Issue',340,12,'6aa1d992-5925-4e9f-a49b-845e51d1de01'),(6135,'Issue',340,16,'win-sysmon'),(6136,'Issue',340,17,''),(6137,'Issue',340,7,''),(6138,'Issue',340,3,'Dynamic-link libraries (DLLs) that are specified in the AppCertDLLs value in the Registry key can be abused to obtain persistence and privilege escalation by causing a malicious DLL to be loaded and run in the context of separate processes on the computer.'),(6139,'Issue',340,4,''),(6140,'Issue',340,5,'_False Positives_\nUnkown\n\n_Interesting Log Fields_\nEventID\nImage\nTargetObject\nNewName'),(6141,'Issue',340,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND ((event.code:(\"12\" OR \"13\") AND event_data.TargetObject:\"HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Session\\ Manager\\\\AppCertDlls\") OR (event.code:\"14\" AND NewName:\"HKLM\\\\SYSTEM\\\\CurentControlSet\\\\Control\\\\Session\\ Manager\\\\AppCertDlls\")))\nindex: so-*\nname: New DLL Added to AppCertDlls Registry Key\npriority: 3\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(6142,'Issue',340,9,'{{collapse(View Sigma)\n\n\ntitle: New DLL Added to AppCertDlls Registry Key\nid: 6aa1d992-5925-4e9f-a49b-845e51d1de01\nstatus: experimental\ndescription: Dynamic-link libraries (DLLs) that are specified in the AppCertDLLs value\n in the Registry key can be abused to obtain persistence and privilege escalation\n by causing a malicious DLL to be loaded and run in the context of separate processes\n on the computer.\nreferences:\n- http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/\n- https://eqllib.readthedocs.io/en/latest/analytics/14f90406-10a0-4d36-a672-31cabe149f2f.html\ntags:\n- attack.persistence\n- attack.t1182\nauthor: Ilyas Ochkov, oscd.community\ndate: 2019/10/25\nmodified: 2019/11/13\nlogsource:\n product: windows\n service: sysmon\ndetection:\n selection:\n - EventID:\n - 12\n - 13\n TargetObject: HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\AppCertDlls\n - EventID: 14\n NewName: HKLM\\SYSTEM\\CurentControlSet\\Control\\Session Manager\\AppCertDlls\n condition: selection\nfields:\n- EventID\n- Image\n- TargetObject\n- NewName\nfalsepositives:\n- Unkown\nlevel: medium\n\n
\n}}'),(6143,'Issue',340,15,'T1182'),(6144,'Issue',341,1,'New DLL Added to AppInit_DLLs Registry Key'),(6145,'Issue',341,2,'Ilyas Ochkov, oscd.community'),(6146,'Issue',341,8,'https://eqllib.readthedocs.io/en/latest/analytics/822dc4c5-b355-4df8-bd37-29c458997b8f.html'),(6147,'Issue',341,10,'medium'),(6148,'Issue',341,13,'community'),(6149,'Issue',341,14,'windows'),(6151,'Issue',341,11,'2c5115a75'),(6152,'Issue',341,12,'4f84b697-c9ed-4420-8ab5-e09af5b2345d'),(6153,'Issue',341,16,'win-sysmon'),(6154,'Issue',341,17,''),(6155,'Issue',341,7,''),(6156,'Issue',341,3,'DLLs that are specified in the AppInit_DLLs value in the Registry key HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows are loaded by user32.dll into every process that loads user32.dll'),(6157,'Issue',341,4,''),(6158,'Issue',341,5,'_False Positives_\nUnkown\n\n_Interesting Log Fields_\nEventID\nImage\nTargetObject\nNewName'),(6159,'Issue',341,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND ((event.code:(\"12\" OR \"13\") AND event_data.TargetObject.keyword:(*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\ NT\\\\CurrentVersion\\\\Windows\\\\AppInit_Dlls OR *\\\\SOFTWARE\\\\Wow6432Node\\\\Microsoft\\\\Windows\\ NT\\\\CurrentVersion\\\\Windows\\\\AppInit_Dlls)) OR (event.code:\"14\" AND NewName.keyword:(*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\ NT\\\\CurrentVersion\\\\Windows\\\\AppInit_Dlls OR *\\\\SOFTWARE\\\\Wow6432Node\\\\Microsoft\\\\Windows\\ NT\\\\CurrentVersion\\\\Windows\\\\AppInit_Dlls))))\nindex: so-*\nname: New DLL Added to AppInit_DLLs Registry Key\npriority: 3\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(6160,'Issue',341,9,'{{collapse(View Sigma)\n\n\ntitle: New DLL Added to AppInit_DLLs Registry Key\nid: 4f84b697-c9ed-4420-8ab5-e09af5b2345d\nstatus: experimental\ndescription: DLLs that are specified in the AppInit_DLLs value in the Registry key\n HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows are loaded by user32.dll\n into every process that loads user32.dll\nreferences:\n- https://eqllib.readthedocs.io/en/latest/analytics/822dc4c5-b355-4df8-bd37-29c458997b8f.html\ntags:\n- attack.persistence\n- attack.t1103\nauthor: Ilyas Ochkov, oscd.community\ndate: 2019/10/25\nmodified: 2019/11/13\nlogsource:\n product: windows\n service: sysmon\ndetection:\n selection:\n - EventID:\n - 12\n - 13\n TargetObject:\n - \'*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppInit_Dlls\'\n - \'*\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppInit_Dlls\'\n - EventID: 14\n NewName:\n - \'*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppInit_Dlls\'\n - \'*\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppInit_Dlls\'\n condition: selection\nfields:\n- EventID\n- Image\n- TargetObject\n- NewName\nfalsepositives:\n- Unkown\nlevel: medium\n\n
\n}}'),(6161,'Issue',341,15,'T1103'),(6162,'Issue',342,1,'Password Dumper Remote Thread in LSASS'),(6163,'Issue',342,2,'Thomas Patzke'),(6164,'Issue',342,8,'https://jpcertcc.github.io/ToolAnalysisResultSheet/details/WCE.htm'),(6165,'Issue',342,10,'high'),(6166,'Issue',342,13,'community'),(6167,'Issue',342,14,'windows'),(6169,'Issue',342,11,'5c5659709'),(6170,'Issue',342,12,'f239b326-2f41-4d6b-9dfa-c846a60ef505'),(6171,'Issue',342,16,'win-sysmon'),(6172,'Issue',342,17,''),(6173,'Issue',342,7,''),(6174,'Issue',342,3,'Detects password dumper activity by monitoring remote thread creation EventID 8 in combination with the lsass.exe process as TargetImage. The process in field Process is the malicious program. A single execution can lead to hundreds of events.'),(6175,'Issue',342,4,''),(6176,'Issue',342,5,'_False Positives_\nunknown'),(6177,'Issue',342,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"8\" AND event_data.TargetImage:\"C\\:\\\\Windows\\\\System32\\\\lsass.exe\" AND NOT _exists_:event_data.StartModule)\nindex: so-*\nname: Password Dumper Remote Thread in LSASS\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(6178,'Issue',342,9,'{{collapse(View Sigma)\n\n\ntitle: Password Dumper Remote Thread in LSASS\nid: f239b326-2f41-4d6b-9dfa-c846a60ef505\ndescription: Detects password dumper activity by monitoring remote thread creation\n EventID 8 in combination with the lsass.exe process as TargetImage. The process\n in field Process is the malicious program. A single execution can lead to hundreds\n of events.\nreferences:\n- https://jpcertcc.github.io/ToolAnalysisResultSheet/details/WCE.htm\nstatus: stable\nauthor: Thomas Patzke\ndate: 2017/02/19\nlogsource:\n product: windows\n service: sysmon\ndetection:\n selection:\n EventID: 8\n TargetImage: C:\\Windows\\System32\\lsass.exe\n StartModule:\n condition: selection\ntags:\n- attack.credential_access\n- attack.t1003\n- attack.s0005\nfalsepositives:\n- unknown\nlevel: high\n\n
\n}}'),(6179,'Issue',342,15,'T1003'),(6180,'Issue',343,1,'Possible DNS Rebinding'),(6181,'Issue',343,2,'Ilyas Ochkov, oscd.community'),(6182,'Issue',343,8,'https://medium.com/@brannondorsey/attacking-private-networks-from-the-internet-with-dns-rebinding-ea7098a2d325'),(6183,'Issue',343,10,'medium'),(6184,'Issue',343,13,'community'),(6185,'Issue',343,14,'windows'),(6187,'Issue',343,11,'238493844'),(6188,'Issue',343,12,'eb07e747-2552-44cd-af36-b659ae0958e4'),(6189,'Issue',343,16,'win-sysmon'),(6190,'Issue',343,17,''),(6191,'Issue',343,7,''),(6192,'Issue',343,3,'Detects several different DNS-answers by one domain with IPs from internal and external networks. Normally, DNS-answer contain TTL >100. (DNS-record will saved in host cache for a while TTL).'),(6193,'Issue',343,4,''),(6194,'Issue',343,5,'_False Positives_\n Unknown'),(6195,'Issue',343,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"22\" AND QueryName.keyword:* AND QueryStatus:\"0\" AND QueryResults.keyword:(\\(\\:\\:ffff\\:\\)?10.* OR \\(\\:\\:ffff\\:\\)?192.168.* OR \\(\\:\\:ffff\\:\\)?172.16.* OR \\(\\:\\:ffff\\:\\)?172.17.* OR \\(\\:\\:ffff\\:\\)?172.18.* OR \\(\\:\\:ffff\\:\\)?172.19.* OR \\(\\:\\:ffff\\:\\)?172.20.* OR \\(\\:\\:ffff\\:\\)?172.21.* OR \\(\\:\\:ffff\\:\\)?172.22.* OR \\(\\:\\:ffff\\:\\)?172.23.* OR \\(\\:\\:ffff\\:\\)?172.24.* OR \\(\\:\\:ffff\\:\\)?172.25.* OR \\(\\:\\:ffff\\:\\)?172.26.* OR \\(\\:\\:ffff\\:\\)?172.27.* OR \\(\\:\\:ffff\\:\\)?172.28.* OR \\(\\:\\:ffff\\:\\)?172.29.* OR \\(\\:\\:ffff\\:\\)?172.30.* OR \\(\\:\\:ffff\\:\\)?172.31.* OR \\(\\:\\:ffff\\:\\)?127.*) AND (event.code:\"22\" AND QueryName.keyword:* AND QueryStatus:\"0\") AND (NOT (QueryResults.keyword:(\\(\\:\\:ffff\\:\\)?10.* OR \\(\\:\\:ffff\\:\\)?192.168.* OR \\(\\:\\:ffff\\:\\)?172.16.* OR \\(\\:\\:ffff\\:\\)?172.17.* OR \\(\\:\\:ffff\\:\\)?172.18.* OR \\(\\:\\:ffff\\:\\)?172.19.* OR \\(\\:\\:ffff\\:\\)?172.20.* OR \\(\\:\\:ffff\\:\\)?172.21.* OR \\(\\:\\:ffff\\:\\)?172.22.* OR \\(\\:\\:ffff\\:\\)?172.23.* OR \\(\\:\\:ffff\\:\\)?172.24.* OR \\(\\:\\:ffff\\:\\)?172.25.* OR \\(\\:\\:ffff\\:\\)?172.26.* OR \\(\\:\\:ffff\\:\\)?172.27.* OR \\(\\:\\:ffff\\:\\)?172.28.* OR \\(\\:\\:ffff\\:\\)?172.29.* OR \\(\\:\\:ffff\\:\\)?172.30.* OR \\(\\:\\:ffff\\:\\)?172.31.* OR \\(\\:\\:ffff\\:\\)?127.*))))\nindex: so-*\nmax_threshold: 3\nmetric_agg_key: QueryName.keyword\nmetric_agg_type: cardinality\nname: Possible DNS Rebinding\npriority: 3\nquery_key: event_data.ComputerName.keyword\nrealert:\n minutes: 0\ntype: metric_aggregation\n
\n}}'),(6196,'Issue',343,9,'{{collapse(View Sigma)\n\n\ntitle: Possible DNS Rebinding\nid: eb07e747-2552-44cd-af36-b659ae0958e4\nstatus: experimental\ndescription: Detects several different DNS-answers by one domain with IPs from internal\n and external networks. Normally, DNS-answer contain TTL >100. (DNS-record will saved\n in host cache for a while TTL).\ndate: 2019/10/25\nmodified: 2019/11/13\nauthor: Ilyas Ochkov, oscd.community\nreferences:\n- https://medium.com/@brannondorsey/attacking-private-networks-from-the-internet-with-dns-rebinding-ea7098a2d325\ntags:\n- attack.command_and_control\n- attack.t1043\nlogsource:\n product: windows\n service: sysmon\ndetection:\n dns_answer:\n EventID: 22\n QueryName: \'*\'\n QueryStatus: \'0\'\n filter_int_ip:\n QueryResults|startswith:\n - (::ffff:)?10.\n - (::ffff:)?192.168.\n - (::ffff:)?172.16.\n - (::ffff:)?172.17.\n - (::ffff:)?172.18.\n - (::ffff:)?172.19.\n - (::ffff:)?172.20.\n - (::ffff:)?172.21.\n - (::ffff:)?172.22.\n - (::ffff:)?172.23.\n - (::ffff:)?172.24.\n - (::ffff:)?172.25.\n - (::ffff:)?172.26.\n - (::ffff:)?172.27.\n - (::ffff:)?172.28.\n - (::ffff:)?172.29.\n - (::ffff:)?172.30.\n - (::ffff:)?172.31.\n - (::ffff:)?127.\n timeframe: 30s\n condition: (dns_answer and filter_int_ip) and (dns_answer and not filter_int_ip)\n | count(QueryName) by ComputerName > 3\nlevel: medium\n\n
\n}}'),(6197,'Issue',343,15,'T1043'),(6198,'Issue',344,1,'Possible Privilege Escalation via Service Permissions Weakness'),(6199,'Issue',344,2,'Teymur Kheirkhabarov'),(6200,'Issue',344,8,'https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment\nhttps://pentestlab.blog/2017/03/31/insecure-registry-permissions/'),(6201,'Issue',344,10,'high'),(6202,'Issue',344,13,'community'),(6203,'Issue',344,14,'windows'),(6205,'Issue',344,11,'ca6038e23'),(6206,'Issue',344,12,'0f9c21f1-6a73-4b0e-9809-cb562cb8d981'),(6207,'Issue',344,16,'win-sysmon'),(6208,'Issue',344,17,''),(6209,'Issue',344,7,''),(6210,'Issue',344,3,'Detect modification of services configuration (ImagePath, FailureCommand and ServiceDLL) in registry by processes with Medium integrity level'),(6211,'Issue',344,4,''),(6212,'Issue',344,5,'_False Positives_\nUnknown'),(6213,'Issue',344,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"13\" AND IntegrityLevel:\"Medium\" AND event_data.TargetObject.keyword:*\\\\services\\* AND event_data.TargetObject.keyword:(*\\\\ImagePath OR *\\\\FailureCommand OR *\\\\Parameters\\\\ServiceDll))\nindex: so-*\nname: Possible Privilege Escalation via Service Permissions Weakness\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(6214,'Issue',344,9,'{{collapse(View Sigma)\n\n\ntitle: Possible Privilege Escalation via Service Permissions Weakness\nid: 0f9c21f1-6a73-4b0e-9809-cb562cb8d981\ndescription: Detect modification of services configuration (ImagePath, FailureCommand\n and ServiceDLL) in registry by processes with Medium integrity level\nreferences:\n- https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment\n- https://pentestlab.blog/2017/03/31/insecure-registry-permissions/\ntags:\n- attack.privilege_escalation\n- attack.t1058\nstatus: experimental\nauthor: Teymur Kheirkhabarov\ndate: 2019/10/26\nmodified: 2019/11/11\nlogsource:\n product: windows\n service: sysmon\ndetection:\n selection:\n EventID: 13\n IntegrityLevel: Medium\n TargetObject|contains: \\services\\\n TargetObject|endswith:\n - \\ImagePath\n - \\FailureCommand\n - \\Parameters\\ServiceDll\n condition: selection\nfalsepositives:\n- Unknown\nlevel: high\nenrichment:\n- EN_0001_cache_sysmon_event_id_1_info\n- EN_0003_enrich_other_sysmon_events_with_event_id_1_data\n\n
\n}}'),(6215,'Issue',344,15,'T1058'),(6216,'Issue',345,1,'PowerShell Execution'),(6217,'Issue',345,2,'Roberto Rodriguez @Cyb3rWard0g'),(6218,'Issue',345,8,'https://github.com/hunters-forge/ThreatHunter-Playbook/blob/8869b7a58dba1cff63bae1d7ab923974b8c0539b/playbooks/WIN-190410151110.yaml'),(6219,'Issue',345,10,'medium'),(6220,'Issue',345,13,'community'),(6221,'Issue',345,14,'windows'),(6223,'Issue',345,11,'b785c06a3'),(6224,'Issue',345,12,'867613fb-fa60-4497-a017-a82df74a172c'),(6225,'Issue',345,16,'win-sysmon'),(6226,'Issue',345,17,''),(6227,'Issue',345,7,''),(6228,'Issue',345,3,'Detects execution of PowerShell'),(6229,'Issue',345,4,''),(6230,'Issue',345,5,'_False Positives_\nUnknown\n\n_Interesting Log Fields_\nComputerName\nImage\nProcessID\nImageLoaded'),(6231,'Issue',345,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"7\" AND process.pe.description:\"system.management.automation\" AND event_data.ImageLoaded.keyword:*system.management.automation*)\nindex: so-*\nname: PowerShell Execution\npriority: 3\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(6232,'Issue',345,9,'{{collapse(View Sigma)\n\n\ntitle: PowerShell Execution\nid: 867613fb-fa60-4497-a017-a82df74a172c\ndescription: Detects execution of PowerShell\nstatus: experimental\ndate: 2019/09/12\nmodified: 2019/11/10\nauthor: Roberto Rodriguez @Cyb3rWard0g\nreferences:\n- https://github.com/hunters-forge/ThreatHunter-Playbook/blob/8869b7a58dba1cff63bae1d7ab923974b8c0539b/playbooks/WIN-190410151110.yaml\nlogsource:\n product: windows\n service: sysmon\ntags:\n- attack.execution\n- attack.t1086\ndetection:\n selection:\n EventID: 7\n Description: system.management.automation\n ImageLoaded|contains: system.management.automation\n condition: selection\nfields:\n- ComputerName\n- Image\n- ProcessID\n- ImageLoaded\nfalsepositives:\n- Unknown\nlevel: medium\n\n
\n}}'),(6233,'Issue',345,15,'T1086'),(6234,'Issue',346,1,'Malicious PowerShell Commandlet Names'),(6235,'Issue',346,2,'Markus Neis'),(6236,'Issue',346,8,'https://raw.githubusercontent.com/Neo23x0/sigma/f35c50049fa896dff91ff545cb199319172701e8/rules/windows/powershell/powershell_malicious_commandlets.yml'),(6237,'Issue',346,10,'high'),(6238,'Issue',346,13,'community'),(6239,'Issue',346,14,'windows'),(6241,'Issue',346,11,'89b3e1259'),(6242,'Issue',346,12,'f331aa1f-8c53-4fc3-b083-cc159bc971cb'),(6243,'Issue',346,16,'win-sysmon'),(6244,'Issue',346,17,''),(6245,'Issue',346,7,''),(6246,'Issue',346,3,'Detects the creation of known powershell scripts for exploitation'),(6247,'Issue',346,4,''),(6248,'Issue',346,5,'_False Positives_\nPenetration Tests'),(6249,'Issue',346,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"11\" AND event_data.TargetFilename.keyword:(*\\\\Invoke\\-DllInjection.ps1 OR *\\\\Invoke\\-WmiCommand.ps1 OR *\\\\Get\\-GPPPassword.ps1 OR *\\\\Get\\-Keystrokes.ps1 OR *\\\\Get\\-VaultCredential.ps1 OR *\\\\Invoke\\-CredentialInjection.ps1 OR *\\\\Invoke\\-Mimikatz.ps1 OR *\\\\Invoke\\-NinjaCopy.ps1 OR *\\\\Invoke\\-TokenManipulation.ps1 OR *\\\\Out\\-Minidump.ps1 OR *\\\\VolumeShadowCopyTools.ps1 OR *\\\\Invoke\\-ReflectivePEInjection.ps1 OR *\\\\Get\\-TimedScreenshot.ps1 OR *\\\\Invoke\\-UserHunter.ps1 OR *\\\\Find\\-GPOLocation.ps1 OR *\\\\Invoke\\-ACLScanner.ps1 OR *\\\\Invoke\\-DowngradeAccount.ps1 OR *\\\\Get\\-ServiceUnquoted.ps1 OR *\\\\Get\\-ServiceFilePermission.ps1 OR *\\\\Get\\-ServicePermission.ps1 OR *\\\\Invoke\\-ServiceAbuse.ps1 OR *\\\\Install\\-ServiceBinary.ps1 OR *\\\\Get\\-RegAutoLogon.ps1 OR *\\\\Get\\-VulnAutoRun.ps1 OR *\\\\Get\\-VulnSchTask.ps1 OR *\\\\Get\\-UnattendedInstallFile.ps1 OR *\\\\Get\\-WebConfig.ps1 OR *\\\\Get\\-ApplicationHost.ps1 OR *\\\\Get\\-RegAlwaysInstallElevated.ps1 OR *\\\\Get\\-Unconstrained.ps1 OR *\\\\Add\\-RegBackdoor.ps1 OR *\\\\Add\\-ScrnSaveBackdoor.ps1 OR *\\\\Gupt\\-Backdoor.ps1 OR *\\\\Invoke\\-ADSBackdoor.ps1 OR *\\\\Enabled\\-DuplicateToken.ps1 OR *\\\\Invoke\\-PsUaCme.ps1 OR *\\\\Remove\\-Update.ps1 OR *\\\\Check\\-VM.ps1 OR *\\\\Get\\-LSASecret.ps1 OR *\\\\Get\\-PassHashes.ps1 OR *\\\\Show\\-TargetScreen.ps1 OR *\\\\Port\\-Scan.ps1 OR *\\\\Invoke\\-PoshRatHttp.ps1 OR *\\\\Invoke\\-PowerShellTCP.ps1 OR *\\\\Invoke\\-PowerShellWMI.ps1 OR *\\\\Add\\-Exfiltration.ps1 OR *\\\\Add\\-Persistence.ps1 OR *\\\\Do\\-Exfiltration.ps1 OR *\\\\Start\\-CaptureServer.ps1 OR *\\\\Invoke\\-ShellCode.ps1 OR *\\\\Get\\-ChromeDump.ps1 OR *\\\\Get\\-ClipboardContents.ps1 OR *\\\\Get\\-FoxDump.ps1 OR *\\\\Get\\-IndexedItem.ps1 OR *\\\\Get\\-Screenshot.ps1 OR *\\\\Invoke\\-Inveigh.ps1 OR *\\\\Invoke\\-NetRipper.ps1 OR *\\\\Invoke\\-EgressCheck.ps1 OR *\\\\Invoke\\-PostExfil.ps1 OR *\\\\Invoke\\-PSInject.ps1 OR *\\\\Invoke\\-RunAs.ps1 OR *\\\\MailRaider.ps1 OR *\\\\New\\-HoneyHash.ps1 OR *\\\\Set\\-MacAttribute.ps1 OR *\\\\Invoke\\-DCSync.ps1 OR *\\\\Invoke\\-PowerDump.ps1 OR *\\\\Exploit\\-Jboss.ps1 OR *\\\\Invoke\\-ThunderStruck.ps1 OR *\\\\Invoke\\-VoiceTroll.ps1 OR *\\\\Set\\-Wallpaper.ps1 OR *\\\\Invoke\\-InveighRelay.ps1 OR *\\\\Invoke\\-PsExec.ps1 OR *\\\\Invoke\\-SSHCommand.ps1 OR *\\\\Get\\-SecurityPackages.ps1 OR *\\\\Install\\-SSP.ps1 OR *\\\\Invoke\\-BackdoorLNK.ps1 OR *\\\\PowerBreach.ps1 OR *\\\\Get\\-SiteListPassword.ps1 OR *\\\\Get\\-System.ps1 OR *\\\\Invoke\\-BypassUAC.ps1 OR *\\\\Invoke\\-Tater.ps1 OR *\\\\Invoke\\-WScriptBypassUAC.ps1 OR *\\\\PowerUp.ps1 OR *\\\\PowerView.ps1 OR *\\\\Get\\-RickAstley.ps1 OR *\\\\Find\\-Fruit.ps1 OR *\\\\HTTP\\-Login.ps1 OR *\\\\Find\\-TrustedDocuments.ps1 OR *\\\\Invoke\\-Paranoia.ps1 OR *\\\\Invoke\\-WinEnum.ps1 OR *\\\\Invoke\\-ARPScan.ps1 OR *\\\\Invoke\\-PortScan.ps1 OR *\\\\Invoke\\-ReverseDNSLookup.ps1 OR *\\\\Invoke\\-SMBScanner.ps1 OR *\\\\Invoke\\-Mimikittenz.ps1))\nindex: so-*\nname: Malicious PowerShell Commandlet Names\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(6250,'Issue',346,9,'{{collapse(View Sigma)\n\n\ntitle: Malicious PowerShell Commandlet Names\nid: f331aa1f-8c53-4fc3-b083-cc159bc971cb\nstatus: experimental\ndescription: Detects the creation of known powershell scripts for exploitation\nreferences:\n- https://raw.githubusercontent.com/Neo23x0/sigma/f35c50049fa896dff91ff545cb199319172701e8/rules/windows/powershell/powershell_malicious_commandlets.yml\ntags:\n- attack.execution\n- attack.t1086\nauthor: Markus Neis\ndate: 2018/04/07\nlogsource:\n product: windows\n service: sysmon\ndetection:\n selection:\n EventID: 11\n TargetFilename:\n - \'*\\Invoke-DllInjection.ps1\'\n - \'*\\Invoke-WmiCommand.ps1\'\n - \'*\\Get-GPPPassword.ps1\'\n - \'*\\Get-Keystrokes.ps1\'\n - \'*\\Get-VaultCredential.ps1\'\n - \'*\\Invoke-CredentialInjection.ps1\'\n - \'*\\Invoke-Mimikatz.ps1\'\n - \'*\\Invoke-NinjaCopy.ps1\'\n - \'*\\Invoke-TokenManipulation.ps1\'\n - \'*\\Out-Minidump.ps1\'\n - \'*\\VolumeShadowCopyTools.ps1\'\n - \'*\\Invoke-ReflectivePEInjection.ps1\'\n - \'*\\Get-TimedScreenshot.ps1\'\n - \'*\\Invoke-UserHunter.ps1\'\n - \'*\\Find-GPOLocation.ps1\'\n - \'*\\Invoke-ACLScanner.ps1\'\n - \'*\\Invoke-DowngradeAccount.ps1\'\n - \'*\\Get-ServiceUnquoted.ps1\'\n - \'*\\Get-ServiceFilePermission.ps1\'\n - \'*\\Get-ServicePermission.ps1\'\n - \'*\\Invoke-ServiceAbuse.ps1\'\n - \'*\\Install-ServiceBinary.ps1\'\n - \'*\\Get-RegAutoLogon.ps1\'\n - \'*\\Get-VulnAutoRun.ps1\'\n - \'*\\Get-VulnSchTask.ps1\'\n - \'*\\Get-UnattendedInstallFile.ps1\'\n - \'*\\Get-WebConfig.ps1\'\n - \'*\\Get-ApplicationHost.ps1\'\n - \'*\\Get-RegAlwaysInstallElevated.ps1\'\n - \'*\\Get-Unconstrained.ps1\'\n - \'*\\Add-RegBackdoor.ps1\'\n - \'*\\Add-ScrnSaveBackdoor.ps1\'\n - \'*\\Gupt-Backdoor.ps1\'\n - \'*\\Invoke-ADSBackdoor.ps1\'\n - \'*\\Enabled-DuplicateToken.ps1\'\n - \'*\\Invoke-PsUaCme.ps1\'\n - \'*\\Remove-Update.ps1\'\n - \'*\\Check-VM.ps1\'\n - \'*\\Get-LSASecret.ps1\'\n - \'*\\Get-PassHashes.ps1\'\n - \'*\\Show-TargetScreen.ps1\'\n - \'*\\Port-Scan.ps1\'\n - \'*\\Invoke-PoshRatHttp.ps1\'\n - \'*\\Invoke-PowerShellTCP.ps1\'\n - \'*\\Invoke-PowerShellWMI.ps1\'\n - \'*\\Add-Exfiltration.ps1\'\n - \'*\\Add-Persistence.ps1\'\n - \'*\\Do-Exfiltration.ps1\'\n - \'*\\Start-CaptureServer.ps1\'\n - \'*\\Invoke-ShellCode.ps1\'\n - \'*\\Get-ChromeDump.ps1\'\n - \'*\\Get-ClipboardContents.ps1\'\n - \'*\\Get-FoxDump.ps1\'\n - \'*\\Get-IndexedItem.ps1\'\n - \'*\\Get-Screenshot.ps1\'\n - \'*\\Invoke-Inveigh.ps1\'\n - \'*\\Invoke-NetRipper.ps1\'\n - \'*\\Invoke-EgressCheck.ps1\'\n - \'*\\Invoke-PostExfil.ps1\'\n - \'*\\Invoke-PSInject.ps1\'\n - \'*\\Invoke-RunAs.ps1\'\n - \'*\\MailRaider.ps1\'\n - \'*\\New-HoneyHash.ps1\'\n - \'*\\Set-MacAttribute.ps1\'\n - \'*\\Invoke-DCSync.ps1\'\n - \'*\\Invoke-PowerDump.ps1\'\n - \'*\\Exploit-Jboss.ps1\'\n - \'*\\Invoke-ThunderStruck.ps1\'\n - \'*\\Invoke-VoiceTroll.ps1\'\n - \'*\\Set-Wallpaper.ps1\'\n - \'*\\Invoke-InveighRelay.ps1\'\n - \'*\\Invoke-PsExec.ps1\'\n - \'*\\Invoke-SSHCommand.ps1\'\n - \'*\\Get-SecurityPackages.ps1\'\n - \'*\\Install-SSP.ps1\'\n - \'*\\Invoke-BackdoorLNK.ps1\'\n - \'*\\PowerBreach.ps1\'\n - \'*\\Get-SiteListPassword.ps1\'\n - \'*\\Get-System.ps1\'\n - \'*\\Invoke-BypassUAC.ps1\'\n - \'*\\Invoke-Tater.ps1\'\n - \'*\\Invoke-WScriptBypassUAC.ps1\'\n - \'*\\PowerUp.ps1\'\n - \'*\\PowerView.ps1\'\n - \'*\\Get-RickAstley.ps1\'\n - \'*\\Find-Fruit.ps1\'\n - \'*\\HTTP-Login.ps1\'\n - \'*\\Find-TrustedDocuments.ps1\'\n - \'*\\Invoke-Paranoia.ps1\'\n - \'*\\Invoke-WinEnum.ps1\'\n - \'*\\Invoke-ARPScan.ps1\'\n - \'*\\Invoke-PortScan.ps1\'\n - \'*\\Invoke-ReverseDNSLookup.ps1\'\n - \'*\\Invoke-SMBScanner.ps1\'\n - \'*\\Invoke-Mimikittenz.ps1\'\n condition: selection\nfalsepositives:\n- Penetration Tests\nlevel: high\n\n
\n}}'),(6251,'Issue',346,15,'T1086'),(6252,'Issue',347,1,'PowerShell Network Connections'),(6253,'Issue',347,2,'Florian Roth'),(6254,'Issue',347,8,'https://www.youtube.com/watch?v=DLtJTxMWZ2o'),(6255,'Issue',347,10,'low'),(6256,'Issue',347,13,'community'),(6257,'Issue',347,14,'windows'),(6259,'Issue',347,11,'bdecf01db'),(6260,'Issue',347,12,'1f21ec3f-810d-4b0e-8045-322202e22b4b'),(6261,'Issue',347,16,'win-sysmon'),(6262,'Issue',347,17,''),(6263,'Issue',347,7,''),(6264,'Issue',347,3,'Detects a Powershell process that opens network connections - check for suspicious target ports and target systems - adjust to your environment (e.g. extend filters with company\'s ip range\')'),(6265,'Issue',347,4,''),(6266,'Issue',347,5,'_False Positives_\nAdministrative scripts'),(6267,'Issue',347,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (event.code:\"3\" AND process.executable.keyword:*\\\\powershell.exe AND event_data.Initiated:\"true\") AND (NOT (destination_ip.keyword:(10.* OR 192.168.* OR 172.16.* OR 172.17.* OR 172.18.* OR 172.19.* OR 172.20.* OR 172.21.* OR 172.22.* OR 172.23.* OR 172.24.* OR 172.25.* OR 172.26.* OR 172.27.* OR 172.28.* OR 172.29.* OR 172.30.* OR 172.31.* OR 127.0.0.1) AND event_data.DestinationIsIpv6:\"false\" AND event_data.User:\"NT\\ AUTHORITY\\\\SYSTEM\")))\nindex: so-*\nname: PowerShell Network Connections\npriority: 4\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(6268,'Issue',347,9,'{{collapse(View Sigma)\n\n\ntitle: PowerShell Network Connections\nid: 1f21ec3f-810d-4b0e-8045-322202e22b4b\nstatus: experimental\ndescription: Detects a Powershell process that opens network connections - check for\n suspicious target ports and target systems - adjust to your environment (e.g. extend\n filters with company\'s ip range\')\nauthor: Florian Roth\ndate: 2017/03/13\nreferences:\n- https://www.youtube.com/watch?v=DLtJTxMWZ2o\ntags:\n- attack.execution\n- attack.t1086\nlogsource:\n product: windows\n service: sysmon\ndetection:\n selection:\n EventID: 3\n Image: \'*\\powershell.exe\'\n Initiated: \'true\'\n filter:\n DestinationIp:\n - 10.*\n - 192.168.*\n - 172.16.*\n - 172.17.*\n - 172.18.*\n - 172.19.*\n - 172.20.*\n - 172.21.*\n - 172.22.*\n - 172.23.*\n - 172.24.*\n - 172.25.*\n - 172.26.*\n - 172.27.*\n - 172.28.*\n - 172.29.*\n - 172.30.*\n - 172.31.*\n - 127.0.0.1\n DestinationIsIpv6: \'false\'\n User: NT AUTHORITY\\SYSTEM\n condition: selection and not filter\nfalsepositives:\n- Administrative scripts\nlevel: low\n\n
\n}}'),(6269,'Issue',347,15,'T1086'),(6270,'Issue',348,1,'QuarksPwDump Dump File'),(6271,'Issue',348,2,'Florian Roth'),(6272,'Issue',348,8,'https://jpcertcc.github.io/ToolAnalysisResultSheet/details/QuarksPWDump.htm'),(6273,'Issue',348,10,'critical'),(6274,'Issue',348,13,'community'),(6275,'Issue',348,14,'windows'),(6277,'Issue',348,11,'3ce09ad54'),(6278,'Issue',348,12,'847def9e-924d-4e90-b7c4-5f581395a2b4'),(6279,'Issue',348,16,'win-sysmon'),(6280,'Issue',348,17,''),(6281,'Issue',348,7,''),(6282,'Issue',348,3,'Detects a dump file written by QuarksPwDump password dumper'),(6283,'Issue',348,4,''),(6284,'Issue',348,5,'_False Positives_\nUnknown'),(6285,'Issue',348,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"11\" AND event_data.TargetFilename.keyword:*\\\\AppData\\\\Local\\\\Temp\\\\SAM\\-*.dmp*)\nindex: so-*\nname: QuarksPwDump Dump File\npriority: 1\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(6286,'Issue',348,9,'{{collapse(View Sigma)\n\n\ntitle: QuarksPwDump Dump File\nid: 847def9e-924d-4e90-b7c4-5f581395a2b4\nstatus: experimental\ndescription: Detects a dump file written by QuarksPwDump password dumper\nreferences:\n- https://jpcertcc.github.io/ToolAnalysisResultSheet/details/QuarksPWDump.htm\nauthor: Florian Roth\ndate: 2018/02/10\ntags:\n- attack.credential_access\n- attack.t1003\nlevel: critical\nlogsource:\n product: windows\n service: sysmon\ndetection:\n selection:\n EventID: 11\n TargetFilename: \'*\\AppData\\Local\\Temp\\SAM-*.dmp*\'\n condition: selection\nfalsepositives:\n- Unknown\n\n
\n}}'),(6287,'Issue',348,15,'T1003'),(6288,'Issue',349,1,'Raw Disk Access Using Illegitimate Tools'),(6289,'Issue',349,2,'Teymur Kheirkhabarov, oscd.community'),(6290,'Issue',349,8,'https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment'),(6291,'Issue',349,10,'medium'),(6292,'Issue',349,13,'community'),(6293,'Issue',349,14,'windows'),(6295,'Issue',349,11,'979a4709f'),(6296,'Issue',349,12,'db809f10-56ce-4420-8c86-d6a7d793c79c'),(6297,'Issue',349,16,'win-sysmon'),(6298,'Issue',349,17,''),(6299,'Issue',349,7,''),(6300,'Issue',349,3,'Raw disk access using illegitimate tools, possible defence evasion'),(6301,'Issue',349,4,''),(6302,'Issue',349,5,'_False Positives_\nLegitimate Administrator using tool for raw access or ongoing forensic investigation\n\n_Interesting Log Fields_\nComputerName\nImage\nProcessID\nDevice'),(6303,'Issue',349,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (event.code:\"9\" AND (NOT (Device.keyword:*floppy*))) AND (NOT (process.executable.keyword:(*\\\\wmiprvse.exe OR *\\\\sdiagnhost.exe OR *\\\\searchindexer.exe OR *\\\\csrss.exe OR *\\\\defrag.exe OR *\\\\smss.exe OR *\\\\vssvc.exe OR *\\\\compattelrunner.exe OR *\\\\wininit.exe OR *\\\\autochk.exe OR *\\\\taskhost.exe OR *\\\\dfsrs.exe OR *\\\\vds.exe OR *\\\\lsass.exe))))\nindex: so-*\nname: Raw Disk Access Using Illegitimate Tools\npriority: 3\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(6304,'Issue',349,9,'{{collapse(View Sigma)\n\n\ntitle: Raw Disk Access Using Illegitimate Tools\nid: db809f10-56ce-4420-8c86-d6a7d793c79c\ndescription: Raw disk access using illegitimate tools, possible defence evasion\nauthor: Teymur Kheirkhabarov, oscd.community\ndate: 2019/10/22\nreferences:\n- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment\ntags:\n- attack.defense_evasion\n- attack.t1006\nlogsource:\n product: windows\n service: sysmon\ndetection:\n selection:\n EventID: 9\n filter_1:\n Device|contains: floppy\n filter_2:\n - Image|endswith:\n - \\wmiprvse.exe\n - \\sdiagnhost.exe\n - \\searchindexer.exe\n - \\csrss.exe\n - \\defrag.exe\n - \\smss.exe\n - \\vssvc.exe\n - \\compattelrunner.exe\n - \\wininit.exe\n - \\autochk.exe\n - \\taskhost.exe\n - \\dfsrs.exe\n - \\vds.exe\n - \\lsass.exe\n condition: selection and not filter_1 and not filter_2\nfields:\n- ComputerName\n- Image\n- ProcessID\n- Device\nfalsepositives:\n- Legitimate Administrator using tool for raw access or ongoing forensic investigation\nlevel: medium\nstatus: experimental\n\n
\n}}'),(6305,'Issue',349,15,'T1006'),(6306,'Issue',350,1,'RDP Registry Modification'),(6307,'Issue',350,2,'Roberto Rodriguez @Cyb3rWard0g'),(6308,'Issue',350,8,'https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/05_defense_evasion/T1112_Modify_Registry/enable_rdp_registry.md'),(6309,'Issue',350,10,'high'),(6310,'Issue',350,13,'community'),(6311,'Issue',350,14,'windows'),(6313,'Issue',350,11,'5a3902041'),(6314,'Issue',350,12,'41904ebe-d56c-4904-b9ad-7a77bdf154b3'),(6315,'Issue',350,16,'win-sysmon'),(6316,'Issue',350,17,''),(6317,'Issue',350,7,''),(6318,'Issue',350,3,'Detects potential malicious modification of the property value of fDenyTSConnections and UserAuthentication to enable remote desktop connections.'),(6319,'Issue',350,4,''),(6320,'Issue',350,5,'_False Positives_\nUnknown\n\n_Interesting Log Fields_\nComputerName\nImage\nEventType\nTargetObject'),(6321,'Issue',350,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"13\" AND event_data.TargetObject.keyword:(*\\\\CurrentControlSet\\\\Control\\\\Terminal\\ Server\\\\WinStations\\\\RDP\\-Tcp\\\\UserAuthentication OR *\\\\CurrentControlSet\\\\Control\\\\Terminal\\ Server\\\\fDenyTSConnections) AND event_data.Details:\"DWORD\\ \\(0x00000000\\)\")\nindex: so-*\nname: RDP Registry Modification\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(6322,'Issue',350,9,'{{collapse(View Sigma)\n\n\ntitle: RDP Registry Modification\nid: 41904ebe-d56c-4904-b9ad-7a77bdf154b3\ndescription: Detects potential malicious modification of the property value of fDenyTSConnections\n and UserAuthentication to enable remote desktop connections.\nstatus: experimental\ndate: 2019/09/12\nmodified: 2019/11/10\nauthor: Roberto Rodriguez @Cyb3rWard0g\nreferences:\n- https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/05_defense_evasion/T1112_Modify_Registry/enable_rdp_registry.md\ntags:\n- attack.defense_evasion\n- attack.t1112\nlogsource:\n product: windows\n service: sysmon\ndetection:\n selection:\n EventID: 13\n TargetObject|endswith:\n - \\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp\\UserAuthentication\n - \\CurrentControlSet\\Control\\Terminal Server\\fDenyTSConnections\n Details: DWORD (0x00000000)\n condition: selection\nfields:\n- ComputerName\n- Image\n- EventType\n- TargetObject\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(6323,'Issue',350,15,'T1112'),(6324,'Issue',351,1,'RDP Over Reverse SSH Tunnel'),(6325,'Issue',351,2,'Samir Bousseaden'),(6326,'Issue',351,8,'https://twitter.com/SBousseaden/status/1096148422984384514'),(6327,'Issue',351,10,'high'),(6328,'Issue',351,13,'community'),(6329,'Issue',351,14,'windows'),(6331,'Issue',351,11,'31989b88d'),(6332,'Issue',351,12,'5f699bc5-5446-4a4a-a0b7-5ef2885a3eb4'),(6333,'Issue',351,16,'win-sysmon'),(6334,'Issue',351,17,''),(6335,'Issue',351,7,''),(6336,'Issue',351,3,'Detects svchost hosting RDP termsvcs communicating with the loopback address and on TCP port 3389'),(6337,'Issue',351,4,''),(6338,'Issue',351,5,'_False Positives_\nunknown'),(6339,'Issue',351,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"3\" AND process.executable.keyword:*\\\\svchost.exe AND event_data.Initiated:\"true\" AND SourcePort:\"3389\" AND destination_ip.keyword:(127.* OR \\:\\:1))\nindex: so-*\nname: RDP Over Reverse SSH Tunnel\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(6340,'Issue',351,9,'{{collapse(View Sigma)\n\n\ntitle: RDP Over Reverse SSH Tunnel\nid: 5f699bc5-5446-4a4a-a0b7-5ef2885a3eb4\nstatus: experimental\ndescription: Detects svchost hosting RDP termsvcs communicating with the loopback\n address and on TCP port 3389\nreferences:\n- https://twitter.com/SBousseaden/status/1096148422984384514\nauthor: Samir Bousseaden\ndate: 2019/02/16\ntags:\n- attack.defense_evasion\n- attack.command_and_control\n- attack.t1076\n- car.2013-07-002\nlogsource:\n product: windows\n service: sysmon\ndetection:\n selection:\n EventID: 3\n Image: \'*\\svchost.exe\'\n Initiated: \'true\'\n SourcePort: 3389\n DestinationIp:\n - 127.*\n - ::1\n condition: selection\nfalsepositives:\n- unknown\nlevel: high\n\n
\n}}'),(6341,'Issue',351,15,'T1076'),(6342,'Issue',352,1,'RDP Sensitive Settings Changed'),(6343,'Issue',352,2,'Samir Bousseaden'),(6344,'Issue',352,8,'https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html'),(6345,'Issue',352,10,'high'),(6346,'Issue',352,13,'community'),(6347,'Issue',352,14,'windows'),(6348,'Issue',352,15,''),(6349,'Issue',352,11,'548ae70d5'),(6350,'Issue',352,12,'171b67e1-74b4-460e-8d55-b331f3e32d67'),(6351,'Issue',352,16,'win-sysmon'),(6352,'Issue',352,17,''),(6353,'Issue',352,7,''),(6354,'Issue',352,3,'Detects changes to RDP terminal service sensitive settings'),(6355,'Issue',352,4,''),(6356,'Issue',352,5,'_False Positives_\nunknown'),(6357,'Issue',352,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"13\" AND event_data.TargetObject.keyword:(*\\\\services\\\\TermService\\\\Parameters\\\\ServiceDll* OR *\\\\Control\\\\Terminal\\ Server\\\\fSingleSessionPerUser* OR *\\\\Control\\\\Terminal\\ Server\\\\fDenyTSConnections*))\nindex: so-*\nname: RDP Sensitive Settings Changed\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(6358,'Issue',352,9,'{{collapse(View Sigma)\n\n\ntitle: RDP Sensitive Settings Changed\nid: 171b67e1-74b4-460e-8d55-b331f3e32d67\ndescription: Detects changes to RDP terminal service sensitive settings\nreferences:\n- https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html\ndate: 2019/04/03\nauthor: Samir Bousseaden\nlogsource:\n product: windows\n service: sysmon\ndetection:\n selection_reg:\n EventID: 13\n TargetObject:\n - \'*\\services\\TermService\\Parameters\\ServiceDll*\'\n - \'*\\Control\\Terminal Server\\fSingleSessionPerUser*\'\n - \'*\\Control\\Terminal Server\\fDenyTSConnections*\'\n condition: selection_reg\ntags:\n- attack.defense_evasion\nfalsepositives:\n- unknown\nlevel: high\n\n
\n}}'),(6359,'Issue',353,1,'Windows Registry Persistence COM Key Linking'),(6360,'Issue',353,2,'Kutepov Anton, oscd.community'),(6361,'Issue',353,8,'https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/'),(6362,'Issue',353,10,'medium'),(6363,'Issue',353,13,'community'),(6364,'Issue',353,14,'windows'),(6366,'Issue',353,11,'6f021fb7c'),(6367,'Issue',353,12,'9b0f8a61-91b2-464f-aceb-0527e0a45020'),(6368,'Issue',353,16,'win-sysmon'),(6369,'Issue',353,17,''),(6370,'Issue',353,7,''),(6371,'Issue',353,3,'Detects COM object hijacking via TreatAs subkey'),(6372,'Issue',353,4,''),(6373,'Issue',353,5,'_False Positives_\nMaybe some system utilities in rare cases use linking keys for backward compability'),(6374,'Issue',353,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"12\" AND event_data.TargetObject.keyword:HKU\\\\*_Classes\\\\CLSID\\\\*\\\\TreatAs)\nindex: so-*\nname: Windows Registry Persistence COM Key Linking\npriority: 3\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(6375,'Issue',353,9,'{{collapse(View Sigma)\n\n\ntitle: Windows Registry Persistence COM Key Linking\nid: 9b0f8a61-91b2-464f-aceb-0527e0a45020\nstatus: experimental\ndescription: Detects COM object hijacking via TreatAs subkey\nreferences:\n- https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/\nauthor: Kutepov Anton, oscd.community\ndate: 2019/10/23\nmodified: 2019/11/07\ntags:\n- attack.persistence\n- attack.t1122\nlogsource:\n product: windows\n service: sysmon\ndetection:\n selection:\n EventID: 12\n TargetObject: HKU\\\\*_Classes\\CLSID\\\\*\\TreatAs\n condition: selection\nfalsepositives:\n- Maybe some system utilities in rare cases use linking keys for backward compability\nlevel: medium\n\n
\n}}'),(6376,'Issue',353,15,'T1122'),(6377,'Issue',354,1,'Windows Registry Persistence COM Search Order Hijacking'),(6378,'Issue',354,2,'Maxime Thiebaut (@0xThiebaut)'),(6379,'Issue',354,8,'https://www.cyberbit.com/blog/endpoint-security/com-hijacking-windows-overlooked-security-vulnerability/'),(6380,'Issue',354,10,'medium'),(6381,'Issue',354,13,'community'),(6382,'Issue',354,14,'windows'),(6384,'Issue',354,11,'27898e00b'),(6385,'Issue',354,12,'a0ff33d8-79e4-4cef-b4f3-9dc4133ccd12'),(6386,'Issue',354,16,'win-sysmon'),(6387,'Issue',354,17,''),(6388,'Issue',354,7,''),(6389,'Issue',354,3,'Detects potential COM object hijacking leveraging the COM Search Order'),(6390,'Issue',354,4,''),(6391,'Issue',354,5,'_False Positives_\nSome installed utilities (i.e. OneDrive) may serve new COM objects at user-level'),(6392,'Issue',354,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (event.code:\"13\" AND event_data.TargetObject.keyword:HKU\\\\*_Classes\\\\CLSID\\\\*\\\\InProcServer32\\\\\\(Default\\)) AND (NOT (event_data.Details.keyword:(%%systemroot%%\\\\system32\\\\* OR %%systemroot%%\\\\SysWow64\\\\* OR *\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\*\\\\FileCoAuthLib64.dll OR *\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\*\\\\FileSyncShell64.dll OR *\\\\AppData\\\\Local\\\\Microsoft\\\\TeamsMeetingAddin\\\\*\\\\Microsoft.Teams.AddinLoader.dll))))\nindex: so-*\nname: Windows Registry Persistence COM Search Order Hijacking\npriority: 3\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(6393,'Issue',354,9,'{{collapse(View Sigma)\n\n\ntitle: Windows Registry Persistence COM Search Order Hijacking\nid: a0ff33d8-79e4-4cef-b4f3-9dc4133ccd12\nstatus: experimental\ndescription: Detects potential COM object hijacking leveraging the COM Search Order\nreferences:\n- https://www.cyberbit.com/blog/endpoint-security/com-hijacking-windows-overlooked-security-vulnerability/\nauthor: Maxime Thiebaut (@0xThiebaut)\ndate: 2020/04/14\ntags:\n- attack.persistence\n- attack.t1038\nlogsource:\n product: windows\n service: sysmon\ndetection:\n selection:\n EventID: 13\n TargetObject: HKU\\\\*_Classes\\CLSID\\\\*\\InProcServer32\\(Default)\n filter:\n Details:\n - \'%%systemroot%%\\system32\\\\*\'\n - \'%%systemroot%%\\SysWow64\\\\*\'\n - \'*\\AppData\\Local\\Microsoft\\OneDrive\\\\*\\FileCoAuthLib64.dll\'\n - \'*\\AppData\\Local\\Microsoft\\OneDrive\\\\*\\FileSyncShell64.dll\'\n - \'*\\AppData\\Local\\Microsoft\\TeamsMeetingAddin\\\\*\\Microsoft.Teams.AddinLoader.dll\'\n condition: selection and not filter\nfalsepositives:\n- Some installed utilities (i.e. OneDrive) may serve new COM objects at user-level\nlevel: medium\n\n
\n}}'),(6394,'Issue',354,15,'T1038'),(6395,'Issue',355,1,'Windows Registry Trust Record Modification'),(6396,'Issue',355,2,'Antonlovesdnb'),(6397,'Issue',355,8,'https://outflank.nl/blog/2018/01/16/hunting-for-evil-detect-macros-being-executed/\nhttp://az4n6.blogspot.com/2016/02/more-on-trust-records-macros-and.html'),(6398,'Issue',355,10,'medium'),(6399,'Issue',355,13,'community'),(6400,'Issue',355,14,'windows'),(6402,'Issue',355,11,'ab08d709e'),(6403,'Issue',355,12,'295a59c1-7b79-4b47-a930-df12c15fc9c2'),(6404,'Issue',355,16,'win-sysmon'),(6405,'Issue',355,17,''),(6406,'Issue',355,7,''),(6407,'Issue',355,3,'Alerts on trust record modification within the registry, indicating usage of macros'),(6408,'Issue',355,4,''),(6409,'Issue',355,5,'_False Positives_\nAlerts on legitimate macro usage as well, will need to filter as appropriate'),(6410,'Issue',355,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"12\" AND event_data.TargetObject.keyword:*TrustRecords*)\nindex: so-*\nname: Windows Registry Trust Record Modification\npriority: 3\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(6411,'Issue',355,9,'{{collapse(View Sigma)\n\n\ntitle: Windows Registry Trust Record Modification\nid: 295a59c1-7b79-4b47-a930-df12c15fc9c2\nstatus: experimental\ndescription: Alerts on trust record modification within the registry, indicating usage\n of macros\nreferences:\n- https://outflank.nl/blog/2018/01/16/hunting-for-evil-detect-macros-being-executed/\n- http://az4n6.blogspot.com/2016/02/more-on-trust-records-macros-and.html\nauthor: Antonlovesdnb\ndate: 2020/02/19\nmodified: 2020/02/19\ntags:\n- attack.initial_access\n- attack.t1193\nlogsource:\n product: windows\n service: sysmon\ndetection:\n selection:\n EventID: 12\n TargetObject|contains: TrustRecords\n condition: selection\nfalsepositives:\n- Alerts on legitimate macro usage as well, will need to filter as appropriate\nlevel: medium\n\n
\n}}'),(6412,'Issue',355,15,'T1193'),(6413,'Issue',356,1,'Regsvr32 Network Activity'),(6414,'Issue',356,2,'Dmitriy Lifanov, oscd.community'),(6415,'Issue',356,8,'https://pentestlab.blog/2017/05/11/applocker-bypass-regsvr32/\nhttps://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/\nhttps://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1117/T1117.md'),(6416,'Issue',356,10,'high'),(6417,'Issue',356,13,'community'),(6418,'Issue',356,14,'windows'),(6420,'Issue',356,11,'2dae90c53'),(6421,'Issue',356,12,'c7e91a02-d771-4a6d-a700-42587e0b1095'),(6422,'Issue',356,16,'win-sysmon'),(6423,'Issue',356,17,''),(6424,'Issue',356,7,''),(6425,'Issue',356,3,'Detects network connections and DNS queries initiated by Regsvr32.exe'),(6426,'Issue',356,4,''),(6427,'Issue',356,5,'_False Positives_\nunknown\n\n_Interesting Log Fields_\nComputerName\nUser\nImage\nDestinationIp\nDestinationPort'),(6428,'Issue',356,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:(\"3\" OR \"22\") AND process.executable.keyword:*\\\\regsvr32.exe)\nindex: so-*\nname: Regsvr32 Network Activity\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(6429,'Issue',356,9,'{{collapse(View Sigma)\n\n\ntitle: Regsvr32 Network Activity\nid: c7e91a02-d771-4a6d-a700-42587e0b1095\ndescription: Detects network connections and DNS queries initiated by Regsvr32.exe\nreferences:\n- https://pentestlab.blog/2017/05/11/applocker-bypass-regsvr32/\n- https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1117/T1117.md\ntags:\n- attack.execution\n- attack.defense_evasion\n- attack.t1117\nauthor: Dmitriy Lifanov, oscd.community\nstatus: experimental\ndate: 2019/10/25\nmodified: 2019/11/10\nlogsource:\n product: windows\n service: sysmon\ndetection:\n selection:\n EventID:\n - 3\n - 22\n Image|endswith: \\regsvr32.exe\n condition: selection\nfields:\n- ComputerName\n- User\n- Image\n- DestinationIp\n- DestinationPort\nfalsepositives:\n- unknown\nlevel: high\n\n
\n}}'),(6430,'Issue',356,15,'T1117'),(6431,'Issue',357,1,'Remote PowerShell Session'),(6432,'Issue',357,2,'Roberto Rodriguez @Cyb3rWard0g'),(6433,'Issue',357,8,'https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/powershell_remote_session.md'),(6434,'Issue',357,10,'high'),(6435,'Issue',357,13,'community'),(6436,'Issue',357,14,'windows'),(6438,'Issue',357,11,'1a8504907'),(6439,'Issue',357,12,'c539afac-c12a-46ed-b1bd-5a5567c9f045'),(6440,'Issue',357,16,'win-sysmon'),(6441,'Issue',357,17,''),(6442,'Issue',357,7,''),(6443,'Issue',357,3,'Detects remote PowerShell connections by monitoring network outbount connections to ports 5985 or 5986 from not network service account'),(6444,'Issue',357,4,''),(6445,'Issue',357,5,'_False Positives_\nLeigitmate usage of remote PowerShell, e.g. remote administration and monitoring.'),(6446,'Issue',357,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (event.code:\"3\" AND destination_port:(\"5985\" OR \"5986\")) AND (NOT (event_data.User:\"NT\\ AUTHORITY\\\\NETWORK\\ SERVICE\")))\nindex: so-*\nname: Remote PowerShell Session\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(6447,'Issue',357,9,'{{collapse(View Sigma)\n\n\ntitle: Remote PowerShell Session\nid: c539afac-c12a-46ed-b1bd-5a5567c9f045\ndescription: Detects remote PowerShell connections by monitoring network outbount\n connections to ports 5985 or 5986 from not network service account\nstatus: experimental\ndate: 2019/09/12\nauthor: Roberto Rodriguez @Cyb3rWard0g\nreferences:\n- https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/powershell_remote_session.md\ntags:\n- attack.execution\n- attack.t1086\nlogsource:\n product: windows\n service: sysmon\ndetection:\n selection:\n EventID: 3\n DestinationPort:\n - 5985\n - 5986\n filter:\n User: NT AUTHORITY\\NETWORK SERVICE\n condition: selection and not filter\nfalsepositives:\n- Leigitmate usage of remote PowerShell, e.g. remote administration and monitoring.\nlevel: high\n\n
\n}}'),(6448,'Issue',357,15,'T1086'),(6449,'Issue',358,1,'Renamed jusched.exe'),(6450,'Issue',358,2,'Markus Neis, Swisscom'),(6451,'Issue',358,8,'https://www.bitdefender.com/files/News/CaseStudies/study/262/Bitdefender-WhitePaper-An-APT-Blueprint-Gaining-New-Visibility-into-Financial-Threats-interactive.pdf'),(6452,'Issue',358,10,'high'),(6453,'Issue',358,13,'community'),(6454,'Issue',358,14,'windows'),(6456,'Issue',358,11,'3042f2e24'),(6457,'Issue',358,12,'edd8a48c-1b9f-4ba1-83aa-490338cd1ccb'),(6458,'Issue',358,16,'win-sysmon'),(6459,'Issue',358,17,''),(6460,'Issue',358,7,''),(6461,'Issue',358,3,'Detects renamed jusched.exe used by cobalt group'),(6462,'Issue',358,4,''),(6463,'Issue',358,5,'_False Positives_\npenetration tests, red teaming'),(6464,'Issue',358,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND (process.pe.description:\"Java\\ Update\\ Scheduler\" OR process.pe.description:\"Java\\(TM\\)\\ Update\\ Scheduler\")) AND (NOT (process.executable.keyword:(*\\\\jusched.exe))))\nindex: so-*\nname: Renamed jusched.exe\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(6465,'Issue',358,9,'{{collapse(View Sigma)\n\n\ntitle: Renamed jusched.exe\nstatus: experimental\nid: edd8a48c-1b9f-4ba1-83aa-490338cd1ccb\ndescription: Detects renamed jusched.exe used by cobalt group\nreferences:\n- https://www.bitdefender.com/files/News/CaseStudies/study/262/Bitdefender-WhitePaper-An-APT-Blueprint-Gaining-New-Visibility-into-Financial-Threats-interactive.pdf\ntags:\n- attack.t1036\n- attack.execution\nauthor: Markus Neis, Swisscom\ndate: 2019/06/04\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection1:\n Description: Java Update Scheduler\n selection2:\n Description: Java(TM) Update Scheduler\n filter:\n Image|endswith:\n - \\jusched.exe\n condition: (selection1 or selection2) and not filter\nfalsepositives:\n- penetration tests, red teaming\nlevel: high\n\n
\n}}'),(6466,'Issue',358,15,'T1036'),(6467,'Issue',359,1,'Renamed PowerShell'),(6468,'Issue',359,2,'Florian Roth'),(6469,'Issue',359,8,'https://twitter.com/christophetd/status/1164506034720952320'),(6470,'Issue',359,10,'critical'),(6471,'Issue',359,13,'community'),(6472,'Issue',359,14,'windows'),(6473,'Issue',359,15,''),(6474,'Issue',359,11,'a6d71f3ed'),(6475,'Issue',359,12,'d178a2d7-129a-4ba4-8ee6-d6e1fecd5d20'),(6476,'Issue',359,16,'win-sysmon'),(6477,'Issue',359,17,''),(6478,'Issue',359,7,''),(6479,'Issue',359,3,'Detects the execution of a renamed PowerShell often used by attackers or malware'),(6480,'Issue',359,4,''),(6481,'Issue',359,5,'_False Positives_\nUnknown'),(6482,'Issue',359,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (process.pe.description:\"Windows\\ PowerShell\" AND event_data.Company:\"Microsoft\\ Corporation\") AND (NOT (process.executable.keyword:(*\\\\powershell.exe OR *\\\\powershell_ise.exe))))\nindex: so-*\nname: Renamed PowerShell\npriority: 1\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(6483,'Issue',359,9,'{{collapse(View Sigma)\n\n\ntitle: Renamed PowerShell\nid: d178a2d7-129a-4ba4-8ee6-d6e1fecd5d20\nstatus: experimental\ndescription: Detects the execution of a renamed PowerShell often used by attackers\n or malware\nreferences:\n- https://twitter.com/christophetd/status/1164506034720952320\nauthor: Florian Roth\ndate: 2019/08/22\ntags:\n- car.2013-05-009\nlogsource:\n product: windows\n service: sysmon\ndetection:\n selection:\n Description: Windows PowerShell\n Company: Microsoft Corporation\n filter:\n Image:\n - \'*\\powershell.exe\'\n - \'*\\powershell_ise.exe\'\n condition: selection and not filter\nfalsepositives:\n- Unknown\nlevel: critical\n\n
\n}}'),(6484,'Issue',360,1,'Renamed ProcDump'),(6485,'Issue',360,2,'Florian Roth'),(6486,'Issue',360,8,'https://docs.microsoft.com/en-us/sysinternals/downloads/procdump'),(6487,'Issue',360,10,'critical'),(6488,'Issue',360,13,'community'),(6489,'Issue',360,14,'windows'),(6491,'Issue',360,11,'abbcffccf'),(6492,'Issue',360,12,'4a0b2c7e-7cb2-495d-8b63-5f268e7bfd67'),(6493,'Issue',360,16,'win-sysmon'),(6494,'Issue',360,17,''),(6495,'Issue',360,7,''),(6496,'Issue',360,3,'Detects the execution of a renamed ProcDump executable often used by attackers or malware'),(6497,'Issue',360,4,''),(6498,'Issue',360,5,'_False Positives_\nProcdump illegaly bundled with legitimate software\nWeird admins who renamed binaries'),(6499,'Issue',360,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND OriginalFileName:\"procdump\" AND (NOT (process.executable.keyword:(*\\\\procdump.exe OR *\\\\procdump64.exe))))\nindex: so-*\nname: Renamed ProcDump\npriority: 1\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(6500,'Issue',360,9,'{{collapse(View Sigma)\n\n\ntitle: Renamed ProcDump\nid: 4a0b2c7e-7cb2-495d-8b63-5f268e7bfd67\nstatus: experimental\ndescription: Detects the execution of a renamed ProcDump executable often used by\n attackers or malware\nreferences:\n- https://docs.microsoft.com/en-us/sysinternals/downloads/procdump\nauthor: Florian Roth\ndate: 2019/11/18\ntags:\n- attack.defense_evasion\n- attack.t1036\nlogsource:\n product: windows\n service: sysmon\ndetection:\n selection:\n OriginalFileName: procdump\n filter:\n Image:\n - \'*\\procdump.exe\'\n - \'*\\procdump64.exe\'\n condition: selection and not filter\nfalsepositives:\n- Procdump illegaly bundled with legitimate software\n- Weird admins who renamed binaries\nlevel: critical\n\n
\n}}'),(6501,'Issue',360,15,'T1036'),(6502,'Issue',361,1,'Renamed PsExec'),(6503,'Issue',361,2,'Florian Roth'),(6504,'Issue',361,8,'https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/megacortex-ransomware-spotted-attacking-enterprise-networks'),(6505,'Issue',361,10,'high'),(6506,'Issue',361,13,'community'),(6507,'Issue',361,14,'windows'),(6508,'Issue',361,15,''),(6509,'Issue',361,11,'297d076c3'),(6510,'Issue',361,12,'a7a7e0e5-1d57-49df-9c58-9fe5bc0346a2'),(6511,'Issue',361,16,'win-sysmon'),(6512,'Issue',361,17,''),(6513,'Issue',361,7,''),(6514,'Issue',361,3,'Detects the execution of a renamed PsExec often used by attackers or malware'),(6515,'Issue',361,4,''),(6516,'Issue',361,5,'_False Positives_\nSoftware that illegaly integrates PsExec in a renamed form\nAdministrators that have renamed PsExec and no one knows why'),(6517,'Issue',361,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (process.pe.description:\"Execute\\ processes\\ remotely\" AND process.pe.product:\"Sysinternals\\ PsExec\") AND (NOT (process.executable.keyword:(*\\\\PsExec.exe OR *\\\\PsExec64.exe))))\nindex: so-*\nname: Renamed PsExec\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(6518,'Issue',361,9,'{{collapse(View Sigma)\n\n\ntitle: Renamed PsExec\nid: a7a7e0e5-1d57-49df-9c58-9fe5bc0346a2\nstatus: experimental\ndescription: Detects the execution of a renamed PsExec often used by attackers or\n malware\nreferences:\n- https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/megacortex-ransomware-spotted-attacking-enterprise-networks\nauthor: Florian Roth\ndate: 2019/05/21\ntags:\n- car.2013-05-009\nlogsource:\n product: windows\n service: sysmon\ndetection:\n selection:\n Description: Execute processes remotely\n Product: Sysinternals PsExec\n filter:\n Image:\n - \'*\\PsExec.exe\'\n - \'*\\PsExec64.exe\'\n condition: selection and not filter\nfalsepositives:\n- Software that illegaly integrates PsExec in a renamed form\n- Administrators that have renamed PsExec and no one knows why\nlevel: high\n\n
\n}}'),(6519,'Issue',362,1,'Rundll32 Internet Connection'),(6520,'Issue',362,2,'Florian Roth'),(6521,'Issue',362,8,'https://www.hybrid-analysis.com/sample/759fb4c0091a78c5ee035715afe3084686a8493f39014aea72dae36869de9ff6?environmentId=100'),(6522,'Issue',362,10,'medium'),(6523,'Issue',362,13,'community'),(6524,'Issue',362,14,'windows'),(6526,'Issue',362,11,'0381dead4'),(6527,'Issue',362,12,'cdc8da7d-c303-42f8-b08c-b4ab47230263'),(6528,'Issue',362,16,'win-sysmon'),(6529,'Issue',362,17,''),(6530,'Issue',362,7,''),(6531,'Issue',362,3,'Detects a rundll32 that communicates with public IP addresses'),(6532,'Issue',362,4,''),(6533,'Issue',362,5,'_False Positives_\nCommunication to other corporate systems that use IP addresses from public address spaces'),(6534,'Issue',362,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (event.code:\"3\" AND process.executable.keyword:*\\\\rundll32.exe AND event_data.Initiated:\"true\") AND (NOT (destination_ip.keyword:(10.* OR 192.168.* OR 172.16.* OR 172.17.* OR 172.18.* OR 172.19.* OR 172.20.* OR 172.21.* OR 172.22.* OR 172.23.* OR 172.24.* OR 172.25.* OR 172.26.* OR 172.27.* OR 172.28.* OR 172.29.* OR 172.30.* OR 172.31.* OR 127.*))))\nindex: so-*\nname: Rundll32 Internet Connection\npriority: 3\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(6535,'Issue',362,9,'{{collapse(View Sigma)\n\n\ntitle: Rundll32 Internet Connection\nid: cdc8da7d-c303-42f8-b08c-b4ab47230263\nstatus: experimental\ndescription: Detects a rundll32 that communicates with public IP addresses\nreferences:\n- https://www.hybrid-analysis.com/sample/759fb4c0091a78c5ee035715afe3084686a8493f39014aea72dae36869de9ff6?environmentId=100\nauthor: Florian Roth\ndate: 2017/11/04\ntags:\n- attack.t1085\n- attack.defense_evasion\n- attack.execution\nlogsource:\n product: windows\n service: sysmon\ndetection:\n selection:\n EventID: 3\n Image: \'*\\rundll32.exe\'\n Initiated: \'true\'\n filter:\n DestinationIp:\n - 10.*\n - 192.168.*\n - 172.16.*\n - 172.17.*\n - 172.18.*\n - 172.19.*\n - 172.20.*\n - 172.21.*\n - 172.22.*\n - 172.23.*\n - 172.24.*\n - 172.25.*\n - 172.26.*\n - 172.27.*\n - 172.28.*\n - 172.29.*\n - 172.30.*\n - 172.31.*\n - 127.*\n condition: selection and not filter\nfalsepositives:\n- Communication to other corporate systems that use IP addresses from public address\n spaces\nlevel: medium\n\n
\n}}'),(6536,'Issue',362,15,'T1085'),(6537,'Issue',363,1,'Security Support Provider (SSP) Added to LSA Configuration'),(6538,'Issue',363,2,'iwillkeepwatch'),(6539,'Issue',363,8,'https://attack.mitre.org/techniques/T1101/\nhttps://powersploit.readthedocs.io/en/latest/Persistence/Install-SSP/'),(6540,'Issue',363,10,'critical'),(6541,'Issue',363,13,'community'),(6542,'Issue',363,14,'windows'),(6544,'Issue',363,11,'9bc1e9894'),(6545,'Issue',363,12,'eeb30123-9fbd-4ee8-aaa0-2e545bbed6dc'),(6546,'Issue',363,16,'win-sysmon'),(6547,'Issue',363,17,''),(6548,'Issue',363,7,''),(6549,'Issue',363,3,'Detects the addition of a SSP to the registry. Upon a reboot or API call, SSP DLLs gain access to encrypted and plaintext passwords stored in Windows.'),(6550,'Issue',363,4,''),(6551,'Issue',363,5,'_False Positives_\nUnlikely'),(6552,'Issue',363,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (event.code:\"13\" AND event_data.TargetObject:(\"HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\Security\\ Packages\" OR \"HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\OSConfig\\\\Security\\ Packages\")) AND (NOT (process.executable:\"C\\:\\\\Windows\\\\system32\\\\msiexec.exe\" OR process.executable:\"C\\:\\\\Windows\\\\syswow64\\\\MsiExec.exe\")))\nindex: so-*\nname: Security Support Provider (SSP) Added to LSA Configuration\npriority: 1\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(6553,'Issue',363,9,'{{collapse(View Sigma)\n\n\ntitle: Security Support Provider (SSP) Added to LSA Configuration\nid: eeb30123-9fbd-4ee8-aaa0-2e545bbed6dc\nstatus: experimental\ndescription: Detects the addition of a SSP to the registry. Upon a reboot or API call,\n SSP DLLs gain access to encrypted and plaintext passwords stored in Windows.\nreferences:\n- https://attack.mitre.org/techniques/T1101/\n- https://powersploit.readthedocs.io/en/latest/Persistence/Install-SSP/\ntags:\n- attack.persistence\n- attack.t1011\nauthor: iwillkeepwatch\ndate: 2019/01/18\nlogsource:\n product: windows\n service: sysmon\ndetection:\n selection_registry:\n EventID: 13\n TargetObject:\n - HKLM\\System\\CurrentControlSet\\Control\\Lsa\\Security Packages\n - HKLM\\System\\CurrentControlSet\\Control\\Lsa\\OSConfig\\Security Packages\n exclusion_images:\n - Image: C:\\Windows\\system32\\msiexec.exe\n - Image: C:\\Windows\\syswow64\\MsiExec.exe\n condition: selection_registry and not exclusion_images\nfalsepositives:\n- Unlikely\nlevel: critical\n\n
\n}}'),(6554,'Issue',363,15,'T1011'),(6555,'Issue',364,1,'Suspicious ADSI-Cache Usage By Unknown Tool'),(6556,'Issue',364,2,'xknow @xknow_infosec'),(6557,'Issue',364,8,'https://medium.com/@ivecodoe/detecting-ldapfragger-a-newly-released-cobalt-strike-beacon-using-ldap-for-c2-communication-c274a7f00961\nhttps://blog.fox-it.com/2020/03/19/ldapfragger-command-and-control-over-ldap-attributes/\nhttps://github.com/fox-it/LDAPFragger'),(6558,'Issue',364,10,'high'),(6559,'Issue',364,13,'community'),(6560,'Issue',364,14,'windows'),(6562,'Issue',364,11,'8268e4aa6'),(6563,'Issue',364,12,'75bf09fa-1dd7-4d18-9af9-dd9e492562eb'),(6564,'Issue',364,16,'win-sysmon'),(6565,'Issue',364,17,''),(6566,'Issue',364,7,''),(6567,'Issue',364,3,'detects the usage of ADSI (LDAP) operations by tools. This may also detect tools like LDAPFragger.'),(6568,'Issue',364,4,''),(6569,'Issue',364,5,'_False Positives_\nOther legimate tools, which do ADSI (LDAP) operations, e.g. any remoting activity by MMC, Powershell, Windows etc.'),(6570,'Issue',364,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (event.code:\"11\" AND event_data.TargetFilename.keyword:*\\\\Local\\\\Microsoft\\\\Windows\\\\SchCache\\*.sch) AND (NOT (process.executable.keyword:(*C\\:\\\\windows\\\\system32\\\\svchost.exe* OR *C\\:\\\\windows\\\\system32\\\\dllhost.exe* OR *C\\:\\\\windows\\\\system32\\\\mmc.exe* OR *C\\:\\\\windows\\\\system32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe*))))\nindex: so-*\nname: Suspicious ADSI-Cache Usage By Unknown Tool\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(6571,'Issue',364,9,'{{collapse(View Sigma)\n\n\ntitle: Suspicious ADSI-Cache Usage By Unknown Tool\nid: 75bf09fa-1dd7-4d18-9af9-dd9e492562eb\ndescription: detects the usage of ADSI (LDAP) operations by tools. This may also detect\n tools like LDAPFragger.\nstatus: experimental\ndate: 2019/03/24\nauthor: xknow @xknow_infosec\nreferences:\n- https://medium.com/@ivecodoe/detecting-ldapfragger-a-newly-released-cobalt-strike-beacon-using-ldap-for-c2-communication-c274a7f00961\n- https://blog.fox-it.com/2020/03/19/ldapfragger-command-and-control-over-ldap-attributes/\n- https://github.com/fox-it/LDAPFragger\ntags:\n- attack.t1041\n- attack.persistence\nlogsource:\n product: windows\n service: sysmon\ndetection:\n selection_1:\n EventID: 11\n TargetFilename: \'*\\Local\\Microsoft\\Windows\\SchCache\\*.sch\'\n selection_2:\n Image|contains:\n - C:\\windows\\system32\\svchost.exe\n - C:\\windows\\system32\\dllhost.exe\n - C:\\windows\\system32\\mmc.exe\n - C:\\windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe\n condition: selection_1 and not selection_2\nfalsepositives:\n- Other legimate tools, which do ADSI (LDAP) operations, e.g. any remoting activity\n by MMC, Powershell, Windows etc.\nlevel: high\n\n
\n}}'),(6572,'Issue',364,15,'T1041'),(6573,'Issue',365,1,'Suspicious desktop.ini Action'),(6574,'Issue',365,2,'Maxime Thiebaut (@0xThiebaut)'),(6575,'Issue',365,8,'https://isc.sans.edu/forums/diary/Desktopini+as+a+postexploitation+tool/25912/'),(6576,'Issue',365,10,'medium'),(6577,'Issue',365,13,'community'),(6578,'Issue',365,14,'windows'),(6580,'Issue',365,11,'370bd2225'),(6581,'Issue',365,12,'81315b50-6b60-4d8f-9928-3466e1022515'),(6582,'Issue',365,16,'win-sysmon'),(6583,'Issue',365,17,''),(6584,'Issue',365,7,''),(6585,'Issue',365,3,'Detects unusual processes accessing desktop.ini, which can be leveraged to alter how Explorer displays a folder\'s content (i.e. renaming files) without changing them on disk.'),(6586,'Issue',365,4,''),(6587,'Issue',365,5,'_False Positives_\nOperations performed through Windows SCCM or equivalent'),(6588,'Issue',365,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (event.code:\"11\" AND event_data.TargetFilename.keyword:*\\\\desktop.ini) AND (NOT (process.executable:(\"C\\:\\\\Windows\\\\explorer.exe\" OR \"C\\:\\\\Windows\\\\System32\\\\msiexec.exe\" OR \"C\\:\\\\Windows\\\\System32\\\\mmc.exe\"))))\nindex: so-*\nname: Suspicious desktop.ini Action\npriority: 3\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(6589,'Issue',365,9,'{{collapse(View Sigma)\n\n\ntitle: Suspicious desktop.ini Action\nid: 81315b50-6b60-4d8f-9928-3466e1022515\nstatus: experimental\ndescription: Detects unusual processes accessing desktop.ini, which can be leveraged\n to alter how Explorer displays a folder\'s content (i.e. renaming files) without\n changing them on disk.\nreferences:\n- https://isc.sans.edu/forums/diary/Desktopini+as+a+postexploitation+tool/25912/\nauthor: Maxime Thiebaut (@0xThiebaut)\ndate: 2020/03/19\ntags:\n- attack.persistence\n- attack.t1023\nlogsource:\n product: windows\n service: sysmon\ndetection:\n filter:\n Image:\n - C:\\Windows\\explorer.exe\n - C:\\Windows\\System32\\msiexec.exe\n - C:\\Windows\\System32\\mmc.exe\n selection:\n EventID: 11\n TargetFilename|endswith: \\desktop.ini\n condition: selection and not filter\nfalsepositives:\n- Operations performed through Windows SCCM or equivalent\nlevel: medium\n\n
\n}}'),(6590,'Issue',365,15,'T1023'),(6591,'Issue',366,1,'Suspicious RUN Key from Download'),(6592,'Issue',366,2,'Florian Roth'),(6593,'Issue',366,8,'https://app.any.run/tasks/c5bef5b7-f484-4c43-9cf3-d5c5c7839def/'),(6594,'Issue',366,10,'high'),(6595,'Issue',366,13,'community'),(6596,'Issue',366,14,'windows'),(6598,'Issue',366,11,'4a98c6777'),(6599,'Issue',366,12,'9c5037d1-c568-49b3-88c7-9846a5bdc2be'),(6600,'Issue',366,16,'win-sysmon'),(6601,'Issue',366,17,''),(6602,'Issue',366,7,''),(6603,'Issue',366,3,'Detects the suspicious RUN keys created by software located in Download or temporary Outlook/Internet Explorer directories'),(6604,'Issue',366,4,''),(6605,'Issue',366,5,'_False Positives_\nSoftware installers downloaded and used by users'),(6606,'Issue',366,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"13\" AND process.executable.keyword:(*\\\\Downloads\\\\* OR *\\\\Temporary\\ Internet\\ Files\\\\Content.Outlook\\\\* OR *\\\\Local\\ Settings\\\\Temporary\\ Internet\\ Files\\\\*) AND event_data.TargetObject.keyword:*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*)\nindex: so-*\nname: Suspicious RUN Key from Download\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(6607,'Issue',366,9,'{{collapse(View Sigma)\n\n\ntitle: Suspicious RUN Key from Download\nid: 9c5037d1-c568-49b3-88c7-9846a5bdc2be\nstatus: experimental\ndescription: Detects the suspicious RUN keys created by software located in Download\n or temporary Outlook/Internet Explorer directories\nreferences:\n- https://app.any.run/tasks/c5bef5b7-f484-4c43-9cf3-d5c5c7839def/\nauthor: Florian Roth\ndate: 2019/10/01\ntags:\n- attack.persistence\n- attack.t1060\nlogsource:\n product: windows\n service: sysmon\ndetection:\n selection:\n EventID: 13\n Image:\n - \'*\\Downloads\\\\*\'\n - \'*\\Temporary Internet Files\\Content.Outlook\\\\*\'\n - \'*\\Local Settings\\Temporary Internet Files\\\\*\'\n TargetObject: \'*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\\\*\'\n condition: selection\nfalsepositives:\n- Software installers downloaded and used by users\nlevel: high\n\n
\n}}'),(6608,'Issue',366,15,'T1060'),(6609,'Issue',367,1,'Suspicious Driver Load from Temp'),(6610,'Issue',367,2,'Florian Roth'),(6611,'Issue',367,8,'none'),(6612,'Issue',367,10,'medium'),(6613,'Issue',367,13,'community'),(6614,'Issue',367,14,'windows'),(6616,'Issue',367,11,'d9e3b1335'),(6617,'Issue',367,12,'2c4523d5-d481-4ed0-8ec3-7fbf0cb41a75'),(6618,'Issue',367,16,'win-sysmon'),(6619,'Issue',367,17,''),(6620,'Issue',367,7,''),(6621,'Issue',367,3,'Detects a driver load from a temporary directory'),(6622,'Issue',367,4,''),(6623,'Issue',367,5,'_False Positives_\nthere is a relevant set of false positives depending on applications in the environment'),(6624,'Issue',367,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"6\" AND event_data.ImageLoaded.keyword:*\\\\Temp\\\\*)\nindex: so-*\nname: Suspicious Driver Load from Temp\npriority: 3\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(6625,'Issue',367,9,'{{collapse(View Sigma)\n\n\ntitle: Suspicious Driver Load from Temp\nid: 2c4523d5-d481-4ed0-8ec3-7fbf0cb41a75\ndescription: Detects a driver load from a temporary directory\nauthor: Florian Roth\ndate: 2017/02/12\ntags:\n- attack.persistence\n- attack.t1050\nlogsource:\n product: windows\n service: sysmon\ndetection:\n selection:\n EventID: 6\n ImageLoaded: \'*\\Temp\\\\*\'\n condition: selection\nfalsepositives:\n- there is a relevant set of false positives depending on applications in the environment\nlevel: medium\n\n
\n}}'),(6626,'Issue',367,15,'T1050'),(6627,'Issue',368,1,'Suspicious File Characteristics Due to Missing Fields'),(6628,'Issue',368,2,'Markus Neis'),(6629,'Issue',368,8,'https://securelist.com/muddywater/88059/\nhttps://www.virustotal.com/#/file/276a765a10f98cda1a38d3a31e7483585ca3722ecad19d784441293acf1b7beb/detection'),(6630,'Issue',368,10,'medium'),(6631,'Issue',368,13,'community'),(6632,'Issue',368,14,'windows'),(6634,'Issue',368,11,'c82bedced'),(6635,'Issue',368,12,'9637e8a5-7131-4f7f-bdc7-2b05d8670c43'),(6636,'Issue',368,16,'win-sysmon'),(6637,'Issue',368,17,''),(6638,'Issue',368,7,''),(6639,'Issue',368,3,'Detects Executables without FileVersion,Description,Product,Company likely created with py2exe'),(6640,'Issue',368,4,''),(6641,'Issue',368,5,'_False Positives_\nUnknown\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(6642,'Issue',368,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.pe.description:\"\\?\" AND (event_data.FileVersion:\"\\?\" OR process.pe.product:\"\\?\" OR event_data.Company:\"\\?\"))\nindex: so-*\nname: Suspicious File Characteristics Due to Missing Fields\npriority: 3\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(6643,'Issue',368,9,'{{collapse(View Sigma)\n\n\ntitle: Suspicious File Characteristics Due to Missing Fields\nid: 9637e8a5-7131-4f7f-bdc7-2b05d8670c43\ndescription: Detects Executables without FileVersion,Description,Product,Company likely\n created with py2exe\nstatus: experimental\nreferences:\n- https://securelist.com/muddywater/88059/\n- https://www.virustotal.com/#/file/276a765a10f98cda1a38d3a31e7483585ca3722ecad19d784441293acf1b7beb/detection\nauthor: Markus Neis\ndate: 2018/11/22\nmodified: 2019/11/09\ntags:\n- attack.defense_evasion\n- attack.execution\n- attack.t1064\nlogsource:\n product: windows\n service: sysmon\ndetection:\n selection1:\n Description: \\?\n FileVersion: \\?\n selection2:\n Description: \\?\n Product: \\?\n selection3:\n Description: \\?\n Company: \\?\n condition: 1 of them\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Unknown\nlevel: medium\n\n
\n}}'),(6644,'Issue',368,15,'T1064'),(6645,'Issue',369,1,'Possible Process Hollowing Image Loading'),(6646,'Issue',369,2,'Markus Neis'),(6647,'Issue',369,8,'https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for.html'),(6648,'Issue',369,10,'high'),(6649,'Issue',369,13,'community'),(6650,'Issue',369,14,'windows'),(6652,'Issue',369,11,'5e6ed7268'),(6653,'Issue',369,12,'e32ce4f5-46c6-4c47-ba69-5de3c9193cd7'),(6654,'Issue',369,16,'win-sysmon'),(6655,'Issue',369,17,''),(6656,'Issue',369,7,''),(6657,'Issue',369,3,'Detects Loading of samlib.dll, WinSCard.dll from untypical process e.g. through process hollowing by Mimikatz'),(6658,'Issue',369,4,''),(6659,'Issue',369,5,'_False Positives_\nVery likely, needs more tuning'),(6660,'Issue',369,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"7\" AND process.executable.keyword:(*\\\\notepad.exe) AND event_data.ImageLoaded.keyword:(*\\\\samlib.dll OR *\\\\WinSCard.dll))\nindex: so-*\nname: Possible Process Hollowing Image Loading\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(6661,'Issue',369,9,'{{collapse(View Sigma)\n\n\ntitle: Possible Process Hollowing Image Loading\nid: e32ce4f5-46c6-4c47-ba69-5de3c9193cd7\nstatus: experimental\ndescription: Detects Loading of samlib.dll, WinSCard.dll from untypical process e.g.\n through process hollowing by Mimikatz\nreferences:\n- https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for.html\nauthor: Markus Neis\ndate: 2018/01/07\ntags:\n- attack.defense_evasion\n- attack.t1073\nlogsource:\n product: windows\n service: sysmon\ndetection:\n selection:\n EventID: 7\n Image:\n - \'*\\notepad.exe\'\n ImageLoaded:\n - \'*\\samlib.dll\'\n - \'*\\WinSCard.dll\'\n condition: selection\nfalsepositives:\n- Very likely, needs more tuning\nlevel: high\n\n
\n}}'),(6662,'Issue',369,15,'T1073'),(6663,'Issue',370,1,'DLL Load via LSASS'),(6664,'Issue',370,2,'Florian Roth'),(6665,'Issue',370,8,'https://blog.xpnsec.com/exploring-mimikatz-part-1/\nhttps://twitter.com/SBousseaden/status/1183745981189427200'),(6666,'Issue',370,10,'high'),(6667,'Issue',370,13,'community'),(6668,'Issue',370,14,'windows'),(6670,'Issue',370,11,'351d4d774'),(6671,'Issue',370,12,'b3503044-60ce-4bf4-bbcb-e3db98788823'),(6672,'Issue',370,16,'win-sysmon'),(6673,'Issue',370,17,''),(6674,'Issue',370,7,''),(6675,'Issue',370,3,'Detects a method to load DLL via LSASS process using an undocumented Registry key'),(6676,'Issue',370,4,''),(6677,'Issue',370,5,'_False Positives_\nUnknown'),(6678,'Issue',370,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:(\"12\" OR \"13\") AND event_data.TargetObject.keyword:(*\\\\CurrentControlSet\\\\Services\\\\NTDS\\\\DirectoryServiceExtPt* OR *\\\\CurrentControlSet\\\\Services\\\\NTDS\\\\LsaDbExtPt*))\nindex: so-*\nname: DLL Load via LSASS\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(6679,'Issue',370,9,'{{collapse(View Sigma)\n\n\ntitle: DLL Load via LSASS\nid: b3503044-60ce-4bf4-bbcb-e3db98788823\nstatus: experimental\ndescription: Detects a method to load DLL via LSASS process using an undocumented\n Registry key\nauthor: Florian Roth\ndate: 2019/10/16\nreferences:\n- https://blog.xpnsec.com/exploring-mimikatz-part-1/\n- https://twitter.com/SBousseaden/status/1183745981189427200\nlogsource:\n product: windows\n service: sysmon\ndetection:\n selection:\n EventID:\n - 12\n - 13\n TargetObject:\n - \'*\\CurrentControlSet\\Services\\NTDS\\DirectoryServiceExtPt*\'\n - \'*\\CurrentControlSet\\Services\\NTDS\\LsaDbExtPt*\'\n condition: selection\ntags:\n- attack.execution\n- attack.t1177\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(6680,'Issue',370,15,'T1177'),(6681,'Issue',371,1,'dotNET DLL Loaded Via Office Applications'),(6682,'Issue',371,2,'Antonlovesdnb'),(6683,'Issue',371,8,'https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16'),(6684,'Issue',371,10,'high'),(6685,'Issue',371,13,'community'),(6686,'Issue',371,14,'windows'),(6688,'Issue',371,11,'0080b54ee'),(6689,'Issue',371,12,'ff0f2b05-09db-4095-b96d-1b75ca24894a'),(6690,'Issue',371,16,'win-sysmon'),(6691,'Issue',371,17,''),(6692,'Issue',371,7,''),(6693,'Issue',371,3,'Detects any assembly DLL being loaded by an Office Product'),(6694,'Issue',371,4,''),(6695,'Issue',371,5,'_False Positives_\nAlerts on legitimate macro usage as well, will need to filter as appropriate'),(6696,'Issue',371,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"7\" AND process.executable.keyword:(*\\\\winword.exe* OR *\\\\powerpnt.exe* OR *\\\\excel.exe* OR *\\\\outlook.exe*) AND event_data.ImageLoaded.keyword:(*C\\:\\\\Windows\\\\assembly\\*))\nindex: so-*\nname: dotNET DLL Loaded Via Office Applications\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(6697,'Issue',371,9,'{{collapse(View Sigma)\n\n\ntitle: dotNET DLL Loaded Via Office Applications\nid: ff0f2b05-09db-4095-b96d-1b75ca24894a\nstatus: experimental\ndescription: Detects any assembly DLL being loaded by an Office Product\nreferences:\n- https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16\nauthor: Antonlovesdnb\ndate: 2020/02/19\ntags:\n- attack.initial_access\n- attack.t1193\nlogsource:\n product: windows\n service: sysmon\ndetection:\n selection:\n EventID: 7\n Image:\n - \'*\\winword.exe*\'\n - \'*\\powerpnt.exe*\'\n - \'*\\excel.exe*\'\n - \'*\\outlook.exe*\'\n ImageLoaded:\n - \'*C:\\Windows\\assembly\\*\'\n condition: selection\nfalsepositives:\n- Alerts on legitimate macro usage as well, will need to filter as appropriate\nlevel: high\n\n
\n}}'),(6698,'Issue',371,15,'T1193'),(6699,'Issue',372,1,'CLR DLL Loaded Via Office Applications'),(6700,'Issue',372,2,'Antonlovesdnb'),(6701,'Issue',372,8,'https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16'),(6702,'Issue',372,10,'high'),(6703,'Issue',372,13,'community'),(6704,'Issue',372,14,'windows'),(6706,'Issue',372,11,'7105151cd'),(6707,'Issue',372,12,'d13c43f0-f66b-4279-8b2c-5912077c1780'),(6708,'Issue',372,16,'win-sysmon'),(6709,'Issue',372,17,''),(6710,'Issue',372,7,''),(6711,'Issue',372,3,'Detects CLR DLL being loaded by an Office Product'),(6712,'Issue',372,4,''),(6713,'Issue',372,5,'_False Positives_\nAlerts on legitimate macro usage as well, will need to filter as appropriate'),(6714,'Issue',372,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"7\" AND process.executable.keyword:(*\\\\winword.exe OR *\\\\powerpnt.exe OR *\\\\excel.exe OR *\\\\outlook.exe) AND event_data.ImageLoaded.keyword:(*\\\\clr.dll*))\nindex: so-*\nname: CLR DLL Loaded Via Office Applications\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(6715,'Issue',372,9,'{{collapse(View Sigma)\n\n\ntitle: CLR DLL Loaded Via Office Applications\nid: d13c43f0-f66b-4279-8b2c-5912077c1780\nstatus: experimental\ndescription: Detects CLR DLL being loaded by an Office Product\nreferences:\n- https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16\nauthor: Antonlovesdnb\ndate: 2020/02/19\ntags:\n- attack.initial_access\n- attack.t1193\nlogsource:\n product: windows\n service: sysmon\ndetection:\n selection:\n EventID: 7\n Image:\n - \'*\\winword.exe\'\n - \'*\\powerpnt.exe\'\n - \'*\\excel.exe\'\n - \'*\\outlook.exe\'\n ImageLoaded:\n - \'*\\clr.dll*\'\n condition: selection\nfalsepositives:\n- Alerts on legitimate macro usage as well, will need to filter as appropriate\nlevel: high\n\n
\n}}'),(6716,'Issue',372,15,'T1193'),(6717,'Issue',373,1,'GAC DLL Loaded Via Office Applications'),(6718,'Issue',373,2,'Antonlovesdnb'),(6719,'Issue',373,8,'https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16'),(6720,'Issue',373,10,'high'),(6721,'Issue',373,13,'community'),(6722,'Issue',373,14,'windows'),(6724,'Issue',373,11,'e450b3ce2'),(6725,'Issue',373,12,'90217a70-13fc-48e4-b3db-0d836c5824ac'),(6726,'Issue',373,16,'win-sysmon'),(6727,'Issue',373,17,''),(6728,'Issue',373,7,''),(6729,'Issue',373,3,'Detects any GAC DLL being loaded by an Office Product'),(6730,'Issue',373,4,''),(6731,'Issue',373,5,'_False Positives_\nAlerts on legitimate macro usage as well, will need to filter as appropriate'),(6732,'Issue',373,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"7\" AND process.executable.keyword:(*\\\\winword.exe* OR *\\\\powerpnt.exe* OR *\\\\excel.exe* OR *\\\\outlook.exe*) AND event_data.ImageLoaded.keyword:(*C\\:\\\\Windows\\\\Microsoft.NET\\\\assembly\\\\GAC_MSIL*))\nindex: so-*\nname: GAC DLL Loaded Via Office Applications\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(6733,'Issue',373,9,'{{collapse(View Sigma)\n\n\ntitle: GAC DLL Loaded Via Office Applications\nid: 90217a70-13fc-48e4-b3db-0d836c5824ac\nstatus: experimental\ndescription: Detects any GAC DLL being loaded by an Office Product\nreferences:\n- https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16\nauthor: Antonlovesdnb\ndate: 2020/02/19\ntags:\n- attack.initial_access\n- attack.t1193\nlogsource:\n product: windows\n service: sysmon\ndetection:\n selection:\n EventID: 7\n Image:\n - \'*\\winword.exe*\'\n - \'*\\powerpnt.exe*\'\n - \'*\\excel.exe*\'\n - \'*\\outlook.exe*\'\n ImageLoaded:\n - \'*C:\\Windows\\Microsoft.NET\\assembly\\GAC_MSIL*\'\n condition: selection\nfalsepositives:\n- Alerts on legitimate macro usage as well, will need to filter as appropriate\nlevel: high\n\n
\n}}'),(6734,'Issue',373,15,'T1193'),(6735,'Issue',374,1,'Active Directory Parsing DLL Loaded Via Office Applications'),(6736,'Issue',374,2,'Antonlovesdnb'),(6737,'Issue',374,8,'https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16'),(6738,'Issue',374,10,'high'),(6739,'Issue',374,13,'community'),(6740,'Issue',374,14,'windows'),(6742,'Issue',374,11,'203be1d6b'),(6743,'Issue',374,12,'a2a3b925-7bb0-433b-b508-db9003263cc4'),(6744,'Issue',374,16,'win-sysmon'),(6745,'Issue',374,17,''),(6746,'Issue',374,7,''),(6747,'Issue',374,3,'Detects DSParse DLL being loaded by an Office Product'),(6748,'Issue',374,4,''),(6749,'Issue',374,5,'_False Positives_\nAlerts on legitimate macro usage as well, will need to filter as appropriate'),(6750,'Issue',374,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"7\" AND process.executable.keyword:(*\\\\winword.exe OR *\\\\powerpnt.exe OR *\\\\excel.exe OR *\\\\outlook.exe) AND event_data.ImageLoaded.keyword:(*\\\\dsparse.dll*))\nindex: so-*\nname: Active Directory Parsing DLL Loaded Via Office Applications\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(6751,'Issue',374,9,'{{collapse(View Sigma)\n\n\ntitle: Active Directory Parsing DLL Loaded Via Office Applications\nid: a2a3b925-7bb0-433b-b508-db9003263cc4\nstatus: experimental\ndescription: Detects DSParse DLL being loaded by an Office Product\nreferences:\n- https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16\nauthor: Antonlovesdnb\ndate: 2020/02/19\ntags:\n- attack.initial_access\n- attack.t1193\nlogsource:\n product: windows\n service: sysmon\ndetection:\n selection:\n EventID: 7\n Image:\n - \'*\\winword.exe\'\n - \'*\\powerpnt.exe\'\n - \'*\\excel.exe\'\n - \'*\\outlook.exe\'\n ImageLoaded:\n - \'*\\dsparse.dll*\'\n condition: selection\nfalsepositives:\n- Alerts on legitimate macro usage as well, will need to filter as appropriate\nlevel: high\n\n
\n}}'),(6752,'Issue',374,15,'T1193'),(6753,'Issue',375,1,'Active Directory Kerberos DLL Loaded Via Office Applications'),(6754,'Issue',375,2,'Antonlovesdnb'),(6755,'Issue',375,8,'https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16'),(6756,'Issue',375,10,'high'),(6757,'Issue',375,13,'community'),(6758,'Issue',375,14,'windows'),(6760,'Issue',375,11,'3ce399676'),(6761,'Issue',375,12,'7417e29e-c2e7-4cf6-a2e8-767228c64837'),(6762,'Issue',375,16,'win-sysmon'),(6763,'Issue',375,17,''),(6764,'Issue',375,7,''),(6765,'Issue',375,3,'Detects Kerberos DLL being loaded by an Office Product'),(6766,'Issue',375,4,''),(6767,'Issue',375,5,'_False Positives_\nAlerts on legitimate macro usage as well, will need to filter as appropriate'),(6768,'Issue',375,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"7\" AND process.executable.keyword:(*\\\\winword.exe* OR *\\\\powerpnt.exe* OR *\\\\excel.exe* OR *\\\\outlook.exe*) AND event_data.ImageLoaded.keyword:(*\\\\kerberos.dll*))\nindex: so-*\nname: Active Directory Kerberos DLL Loaded Via Office Applications\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(6769,'Issue',375,9,'{{collapse(View Sigma)\n\n\ntitle: Active Directory Kerberos DLL Loaded Via Office Applications\nid: 7417e29e-c2e7-4cf6-a2e8-767228c64837\nstatus: experimental\ndescription: Detects Kerberos DLL being loaded by an Office Product\nreferences:\n- https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16\nauthor: Antonlovesdnb\ndate: 2020/02/19\ntags:\n- attack.initial_access\n- attack.t1193\nlogsource:\n product: windows\n service: sysmon\ndetection:\n selection:\n EventID: 7\n Image:\n - \'*\\winword.exe*\'\n - \'*\\powerpnt.exe*\'\n - \'*\\excel.exe*\'\n - \'*\\outlook.exe*\'\n ImageLoaded:\n - \'*\\kerberos.dll*\'\n condition: selection\nfalsepositives:\n- Alerts on legitimate macro usage as well, will need to filter as appropriate\nlevel: high\n\n
\n}}'),(6770,'Issue',375,15,'T1193'),(6771,'Issue',376,1,'PowerShell Rundll32 Remote Thread Creation'),(6772,'Issue',376,2,'Florian Roth'),(6773,'Issue',376,8,'https://www.fireeye.com/blog/threat-research/2018/06/bring-your-own-land-novel-red-teaming-technique.html'),(6774,'Issue',376,10,'high'),(6775,'Issue',376,13,'community'),(6776,'Issue',376,14,'windows'),(6778,'Issue',376,11,'037897459'),(6779,'Issue',376,12,'99b97608-3e21-4bfe-8217-2a127c396a0e'),(6780,'Issue',376,16,'win-sysmon'),(6781,'Issue',376,17,''),(6782,'Issue',376,7,''),(6783,'Issue',376,3,'Detects PowerShell remote thread creation in Rundll32.exe'),(6784,'Issue',376,4,''),(6785,'Issue',376,5,'_False Positives_\nUnkown'),(6786,'Issue',376,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"8\" AND event_data.SourceImage.keyword:*\\\\powershell.exe AND event_data.TargetImage.keyword:*\\\\rundll32.exe)\nindex: so-*\nname: PowerShell Rundll32 Remote Thread Creation\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(6787,'Issue',376,9,'{{collapse(View Sigma)\n\n\ntitle: PowerShell Rundll32 Remote Thread Creation\nid: 99b97608-3e21-4bfe-8217-2a127c396a0e\nstatus: experimental\ndescription: Detects PowerShell remote thread creation in Rundll32.exe\nauthor: Florian Roth\nreferences:\n- https://www.fireeye.com/blog/threat-research/2018/06/bring-your-own-land-novel-red-teaming-technique.html\ndate: 2018/06/25\nlogsource:\n product: windows\n service: sysmon\ndetection:\n selection:\n EventID: 8\n SourceImage: \'*\\powershell.exe\'\n TargetImage: \'*\\rundll32.exe\'\n condition: selection\ntags:\n- attack.defense_evasion\n- attack.execution\n- attack.t1085\n- attack.t1086\nfalsepositives:\n- Unkown\nlevel: high\n\n
\n}}'),(6788,'Issue',376,15,'T1085'),(6789,'Issue',376,15,'T1086'),(6790,'Issue',377,1,'Suspicious PROCEXP152.sys File Created In TMP'),(6791,'Issue',377,2,'xknow (@xknow_infosec), xorxes (@xor_xes)'),(6792,'Issue',377,8,'https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/'),(6793,'Issue',377,10,'medium'),(6794,'Issue',377,13,'community'),(6795,'Issue',377,14,'windows'),(6797,'Issue',377,11,'9af1e153b'),(6798,'Issue',377,12,'3da70954-0f2c-4103-adff-b7440368f50e'),(6799,'Issue',377,16,'win-sysmon'),(6800,'Issue',377,17,''),(6801,'Issue',377,7,''),(6802,'Issue',377,3,'Detects the creation of the PROCEXP152.sys file in the application-data local temporary folder. This driver is used by Sysinternals Process Explorer but also by KDU (https://github.com/hfiref0x/KDU) or Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs), which uses KDU.'),(6803,'Issue',377,4,''),(6804,'Issue',377,5,'_False Positives_\nOther legimate tools using this driver and filename (like Sysinternals). Note - Clever attackers may easily bypass this detection by just renaming the driver filename. Therefore just Medium-level and don\'t rely on it.'),(6805,'Issue',377,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (event.code:\"11\" AND event_data.TargetFilename.keyword:*\\\\AppData\\\\Local\\\\Temp\\*\\\\PROCEXP152.sys) AND (NOT (process.executable.keyword:(*\\\\procexp64.exe* OR *\\\\procexp.exe* OR *\\\\procmon64.exe* OR *\\\\procmon.exe*))))\nindex: so-*\nname: Suspicious PROCEXP152.sys File Created In TMP\npriority: 3\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(6806,'Issue',377,9,'{{collapse(View Sigma)\n\n\ntitle: Suspicious PROCEXP152.sys File Created In TMP\nid: 3da70954-0f2c-4103-adff-b7440368f50e\ndescription: Detects the creation of the PROCEXP152.sys file in the application-data\n local temporary folder. This driver is used by Sysinternals Process Explorer but\n also by KDU (https://github.com/hfiref0x/KDU) or Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs),\n which uses KDU.\nstatus: experimental\ndate: 2019/04/08\nauthor: xknow (@xknow_infosec), xorxes (@xor_xes)\nreferences:\n- https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/\ntags:\n- attack.t1089\n- attack.defense_evasion\nlogsource:\n product: windows\n service: sysmon\ndetection:\n selection_1:\n EventID: 11\n TargetFilename: \'*\\AppData\\Local\\Temp\\*\\PROCEXP152.sys\'\n selection_2:\n Image|contains:\n - \'*\\procexp64.exe\'\n - \'*\\procexp.exe\'\n - \'*\\procmon64.exe\'\n - \'*\\procmon.exe\'\n condition: selection_1 and not selection_2\nfalsepositives:\n- Other legimate tools using this driver and filename (like Sysinternals). Note -\n Clever attackers may easily bypass this detection by just renaming the driver filename.\n Therefore just Medium-level and don\'t rely on it.\nlevel: medium\n\n
\n}}'),(6807,'Issue',377,15,'T1089'),(6808,'Issue',378,1,'Suspicious Program Location with Network Connections'),(6809,'Issue',378,2,'Florian Roth'),(6810,'Issue',378,8,'https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo'),(6811,'Issue',378,10,'high'),(6812,'Issue',378,13,'community'),(6813,'Issue',378,14,'windows'),(6814,'Issue',378,15,''),(6815,'Issue',378,11,'58575f239'),(6816,'Issue',378,12,'7b434893-c57d-4f41-908d-6a17bf1ae98f'),(6817,'Issue',378,16,'win-sysmon'),(6818,'Issue',378,17,''),(6819,'Issue',378,7,''),(6820,'Issue',378,3,'Detects programs with network connections running in suspicious files system locations'),(6821,'Issue',378,4,''),(6822,'Issue',378,5,'_False Positives_\nunknown'),(6823,'Issue',378,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"3\" AND process.executable.keyword:(*\\\\$Recycle.bin OR *\\\\Users\\\\All\\ Users\\\\* OR *\\\\Users\\\\Default\\\\* OR *\\\\Users\\\\Public\\\\* OR *\\\\Users\\\\Contacts\\\\* OR *\\\\Users\\\\Searches\\\\* OR C\\:\\\\Perflogs\\\\* OR *\\\\config\\\\systemprofile\\\\* OR *\\\\Windows\\\\Fonts\\\\* OR *\\\\Windows\\\\IME\\\\* OR *\\\\Windows\\\\addins\\\\*))\nindex: so-*\nname: Suspicious Program Location with Network Connections\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(6824,'Issue',378,9,'{{collapse(View Sigma)\n\n\ntitle: Suspicious Program Location with Network Connections\nid: 7b434893-c57d-4f41-908d-6a17bf1ae98f\nstatus: experimental\ndescription: Detects programs with network connections running in suspicious files\n system locations\nreferences:\n- https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo\nauthor: Florian Roth\ndate: 2017/03/19\nlogsource:\n product: windows\n service: sysmon\n definition: Use the following config to generate the necessary Event ID 3 Network\n Connection events\ndetection:\n selection:\n EventID: 3\n Image:\n - \'*\\$Recycle.bin\'\n - \'*\\Users\\All Users\\\\*\'\n - \'*\\Users\\Default\\\\*\'\n - \'*\\Users\\Public\\\\*\'\n - \'*\\Users\\Contacts\\\\*\'\n - \'*\\Users\\Searches\\\\*\'\n - C:\\Perflogs\\\\*\n - \'*\\config\\systemprofile\\\\*\'\n - \'*\\Windows\\Fonts\\\\*\'\n - \'*\\Windows\\IME\\\\*\'\n - \'*\\Windows\\addins\\\\*\'\n condition: selection\nfalsepositives:\n- unknown\nlevel: high\n\n
\n}}'),(6825,'Issue',379,1,'Suspicious Outbound RDP Connections'),(6826,'Issue',379,2,'Markus Neis - Swisscom'),(6827,'Issue',379,8,'https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708'),(6828,'Issue',379,10,'high'),(6829,'Issue',379,13,'community'),(6830,'Issue',379,14,'windows'),(6832,'Issue',379,11,'9f1b0b238'),(6833,'Issue',379,12,'ed74fe75-7594-4b4b-ae38-e38e3fd2eb23'),(6834,'Issue',379,16,'win-sysmon'),(6835,'Issue',379,17,''),(6836,'Issue',379,7,''),(6837,'Issue',379,3,'Detects Non-Standard Tools Connecting to TCP port 3389 indicating possible lateral movement'),(6838,'Issue',379,4,''),(6839,'Issue',379,5,'_False Positives_\nOther Remote Desktop RDP tools'),(6840,'Issue',379,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (event.code:\"3\" AND destination_port:\"3389\" AND event_data.Initiated:\"true\") AND (NOT (process.executable.keyword:(*\\\\mstsc.exe OR *\\\\RTSApp.exe OR *\\\\RTS2App.exe OR *\\\\RDCMan.exe OR *\\\\ws_TunnelService.exe OR *\\\\RSSensor.exe OR *\\\\RemoteDesktopManagerFree.exe OR *\\\\RemoteDesktopManager.exe OR *\\\\RemoteDesktopManager64.exe OR *\\\\mRemoteNG.exe OR *\\\\mRemote.exe OR *\\\\Terminals.exe OR *\\\\spiceworks\\-finder.exe OR *\\\\FSDiscovery.exe OR *\\\\FSAssessment.exe OR *\\\\MobaRTE.exe OR *\\\\chrome.exe OR *\\\\thor.exe OR *\\\\thor64.exe))))\nindex: so-*\nname: Suspicious Outbound RDP Connections\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(6841,'Issue',379,9,'{{collapse(View Sigma)\n\n\ntitle: Suspicious Outbound RDP Connections\nid: ed74fe75-7594-4b4b-ae38-e38e3fd2eb23\nstatus: experimental\ndescription: Detects Non-Standard Tools Connecting to TCP port 3389 indicating possible\n lateral movement\nreferences:\n- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708\nauthor: Markus Neis - Swisscom\ndate: 2019/05/15\ntags:\n- attack.lateral_movement\n- attack.t1210\n- car.2013-07-002\nlogsource:\n product: windows\n service: sysmon\ndetection:\n selection:\n EventID: 3\n DestinationPort: 3389\n Initiated: \'true\'\n filter:\n Image:\n - \'*\\mstsc.exe\'\n - \'*\\RTSApp.exe\'\n - \'*\\RTS2App.exe\'\n - \'*\\RDCMan.exe\'\n - \'*\\ws_TunnelService.exe\'\n - \'*\\RSSensor.exe\'\n - \'*\\RemoteDesktopManagerFree.exe\'\n - \'*\\RemoteDesktopManager.exe\'\n - \'*\\RemoteDesktopManager64.exe\'\n - \'*\\mRemoteNG.exe\'\n - \'*\\mRemote.exe\'\n - \'*\\Terminals.exe\'\n - \'*\\spiceworks-finder.exe\'\n - \'*\\FSDiscovery.exe\'\n - \'*\\FSAssessment.exe\'\n - \'*\\MobaRTE.exe\'\n - \'*\\chrome.exe\'\n - \'*\\thor.exe\'\n - \'*\\thor64.exe\'\n condition: selection and not filter\nfalsepositives:\n- Other Remote Desktop RDP tools\nlevel: high\n\n
\n}}'),(6842,'Issue',379,15,'T1210'),(6843,'Issue',380,1,'Registry Persistence via Explorer Run Key'),(6844,'Issue',380,2,'Florian Roth'),(6845,'Issue',380,8,'https://researchcenter.paloaltonetworks.com/2018/07/unit42-upatre-continues-evolve-new-anti-analysis-techniques/'),(6846,'Issue',380,10,'high'),(6847,'Issue',380,13,'community'),(6848,'Issue',380,14,'windows'),(6850,'Issue',380,11,'d976ce159'),(6851,'Issue',380,12,'b7916c2a-fa2f-4795-9477-32b731f70f11'),(6852,'Issue',380,16,'win-sysmon'),(6853,'Issue',380,17,''),(6854,'Issue',380,7,''),(6855,'Issue',380,3,'Detects a possible persistence mechanism using RUN key for Windows Explorer and pointing to a suspicious folder'),(6856,'Issue',380,4,''),(6857,'Issue',380,5,'_False Positives_\nUnknown\n\n_Interesting Log Fields_\nImage\nParentImage'),(6858,'Issue',380,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"13\" AND event_data.TargetObject.keyword:*\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run AND event_data.Details.keyword:(C\\:\\\\Windows\\\\Temp\\\\* OR C\\:\\\\ProgramData\\\\* OR *\\\\AppData\\\\* OR C\\:\\\\$Recycle.bin\\\\* OR C\\:\\\\Temp\\\\* OR C\\:\\\\Users\\\\Public\\\\* OR C\\:\\\\Users\\\\Default\\\\*))\nindex: so-*\nname: Registry Persistence via Explorer Run Key\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(6859,'Issue',380,9,'{{collapse(View Sigma)\n\n\ntitle: Registry Persistence via Explorer Run Key\nid: b7916c2a-fa2f-4795-9477-32b731f70f11\nstatus: experimental\ndescription: Detects a possible persistence mechanism using RUN key for Windows Explorer\n and pointing to a suspicious folder\nauthor: Florian Roth\ndate: 2018/07/18\nreferences:\n- https://researchcenter.paloaltonetworks.com/2018/07/unit42-upatre-continues-evolve-new-anti-analysis-techniques/\nlogsource:\n product: windows\n service: sysmon\ndetection:\n selection:\n EventID: 13\n TargetObject: \'*\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\'\n Details:\n - C:\\Windows\\Temp\\\\*\n - C:\\ProgramData\\\\*\n - \'*\\AppData\\\\*\'\n - C:\\$Recycle.bin\\\\*\n - C:\\Temp\\\\*\n - C:\\Users\\Public\\\\*\n - C:\\Users\\Default\\\\*\n condition: selection\ntags:\n- attack.persistence\n- attack.t1060\n- capec.270\nfields:\n- Image\n- ParentImage\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(6860,'Issue',380,15,'T1060'),(6861,'Issue',381,1,'New RUN Key Pointing to Suspicious Folder'),(6862,'Issue',381,2,'Florian Roth, Markus Neis'),(6863,'Issue',381,8,'https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html'),(6864,'Issue',381,10,'high'),(6865,'Issue',381,13,'community'),(6866,'Issue',381,14,'windows'),(6868,'Issue',381,11,'321e02b21'),(6869,'Issue',381,12,'02ee49e2-e294-4d0f-9278-f5b3212fc588'),(6870,'Issue',381,16,'win-sysmon'),(6871,'Issue',381,17,''),(6872,'Issue',381,7,''),(6873,'Issue',381,3,'Detects suspicious new RUN key element pointing to an executable in a suspicious folder'),(6874,'Issue',381,4,''),(6875,'Issue',381,5,'_False Positives_\nSoftware using the AppData folders for updates\n\n_Interesting Log Fields_\nImage'),(6876,'Issue',381,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (event.code:\"13\" AND event_data.TargetObject.keyword:(*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\* OR *\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\*) AND event_data.Details.keyword:(*C\\:\\\\Windows\\\\Temp\\\\* OR *\\\\AppData\\\\* OR %AppData%\\\\* OR *C\\:\\\\$Recycle.bin\\\\* OR *C\\:\\\\Temp\\\\* OR *C\\:\\\\Users\\\\Public\\\\* OR %Public%\\\\* OR *C\\:\\\\Users\\\\Default\\\\* OR *C\\:\\\\Users\\\\Desktop\\\\* OR wscript* OR cscript*)) AND (NOT (event_data.Details.keyword:(*\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\*))))\nindex: so-*\nname: New RUN Key Pointing to Suspicious Folder\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(6877,'Issue',381,9,'{{collapse(View Sigma)\n\n\ntitle: New RUN Key Pointing to Suspicious Folder\nid: 02ee49e2-e294-4d0f-9278-f5b3212fc588\nstatus: experimental\ndescription: Detects suspicious new RUN key element pointing to an executable in a\n suspicious folder\nreferences:\n- https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html\nauthor: Florian Roth, Markus Neis\ntags:\n- attack.persistence\n- attack.t1060\ndate: 2018/08/25\nmodified: 2020/02/26\nlogsource:\n product: windows\n service: sysmon\ndetection:\n selection:\n EventID: 13\n TargetObject:\n - \'*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\\\*\'\n - \'*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\\\*\'\n Details:\n - \'*C:\\Windows\\Temp\\\\*\'\n - \'*\\AppData\\\\*\'\n - \'%AppData%\\\\*\'\n - \'*C:\\$Recycle.bin\\\\*\'\n - \'*C:\\Temp\\\\*\'\n - \'*C:\\Users\\Public\\\\*\'\n - \'%Public%\\\\*\'\n - \'*C:\\Users\\Default\\\\*\'\n - \'*C:\\Users\\Desktop\\\\*\'\n - wscript*\n - cscript*\n filter:\n Details|contains:\n - \\AppData\\Local\\Microsoft\\OneDrive\\\n condition: selection and not filter\nfields:\n- Image\nfalsepositives:\n- Software using the AppData folders for updates\nlevel: high\n\n
\n}}'),(6878,'Issue',381,15,'T1060'),(6879,'Issue',382,1,'Suspicious Service Installed'),(6880,'Issue',382,2,'xknow (@xknow_infosec), xorxes (@xor_xes)'),(6881,'Issue',382,8,'https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/'),(6882,'Issue',382,10,'medium'),(6883,'Issue',382,13,'community'),(6884,'Issue',382,14,'windows'),(6886,'Issue',382,11,'9842ac371'),(6887,'Issue',382,12,'f2485272-a156-4773-82d7-1d178bc4905b'),(6888,'Issue',382,16,'win-sysmon'),(6889,'Issue',382,17,''),(6890,'Issue',382,7,''),(6891,'Issue',382,3,'Detects installation of NalDrv or PROCEXP152 services via registry-keys to non-system32 folders. Both services are used in the tool Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs), which uses KDU (https://github.com/hfiref0x/KDU)'),(6892,'Issue',382,4,''),(6893,'Issue',382,5,'_False Positives_\nOther legimate tools using this service names and drivers. Note - clever attackers may easily bypass this detection by just renaming the services. Therefore just Medium-level and don\'t rely on it.'),(6894,'Issue',382,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND ((event.code:\"13\" AND event_data.TargetObject:(\"HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\NalDrv\\\\ImagePath\" OR \"HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\PROCEXP152\\\\ImagePath\")) AND (NOT (process.executable.keyword:(*\\\\procexp64.exe* OR *\\\\procexp.exe* OR *\\\\procmon64.exe* OR *\\\\procmon.exe*)))) AND (NOT (event_data.Details.keyword:(*\\\\WINDOWS\\\\system32\\\\Drivers\\\\PROCEXP152.SYS*))))\nindex: so-*\nname: Suspicious Service Installed\npriority: 3\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(6895,'Issue',382,9,'{{collapse(View Sigma)\n\n\ntitle: Suspicious Service Installed\nid: f2485272-a156-4773-82d7-1d178bc4905b\ndescription: Detects installation of NalDrv or PROCEXP152 services via registry-keys\n to non-system32 folders. Both services are used in the tool Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs),\n which uses KDU (https://github.com/hfiref0x/KDU)\nstatus: experimental\ndate: 2019/04/08\nauthor: xknow (@xknow_infosec), xorxes (@xor_xes)\nreferences:\n- https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/\ntags:\n- attack.t1089\n- attack.defense_evasion\nlogsource:\n product: windows\n service: sysmon\ndetection:\n selection_1:\n EventID: 13\n TargetObject:\n - HKLM\\System\\CurrentControlSet\\Services\\NalDrv\\ImagePath\n - HKLM\\System\\CurrentControlSet\\Services\\PROCEXP152\\ImagePath\n selection_2:\n Image|contains:\n - \'*\\procexp64.exe\'\n - \'*\\procexp.exe\'\n - \'*\\procmon64.exe\'\n - \'*\\procmon.exe\'\n selection_3:\n Details|contains:\n - \'*\\WINDOWS\\system32\\Drivers\\PROCEXP152.SYS\'\n condition: selection_1 and not selection_2 and not selection_3\nfalsepositives:\n- Other legimate tools using this service names and drivers. Note - clever attackers\n may easily bypass this detection by just renaming the services. Therefore just Medium-level\n and don\'t rely on it.\nlevel: medium\n\n
\n}}'),(6896,'Issue',382,15,'T1089'),(6897,'Issue',383,1,'VBA DLL Loaded Via Microsoft Word'),(6898,'Issue',383,2,'Antonlovesdnb'),(6899,'Issue',383,8,'https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16'),(6900,'Issue',383,10,'high'),(6901,'Issue',383,13,'community'),(6902,'Issue',383,14,'windows'),(6904,'Issue',383,11,'53eb4530b'),(6905,'Issue',383,12,'e6ce8457-68b1-485b-9bdd-3c2b5d679aa9'),(6906,'Issue',383,16,'win-sysmon'),(6907,'Issue',383,17,''),(6908,'Issue',383,7,''),(6909,'Issue',383,3,'Detects DLL\'s Loaded Via Word Containing VBA Macros'),(6910,'Issue',383,4,''),(6911,'Issue',383,5,'_False Positives_\nAlerts on legitimate macro usage as well, will need to filter as appropriate'),(6912,'Issue',383,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"7\" AND process.executable.keyword:(*\\\\winword.exe* OR *\\\\powerpnt.exe* OR *\\\\excel.exe* OR *\\\\outlook.exe*) AND event_data.ImageLoaded.keyword:(*\\\\VBE7.DLL* OR *\\\\VBEUI.DLL* OR *\\\\VBE7INTL.DLL*))\nindex: so-*\nname: VBA DLL Loaded Via Microsoft Word\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(6913,'Issue',383,9,'{{collapse(View Sigma)\n\n\ntitle: VBA DLL Loaded Via Microsoft Word\nid: e6ce8457-68b1-485b-9bdd-3c2b5d679aa9\nstatus: experimental\ndescription: Detects DLL\'s Loaded Via Word Containing VBA Macros\nreferences:\n- https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16\nauthor: Antonlovesdnb\ndate: 2020/02/19\ntags:\n- attack.initial_access\n- attack.t1193\nlogsource:\n product: windows\n service: sysmon\ndetection:\n selection:\n EventID: 7\n Image:\n - \'*\\winword.exe*\'\n - \'*\\powerpnt.exe*\'\n - \'*\\excel.exe*\'\n - \'*\\outlook.exe*\'\n ImageLoaded:\n - \'*\\VBE7.DLL*\'\n - \'*\\VBEUI.DLL*\'\n - \'*\\VBE7INTL.DLL*\'\n condition: selection\nfalsepositives:\n- Alerts on legitimate macro usage as well, will need to filter as appropriate\nlevel: high\n\n
\n}}'),(6914,'Issue',383,15,'T1193'),(6915,'Issue',384,1,'Windows Mangement Instrumentation DLL Loaded Via Microsoft Word'),(6916,'Issue',384,2,'Michael R. (@nahamike01)'),(6917,'Issue',384,8,'https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16\nhttps://www.carbonblack.com/2019/04/24/cb-tau-threat-intelligence-notification-emotet-utilizing-wmi-to-launch-powershell-encoded-code/\nhttps://media.cert.europa.eu/static/SecurityAdvisories/2019/CERT-EU-SA2019-021.pdf'),(6918,'Issue',384,10,'high'),(6919,'Issue',384,13,'community'),(6920,'Issue',384,14,'windows'),(6922,'Issue',384,11,'b23e2aa5c'),(6923,'Issue',384,12,'a457f232-7df9-491d-898f-b5aabd2cbe2f'),(6924,'Issue',384,16,'win-sysmon'),(6925,'Issue',384,17,''),(6926,'Issue',384,7,''),(6927,'Issue',384,3,'Detects DLL\'s Loaded Via Word Containing VBA Macros Executing WMI Commands'),(6928,'Issue',384,4,''),(6929,'Issue',384,5,'_False Positives_\nPossible. Requires further testing.'),(6930,'Issue',384,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"7\" AND process.executable.keyword:(*\\\\winword.exe OR *\\\\powerpnt.exe OR *\\\\excel.exe OR *\\\\outlook.exe) AND event_data.ImageLoaded.keyword:(*\\\\wmiutils.dll OR *\\\\wbemcomn.dll OR *\\\\wbemprox.dll OR *\\\\wbemdisp.dll OR *\\\\wbemsvc.dll))\nindex: so-*\nname: Windows Mangement Instrumentation DLL Loaded Via Microsoft Word\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(6931,'Issue',384,9,'{{collapse(View Sigma)\n\n\ntitle: Windows Mangement Instrumentation DLL Loaded Via Microsoft Word\nid: a457f232-7df9-491d-898f-b5aabd2cbe2f\nstatus: experimental\ndescription: Detects DLL\'s Loaded Via Word Containing VBA Macros Executing WMI Commands\nreferences:\n- https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16\n- https://www.carbonblack.com/2019/04/24/cb-tau-threat-intelligence-notification-emotet-utilizing-wmi-to-launch-powershell-encoded-code/\n- https://media.cert.europa.eu/static/SecurityAdvisories/2019/CERT-EU-SA2019-021.pdf\nauthor: Michael R. (@nahamike01)\ndate: 2019/12/26\ntags:\n- attack.execution\n- attack.t1047\nlogsource:\n product: windows\n service: sysmon\ndetection:\n selection:\n EventID: 7\n Image:\n - \'*\\winword.exe\'\n - \'*\\powerpnt.exe\'\n - \'*\\excel.exe\'\n - \'*\\outlook.exe\'\n ImageLoaded:\n - \'*\\wmiutils.dll\'\n - \'*\\wbemcomn.dll\'\n - \'*\\wbemprox.dll\'\n - \'*\\wbemdisp.dll\'\n - \'*\\wbemsvc.dll\'\n condition: selection\nfalsepositives:\n- Possible. Requires further testing.\nlevel: high\n\n
\n}}'),(6932,'Issue',384,15,'T1047'),(6933,'Issue',385,1,'Suspicious Keyboard Layout Load'),(6934,'Issue',385,2,'Florian Roth'),(6935,'Issue',385,8,'https://renenyffenegger.ch/notes/Windows/registry/tree/HKEY_CURRENT_USER/Keyboard-Layout/Preload/index\nhttps://github.com/SwiftOnSecurity/sysmon-config/pull/92/files'),(6936,'Issue',385,10,'medium'),(6937,'Issue',385,13,'community'),(6938,'Issue',385,14,'windows'),(6939,'Issue',385,15,''),(6940,'Issue',385,11,'496ab3e58'),(6941,'Issue',385,12,'34aa0252-6039-40ff-951f-939fd6ce47d8'),(6942,'Issue',385,16,'win-sysmon'),(6943,'Issue',385,17,''),(6944,'Issue',385,7,''),(6945,'Issue',385,3,'Detects the keyboard preload installation with a suspicious keyboard layout, e.g. Chinese, Iranian or Vietnamese layout load in user session on systems maintained by US staff only'),(6946,'Issue',385,4,''),(6947,'Issue',385,5,'_False Positives_\nAdministrators or users that actually use the selected keyboard layouts (heavily depends on the organisation\'s user base)'),(6948,'Issue',385,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"13\" AND event_data.TargetObject.keyword:(*\\\\Keyboard\\ Layout\\\\Preload\\* OR *\\\\Keyboard\\ Layout\\\\Substitutes\\*) AND event_data.Details.keyword:(*00000429* OR *00050429* OR *0000042a*))\nindex: so-*\nname: Suspicious Keyboard Layout Load\npriority: 3\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(6949,'Issue',385,9,'{{collapse(View Sigma)\n\n\ntitle: Suspicious Keyboard Layout Load\nid: 34aa0252-6039-40ff-951f-939fd6ce47d8\ndescription: Detects the keyboard preload installation with a suspicious keyboard\n layout, e.g. Chinese, Iranian or Vietnamese layout load in user session on systems\n maintained by US staff only\nreferences:\n- https://renenyffenegger.ch/notes/Windows/registry/tree/HKEY_CURRENT_USER/Keyboard-Layout/Preload/index\n- https://github.com/SwiftOnSecurity/sysmon-config/pull/92/files\nauthor: Florian Roth\ndate: 2019/10/12\nmodified: 2019/10/15\nlogsource:\n product: windows\n service: sysmon\n definition: \'Requirements: Sysmon config that monitors \\Keyboard Layout\\Preload\n subkey of the HKLU hives - see https://github.com/SwiftOnSecurity/sysmon-config/pull/92/files\'\ndetection:\n selection_registry:\n EventID: 13\n TargetObject:\n - \'*\\Keyboard Layout\\Preload\\*\'\n - \'*\\Keyboard Layout\\Substitutes\\*\'\n Details|contains:\n - 429\n - 50429\n - 0000042a\n condition: selection_registry\nfalsepositives:\n- Administrators or users that actually use the selected keyboard layouts (heavily\n depends on the organisation\'s user base)\nlevel: medium\n\n
\n}}'),(6950,'Issue',386,1,'Suspicious Outbound Kerberos Connection'),(6951,'Issue',386,2,'Ilyas Ochkov, oscd.community'),(6952,'Issue',386,8,'https://github.com/GhostPack/Rubeus8'),(6953,'Issue',386,10,'high'),(6954,'Issue',386,13,'community'),(6955,'Issue',386,14,'windows'),(6957,'Issue',386,11,'b61a1dd2a'),(6958,'Issue',386,12,'e54979bd-c5f9-4d6c-967b-a04b19ac4c74'),(6959,'Issue',386,16,'win-sysmon'),(6960,'Issue',386,17,''),(6961,'Issue',386,7,''),(6962,'Issue',386,3,'Detects suspicious outbound network activity via kerberos default port indicating possible lateral movement or first stage PrivEsc via delegation.'),(6963,'Issue',386,4,''),(6964,'Issue',386,5,'_False Positives_\nOther browsers'),(6965,'Issue',386,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (event.code:\"3\" AND destination_port:\"88\" AND event_data.Initiated:\"true\") AND (NOT (process.executable.keyword:(*\\\\lsass.exe OR *\\\\opera.exe OR *\\\\chrome.exe OR *\\\\firefox.exe))))\nindex: so-*\nname: Suspicious Outbound Kerberos Connection\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(6966,'Issue',386,9,'{{collapse(View Sigma)\n\n\ntitle: Suspicious Outbound Kerberos Connection\nid: e54979bd-c5f9-4d6c-967b-a04b19ac4c74\nstatus: experimental\ndescription: Detects suspicious outbound network activity via kerberos default port\n indicating possible lateral movement or first stage PrivEsc via delegation.\nreferences:\n- https://github.com/GhostPack/Rubeus8\nauthor: Ilyas Ochkov, oscd.community\ndate: 2019/10/24\nmodified: 2019/11/13\ntags:\n- attack.lateral_movement\n- attack.t1208\nlogsource:\n product: windows\n service: sysmon\ndetection:\n selection:\n EventID: 3\n DestinationPort: 88\n Initiated: \'true\'\n filter:\n Image|endswith:\n - \\lsass.exe\n - \\opera.exe\n - \\chrome.exe\n - \\firefox.exe\n condition: selection and not filter\nfalsepositives:\n- Other browsers\nlevel: high\n\n
\n}}'),(6967,'Issue',386,15,'T1208'),(6968,'Issue',387,1,'Suspicious Remote Thread Created'),(6969,'Issue',387,2,'Perez Diego (@darkquassar), oscd.community'),(6970,'Issue',387,8,'Personal research, statistical analysis\nhttps://lolbas-project.github.io'),(6971,'Issue',387,10,'high'),(6972,'Issue',387,13,'community'),(6973,'Issue',387,14,'windows'),(6975,'Issue',387,11,'d107c9166'),(6976,'Issue',387,12,'66d31e5f-52d6-40a4-9615-002d3789a119'),(6977,'Issue',387,16,'win-sysmon'),(6978,'Issue',387,17,''),(6979,'Issue',387,7,''),(6980,'Issue',387,3,'Offensive tradecraft is switching away from using APIs like \"CreateRemoteThread\", however, this is still largely observed in the wild. This rule aims to detect suspicious processes (those we would not expect to behave in this way like word.exe or outlook.exe) creating remote threads on other processes. It is a generalistic rule, but it should have a low FP ratio due to the selected range of processes.'),(6981,'Issue',387,4,''),(6982,'Issue',387,5,'_False Positives_\nUnknown\n\n_Interesting Log Fields_\nComputerName\nUser\nSourceImage\nTargetImage'),(6983,'Issue',387,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (event.code:\"8\" AND event_data.SourceImage.keyword:(*\\\\bash.exe OR *\\\\cvtres.exe OR *\\\\defrag.exe OR *\\\\dnx.exe OR *\\\\esentutl.exe OR *\\\\excel.exe OR *\\\\expand.exe OR *\\\\explorer.exe OR *\\\\find.exe OR *\\\\findstr.exe OR *\\\\forfiles.exe OR *\\\\git.exe OR *\\\\gpupdate.exe OR *\\\\hh.exe OR *\\\\iexplore.exe OR *\\\\installutil.exe OR *\\\\lync.exe OR *\\\\makecab.exe OR *\\\\mDNSResponder.exe OR *\\\\monitoringhost.exe OR *\\\\msbuild.exe OR *\\\\mshta.exe OR *\\\\msiexec.exe OR *\\\\mspaint.exe OR *\\\\outlook.exe OR *\\\\ping.exe OR *\\\\powerpnt.exe OR *\\\\powershell.exe OR *\\\\provtool.exe OR *\\\\python.exe OR *\\\\regsvr32.exe OR *\\\\robocopy.exe OR *\\\\runonce.exe OR *\\\\sapcimc.exe OR *\\\\schtasks.exe OR *\\\\smartscreen.exe OR *\\\\spoolsv.exe OR *\\\\tstheme.exe OR *\\\\userinit.exe OR *\\\\vssadmin.exe OR *\\\\vssvc.exe OR *\\\\w3wp.exe* OR *\\\\winlogon.exe OR *\\\\winscp.exe OR *\\\\wmic.exe OR *\\\\word.exe OR *\\\\wscript.exe)) AND (NOT (event_data.SourceImage.keyword:*Visual\\ Studio*)))\nindex: so-*\nname: Suspicious Remote Thread Created\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(6984,'Issue',387,9,'{{collapse(View Sigma)\n\n\ntitle: Suspicious Remote Thread Created\nid: 66d31e5f-52d6-40a4-9615-002d3789a119\ndescription: Offensive tradecraft is switching away from using APIs like \"CreateRemoteThread\",\n however, this is still largely observed in the wild. This rule aims to detect suspicious\n processes (those we would not expect to behave in this way like word.exe or outlook.exe)\n creating remote threads on other processes. It is a generalistic rule, but it should\n have a low FP ratio due to the selected range of processes.\nnotes:\n- MonitoringHost.exe is a process that loads .NET CLR by default and thus a favorite\n for process injection for .NET in-memory offensive tools.\nstatus: experimental\ndate: 2019/10/27\nmodified: 2019/11/13\nauthor: Perez Diego (@darkquassar), oscd.community\nreferences:\n- Personal research, statistical analysis\n- https://lolbas-project.github.io\nlogsource:\n product: windows\n service: sysmon\ntags:\n- attack.privilege_escalation\n- attack.t1055\ndetection:\n selection:\n EventID: 8\n SourceImage|endswith:\n - \\bash.exe\n - \\cvtres.exe\n - \\defrag.exe\n - \\dnx.exe\n - \\esentutl.exe\n - \\excel.exe\n - \\expand.exe\n - \\explorer.exe\n - \\find.exe\n - \\findstr.exe\n - \\forfiles.exe\n - \\git.exe\n - \\gpupdate.exe\n - \\hh.exe\n - \\iexplore.exe\n - \\installutil.exe\n - \\lync.exe\n - \\makecab.exe\n - \\mDNSResponder.exe\n - \\monitoringhost.exe\n - \\msbuild.exe\n - \\mshta.exe\n - \\msiexec.exe\n - \\mspaint.exe\n - \\outlook.exe\n - \\ping.exe\n - \\powerpnt.exe\n - \\powershell.exe\n - \\provtool.exe\n - \\python.exe\n - \\regsvr32.exe\n - \\robocopy.exe\n - \\runonce.exe\n - \\sapcimc.exe\n - \\schtasks.exe\n - \\smartscreen.exe\n - \\spoolsv.exe\n - \\tstheme.exe\n - \\userinit.exe\n - \\vssadmin.exe\n - \\vssvc.exe\n - \\w3wp.exe*\n - \\winlogon.exe\n - \\winscp.exe\n - \\wmic.exe\n - \\word.exe\n - \\wscript.exe\n filter:\n SourceImage|contains: Visual Studio\n condition: selection AND NOT filter\nfields:\n- ComputerName\n- User\n- SourceImage\n- TargetImage\nlevel: high\nfalsepositives:\n- Unknown\n\n
\n}}'),(6985,'Issue',387,15,'T1055'),(6986,'Issue',388,1,'Svchost DLL Search Order Hijack'),(6987,'Issue',388,2,'SBousseaden'),(6988,'Issue',388,8,'https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992'),(6989,'Issue',388,10,'high'),(6990,'Issue',388,13,'community'),(6991,'Issue',388,14,'windows'),(6993,'Issue',388,11,'6ca7b2b85'),(6994,'Issue',388,12,'602a1f13-c640-4d73-b053-be9a2fa58b77'),(6995,'Issue',388,16,'win-sysmon'),(6996,'Issue',388,17,''),(6997,'Issue',388,7,''),(6998,'Issue',388,3,'IKEEXT and SessionEnv service, as they call LoadLibrary on files that do not exist within C:\\Windows\\System32\\ by default. An attacker can place their malicious logic within the PROCESS_ATTACH block of their library and restart the aforementioned services \"svchost.exe -k netsvcs\" to gain code execution on a remote machine.'),(6999,'Issue',388,4,''),(7000,'Issue',388,5,'_False Positives_\nPentest'),(7001,'Issue',388,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (event.code:\"7\" AND process.executable.keyword:(*\\\\svchost.exe) AND event_data.ImageLoaded.keyword:(*\\\\tsmsisrv.dll OR *\\\\tsvipsrv.dll OR *\\\\wlbsctrl.dll)) AND (NOT (event.code:\"7\" AND process.executable.keyword:(*\\\\svchost.exe) AND event_data.ImageLoaded:(\"C\\:\\\\Windows\\\\WinSxS\\*\"))))\nindex: so-*\nname: Svchost DLL Search Order Hijack\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(7002,'Issue',388,9,'{{collapse(View Sigma)\n\n\ntitle: Svchost DLL Search Order Hijack\nid: 602a1f13-c640-4d73-b053-be9a2fa58b77\nstatus: experimental\ndescription: IKEEXT and SessionEnv service, as they call LoadLibrary on files that\n do not exist within C:\\Windows\\System32\\ by default. An attacker can place their\n malicious logic within the PROCESS_ATTACH block of their library and restart the\n aforementioned services \"svchost.exe -k netsvcs\" to gain code execution on a remote\n machine.\nreferences:\n- https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992\nauthor: SBousseaden\ndate: 2019/10/28\ntags:\n- attack.persistence\n- attack.defense_evasion\n- attack.t1073\n- attack.t1038\n- attack.t1112\nlogsource:\n product: windows\n service: sysmon\ndetection:\n selection:\n EventID: 7\n Image:\n - \'*\\svchost.exe\'\n ImageLoaded:\n - \'*\\tsmsisrv.dll\'\n - \'*\\tsvipsrv.dll\'\n - \'*\\wlbsctrl.dll\'\n filter:\n EventID: 7\n Image:\n - \'*\\svchost.exe\'\n ImageLoaded:\n - C:\\Windows\\WinSxS\\*\n condition: selection and not filter\nfalsepositives:\n- Pentest\nlevel: high\n\n
\n}}'),(7003,'Issue',388,15,'T1073'),(7004,'Issue',388,15,'T1038'),(7005,'Issue',388,15,'T1112'),(7006,'Issue',389,1,'Hijack Legit RDP Session to Move Laterally'),(7007,'Issue',389,2,'Samir Bousseaden'),(7008,'Issue',389,8,'none'),(7009,'Issue',389,10,'high'),(7010,'Issue',389,13,'community'),(7011,'Issue',389,14,'windows'),(7012,'Issue',389,15,''),(7013,'Issue',389,11,'edf49a6c5'),(7014,'Issue',389,12,'52753ea4-b3a0-4365-910d-36cff487b789'),(7015,'Issue',389,16,'win-sysmon'),(7016,'Issue',389,17,''),(7017,'Issue',389,7,''),(7018,'Issue',389,3,'Detects the usage of tsclient share to place a backdoor on the RDP source machine\'s startup folder'),(7019,'Issue',389,4,''),(7020,'Issue',389,5,'_False Positives_\nunknown'),(7021,'Issue',389,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"11\" AND process.executable.keyword:*\\\\mstsc.exe AND TargetFileName.keyword:*\\\\Microsoft\\\\Windows\\\\Start\\ Menu\\\\Programs\\\\Startup\\\\*)\nindex: so-*\nname: Hijack Legit RDP Session to Move Laterally\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(7022,'Issue',389,9,'{{collapse(View Sigma)\n\n\ntitle: Hijack Legit RDP Session to Move Laterally\nid: 52753ea4-b3a0-4365-910d-36cff487b789\nstatus: experimental\ndescription: Detects the usage of tsclient share to place a backdoor on the RDP source\n machine\'s startup folder\ndate: 2019/02/21\nauthor: Samir Bousseaden\nlogsource:\n product: windows\n service: sysmon\ndetection:\n selection:\n EventID: 11\n Image: \'*\\mstsc.exe\'\n TargetFileName: \'*\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\\\*\'\n condition: selection\nfalsepositives:\n- unknown\nlevel: high\n\n
\n}}'),(7023,'Issue',390,1,'UAC Bypass via Event Viewer'),(7024,'Issue',390,2,'Florian Roth'),(7025,'Issue',390,8,'https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/\nhttps://www.hybrid-analysis.com/sample/e122bc8bf291f15cab182a5d2d27b8db1e7019e4e96bb5cdbd1dfe7446f3f51f?environmentId=100'),(7026,'Issue',390,10,'critical'),(7027,'Issue',390,13,'community'),(7028,'Issue',390,14,'windows'),(7030,'Issue',390,11,'266938263'),(7031,'Issue',390,12,'7c81fec3-1c1d-43b0-996a-46753041b1b6'),(7032,'Issue',390,16,'win-sysmon'),(7033,'Issue',390,17,''),(7034,'Issue',390,7,''),(7035,'Issue',390,3,'Detects UAC bypass method using Windows event viewer'),(7036,'Issue',390,4,''),(7037,'Issue',390,5,'_False Positives_\nunknown\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(7038,'Issue',390,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND ((event.code:\"13\" AND event_data.TargetObject.keyword:HKU\\\\*\\\\mscfile\\\\shell\\\\open\\\\command) OR (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (event.code:\"1\" AND process.parent.executable.keyword:*\\\\eventvwr.exe) AND (NOT (process.executable.keyword:*\\\\mmc.exe)))))\nindex: so-*\nname: UAC Bypass via Event Viewer\npriority: 1\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(7039,'Issue',390,9,'{{collapse(View Sigma)\n\n\ntitle: UAC Bypass via Event Viewer\nid: 7c81fec3-1c1d-43b0-996a-46753041b1b6\nstatus: experimental\ndescription: Detects UAC bypass method using Windows event viewer\nreferences:\n- https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/\n- https://www.hybrid-analysis.com/sample/e122bc8bf291f15cab182a5d2d27b8db1e7019e4e96bb5cdbd1dfe7446f3f51f?environmentId=100\nauthor: Florian Roth\ndate: 2017/03/19\nlogsource:\n product: windows\n service: sysmon\ndetection:\n methregistry:\n EventID: 13\n TargetObject: HKU\\\\*\\mscfile\\shell\\open\\command\n methprocess:\n EventID: 1\n ParentImage: \'*\\eventvwr.exe\'\n filterprocess:\n Image: \'*\\mmc.exe\'\n condition: methregistry or ( methprocess and not filterprocess )\nfields:\n- CommandLine\n- ParentCommandLine\ntags:\n- attack.defense_evasion\n- attack.privilege_escalation\n- attack.t1088\n- car.2019-04-001\nfalsepositives:\n- unknown\nlevel: critical\n\n
\n}}'),(7040,'Issue',390,15,'T1088'),(7041,'Issue',391,1,'UAC Bypass via Sdclt'),(7042,'Issue',391,2,'Omer Yampel'),(7043,'Issue',391,8,'https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/'),(7044,'Issue',391,10,'high'),(7045,'Issue',391,13,'community'),(7046,'Issue',391,14,'windows'),(7048,'Issue',391,11,'269c211ef'),(7049,'Issue',391,12,'5b872a46-3b90-45c1-8419-f675db8053aa'),(7050,'Issue',391,16,'win-sysmon'),(7051,'Issue',391,17,''),(7052,'Issue',391,7,''),(7053,'Issue',391,3,'Detects changes to HKCU:\\Software\\Classes\\exefile\\shell\\runas\\command\\isolatedCommand'),(7054,'Issue',391,4,''),(7055,'Issue',391,5,'_False Positives_\nunknown'),(7056,'Issue',391,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"13\" AND event_data.TargetObject.keyword:HKU\\\\*_Classes\\\\exefile\\\\shell\\\\runas\\\\command\\\\isolatedCommand)\nindex: so-*\nname: UAC Bypass via Sdclt\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(7057,'Issue',391,9,'{{collapse(View Sigma)\n\n\ntitle: UAC Bypass via Sdclt\nid: 5b872a46-3b90-45c1-8419-f675db8053aa\nstatus: experimental\ndescription: Detects changes to HKCU:\\Software\\Classes\\exefile\\shell\\runas\\command\\isolatedCommand\nreferences:\n- https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/\nauthor: Omer Yampel\ndate: 2017/03/17\nlogsource:\n product: windows\n service: sysmon\ndetection:\n selection:\n EventID: 13\n TargetObject: HKU\\\\*_Classes\\exefile\\shell\\runas\\command\\isolatedCommand\n condition: selection\ntags:\n- attack.defense_evasion\n- attack.privilege_escalation\n- attack.t1088\n- car.2019-04-001\nfalsepositives:\n- unknown\nlevel: high\n\n
\n}}'),(7058,'Issue',391,15,'T1088'),(7059,'Issue',392,1,'Unsigned Image Loaded Into LSASS Process'),(7060,'Issue',392,2,'Teymur Kheirkhabarov, oscd.community'),(7061,'Issue',392,8,'https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment'),(7062,'Issue',392,10,'medium'),(7063,'Issue',392,13,'community'),(7064,'Issue',392,14,'windows'),(7066,'Issue',392,11,'23f5b5af8'),(7067,'Issue',392,12,'857c8db3-c89b-42fb-882b-f681c7cf4da2'),(7068,'Issue',392,16,'win-sysmon'),(7069,'Issue',392,17,''),(7070,'Issue',392,7,''),(7071,'Issue',392,3,'Loading unsigned image (DLL, EXE) into LSASS process'),(7072,'Issue',392,4,''),(7073,'Issue',392,5,'_False Positives_\nValid user connecting using RDP'),(7074,'Issue',392,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"7\" AND process.executable.keyword:*\\\\lsass.exe AND Signed:\"false\")\nindex: so-*\nname: Unsigned Image Loaded Into LSASS Process\npriority: 3\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(7075,'Issue',392,9,'{{collapse(View Sigma)\n\n\ntitle: Unsigned Image Loaded Into LSASS Process\nid: 857c8db3-c89b-42fb-882b-f681c7cf4da2\ndescription: Loading unsigned image (DLL, EXE) into LSASS process\nauthor: Teymur Kheirkhabarov, oscd.community\ndate: 2019/10/22\nmodified: 2019/11/13\nreferences:\n- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment\ntags:\n- attack.credential_access\n- attack.t1003\nlogsource:\n product: windows\n service: sysmon\ndetection:\n selection:\n EventID: 7\n Image|endswith: \\lsass.exe\n Signed: \'false\'\n condition: selection\nfalsepositives:\n- Valid user connecting using RDP\nstatus: experimental\nlevel: medium\n\n
\n}}'),(7076,'Issue',392,15,'T1003'),(7077,'Issue',393,1,'Windows Webshell Creation'),(7078,'Issue',393,2,'Beyu Denis, oscd.community'),(7079,'Issue',393,8,'PT ESC rule and personal experience'),(7080,'Issue',393,10,'critical'),(7081,'Issue',393,13,'community'),(7082,'Issue',393,14,'windows'),(7084,'Issue',393,11,'2f30d8784'),(7085,'Issue',393,12,'39f1f9f2-9636-45de-98f6-a4046aa8e4b9'),(7086,'Issue',393,16,'win-sysmon'),(7087,'Issue',393,17,''),(7088,'Issue',393,7,''),(7089,'Issue',393,3,'Possible webshell file creation on a static web site'),(7090,'Issue',393,4,''),(7091,'Issue',393,5,'_False Positives_\nLegitimate administrator or developer creating legitimate executable files in a web application folder'),(7092,'Issue',393,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"11\" AND ((event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND ((event_data.TargetFilename.keyword:*\\\\inetpub\\\\wwwroot\\* AND event_data.TargetFilename.keyword:(*.asp* OR *.ashx* OR *.ph*)) OR (event_data.TargetFilename.keyword:(*\\\\www\\* OR *\\\\htdocs\\* OR *\\\\html\\*) AND event_data.TargetFilename.keyword:*.ph*))) OR (event_data.TargetFilename.keyword:*.jsp OR (event_data.TargetFilename.keyword:*\\\\cgi\\-bin\\* AND event_data.TargetFilename.keyword:*.pl*))))\nindex: so-*\nname: Windows Webshell Creation\npriority: 1\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(7093,'Issue',393,9,'{{collapse(View Sigma)\n\n\ntitle: Windows Webshell Creation\nid: 39f1f9f2-9636-45de-98f6-a4046aa8e4b9\nstatus: experimental\ndescription: Possible webshell file creation on a static web site\nreferences:\n- PT ESC rule and personal experience\nauthor: Beyu Denis, oscd.community\ndate: 2019/10/22\nmodified: 2019/11/04\ntags:\n- attack.persistence\n- attack.t1100\nlevel: critical\nlogsource:\n product: windows\n service: sysmon\ndetection:\n selection_1:\n EventID: 11\n selection_2:\n TargetFilename|contains: \\inetpub\\wwwroot\\\n selection_3:\n TargetFilename|contains:\n - .asp\n - .ashx\n - .ph\n selection_4:\n TargetFilename|contains:\n - \\www\\\n - \\htdocs\\\n - \\html\\\n selection_5:\n TargetFilename|contains: .ph\n selection_6:\n - TargetFilename|endswith: .jsp\n - TargetFilename|contains|all:\n - \\cgi-bin\\\n - .pl\n condition: selection_1 and ( selection_2 and selection_3 ) or selection_1 and (\n selection_4 and selection_5 ) or selection_1 and selection_6\nfalsepositives:\n- Legitimate administrator or developer creating legitimate executable files in a\n web application folder\n\n
\n}}'),(7094,'Issue',393,15,'T1100'),(7095,'Issue',394,1,'Microsoft Binary Github Communication'),(7096,'Issue',394,2,'Michael Haag (idea), Florian Roth (rule)'),(7097,'Issue',394,8,'https://twitter.com/M_haggis/status/900741347035889665\nhttps://twitter.com/M_haggis/status/1032799638213066752'),(7098,'Issue',394,10,'high'),(7099,'Issue',394,13,'community'),(7100,'Issue',394,14,'windows'),(7102,'Issue',394,11,'04a41c5fb'),(7103,'Issue',394,12,'635dbb88-67b3-4b41-9ea5-a3af2dd88153'),(7104,'Issue',394,16,'win-sysmon'),(7105,'Issue',394,17,''),(7106,'Issue',394,7,''),(7107,'Issue',394,3,'Detects an executable in the Windows folder accessing github.com'),(7108,'Issue',394,4,''),(7109,'Issue',394,5,'_False Positives_\nUnknown\n@subTee in your network'),(7110,'Issue',394,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"3\" AND event_data.Initiated:\"true\" AND event_data.DestinationHostname.keyword:(*.github.com OR *.githubusercontent.com) AND process.executable.keyword:C\\:\\\\Windows\\\\*)\nindex: so-*\nname: Microsoft Binary Github Communication\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(7111,'Issue',394,9,'{{collapse(View Sigma)\n\n\ntitle: Microsoft Binary Github Communication\nid: 635dbb88-67b3-4b41-9ea5-a3af2dd88153\nstatus: experimental\ndescription: Detects an executable in the Windows folder accessing github.com\nreferences:\n- https://twitter.com/M_haggis/status/900741347035889665\n- https://twitter.com/M_haggis/status/1032799638213066752\nauthor: Michael Haag (idea), Florian Roth (rule)\ndate: 2017/08/24\ntags:\n- attack.lateral_movement\n- attack.t1105\nlogsource:\n product: windows\n service: sysmon\ndetection:\n selection:\n EventID: 3\n Initiated: \'true\'\n DestinationHostname:\n - \'*.github.com\'\n - \'*.githubusercontent.com\'\n Image: C:\\Windows\\\\*\n condition: selection\nfalsepositives:\n- Unknown\n- \'@subTee in your network\'\nlevel: high\n\n
\n}}'),(7112,'Issue',394,15,'T1105'),(7113,'Issue',395,1,'Microsoft Binary Suspicious Communication Endpoint'),(7114,'Issue',395,2,'Florian Roth'),(7115,'Issue',395,8,'https://twitter.com/M_haggis/status/900741347035889665\nhttps://twitter.com/M_haggis/status/1032799638213066752'),(7116,'Issue',395,10,'high'),(7117,'Issue',395,13,'community'),(7118,'Issue',395,14,'windows'),(7120,'Issue',395,11,'847f9c649'),(7121,'Issue',395,12,'e0f8ab85-0ac9-423b-a73a-81b3c7b1aa97'),(7122,'Issue',395,16,'win-sysmon'),(7123,'Issue',395,17,''),(7124,'Issue',395,7,''),(7125,'Issue',395,3,'Detects an executable in the Windows folder accessing suspicious domains'),(7126,'Issue',395,4,''),(7127,'Issue',395,5,'_False Positives_\nUnknown'),(7128,'Issue',395,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"3\" AND event_data.Initiated:\"true\" AND event_data.DestinationHostname.keyword:(*dl.dropboxusercontent.com OR *.pastebin.com OR *.githubusercontent.com) AND process.executable.keyword:C\\:\\\\Windows\\\\*)\nindex: so-*\nname: Microsoft Binary Suspicious Communication Endpoint\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(7129,'Issue',395,9,'{{collapse(View Sigma)\n\n\ntitle: Microsoft Binary Suspicious Communication Endpoint\nid: e0f8ab85-0ac9-423b-a73a-81b3c7b1aa97\nstatus: experimental\ndescription: Detects an executable in the Windows folder accessing suspicious domains\nreferences:\n- https://twitter.com/M_haggis/status/900741347035889665\n- https://twitter.com/M_haggis/status/1032799638213066752\nauthor: Florian Roth\ndate: 2018/08/30\ntags:\n- attack.lateral_movement\n- attack.t1105\nlogsource:\n product: windows\n service: sysmon\ndetection:\n selection:\n EventID: 3\n Initiated: \'true\'\n DestinationHostname:\n - \'*dl.dropboxusercontent.com\'\n - \'*.pastebin.com\'\n - \'*.githubusercontent.com\'\n Image: C:\\Windows\\\\*\n condition: selection\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(7130,'Issue',395,15,'T1105'),(7131,'Issue',396,1,'Registry Persistence Mechanisms'),(7132,'Issue',396,2,'Karneades'),(7133,'Issue',396,8,'https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/'),(7134,'Issue',396,10,'critical'),(7135,'Issue',396,13,'community'),(7136,'Issue',396,14,'windows'),(7138,'Issue',396,11,'b6d5e6bc2'),(7139,'Issue',396,12,'36803969-5421-41ec-b92f-8500f79c23b0'),(7140,'Issue',396,16,'win-sysmon'),(7141,'Issue',396,17,''),(7142,'Issue',396,7,''),(7143,'Issue',396,3,'Detects persistence registry keys'),(7144,'Issue',396,4,''),(7145,'Issue',396,5,'_False Positives_\nunknown'),(7146,'Issue',396,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"13\" AND event_data.TargetObject.keyword:(*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\ NT\\\\CurrentVersion\\\\Image\\ File\\ Execution\\ Options\\\\*\\\\GlobalFlag OR *\\\\SOFTWARE\\\\Microsoft\\\\Windows\\ NT\\\\CurrentVersion\\\\SilentProcessExit\\\\*\\\\ReportingMode OR *\\\\SOFTWARE\\\\Microsoft\\\\Windows\\ NT\\\\CurrentVersion\\\\SilentProcessExit\\\\*\\\\MonitorProcess) AND event_data.EventType:\"SetValue\")\nindex: so-*\nname: Registry Persistence Mechanisms\npriority: 1\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(7147,'Issue',396,9,'{{collapse(View Sigma)\n\n\ntitle: Registry Persistence Mechanisms\nid: 36803969-5421-41ec-b92f-8500f79c23b0\ndescription: Detects persistence registry keys\nreferences:\n- https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/\ndate: 2018/04/11\nauthor: Karneades\nlogsource:\n product: windows\n service: sysmon\ndetection:\n selection_reg1:\n EventID: 13\n TargetObject:\n - \'*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\\\*\\GlobalFlag\'\n - \'*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\\\*\\ReportingMode\'\n - \'*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\\\*\\MonitorProcess\'\n EventType: SetValue\n condition: selection_reg1\ntags:\n- attack.privilege_escalation\n- attack.persistence\n- attack.defense_evasion\n- attack.t1183\n- car.2013-01-002\nfalsepositives:\n- unknown\nlevel: critical\n\n
\n}}'),(7148,'Issue',396,15,'T1183'),(7149,'Issue',397,1,'WMI Event Subscription'),(7150,'Issue',397,2,'Tom Ueltschi (@c_APT_ure)'),(7151,'Issue',397,8,'https://attack.mitre.org/techniques/T1084/'),(7152,'Issue',397,10,'high'),(7153,'Issue',397,13,'community'),(7154,'Issue',397,14,'windows'),(7156,'Issue',397,11,'9dd7ef828'),(7157,'Issue',397,12,'0f06a3a5-6a09-413f-8743-e6cf35561297'),(7158,'Issue',397,16,'win-sysmon'),(7159,'Issue',397,17,''),(7160,'Issue',397,7,''),(7161,'Issue',397,3,'Detects creation of WMI event subscription persistence method'),(7162,'Issue',397,4,''),(7163,'Issue',397,5,'_False Positives_\nexclude legitimate (vetted) use of WMI event subscription in your network'),(7164,'Issue',397,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:(\"19\" OR \"20\" OR \"21\"))\nindex: so-*\nname: WMI Event Subscription\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(7165,'Issue',397,9,'{{collapse(View Sigma)\n\n\ntitle: WMI Event Subscription\nid: 0f06a3a5-6a09-413f-8743-e6cf35561297\nstatus: experimental\ndescription: Detects creation of WMI event subscription persistence method\nreferences:\n- https://attack.mitre.org/techniques/T1084/\ntags:\n- attack.t1084\n- attack.persistence\nauthor: Tom Ueltschi (@c_APT_ure)\ndate: 2019/01/12\nlogsource:\n product: windows\n service: sysmon\ndetection:\n selector:\n EventID:\n - 19\n - 20\n - 21\n condition: selector\nfalsepositives:\n- exclude legitimate (vetted) use of WMI event subscription in your network\nlevel: high\n\n
\n}}'),(7166,'Issue',397,15,'T1084'),(7167,'Issue',398,1,'WMI Modules Loaded'),(7168,'Issue',398,2,'Roberto Rodriguez @Cyb3rWard0g'),(7169,'Issue',398,8,'https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1047_windows_management_instrumentation/wmi_wmi_module_load.md'),(7170,'Issue',398,10,'high'),(7171,'Issue',398,13,'community'),(7172,'Issue',398,14,'windows'),(7174,'Issue',398,11,'eaf1ac318'),(7175,'Issue',398,12,'671bb7e3-a020-4824-a00e-2ee5b55f385e'),(7176,'Issue',398,16,'win-sysmon'),(7177,'Issue',398,17,''),(7178,'Issue',398,7,''),(7179,'Issue',398,3,'Detects non wmiprvse loading WMI modules'),(7180,'Issue',398,4,''),(7181,'Issue',398,5,'_False Positives_\nUnknown\n\n_Interesting Log Fields_\nComputerName\nUser\nImage\nImageLoaded'),(7182,'Issue',398,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (event.code:\"7\" AND event_data.ImageLoaded.keyword:(*\\\\wmiclnt.dll OR *\\\\WmiApRpl.dll OR *\\\\wmiprov.dll OR *\\\\wmiutils.dll OR *\\\\wbemcomn.dll OR *\\\\wbemprox.dll OR *\\\\WMINet_Utils.dll OR *\\\\wbemsvc.dll OR *\\\\fastprox.dll)) AND (NOT (process.executable.keyword:(*\\\\WmiPrvSe.exe OR *\\\\WmiPrvSE.exe OR *\\\\WmiAPsrv.exe OR *\\\\svchost.exe))))\nindex: so-*\nname: WMI Modules Loaded\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(7183,'Issue',398,9,'{{collapse(View Sigma)\n\n\ntitle: WMI Modules Loaded\nid: 671bb7e3-a020-4824-a00e-2ee5b55f385e\ndescription: Detects non wmiprvse loading WMI modules\nstatus: experimental\ndate: 2019/08/10\nmodified: 2019/11/10\nauthor: Roberto Rodriguez @Cyb3rWard0g\nreferences:\n- https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1047_windows_management_instrumentation/wmi_wmi_module_load.md\ntags:\n- attack.execution\n- attack.t1047\nlogsource:\n product: windows\n service: sysmon\ndetection:\n selection:\n EventID: 7\n ImageLoaded|endswith:\n - \\wmiclnt.dll\n - \\WmiApRpl.dll\n - \\wmiprov.dll\n - \\wmiutils.dll\n - \\wbemcomn.dll\n - \\wbemprox.dll\n - \\WMINet_Utils.dll\n - \\wbemsvc.dll\n - \\fastprox.dll\n filter:\n Image|endswith:\n - \\WmiPrvSe.exe\n - \\WmiPrvSE.exe\n - \\WmiAPsrv.exe\n - \\svchost.exe\n condition: selection and not filter\nfields:\n- ComputerName\n- User\n- Image\n- ImageLoaded\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(7184,'Issue',398,15,'T1047'),(7185,'Issue',399,1,'WMI Persistence - Command Line Event Consumer'),(7186,'Issue',399,2,'Thomas Patzke'),(7187,'Issue',399,8,'https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/'),(7188,'Issue',399,10,'high'),(7189,'Issue',399,13,'community'),(7190,'Issue',399,14,'windows'),(7192,'Issue',399,11,'9e9efa320'),(7193,'Issue',399,12,'05936ce2-ee05-4dae-9d03-9a391cf2d2c6'),(7194,'Issue',399,16,'win-sysmon'),(7195,'Issue',399,17,''),(7196,'Issue',399,7,''),(7197,'Issue',399,3,'Detects WMI command line event consumers'),(7198,'Issue',399,4,''),(7199,'Issue',399,5,'_False Positives_\nUnknown (data set is too small; further testing needed)'),(7200,'Issue',399,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"7\" AND process.executable:\"C\\:\\\\Windows\\\\System32\\\\wbem\\\\WmiPrvSE.exe\" AND event_data.ImageLoaded:\"wbemcons.dll\")\nindex: so-*\nname: WMI Persistence - Command Line Event Consumer\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(7201,'Issue',399,9,'{{collapse(View Sigma)\n\n\ntitle: WMI Persistence - Command Line Event Consumer\nid: 05936ce2-ee05-4dae-9d03-9a391cf2d2c6\nstatus: experimental\ndescription: Detects WMI command line event consumers\nreferences:\n- https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/\nauthor: Thomas Patzke\ndate: 2018/03/07\ntags:\n- attack.t1084\n- attack.persistence\nlogsource:\n product: windows\n service: sysmon\ndetection:\n selection:\n EventID: 7\n Image: C:\\Windows\\System32\\wbem\\WmiPrvSE.exe\n ImageLoaded: wbemcons.dll\n condition: selection\nfalsepositives:\n- Unknown (data set is too small; further testing needed)\nlevel: high\n\n
\n}}'),(7202,'Issue',399,15,'T1084'),(7203,'Issue',400,1,'WMI Persistence - Script Event Consumer File Write'),(7204,'Issue',400,2,'Thomas Patzke'),(7205,'Issue',400,8,'https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/'),(7206,'Issue',400,10,'high'),(7207,'Issue',400,13,'community'),(7208,'Issue',400,14,'windows'),(7210,'Issue',400,11,'9ec7edf07'),(7211,'Issue',400,12,'33f41cdd-35ac-4ba8-814b-c6a4244a1ad4'),(7212,'Issue',400,16,'win-sysmon'),(7213,'Issue',400,17,''),(7214,'Issue',400,7,''),(7215,'Issue',400,3,'Detects file writes of WMI script event consumer'),(7216,'Issue',400,4,''),(7217,'Issue',400,5,'_False Positives_\nUnknown (data set is too small; further testing needed)'),(7218,'Issue',400,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"11\" AND process.executable:\"C\\:\\\\WINDOWS\\\\system32\\\\wbem\\\\scrcons.exe\")\nindex: so-*\nname: WMI Persistence - Script Event Consumer File Write\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(7219,'Issue',400,9,'{{collapse(View Sigma)\n\n\ntitle: WMI Persistence - Script Event Consumer File Write\nid: 33f41cdd-35ac-4ba8-814b-c6a4244a1ad4\nstatus: experimental\ndescription: Detects file writes of WMI script event consumer\nreferences:\n- https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/\nauthor: Thomas Patzke\ndate: 2018/03/07\ntags:\n- attack.t1084\n- attack.persistence\nlogsource:\n product: windows\n service: sysmon\ndetection:\n selection:\n EventID: 11\n Image: C:\\WINDOWS\\system32\\wbem\\scrcons.exe\n condition: selection\nfalsepositives:\n- Unknown (data set is too small; further testing needed)\nlevel: high\n\n
\n}}'),(7220,'Issue',400,15,'T1084'),(7221,'Issue',401,1,'Suspicious Scripting in a WMI Consumer'),(7222,'Issue',401,2,'Florian Roth'),(7223,'Issue',401,8,'https://in.security/an-intro-into-abusing-and-identifying-wmi-event-subscriptions-for-persistence/\nhttps://github.com/Neo23x0/signature-base/blob/master/yara/gen_susp_lnk_files.yar#L19'),(7224,'Issue',401,10,'high'),(7225,'Issue',401,13,'community'),(7226,'Issue',401,14,'windows'),(7228,'Issue',401,11,'5e0c4b4b2'),(7229,'Issue',401,12,'fe21810c-2a8c-478f-8dd3-5a287fb2a0e0'),(7230,'Issue',401,16,'win-sysmon'),(7231,'Issue',401,17,''),(7232,'Issue',401,7,''),(7233,'Issue',401,3,'Detects suspicious scripting in WMI Event Consumers'),(7234,'Issue',401,4,''),(7235,'Issue',401,5,'_False Positives_\nAdministrative scripts\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(7236,'Issue',401,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event.code:\"20\" AND Destination.keyword:(*new\\-object\\ system.net.webclient\\).downloadstring\\(* OR *new\\-object\\ system.net.webclient\\).downloadfile\\(* OR *new\\-object\\ net.webclient\\).downloadstring\\(* OR *new\\-object\\ net.webclient\\).downloadfile\\(* OR *\\ iex\\(* OR *WScript.shell* OR *\\ \\-nop\\ * OR *\\ \\-noprofile\\ * OR *\\ \\-decode\\ * OR *\\ \\-enc\\ *))\nindex: so-*\nname: Suspicious Scripting in a WMI Consumer\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(7237,'Issue',401,9,'{{collapse(View Sigma)\n\n\ntitle: Suspicious Scripting in a WMI Consumer\nid: fe21810c-2a8c-478f-8dd3-5a287fb2a0e0\nstatus: experimental\ndescription: Detects suspicious scripting in WMI Event Consumers\nauthor: Florian Roth\nreferences:\n- https://in.security/an-intro-into-abusing-and-identifying-wmi-event-subscriptions-for-persistence/\n- https://github.com/Neo23x0/signature-base/blob/master/yara/gen_susp_lnk_files.yar#L19\ndate: 2019/04/15\ntags:\n- attack.t1086\n- attack.execution\nlogsource:\n product: windows\n service: sysmon\ndetection:\n selection:\n EventID: 20\n Destination:\n - \'*new-object system.net.webclient).downloadstring(*\'\n - \'*new-object system.net.webclient).downloadfile(*\'\n - \'*new-object net.webclient).downloadstring(*\'\n - \'*new-object net.webclient).downloadfile(*\'\n - \'* iex(*\'\n - \'*WScript.shell*\'\n - \'* -nop *\'\n - \'* -noprofile *\'\n - \'* -decode *\'\n - \'* -enc *\'\n condition: selection\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Administrative scripts\nlevel: high\n\n
\n}}'),(7238,'Issue',401,15,'T1086'),(7239,'Issue',402,1,'APT29'),(7240,'Issue',402,2,'Florian Roth'),(7241,'Issue',402,8,'https://cloudblogs.microsoft.com/microsoftsecure/2018/12/03/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers/'),(7242,'Issue',402,10,'critical'),(7243,'Issue',402,13,'community'),(7244,'Issue',402,14,'windows'),(7246,'Issue',402,11,'3eea01490'),(7247,'Issue',402,12,'033fe7d6-66d1-4240-ac6b-28908009c71f'),(7248,'Issue',402,16,'win-proc'),(7249,'Issue',402,17,''),(7250,'Issue',402,7,''),(7251,'Issue',402,3,'This method detects a suspicious powershell command line combination as used by APT29 in a campaign against US think tanks'),(7252,'Issue',402,4,''),(7253,'Issue',402,5,'_False Positives_\nunknown'),(7254,'Issue',402,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:*\\-noni\\ \\-ep\\ bypass\\ $*)\nindex: so-*\nname: APT29\npriority: 1\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(7255,'Issue',402,9,'{{collapse(View Sigma)\n\n\ntitle: APT29\nid: 033fe7d6-66d1-4240-ac6b-28908009c71f\ndescription: This method detects a suspicious powershell command line combination\n as used by APT29 in a campaign against US think tanks\nreferences:\n- https://cloudblogs.microsoft.com/microsoftsecure/2018/12/03/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers/\ntags:\n- attack.execution\n- attack.g0016\n- attack.t1086\nauthor: Florian Roth\ndate: 2018/12/04\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n CommandLine: \'*-noni -ep bypass $*\'\n condition: selection\nfalsepositives:\n- unknown\nlevel: critical\n\n
\n}}'),(7256,'Issue',402,15,'T1086'),(7257,'Issue',403,1,'Baby Shark Activity'),(7258,'Issue',403,2,'Florian Roth'),(7259,'Issue',403,8,'https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/'),(7260,'Issue',403,10,'high'),(7261,'Issue',403,13,'community'),(7262,'Issue',403,14,'windows'),(7264,'Issue',403,11,'e1e3ed75c'),(7265,'Issue',403,12,'2b30fa36-3a18-402f-a22d-bf4ce2189f35'),(7266,'Issue',403,16,'win-proc'),(7267,'Issue',403,17,''),(7268,'Issue',403,7,''),(7269,'Issue',403,3,'Detects activity that could be related to Baby Shark malware'),(7270,'Issue',403,4,''),(7271,'Issue',403,5,'_False Positives_\nunknown'),(7272,'Issue',403,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(reg\\ query\\ \\\"HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Terminal\\ Server\\ Client\\\\Default\\\" OR powershell.exe\\ mshta.exe\\ http* OR cmd.exe\\ \\/c\\ taskkill\\ \\/im\\ cmd.exe))\nindex: so-*\nname: Baby Shark Activity\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(7273,'Issue',403,9,'{{collapse(View Sigma)\n\n\ntitle: Baby Shark Activity\nid: 2b30fa36-3a18-402f-a22d-bf4ce2189f35\nstatus: experimental\ndescription: Detects activity that could be related to Baby Shark malware\nreferences:\n- https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/\ntags:\n- attack.execution\n- attack.t1059\n- attack.t1086\n- attack.discovery\n- attack.t1012\n- attack.defense_evasion\n- attack.t1170\nlogsource:\n category: process_creation\n product: windows\nauthor: Florian Roth\ndate: 2019/02/24\ndetection:\n selection:\n CommandLine:\n - reg query \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Default\"\n - powershell.exe mshta.exe http*\n - cmd.exe /c taskkill /im cmd.exe\n condition: selection\nfalsepositives:\n- unknown\nlevel: high\n\n
\n}}'),(7274,'Issue',403,15,'T1059'),(7275,'Issue',403,15,'T1086'),(7276,'Issue',403,15,'T1012'),(7277,'Issue',403,15,'T1170'),(7278,'Issue',404,1,'Judgement Panda Credential Access Activity'),(7279,'Issue',404,2,'Florian Roth'),(7280,'Issue',404,8,'https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/'),(7281,'Issue',404,10,'critical'),(7282,'Issue',404,13,'community'),(7283,'Issue',404,14,'windows'),(7285,'Issue',404,11,'ebeeba7dd'),(7286,'Issue',404,12,'b83f5166-9237-4b5e-9cd4-7b5d52f4d8ee'),(7287,'Issue',404,16,'win-proc'),(7288,'Issue',404,17,''),(7289,'Issue',404,7,''),(7290,'Issue',404,3,'Detects Russian group activity as described in Global Threat Report 2019 by Crowdstrike'),(7291,'Issue',404,4,''),(7292,'Issue',404,5,'_False Positives_\nunknown'),(7293,'Issue',404,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND ((process.executable.keyword:*\\\\xcopy.exe AND process.command_line.keyword:*\\ \\/S\\ \\/E\\ \\/C\\ \\/Q\\ \\/H\\ \\\\*) OR (process.executable.keyword:*\\\\adexplorer.exe AND process.command_line.keyword:*\\ \\-snapshot\\ \\\"\\\"\\ c\\:\\\\users\\\\*)))\nindex: so-*\nname: Judgement Panda Credential Access Activity\npriority: 1\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(7294,'Issue',404,9,'{{collapse(View Sigma)\n\n\ntitle: Judgement Panda Credential Access Activity\nid: b83f5166-9237-4b5e-9cd4-7b5d52f4d8ee\ndescription: Detects Russian group activity as described in Global Threat Report 2019\n by Crowdstrike\nreferences:\n- https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/\nauthor: Florian Roth\ndate: 2019/02/21\ntags:\n- attack.credential_access\n- attack.t1081\n- attack.t1003\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection1:\n Image: \'*\\xcopy.exe\'\n CommandLine: \'* /S /E /C /Q /H \\\\*\'\n selection2:\n Image: \'*\\adexplorer.exe\'\n CommandLine: \'* -snapshot \"\" c:\\users\\\\*\'\n condition: selection1 or selection2\nfalsepositives:\n- unknown\nlevel: critical\n\n
\n}}'),(7295,'Issue',404,15,'T1081'),(7296,'Issue',404,15,'T1003'),(7297,'Issue',405,1,'BlueMashroom DLL Load'),(7298,'Issue',405,2,'Florian Roth'),(7299,'Issue',405,8,'https://www.virusbulletin.com/conference/vb2019/abstracts/apt-cases-exploiting-vulnerabilities-region-specific-software'),(7300,'Issue',405,10,'critical'),(7301,'Issue',405,13,'community'),(7302,'Issue',405,14,'windows'),(7304,'Issue',405,11,'8bb8cf273'),(7305,'Issue',405,12,'bd70d3f8-e60e-4d25-89f0-0b5a9cff20e0'),(7306,'Issue',405,16,'win-proc'),(7307,'Issue',405,17,''),(7308,'Issue',405,7,''),(7309,'Issue',405,3,'Detects a suspicious DLL loading from AppData Local path as described in BlueMashroom report'),(7310,'Issue',405,4,''),(7311,'Issue',405,5,'_False Positives_\nUnlikely'),(7312,'Issue',405,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(*\\\\regsvr32*\\\\AppData\\\\Local\\\\* OR *\\\\AppData\\\\Local\\\\*,DllEntry*))\nindex: so-*\nname: BlueMashroom DLL Load\npriority: 1\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(7313,'Issue',405,9,'{{collapse(View Sigma)\n\n\ntitle: BlueMashroom DLL Load\nid: bd70d3f8-e60e-4d25-89f0-0b5a9cff20e0\nstatus: experimental\ndescription: Detects a suspicious DLL loading from AppData Local path as described\n in BlueMashroom report\nreferences:\n- https://www.virusbulletin.com/conference/vb2019/abstracts/apt-cases-exploiting-vulnerabilities-region-specific-software\ntags:\n- attack.defense_evasion\n- attack.t1117\nauthor: Florian Roth\ndate: 2019/10/02\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n CommandLine:\n - \'*\\regsvr32*\\AppData\\Local\\\\*\'\n - \'*\\AppData\\Local\\\\*,DllEntry*\'\n condition: selection\nfalsepositives:\n- Unlikely\nlevel: critical\n\n
\n}}'),(7314,'Issue',405,15,'T1117'),(7315,'Issue',406,1,'WMIExec VBS Script'),(7316,'Issue',406,2,'Florian Roth'),(7317,'Issue',406,8,'https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf'),(7318,'Issue',406,10,'critical'),(7319,'Issue',406,13,'community'),(7320,'Issue',406,14,'windows'),(7322,'Issue',406,11,'5b1ed0159'),(7323,'Issue',406,12,'966e4016-627f-44f7-8341-f394905c361f'),(7324,'Issue',406,16,'win-proc'),(7325,'Issue',406,17,''),(7326,'Issue',406,7,''),(7327,'Issue',406,3,'Detects suspicious file execution by wscript and cscript'),(7328,'Issue',406,4,''),(7329,'Issue',406,5,'_False Positives_\nUnlikely\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(7330,'Issue',406,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\cscript.exe AND process.command_line.keyword:*.vbs\\ \\/shell\\ *)\nindex: so-*\nname: WMIExec VBS Script\npriority: 1\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(7331,'Issue',406,9,'{{collapse(View Sigma)\n\n\ntitle: WMIExec VBS Script\nid: 966e4016-627f-44f7-8341-f394905c361f\ndescription: Detects suspicious file execution by wscript and cscript\nauthor: Florian Roth\ndate: 2017/04/07\nreferences:\n- https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf\ntags:\n- attack.execution\n- attack.g0045\n- attack.t1064\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n Image: \'*\\cscript.exe\'\n CommandLine: \'*.vbs /shell *\'\n condition: selection\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Unlikely\nlevel: critical\n\n
\n}}'),(7332,'Issue',406,15,'T1064'),(7333,'Issue',407,1,'CrackMapExecWin'),(7334,'Issue',407,2,'Markus Neis'),(7335,'Issue',407,8,'https://www.ncsc.gov.uk/alerts/hostile-state-actors-compromising-uk-organisations-focus-engineering-and-industrial-control'),(7336,'Issue',407,10,'critical'),(7337,'Issue',407,13,'community'),(7338,'Issue',407,14,'windows'),(7339,'Issue',407,15,''),(7340,'Issue',407,11,'3fa886226'),(7341,'Issue',407,12,'04d9079e-3905-4b70-ad37-6bdf11304965'),(7342,'Issue',407,16,'win-proc'),(7343,'Issue',407,17,''),(7344,'Issue',407,7,''),(7345,'Issue',407,3,'Detects CrackMapExecWin Activity as Described by NCSC'),(7346,'Issue',407,4,''),(7347,'Issue',407,5,'_False Positives_\nNone'),(7348,'Issue',407,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:(*\\\\crackmapexec.exe))\nindex: so-*\nname: CrackMapExecWin\npriority: 1\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(7349,'Issue',407,9,'{{collapse(View Sigma)\n\n\ntitle: CrackMapExecWin\nid: 04d9079e-3905-4b70-ad37-6bdf11304965\ndescription: Detects CrackMapExecWin Activity as Described by NCSC\nstatus: experimental\nreferences:\n- https://www.ncsc.gov.uk/alerts/hostile-state-actors-compromising-uk-organisations-focus-engineering-and-industrial-control\ntags:\n- attack.g0035\nauthor: Markus Neis\ndate: 2018/04/08\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n Image:\n - \'*\\crackmapexec.exe\'\n condition: selection\nfalsepositives:\n- None\nlevel: critical\n\n
\n}}'),(7350,'Issue',408,1,'Elise Backdoor'),(7351,'Issue',408,2,'Florian Roth'),(7352,'Issue',408,8,'https://community.rsa.com/community/products/netwitness/blog/2018/02/13/lotus-blossom-continues-asean-targeting'),(7353,'Issue',408,10,'critical'),(7354,'Issue',408,13,'community'),(7355,'Issue',408,14,'windows'),(7356,'Issue',408,15,''),(7357,'Issue',408,11,'c59e20ad4'),(7358,'Issue',408,12,'e507feb7-5f73-4ef6-a970-91bb6f6d744f'),(7359,'Issue',408,16,'win-proc'),(7360,'Issue',408,17,''),(7361,'Issue',408,7,''),(7362,'Issue',408,3,'Detects Elise backdoor acitivty as used by APT32'),(7363,'Issue',408,4,''),(7364,'Issue',408,5,'_False Positives_\nUnknown'),(7365,'Issue',408,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND ((process.executable:\"C\\:\\\\Windows\\\\SysWOW64\\\\cmd.exe\" AND process.command_line.keyword:*\\\\Windows\\\\Caches\\\\NavShExt.dll\\ *) OR process.command_line.keyword:*\\\\AppData\\\\Roaming\\\\MICROS\\~1\\\\Windows\\\\Caches\\\\NavShExt.dll,Setting))\nindex: so-*\nname: Elise Backdoor\npriority: 1\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(7366,'Issue',408,9,'{{collapse(View Sigma)\n\n\ntitle: Elise Backdoor\nid: e507feb7-5f73-4ef6-a970-91bb6f6d744f\nstatus: experimental\ndescription: Detects Elise backdoor acitivty as used by APT32\nreferences:\n- https://community.rsa.com/community/products/netwitness/blog/2018/02/13/lotus-blossom-continues-asean-targeting\ntags:\n- attack.g0030\n- attack.g0050\n- attack.s0081\nauthor: Florian Roth\ndate: 2018/01/31\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection1:\n Image: C:\\Windows\\SysWOW64\\cmd.exe\n CommandLine: \'*\\Windows\\Caches\\NavShExt.dll *\'\n selection2:\n CommandLine: \'*\\AppData\\Roaming\\MICROS~1\\Windows\\Caches\\NavShExt.dll,Setting\'\n condition: 1 of them\nfalsepositives:\n- Unknown\nlevel: critical\n\n
\n}}'),(7367,'Issue',409,1,'Emissary Panda Malware SLLauncher'),(7368,'Issue',409,2,'Florian Roth'),(7369,'Issue',409,8,'https://app.any.run/tasks/579e7587-f09d-4aae-8b07-472833262965\nhttps://twitter.com/cyb3rops/status/1168863899531132929'),(7370,'Issue',409,10,'critical'),(7371,'Issue',409,13,'community'),(7372,'Issue',409,14,'windows'),(7373,'Issue',409,15,''),(7374,'Issue',409,11,'5e4b7990b'),(7375,'Issue',409,12,'9aa01d62-7667-4d3b-acb8-8cb5103e2014'),(7376,'Issue',409,16,'win-proc'),(7377,'Issue',409,17,''),(7378,'Issue',409,7,''),(7379,'Issue',409,3,'Detects the execution of DLL side-loading malware used by threat group Emissary Panda aka APT27'),(7380,'Issue',409,4,''),(7381,'Issue',409,5,'_False Positives_\nUnknown'),(7382,'Issue',409,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.parent.executable.keyword:*\\\\sllauncher.exe AND process.executable.keyword:*\\\\svchost.exe)\nindex: so-*\nname: Emissary Panda Malware SLLauncher\npriority: 1\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(7383,'Issue',409,9,'{{collapse(View Sigma)\n\n\ntitle: Emissary Panda Malware SLLauncher\nid: 9aa01d62-7667-4d3b-acb8-8cb5103e2014\nstatus: experimental\ndescription: Detects the execution of DLL side-loading malware used by threat group\n Emissary Panda aka APT27\nreferences:\n- https://app.any.run/tasks/579e7587-f09d-4aae-8b07-472833262965\n- https://twitter.com/cyb3rops/status/1168863899531132929\nauthor: Florian Roth\ndate: 2018/09/03\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n ParentImage: \'*\\sllauncher.exe\'\n Image: \'*\\svchost.exe\'\n condition: selection\nfalsepositives:\n- Unknown\nlevel: critical\n\n
\n}}'),(7384,'Issue',410,1,'Equation Group DLL_U Load'),(7385,'Issue',410,2,'Florian Roth'),(7386,'Issue',410,8,'https://github.com/adamcaudill/EquationGroupLeak/search?utf8=%E2%9C%93&q=dll_u&type=\nhttps://securelist.com/apt-slingshot/84312/\nhttps://twitter.com/cyb3rops/status/972186477512839170'),(7387,'Issue',410,10,'critical'),(7388,'Issue',410,13,'community'),(7389,'Issue',410,14,'windows'),(7391,'Issue',410,11,'8d87ab96d'),(7392,'Issue',410,12,'d465d1d8-27a2-4cca-9621-a800f37cf72e'),(7393,'Issue',410,16,'win-proc'),(7394,'Issue',410,17,''),(7395,'Issue',410,7,''),(7396,'Issue',410,3,'Detects a specific tool and export used by EquationGroup'),(7397,'Issue',410,4,''),(7398,'Issue',410,5,'_False Positives_\nUnknown'),(7399,'Issue',410,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND ((process.executable.keyword:*\\\\rundll32.exe AND process.command_line.keyword:*,dll_u) OR process.command_line.keyword:*\\ \\-export\\ dll_u\\ *))\nindex: so-*\nname: Equation Group DLL_U Load\npriority: 1\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(7400,'Issue',410,9,'{{collapse(View Sigma)\n\n\ntitle: Equation Group DLL_U Load\nid: d465d1d8-27a2-4cca-9621-a800f37cf72e\nauthor: Florian Roth\ndate: 2019/03/04\ndescription: Detects a specific tool and export used by EquationGroup\nreferences:\n- https://github.com/adamcaudill/EquationGroupLeak/search?utf8=%E2%9C%93&q=dll_u&type=\n- https://securelist.com/apt-slingshot/84312/\n- https://twitter.com/cyb3rops/status/972186477512839170\ntags:\n- attack.execution\n- attack.g0020\n- attack.t1059\n- attack.defense_evasion\n- attack.t1085\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection1:\n Image: \'*\\rundll32.exe\'\n CommandLine: \'*,dll_u\'\n selection2:\n CommandLine: \'* -export dll_u *\'\n condition: 1 of them\nfalsepositives:\n- Unknown\nlevel: critical\n\n
\n}}'),(7401,'Issue',410,15,'T1059'),(7402,'Issue',410,15,'T1085'),(7403,'Issue',411,1,'Hurricane Panda Activity'),(7404,'Issue',411,2,'Florian Roth'),(7405,'Issue',411,8,'https://www.crowdstrike.com/blog/crowdstrike-discovers-use-64-bit-zero-day-privilege-escalation-exploit-cve-2014-4113-hurricane-panda/'),(7406,'Issue',411,10,'high'),(7407,'Issue',411,13,'community'),(7408,'Issue',411,14,'windows'),(7410,'Issue',411,11,'70b43689e'),(7411,'Issue',411,12,'0eb2107b-a596-422e-b123-b389d5594ed7'),(7412,'Issue',411,16,'win-proc'),(7413,'Issue',411,17,''),(7414,'Issue',411,7,''),(7415,'Issue',411,3,'Detects Hurricane Panda Activity'),(7416,'Issue',411,4,''),(7417,'Issue',411,5,'_False Positives_\nUnknown'),(7418,'Issue',411,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(*\\ localgroup\\ administrators\\ admin\\ \\/add OR *\\\\Win64.exe*))\nindex: so-*\nname: Hurricane Panda Activity\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(7419,'Issue',411,9,'{{collapse(View Sigma)\n\n\ntitle: Hurricane Panda Activity\nid: 0eb2107b-a596-422e-b123-b389d5594ed7\nauthor: Florian Roth\ndate: 2019/03/04\nstatus: experimental\ndescription: Detects Hurricane Panda Activity\nreferences:\n- https://www.crowdstrike.com/blog/crowdstrike-discovers-use-64-bit-zero-day-privilege-escalation-exploit-cve-2014-4113-hurricane-panda/\ntags:\n- attack.privilege_escalation\n- attack.g0009\n- attack.t1068\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n CommandLine:\n - \'* localgroup administrators admin /add\'\n - \'*\\Win64.exe*\'\n condition: selection\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(7420,'Issue',411,15,'T1068'),(7421,'Issue',412,1,'Judgement Panda Exfil Activity'),(7422,'Issue',412,2,'Florian Roth'),(7423,'Issue',412,8,'https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/'),(7424,'Issue',412,10,'critical'),(7425,'Issue',412,13,'community'),(7426,'Issue',412,14,'windows'),(7428,'Issue',412,11,'7b23cf39c'),(7429,'Issue',412,12,'03e2746e-2b31-42f1-ab7a-eb39365b2422'),(7430,'Issue',412,16,'win-proc'),(7431,'Issue',412,17,''),(7432,'Issue',412,7,''),(7433,'Issue',412,3,'Detects Judgement Panda activity as described in Global Threat Report 2019 by Crowdstrike'),(7434,'Issue',412,4,''),(7435,'Issue',412,5,'_False Positives_\nunknown'),(7436,'Issue',412,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND (process.command_line.keyword:(*\\\\ldifde.exe\\ \\-f\\ \\-n\\ * OR *\\\\7za.exe\\ a\\ 1.7z\\ * OR *\\ eprod.ldf OR *\\\\aaaa\\\\procdump64.exe* OR *\\\\aaaa\\\\netsess.exe* OR *\\\\aaaa\\\\7za.exe* OR *copy\\ .\\\\1.7z\\ \\\\* OR *copy\\ \\\\client\\\\c$\\\\aaaa\\\\*) OR process.executable:\"C\\:\\\\Users\\\\Public\\\\7za.exe\"))\nindex: so-*\nname: Judgement Panda Exfil Activity\npriority: 1\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(7437,'Issue',412,9,'{{collapse(View Sigma)\n\n\ntitle: Judgement Panda Exfil Activity\nid: 03e2746e-2b31-42f1-ab7a-eb39365b2422\ndescription: Detects Judgement Panda activity as described in Global Threat Report\n 2019 by Crowdstrike\nreferences:\n- https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/\nauthor: Florian Roth\ndate: 2019/02/21\ntags:\n- attack.lateral_movement\n- attack.g0010\n- attack.credential_access\n- attack.t1098\n- attack.exfiltration\n- attack.t1002\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection1:\n CommandLine:\n - \'*\\ldifde.exe -f -n *\'\n - \'*\\7za.exe a 1.7z *\'\n - \'* eprod.ldf\'\n - \'*\\aaaa\\procdump64.exe*\'\n - \'*\\aaaa\\netsess.exe*\'\n - \'*\\aaaa\\7za.exe*\'\n - \'*copy .\\1.7z \\\\*\'\n - \'*copy \\\\client\\c$\\aaaa\\\\*\'\n selection2:\n Image: C:\\Users\\Public\\7za.exe\n condition: selection1 or selection2\nfalsepositives:\n- unknown\nlevel: critical\n\n
\n}}'),(7438,'Issue',412,15,'T1098'),(7439,'Issue',412,15,'T1002'),(7440,'Issue',413,1,'Mustang Panda Dropper'),(7441,'Issue',413,2,'Florian Roth'),(7442,'Issue',413,8,'https://app.any.run/tasks/7ca5661d-a67b-43ec-98c1-dd7a8103c256/\nhttps://app.any.run/tasks/b12cccf3-1c22-4e28-9d3e-c7a6062f3914/\nhttps://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations'),(7443,'Issue',413,10,'high'),(7444,'Issue',413,13,'community'),(7445,'Issue',413,14,'windows'),(7446,'Issue',413,15,''),(7447,'Issue',413,11,'aad32826a'),(7448,'Issue',413,12,'2d87d610-d760-45ee-a7e6-7a6f2a65de00'),(7449,'Issue',413,16,'win-proc'),(7450,'Issue',413,17,''),(7451,'Issue',413,7,''),(7452,'Issue',413,3,'Detects specific process parameters as used by Mustang Panda droppers'),(7453,'Issue',413,4,''),(7454,'Issue',413,5,'_False Positives_\nUnlikely\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(7455,'Issue',413,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND (process.command_line.keyword:(*Temp\\\\wtask.exe\\ \\/create* OR *%windir\\:\\~\\-3,1%%PUBLIC\\:\\~\\-9,1%* OR *\\/E\\:vbscript\\ *\\ C\\:\\\\Users\\*.txt\\\"\\ \\/F OR *\\/tn\\ \\\"Security\\ Script\\ * OR *%windir\\:\\~\\-1,1%*) OR process.executable.keyword:(*Temp\\\\winwsh.exe)))\nindex: so-*\nname: Mustang Panda Dropper\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(7456,'Issue',413,9,'{{collapse(View Sigma)\n\n\ntitle: Mustang Panda Dropper\nid: 2d87d610-d760-45ee-a7e6-7a6f2a65de00\nstatus: experimental\ndescription: Detects specific process parameters as used by Mustang Panda droppers\nauthor: Florian Roth\ndate: 2019/10/30\nreferences:\n- https://app.any.run/tasks/7ca5661d-a67b-43ec-98c1-dd7a8103c256/\n- https://app.any.run/tasks/b12cccf3-1c22-4e28-9d3e-c7a6062f3914/\n- https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection1:\n CommandLine:\n - \'*Temp\\wtask.exe /create*\'\n - \'*%windir:~-3,1%%PUBLIC:~-9,1%*\'\n - \'*/E:vbscript * C:\\Users\\*.txt\" /F\'\n - \'*/tn \"Security Script *\'\n - \'*%windir:~-1,1%*\'\n selection2:\n Image:\n - \'*Temp\\winwsh.exe\'\n condition: 1 of them\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Unlikely\nlevel: high\n\n
\n}}'),(7457,'Issue',414,1,'Sofacy Trojan Loader Activity'),(7458,'Issue',414,2,'Florian Roth'),(7459,'Issue',414,8,'https://researchcenter.paloaltonetworks.com/2018/02/unit42-sofacy-attacks-multiple-government-entities/\nhttps://www.reverse.it/sample/e3399d4802f9e6d6d539e3ae57e7ea9a54610a7c4155a6541df8e94d67af086e?environmentId=100\nhttps://twitter.com/ClearskySec/status/960924755355369472'),(7460,'Issue',414,10,'critical'),(7461,'Issue',414,13,'community'),(7462,'Issue',414,14,'windows'),(7464,'Issue',414,11,'6b2144b03'),(7465,'Issue',414,12,'ba778144-5e3d-40cf-8af9-e28fb1df1e20'),(7466,'Issue',414,16,'win-proc'),(7467,'Issue',414,17,''),(7468,'Issue',414,7,''),(7469,'Issue',414,3,'Detects Trojan loader acitivty as used by APT28'),(7470,'Issue',414,4,''),(7471,'Issue',414,5,'_False Positives_\nUnknown'),(7472,'Issue',414,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(rundll32.exe\\ %APPDATA%\\\\*.dat\\\",* OR rundll32.exe\\ %APPDATA%\\\\*.dll\\\",#1))\nindex: so-*\nname: Sofacy Trojan Loader Activity\npriority: 1\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(7473,'Issue',414,9,'{{collapse(View Sigma)\n\n\ntitle: Sofacy Trojan Loader Activity\nid: ba778144-5e3d-40cf-8af9-e28fb1df1e20\nauthor: Florian Roth\nstatus: experimental\ndate: 2018/03/01\ndescription: Detects Trojan loader acitivty as used by APT28\nreferences:\n- https://researchcenter.paloaltonetworks.com/2018/02/unit42-sofacy-attacks-multiple-government-entities/\n- https://www.reverse.it/sample/e3399d4802f9e6d6d539e3ae57e7ea9a54610a7c4155a6541df8e94d67af086e?environmentId=100\n- https://twitter.com/ClearskySec/status/960924755355369472\ntags:\n- attack.g0007\n- attack.execution\n- attack.t1059\n- attack.defense_evasion\n- attack.t1085\n- car.2013-10-002\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n CommandLine:\n - rundll32.exe %APPDATA%\\\\*.dat\",*\n - rundll32.exe %APPDATA%\\\\*.dll\",#1\n condition: selection\nfalsepositives:\n- Unknown\nlevel: critical\n\n
\n}}'),(7474,'Issue',414,15,'T1059'),(7475,'Issue',414,15,'T1085'),(7476,'Issue',415,1,'Ps.exe Renamed SysInternals Tool'),(7477,'Issue',415,2,'Florian Roth'),(7478,'Issue',415,8,'https://www.us-cert.gov/ncas/alerts/TA17-293A'),(7479,'Issue',415,10,'high'),(7480,'Issue',415,13,'community'),(7481,'Issue',415,14,'windows'),(7483,'Issue',415,11,'0ec020dd0'),(7484,'Issue',415,12,'18da1007-3f26-470f-875d-f77faf1cab31'),(7485,'Issue',415,16,'win-proc'),(7486,'Issue',415,17,''),(7487,'Issue',415,7,''),(7488,'Issue',415,3,'Detects renamed SysInternals tool execution with a binary named ps.exe as used by Dragonfly APT group and documented in TA17-293A report'),(7489,'Issue',415,4,''),(7490,'Issue',415,5,'_False Positives_\nRenamed SysInternals tool'),(7491,'Issue',415,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line:\"ps.exe\\ \\-accepteula\")\nindex: so-*\nname: Ps.exe Renamed SysInternals Tool\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(7492,'Issue',415,9,'{{collapse(View Sigma)\n\n\ntitle: Ps.exe Renamed SysInternals Tool\nid: 18da1007-3f26-470f-875d-f77faf1cab31\ndescription: Detects renamed SysInternals tool execution with a binary named ps.exe\n as used by Dragonfly APT group and documented in TA17-293A report\nreferences:\n- https://www.us-cert.gov/ncas/alerts/TA17-293A\ntags:\n- attack.defense_evasion\n- attack.g0035\n- attack.t1036\n- car.2013-05-009\nauthor: Florian Roth\ndate: 2017/10/22\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n CommandLine: ps.exe -accepteula\n condition: selection\nfalsepositives:\n- Renamed SysInternals tool\nlevel: high\n\n
\n}}'),(7493,'Issue',415,15,'T1036'),(7494,'Issue',416,1,'TropicTrooper Campaign November 2018'),(7495,'Issue',416,2,'@41thexplorer, Microsoft Defender ATP'),(7496,'Issue',416,8,'https://cloudblogs.microsoft.com/microsoftsecure/2018/11/28/windows-defender-atp-device-risk-score-exposes-new-cyberattack-drives-conditional-access-to-protect-networks/'),(7497,'Issue',416,10,'high'),(7498,'Issue',416,13,'community'),(7499,'Issue',416,14,'windows'),(7501,'Issue',416,11,'95510b4d4'),(7502,'Issue',416,12,'8c7090c3-e0a0-4944-bd08-08c3a0cecf79'),(7503,'Issue',416,16,'win-proc'),(7504,'Issue',416,17,''),(7505,'Issue',416,7,''),(7506,'Issue',416,3,'Detects TropicTrooper activity, an actor who targeted high-profile organizations in the energy and food and beverage sectors in Asia'),(7507,'Issue',416,4,''),(7508,'Issue',416,5,'_False Positives_\n Unknown'),(7509,'Issue',416,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:*abCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCc*)\nindex: so-*\nname: TropicTrooper Campaign November 2018\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(7510,'Issue',416,9,'{{collapse(View Sigma)\n\n\ntitle: TropicTrooper Campaign November 2018\nid: 8c7090c3-e0a0-4944-bd08-08c3a0cecf79\nauthor: \'@41thexplorer, Microsoft Defender ATP\'\nstatus: stable\ndate: 2019/11/12\ndescription: Detects TropicTrooper activity, an actor who targeted high-profile organizations\n in the energy and food and beverage sectors in Asia\nreferences:\n- https://cloudblogs.microsoft.com/microsoftsecure/2018/11/28/windows-defender-atp-device-risk-score-exposes-new-cyberattack-drives-conditional-access-to-protect-networks/\ntags:\n- attack.execution\n- attack.t1085\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n CommandLine: \'*abCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCc*\'\n condition: selection\nlevel: high\n\n
\n}}'),(7511,'Issue',416,15,'T1085'),(7512,'Issue',417,1,'Winnti Malware HK University Campaign'),(7513,'Issue',417,2,'Florian Roth, Markus Neis'),(7514,'Issue',417,8,'https://www.welivesecurity.com/2020/01/31/winnti-group-targeting-universities-hong-kong/'),(7515,'Issue',417,10,'critical'),(7516,'Issue',417,13,'community'),(7517,'Issue',417,14,'windows'),(7519,'Issue',417,11,'c6c18314b'),(7520,'Issue',417,12,'3121461b-5aa0-4a41-b910-66d25524edbb'),(7521,'Issue',417,16,'win-proc'),(7522,'Issue',417,17,''),(7523,'Issue',417,7,''),(7524,'Issue',417,3,'Detects specific process characteristics of Winnti malware noticed in Dec/Jan 2020 in a campaign against Honk Kong universities'),(7525,'Issue',417,4,''),(7526,'Issue',417,5,'_False Positives_\nUnlikely'),(7527,'Issue',417,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND ((process.parent.executable.keyword:(*C\\:\\\\Windows\\\\Temp* OR *\\\\hpqhvind.exe*) AND process.executable.keyword:C\\:\\\\ProgramData\\\\DRM*) OR (process.parent.executable.keyword:C\\:\\\\ProgramData\\\\DRM* AND process.executable.keyword:*\\\\wmplayer.exe) OR (process.parent.executable.keyword:*\\\\Test.exe AND process.executable.keyword:*\\\\wmplayer.exe) OR process.executable:\"C\\:\\\\ProgramData\\\\DRM\\\\CLR\\\\CLR.exe\" OR (process.parent.executable.keyword:C\\:\\\\ProgramData\\\\DRM\\\\Windows* AND process.executable.keyword:*\\\\SearchFilterHost.exe)))\nindex: so-*\nname: Winnti Malware HK University Campaign\npriority: 1\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(7528,'Issue',417,9,'{{collapse(View Sigma)\n\n\ntitle: Winnti Malware HK University Campaign\nid: 3121461b-5aa0-4a41-b910-66d25524edbb\nstatus: experimental\ndescription: Detects specific process characteristics of Winnti malware noticed in\n Dec/Jan 2020 in a campaign against Honk Kong universities\nreferences:\n- https://www.welivesecurity.com/2020/01/31/winnti-group-targeting-universities-hong-kong/\ntags:\n- attack.defense_evasion\n- attack.t1073\n- attack.g0044\nauthor: Florian Roth, Markus Neis\ndate: 2020/02/01\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection1:\n ParentImage|contains:\n - C:\\Windows\\Temp\n - \\hpqhvind.exe\n Image|startswith: C:\\ProgramData\\DRM\n selection2:\n ParentImage|startswith: C:\\ProgramData\\DRM\n Image|endswith: \\wmplayer.exe\n selection3:\n ParentImage|endswith: \\Test.exe\n Image|endswith: \\wmplayer.exe\n selection4:\n Image: C:\\ProgramData\\DRM\\CLR\\CLR.exe\n selection5:\n ParentImage|startswith: C:\\ProgramData\\DRM\\Windows\n Image|endswith: \\SearchFilterHost.exe\n condition: 1 of them\nfalsepositives:\n- Unlikely\nlevel: critical\n\n
\n}}'),(7529,'Issue',417,15,'T1073'),(7530,'Issue',418,1,'ZxShell Malware'),(7531,'Issue',418,2,'Florian Roth'),(7532,'Issue',418,8,'https://www.hybrid-analysis.com/sample/5d2a4cde9fa7c2fdbf39b2e2ffd23378d0c50701a3095d1e91e3cf922d7b0b16?environmentId=100'),(7533,'Issue',418,10,'critical'),(7534,'Issue',418,13,'community'),(7535,'Issue',418,14,'windows'),(7537,'Issue',418,11,'948a1b3c3'),(7538,'Issue',418,12,'f0b70adb-0075-43b0-9745-e82a1c608fcc'),(7539,'Issue',418,16,'win-proc'),(7540,'Issue',418,17,''),(7541,'Issue',418,7,''),(7542,'Issue',418,3,'Detects a ZxShell start by the called and well-known function name'),(7543,'Issue',418,4,''),(7544,'Issue',418,5,'_False Positives_\nUnlikely\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(7545,'Issue',418,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND Command.keyword:(rundll32.exe\\ *,zxFunction* OR rundll32.exe\\ *,RemoteDiskXXXXX))\nindex: so-*\nname: ZxShell Malware\npriority: 1\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(7546,'Issue',418,9,'{{collapse(View Sigma)\n\n\ntitle: ZxShell Malware\nid: f0b70adb-0075-43b0-9745-e82a1c608fcc\ndescription: Detects a ZxShell start by the called and well-known function name\nauthor: Florian Roth\ndate: 2017/07/20\nreferences:\n- https://www.hybrid-analysis.com/sample/5d2a4cde9fa7c2fdbf39b2e2ffd23378d0c50701a3095d1e91e3cf922d7b0b16?environmentId=100\ntags:\n- attack.g0001\n- attack.execution\n- attack.t1059\n- attack.defense_evasion\n- attack.t1085\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n Command:\n - rundll32.exe *,zxFunction*\n - rundll32.exe *,RemoteDiskXXXXX\n condition: selection\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Unlikely\nlevel: critical\n\n
\n}}'),(7547,'Issue',418,15,'T1059'),(7548,'Issue',418,15,'T1085'),(7549,'Issue',419,1,'Hiding Files with Attrib.exe'),(7550,'Issue',419,2,'Sami Ruohonen'),(7551,'Issue',419,8,'none'),(7552,'Issue',419,10,'low'),(7553,'Issue',419,13,'community'),(7554,'Issue',419,14,'windows'),(7556,'Issue',419,11,'3ac07f0c1'),(7557,'Issue',419,12,'4281cb20-2994-4580-aa63-c8b86d019934'),(7558,'Issue',419,16,'win-proc'),(7559,'Issue',419,17,''),(7560,'Issue',419,7,''),(7561,'Issue',419,3,'Detects usage of attrib.exe to hide files from users.'),(7562,'Issue',419,4,''),(7563,'Issue',419,5,'_False Positives_\nigfxCUIService.exe hiding *.cui files via .bat script (attrib.exe a child of cmd.exe and igfxCUIService.exe is the parent of the cmd.exe)\nmsiexec.exe hiding desktop.ini\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine\nUser'),(7564,'Issue',419,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (process.executable.keyword:*\\\\attrib.exe AND process.command_line.keyword:*\\ \\+h\\ *) AND (NOT (((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND (process.command_line.keyword:*\\\\desktop.ini\\ * OR (process.parent.executable.keyword:*\\\\cmd.exe AND process.command_line.keyword:\\+R\\ \\+H\\ \\+S\\ \\+A\\ \\\\*.cui AND process.parent.command_line.keyword:C\\:\\\\WINDOWS\\\\system32\\\\*.bat))))))\nindex: so-*\nname: Hiding Files with Attrib.exe\npriority: 4\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(7565,'Issue',419,9,'{{collapse(View Sigma)\n\n\ntitle: Hiding Files with Attrib.exe\nid: 4281cb20-2994-4580-aa63-c8b86d019934\nstatus: experimental\ndescription: Detects usage of attrib.exe to hide files from users.\nauthor: Sami Ruohonen\ndate: 2019/01/16\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n Image: \'*\\attrib.exe\'\n CommandLine: \'* +h *\'\n ini:\n CommandLine: \'*\\desktop.ini *\'\n intel:\n ParentImage: \'*\\cmd.exe\'\n CommandLine: +R +H +S +A \\\\*.cui\n ParentCommandLine: C:\\WINDOWS\\system32\\\\*.bat\n condition: selection and not (ini or intel)\nfields:\n- CommandLine\n- ParentCommandLine\n- User\ntags:\n- attack.defense_evasion\n- attack.persistence\n- attack.t1158\nfalsepositives:\n- igfxCUIService.exe hiding *.cui files via .bat script (attrib.exe a child of cmd.exe\n and igfxCUIService.exe is the parent of the cmd.exe)\n- msiexec.exe hiding desktop.ini\nlevel: low\n\n
\n}}'),(7566,'Issue',419,15,'T1158'),(7567,'Issue',420,1,'Modification of Boot Configuration'),(7568,'Issue',420,2,'E.M. Anhaus (orignally from Atomic Blue Detections, Endgame), oscd.community'),(7569,'Issue',420,8,'https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.yaml\nhttps://eqllib.readthedocs.io/en/latest/analytics/c4732632-9c1d-4980-9fa8-1d98c93f918e.html'),(7570,'Issue',420,10,'high'),(7571,'Issue',420,13,'community'),(7572,'Issue',420,14,'windows'),(7574,'Issue',420,11,'af9bb527e'),(7575,'Issue',420,12,'1444443e-6757-43e4-9ea4-c8fc705f79a2'),(7576,'Issue',420,16,'win-proc'),(7577,'Issue',420,17,''),(7578,'Issue',420,7,''),(7579,'Issue',420,3,'Identifies use of the bcdedit command to delete boot configuration data. This tactic is sometimes used as by malware or an attacker as a destructive technique.'),(7580,'Issue',420,4,''),(7581,'Issue',420,5,'_False Positives_\nUnlikely\n\n_Interesting Log Fields_\nComputerName\nUser\nCommandLine'),(7582,'Issue',420,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (process.executable.keyword:*\\\\bcdedit.exe AND process.command_line:\"set\") AND ((process.command_line.keyword:*bootstatuspolicy* AND process.command_line.keyword:*ignoreallfailures*) OR (process.command_line.keyword:*recoveryenabled* AND process.command_line.keyword:*no*)))\nindex: so-*\nname: Modification of Boot Configuration\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(7583,'Issue',420,9,'{{collapse(View Sigma)\n\n\ntitle: Modification of Boot Configuration\nid: 1444443e-6757-43e4-9ea4-c8fc705f79a2\ndescription: Identifies use of the bcdedit command to delete boot configuration data. This tactic is sometimes used as by malware or an attacker as a destructive\n technique.\nstatus: experimental\nauthor: E.M. Anhaus (orignally from Atomic Blue Detections, Endgame), oscd.community\ndate: 2019/10/24\nmodified: 2019/11/11\nreferences:\n - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.yaml\n - https://eqllib.readthedocs.io/en/latest/analytics/c4732632-9c1d-4980-9fa8-1d98c93f918e.html\ntags:\n - attack.impact\n - attack.t1490\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection1:\n Image|endswith: \\bcdedit.exe\n CommandLine|contains: set\n selection2:\n - CommandLine|contains|all:\n - bootstatuspolicy\n - ignoreallfailures\n - CommandLine|contains|all:\n - recoveryenabled\n - \'no\'\n condition: selection1 and selection2\nfields:\n - ComputerName\n - User\n - CommandLine\nfalsepositives:\n - Unlikely\nlevel: high\n\n
\n}}'),(7584,'Issue',420,15,'T1490'),(7585,'Issue',421,1,'SquiblyTwo'),(7586,'Issue',421,2,'Markus Neis / Florian Roth'),(7587,'Issue',421,8,'https://subt0x11.blogspot.ch/2018/04/wmicexe-whitelisting-bypass-hacking.html\nhttps://twitter.com/mattifestation/status/986280382042595328'),(7588,'Issue',421,10,'medium'),(7589,'Issue',421,13,'community'),(7590,'Issue',421,14,'windows'),(7592,'Issue',421,11,'0eab446eb'),(7593,'Issue',421,12,'8d63dadf-b91b-4187-87b6-34a1114577ea'),(7594,'Issue',421,16,'win-proc'),(7595,'Issue',421,17,''),(7596,'Issue',421,7,''),(7597,'Issue',421,3,'Detects WMI SquiblyTwo Attack with possible renamed WMI by looking for imphash'),(7598,'Issue',421,4,''),(7599,'Issue',421,5,'_False Positives_\nUnknown'),(7600,'Issue',421,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND ((process.executable.keyword:(*\\\\wmic.exe) AND process.command_line.keyword:(wmic\\ *\\ *format\\:\\\\\\\"http* OR wmic\\ *\\ \\/format\\:\'http OR wmic\\ *\\ \\/format\\:http*)) OR (event_data.Imphash:(\"1B1A3F43BF37B5BFE60751F2EE2F326E\" OR \"37777A96245A3C74EB217308F3546F4C\" OR \"9D87C9D67CE724033C0B40CC4CA1B206\") AND process.command_line.keyword:(*\\ *format\\:\\\\\\\"http* OR *\\ \\/format\\:\'http OR *\\ \\/format\\:http*))))\nindex: so-*\nname: SquiblyTwo\npriority: 3\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(7601,'Issue',421,9,'{{collapse(View Sigma)\n\n\ntitle: SquiblyTwo\nid: 8d63dadf-b91b-4187-87b6-34a1114577ea\nstatus: experimental\ndescription: Detects WMI SquiblyTwo Attack with possible renamed WMI by looking for\n imphash\nreferences:\n- https://subt0x11.blogspot.ch/2018/04/wmicexe-whitelisting-bypass-hacking.html\n- https://twitter.com/mattifestation/status/986280382042595328\ntags:\n- attack.defense_evasion\n- attack.t1047\nauthor: Markus Neis / Florian Roth\ndate: 2019/01/16\nfalsepositives:\n- Unknown\nlevel: medium\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection1:\n Image:\n - \'*\\wmic.exe\'\n CommandLine:\n - wmic * *format:\\\"http*\n - wmic * /format:\'http\n - wmic * /format:http*\n selection2:\n Imphash:\n - 1B1A3F43BF37B5BFE60751F2EE2F326E\n - 37777A96245A3C74EB217308F3546F4C\n - 9D87C9D67CE724033C0B40CC4CA1B206\n CommandLine:\n - \'* *format:\\\"http*\'\n - \"* /format:\'http\"\n - \'* /format:http*\'\n condition: 1 of them\n\n
\n}}'),(7602,'Issue',421,15,'T1047'),(7603,'Issue',422,1,'Change Default File Association'),(7604,'Issue',422,2,'Timur Zinniatullin, oscd.community'),(7605,'Issue',422,8,'https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1042/T1042.yaml'),(7606,'Issue',422,10,'low'),(7607,'Issue',422,13,'community'),(7608,'Issue',422,14,'windows'),(7610,'Issue',422,11,'d63bbd05e'),(7611,'Issue',422,12,'3d3aa6cd-6272-44d6-8afc-7e88dfef7061'),(7612,'Issue',422,16,'win-proc'),(7613,'Issue',422,17,''),(7614,'Issue',422,7,''),(7615,'Issue',422,3,'When a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access or by administrators using the built-in assoc utility. Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened.'),(7616,'Issue',422,4,''),(7617,'Issue',422,5,'_False Positives_\nAdmin activity\n\n_Interesting Log Fields_\nImage\nCommandLine\nUser\nLogonGuid\nHashes\nParentProcessGuid\nParentCommandLine'),(7618,'Issue',422,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:*cmd* AND process.command_line.keyword:*\\/c* AND process.command_line.keyword:*assoc*)\nindex: so-*\nname: Change Default File Association\npriority: 4\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(7619,'Issue',422,9,'{{collapse(View Sigma)\n\n\ntitle: Change Default File Association\nid: 3d3aa6cd-6272-44d6-8afc-7e88dfef7061\nstatus: experimental\ndescription: When a file is opened, the default program used to open the file (also\n called the file association or handler) is checked. File association selections\n are stored in the Windows Registry and can be edited by users, administrators, or\n programs that have Registry access or by administrators using the built-in assoc\n utility. Applications can modify the file association for a given file extension\n to call an arbitrary program when a file with the given extension is opened.\nauthor: Timur Zinniatullin, oscd.community\ndate: 2019/10/21\nmodified: 2019/11/04\nreferences:\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1042/T1042.yaml\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n CommandLine|contains|all:\n - cmd\n - /c\n - assoc\n condition: selection\nfalsepositives:\n- Admin activity\nfields:\n- Image\n- CommandLine\n- User\n- LogonGuid\n- Hashes\n- ParentProcessGuid\n- ParentCommandLine\nlevel: low\ntags:\n- attack.persistence\n- attack.t1042\n\n
\n}}'),(7620,'Issue',422,15,'T1042'),(7621,'Issue',423,1,'Cmdkey Cached Credentials Recon'),(7622,'Issue',423,2,'jmallette'),(7623,'Issue',423,8,'https://www.peew.pw/blog/2017/11/26/exploring-cmdkey-an-edge-case-for-privilege-escalation\nhttps://technet.microsoft.com/en-us/library/cc754243(v=ws.11).aspx'),(7624,'Issue',423,10,'low'),(7625,'Issue',423,13,'community'),(7626,'Issue',423,14,'windows'),(7628,'Issue',423,11,'38a2cfd6c'),(7629,'Issue',423,12,'07f8bdc2-c9b3-472a-9817-5a670b872f53'),(7630,'Issue',423,16,'win-proc'),(7631,'Issue',423,17,''),(7632,'Issue',423,7,''),(7633,'Issue',423,3,'Detects usage of cmdkey to look for cached credentials'),(7634,'Issue',423,4,''),(7635,'Issue',423,5,'_False Positives_\nLegitimate administrative tasks.\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine\nUser'),(7636,'Issue',423,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\cmdkey.exe AND process.command_line.keyword:*\\ \\/list\\ *)\nindex: so-*\nname: Cmdkey Cached Credentials Recon\npriority: 4\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(7637,'Issue',423,9,'{{collapse(View Sigma)\n\n\ntitle: Cmdkey Cached Credentials Recon\nid: 07f8bdc2-c9b3-472a-9817-5a670b872f53\nstatus: experimental\ndescription: Detects usage of cmdkey to look for cached credentials\nreferences:\n- https://www.peew.pw/blog/2017/11/26/exploring-cmdkey-an-edge-case-for-privilege-escalation\n- https://technet.microsoft.com/en-us/library/cc754243(v=ws.11).aspx\nauthor: jmallette\ndate: 2019/01/16\ntags:\n- attack.credential_access\n- attack.t1003\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n Image: \'*\\cmdkey.exe\'\n CommandLine: \'* /list *\'\n condition: selection\nfields:\n- CommandLine\n- ParentCommandLine\n- User\nfalsepositives:\n- Legitimate administrative tasks.\nlevel: low\n\n
\n}}'),(7638,'Issue',423,15,'T1003'),(7639,'Issue',424,1,'CMSTP UAC Bypass via COM Object Access'),(7640,'Issue',424,2,'Nik Seetharaman'),(7641,'Issue',424,8,'http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/\nhttps://twitter.com/hFireF0X/status/897640081053364225'),(7642,'Issue',424,10,'high'),(7643,'Issue',424,13,'community'),(7644,'Issue',424,14,'windows'),(7646,'Issue',424,11,'bdaa50dae'),(7647,'Issue',424,12,'4b60e6f2-bf39-47b4-b4ea-398e33cfe253'),(7648,'Issue',424,16,'win-proc'),(7649,'Issue',424,17,''),(7650,'Issue',424,7,''),(7651,'Issue',424,3,'Detects UAC Bypass Attempt Using Microsoft Connection Manager Profile Installer Autoelevate-capable COM Objects'),(7652,'Issue',424,4,''),(7653,'Issue',424,5,'_False Positives_\nLegitimate CMSTP use (unlikely in modern enterprise environments)\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine\nHashes'),(7654,'Issue',424,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.parent.command_line.keyword:*\\\\DllHost.exe AND process.parent.command_line.keyword:(*\\{3E5FC7F9\\-9A51\\-4367\\-9063\\-A120244FBEC7\\} OR *\\{3E000D72\\-A845\\-4CD9\\-BD83\\-80C07C3B881F\\}))\nindex: so-*\nname: CMSTP UAC Bypass via COM Object Access\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(7655,'Issue',424,9,'{{collapse(View Sigma)\n\n\ntitle: CMSTP UAC Bypass via COM Object Access\nid: 4b60e6f2-bf39-47b4-b4ea-398e33cfe253\nstatus: stable\ndescription: Detects UAC Bypass Attempt Using Microsoft Connection Manager Profile\n Installer Autoelevate-capable COM Objects\ntags:\n- attack.defense_evasion\n- attack.privilege_escalation\n- attack.execution\n- attack.t1088\n- attack.t1191\n- attack.g0069\n- car.2019-04-001\nauthor: Nik Seetharaman\nmodified: 2019/07/31\ndate: 2019/01/16\nreferences:\n- http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/\n- https://twitter.com/hFireF0X/status/897640081053364225\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection1:\n ParentCommandLine: \'*\\DllHost.exe\'\n selection2:\n ParentCommandLine:\n - \'*{3E5FC7F9-9A51-4367-9063-A120244FBEC7}\'\n - \'*{3E000D72-A845-4CD9-BD83-80C07C3B881F}\'\n condition: selection1 and selection2\nfields:\n- CommandLine\n- ParentCommandLine\n- Hashes\nfalsepositives:\n- Legitimate CMSTP use (unlikely in modern enterprise environments)\nlevel: high\n\n
\n}}'),(7656,'Issue',424,15,'T1088'),(7657,'Issue',424,15,'T1191'),(7658,'Issue',425,1,'Control Panel Items'),(7659,'Issue',425,2,'Kyaw Min Thein'),(7660,'Issue',425,8,'none'),(7661,'Issue',425,10,'critical'),(7662,'Issue',425,13,'community'),(7663,'Issue',425,14,'windows'),(7665,'Issue',425,11,'10df22d5c'),(7666,'Issue',425,12,'0ba863e6-def5-4e50-9cea-4dd8c7dc46a4'),(7667,'Issue',425,16,'win-proc'),(7668,'Issue',425,17,''),(7669,'Issue',425,7,''),(7670,'Issue',425,3,'Detects the use of a control panel item (.cpl) outside of the System32 folder'),(7671,'Issue',425,4,''),(7672,'Issue',425,5,'_False Positives_\nUnknown'),(7673,'Issue',425,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:*.cpl AND (NOT (process.command_line.keyword:(*\\\\System32\\\\* OR *%System%*))))\nindex: so-*\nname: Control Panel Items\npriority: 1\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(7674,'Issue',425,9,'{{collapse(View Sigma)\n\n\ntitle: Control Panel Items\nid: 0ba863e6-def5-4e50-9cea-4dd8c7dc46a4\nstatus: experimental\ndescription: Detects the use of a control panel item (.cpl) outside of the System32\n folder\nreference:\n- https://attack.mitre.org/techniques/T1196/\ntags:\n- attack.execution\n- attack.t1196\n- attack.defense_evasion\nauthor: Kyaw Min Thein\ndate: 2019/08/27\nlevel: critical\nlogsource:\n product: windows\n category: process_creation\ndetection:\n selection:\n CommandLine: \'*.cpl\'\n filter:\n CommandLine:\n - \'*\\System32\\\\*\'\n - \'*%System%*\'\n condition: selection and not filter\nfalsepositives:\n- Unknown\n\n
\n}}'),(7675,'Issue',425,15,'T1196'),(7676,'Issue',426,1,'Copying Sensitive Files with Credential Data'),(7677,'Issue',426,2,'Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community'),(7678,'Issue',426,8,'https://room362.com/post/2013/2013-06-10-volume-shadow-copy-ntdsdit-domain-hashes-remotely-part-1/\nhttps://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment\nhttps://dfironthemountain.wordpress.com/2018/12/06/locked-file-access-using-esentutl-exe/'),(7679,'Issue',426,10,'high'),(7680,'Issue',426,13,'community'),(7681,'Issue',426,14,'windows'),(7683,'Issue',426,11,'7971e8131'),(7684,'Issue',426,12,'e7be6119-fc37-43f0-ad4f-1f3f99be2f9f'),(7685,'Issue',426,16,'win-proc'),(7686,'Issue',426,17,''),(7687,'Issue',426,7,''),(7688,'Issue',426,3,'Files with well-known filenames (sensitive files with credential data) copying'),(7689,'Issue',426,4,''),(7690,'Issue',426,5,'_False Positives_\nCopying sensitive files for legitimate use (eg. backup) or forensic investigation by legitimate incident responder or forensic invetigator'),(7691,'Issue',426,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND ((process.executable.keyword:*\\\\esentutl.exe AND process.command_line.keyword:(*vss* OR *\\ \\/m\\ * OR *\\ \\/y\\ *)) OR process.command_line.keyword:(*\\\\windows\\\\ntds\\\\ntds.dit* OR *\\\\config\\\\sam* OR *\\\\config\\\\security* OR *\\\\config\\\\system\\ * OR *\\\\repair\\\\sam* OR *\\\\repair\\\\system* OR *\\\\repair\\\\security* OR *\\\\config\\\\RegBack\\\\sam* OR *\\\\config\\\\RegBack\\\\system* OR *\\\\config\\\\RegBack\\\\security*)))\nindex: so-*\nname: Copying Sensitive Files with Credential Data\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(7692,'Issue',426,9,'{{collapse(View Sigma)\n\n\ntitle: Copying Sensitive Files with Credential Data\nid: e7be6119-fc37-43f0-ad4f-1f3f99be2f9f\ndescription: Files with well-known filenames (sensitive files with credential data)\n copying\nstatus: experimental\nauthor: Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community\ndate: 2019/10/22\nmodified: 2019/11/13\nreferences:\n- https://room362.com/post/2013/2013-06-10-volume-shadow-copy-ntdsdit-domain-hashes-remotely-part-1/\n- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment\n- https://dfironthemountain.wordpress.com/2018/12/06/locked-file-access-using-esentutl-exe/\ntags:\n- attack.credential_access\n- attack.t1003\n- car.2013-07-001\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n - Image|endswith: \\esentutl.exe\n CommandLine|contains:\n - vss\n - \' /m \'\n - \' /y \'\n - CommandLine|contains:\n - \\windows\\ntds\\ntds.dit\n - \\config\\sam\n - \\config\\security\n - \'\\config\\system \'\n - \\repair\\sam\n - \\repair\\system\n - \\repair\\security\n - \\config\\RegBack\\sam\n - \\config\\RegBack\\system\n - \\config\\RegBack\\security\n condition: selection\nfalsepositives:\n- Copying sensitive files for legitimate use (eg. backup) or forensic investigation\n by legitimate incident responder or forensic invetigator\nlevel: high\n\n
\n}}'),(7693,'Issue',426,15,'T1003'),(7694,'Issue',427,1,'Fireball Archer Install'),(7695,'Issue',427,2,'Florian Roth'),(7696,'Issue',427,8,'https://www.virustotal.com/en/file/9b4971349ae85aa09c0a69852ed3e626c954954a3927b3d1b6646f139b930022/analysis/\nhttps://www.hybrid-analysis.com/sample/9b4971349ae85aa09c0a69852ed3e626c954954a3927b3d1b6646f139b930022?environmentId=100'),(7697,'Issue',427,10,'high'),(7698,'Issue',427,13,'community'),(7699,'Issue',427,14,'windows'),(7701,'Issue',427,11,'7652cf061'),(7702,'Issue',427,12,'3d4aebe0-6d29-45b2-a8a4-3dfde586a26d'),(7703,'Issue',427,16,'win-proc'),(7704,'Issue',427,17,''),(7705,'Issue',427,7,''),(7706,'Issue',427,3,'Detects Archer malware invocation via rundll32'),(7707,'Issue',427,4,''),(7708,'Issue',427,5,'_False Positives_\nUnknown\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(7709,'Issue',427,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:*\\\\rundll32.exe\\ *,InstallArcherSvc)\nindex: so-*\nname: Fireball Archer Install\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(7710,'Issue',427,9,'{{collapse(View Sigma)\n\n\ntitle: Fireball Archer Install\nid: 3d4aebe0-6d29-45b2-a8a4-3dfde586a26d\nstatus: experimental\ndescription: Detects Archer malware invocation via rundll32\nauthor: Florian Roth\ndate: 2017/06/03\nreferences:\n- https://www.virustotal.com/en/file/9b4971349ae85aa09c0a69852ed3e626c954954a3927b3d1b6646f139b930022/analysis/\n- https://www.hybrid-analysis.com/sample/9b4971349ae85aa09c0a69852ed3e626c954954a3927b3d1b6646f139b930022?environmentId=100\ntags:\n- attack.execution\n- attack.t1059\n- attack.defense_evasion\n- attack.t1085\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n CommandLine: \'*\\rundll32.exe *,InstallArcherSvc\'\n condition: selection\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(7711,'Issue',427,15,'T1059'),(7712,'Issue',427,15,'T1085'),(7713,'Issue',428,1,'Data Compressed - rar.exe'),(7714,'Issue',428,2,'Timur Zinniatullin, E.M. Anhaus, oscd.community'),(7715,'Issue',428,8,'https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1002/T1002.yaml\nhttps://eqllib.readthedocs.io/en/latest/analytics/1ec33c93-3d0b-4a28-8014-dbdaae5c60ae.html'),(7716,'Issue',428,10,'low'),(7717,'Issue',428,13,'community'),(7718,'Issue',428,14,'windows'),(7720,'Issue',428,11,'d76dd00e5'),(7721,'Issue',428,12,'6f3e2987-db24-4c78-a860-b4f4095a7095'),(7722,'Issue',428,16,'win-proc'),(7723,'Issue',428,17,''),(7724,'Issue',428,7,''),(7725,'Issue',428,3,'An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network'),(7726,'Issue',428,4,''),(7727,'Issue',428,5,'_False Positives_\nhighly likely if rar is default archiver in the monitored environment\n\n_Interesting Log Fields_\nImage\nCommandLine\nUser\nLogonGuid\nHashes\nParentProcessGuid\nParentCommandLine'),(7728,'Issue',428,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\rar.exe AND process.command_line.keyword:*\\ a\\ *)\nindex: so-*\nname: Data Compressed - rar.exe\npriority: 4\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(7729,'Issue',428,9,'{{collapse(View Sigma)\n\n\ntitle: Data Compressed - rar.exe\nid: 6f3e2987-db24-4c78-a860-b4f4095a7095\nstatus: experimental\ndescription: An adversary may compress data (e.g., sensitive documents) that is collected\n prior to exfiltration in order to make it portable and minimize the amount of data\n sent over the network\nauthor: Timur Zinniatullin, E.M. Anhaus, oscd.community\ndate: 2019/10/21\nmodified: 2019/11/04\nreferences:\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1002/T1002.yaml\n- https://eqllib.readthedocs.io/en/latest/analytics/1ec33c93-3d0b-4a28-8014-dbdaae5c60ae.html\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n Image|endswith: \\rar.exe\n CommandLine|contains: \' a \'\n condition: selection\nfields:\n- Image\n- CommandLine\n- User\n- LogonGuid\n- Hashes\n- ParentProcessGuid\n- ParentCommandLine\nfalsepositives:\n- highly likely if rar is default archiver in the monitored environment\nlevel: low\ntags:\n- attack.exfiltration\n- attack.t1002\n\n
\n}}'),(7730,'Issue',428,15,'T1002'),(7731,'Issue',429,1,'Domain Trust Discovery'),(7732,'Issue',429,2,'Jakob Weinzettl, oscd.community'),(7733,'Issue',429,8,'https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1482/T1482.yaml'),(7734,'Issue',429,10,'medium'),(7735,'Issue',429,13,'community'),(7736,'Issue',429,14,'windows'),(7738,'Issue',429,11,'16e2ea51f'),(7739,'Issue',429,12,'77815820-246c-47b8-9741-e0def3f57308'),(7740,'Issue',429,16,'win-proc'),(7741,'Issue',429,17,''),(7742,'Issue',429,7,''),(7743,'Issue',429,3,'Detects a discovery of domain trusts'),(7744,'Issue',429,4,''),(7745,'Issue',429,5,'_False Positives_\nAdministration of systems'),(7746,'Issue',429,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND ((process.executable.keyword:*\\\\dsquery.exe AND process.command_line.keyword:*\\-filter* AND process.command_line.keyword:*trustedDomain*) OR (process.executable.keyword:*\\\\nltest.exe AND process.command_line.keyword:*domain_trusts*)))\nindex: so-*\nname: Domain Trust Discovery\npriority: 3\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(7747,'Issue',429,9,'{{collapse(View Sigma)\n\n\ntitle: Domain Trust Discovery\nid: 77815820-246c-47b8-9741-e0def3f57308\nstatus: experimental\ndescription: Detects a discovery of domain trusts\nreferences:\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1482/T1482.yaml\nauthor: Jakob Weinzettl, oscd.community\ndate: 2019/10/23\nmodified: 2019/11/08\ntags:\n- attack.discovery\n- attack.t1482\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n - Image|endswith: \\dsquery.exe\n CommandLine|contains|all:\n - -filter\n - trustedDomain\n - Image|endswith: \\nltest.exe\n CommandLine|contains: domain_trusts\n condition: selection\nfalsepositives:\n- Administration of systems\nlevel: medium\n\n
\n}}'),(7748,'Issue',429,15,'T1482'),(7749,'Issue',430,1,'Encoded FromBase64String'),(7750,'Issue',430,2,'Florian Roth'),(7751,'Issue',430,8,'none'),(7752,'Issue',430,10,'critical'),(7753,'Issue',430,13,'community'),(7754,'Issue',430,14,'windows'),(7756,'Issue',430,11,'ad3c56884'),(7757,'Issue',430,12,'fdb62a13-9a81-4e5c-a38f-ea93a16f6d7c'),(7758,'Issue',430,16,'win-proc'),(7759,'Issue',430,17,''),(7760,'Issue',430,7,''),(7761,'Issue',430,3,'Detects a base64 encoded FromBase64String keyword in a process command line'),(7762,'Issue',430,4,''),(7763,'Issue',430,5,'_False Positives_\nunknown\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(7764,'Issue',430,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(*OjpGcm9tQmFzZTY0U3RyaW5n* OR *o6RnJvbUJhc2U2NFN0cmluZ* OR *6OkZyb21CYXNlNjRTdHJpbm*))\nindex: so-*\nname: Encoded FromBase64String\npriority: 1\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(7765,'Issue',430,9,'{{collapse(View Sigma)\n\n\ntitle: Encoded FromBase64String\nid: fdb62a13-9a81-4e5c-a38f-ea93a16f6d7c\nstatus: experimental\ndescription: Detects a base64 encoded FromBase64String keyword in a process command\n line\nauthor: Florian Roth\ndate: 2019/08/24\ntags:\n- attack.t1086\n- attack.t1140\n- attack.execution\n- attack.defense_evasion\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n CommandLine|base64offset|contains: ::FromBase64String\n condition: selection\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- unknown\nlevel: critical\n\n
\n}}'),(7766,'Issue',430,15,'T1086'),(7767,'Issue',430,15,'T1140'),(7768,'Issue',431,1,'Encoded IEX'),(7769,'Issue',431,2,'Florian Roth'),(7770,'Issue',431,8,'none'),(7771,'Issue',431,10,'critical'),(7772,'Issue',431,13,'community'),(7773,'Issue',431,14,'windows'),(7775,'Issue',431,11,'111891242'),(7776,'Issue',431,12,'88f680b8-070e-402c-ae11-d2914f2257f1'),(7777,'Issue',431,16,'win-proc'),(7778,'Issue',431,17,''),(7779,'Issue',431,7,''),(7780,'Issue',431,3,'Detects a base64 encoded IEX command string in a process command line'),(7781,'Issue',431,4,''),(7782,'Issue',431,5,'_False Positives_\nunknown\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(7783,'Issue',431,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(*SUVYIChb* OR *lFWCAoW* OR *JRVggKF* OR *aWV4IChb* OR *lleCAoW* OR *pZXggKF* OR *aWV4IChOZX* OR *lleCAoTmV3* OR *pZXggKE5ld* OR *SUVYIChOZX* OR *lFWCAoTmV3* OR *JRVggKE5ld*))\nindex: so-*\nname: Encoded IEX\npriority: 1\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(7784,'Issue',431,9,'{{collapse(View Sigma)\n\n\ntitle: Encoded IEX\nid: 88f680b8-070e-402c-ae11-d2914f2257f1\nstatus: experimental\ndescription: Detects a base64 encoded IEX command string in a process command line\nauthor: Florian Roth\ndate: 2019/08/23\ntags:\n- attack.t1086\n- attack.t1140\n- attack.execution\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n CommandLine|base64offset|contains:\n - IEX ([\n - iex ([\n - iex (New\n - IEX (New\n condition: selection\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- unknown\nlevel: critical\n\n
\n}}'),(7785,'Issue',431,15,'T1086'),(7786,'Issue',431,15,'T1140'),(7787,'Issue',432,1,'Disable of ETW Trace'),(7788,'Issue',432,2,'@neu5ron, Florian Roth'),(7789,'Issue',432,8,'https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil\nhttps://github.com/Neo23x0/sigma/blob/master/rules/windows/process_creation/win_mal_lockergoga.yml\nhttps://abuse.io/lockergoga.txt'),(7790,'Issue',432,10,'high'),(7791,'Issue',432,13,'community'),(7792,'Issue',432,14,'windows'),(7794,'Issue',432,11,'f0cec20a1'),(7795,'Issue',432,12,'a238b5d0-ce2d-4414-a676-7a531b3d13d6'),(7796,'Issue',432,16,'win-proc'),(7797,'Issue',432,17,''),(7798,'Issue',432,7,''),(7799,'Issue',432,3,'Detects a command that clears or disables any ETW trace log which could indicate a logging evasion.'),(7800,'Issue',432,4,''),(7801,'Issue',432,5,'_False Positives_\nUnknown'),(7802,'Issue',432,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND (process.command_line.keyword:*\\ cl\\ *\\/Trace* OR process.command_line.keyword:*\\ clear\\-log\\ *\\/Trace* OR process.command_line.keyword:*\\ sl*\\ \\/e\\:false* OR process.command_line.keyword:*\\ set\\-log*\\ \\/e\\:false*))\nindex: so-*\nname: Disable of ETW Trace\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(7803,'Issue',432,9,'{{collapse(View Sigma)\n\n\ntitle: Disable of ETW Trace\nid: a238b5d0-ce2d-4414-a676-7a531b3d13d6\ndescription: Detects a command that clears or disables any ETW trace log which could\n indicate a logging evasion.\nstatus: experimental\nreferences:\n- https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil\n- https://github.com/Neo23x0/sigma/blob/master/rules/windows/process_creation/win_mal_lockergoga.yml\n- https://abuse.io/lockergoga.txt\nauthor: \'@neu5ron, Florian Roth\'\ndate: 2019/03/22\ntags:\n- attack.execution\n- attack.t1070\n- car.2016-04-002\nlevel: high\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_clear_1:\n CommandLine: \'* cl */Trace*\'\n selection_clear_2:\n CommandLine: \'* clear-log */Trace*\'\n selection_disable_1:\n CommandLine: \'* sl* /e:false*\'\n selection_disable_2:\n CommandLine: \'* set-log* /e:false*\'\n condition: selection_clear_1 or selection_clear_2 or selection_disable_1 or selection_disable_2\nfalsepositives:\n- Unknown\n\n
\n}}'),(7804,'Issue',432,15,'T1070'),(7805,'Issue',433,1,'Exfiltration and Tunneling Tools Execution'),(7806,'Issue',433,2,'Daniil Yugoslavskiy, oscd.community'),(7807,'Issue',433,8,'none'),(7808,'Issue',433,10,'medium'),(7809,'Issue',433,13,'community'),(7810,'Issue',433,14,'windows'),(7812,'Issue',433,11,'800c545f1'),(7813,'Issue',433,12,'c75309a3-59f8-4a8d-9c2c-4c927ad50555'),(7814,'Issue',433,16,'win-proc'),(7815,'Issue',433,17,''),(7816,'Issue',433,7,''),(7817,'Issue',433,3,'Execution of well known tools for data exfiltration and tunneling'),(7818,'Issue',433,4,''),(7819,'Issue',433,5,'_False Positives_\nLegitimate Administrator using tools'),(7820,'Issue',433,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event_data.NewProcessName.keyword:(*\\\\plink.exe OR *\\\\socat.exe OR *\\\\stunnel.exe OR *\\\\httptunnel.exe))\nindex: so-*\nname: Exfiltration and Tunneling Tools Execution\npriority: 3\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(7821,'Issue',433,9,'{{collapse(View Sigma)\n\n\ntitle: Exfiltration and Tunneling Tools Execution\nid: c75309a3-59f8-4a8d-9c2c-4c927ad50555\ndescription: Execution of well known tools for data exfiltration and tunneling\nstatus: experimental\nauthor: Daniil Yugoslavskiy, oscd.community\ndate: 2019/10/24\ntags:\n- attack.exfiltration\n- attack.t1020\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n NewProcessName|endswith:\n - \\plink.exe\n - \\socat.exe\n - \\stunnel.exe\n - \\httptunnel.exe\n condition: selection\nfalsepositives:\n- Legitimate Administrator using tools\nlevel: medium\n\n
\n}}'),(7822,'Issue',433,15,'T1020'),(7823,'Issue',434,1,'Exploit for CVE-2015-1641'),(7824,'Issue',434,2,'Florian Roth'),(7825,'Issue',434,8,'https://www.virustotal.com/en/file/5567408950b744c4e846ba8ae726883cb15268a539f3bb21758a466e47021ae8/analysis/\nhttps://www.hybrid-analysis.com/sample/5567408950b744c4e846ba8ae726883cb15268a539f3bb21758a466e47021ae8?environmentId=100'),(7826,'Issue',434,10,'critical'),(7827,'Issue',434,13,'community'),(7828,'Issue',434,14,'windows'),(7830,'Issue',434,11,'e2a1316d4'),(7831,'Issue',434,12,'7993792c-5ce2-4475-a3db-a3a5539827ef'),(7832,'Issue',434,16,'win-proc'),(7833,'Issue',434,17,''),(7834,'Issue',434,7,''),(7835,'Issue',434,3,'Detects Winword starting uncommon sub process MicroScMgmt.exe as used in exploits for CVE-2015-1641'),(7836,'Issue',434,4,''),(7837,'Issue',434,5,'_False Positives_\nUnknown'),(7838,'Issue',434,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.parent.executable.keyword:*\\\\WINWORD.EXE AND process.executable.keyword:*\\\\MicroScMgmt.exe\\ )\nindex: so-*\nname: Exploit for CVE-2015-1641\npriority: 1\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(7839,'Issue',434,9,'{{collapse(View Sigma)\n\n\ntitle: Exploit for CVE-2015-1641\nid: 7993792c-5ce2-4475-a3db-a3a5539827ef\nstatus: experimental\ndescription: Detects Winword starting uncommon sub process MicroScMgmt.exe as used\n in exploits for CVE-2015-1641\nreferences:\n- https://www.virustotal.com/en/file/5567408950b744c4e846ba8ae726883cb15268a539f3bb21758a466e47021ae8/analysis/\n- https://www.hybrid-analysis.com/sample/5567408950b744c4e846ba8ae726883cb15268a539f3bb21758a466e47021ae8?environmentId=100\nauthor: Florian Roth\ndate: 2018/02/22\ntags:\n- attack.defense_evasion\n- attack.t1036\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n ParentImage: \'*\\WINWORD.EXE\'\n Image: \'*\\MicroScMgmt.exe \'\n condition: selection\nfalsepositives:\n- Unknown\nlevel: critical\n\n
\n}}'),(7840,'Issue',434,15,'T1036'),(7841,'Issue',435,1,'Exploit for CVE-2017-0261'),(7842,'Issue',435,2,'Florian Roth'),(7843,'Issue',435,8,'https://www.fireeye.com/blog/threat-research/2017/05/eps-processing-zero-days.html'),(7844,'Issue',435,10,'medium'),(7845,'Issue',435,13,'community'),(7846,'Issue',435,14,'windows'),(7848,'Issue',435,11,'65dbae284'),(7849,'Issue',435,12,'864403a1-36c9-40a2-a982-4c9a45f7d833'),(7850,'Issue',435,16,'win-proc'),(7851,'Issue',435,17,''),(7852,'Issue',435,7,''),(7853,'Issue',435,3,'Detects Winword starting uncommon sub process FLTLDR.exe as used in exploits for CVE-2017-0261 and CVE-2017-0262'),(7854,'Issue',435,4,''),(7855,'Issue',435,5,'_False Positives_\nSeveral false positives identified, check for suspicious file names or locations (e.g. Temp folders)'),(7856,'Issue',435,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.parent.executable.keyword:*\\\\WINWORD.EXE AND process.executable.keyword:*\\\\FLTLDR.exe*)\nindex: so-*\nname: Exploit for CVE-2017-0261\npriority: 3\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(7857,'Issue',435,9,'{{collapse(View Sigma)\n\n\ntitle: Exploit for CVE-2017-0261\nid: 864403a1-36c9-40a2-a982-4c9a45f7d833\nstatus: experimental\ndescription: Detects Winword starting uncommon sub process FLTLDR.exe as used in exploits\n for CVE-2017-0261 and CVE-2017-0262\nreferences:\n- https://www.fireeye.com/blog/threat-research/2017/05/eps-processing-zero-days.html\nauthor: Florian Roth\ndate: 2018/02/22\ntags:\n- attack.defense_evasion\n- attack.privilege_escalation\n- attack.t1055\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n ParentImage: \'*\\WINWORD.EXE\'\n Image: \'*\\FLTLDR.exe*\'\n condition: selection\nfalsepositives:\n- Several false positives identified, check for suspicious file names or locations\n (e.g. Temp folders)\nlevel: medium\n\n
\n}}'),(7858,'Issue',435,15,'T1055'),(7859,'Issue',436,1,'Droppers Exploiting CVE-2017-11882'),(7860,'Issue',436,2,'Florian Roth'),(7861,'Issue',436,8,'https://www.hybrid-analysis.com/sample/2a4ae284c76f868fc51d3bb65da8caa6efacb707f265b25c30f34250b76b7507?environmentId=100\nhttps://www.google.com/url?hl=en&q=https://embedi.com/blog/skeleton-closet-ms-office-vulnerability-you-didnt-know-about&source=gmail&ust=1511481120837000&usg=AFQjCNGdL7gVwLXaNSl2Td8ylDYbSJFmPw'),(7862,'Issue',436,10,'critical'),(7863,'Issue',436,13,'community'),(7864,'Issue',436,14,'windows'),(7866,'Issue',436,11,'dcfdfd6d6'),(7867,'Issue',436,12,'678eb5f4-8597-4be6-8be7-905e4234b53a'),(7868,'Issue',436,16,'win-proc'),(7869,'Issue',436,17,''),(7870,'Issue',436,7,''),(7871,'Issue',436,3,'Detects exploits that use CVE-2017-11882 to start EQNEDT32.EXE and other sub processes like mshta.exe'),(7872,'Issue',436,4,''),(7873,'Issue',436,5,'_False Positives_\nunknown\n\n_Interesting Log Fields_\nCommandLine'),(7874,'Issue',436,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.parent.executable.keyword:*\\\\EQNEDT32.EXE)\nindex: so-*\nname: Droppers Exploiting CVE-2017-11882\npriority: 1\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(7875,'Issue',436,9,'{{collapse(View Sigma)\n\n\ntitle: Droppers Exploiting CVE-2017-11882\nid: 678eb5f4-8597-4be6-8be7-905e4234b53a\nstatus: experimental\ndescription: Detects exploits that use CVE-2017-11882 to start EQNEDT32.EXE and other\n sub processes like mshta.exe\nreferences:\n- https://www.hybrid-analysis.com/sample/2a4ae284c76f868fc51d3bb65da8caa6efacb707f265b25c30f34250b76b7507?environmentId=100\n- https://www.google.com/url?hl=en&q=https://embedi.com/blog/skeleton-closet-ms-office-vulnerability-you-didnt-know-about&source=gmail&ust=1511481120837000&usg=AFQjCNGdL7gVwLXaNSl2Td8ylDYbSJFmPw\nauthor: Florian Roth\ndate: 2017/11/23\ntags:\n- attack.defense_evasion\n- attack.t1211\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n ParentImage: \'*\\EQNEDT32.EXE\'\n condition: selection\nfields:\n- CommandLine\nfalsepositives:\n- unknown\nlevel: critical\n\n
\n}}'),(7876,'Issue',436,15,'T1211'),(7877,'Issue',437,1,'Exploit for CVE-2017-8759'),(7878,'Issue',437,2,'Florian Roth'),(7879,'Issue',437,8,'https://www.hybrid-analysis.com/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100\nhttps://www.reverse.it/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100'),(7880,'Issue',437,10,'critical'),(7881,'Issue',437,13,'community'),(7882,'Issue',437,14,'windows'),(7884,'Issue',437,11,'d2eddb460'),(7885,'Issue',437,12,'fdd84c68-a1f6-47c9-9477-920584f94905'),(7886,'Issue',437,16,'win-proc'),(7887,'Issue',437,17,''),(7888,'Issue',437,7,''),(7889,'Issue',437,3,'Detects Winword starting uncommon sub process csc.exe as used in exploits for CVE-2017-8759'),(7890,'Issue',437,4,''),(7891,'Issue',437,5,'_False Positives_\nUnknown'),(7892,'Issue',437,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.parent.executable.keyword:*\\\\WINWORD.EXE AND process.executable.keyword:*\\\\csc.exe)\nindex: so-*\nname: Exploit for CVE-2017-8759\npriority: 1\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(7893,'Issue',437,9,'{{collapse(View Sigma)\n\n\ntitle: Exploit for CVE-2017-8759\nid: fdd84c68-a1f6-47c9-9477-920584f94905\ndescription: Detects Winword starting uncommon sub process csc.exe as used in exploits\n for CVE-2017-8759\nreferences:\n- https://www.hybrid-analysis.com/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100\n- https://www.reverse.it/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100\ntags:\n- attack.execution\n- attack.t1203\nauthor: Florian Roth\ndate: 2017/09/15\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n ParentImage: \'*\\WINWORD.EXE\'\n Image: \'*\\csc.exe\'\n condition: selection\nfalsepositives:\n- Unknown\nlevel: critical\n\n
\n}}'),(7894,'Issue',437,15,'T1203'),(7895,'Issue',438,1,'Exploiting SetupComplete.cmd CVE-2019-1378'),(7896,'Issue',438,2,'Florian Roth'),(7897,'Issue',438,8,'https://www.embercybersecurity.com/blog/cve-2019-1378-exploiting-an-access-control-privilege-escalation-vulnerability-in-windows-10-update-assistant-wua'),(7898,'Issue',438,10,'high'),(7899,'Issue',438,13,'community'),(7900,'Issue',438,14,'windows'),(7902,'Issue',438,11,'b2c8941b7'),(7903,'Issue',438,12,'1c373b6d-76ce-4553-997d-8c1da9a6b5f5'),(7904,'Issue',438,16,'win-proc'),(7905,'Issue',438,17,''),(7906,'Issue',438,7,''),(7907,'Issue',438,3,'Detects exploitation attempt of privilege escalation vulnerability via SetupComplete.cmd and PartnerSetupComplete.cmd decribed in CVE-2019-1378'),(7908,'Issue',438,4,''),(7909,'Issue',438,5,'_False Positives_\nUnknown'),(7910,'Issue',438,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.parent.command_line.keyword:(*\\\\cmd.exe\\ \\/c\\ C\\:\\\\Windows\\\\Setup\\\\Scripts\\\\SetupComplete.cmd OR *\\\\cmd.exe\\ \\/c\\ C\\:\\\\Windows\\\\Setup\\\\Scripts\\\\PartnerSetupComplete.cmd) AND (NOT (process.executable.keyword:(C\\:\\\\Windows\\\\System32\\\\* OR C\\:\\\\Windows\\\\SysWOW64\\\\* OR C\\:\\\\Windows\\\\WinSxS\\\\* OR C\\:\\\\Windows\\\\Setup\\\\*))))\nindex: so-*\nname: Exploiting SetupComplete.cmd CVE-2019-1378\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(7911,'Issue',438,9,'{{collapse(View Sigma)\n\n\ntitle: Exploiting SetupComplete.cmd CVE-2019-1378\nid: 1c373b6d-76ce-4553-997d-8c1da9a6b5f5\nstatus: experimental\ndescription: Detects exploitation attempt of privilege escalation vulnerability via\n SetupComplete.cmd and PartnerSetupComplete.cmd decribed in CVE-2019-1378\nreferences:\n- https://www.embercybersecurity.com/blog/cve-2019-1378-exploiting-an-access-control-privilege-escalation-vulnerability-in-windows-10-update-assistant-wua\nauthor: Florian Roth\ndate: 2019/11/15\ntags:\n- attack.defense_evasion\n- attack.privilege_escalation\n- attack.t1055\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n ParentCommandLine:\n - \'*\\cmd.exe /c C:\\Windows\\Setup\\Scripts\\SetupComplete.cmd\'\n - \'*\\cmd.exe /c C:\\Windows\\Setup\\Scripts\\PartnerSetupComplete.cmd\'\n filter:\n Image:\n - C:\\Windows\\System32\\\\*\n - C:\\Windows\\SysWOW64\\\\*\n - C:\\Windows\\WinSxS\\\\*\n - C:\\Windows\\Setup\\\\*\n condition: selection and not filter\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(7912,'Issue',438,15,'T1055'),(7913,'Issue',439,1,'Exploiting CVE-2019-1388'),(7914,'Issue',439,2,'Florian Roth'),(7915,'Issue',439,8,'https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1388\nhttps://www.zerodayinitiative.com/blog/2019/11/19/thanksgiving-treat-easy-as-pie-windows-7-secure-desktop-escalation-of-privilege'),(7916,'Issue',439,10,'critical'),(7917,'Issue',439,13,'community'),(7918,'Issue',439,14,'windows'),(7920,'Issue',439,11,'c6eb81dae'),(7921,'Issue',439,12,'02e0b2ea-a597-428e-b04a-af6a1a403e5c'),(7922,'Issue',439,16,'win-proc'),(7923,'Issue',439,17,''),(7924,'Issue',439,7,''),(7925,'Issue',439,3,'Detects an explotation attempt in which the UAC consent dialogue is used to invoke an Internet Explorer process running as LOCAL_SYSTEM'),(7926,'Issue',439,4,''),(7927,'Issue',439,5,'_False Positives_\nUnknown'),(7928,'Issue',439,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.parent.executable.keyword:*\\\\consent.exe AND process.executable.keyword:*\\\\iexplore.exe AND process.command_line.keyword:*\\ http* AND (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND (IntegrityLevel:\"System\" OR event_data.User:\"NT\\ AUTHORITY\\\\SYSTEM\"))\nindex: so-*\nname: Exploiting CVE-2019-1388\npriority: 1\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(7929,'Issue',439,9,'{{collapse(View Sigma)\n\n\ntitle: Exploiting CVE-2019-1388\nid: 02e0b2ea-a597-428e-b04a-af6a1a403e5c\nstatus: experimental\ndescription: Detects an explotation attempt in which the UAC consent dialogue is used\n to invoke an Internet Explorer process running as LOCAL_SYSTEM\nreferences:\n- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1388\n- https://www.zerodayinitiative.com/blog/2019/11/19/thanksgiving-treat-easy-as-pie-windows-7-secure-desktop-escalation-of-privilege\nauthor: Florian Roth\ndate: 2019/11/20\ntags:\n- attack.privilege_escalation\n- attack.t1068\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n ParentImage: \'*\\consent.exe\'\n Image: \'*\\iexplore.exe\'\n CommandLine: \'* http*\'\n rights1:\n IntegrityLevel: System\n rights2:\n User: NT AUTHORITY\\SYSTEM\n condition: selection and ( rights1 or rights2 )\nfalsepositives:\n- Unknown\nlevel: critical\n\n
\n}}'),(7930,'Issue',439,15,'T1068'),(7931,'Issue',440,1,'Exploited CVE-2020-10189 Zoho ManageEngine'),(7932,'Issue',440,2,'Florian Roth'),(7933,'Issue',440,8,'https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-10189\nhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10189\nhttps://vulmon.com/exploitdetails?qidtp=exploitdb&qid=48224'),(7934,'Issue',440,10,'critical'),(7935,'Issue',440,13,'community'),(7936,'Issue',440,14,'windows'),(7938,'Issue',440,11,'06cab2646'),(7939,'Issue',440,12,'846b866e-2a57-46ee-8e16-85fa92759be7'),(7940,'Issue',440,16,'win-proc'),(7941,'Issue',440,17,''),(7942,'Issue',440,7,''),(7943,'Issue',440,3,'Detects the exploitation of Zoho ManageEngine Desktop Central Java Deserialization vulnerability reported as CVE-2020-10189'),(7944,'Issue',440,4,''),(7945,'Issue',440,5,'_False Positives_\nUnknown'),(7946,'Issue',440,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.parent.executable.keyword:*DesktopCentral_Server\\\\jre\\\\bin\\\\java.exe AND process.executable.keyword:(*\\\\cmd.exe OR *\\\\powershell.exe OR *\\\\bitsadmin.exe))\nindex: so-*\nname: Exploited CVE-2020-10189 Zoho ManageEngine\npriority: 1\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(7947,'Issue',440,9,'{{collapse(View Sigma)\n\n\ntitle: Exploited CVE-2020-10189 Zoho ManageEngine\nid: 846b866e-2a57-46ee-8e16-85fa92759be7\nstatus: experimental\ndescription: Detects the exploitation of Zoho ManageEngine Desktop Central Java Deserialization\n vulnerability reported as CVE-2020-10189\nreferences:\n- https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html\n- https://nvd.nist.gov/vuln/detail/CVE-2020-10189\n- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10189\n- https://vulmon.com/exploitdetails?qidtp=exploitdb&qid=48224\nauthor: Florian Roth\ndate: 2020/03/25\ntags:\n- attack.initial_access\n- attack.t1190\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n ParentImage|endswith: DesktopCentral_Server\\jre\\bin\\java.exe\n Image|endswith:\n - \'*\\cmd.exe\'\n - \'*\\powershell.exe\'\n - \'*\\bitsadmin.exe\'\n condition: selection\nfalsepositives:\n- Unknown\nlevel: critical\n\n
\n}}'),(7948,'Issue',440,15,'T1190'),(7949,'Issue',441,1,'File or Folder Permissions Modifications'),(7950,'Issue',441,2,'Jakob Weinzettl, oscd.community'),(7951,'Issue',441,8,'https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222/T1222.yaml'),(7952,'Issue',441,10,'medium'),(7953,'Issue',441,13,'community'),(7954,'Issue',441,14,'windows'),(7956,'Issue',441,11,'1c2d67989'),(7957,'Issue',441,12,'37ae075c-271b-459b-8d7b-55ad5f993dd8'),(7958,'Issue',441,16,'win-proc'),(7959,'Issue',441,17,''),(7960,'Issue',441,7,''),(7961,'Issue',441,3,'Detects a file or folder permissions modifications'),(7962,'Issue',441,4,''),(7963,'Issue',441,5,'_False Positives_\nUsers interacting with the files on their own (unlikely unless power users)\n\n_Interesting Log Fields_\nComputerName\nUser\nCommandLine'),(7964,'Issue',441,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND ((process.executable.keyword:(*\\\\takeown.exe OR *\\\\cacls.exe OR *\\\\icacls.exe) AND process.command_line.keyword:*\\/grant*) OR (process.executable.keyword:*\\\\attrib.exe AND process.command_line.keyword:*\\-r*)))\nindex: so-*\nname: File or Folder Permissions Modifications\npriority: 3\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(7965,'Issue',441,9,'{{collapse(View Sigma)\n\n\ntitle: File or Folder Permissions Modifications\nid: 37ae075c-271b-459b-8d7b-55ad5f993dd8\nstatus: experimental\ndescription: Detects a file or folder permissions modifications\nreferences:\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222/T1222.yaml\nauthor: Jakob Weinzettl, oscd.community\ndate: 2019/10/23\nmodified: 2019/11/08\ntags:\n- attack.defense_evasion\n- attack.t1222\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n - Image|endswith:\n - \\takeown.exe\n - \\cacls.exe\n - \\icacls.exe\n CommandLine|contains: /grant\n - Image|endswith: \\attrib.exe\n CommandLine|contains: -r\n condition: selection\nfields:\n- ComputerName\n- User\n- CommandLine\nfalsepositives:\n- Users interacting with the files on their own (unlikely unless power users)\nlevel: medium\n\n
\n}}'),(7966,'Issue',441,15,'T1222'),(7967,'Issue',442,1,'Grabbing Sensitive Hives via Reg Utility'),(7968,'Issue',442,2,'Teymur Kheirkhabarov, Endgame, JHasenbusch, Daniil Yugoslavskiy, oscd.community'),(7969,'Issue',442,8,'https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment\nhttps://eqllib.readthedocs.io/en/latest/analytics/aed95fc6-5e3f-49dc-8b35-06508613f979.html\nhttps://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003/T1003.md'),(7970,'Issue',442,10,'medium'),(7971,'Issue',442,13,'community'),(7972,'Issue',442,14,'windows'),(7974,'Issue',442,11,'310cc8a8a'),(7975,'Issue',442,12,'fd877b94-9bb5-4191-bb25-d79cbd93c167'),(7976,'Issue',442,16,'win-proc'),(7977,'Issue',442,17,''),(7978,'Issue',442,7,''),(7979,'Issue',442,3,'Dump sam, system or security hives using REG.exe utility'),(7980,'Issue',442,4,''),(7981,'Issue',442,5,'_False Positives_\nDumping hives for legitimate purpouse i.e. backup or forensic investigation'),(7982,'Issue',442,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event_data.NewProcessName.keyword:*\\\\reg.exe AND process.command_line.keyword:(*save* OR *export*) AND process.command_line.keyword:(*hklm* OR *hkey_local_machine*) AND process.command_line.keyword:(*\\\\system OR *\\\\sam OR *\\\\security))\nindex: so-*\nname: Grabbing Sensitive Hives via Reg Utility\npriority: 3\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(7983,'Issue',442,9,'{{collapse(View Sigma)\n\n\ntitle: Grabbing Sensitive Hives via Reg Utility\nid: fd877b94-9bb5-4191-bb25-d79cbd93c167\ndescription: Dump sam, system or security hives using REG.exe utility\nauthor: Teymur Kheirkhabarov, Endgame, JHasenbusch, Daniil Yugoslavskiy, oscd.community\ndate: 2019/10/22\nreferences:\n- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment\n- https://eqllib.readthedocs.io/en/latest/analytics/aed95fc6-5e3f-49dc-8b35-06508613f979.html\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003/T1003.md\ntags:\n- attack.credential_access\n- attack.t1003\n- car.2013-07-001\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_1:\n NewProcessName: \'*\\reg.exe\'\n CommandLine|contains:\n - save\n - export\n selection_2:\n CommandLine|contains:\n - hklm\n - hkey_local_machine\n selection_3:\n CommandLine|endswith:\n - \\system\n - \\sam\n - \\security\n condition: selection_1 and selection_2 and selection_3\nfalsepositives:\n- Dumping hives for legitimate purpouse i.e. backup or forensic investigation\nlevel: medium\nstatus: experimental\n\n
\n}}'),(7984,'Issue',442,15,'T1003'),(7985,'Issue',443,1,'Bloodhound and Sharphound Hack Tool'),(7986,'Issue',443,2,'Florian Roth'),(7987,'Issue',443,8,'https://github.com/BloodHoundAD/BloodHound\nhttps://github.com/BloodHoundAD/SharpHound'),(7988,'Issue',443,10,'high'),(7989,'Issue',443,13,'community'),(7990,'Issue',443,14,'windows'),(7992,'Issue',443,11,'6b42c6f56'),(7993,'Issue',443,12,'f376c8a7-a2d0-4ddc-aa0c-16c17236d962'),(7994,'Issue',443,16,'win-proc'),(7995,'Issue',443,17,''),(7996,'Issue',443,7,''),(7997,'Issue',443,3,'Detects command line parameters used by Bloodhound and Sharphound hack tools'),(7998,'Issue',443,4,''),(7999,'Issue',443,5,'_False Positives_\nOther programs that use these command line option and accepts an \'All\' parameter'),(8000,'Issue',443,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND (process.executable.keyword:(*\\\\Bloodhound.exe* OR *\\\\SharpHound.exe*) OR process.command_line.keyword:(*\\ \\-CollectionMethod\\ All\\ * OR *.exe\\ \\-c\\ All\\ \\-d\\ * OR *Invoke\\-Bloodhound* OR *Get\\-BloodHoundData*) OR (process.command_line.keyword:*\\ \\-JsonFolder\\ * AND process.command_line.keyword:*\\ \\-ZipFileName\\ *) OR (process.command_line.keyword:*\\ DCOnly\\ * AND process.command_line.keyword:*\\ \\-\\-NoSaveCache\\ *)))\nindex: so-*\nname: Bloodhound and Sharphound Hack Tool\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(8001,'Issue',443,9,'{{collapse(View Sigma)\n\n\ntitle: Bloodhound and Sharphound Hack Tool\nid: f376c8a7-a2d0-4ddc-aa0c-16c17236d962\ndescription: Detects command line parameters used by Bloodhound and Sharphound hack\n tools\nauthor: Florian Roth\nreferences:\n- https://github.com/BloodHoundAD/BloodHound\n- https://github.com/BloodHoundAD/SharpHound\ndate: 2019/12/20\nmodified: 2019/12/21\ntags:\n- attack.discovery\n- attack.t1087\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection1:\n Image|contains:\n - \\Bloodhound.exe\n - \\SharpHound.exe\n selection2:\n CommandLine|contains:\n - \' -CollectionMethod All \'\n - \'.exe -c All -d \'\n - Invoke-Bloodhound\n - Get-BloodHoundData\n selection3:\n CommandLine|contains|all:\n - \' -JsonFolder \'\n - \' -ZipFileName \'\n selection4:\n CommandLine|contains|all:\n - \' DCOnly \'\n - \' --NoSaveCache \'\n condition: 1 of them\nfalsepositives:\n- Other programs that use these command line option and accepts an \'All\' parameter\nlevel: high\n\n
\n}}'),(8002,'Issue',443,15,'T1087'),(8003,'Issue',444,1,'Koadic Execution'),(8004,'Issue',444,2,'wagga'),(8005,'Issue',444,8,'https://unit42.paloaltonetworks.com/unit42-sofacy-groups-parallel-attacks/\nhttps://github.com/zerosum0x0/koadic/blob/master/data/stager/js/stdlib.js#L955\nhttps://blog.f-secure.com/hunting-for-koadic-a-com-based-rootkit/'),(8006,'Issue',444,10,'high'),(8007,'Issue',444,13,'community'),(8008,'Issue',444,14,'windows'),(8010,'Issue',444,11,'fa9937192'),(8011,'Issue',444,12,'5cddf373-ef00-4112-ad72-960ac29bac34'),(8012,'Issue',444,16,'win-proc'),(8013,'Issue',444,17,''),(8014,'Issue',444,7,''),(8015,'Issue',444,3,'Detects command line parameters used by Koadic hack tool'),(8016,'Issue',444,4,''),(8017,'Issue',444,5,'_False Positives_\nPentest\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(8018,'Issue',444,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(*cmd.exe*\\ \\/q\\ \\/c\\ chcp\\ *))\nindex: so-*\nname: Koadic Execution\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(8019,'Issue',444,9,'{{collapse(View Sigma)\n\n\ntitle: Koadic Execution\nid: 5cddf373-ef00-4112-ad72-960ac29bac34\nstatus: experimental\ndescription: Detects command line parameters used by Koadic hack tool\nreferences:\n- https://unit42.paloaltonetworks.com/unit42-sofacy-groups-parallel-attacks/\n- https://github.com/zerosum0x0/koadic/blob/master/data/stager/js/stdlib.js#L955\n- https://blog.f-secure.com/hunting-for-koadic-a-com-based-rootkit/\ntags:\n- attack.execution\n- attack.t1170\ndate: 2020/01/12\nauthor: wagga\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection1:\n CommandLine:\n - \'*cmd.exe* /q /c chcp *\'\n condition: selection1\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Pentest\nlevel: high\n\n
\n}}'),(8020,'Issue',444,15,'T1170'),(8021,'Issue',445,1,'Rubeus Hack Tool'),(8022,'Issue',445,2,'Florian Roth'),(8023,'Issue',445,8,'https://www.harmj0y.net/blog/redteaming/from-kekeo-to-rubeus/'),(8024,'Issue',445,10,'critical'),(8025,'Issue',445,13,'community'),(8026,'Issue',445,14,'windows'),(8028,'Issue',445,11,'ad40ec27e'),(8029,'Issue',445,12,'7ec2c172-dceb-4c10-92c9-87c1881b7e18'),(8030,'Issue',445,16,'win-proc'),(8031,'Issue',445,17,''),(8032,'Issue',445,7,''),(8033,'Issue',445,3,'Detects command line parameters used by Rubeus hack tool'),(8034,'Issue',445,4,''),(8035,'Issue',445,5,'_False Positives_\nunlikely'),(8036,'Issue',445,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(*\\ asreproast\\ * OR *\\ dump\\ \\/service\\:krbtgt\\ * OR *\\ kerberoast\\ * OR *\\ createnetonly\\ \\/program\\:* OR *\\ ptt\\ \\/ticket\\:* OR *\\ \\/impersonateuser\\:* OR *\\ renew\\ \\/ticket\\:* OR *\\ asktgt\\ \\/user\\:* OR *\\ harvest\\ \\/interval\\:*))\nindex: so-*\nname: Rubeus Hack Tool\npriority: 1\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(8037,'Issue',445,9,'{{collapse(View Sigma)\n\n\ntitle: Rubeus Hack Tool\nid: 7ec2c172-dceb-4c10-92c9-87c1881b7e18\ndescription: Detects command line parameters used by Rubeus hack tool\nauthor: Florian Roth\nreferences:\n- https://www.harmj0y.net/blog/redteaming/from-kekeo-to-rubeus/\ndate: 2018/12/19\ntags:\n- attack.credential_access\n- attack.t1003\n- attack.s0005\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n CommandLine:\n - \'* asreproast *\'\n - \'* dump /service:krbtgt *\'\n - \'* kerberoast *\'\n - \'* createnetonly /program:*\'\n - \'* ptt /ticket:*\'\n - \'* /impersonateuser:*\'\n - \'* renew /ticket:*\'\n - \'* asktgt /user:*\'\n - \'* harvest /interval:*\'\n condition: selection\nfalsepositives:\n- unlikely\nlevel: critical\n\n
\n}}'),(8038,'Issue',445,15,'T1003'),(8039,'Issue',446,1,'SecurityXploded Tool'),(8040,'Issue',446,2,'Florian Roth'),(8041,'Issue',446,8,'https://securityxploded.com/\nhttps://cyberx-labs.com/blog/gangnam-industrial-style-apt-campaign-targets-korean-industrial-companies/'),(8042,'Issue',446,10,'critical'),(8043,'Issue',446,13,'community'),(8044,'Issue',446,14,'windows'),(8046,'Issue',446,11,'21368bb4b'),(8047,'Issue',446,12,'7679d464-4f74-45e2-9e01-ac66c5eb041a'),(8048,'Issue',446,16,'win-proc'),(8049,'Issue',446,17,''),(8050,'Issue',446,7,''),(8051,'Issue',446,3,'Detects the execution of SecurityXploded Tools'),(8052,'Issue',446,4,''),(8053,'Issue',446,5,'_False Positives_\nunlikely'),(8054,'Issue',446,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND (event_data.Company:\"SecurityXploded\" OR process.executable.keyword:*PasswordDump.exe OR OriginalFilename.keyword:*PasswordDump.exe))\nindex: so-*\nname: SecurityXploded Tool\npriority: 1\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(8055,'Issue',446,9,'{{collapse(View Sigma)\n\n\ntitle: SecurityXploded Tool\nid: 7679d464-4f74-45e2-9e01-ac66c5eb041a\ndescription: Detects the execution of SecurityXploded Tools\nauthor: Florian Roth\nreferences:\n- https://securityxploded.com/\n- https://cyberx-labs.com/blog/gangnam-industrial-style-apt-campaign-targets-korean-industrial-companies/\ndate: 2018/12/19\ntags:\n- attack.credential_access\n- attack.t1003\n- attack.s0005\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection1:\n Company: SecurityXploded\n selection2:\n Image|endswith: PasswordDump.exe\n selection3:\n OriginalFilename|endswith: PasswordDump.exe\n condition: 1 of them\nfalsepositives:\n- unlikely\nlevel: critical\n\n
\n}}'),(8056,'Issue',446,15,'T1003'),(8057,'Issue',447,1,'HH.exe Execution'),(8058,'Issue',447,2,'E.M. Anhaus (orignally from Atomic Blue Detections, Dan Beavin), oscd.community'),(8059,'Issue',447,8,'https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1223/T1223.yaml\nhttps://eqllib.readthedocs.io/en/latest/analytics/b25aa548-7937-11e9-8f5c-d46d6d62a49e.html'),(8060,'Issue',447,10,'high'),(8061,'Issue',447,13,'community'),(8062,'Issue',447,14,'windows'),(8064,'Issue',447,11,'0cb0c3bd8'),(8065,'Issue',447,12,'68c8acb4-1b60-4890-8e82-3ddf7a6dba84'),(8066,'Issue',447,16,'win-proc'),(8067,'Issue',447,17,''),(8068,'Issue',447,7,''),(8069,'Issue',447,3,'Identifies usage of hh.exe executing recently modified .chm files.'),(8070,'Issue',447,4,''),(8071,'Issue',447,5,'_False Positives_\nunlike\n\n_Interesting Log Fields_\nComputerName\nUser\nCommandLine'),(8072,'Issue',447,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\hh.exe AND process.command_line.keyword:*.chm*)\nindex: so-*\nname: HH.exe Execution\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(8073,'Issue',447,9,'{{collapse(View Sigma)\n\n\ntitle: HH.exe Execution\nid: 68c8acb4-1b60-4890-8e82-3ddf7a6dba84\ndescription: Identifies usage of hh.exe executing recently modified .chm files.\nstatus: experimental\nauthor: E.M. Anhaus (orignally from Atomic Blue Detections, Dan Beavin), oscd.community\nreferences:\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1223/T1223.yaml\n- https://eqllib.readthedocs.io/en/latest/analytics/b25aa548-7937-11e9-8f5c-d46d6d62a49e.html\ndate: 2019/10/24\nmodified: 2019/11/11\ntags:\n- attack.defense_evasion\n- attack.execution\n- attack.t1223\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n Image|endswith: \\hh.exe\n CommandLine|contains: .chm\n condition: selection\nfields:\n- ComputerName\n- User\n- CommandLine\nfalsepositives:\n- unlike\nlevel: high\n\n
\n}}'),(8074,'Issue',447,15,'T1223'),(8075,'Issue',448,1,'HTML Help Shell Spawn'),(8076,'Issue',448,2,'Maxim Pavlunin'),(8077,'Issue',448,8,'https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/chm-badness-delivers-a-banking-trojan/'),(8078,'Issue',448,10,'high'),(8079,'Issue',448,13,'community'),(8080,'Issue',448,14,'windows'),(8082,'Issue',448,11,'6ba3a1ad3'),(8083,'Issue',448,12,'52cad028-0ff0-4854-8f67-d25dfcbc78b4'),(8084,'Issue',448,16,'win-proc'),(8085,'Issue',448,17,''),(8086,'Issue',448,7,''),(8087,'Issue',448,3,'Detects a suspicious child process of a Microsoft HTML Help system when executing compiled HTML files (.chm)'),(8088,'Issue',448,4,''),(8089,'Issue',448,5,'_False Positives_\nunknown\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(8090,'Issue',448,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.parent.executable:\"C\\:\\\\Windows\\\\hh.exe\" AND process.executable.keyword:(*\\\\cmd.exe OR *\\\\powershell.exe OR *\\\\wscript.exe OR *\\\\cscript.exe OR *\\\\regsvr32.exe OR *\\\\wmic.exe OR *\\\\rundll32.exe))\nindex: so-*\nname: HTML Help Shell Spawn\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(8091,'Issue',448,9,'{{collapse(View Sigma)\n\n\ntitle: HTML Help Shell Spawn\nid: 52cad028-0ff0-4854-8f67-d25dfcbc78b4\nstatus: experimental\ndescription: Detects a suspicious child process of a Microsoft HTML Help system when\n executing compiled HTML files (.chm)\nreferences:\n- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/chm-badness-delivers-a-banking-trojan/\nauthor: Maxim Pavlunin\ndate: 2020/04/01\nmodified: 2020/04/03\ntags:\n- attack.execution\n- attack.defense_evasion\n- attack.t1223\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n ParentImage: C:\\Windows\\hh.exe\n Image|endswith:\n - \\cmd.exe\n - \\powershell.exe\n - \\wscript.exe\n - \\cscript.exe\n - \\regsvr32.exe\n - \\wmic.exe\n - \\rundll32.exe\n condition: selection\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- unknown\nlevel: high\n\n
\n}}'),(8092,'Issue',448,15,'T1223'),(8093,'Issue',449,1,'Suspicious HWP Sub Processes'),(8094,'Issue',449,2,'Florian Roth'),(8095,'Issue',449,8,'https://www.securitynewspaper.com/2016/11/23/technical-teardown-exploit-malware-hwp-files/\nhttps://www.hybrid-analysis.com/search?query=context:74940dcc5b38f9f9b1a0fea760d344735d7d91b610e6d5bd34533dd0153402c5&from_sample=5db135000388385a7644131f&block_redirect=1\nhttps://twitter.com/cyberwar_15/status/1187287262054076416\nhttps://blog.alyac.co.kr/1901\nhttps://en.wikipedia.org/wiki/Hangul_(word_processor)'),(8096,'Issue',449,10,'high'),(8097,'Issue',449,13,'community'),(8098,'Issue',449,14,'windows'),(8100,'Issue',449,11,'45f9c4d54'),(8101,'Issue',449,12,'023394c4-29d5-46ab-92b8-6a534c6f447b'),(8102,'Issue',449,16,'win-proc'),(8103,'Issue',449,17,''),(8104,'Issue',449,7,''),(8105,'Issue',449,3,'Detects suspicious Hangul Word Processor (Hanword) sub processes that could indicate an exploitation'),(8106,'Issue',449,4,''),(8107,'Issue',449,5,'_False Positives_\nUnknown'),(8108,'Issue',449,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.parent.executable.keyword:*\\\\Hwp.exe AND process.executable.keyword:*\\\\gbb.exe)\nindex: so-*\nname: Suspicious HWP Sub Processes\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(8109,'Issue',449,9,'{{collapse(View Sigma)\n\n\ntitle: Suspicious HWP Sub Processes\nid: 023394c4-29d5-46ab-92b8-6a534c6f447b\ndescription: Detects suspicious Hangul Word Processor (Hanword) sub processes that\n could indicate an exploitation\nstatus: experimental\nreferences:\n- https://www.securitynewspaper.com/2016/11/23/technical-teardown-exploit-malware-hwp-files/\n- https://www.hybrid-analysis.com/search?query=context:74940dcc5b38f9f9b1a0fea760d344735d7d91b610e6d5bd34533dd0153402c5&from_sample=5db135000388385a7644131f&block_redirect=1\n- https://twitter.com/cyberwar_15/status/1187287262054076416\n- https://blog.alyac.co.kr/1901\n- https://en.wikipedia.org/wiki/Hangul_(word_processor)\ntags:\n- attack.execution\n- attack.defense_evasion\n- attack.initial_access\n- attack.t1059\n- attack.t1202\n- attack.t1193\n- attack.g0032\nauthor: Florian Roth\ndate: 2019/10/24\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n ParentImage: \'*\\Hwp.exe\'\n Image: \'*\\gbb.exe\'\n condition: selection\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(8110,'Issue',449,15,'T1059'),(8111,'Issue',449,15,'T1202'),(8112,'Issue',449,15,'T1193'),(8113,'Issue',450,1,'Impacket Lateralization Detection'),(8114,'Issue',450,2,'Ecco'),(8115,'Issue',450,8,'https://github.com/SecureAuthCorp/impacket/blob/master/examples/wmiexec.py\nhttps://github.com/SecureAuthCorp/impacket/blob/master/examples/atexec.py\nhttps://github.com/SecureAuthCorp/impacket/blob/master/examples/smbexec.py\nhttps://github.com/SecureAuthCorp/impacket/blob/master/examples/dcomexec.py'),(8116,'Issue',450,10,'critical'),(8117,'Issue',450,13,'community'),(8118,'Issue',450,14,'windows'),(8120,'Issue',450,11,'bfb0c817e'),(8121,'Issue',450,12,'10c14723-61c7-4c75-92ca-9af245723ad2'),(8122,'Issue',450,16,'win-proc'),(8123,'Issue',450,17,''),(8124,'Issue',450,7,''),(8125,'Issue',450,3,'Detects wmiexec/dcomexec/atexec/smbexec from Impacket framework'),(8126,'Issue',450,4,''),(8127,'Issue',450,5,'_False Positives_\npentesters\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(8128,'Issue',450,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND ((process.parent.executable.keyword:(*\\\\wmiprvse.exe OR *\\\\mmc.exe OR *\\\\explorer.exe OR *\\\\services.exe) AND process.command_line.keyword:(*cmd.exe*\\ \\/Q\\ \\/c\\ *\\ \\\\\\\\127.0.0.1\\\\*&1*)) OR (process.parent.command_line.keyword:(*svchost.exe\\ \\-k\\ netsvcs OR taskeng.exe*) AND process.command_line.keyword:(cmd.exe\\ \\/C\\ *Windows\\\\Temp\\\\*&1))))\nindex: so-*\nname: Impacket Lateralization Detection\npriority: 1\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(8129,'Issue',450,9,'{{collapse(View Sigma)\n\n\ntitle: Impacket Lateralization Detection\nid: 10c14723-61c7-4c75-92ca-9af245723ad2\nstatus: experimental\ndescription: Detects wmiexec/dcomexec/atexec/smbexec from Impacket framework\nreferences:\n- https://github.com/SecureAuthCorp/impacket/blob/master/examples/wmiexec.py\n- https://github.com/SecureAuthCorp/impacket/blob/master/examples/atexec.py\n- https://github.com/SecureAuthCorp/impacket/blob/master/examples/smbexec.py\n- https://github.com/SecureAuthCorp/impacket/blob/master/examples/dcomexec.py\nauthor: Ecco\ndate: 2019/09/03\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_other:\n ParentImage:\n - \'*\\wmiprvse.exe\'\n - \'*\\mmc.exe\'\n - \'*\\explorer.exe\'\n - \'*\\services.exe\'\n CommandLine:\n - \'*cmd.exe* /Q /c * \\\\\\\\127.0.0.1\\\\*&1*\'\n selection_atexec:\n ParentCommandLine:\n - \'*svchost.exe -k netsvcs\'\n - taskeng.exe*\n CommandLine:\n - cmd.exe /C *Windows\\\\Temp\\\\*&1\n condition: (1 of selection_*)\nfields:\n- CommandLine\n- ParentCommandLine\ntags:\n- attack.lateral_movement\n- attack.t1047\n- attack.t1175\nfalsepositives:\n- pentesters\nlevel: critical\n\n
\n}}'),(8130,'Issue',450,15,'T1047'),(8131,'Issue',450,15,'T1175'),(8132,'Issue',451,1,'Indirect Command Execution'),(8133,'Issue',451,2,'E.M. Anhaus (orignally from Atomic Blue Detections, Endgame), oscd.community'),(8134,'Issue',451,8,'https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1202/T1202.yaml\nhttps://eqllib.readthedocs.io/en/latest/analytics/884a7ccd-7305-4130-82d0-d4f90bc118b6.html'),(8135,'Issue',451,10,'low'),(8136,'Issue',451,13,'community'),(8137,'Issue',451,14,'windows'),(8139,'Issue',451,11,'4448f85f5'),(8140,'Issue',451,12,'fa47597e-90e9-41cd-ab72-c3b74cfb0d02'),(8141,'Issue',451,16,'win-proc'),(8142,'Issue',451,17,''),(8143,'Issue',451,7,''),(8144,'Issue',451,3,'Detect indirect command execution via Program Compatibility Assistant pcalua.exe or forfiles.exe'),(8145,'Issue',451,4,''),(8146,'Issue',451,5,'_False Positives_\nNeed to use extra processing with \'unique_count\' / \'filter\' to focus on outliers as opposed to commonly seen artifacts\nLegit usage of scripts\n\n_Interesting Log Fields_\nComputerName\nUser\nParentCommandLine\nCommandLine'),(8147,'Issue',451,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.parent.executable.keyword:(*\\\\pcalua.exe OR *\\\\forfiles.exe))\nindex: so-*\nname: Indirect Command Execution\npriority: 4\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(8148,'Issue',451,9,'{{collapse(View Sigma)\n\n\ntitle: Indirect Command Execution\nid: fa47597e-90e9-41cd-ab72-c3b74cfb0d02\ndescription: Detect indirect command execution via Program Compatibility Assistant\n pcalua.exe or forfiles.exe\nstatus: experimental\nauthor: E.M. Anhaus (orignally from Atomic Blue Detections, Endgame), oscd.community\nreferences:\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1202/T1202.yaml\n- https://eqllib.readthedocs.io/en/latest/analytics/884a7ccd-7305-4130-82d0-d4f90bc118b6.html\ndate: 2019/10/24\nmodified: 2019/11/11\ntags:\n- attack.defense_evasion\n- attack.t1202\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n ParentImage|endswith:\n - \\pcalua.exe\n - \\forfiles.exe\n condition: selection\nfields:\n- ComputerName\n- User\n- ParentCommandLine\n- CommandLine\nfalsepositives:\n- Need to use extra processing with \'unique_count\' / \'filter\' to focus on outliers\n as opposed to commonly seen artifacts\n- Legit usage of scripts\nlevel: low\n\n
\n}}'),(8149,'Issue',451,15,'T1202'),(8150,'Issue',452,1,'Suspicious Debugger Registration Cmdline'),(8151,'Issue',452,2,'Florian Roth'),(8152,'Issue',452,8,'https://blogs.technet.microsoft.com/jonathantrull/2016/10/03/detecting-sticky-key-backdoors/'),(8153,'Issue',452,10,'high'),(8154,'Issue',452,13,'community'),(8155,'Issue',452,14,'windows'),(8157,'Issue',452,11,'8447d556d'),(8158,'Issue',452,12,'ae215552-081e-44c7-805f-be16f975c8a2'),(8159,'Issue',452,16,'win-proc'),(8160,'Issue',452,17,''),(8161,'Issue',452,7,''),(8162,'Issue',452,3,'Detects the registration of a debugger for a program that is available in the logon screen (sticky key backdoor).'),(8163,'Issue',452,4,''),(8164,'Issue',452,5,'_False Positives_\nPenetration Tests'),(8165,'Issue',452,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(*\\\\CurrentVersion\\\\Image\\ File\\ Execution\\ Options\\\\sethc.exe* OR *\\\\CurrentVersion\\\\Image\\ File\\ Execution\\ Options\\\\utilman.exe* OR *\\\\CurrentVersion\\\\Image\\ File\\ Execution\\ Options\\\\osk.exe* OR *\\\\CurrentVersion\\\\Image\\ File\\ Execution\\ Options\\\\magnify.exe* OR *\\\\CurrentVersion\\\\Image\\ File\\ Execution\\ Options\\\\narrator.exe* OR *\\\\CurrentVersion\\\\Image\\ File\\ Execution\\ Options\\\\displayswitch.exe* OR *\\\\CurrentVersion\\\\Image\\ File\\ Execution\\ Options\\\\atbroker.exe*))\nindex: so-*\nname: Suspicious Debugger Registration Cmdline\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(8166,'Issue',452,9,'{{collapse(View Sigma)\n\n\ntitle: Suspicious Debugger Registration Cmdline\nid: ae215552-081e-44c7-805f-be16f975c8a2\nstatus: experimental\ndescription: Detects the registration of a debugger for a program that is available\n in the logon screen (sticky key backdoor).\nreferences:\n- https://blogs.technet.microsoft.com/jonathantrull/2016/10/03/detecting-sticky-key-backdoors/\ntags:\n- attack.persistence\n- attack.privilege_escalation\n- attack.t1015\nauthor: Florian Roth\ndate: 2019/09/06\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n CommandLine:\n - \'*\\CurrentVersion\\Image File Execution Options\\sethc.exe*\'\n - \'*\\CurrentVersion\\Image File Execution Options\\utilman.exe*\'\n - \'*\\CurrentVersion\\Image File Execution Options\\osk.exe*\'\n - \'*\\CurrentVersion\\Image File Execution Options\\magnify.exe*\'\n - \'*\\CurrentVersion\\Image File Execution Options\\narrator.exe*\'\n - \'*\\CurrentVersion\\Image File Execution Options\\displayswitch.exe*\'\n - \'*\\CurrentVersion\\Image File Execution Options\\atbroker.exe*\'\n condition: selection\nfalsepositives:\n- Penetration Tests\nlevel: high\n\n
\n}}'),(8167,'Issue',452,15,'T1015'),(8168,'Issue',453,1,'Interactive AT Job'),(8169,'Issue',453,2,'E.M. Anhaus (orignally from Atomic Blue Detections, Endgame), oscd.community'),(8170,'Issue',453,8,'https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053/T1053.yaml\nhttps://eqllib.readthedocs.io/en/latest/analytics/d8db43cf-ed52-4f5c-9fb3-c9a4b95a0b56.html'),(8171,'Issue',453,10,'high'),(8172,'Issue',453,13,'community'),(8173,'Issue',453,14,'windows'),(8175,'Issue',453,11,'deff452c1'),(8176,'Issue',453,12,'60fc936d-2eb0-4543-8a13-911c750a1dfc'),(8177,'Issue',453,16,'win-proc'),(8178,'Issue',453,17,''),(8179,'Issue',453,7,''),(8180,'Issue',453,3,'Detect an interactive AT job, which may be used as a form of privilege escalation'),(8181,'Issue',453,4,''),(8182,'Issue',453,5,'_False Positives_\nUnlikely (at.exe deprecated as of Windows 8)\n\n_Interesting Log Fields_\nComputerName\nUser\nCommandLine'),(8183,'Issue',453,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\at.exe AND process.command_line.keyword:*interactive*)\nindex: so-*\nname: Interactive AT Job\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(8184,'Issue',453,9,'{{collapse(View Sigma)\n\n\ntitle: Interactive AT Job\nid: 60fc936d-2eb0-4543-8a13-911c750a1dfc\ndescription: Detect an interactive AT job, which may be used as a form of privilege\n escalation\nstatus: experimental\nauthor: E.M. Anhaus (orignally from Atomic Blue Detections, Endgame), oscd.community\nreferences:\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053/T1053.yaml\n- https://eqllib.readthedocs.io/en/latest/analytics/d8db43cf-ed52-4f5c-9fb3-c9a4b95a0b56.html\ndate: 2019/10/24\nmodified: 2019/11/11\ntags:\n- attack.privilege_escalation\n- attack.t1053\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n Image|endswith: \\at.exe\n CommandLine|contains: interactive\n condition: selection\nfields:\n- ComputerName\n- User\n- CommandLine\nfalsepositives:\n- Unlikely (at.exe deprecated as of Windows 8)\nlevel: high\n\n
\n}}'),(8185,'Issue',453,15,'T1053'),(8186,'Issue',454,1,'Invoke-Obfuscation Obfuscated IEX Invocation'),(8187,'Issue',454,2,'Daniel Bohannon (@Mandiant/@FireEye), oscd.community'),(8188,'Issue',454,8,'none'),(8189,'Issue',454,10,'high'),(8190,'Issue',454,13,'community'),(8191,'Issue',454,14,'windows'),(8193,'Issue',454,11,'6d2baff57'),(8194,'Issue',454,12,'4bf943c6-5146-4273-98dd-e958fd1e3abf'),(8195,'Issue',454,16,'win-proc'),(8196,'Issue',454,17,''),(8197,'Issue',454,7,''),(8198,'Issue',454,3,'Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block — https://github.com/danielbohannon/Invoke-Obfuscation/blob/master/Out-ObfuscatedStringCommand.ps1#L873-L888'),(8199,'Issue',454,4,''),(8200,'Issue',454,5,'_False Positives_\nUnknown'),(8201,'Issue',454,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (process.command_line:/\\$PSHome\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$PSHome\\[/ OR process.command_line:/\\$ShellId\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$ShellId\\[/ OR process.command_line:/\\$env:Public\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$env:Public\\[/ OR process.command_line:/\\$env:ComSpec\\[(\\s*\\d{1,3}\\s*,){2}/ OR process.command_line:/\\*mdr\\*\\W\\s*\\)\\.Name/ OR process.command_line:/\\$VerbosePreference\\.ToString\\(/ OR process.command_line:/\\String\\]\\s*\\$VerbosePreference/)\nindex: so-*\nname: Invoke-Obfuscation Obfuscated IEX Invocation\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(8202,'Issue',454,9,'{{collapse(View Sigma)\n\n\ntitle: Invoke-Obfuscation Obfuscated IEX Invocation\nid: 4bf943c6-5146-4273-98dd-e958fd1e3abf\ndescription: Detects all variations of obfuscated powershell IEX invocation code generated\n by Invoke-Obfuscation framework from the following code block — https://github.com/danielbohannon/Invoke-Obfuscation/blob/master/Out-ObfuscatedStringCommand.ps1#L873-L888\nstatus: experimental\nauthor: Daniel Bohannon (@Mandiant/@FireEye), oscd.community\ndate: 2019/11/08\ntags:\n- attack.defense_evasion\n- attack.t1027\nlogsource:\n product: windows\n service: process_creation\ndetection:\n selection:\n - CommandLine|re: \\$PSHome\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$PSHome\\[\n - CommandLine|re: \\$ShellId\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$ShellId\\[\n - CommandLine|re: \\$env:Public\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$env:Public\\[\n - CommandLine|re: \\$env:ComSpec\\[(\\s*\\d{1,3}\\s*,){2}\n - CommandLine|re: \\*mdr\\*\\W\\s*\\)\\.Name\n - CommandLine|re: \\$VerbosePreference\\.ToString\\(\n - CommandLine|re: \\String\\]\\s*\\$VerbosePreference\n condition: selection\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(8203,'Issue',454,15,'T1027'),(8204,'Issue',455,1,'Windows Kernel and 3rd-Party Drivers Exploits Token Stealing'),(8205,'Issue',455,2,'Teymur Kheirkhabarov (source), Daniil Yugoslavskiy (rule)'),(8206,'Issue',455,8,'https://www.slideshare.net/heirhabarov/hunting-for-privilege-escalation-in-windows-environment'),(8207,'Issue',455,10,'critical'),(8208,'Issue',455,13,'community'),(8209,'Issue',455,14,'windows'),(8211,'Issue',455,11,'1425eee14'),(8212,'Issue',455,12,'8065b1b4-1778-4427-877f-6bf948b26d38'),(8213,'Issue',455,16,'win-proc'),(8214,'Issue',455,17,''),(8215,'Issue',455,7,''),(8216,'Issue',455,3,'Detection of child processes spawned with SYSTEM privileges by parents with non-SYSTEM privileges and Medium integrity level'),(8217,'Issue',455,4,''),(8218,'Issue',455,5,'_False Positives_\nUnknown'),(8219,'Issue',455,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND ParentIntegrityLevel:\"Medium\" AND IntegrityLevel:\"System\" AND event_data.User:\"NT\\ AUTHORITY\\\\SYSTEM\")\nindex: so-*\nname: Windows Kernel and 3rd-Party Drivers Exploits Token Stealing\npriority: 1\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(8220,'Issue',455,9,'{{collapse(View Sigma)\n\n\ntitle: Windows Kernel and 3rd-Party Drivers Exploits Token Stealing\nid: 8065b1b4-1778-4427-877f-6bf948b26d38\ndescription: Detection of child processes spawned with SYSTEM privileges by parents\n with non-SYSTEM privileges and Medium integrity level\nreferences:\n- https://www.slideshare.net/heirhabarov/hunting-for-privilege-escalation-in-windows-environment\ntags:\n- attack.privilege_escalation\n- attack.t1068\nstatus: experimental\nauthor: Teymur Kheirkhabarov (source), Daniil Yugoslavskiy (rule)\ndate: 2019/06/03\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n ParentIntegrityLevel: Medium\n IntegrityLevel: System\n User: NT AUTHORITY\\SYSTEM\n condition: selection\nfalsepositives:\n- Unknown\nlevel: critical\nenrichment:\n- EN_0001_cache_sysmon_event_id_1_info\n- EN_0002_enrich_sysmon_event_id_1_with_parent_info\n\n
\n}}'),(8221,'Issue',455,15,'T1068'),(8222,'Issue',456,1,'MSHTA Spwaned by SVCHOST'),(8223,'Issue',456,2,'Markus Neis'),(8224,'Issue',456,8,'https://codewhitesec.blogspot.com/2018/07/lethalhta.html'),(8225,'Issue',456,10,'high'),(8226,'Issue',456,13,'community'),(8227,'Issue',456,14,'windows'),(8229,'Issue',456,11,'f443dd9d3'),(8230,'Issue',456,12,'ed5d72a6-f8f4-479d-ba79-02f6a80d7471'),(8231,'Issue',456,16,'win-proc'),(8232,'Issue',456,17,''),(8233,'Issue',456,7,''),(8234,'Issue',456,3,'Detects MSHTA.EXE spwaned by SVCHOST as seen in LethalHTA and described in report'),(8235,'Issue',456,4,''),(8236,'Issue',456,5,'_False Positives_\nUnknown'),(8237,'Issue',456,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.parent.executable.keyword:*\\\\svchost.exe AND process.executable.keyword:*\\\\mshta.exe)\nindex: so-*\nname: MSHTA Spwaned by SVCHOST\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(8238,'Issue',456,9,'{{collapse(View Sigma)\n\n\ntitle: MSHTA Spwaned by SVCHOST\nid: ed5d72a6-f8f4-479d-ba79-02f6a80d7471\nstatus: experimental\ndescription: Detects MSHTA.EXE spwaned by SVCHOST as seen in LethalHTA and described\n in report\nreferences:\n- https://codewhitesec.blogspot.com/2018/07/lethalhta.html\ntags:\n- attack.defense_evasion\n- attack.execution\n- attack.t1170\nauthor: Markus Neis\ndate: 2018/06/07\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n ParentImage: \'*\\svchost.exe\'\n Image: \'*\\mshta.exe\'\n condition: selection\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(8239,'Issue',456,15,'T1170'),(8240,'Issue',457,1,'Local Accounts Discovery'),(8241,'Issue',457,2,'Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community'),(8242,'Issue',457,8,'https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1033/T1033.yaml'),(8243,'Issue',457,10,'low'),(8244,'Issue',457,13,'community'),(8245,'Issue',457,14,'windows'),(8247,'Issue',457,11,'94d1a7cce'),(8248,'Issue',457,12,'502b42de-4306-40b4-9596-6f590c81f073'),(8249,'Issue',457,16,'win-proc'),(8250,'Issue',457,17,''),(8251,'Issue',457,7,''),(8252,'Issue',457,3,'Local accounts, System Owner/User discovery using operating systems utilities'),(8253,'Issue',457,4,''),(8254,'Issue',457,5,'_False Positives_\nLegitimate administrator or user enumerates local users for legitimate reason\n\n_Interesting Log Fields_\nImage\nCommandLine\nUser\nLogonGuid\nHashes\nParentProcessGuid\nParentCommandLine'),(8255,'Issue',457,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (((process.executable.keyword:*\\\\whoami.exe OR (process.executable.keyword:*\\\\wmic.exe AND process.command_line.keyword:*useraccount* AND process.command_line.keyword:*get*) OR process.executable.keyword:(*\\\\quser.exe OR *\\\\qwinsta.exe) OR (process.executable.keyword:*\\\\cmdkey.exe AND process.command_line.keyword:*\\/list*) OR (process.executable.keyword:*\\\\cmd.exe AND process.command_line.keyword:*\\/c* AND process.command_line.keyword:*dir\\ * AND process.command_line.keyword:*\\\\Users\\*)) AND (NOT (process.command_line.keyword:(*\\ rmdir\\ *)))) OR ((process.executable.keyword:(*\\\\net.exe OR *\\\\net1.exe) AND process.command_line.keyword:*user*) AND (NOT (process.command_line.keyword:(*\\/domain* OR *\\/add* OR *\\/delete* OR *\\/active* OR *\\/expires* OR *\\/passwordreq* OR *\\/scriptpath* OR *\\/times* OR *\\/workstations*))))))\nindex: so-*\nname: Local Accounts Discovery\npriority: 4\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(8256,'Issue',457,9,'{{collapse(View Sigma)\n\n\ntitle: Local Accounts Discovery\nid: 502b42de-4306-40b4-9596-6f590c81f073\nstatus: experimental\ndescription: Local accounts, System Owner/User discovery using operating systems utilities\nauthor: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community\ndate: 2019/10/21\nmodified: 2019/11/04\nreferences:\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1033/T1033.yaml\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_1:\n - Image|endswith: \\whoami.exe\n - Image|endswith: \\wmic.exe\n CommandLine|contains|all:\n - useraccount\n - get\n - Image|endswith:\n - \\quser.exe\n - \\qwinsta.exe\n - Image|endswith: \\cmdkey.exe\n CommandLine|contains: /list\n - Image|endswith: \\cmd.exe\n CommandLine|contains|all:\n - /c\n - \'dir \'\n - \\Users\\\n filter_1:\n CommandLine|contains:\n - \' rmdir \'\n selection_2:\n Image|endswith:\n - \\net.exe\n - \\net1.exe\n CommandLine|contains: user\n filter_2:\n CommandLine|contains:\n - /domain\n - /add\n - /delete\n - /active\n - /expires\n - /passwordreq\n - /scriptpath\n - /times\n - /workstations\n condition: (selection_1 and not filter_1) or ( selection_2 and not filter_2)\nfields:\n- Image\n- CommandLine\n- User\n- LogonGuid\n- Hashes\n- ParentProcessGuid\n- ParentCommandLine\nfalsepositives:\n- Legitimate administrator or user enumerates local users for legitimate reason\nlevel: low\ntags:\n- attack.discovery\n- attack.t1033\n- attack.t1087\n\n
\n}}'),(8257,'Issue',457,15,'T1033'),(8258,'Issue',457,15,'T1087'),(8259,'Issue',458,1,'LSASS Memory Dumping'),(8260,'Issue',458,2,'E.M. Anhaus (orignally from Atomic Blue Detections, Tony Lambert), oscd.community'),(8261,'Issue',458,8,'https://eqllib.readthedocs.io/en/latest/analytics/1e1ef6be-12fc-11e9-8d76-4d6bb837cda4.html\nhttps://eqllib.readthedocs.io/en/latest/analytics/210b4ea4-12fc-11e9-8d76-4d6bb837cda4.html\nhttps://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003/T1003.yaml'),(8262,'Issue',458,10,'high'),(8263,'Issue',458,13,'community'),(8264,'Issue',458,14,'windows'),(8266,'Issue',458,11,'80532cee2'),(8267,'Issue',458,12,'ffa6861c-4461-4f59-8a41-578c39f3f23e'),(8268,'Issue',458,16,'win-proc'),(8269,'Issue',458,17,''),(8270,'Issue',458,7,''),(8271,'Issue',458,3,'Detect creation of dump files containing the memory space of lsass.exe, which contains sensitive credentials. Identifies usage of Sysinternals procdump.exe to export the memory space of lsass.exe which contains sensitive credentials.'),(8272,'Issue',458,4,''),(8273,'Issue',458,5,'_False Positives_\nUnlikely\n\n_Interesting Log Fields_\nComputerName\nUser\nCommandLine'),(8274,'Issue',458,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND (((process.command_line.keyword:*lsass* AND process.command_line.keyword:*.dmp*) AND (NOT (process.executable.keyword:*\\\\werfault.exe))) OR (process.executable.keyword:*\\\\procdump* AND process.executable.keyword:*.exe AND process.command_line.keyword:*lsass*)))\nindex: so-*\nname: LSASS Memory Dumping\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(8275,'Issue',458,9,'{{collapse(View Sigma)\n\n\ntitle: LSASS Memory Dumping\nid: ffa6861c-4461-4f59-8a41-578c39f3f23e\ndescription: Detect creation of dump files containing the memory space of lsass.exe,\n which contains sensitive credentials. Identifies usage of Sysinternals procdump.exe\n to export the memory space of lsass.exe which contains sensitive credentials.\nstatus: experimental\nauthor: E.M. Anhaus (orignally from Atomic Blue Detections, Tony Lambert), oscd.community\ndate: 2019/10/24\nmodified: 2019/11/11\nreferences:\n- https://eqllib.readthedocs.io/en/latest/analytics/1e1ef6be-12fc-11e9-8d76-4d6bb837cda4.html\n- https://eqllib.readthedocs.io/en/latest/analytics/210b4ea4-12fc-11e9-8d76-4d6bb837cda4.html\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003/T1003.yaml\ntags:\n- attack.credential_access\n- attack.t1003\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection1:\n CommandLine|contains|all:\n - lsass\n - .dmp\n selection2:\n Image|endswith: \\werfault.exe\n selection3:\n Image|contains: \\procdump\n Image|endswith: .exe\n CommandLine|contains: lsass\n condition: selection1 and not selection2 or selection3\nfields:\n- ComputerName\n- User\n- CommandLine\nfalsepositives:\n- Unlikely\nlevel: high\n\n
\n}}'),(8276,'Issue',458,15,'T1003'),(8277,'Issue',459,1,'Dridex Process Pattern'),(8278,'Issue',459,2,'Florian Roth'),(8279,'Issue',459,8,'https://app.any.run/tasks/993daa5e-112a-4ff6-8b5a-edbcec7c7ba3'),(8280,'Issue',459,10,'critical'),(8281,'Issue',459,13,'community'),(8282,'Issue',459,14,'windows'),(8284,'Issue',459,11,'89a943e8b'),(8285,'Issue',459,12,'e6eb5a96-9e6f-4a18-9cdd-642cfda21c8e'),(8286,'Issue',459,16,'win-proc'),(8287,'Issue',459,17,''),(8288,'Issue',459,7,''),(8289,'Issue',459,3,'Detects typical Dridex process patterns'),(8290,'Issue',459,4,''),(8291,'Issue',459,5,'_False Positives_\nUnlikely'),(8292,'Issue',459,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND (process.command_line.keyword:*\\\\svchost.exe\\ C\\:\\\\Users\\\\*\\\\Desktop\\\\* OR (process.parent.executable.keyword:*\\\\svchost.exe* AND process.command_line.keyword:(*whoami.exe\\ \\/all OR *net.exe\\ view))))\nindex: so-*\nname: Dridex Process Pattern\npriority: 1\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(8293,'Issue',459,9,'{{collapse(View Sigma)\n\n\ntitle: Dridex Process Pattern\nid: e6eb5a96-9e6f-4a18-9cdd-642cfda21c8e\nstatus: experimental\ndescription: Detects typical Dridex process patterns\nreferences:\n- https://app.any.run/tasks/993daa5e-112a-4ff6-8b5a-edbcec7c7ba3\nauthor: Florian Roth\ndate: 2019/01/10\ntags:\n- attack.defense_evasion\n- attack.privilege_escalation\n- attack.t1055\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection1:\n CommandLine: \'*\\svchost.exe C:\\Users\\\\*\\Desktop\\\\*\'\n selection2:\n ParentImage: \'*\\svchost.exe*\'\n CommandLine:\n - \'*whoami.exe /all\'\n - \'*net.exe view\'\n condition: 1 of them\nfalsepositives:\n- Unlikely\nlevel: critical\n\n
\n}}'),(8294,'Issue',459,15,'T1055'),(8295,'Issue',460,1,'DTRACK Process Creation'),(8296,'Issue',460,2,'Florian Roth'),(8297,'Issue',460,8,'https://securelist.com/my-name-is-dtrack/93338/\nhttps://app.any.run/tasks/4bc9860d-ab51-4077-9e09-59ad346b92fd/\nhttps://app.any.run/tasks/ce4deab5-3263-494f-93e3-afb2b9d79f14/'),(8298,'Issue',460,10,'critical'),(8299,'Issue',460,13,'community'),(8300,'Issue',460,14,'windows'),(8301,'Issue',460,15,''),(8302,'Issue',460,11,'1265efdfc'),(8303,'Issue',460,12,'f1531fa4-5b84-4342-8f68-9cf3fdbd83d4'),(8304,'Issue',460,16,'win-proc'),(8305,'Issue',460,17,''),(8306,'Issue',460,7,''),(8307,'Issue',460,3,'Detects specific process parameters as seen in DTRACK infections'),(8308,'Issue',460,4,''),(8309,'Issue',460,5,'_False Positives_\nUnlikely\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(8310,'Issue',460,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:*\\ echo\\ EEEE\\ \\ *)\nindex: so-*\nname: DTRACK Process Creation\npriority: 1\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(8311,'Issue',460,9,'{{collapse(View Sigma)\n\n\ntitle: DTRACK Process Creation\nid: f1531fa4-5b84-4342-8f68-9cf3fdbd83d4\nstatus: experimental\ndescription: Detects specific process parameters as seen in DTRACK infections\nauthor: Florian Roth\ndate: 2019/10/30\nreferences:\n- https://securelist.com/my-name-is-dtrack/93338/\n- https://app.any.run/tasks/4bc9860d-ab51-4077-9e09-59ad346b92fd/\n- https://app.any.run/tasks/ce4deab5-3263-494f-93e3-afb2b9d79f14/\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n CommandLine: \'* echo EEEE > *\'\n condition: selection\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Unlikely\nlevel: critical\n\n
\n}}'),(8312,'Issue',461,1,'Emotet Process Creation'),(8313,'Issue',461,2,'Florian Roth'),(8314,'Issue',461,8,'https://app.any.run/tasks/e13ab713-64cf-4b23-ad93-6dceaa5429ac/\nhttps://app.any.run/tasks/81f3c28c-c686-425d-8a2b-a98198d244e1/\nhttps://app.any.run/tasks/97f875e8-0e08-4328-815f-055e971ba754/\nhttps://app.any.run/tasks/84fc9b4a-ea2b-47b1-8aa6-9014402dfb56/'),(8315,'Issue',461,10,'critical'),(8316,'Issue',461,13,'community'),(8317,'Issue',461,14,'windows'),(8318,'Issue',461,15,''),(8319,'Issue',461,11,'22693b62c'),(8320,'Issue',461,12,'d02e8cf5-6099-48cf-9bfc-1eec2d0c7b18'),(8321,'Issue',461,16,'win-proc'),(8322,'Issue',461,17,''),(8323,'Issue',461,7,''),(8324,'Issue',461,3,'Detects all Emotet like process executions that are not covered by the more generic rules'),(8325,'Issue',461,4,''),(8326,'Issue',461,5,'_False Positives_\nUnlikely\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(8327,'Issue',461,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(*\\ \\-e*\\ PAA* OR *JABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQ* OR *QAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUA* OR *kAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlA* OR *IgAoACcAKgAnACkAOwAkA* OR *IAKAAnACoAJwApADsAJA* OR *iACgAJwAqACcAKQA7ACQA* OR *JABGAGwAeAByAGgAYwBmAGQ*))\nindex: so-*\nname: Emotet Process Creation\npriority: 1\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(8328,'Issue',461,9,'{{collapse(View Sigma)\n\n\ntitle: Emotet Process Creation\nid: d02e8cf5-6099-48cf-9bfc-1eec2d0c7b18\nstatus: experimental\ndescription: Detects all Emotet like process executions that are not covered by the\n more generic rules\nauthor: Florian Roth\ndate: 2019/09/30\nmodified: 2019/10/16\nreferences:\n- https://app.any.run/tasks/e13ab713-64cf-4b23-ad93-6dceaa5429ac/\n- https://app.any.run/tasks/81f3c28c-c686-425d-8a2b-a98198d244e1/\n- https://app.any.run/tasks/97f875e8-0e08-4328-815f-055e971ba754/\n- https://app.any.run/tasks/84fc9b4a-ea2b-47b1-8aa6-9014402dfb56/\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n CommandLine:\n - \'* -e* PAA*\'\n - \'*JABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQ*\'\n - \'*QAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUA*\'\n - \'*kAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlA*\'\n - \'*IgAoACcAKgAnACkAOwAkA*\'\n - \'*IAKAAnACoAJwApADsAJA*\'\n - \'*iACgAJwAqACcAKQA7ACQA*\'\n - \'*JABGAGwAeAByAGgAYwBmAGQ*\'\n condition: selection\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Unlikely\nlevel: critical\n\n
\n}}'),(8329,'Issue',462,1,'Formbook Process Creation'),(8330,'Issue',462,2,'Florian Roth'),(8331,'Issue',462,8,'https://inquest.net/blog/2018/06/22/a-look-at-formbook-stealer\nhttps://app.any.run/tasks/388d5802-aa48-4826-b069-250420504758/\nhttps://app.any.run/tasks/8e22486b-5edc-4cef-821c-373e945f296c/\nhttps://app.any.run/tasks/62bb01ae-25a4-4180-b278-8e464a90b8d7/'),(8332,'Issue',462,10,'critical'),(8333,'Issue',462,13,'community'),(8334,'Issue',462,14,'windows'),(8335,'Issue',462,15,''),(8336,'Issue',462,11,'a76fc01e3'),(8337,'Issue',462,12,'032f5fb3-d959-41a5-9263-4173c802dc2b'),(8338,'Issue',462,16,'win-proc'),(8339,'Issue',462,17,''),(8340,'Issue',462,7,''),(8341,'Issue',462,3,'Detects Formbook like process executions that inject code into a set of files in the System32 folder, which executes a special command command line to delete the dropper from the AppData Temp folder. We avoid false positives by excluding all parent process with command line parameters.'),(8342,'Issue',462,4,''),(8343,'Issue',462,5,'_False Positives_\nUnknown\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(8344,'Issue',462,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.parent.command_line.keyword:(C\\:\\\\Windows\\\\System32\\\\*.exe OR C\\:\\\\Windows\\\\SysWOW64\\\\*.exe) AND process.command_line.keyword:(*\\ \\/c\\ del\\ \\\"C\\:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\*.exe OR *\\ \\/c\\ del\\ \\\"C\\:\\\\Users\\\\*\\\\Desktop\\\\*.exe OR *\\ \\/C\\ type\\ nul\\ \\ \\\"C\\:\\\\Users\\\\*\\\\Desktop\\\\*.exe))\nindex: so-*\nname: Formbook Process Creation\npriority: 1\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(8345,'Issue',462,9,'{{collapse(View Sigma)\n\n\ntitle: Formbook Process Creation\nid: 032f5fb3-d959-41a5-9263-4173c802dc2b\nstatus: experimental\ndescription: Detects Formbook like process executions that inject code into a set\n of files in the System32 folder, which executes a special command command line to\n delete the dropper from the AppData Temp folder. We avoid false positives by excluding\n all parent process with command line parameters.\nauthor: Florian Roth\ndate: 2019/09/30\nmodified: 2019/10/31\nreferences:\n- https://inquest.net/blog/2018/06/22/a-look-at-formbook-stealer\n- https://app.any.run/tasks/388d5802-aa48-4826-b069-250420504758/\n- https://app.any.run/tasks/8e22486b-5edc-4cef-821c-373e945f296c/\n- https://app.any.run/tasks/62bb01ae-25a4-4180-b278-8e464a90b8d7/\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n ParentCommandLine:\n - C:\\Windows\\System32\\\\*.exe\n - C:\\Windows\\SysWOW64\\\\*.exe\n CommandLine:\n - \'* /c del \"C:\\Users\\\\*\\AppData\\Local\\Temp\\\\*.exe\'\n - \'* /c del \"C:\\Users\\\\*\\Desktop\\\\*.exe\'\n - \'* /C type nul > \"C:\\Users\\\\*\\Desktop\\\\*.exe\'\n condition: selection\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Unknown\nlevel: critical\n\n
\n}}'),(8346,'Issue',463,1,'NotPetya Ransomware Activity'),(8347,'Issue',463,2,'Florian Roth, Tom Ueltschi'),(8348,'Issue',463,8,'https://securelist.com/schroedingers-petya/78870/\nhttps://www.hybrid-analysis.com/sample/64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1?environmentId=100'),(8349,'Issue',463,10,'critical'),(8350,'Issue',463,13,'community'),(8351,'Issue',463,14,'windows'),(8353,'Issue',463,11,'f1d5345d2'),(8354,'Issue',463,12,'79aeeb41-8156-4fac-a0cd-076495ab82a1'),(8355,'Issue',463,16,'win-proc'),(8356,'Issue',463,17,''),(8357,'Issue',463,7,''),(8358,'Issue',463,3,'Detects NotPetya ransomware activity in which the extracted passwords are passed back to the main module via named pipe, the file system journal of drive C is deleted and windows eventlogs are cleared using wevtutil'),(8359,'Issue',463,4,''),(8360,'Issue',463,5,'_False Positives_\nAdmin activity\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(8361,'Issue',463,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND (process.command_line.keyword:*\\\\AppData\\\\Local\\\\Temp\\\\*\\ \\\\.\\\\pipe\\\\* OR (process.executable.keyword:*\\\\rundll32.exe AND process.command_line.keyword:*.dat,#1) OR *\\\\perfc.dat*))\nindex: so-*\nname: NotPetya Ransomware Activity\npriority: 1\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(8362,'Issue',463,9,'{{collapse(View Sigma)\n\n\ntitle: NotPetya Ransomware Activity\nid: 79aeeb41-8156-4fac-a0cd-076495ab82a1\nstatus: experimental\ndescription: Detects NotPetya ransomware activity in which the extracted passwords\n are passed back to the main module via named pipe, the file system journal of drive\n C is deleted and windows eventlogs are cleared using wevtutil\nauthor: Florian Roth, Tom Ueltschi\ndate: 2019/01/16\nreferences:\n- https://securelist.com/schroedingers-petya/78870/\n- https://www.hybrid-analysis.com/sample/64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1?environmentId=100\ntags:\n- attack.execution\n- attack.credential_access\n- attack.defense_evasion\n- attack.t1085\n- attack.t1070\n- attack.t1003\n- car.2016-04-002\nlogsource:\n category: process_creation\n product: windows\ndetection:\n pipe_com:\n CommandLine: \'*\\AppData\\Local\\Temp\\\\* \\\\.\\pipe\\\\*\'\n rundll32_dash1:\n Image: \'*\\rundll32.exe\'\n CommandLine: \'*.dat,#1\'\n perfc_keyword:\n - \'*\\perfc.dat*\'\n condition: 1 of them\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Admin activity\nlevel: critical\n\n
\n}}'),(8363,'Issue',463,15,'T1085'),(8364,'Issue',463,15,'T1070'),(8365,'Issue',463,15,'T1003'),(8366,'Issue',464,1,'QBot Process Creation'),(8367,'Issue',464,2,'Florian Roth'),(8368,'Issue',464,8,'https://twitter.com/killamjr/status/1179034907932315648\nhttps://app.any.run/tasks/2e0647b7-eb86-4f72-904b-d2d0ecac07d1/'),(8369,'Issue',464,10,'critical'),(8370,'Issue',464,13,'community'),(8371,'Issue',464,14,'windows'),(8372,'Issue',464,15,''),(8373,'Issue',464,11,'046681e0b'),(8374,'Issue',464,12,'4fcac6eb-0287-4090-8eea-2602e4c20040'),(8375,'Issue',464,16,'win-proc'),(8376,'Issue',464,17,''),(8377,'Issue',464,7,''),(8378,'Issue',464,3,'Detects QBot like process executions'),(8379,'Issue',464,4,''),(8380,'Issue',464,5,'_False Positives_\nUnlikely\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(8381,'Issue',464,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND ((process.parent.executable.keyword:*\\\\WinRAR.exe AND process.executable.keyword:*\\\\wscript.exe) OR process.command_line.keyword:*\\ \\/c\\ ping.exe\\ \\-n\\ 6\\ 127.0.0.1\\ &\\ type\\ *))\nindex: so-*\nname: QBot Process Creation\npriority: 1\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(8382,'Issue',464,9,'{{collapse(View Sigma)\n\n\ntitle: QBot Process Creation\nid: 4fcac6eb-0287-4090-8eea-2602e4c20040\nstatus: experimental\ndescription: Detects QBot like process executions\nauthor: Florian Roth\ndate: 2019/10/01\nreferences:\n- https://twitter.com/killamjr/status/1179034907932315648\n- https://app.any.run/tasks/2e0647b7-eb86-4f72-904b-d2d0ecac07d1/\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection1:\n ParentImage: \'*\\WinRAR.exe\'\n Image: \'*\\wscript.exe\'\n selection2:\n CommandLine: \'* /c ping.exe -n 6 127.0.0.1 & type *\'\n condition: selection1 or selection2\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Unlikely\nlevel: critical\n\n
\n}}'),(8383,'Issue',465,1,'Ryuk Ransomware'),(8384,'Issue',465,2,'Florian Roth'),(8385,'Issue',465,8,'https://app.any.run/tasks/d860402c-3ff4-4c1f-b367-0237da714ed1/'),(8386,'Issue',465,10,'critical'),(8387,'Issue',465,13,'community'),(8388,'Issue',465,14,'windows'),(8389,'Issue',465,15,''),(8390,'Issue',465,11,'78f7434fc'),(8391,'Issue',465,12,'c37510b8-2107-4b78-aa32-72f251e7a844'),(8392,'Issue',465,16,'win-proc'),(8393,'Issue',465,17,''),(8394,'Issue',465,7,''),(8395,'Issue',465,3,'Detects Ryuk ransomware activity'),(8396,'Issue',465,4,''),(8397,'Issue',465,5,'_False Positives_\nUnlikely\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(8398,'Issue',465,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:*Microsoft\\\\Windows\\\\CurrentVersion\\\\Run* AND process.command_line.keyword:*C\\:\\\\users\\\\Public\\*)\nindex: so-*\nname: Ryuk Ransomware\npriority: 1\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(8399,'Issue',465,9,'{{collapse(View Sigma)\n\n\ntitle: Ryuk Ransomware\nid: c37510b8-2107-4b78-aa32-72f251e7a844\nstatus: experimental\ndescription: Detects Ryuk ransomware activity\nauthor: Florian Roth\ndate: 2019/12/16\nreferences:\n- https://app.any.run/tasks/d860402c-3ff4-4c1f-b367-0237da714ed1/\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n CommandLine|contains|all:\n - Microsoft\\Windows\\CurrentVersion\\Run\n - C:\\users\\Public\\\n condition: selection\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Unlikely\nlevel: critical\n\n
\n}}'),(8400,'Issue',466,1,'WScript or CScript Dropper'),(8401,'Issue',466,2,'Margaritis Dimitrios (idea), Florian Roth (rule)'),(8402,'Issue',466,8,'none'),(8403,'Issue',466,10,'high'),(8404,'Issue',466,13,'community'),(8405,'Issue',466,14,'windows'),(8407,'Issue',466,11,'163533995'),(8408,'Issue',466,12,'cea72823-df4d-4567-950c-0b579eaf0846'),(8409,'Issue',466,16,'win-proc'),(8410,'Issue',466,17,''),(8411,'Issue',466,7,''),(8412,'Issue',466,3,'Detects wscript/cscript executions of scripts located in user directories'),(8413,'Issue',466,4,''),(8414,'Issue',466,5,'_False Positives_\nWinzip\nOther self-extractors\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(8415,'Issue',466,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (process.executable.keyword:(*\\\\wscript.exe OR *\\\\cscript.exe) AND process.command_line.keyword:(*\\ C\\:\\\\Users\\\\*.jse\\ * OR *\\ C\\:\\\\Users\\\\*.vbe\\ * OR *\\ C\\:\\\\Users\\\\*.js\\ * OR *\\ C\\:\\\\Users\\\\*.vba\\ * OR *\\ C\\:\\\\Users\\\\*.vbs\\ * OR *\\ C\\:\\\\ProgramData\\\\*.jse\\ * OR *\\ C\\:\\\\ProgramData\\\\*.vbe\\ * OR *\\ C\\:\\\\ProgramData\\\\*.js\\ * OR *\\ C\\:\\\\ProgramData\\\\*.vba\\ * OR *\\ C\\:\\\\ProgramData\\\\*.vbs\\ *)) AND (NOT (process.parent.executable.keyword:*\\\\winzip*)))\nindex: so-*\nname: WScript or CScript Dropper\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(8416,'Issue',466,9,'{{collapse(View Sigma)\n\n\ntitle: WScript or CScript Dropper\nid: cea72823-df4d-4567-950c-0b579eaf0846\nstatus: experimental\ndescription: Detects wscript/cscript executions of scripts located in user directories\nauthor: Margaritis Dimitrios (idea), Florian Roth (rule)\ndate: 2019/01/16\ntags:\n- attack.defense_evasion\n- attack.execution\n- attack.t1064\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n Image:\n - \'*\\wscript.exe\'\n - \'*\\cscript.exe\'\n CommandLine:\n - \'* C:\\Users\\\\*.jse *\'\n - \'* C:\\Users\\\\*.vbe *\'\n - \'* C:\\Users\\\\*.js *\'\n - \'* C:\\Users\\\\*.vba *\'\n - \'* C:\\Users\\\\*.vbs *\'\n - \'* C:\\ProgramData\\\\*.jse *\'\n - \'* C:\\ProgramData\\\\*.vbe *\'\n - \'* C:\\ProgramData\\\\*.js *\'\n - \'* C:\\ProgramData\\\\*.vba *\'\n - \'* C:\\ProgramData\\\\*.vbs *\'\n falsepositive:\n ParentImage: \'*\\winzip*\'\n condition: selection and not falsepositive\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Winzip\n- Other self-extractors\nlevel: high\n\n
\n}}'),(8417,'Issue',466,15,'T1064'),(8418,'Issue',467,1,'Trickbot Malware Recon Activity'),(8419,'Issue',467,2,'David Burkett'),(8420,'Issue',467,8,'https://www.sneakymonkey.net/2019/05/22/trickbot-analysis/'),(8421,'Issue',467,10,'critical'),(8422,'Issue',467,13,'community'),(8423,'Issue',467,14,'windows'),(8425,'Issue',467,11,'1482df18d'),(8426,'Issue',467,12,'410ad193-a728-4107-bc79-4419789fcbf8'),(8427,'Issue',467,16,'win-proc'),(8428,'Issue',467,17,''),(8429,'Issue',467,7,''),(8430,'Issue',467,3,'Trickbot enumerates domain/network topology and executes certain commands automatically every few minutes. This detectors attempts to identify that activity based off a command rarely observed in an enterprise network.'),(8431,'Issue',467,4,''),(8432,'Issue',467,5,'_False Positives_\nRare System Admin Activity\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(8433,'Issue',467,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:(*\\\\nltest.exe) AND process.command_line:(\"\\/domain_trusts\\ \\/all_trusts\" OR \"\\/domain_trusts\"))\nindex: so-*\nname: Trickbot Malware Recon Activity\npriority: 1\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(8434,'Issue',467,9,'{{collapse(View Sigma)\n\n\ntitle: Trickbot Malware Recon Activity\nid: 410ad193-a728-4107-bc79-4419789fcbf8\nstatus: experimental\ndescription: Trickbot enumerates domain/network topology and executes certain commands\n automatically every few minutes. This detectors attempts to identify that activity\n based off a command rarely observed in an enterprise network.\nreferences:\n- https://www.sneakymonkey.net/2019/05/22/trickbot-analysis/\nauthor: David Burkett\ndate: 2019/12/28\ntags:\n- attack.t1482\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n Image:\n - \'*\\nltest.exe\'\n CommandLine:\n - /domain_trusts /all_trusts\n - /domain_trusts\n condition: selection\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Rare System Admin Activity\nlevel: critical\n\n
\n}}'),(8435,'Issue',467,15,'T1482'),(8436,'Issue',468,1,'WannaCry Ransomware'),(8437,'Issue',468,2,'Florian Roth (rule), Tom U. @c_APT_ure (collection)'),(8438,'Issue',468,8,'https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100'),(8439,'Issue',468,10,'critical'),(8440,'Issue',468,13,'community'),(8441,'Issue',468,14,'windows'),(8442,'Issue',468,15,''),(8443,'Issue',468,11,'39c3b0af5'),(8444,'Issue',468,12,'41d40bff-377a-43e2-8e1b-2e543069e079'),(8445,'Issue',468,16,'win-proc'),(8446,'Issue',468,17,''),(8447,'Issue',468,7,''),(8448,'Issue',468,3,'Detects WannaCry ransomware activity'),(8449,'Issue',468,4,''),(8450,'Issue',468,5,'_False Positives_\nDiskpart.exe usage to manage partitions on the local hard drive\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(8451,'Issue',468,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND (process.executable.keyword:(*\\\\tasksche.exe OR *\\\\mssecsvc.exe OR *\\\\taskdl.exe OR *\\\\@WanaDecryptor@* OR *\\\\WanaDecryptor* OR *\\\\taskhsvc.exe OR *\\\\taskse.exe OR *\\\\111.exe OR *\\\\lhdfrgui.exe OR *\\\\diskpart.exe OR *\\\\linuxnew.exe OR *\\\\wannacry.exe) OR process.command_line.keyword:(*icacls\\ *\\ \\/grant\\ Everyone\\:F\\ \\/T\\ \\/C\\ \\/Q* OR *bcdedit\\ \\/set\\ \\{default\\}\\ recoveryenabled\\ no* OR *wbadmin\\ delete\\ catalog\\ \\-quiet* OR *@Please_Read_Me@.txt*)))\nindex: so-*\nname: WannaCry Ransomware\npriority: 1\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(8452,'Issue',468,9,'{{collapse(View Sigma)\n\n\ntitle: WannaCry Ransomware\nid: 41d40bff-377a-43e2-8e1b-2e543069e079\nstatus: experimental\ndescription: Detects WannaCry ransomware activity\nreferences:\n- https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100\nauthor: Florian Roth (rule), Tom U. @c_APT_ure (collection)\ndate: 2019/01/16\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection1:\n Image:\n - \'*\\tasksche.exe\'\n - \'*\\mssecsvc.exe\'\n - \'*\\taskdl.exe\'\n - \'*\\@WanaDecryptor@*\'\n - \'*\\WanaDecryptor*\'\n - \'*\\taskhsvc.exe\'\n - \'*\\taskse.exe\'\n - \'*\\111.exe\'\n - \'*\\lhdfrgui.exe\'\n - \'*\\diskpart.exe\'\n - \'*\\linuxnew.exe\'\n - \'*\\wannacry.exe\'\n selection2:\n CommandLine:\n - \'*icacls * /grant Everyone:F /T /C /Q*\'\n - \'*bcdedit /set {default} recoveryenabled no*\'\n - \'*wbadmin delete catalog -quiet*\'\n - \'*@Please_Read_Me@.txt*\'\n condition: 1 of them\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Diskpart.exe usage to manage partitions on the local hard drive\nlevel: critical\n\n
\n}}'),(8453,'Issue',469,1,'MavInject Process Injection'),(8454,'Issue',469,2,'Florian Roth'),(8455,'Issue',469,8,'https://twitter.com/gN3mes1s/status/941315826107510784\nhttps://reaqta.com/2017/12/mavinject-microsoft-injector/\nhttps://twitter.com/Hexacorn/status/776122138063409152'),(8456,'Issue',469,10,'critical'),(8457,'Issue',469,13,'community'),(8458,'Issue',469,14,'windows'),(8460,'Issue',469,11,'313d39562'),(8461,'Issue',469,12,'17eb8e57-9983-420d-ad8a-2c4976c22eb8'),(8462,'Issue',469,16,'win-proc'),(8463,'Issue',469,17,''),(8464,'Issue',469,7,''),(8465,'Issue',469,3,'Detects process injection using the signed Windows tool Mavinject32.exe'),(8466,'Issue',469,4,''),(8467,'Issue',469,5,'_False Positives_\nunknown'),(8468,'Issue',469,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:*\\ \\/INJECTRUNNING\\ *)\nindex: so-*\nname: MavInject Process Injection\npriority: 1\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(8469,'Issue',469,9,'{{collapse(View Sigma)\n\n\ntitle: MavInject Process Injection\nid: 17eb8e57-9983-420d-ad8a-2c4976c22eb8\nstatus: experimental\ndescription: Detects process injection using the signed Windows tool Mavinject32.exe\nreferences:\n- https://twitter.com/gN3mes1s/status/941315826107510784\n- https://reaqta.com/2017/12/mavinject-microsoft-injector/\n- https://twitter.com/Hexacorn/status/776122138063409152\nauthor: Florian Roth\ndate: 2018/12/12\ntags:\n- attack.t1055\n- attack.t1218\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n CommandLine: \'* /INJECTRUNNING *\'\n condition: selection\nfalsepositives:\n- unknown\nlevel: critical\n\n
\n}}'),(8470,'Issue',469,15,'T1055'),(8471,'Issue',469,15,'T1218'),(8472,'Issue',470,1,'Meterpreter or Cobalt Strike Getsystem Service Start'),(8473,'Issue',470,2,'Teymur Kheirkhabarov'),(8474,'Issue',470,8,'https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment\nhttps://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/'),(8475,'Issue',470,10,'high'),(8476,'Issue',470,13,'community'),(8477,'Issue',470,14,'windows'),(8479,'Issue',470,11,'faf8435b3'),(8480,'Issue',470,12,'15619216-e993-4721-b590-4c520615a67d'),(8481,'Issue',470,16,'win-proc'),(8482,'Issue',470,17,''),(8483,'Issue',470,7,''),(8484,'Issue',470,3,'Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service starting'),(8485,'Issue',470,4,''),(8486,'Issue',470,5,'_False Positives_\nCommandlines containing components like cmd accidentally\nJobs and services started with cmd\n\n_Interesting Log Fields_\nComputerName\nUser\nCommandLine'),(8487,'Issue',470,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (process.parent.executable.keyword:*\\\\services.exe AND (process.command_line.keyword:(*cmd* OR *comspec*) OR (process.command_line.keyword:*cmd* AND process.command_line.keyword:*\\/c* AND process.command_line.keyword:*echo* AND process.command_line.keyword:*\\\\pipe\\*) OR (process.command_line.keyword:*%COMSPEC%* AND process.command_line.keyword:*\\/c* AND process.command_line.keyword:*echo* AND process.command_line.keyword:*\\\\pipe\\*) OR (process.command_line.keyword:*rundll32* AND process.command_line.keyword:*.dll,a* AND process.command_line.keyword:*\\/p\\:*))) AND (NOT (process.command_line.keyword:*MpCmdRun*)))\nindex: so-*\nname: Meterpreter or Cobalt Strike Getsystem Service Start\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(8488,'Issue',470,9,'{{collapse(View Sigma)\n\n\ntitle: Meterpreter or Cobalt Strike Getsystem Service Start\nid: 15619216-e993-4721-b590-4c520615a67d\ndescription: Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting\n a specific service starting\nauthor: Teymur Kheirkhabarov\ndate: 2019/10/26\nmodified: 2019/11/11\nreferences:\n- https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment\n- https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/\ntags:\n- attack.privilege_escalation\n- attack.t1134\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_1:\n ParentImage|endswith: \\services.exe\n selection_2:\n - CommandLine|contains:\n - cmd\n - comspec\n - CommandLine|contains|all:\n - cmd\n - /c\n - echo\n - \\pipe\\\n - CommandLine|contains|all:\n - \'%COMSPEC%\'\n - /c\n - echo\n - \\pipe\\\n - CommandLine|contains|all:\n - rundll32\n - .dll,a\n - \'/p:\'\n filter1:\n CommandLine|contains: MpCmdRun\n condition: selection_1 and selection_2 and not filter1\nfields:\n- ComputerName\n- User\n- CommandLine\nfalsepositives:\n- Commandlines containing components like cmd accidentally\n- Jobs and services started with cmd\nlevel: high\n\n
\n}}'),(8489,'Issue',470,15,'T1134'),(8490,'Issue',471,1,'Mimikatz Command Line'),(8491,'Issue',471,2,'Teymur Kheirkhabarov, oscd.community'),(8492,'Issue',471,8,'https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment'),(8493,'Issue',471,10,'medium'),(8494,'Issue',471,13,'community'),(8495,'Issue',471,14,'windows'),(8497,'Issue',471,11,'f9e688b06'),(8498,'Issue',471,12,'a642964e-bead-4bed-8910-1bb4d63e3b4d'),(8499,'Issue',471,16,'win-proc'),(8500,'Issue',471,17,''),(8501,'Issue',471,7,''),(8502,'Issue',471,3,'Detection well-known mimikatz command line arguments'),(8503,'Issue',471,4,''),(8504,'Issue',471,5,'_False Positives_\nLegitimate Administrator using tool for password recovery'),(8505,'Issue',471,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND (process.command_line.keyword:(*DumpCreds* OR *invoke\\-mimikatz*) OR (process.command_line.keyword:(*rpc* OR *token* OR *crypto* OR *dpapi* OR *sekurlsa* OR *kerberos* OR *lsadump* OR *privilege* OR *process*) AND process.command_line.keyword:(*\\:\\:*))))\nindex: so-*\nname: Mimikatz Command Line\npriority: 3\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(8506,'Issue',471,9,'{{collapse(View Sigma)\n\n\ntitle: Mimikatz Command Line\nid: a642964e-bead-4bed-8910-1bb4d63e3b4d\ndescription: Detection well-known mimikatz command line arguments\nauthor: Teymur Kheirkhabarov, oscd.community\ndate: 2019/10/22\nreferences:\n- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment\ntags:\n- attack.credential_access\n- attack.t1003\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_1:\n CommandLine|contains:\n - DumpCreds\n - invoke-mimikatz\n selection_2:\n CommandLine|contains:\n - rpc\n - token\n - crypto\n - dpapi\n - sekurlsa\n - kerberos\n - lsadump\n - privilege\n - process\n selection_3:\n CommandLine|contains:\n - \'::\'\n condition: selection_1 or selection_2 and selection_3\nfalsepositives:\n- Legitimate Administrator using tool for password recovery\nlevel: medium\nstatus: experimental\n\n
\n}}'),(8507,'Issue',471,15,'T1003'),(8508,'Issue',472,1,'MMC Spawning Windows Shell'),(8509,'Issue',472,2,'Karneades, Swisscom CSIRT'),(8510,'Issue',472,8,'none'),(8511,'Issue',472,10,'high'),(8512,'Issue',472,13,'community'),(8513,'Issue',472,14,'windows'),(8515,'Issue',472,11,'5af2839b3'),(8516,'Issue',472,12,'05a2ab7e-ce11-4b63-86db-ab32e763e11d'),(8517,'Issue',472,16,'win-proc'),(8518,'Issue',472,17,''),(8519,'Issue',472,7,''),(8520,'Issue',472,3,'Detects a Windows command line executable started from MMC.'),(8521,'Issue',472,4,''),(8522,'Issue',472,5,'_False Positives_\n Unknown\n\n_Interesting Log Fields_\nCommandLine\nImage\nParentCommandLine'),(8523,'Issue',472,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.parent.executable.keyword:*\\\\mmc.exe AND process.executable.keyword:(*\\\\cmd.exe OR *\\\\powershell.exe OR *\\\\wscript.exe OR *\\\\cscript.exe OR *\\\\sh.exe OR *\\\\bash.exe OR *\\\\reg.exe OR *\\\\regsvr32.exe OR *\\\\BITSADMIN*))\nindex: so-*\nname: MMC Spawning Windows Shell\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(8524,'Issue',472,9,'{{collapse(View Sigma)\n\n\ntitle: MMC Spawning Windows Shell\nid: 05a2ab7e-ce11-4b63-86db-ab32e763e11d\nstatus: experimental\ndescription: Detects a Windows command line executable started from MMC.\nauthor: Karneades, Swisscom CSIRT\ndate: 2019/08/05\ntags:\n- attack.lateral_movement\n- attack.t1175\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n ParentImage: \'*\\mmc.exe\'\n Image:\n - \'*\\cmd.exe\'\n - \'*\\powershell.exe\'\n - \'*\\wscript.exe\'\n - \'*\\cscript.exe\'\n - \'*\\sh.exe\'\n - \'*\\bash.exe\'\n - \'*\\reg.exe\'\n - \'*\\regsvr32.exe\'\n - \'*\\BITSADMIN*\'\n condition: selection\nfields:\n- CommandLine\n- Image\n- ParentCommandLine\nlevel: high\n\n
\n}}'),(8525,'Issue',472,15,'T1175'),(8526,'Issue',473,1,'MSHTA Spawning Windows Shell'),(8527,'Issue',473,2,'Michael Haag'),(8528,'Issue',473,8,'https://www.trustedsec.com/july-2015/malicious-htas/'),(8529,'Issue',473,10,'high'),(8530,'Issue',473,13,'community'),(8531,'Issue',473,14,'windows'),(8533,'Issue',473,11,'16c1a6c19'),(8534,'Issue',473,12,'03cc0c25-389f-4bf8-b48d-11878079f1ca'),(8535,'Issue',473,16,'win-proc'),(8536,'Issue',473,17,''),(8537,'Issue',473,7,''),(8538,'Issue',473,3,'Detects a Windows command line executable started from MSHTA.'),(8539,'Issue',473,4,''),(8540,'Issue',473,5,'_False Positives_\nPrinter software / driver installations\nHP software\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(8541,'Issue',473,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.parent.executable.keyword:*\\\\mshta.exe AND process.executable.keyword:(*\\\\cmd.exe OR *\\\\powershell.exe OR *\\\\wscript.exe OR *\\\\cscript.exe OR *\\\\sh.exe OR *\\\\bash.exe OR *\\\\reg.exe OR *\\\\regsvr32.exe OR *\\\\BITSADMIN*))\nindex: so-*\nname: MSHTA Spawning Windows Shell\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(8542,'Issue',473,9,'{{collapse(View Sigma)\n\n\ntitle: MSHTA Spawning Windows Shell\nid: 03cc0c25-389f-4bf8-b48d-11878079f1ca\nstatus: experimental\ndescription: Detects a Windows command line executable started from MSHTA.\nreferences:\n- https://www.trustedsec.com/july-2015/malicious-htas/\nauthor: Michael Haag\ndate: 2019/01/16\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n ParentImage: \'*\\mshta.exe\'\n Image:\n - \'*\\cmd.exe\'\n - \'*\\powershell.exe\'\n - \'*\\wscript.exe\'\n - \'*\\cscript.exe\'\n - \'*\\sh.exe\'\n - \'*\\bash.exe\'\n - \'*\\reg.exe\'\n - \'*\\regsvr32.exe\'\n - \'*\\BITSADMIN*\'\n condition: selection\nfields:\n- CommandLine\n- ParentCommandLine\ntags:\n- attack.defense_evasion\n- attack.execution\n- attack.t1170\n- car.2013-02-003\n- car.2013-03-001\n- car.2014-04-003\nfalsepositives:\n- Printer software / driver installations\n- HP software\nlevel: high\n\n
\n}}'),(8543,'Issue',473,15,'T1170'),(8544,'Issue',474,1,'Quick Execution of a Series of Suspicious Commands'),(8545,'Issue',474,2,'juju4'),(8546,'Issue',474,8,'https://car.mitre.org/wiki/CAR-2013-04-002'),(8547,'Issue',474,10,'low'),(8548,'Issue',474,13,'community'),(8549,'Issue',474,14,'windows'),(8550,'Issue',474,15,''),(8551,'Issue',474,11,'9a5d32ef1'),(8552,'Issue',474,12,'61ab5496-748e-4818-a92f-de78e20fe7f1'),(8553,'Issue',474,16,'win-proc'),(8554,'Issue',474,17,''),(8555,'Issue',474,7,''),(8556,'Issue',474,3,'Detects multiple suspicious process in a limited timeframe'),(8557,'Issue',474,4,''),(8558,'Issue',474,5,'_False Positives_\nFalse positives depend on scripts and administrative tools used in the monitored environment'),(8559,'Issue',474,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line:(\"arp.exe\" OR \"at.exe\" OR \"attrib.exe\" OR \"cscript.exe\" OR \"dsquery.exe\" OR \"hostname.exe\" OR \"ipconfig.exe\" OR \"mimikatz.exe\" OR \"nbtstat.exe\" OR \"net.exe\" OR \"netsh.exe\" OR \"nslookup.exe\" OR \"ping.exe\" OR \"quser.exe\" OR \"qwinsta.exe\" OR \"reg.exe\" OR \"runas.exe\" OR \"sc.exe\" OR \"schtasks.exe\" OR \"ssh.exe\" OR \"systeminfo.exe\" OR \"taskkill.exe\" OR \"telnet.exe\" OR \"tracert.exe\" OR \"wscript.exe\" OR \"xcopy.exe\" OR \"pscp.exe\" OR \"copy.exe\" OR \"robocopy.exe\" OR \"certutil.exe\" OR \"vssadmin.exe\" OR \"powershell.exe\" OR \"wevtutil.exe\" OR \"psexec.exe\" OR \"bcedit.exe\" OR \"wbadmin.exe\" OR \"icacls.exe\" OR \"diskpart.exe\"))\nindex: so-*\nmax_threshold: 5\nmetric_agg_key: _id\nmetric_agg_type: cardinality\nname: Quick Execution of a Series of Suspicious Commands\npriority: 4\nquery_key: MachineName.keyword\nrealert:\n minutes: 0\ntype: metric_aggregation\n
\n}}'),(8560,'Issue',474,9,'{{collapse(View Sigma)\n\n\ntitle: Quick Execution of a Series of Suspicious Commands\nid: 61ab5496-748e-4818-a92f-de78e20fe7f1\ndescription: Detects multiple suspicious process in a limited timeframe\nstatus: experimental\nreferences:\n- https://car.mitre.org/wiki/CAR-2013-04-002\nauthor: juju4\ndate: 2019/01/16\ntags:\n- car.2013-04-002\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n CommandLine:\n - arp.exe\n - at.exe\n - attrib.exe\n - cscript.exe\n - dsquery.exe\n - hostname.exe\n - ipconfig.exe\n - mimikatz.exe\n - nbtstat.exe\n - net.exe\n - netsh.exe\n - nslookup.exe\n - ping.exe\n - quser.exe\n - qwinsta.exe\n - reg.exe\n - runas.exe\n - sc.exe\n - schtasks.exe\n - ssh.exe\n - systeminfo.exe\n - taskkill.exe\n - telnet.exe\n - tracert.exe\n - wscript.exe\n - xcopy.exe\n - pscp.exe\n - copy.exe\n - robocopy.exe\n - certutil.exe\n - vssadmin.exe\n - powershell.exe\n - wevtutil.exe\n - psexec.exe\n - bcedit.exe\n - wbadmin.exe\n - icacls.exe\n - diskpart.exe\n timeframe: 5m\n condition: selection | count() by MachineName > 5\nfalsepositives:\n- False positives depend on scripts and administrative tools used in the monitored\n environment\nlevel: low\n\n
\n}}'),(8561,'Issue',475,1,'Windows Network Enumeration'),(8562,'Issue',475,2,'Endgame, JHasenbusch (ported for oscd.community)'),(8563,'Issue',475,8,'https://eqllib.readthedocs.io/en/latest/analytics/b8a94d2f-dc75-4630-9d73-1edc6bd26fff.html\nhttps://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1018/T1018.yaml'),(8564,'Issue',475,10,'low'),(8565,'Issue',475,13,'community'),(8566,'Issue',475,14,'windows'),(8568,'Issue',475,11,'bbe12b620'),(8569,'Issue',475,12,'62510e69-616b-4078-b371-847da438cc03'),(8570,'Issue',475,16,'win-proc'),(8571,'Issue',475,17,''),(8572,'Issue',475,7,''),(8573,'Issue',475,3,'Identifies attempts to enumerate hosts in a network using the built-in Windows net.exe tool.'),(8574,'Issue',475,4,''),(8575,'Issue',475,5,'_False Positives_\nLegitimate use of net.exe utility by legitimate user\n\n_Interesting Log Fields_\nComputerName\nUser\nCommandLine'),(8576,'Issue',475,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (process.executable.keyword:(*\\\\net.exe OR *\\\\net1.exe) AND process.command_line.keyword:*view*) AND (NOT (process.command_line.keyword:*\\\\*)))\nindex: so-*\nname: Windows Network Enumeration\npriority: 4\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(8577,'Issue',475,9,'{{collapse(View Sigma)\n\n\ntitle: Windows Network Enumeration\nid: 62510e69-616b-4078-b371-847da438cc03\nstatus: stable\ndescription: Identifies attempts to enumerate hosts in a network using the built-in\n Windows net.exe tool.\nreferences:\n- https://eqllib.readthedocs.io/en/latest/analytics/b8a94d2f-dc75-4630-9d73-1edc6bd26fff.html\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1018/T1018.yaml\nauthor: Endgame, JHasenbusch (ported for oscd.community)\ndate: 2018/10/30\nmodified: 2019/11/11\ntags:\n- attack.discovery\n- attack.t1018\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n Image|endswith:\n - \\net.exe\n - \\net1.exe\n CommandLine|contains: view\n filter:\n CommandLine|contains: \\\\\n condition: selection and not filter\nfields:\n- ComputerName\n- User\n- CommandLine\nfalsepositives:\n- Legitimate use of net.exe utility by legitimate user\nlevel: low\n\n
\n}}'),(8578,'Issue',475,15,'T1018'),(8579,'Issue',476,1,'Net.exe User Account Creation'),(8580,'Issue',476,2,'Endgame, JHasenbusch (adapted to sigma for oscd.community)'),(8581,'Issue',476,8,'https://eqllib.readthedocs.io/en/latest/analytics/014c3f51-89c6-40f1-ac9c-5688f26090ab.html\nhttps://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136/T1136.yaml'),(8582,'Issue',476,10,'medium'),(8583,'Issue',476,13,'community'),(8584,'Issue',476,14,'windows'),(8586,'Issue',476,11,'c9bfceef1'),(8587,'Issue',476,12,'cd219ff3-fa99-45d4-8380-a7d15116c6dc'),(8588,'Issue',476,16,'win-proc'),(8589,'Issue',476,17,''),(8590,'Issue',476,7,''),(8591,'Issue',476,3,'Identifies creation of local users via the net.exe command'),(8592,'Issue',476,4,''),(8593,'Issue',476,5,'_False Positives_\nLegit user creation\nBetter use event ids for user creation rather than command line rules\n\n_Interesting Log Fields_\nComputerName\nUser\nCommandLine'),(8594,'Issue',476,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:(*\\\\net.exe OR *\\\\net1.exe) AND process.command_line.keyword:*user* AND process.command_line.keyword:*add*)\nindex: so-*\nname: Net.exe User Account Creation\npriority: 3\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(8595,'Issue',476,9,'{{collapse(View Sigma)\n\n\ntitle: Net.exe User Account Creation\nid: cd219ff3-fa99-45d4-8380-a7d15116c6dc\nstatus: experimental\ndescription: Identifies creation of local users via the net.exe command\nreferences:\n- https://eqllib.readthedocs.io/en/latest/analytics/014c3f51-89c6-40f1-ac9c-5688f26090ab.html\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136/T1136.yaml\nauthor: Endgame, JHasenbusch (adapted to sigma for oscd.community)\ndate: 2018/10/30\nmodified: 2019/11/11\ntags:\n- attack.persistence\n- attack.credential_access\n- attack.t1136\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n Image|endswith:\n - \\net.exe\n - \\net1.exe\n CommandLine|contains|all:\n - user\n - add\n condition: selection\nfields:\n- ComputerName\n- User\n- CommandLine\nfalsepositives:\n- Legit user creation\n- Better use event ids for user creation rather than command line rules\nlevel: medium\n\n
\n}}'),(8596,'Issue',476,15,'T1136'),(8597,'Issue',477,1,'Netsh'),(8598,'Issue',477,2,'Markus Neis'),(8599,'Issue',477,8,'https://attack.mitre.org/software/S0246/ (Lazarus HARDRAIN)\nhttps://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-RAT-and-Staging-Report.pdf'),(8600,'Issue',477,10,'medium'),(8601,'Issue',477,13,'community'),(8602,'Issue',477,14,'windows'),(8604,'Issue',477,11,'bdbaabb5e'),(8605,'Issue',477,12,'cd5cfd80-aa5f-44c0-9c20-108c4ae12e3c'),(8606,'Issue',477,16,'win-proc'),(8607,'Issue',477,17,''),(8608,'Issue',477,7,''),(8609,'Issue',477,3,'Allow Incoming Connections by Port or Application on Windows Firewall'),(8610,'Issue',477,4,''),(8611,'Issue',477,5,'_False Positives_\nLegitimate administration'),(8612,'Issue',477,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(*netsh\\ firewall\\ add*))\nindex: so-*\nname: Netsh\npriority: 3\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(8613,'Issue',477,9,'{{collapse(View Sigma)\n\n\ntitle: Netsh\nid: cd5cfd80-aa5f-44c0-9c20-108c4ae12e3c\ndescription: Allow Incoming Connections by Port or Application on Windows Firewall\nreferences:\n- https://attack.mitre.org/software/S0246/ (Lazarus HARDRAIN)\n- https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-RAT-and-Staging-Report.pdf\ndate: 2019/01/29\ntags:\n- attack.lateral_movement\n- attack.command_and_control\n- attack.t1090\nstatus: experimental\nauthor: Markus Neis\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n CommandLine:\n - \'*netsh firewall add*\'\n condition: selection\nfalsepositives:\n- Legitimate administration\nlevel: medium\n\n
\n}}'),(8614,'Issue',477,15,'T1090'),(8615,'Issue',478,1,'Capture a Network Trace with netsh.exe'),(8616,'Issue',478,2,'Kutepov Anton, oscd.community'),(8617,'Issue',478,8,'https://blogs.msdn.microsoft.com/canberrapfe/2012/03/30/capture-a-network-trace-without-installing-anything-capture-a-network-trace-of-a-reboot/'),(8618,'Issue',478,10,'medium'),(8619,'Issue',478,13,'community'),(8620,'Issue',478,14,'windows'),(8622,'Issue',478,11,'0b2f94184'),(8623,'Issue',478,12,'d3c3861d-c504-4c77-ba55-224ba82d0118'),(8624,'Issue',478,16,'win-proc'),(8625,'Issue',478,17,''),(8626,'Issue',478,7,''),(8627,'Issue',478,3,'Detects capture a network trace via netsh.exe trace functionality'),(8628,'Issue',478,4,''),(8629,'Issue',478,5,'_False Positives_\nLegitimate administrator or user uses netsh.exe trace functionality for legitimate reason'),(8630,'Issue',478,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:*netsh* AND process.command_line.keyword:*trace* AND process.command_line.keyword:*start*)\nindex: so-*\nname: Capture a Network Trace with netsh.exe\npriority: 3\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(8631,'Issue',478,9,'{{collapse(View Sigma)\n\n\ntitle: Capture a Network Trace with netsh.exe\nid: d3c3861d-c504-4c77-ba55-224ba82d0118\nstatus: experimental\ndescription: Detects capture a network trace via netsh.exe trace functionality\nreferences:\n- https://blogs.msdn.microsoft.com/canberrapfe/2012/03/30/capture-a-network-trace-without-installing-anything-capture-a-network-trace-of-a-reboot/\nauthor: Kutepov Anton, oscd.community\ndate: 2019/10/24\ntags:\n- attack.discovery\n- attack.t1040\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n CommandLine|contains|all:\n - netsh\n - trace\n - start\n condition: selection\nfalsepositives:\n- Legitimate administrator or user uses netsh.exe trace functionality for legitimate\n reason\nlevel: medium\n\n
\n}}'),(8632,'Issue',478,15,'T1040'),(8633,'Issue',479,1,'Netsh Port Forwarding'),(8634,'Issue',479,2,'Florian Roth'),(8635,'Issue',479,8,'https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html'),(8636,'Issue',479,10,'medium'),(8637,'Issue',479,13,'community'),(8638,'Issue',479,14,'windows'),(8640,'Issue',479,11,'6c81001f0'),(8641,'Issue',479,12,'322ed9ec-fcab-4f67-9a34-e7c6aef43614'),(8642,'Issue',479,16,'win-proc'),(8643,'Issue',479,17,''),(8644,'Issue',479,7,''),(8645,'Issue',479,3,'Detects netsh commands that configure a port forwarding'),(8646,'Issue',479,4,''),(8647,'Issue',479,5,'_False Positives_\nLegitimate administration'),(8648,'Issue',479,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(netsh\\ interface\\ portproxy\\ add\\ v4tov4\\ *))\nindex: so-*\nname: Netsh Port Forwarding\npriority: 3\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(8649,'Issue',479,9,'{{collapse(View Sigma)\n\n\ntitle: Netsh Port Forwarding\nid: 322ed9ec-fcab-4f67-9a34-e7c6aef43614\ndescription: Detects netsh commands that configure a port forwarding\nreferences:\n- https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html\ndate: 2019/01/29\ntags:\n- attack.lateral_movement\n- attack.command_and_control\n- attack.t1090\nstatus: experimental\nauthor: Florian Roth\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n CommandLine:\n - netsh interface portproxy add v4tov4 *\n condition: selection\nfalsepositives:\n- Legitimate administration\nlevel: medium\n\n
\n}}'),(8650,'Issue',479,15,'T1090'),(8651,'Issue',480,1,'Netsh RDP Port Forwarding'),(8652,'Issue',480,2,'Florian Roth'),(8653,'Issue',480,8,'https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html'),(8654,'Issue',480,10,'high'),(8655,'Issue',480,13,'community'),(8656,'Issue',480,14,'windows'),(8658,'Issue',480,11,'e26d39913'),(8659,'Issue',480,12,'782d6f3e-4c5d-4b8c-92a3-1d05fed72e63'),(8660,'Issue',480,16,'win-proc'),(8661,'Issue',480,17,''),(8662,'Issue',480,7,''),(8663,'Issue',480,3,'Detects netsh commands that configure a port forwarding of port 3389 used for RDP'),(8664,'Issue',480,4,''),(8665,'Issue',480,5,'_False Positives_\nLegitimate administration'),(8666,'Issue',480,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(netsh\\ i*\\ p*\\=3389\\ c*))\nindex: so-*\nname: Netsh RDP Port Forwarding\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(8667,'Issue',480,9,'{{collapse(View Sigma)\n\n\ntitle: Netsh RDP Port Forwarding\nid: 782d6f3e-4c5d-4b8c-92a3-1d05fed72e63\ndescription: Detects netsh commands that configure a port forwarding of port 3389\n used for RDP\nreferences:\n- https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html\ndate: 2019/01/29\ntags:\n- attack.lateral_movement\n- attack.t1021\n- car.2013-07-002\nstatus: experimental\nauthor: Florian Roth\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n CommandLine:\n - netsh i* p*=3389 c*\n condition: selection\nfalsepositives:\n- Legitimate administration\nlevel: high\n\n
\n}}'),(8668,'Issue',480,15,'T1021'),(8669,'Issue',481,1,'Network Sniffing'),(8670,'Issue',481,2,'Timur Zinniatullin, oscd.community'),(8671,'Issue',481,8,'https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.yaml'),(8672,'Issue',481,10,'low'),(8673,'Issue',481,13,'community'),(8674,'Issue',481,14,'windows'),(8676,'Issue',481,11,'94c26afa0'),(8677,'Issue',481,12,'ba1f7802-adc7-48b4-9ecb-81e227fddfd5'),(8678,'Issue',481,16,'win-proc'),(8679,'Issue',481,17,''),(8680,'Issue',481,7,''),(8681,'Issue',481,3,'Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.'),(8682,'Issue',481,4,''),(8683,'Issue',481,5,'_False Positives_\nAdmin activity\n\n_Interesting Log Fields_\nImage\nCommandLine\nUser\nLogonGuid\nHashes\nParentProcessGuid\nParentCommandLine'),(8684,'Issue',481,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND ((process.executable.keyword:*\\\\tshark.exe AND process.command_line.keyword:*\\-i*) OR process.executable.keyword:*\\\\windump.exe))\nindex: so-*\nname: Network Sniffing\npriority: 4\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(8685,'Issue',481,9,'{{collapse(View Sigma)\n\n\ntitle: Network Sniffing\nid: ba1f7802-adc7-48b4-9ecb-81e227fddfd5\nstatus: experimental\ndescription: Network sniffing refers to using the network interface on a system to\n monitor or capture information sent over a wired or wireless connection. An adversary\n may place a network interface into promiscuous mode to passively access data in\n transit over the network, or use span ports to capture a larger amount of data.\nauthor: Timur Zinniatullin, oscd.community\ndate: 2019/10/21\nmodified: 2019/11/04\nreferences:\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.yaml\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n - Image|endswith: \\tshark.exe\n CommandLine|contains: -i\n - Image|endswith: \\windump.exe\n condition: selection\nfalsepositives:\n- Admin activity\nfields:\n- Image\n- CommandLine\n- User\n- LogonGuid\n- Hashes\n- ParentProcessGuid\n- ParentCommandLine\nlevel: low\ntags:\n- attack.credential_access\n- attack.discovery\n- attack.t1040\n\n
\n}}'),(8686,'Issue',481,15,'T1040'),(8687,'Issue',482,1,'New Service Creation'),(8688,'Issue',482,2,'Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community'),(8689,'Issue',482,8,'https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1050/T1050.yaml'),(8690,'Issue',482,10,'low'),(8691,'Issue',482,13,'community'),(8692,'Issue',482,14,'windows'),(8694,'Issue',482,11,'6d821e19d'),(8695,'Issue',482,12,'7fe71fc9-de3b-432a-8d57-8c809efc10ab'),(8696,'Issue',482,16,'win-proc'),(8697,'Issue',482,17,''),(8698,'Issue',482,7,''),(8699,'Issue',482,3,'Detects creation if a new service'),(8700,'Issue',482,4,''),(8701,'Issue',482,5,'_False Positives_\nLegitimate administrator or user creates a service for legitimate reason'),(8702,'Issue',482,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND ((process.executable.keyword:*\\\\sc.exe AND process.command_line.keyword:*create* AND process.command_line.keyword:*binpath*) OR (process.executable.keyword:*\\\\powershell.exe AND process.command_line.keyword:*new\\-service*)))\nindex: so-*\nname: New Service Creation\npriority: 4\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(8703,'Issue',482,9,'{{collapse(View Sigma)\n\n\ntitle: New Service Creation\nid: 7fe71fc9-de3b-432a-8d57-8c809efc10ab\nstatus: experimental\ndescription: Detects creation if a new service\nauthor: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community\ndate: 2019/10/21\nmodified: 2019/11/04\ntags:\n- attack.persistence\n- attack.privilege_escalation\n- attack.t1050\nreferences:\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1050/T1050.yaml\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n - Image|endswith: \\sc.exe\n CommandLine|contains|all:\n - create\n - binpath\n - Image|endswith: \\powershell.exe\n CommandLine|contains: new-service\n condition: selection\nfalsepositives:\n- Legitimate administrator or user creates a service for legitimate reason\nlevel: low\n\n
\n}}'),(8704,'Issue',482,15,'T1050'),(8705,'Issue',483,1,'Non Interactive PowerShell'),(8706,'Issue',483,2,'Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements)'),(8707,'Issue',483,8,'https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/basic_powershell_execution.md'),(8708,'Issue',483,10,'medium'),(8709,'Issue',483,13,'community'),(8710,'Issue',483,14,'windows'),(8712,'Issue',483,11,'1e5e14278'),(8713,'Issue',483,12,'f4bbd493-b796-416e-bbf2-121235348529'),(8714,'Issue',483,16,'win-proc'),(8715,'Issue',483,17,''),(8716,'Issue',483,7,''),(8717,'Issue',483,3,'Detects non-interactive PowerShell activity by looking at powershell.exe with not explorer.exe as a parent.'),(8718,'Issue',483,4,''),(8719,'Issue',483,5,'_False Positives_\nLegitimate programs executing PowerShell scripts'),(8720,'Issue',483,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\powershell.exe AND (NOT (process.parent.executable.keyword:*\\\\explorer.exe)))\nindex: so-*\nname: Non Interactive PowerShell\npriority: 3\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(8721,'Issue',483,9,'{{collapse(View Sigma)\n\n\ntitle: Non Interactive PowerShell\nid: f4bbd493-b796-416e-bbf2-121235348529\ndescription: Detects non-interactive PowerShell activity by looking at powershell.exe\n with not explorer.exe as a parent.\nstatus: experimental\ndate: 2019/09/12\nmodified: 2019/11/10\nauthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements)\nreferences:\n- https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/basic_powershell_execution.md\ntags:\n- attack.execution\n- attack.t1086\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n Image|endswith: \\powershell.exe\n filter:\n ParentImage|endswith: \\explorer.exe\n condition: selection and not filter\nfalsepositives:\n- Legitimate programs executing PowerShell scripts\nlevel: medium\n\n
\n}}'),(8722,'Issue',483,15,'T1086'),(8723,'Issue',484,1,'Microsoft Office Product Spawning Windows Shell'),(8724,'Issue',484,2,'Michael Haag, Florian Roth, Markus Neis'),(8725,'Issue',484,8,'https://www.hybrid-analysis.com/sample/465aabe132ccb949e75b8ab9c5bda36d80cf2fd503d52b8bad54e295f28bbc21?environmentId=100\nhttps://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html'),(8726,'Issue',484,10,'high'),(8727,'Issue',484,13,'community'),(8728,'Issue',484,14,'windows'),(8730,'Issue',484,11,'6393d359f'),(8731,'Issue',484,12,'438025f9-5856-4663-83f7-52f878a70a50'),(8732,'Issue',484,16,'win-proc'),(8733,'Issue',484,17,''),(8734,'Issue',484,7,''),(8735,'Issue',484,3,'Detects a Windows command line executable started from Microsoft Word, Excel, Powerpoint, Publisher and Visio.'),(8736,'Issue',484,4,''),(8737,'Issue',484,5,'_False Positives_\nunknown\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(8738,'Issue',484,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.parent.executable.keyword:(*\\\\WINWORD.EXE OR *\\\\EXCEL.EXE OR *\\\\POWERPNT.exe OR *\\\\MSPUB.exe OR *\\\\VISIO.exe OR *\\\\OUTLOOK.EXE) AND process.executable.keyword:(*\\\\cmd.exe OR *\\\\powershell.exe OR *\\\\wscript.exe OR *\\\\cscript.exe OR *\\\\sh.exe OR *\\\\bash.exe OR *\\\\scrcons.exe OR *\\\\schtasks.exe OR *\\\\regsvr32.exe OR *\\\\hh.exe OR *\\\\wmic.exe OR *\\\\mshta.exe OR *\\\\rundll32.exe OR *\\\\msiexec.exe OR *\\\\forfiles.exe OR *\\\\scriptrunner.exe OR *\\\\mftrace.exe OR *\\\\AppVLP.exe OR *\\\\svchost.exe))\nindex: so-*\nname: Microsoft Office Product Spawning Windows Shell\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(8739,'Issue',484,9,'{{collapse(View Sigma)\n\n\ntitle: Microsoft Office Product Spawning Windows Shell\nid: 438025f9-5856-4663-83f7-52f878a70a50\nstatus: experimental\ndescription: Detects a Windows command line executable started from Microsoft Word,\n Excel, Powerpoint, Publisher and Visio.\nreferences:\n- https://www.hybrid-analysis.com/sample/465aabe132ccb949e75b8ab9c5bda36d80cf2fd503d52b8bad54e295f28bbc21?environmentId=100\n- https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html\ntags:\n- attack.execution\n- attack.defense_evasion\n- attack.t1059\n- attack.t1202\n- car.2013-02-003\n- car.2014-04-003\nauthor: Michael Haag, Florian Roth, Markus Neis\ndate: 2018/04/06\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n ParentImage:\n - \'*\\WINWORD.EXE\'\n - \'*\\EXCEL.EXE\'\n - \'*\\POWERPNT.exe\'\n - \'*\\MSPUB.exe\'\n - \'*\\VISIO.exe\'\n - \'*\\OUTLOOK.EXE\'\n Image:\n - \'*\\cmd.exe\'\n - \'*\\powershell.exe\'\n - \'*\\wscript.exe\'\n - \'*\\cscript.exe\'\n - \'*\\sh.exe\'\n - \'*\\bash.exe\'\n - \'*\\scrcons.exe\'\n - \'*\\schtasks.exe\'\n - \'*\\regsvr32.exe\'\n - \'*\\hh.exe\'\n - \'*\\wmic.exe\'\n - \'*\\mshta.exe\'\n - \'*\\rundll32.exe\'\n - \'*\\msiexec.exe\'\n - \'*\\forfiles.exe\'\n - \'*\\scriptrunner.exe\'\n - \'*\\mftrace.exe\'\n - \'*\\AppVLP.exe\'\n - \'*\\svchost.exe\'\n condition: selection\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- unknown\nlevel: high\n\n
\n}}'),(8740,'Issue',484,15,'T1059'),(8741,'Issue',484,15,'T1202'),(8742,'Issue',485,1,'MS Office Product Spawning Exe in User Dir'),(8743,'Issue',485,2,'Jason Lynch'),(8744,'Issue',485,8,'sha256=23160972c6ae07f740800fa28e421a81d7c0ca5d5cab95bc082b4a986fbac57c\nhttps://blog.morphisec.com/fin7-not-finished-morphisec-spots-new-campaign'),(8745,'Issue',485,10,'high'),(8746,'Issue',485,13,'community'),(8747,'Issue',485,14,'windows'),(8749,'Issue',485,11,'73473d045'),(8750,'Issue',485,12,'aa3a6f94-890e-4e22-b634-ffdfd54792cc'),(8751,'Issue',485,16,'win-proc'),(8752,'Issue',485,17,''),(8753,'Issue',485,7,''),(8754,'Issue',485,3,'Detects an executable in the users directory started from Microsoft Word, Excel, Powerpoint, Publisher or Visio'),(8755,'Issue',485,4,''),(8756,'Issue',485,5,'_False Positives_\nunknown\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(8757,'Issue',485,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.parent.executable.keyword:(*\\\\WINWORD.EXE OR *\\\\EXCEL.EXE OR *\\\\POWERPNT.exe OR *\\\\MSPUB.exe OR *\\\\VISIO.exe OR *\\\\OUTLOOK.EXE) AND process.executable.keyword:(C\\:\\\\users\\\\*.exe))\nindex: so-*\nname: MS Office Product Spawning Exe in User Dir\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(8758,'Issue',485,9,'{{collapse(View Sigma)\n\n\ntitle: MS Office Product Spawning Exe in User Dir\nid: aa3a6f94-890e-4e22-b634-ffdfd54792cc\nstatus: experimental\ndescription: Detects an executable in the users directory started from Microsoft Word,\n Excel, Powerpoint, Publisher or Visio\nreferences:\n- sha256=23160972c6ae07f740800fa28e421a81d7c0ca5d5cab95bc082b4a986fbac57c\n- https://blog.morphisec.com/fin7-not-finished-morphisec-spots-new-campaign\ntags:\n- attack.execution\n- attack.defense_evasion\n- attack.t1059\n- attack.t1202\n- FIN7\n- car.2013-05-002\nauthor: Jason Lynch\ndate: 2019/04/02\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n ParentImage:\n - \'*\\WINWORD.EXE\'\n - \'*\\EXCEL.EXE\'\n - \'*\\POWERPNT.exe\'\n - \'*\\MSPUB.exe\'\n - \'*\\VISIO.exe\'\n - \'*\\OUTLOOK.EXE\'\n Image:\n - C:\\users\\\\*.exe\n condition: selection\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- unknown\nlevel: high\n\n
\n}}'),(8759,'Issue',485,15,'T1059'),(8760,'Issue',485,15,'T1202'),(8761,'Issue',486,1,'Executable Used by PlugX in Uncommon Location'),(8762,'Issue',486,2,'Florian Roth'),(8763,'Issue',486,8,'http://www.hexacorn.com/blog/2016/03/10/beyond-good-ol-run-key-part-36/\nhttps://countuponsecurity.com/2017/06/07/threat-hunting-in-the-enterprise-with-appcompatprocessor/'),(8764,'Issue',486,10,'high'),(8765,'Issue',486,13,'community'),(8766,'Issue',486,14,'windows'),(8768,'Issue',486,11,'7c4ef5068'),(8769,'Issue',486,12,'aeab5ec5-be14-471a-80e8-e344418305c2'),(8770,'Issue',486,16,'win-proc'),(8771,'Issue',486,17,''),(8772,'Issue',486,7,''),(8773,'Issue',486,3,'Detects the execution of an executable that is typically used by PlugX for DLL side loading started from an uncommon location'),(8774,'Issue',486,4,''),(8775,'Issue',486,5,'_False Positives_\nUnknown\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(8776,'Issue',486,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND ((((((((((((process.executable.keyword:*\\\\CamMute.exe AND (NOT (process.executable.keyword:*\\\\Lenovo\\\\Communication\\ Utility\\\\*))) OR (process.executable.keyword:*\\\\chrome_frame_helper.exe AND (NOT (process.executable.keyword:*\\\\Google\\\\Chrome\\\\application\\\\*)))) OR (process.executable.keyword:*\\\\dvcemumanager.exe AND (NOT (process.executable.keyword:*\\\\Microsoft\\ Device\\ Emulator\\\\*)))) OR (process.executable.keyword:*\\\\Gadget.exe AND (NOT (process.executable.keyword:*\\\\Windows\\ Media\\ Player\\\\*)))) OR (process.executable.keyword:*\\\\hcc.exe AND (NOT (process.executable.keyword:*\\\\HTML\\ Help\\ Workshop\\\\*)))) OR (process.executable.keyword:*\\\\hkcmd.exe AND (NOT (process.executable.keyword:(*\\\\System32\\\\* OR *\\\\SysNative\\\\* OR *\\\\SysWowo64\\\\*))))) OR (process.executable.keyword:*\\\\Mc.exe AND (NOT (process.executable.keyword:(*\\\\Microsoft\\ Visual\\ Studio* OR *\\\\Microsoft\\ SDK* OR *\\\\Windows\\ Kit*))))) OR (process.executable.keyword:*\\\\MsMpEng.exe AND (NOT (process.executable.keyword:(*\\\\Microsoft\\ Security\\ Client\\\\* OR *\\\\Windows\\ Defender\\\\* OR *\\\\AntiMalware\\\\*))))) OR (process.executable.keyword:*\\\\msseces.exe AND (NOT (process.executable.keyword:(*\\\\Microsoft\\ Security\\ Center\\\\* OR *\\\\Microsoft\\ Security\\ Client\\\\* OR *\\\\Microsoft\\ Security\\ Essentials\\\\*))))) OR (process.executable.keyword:*\\\\OInfoP11.exe AND (NOT (process.executable.keyword:*\\\\Common\\ Files\\\\Microsoft\\ Shared\\\\*)))) OR (process.executable.keyword:*\\\\OleView.exe AND (NOT (process.executable.keyword:(*\\\\Microsoft\\ Visual\\ Studio* OR *\\\\Microsoft\\ SDK* OR *\\\\Windows\\ Kit* OR *\\\\Windows\\ Resource\\ Kit\\\\*))))) OR (process.executable.keyword:*\\\\rc.exe AND (NOT (process.executable.keyword:(*\\\\Microsoft\\ Visual\\ Studio* OR *\\\\Microsoft\\ SDK* OR *\\\\Windows\\ Kit* OR *\\\\Windows\\ Resource\\ Kit\\\\* OR *\\\\Microsoft.NET\\\\*))))))\nindex: so-*\nname: Executable Used by PlugX in Uncommon Location\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(8777,'Issue',486,9,'{{collapse(View Sigma)\n\n\ntitle: Executable Used by PlugX in Uncommon Location\nid: aeab5ec5-be14-471a-80e8-e344418305c2\nstatus: experimental\ndescription: Detects the execution of an executable that is typically used by PlugX\n for DLL side loading started from an uncommon location\nreferences:\n- http://www.hexacorn.com/blog/2016/03/10/beyond-good-ol-run-key-part-36/\n- https://countuponsecurity.com/2017/06/07/threat-hunting-in-the-enterprise-with-appcompatprocessor/\nauthor: Florian Roth\ndate: 2017/06/12\ntags:\n- attack.s0013\n- attack.defense_evasion\n- attack.t1073\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_cammute:\n Image: \'*\\CamMute.exe\'\n filter_cammute:\n Image: \'*\\Lenovo\\Communication Utility\\\\*\'\n selection_chrome_frame:\n Image: \'*\\chrome_frame_helper.exe\'\n filter_chrome_frame:\n Image: \'*\\Google\\Chrome\\application\\\\*\'\n selection_devemu:\n Image: \'*\\dvcemumanager.exe\'\n filter_devemu:\n Image: \'*\\Microsoft Device Emulator\\\\*\'\n selection_gadget:\n Image: \'*\\Gadget.exe\'\n filter_gadget:\n Image: \'*\\Windows Media Player\\\\*\'\n selection_hcc:\n Image: \'*\\hcc.exe\'\n filter_hcc:\n Image: \'*\\HTML Help Workshop\\\\*\'\n selection_hkcmd:\n Image: \'*\\hkcmd.exe\'\n filter_hkcmd:\n Image:\n - \'*\\System32\\\\*\'\n - \'*\\SysNative\\\\*\'\n - \'*\\SysWowo64\\\\*\'\n selection_mc:\n Image: \'*\\Mc.exe\'\n filter_mc:\n Image:\n - \'*\\Microsoft Visual Studio*\'\n - \'*\\Microsoft SDK*\'\n - \'*\\Windows Kit*\'\n selection_msmpeng:\n Image: \'*\\MsMpEng.exe\'\n filter_msmpeng:\n Image:\n - \'*\\Microsoft Security Client\\\\*\'\n - \'*\\Windows Defender\\\\*\'\n - \'*\\AntiMalware\\\\*\'\n selection_msseces:\n Image: \'*\\msseces.exe\'\n filter_msseces:\n Image:\n - \'*\\Microsoft Security Center\\\\*\'\n - \'*\\Microsoft Security Client\\\\*\'\n - \'*\\Microsoft Security Essentials\\\\*\'\n selection_oinfo:\n Image: \'*\\OInfoP11.exe\'\n filter_oinfo:\n Image: \'*\\Common Files\\Microsoft Shared\\\\*\'\n selection_oleview:\n Image: \'*\\OleView.exe\'\n filter_oleview:\n Image:\n - \'*\\Microsoft Visual Studio*\'\n - \'*\\Microsoft SDK*\'\n - \'*\\Windows Kit*\'\n - \'*\\Windows Resource Kit\\\\*\'\n selection_rc:\n Image: \'*\\rc.exe\'\n filter_rc:\n Image:\n - \'*\\Microsoft Visual Studio*\'\n - \'*\\Microsoft SDK*\'\n - \'*\\Windows Kit*\'\n - \'*\\Windows Resource Kit\\\\*\'\n - \'*\\Microsoft.NET\\\\*\'\n condition: ( selection_cammute and not filter_cammute ) or ( selection_chrome_frame\n and not filter_chrome_frame ) or ( selection_devemu and not filter_devemu ) or\n ( selection_gadget and not filter_gadget ) or ( selection_hcc and not filter_hcc\n ) or ( selection_hkcmd and not filter_hkcmd ) or ( selection_mc and not filter_mc\n ) or ( selection_msmpeng and not filter_msmpeng ) or ( selection_msseces and not\n filter_msseces ) or ( selection_oinfo and not filter_oinfo ) or ( selection_oleview\n and not filter_oleview ) or ( selection_rc and not filter_rc )\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(8778,'Issue',486,15,'T1073'),(8779,'Issue',487,1,'Possible Applocker Bypass'),(8780,'Issue',487,2,'juju4'),(8781,'Issue',487,8,'https://github.com/subTee/ApplicationWhitelistBypassTechniques/blob/master/TheList.txt\nhttps://room362.com/post/2014/2014-01-16-application-whitelist-bypass-using-ieexec-dot-exe/'),(8782,'Issue',487,10,'low'),(8783,'Issue',487,13,'community'),(8784,'Issue',487,14,'windows'),(8786,'Issue',487,11,'d4a0bad42'),(8787,'Issue',487,12,'82a19e3a-2bfe-4a91-8c0d-5d4c98fbb719'),(8788,'Issue',487,16,'win-proc'),(8789,'Issue',487,17,''),(8790,'Issue',487,7,''),(8791,'Issue',487,3,'Detects execution of executables that can be used to bypass Applocker whitelisting'),(8792,'Issue',487,4,''),(8793,'Issue',487,5,'_False Positives_\nFalse positives depend on scripts and administrative tools used in the monitored environment\nUsing installutil to add features for .NET applications (primarly would occur in developer environments)'),(8794,'Issue',487,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(*\\\\msdt.exe* OR *\\\\installutil.exe* OR *\\\\regsvcs.exe* OR *\\\\regasm.exe* OR *\\\\msbuild.exe* OR *\\\\ieexec.exe*))\nindex: so-*\nname: Possible Applocker Bypass\npriority: 4\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(8795,'Issue',487,9,'{{collapse(View Sigma)\n\n\ntitle: Possible Applocker Bypass\nid: 82a19e3a-2bfe-4a91-8c0d-5d4c98fbb719\ndescription: Detects execution of executables that can be used to bypass Applocker\n whitelisting\nstatus: experimental\nreferences:\n- https://github.com/subTee/ApplicationWhitelistBypassTechniques/blob/master/TheList.txt\n- https://room362.com/post/2014/2014-01-16-application-whitelist-bypass-using-ieexec-dot-exe/\nauthor: juju4\ndate: 2019/01/16\ntags:\n- attack.defense_evasion\n- attack.t1118\n- attack.t1121\n- attack.t1127\n- attack.t1170\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n CommandLine|contains:\n - \\msdt.exe\n - \\installutil.exe\n - \\regsvcs.exe\n - \\regasm.exe\n - \\msbuild.exe\n - \\ieexec.exe\n condition: selection\nfalsepositives:\n- False positives depend on scripts and administrative tools used in the monitored\n environment\n- Using installutil to add features for .NET applications (primarly would occur in\n developer environments)\nlevel: low\n\n
\n}}'),(8796,'Issue',487,15,'T1118'),(8797,'Issue',487,15,'T1121'),(8798,'Issue',487,15,'T1127'),(8799,'Issue',487,15,'T1170'),(8800,'Issue',488,1,'Detection of Possible Rotten Potato'),(8801,'Issue',488,2,'Teymur Kheirkhabarov'),(8802,'Issue',488,8,'https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment\nhttps://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/'),(8803,'Issue',488,10,'high'),(8804,'Issue',488,13,'community'),(8805,'Issue',488,14,'windows'),(8807,'Issue',488,11,'c3d4efb18'),(8808,'Issue',488,12,'6c5808ee-85a2-4e56-8137-72e5876a5096'),(8809,'Issue',488,16,'win-proc'),(8810,'Issue',488,17,''),(8811,'Issue',488,7,''),(8812,'Issue',488,3,'Detection of child processes spawned with SYSTEM privileges by parents with LOCAL SERVICE or NETWORK SERVICE privileges'),(8813,'Issue',488,4,''),(8814,'Issue',488,5,'_False Positives_\nUnknown'),(8815,'Issue',488,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (ParentUser:(\"NT\\ AUTHORITY\\\\NETWORK\\ SERVICE\" OR \"NT\\ AUTHORITY\\\\LOCAL\\ SERVICE\") AND event_data.User:\"NT\\ AUTHORITY\\\\SYSTEM\") AND (NOT (process.executable.keyword:*\\\\rundll32.exe AND process.command_line.keyword:*DavSetCookie*)))\nindex: so-*\nname: Detection of Possible Rotten Potato\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(8816,'Issue',488,9,'{{collapse(View Sigma)\n\n\ntitle: Detection of Possible Rotten Potato\nid: 6c5808ee-85a2-4e56-8137-72e5876a5096\ndescription: Detection of child processes spawned with SYSTEM privileges by parents\n with LOCAL SERVICE or NETWORK SERVICE privileges\nreferences:\n- https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment\n- https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/\ntags:\n- attack.privilege_escalation\n- attack.t1134\nstatus: experimental\nauthor: Teymur Kheirkhabarov\ndate: 2019/10/26\nmodified: 2019/11/11\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n ParentUser:\n - NT AUTHORITY\\NETWORK SERVICE\n - NT AUTHORITY\\LOCAL SERVICE\n User: NT AUTHORITY\\SYSTEM\n rundllexception:\n Image|endswith: \\rundll32.exe\n CommandLine|contains: DavSetCookie\n condition: selection and not rundllexception\nfalsepositives:\n- Unknown\nlevel: high\nenrichment:\n- EN_0001_cache_sysmon_event_id_1_info\n- EN_0002_enrich_sysmon_event_id_1_with_parent_info\n\n
\n}}'),(8817,'Issue',488,15,'T1134'),(8818,'Issue',489,1,'Powershell AMSI Bypass via .NET Reflection'),(8819,'Issue',489,2,'Markus Neis'),(8820,'Issue',489,8,'https://twitter.com/mattifestation/status/735261176745988096\nhttps://www.hybrid-analysis.com/sample/0ced17419e01663a0cd836c9c2eb925e3031ffb5b18ccf35f4dea5d586d0203e?environmentId=120'),(8821,'Issue',489,10,'high'),(8822,'Issue',489,13,'community'),(8823,'Issue',489,14,'windows'),(8825,'Issue',489,11,'b5bdb996a'),(8826,'Issue',489,12,'30edb182-aa75-42c0-b0a9-e998bb29067c'),(8827,'Issue',489,16,'win-proc'),(8828,'Issue',489,17,''),(8829,'Issue',489,7,''),(8830,'Issue',489,3,'Detects Request to amsiInitFailed that can be used to disable AMSI Scanning'),(8831,'Issue',489,4,''),(8832,'Issue',489,5,'_False Positives_\nPotential Admin Activity'),(8833,'Issue',489,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(*System.Management.Automation.AmsiUtils*) AND process.command_line.keyword:(*amsiInitFailed*))\nindex: so-*\nname: Powershell AMSI Bypass via .NET Reflection\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(8834,'Issue',489,9,'{{collapse(View Sigma)\n\n\ntitle: Powershell AMSI Bypass via .NET Reflection\nid: 30edb182-aa75-42c0-b0a9-e998bb29067c\nstatus: experimental\ndescription: Detects Request to amsiInitFailed that can be used to disable AMSI Scanning\nreferences:\n- https://twitter.com/mattifestation/status/735261176745988096\n- https://www.hybrid-analysis.com/sample/0ced17419e01663a0cd836c9c2eb925e3031ffb5b18ccf35f4dea5d586d0203e?environmentId=120\ntags:\n- attack.execution\n- attack.defense_evasion\n- attack.t1086\nauthor: Markus Neis\ndate: 2018/08/17\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection1:\n CommandLine:\n - \'*System.Management.Automation.AmsiUtils*\'\n selection2:\n CommandLine:\n - \'*amsiInitFailed*\'\n condition: selection1 and selection2\nfalsepositives:\n- Potential Admin Activity\nlevel: high\n\n
\n}}'),(8835,'Issue',489,15,'T1086'),(8836,'Issue',490,1,'Audio Capture via PowerShell'),(8837,'Issue',490,2,'E.M. Anhaus (orignally from Atomic Blue Detections, Endgame), oscd.community'),(8838,'Issue',490,8,'https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1123/T1123.yaml\nhttps://eqllib.readthedocs.io/en/latest/analytics/ab7a6ef4-0983-4275-a4f1-5c6bd3c31c23.html'),(8839,'Issue',490,10,'medium'),(8840,'Issue',490,13,'community'),(8841,'Issue',490,14,'windows'),(8843,'Issue',490,11,'7f4dc80d2'),(8844,'Issue',490,12,'932fb0d8-692b-4b0f-a26e-5643a50fe7d6'),(8845,'Issue',490,16,'win-proc'),(8846,'Issue',490,17,''),(8847,'Issue',490,7,''),(8848,'Issue',490,3,'Detects audio capture via PowerShell Cmdlet'),(8849,'Issue',490,4,''),(8850,'Issue',490,5,'_False Positives_\nLegitimate audio capture by legitimate user'),(8851,'Issue',490,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:*WindowsAudioDevice\\-Powershell\\-Cmdlet*)\nindex: so-*\nname: Audio Capture via PowerShell\npriority: 3\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(8852,'Issue',490,9,'{{collapse(View Sigma)\n\n\ntitle: Audio Capture via PowerShell\nid: 932fb0d8-692b-4b0f-a26e-5643a50fe7d6\ndescription: Detects audio capture via PowerShell Cmdlet\nstatus: experimental\nauthor: E.M. Anhaus (orignally from Atomic Blue Detections, Endgame), oscd.community\ndate: 2019/10/24\nmodified: 2019/11/11\nreferences:\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1123/T1123.yaml\n- https://eqllib.readthedocs.io/en/latest/analytics/ab7a6ef4-0983-4275-a4f1-5c6bd3c31c23.html\ntags:\n- attack.collection\n- attack.t1123\ndetection:\n selection:\n CommandLine|contains: WindowsAudioDevice-Powershell-Cmdlet\n condition: selection\nfalsepositives:\n- Legitimate audio capture by legitimate user\nlevel: medium\nlogsource:\n category: process_creation\n product: windows\n\n
\n}}'),(8853,'Issue',490,15,'T1123'),(8854,'Issue',491,1,'PowerShell Base64 Encoded Shellcode'),(8855,'Issue',491,2,'Florian Roth'),(8856,'Issue',491,8,'https://twitter.com/cyb3rops/status/1063072865992523776'),(8857,'Issue',491,10,'critical'),(8858,'Issue',491,13,'community'),(8859,'Issue',491,14,'windows'),(8861,'Issue',491,11,'5d3447e7d'),(8862,'Issue',491,12,'2d117e49-e626-4c7c-bd1f-c3c0147774c8'),(8863,'Issue',491,16,'win-proc'),(8864,'Issue',491,17,''),(8865,'Issue',491,7,''),(8866,'Issue',491,3,'Detects Base64 encoded Shellcode'),(8867,'Issue',491,4,''),(8868,'Issue',491,5,'_False Positives_\nUnknown'),(8869,'Issue',491,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:*AAAAYInlM* AND process.command_line.keyword:(*OiCAAAAYInlM* OR *OiJAAAAYInlM*))\nindex: so-*\nname: PowerShell Base64 Encoded Shellcode\npriority: 1\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(8870,'Issue',491,9,'{{collapse(View Sigma)\n\n\ntitle: PowerShell Base64 Encoded Shellcode\nid: 2d117e49-e626-4c7c-bd1f-c3c0147774c8\ndescription: Detects Base64 encoded Shellcode\nstatus: experimental\nreferences:\n- https://twitter.com/cyb3rops/status/1063072865992523776\nauthor: Florian Roth\ndate: 2018/11/17\ntags:\n- attack.defense_evasion\n- attack.t1036\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection1:\n CommandLine: \'*AAAAYInlM*\'\n selection2:\n CommandLine:\n - \'*OiCAAAAYInlM*\'\n - \'*OiJAAAAYInlM*\'\n condition: selection1 and selection2\nfalsepositives:\n- Unknown\nlevel: critical\n\n
\n}}'),(8871,'Issue',491,15,'T1036'),(8872,'Issue',492,1,'Suspicious Bitsadmin Job via PowerShell'),(8873,'Issue',492,2,'Endgame, JHasenbusch (ported to sigma for oscd.community)'),(8874,'Issue',492,8,'https://eqllib.readthedocs.io/en/latest/analytics/ec5180c9-721a-460f-bddc-27539a284273.html\nhttps://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1197/T1197.md'),(8875,'Issue',492,10,'medium'),(8876,'Issue',492,13,'community'),(8877,'Issue',492,14,'windows'),(8879,'Issue',492,11,'8676c64ae'),(8880,'Issue',492,12,'f67dbfce-93bc-440d-86ad-a95ae8858c90'),(8881,'Issue',492,16,'win-proc'),(8882,'Issue',492,17,''),(8883,'Issue',492,7,''),(8884,'Issue',492,3,'Detect download by BITS jobs via PowerShell'),(8885,'Issue',492,4,''),(8886,'Issue',492,5,'_False Positives_\nUnknown\n\n_Interesting Log Fields_\nComputerName\nUser\nCommandLine'),(8887,'Issue',492,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\powershell.exe AND process.command_line.keyword:*Start\\-BitsTransfer*)\nindex: so-*\nname: Suspicious Bitsadmin Job via PowerShell\npriority: 3\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(8888,'Issue',492,9,'{{collapse(View Sigma)\n\n\ntitle: Suspicious Bitsadmin Job via PowerShell\nid: f67dbfce-93bc-440d-86ad-a95ae8858c90\nstatus: experimental\ndescription: Detect download by BITS jobs via PowerShell\nreferences:\n- https://eqllib.readthedocs.io/en/latest/analytics/ec5180c9-721a-460f-bddc-27539a284273.html\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1197/T1197.md\nauthor: Endgame, JHasenbusch (ported to sigma for oscd.community)\ndate: 2018/10/30\nmodified: 2019/11/11\ntags:\n- attack.defense_evasion\n- attack.persistence\n- attack.t1197\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n Image|endswith: \\powershell.exe\n CommandLine|contains: Start-BitsTransfer\n condition: selection\nfields:\n- ComputerName\n- User\n- CommandLine\nfalsepositives:\n- Unknown\nlevel: medium\n\n
\n}}'),(8889,'Issue',492,15,'T1197'),(8890,'Issue',493,1,'Detection of PowerShell Execution via DLL'),(8891,'Issue',493,2,'Markus Neis'),(8892,'Issue',493,8,'https://github.com/p3nt4/PowerShdll/blob/master/README.md'),(8893,'Issue',493,10,'high'),(8894,'Issue',493,13,'community'),(8895,'Issue',493,14,'windows'),(8897,'Issue',493,11,'35da2d6b7'),(8898,'Issue',493,12,'6812a10b-60ea-420c-832f-dfcc33b646ba'),(8899,'Issue',493,16,'win-proc'),(8900,'Issue',493,17,''),(8901,'Issue',493,7,''),(8902,'Issue',493,3,'Detects PowerShell Strings applied to rundllas seen in PowerShdll.dll'),(8903,'Issue',493,4,''),(8904,'Issue',493,5,'_False Positives_\nUnknown'),(8905,'Issue',493,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND (process.executable.keyword:(*\\\\rundll32.exe) OR process.pe.description.keyword:(*Windows\\-Hostprozess\\ \\(Rundll32\\)*)) AND process.command_line.keyword:(*Default.GetString* OR *FromBase64String*))\nindex: so-*\nname: Detection of PowerShell Execution via DLL\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(8906,'Issue',493,9,'{{collapse(View Sigma)\n\n\ntitle: Detection of PowerShell Execution via DLL\nid: 6812a10b-60ea-420c-832f-dfcc33b646ba\nstatus: experimental\ndescription: Detects PowerShell Strings applied to rundllas seen in PowerShdll.dll\nreferences:\n- https://github.com/p3nt4/PowerShdll/blob/master/README.md\ntags:\n- attack.execution\n- attack.t1086\n- car.2014-04-003\nauthor: Markus Neis\ndate: 2018/08/25\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection1:\n Image:\n - \'*\\rundll32.exe\'\n selection2:\n Description:\n - \'*Windows-Hostprozess (Rundll32)*\'\n selection3:\n CommandLine:\n - \'*Default.GetString*\'\n - \'*FromBase64String*\'\n condition: (selection1 or selection2) and selection3\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(8907,'Issue',493,15,'T1086'),(8908,'Issue',494,1,'PowerShell Downgrade Attack'),(8909,'Issue',494,2,'Harish Segar (rule)'),(8910,'Issue',494,8,'http://www.leeholmes.com/blog/2017/03/17/detecting-and-preventing-powershell-downgrade-attacks/'),(8911,'Issue',494,10,'medium'),(8912,'Issue',494,13,'community'),(8913,'Issue',494,14,'windows'),(8915,'Issue',494,11,'7dd8ab307'),(8916,'Issue',494,12,'b3512211-c67e-4707-bedc-66efc7848863'),(8917,'Issue',494,16,'win-proc'),(8918,'Issue',494,17,''),(8919,'Issue',494,7,''),(8920,'Issue',494,3,'Detects PowerShell downgrade attack by comparing the host versions with the actually used engine version 2.0'),(8921,'Issue',494,4,''),(8922,'Issue',494,5,'_False Positives_\nPenetration Test\nUnknown'),(8923,'Issue',494,6,'{{collapse(View ElastAlert Config)\n\n\n\n
\n}}'),(8924,'Issue',494,9,'{{collapse(View Sigma)\n\n\ntitle: PowerShell Downgrade Attack\nid: b3512211-c67e-4707-bedc-66efc7848863\nrelated:\n - id: 6331d09b-4785-4c13-980f-f96661356249\n type: derived\nstatus: experimental\ndescription: Detects PowerShell downgrade attack by comparing the host versions with the actually used engine version 2.0\nreferences:\n - http://www.leeholmes.com/blog/2017/03/17/detecting-and-preventing-powershell-downgrade-attacks/\ntags:\n - attack.defense_evasion\n - attack.execution\n - attack.t1086\nauthor: Harish Segar (rule)\ndate: 2020/03/20\nfalsepositives:\n - Penetration Test\n - Unknown\nlevel: medium\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n CommandLine|contains: \n - \' -version 2 \'\n - \' -versio 2 \'\n - \' -versi 2 \'\n - \' -vers 2 \'\n - \' -ver 2 \'\n - \' -ve 2 \' \n Image|endswith: \'\\powershell.exe\'\n condition: selection\n\n
\n}}'),(8925,'Issue',494,15,'T1086'),(8926,'Issue',495,1,'PowerShell Download from URL'),(8927,'Issue',495,2,'Florian Roth'),(8928,'Issue',495,8,'none'),(8929,'Issue',495,10,'medium'),(8930,'Issue',495,13,'community'),(8931,'Issue',495,14,'windows'),(8933,'Issue',495,11,'0058be94d'),(8934,'Issue',495,12,'3b6ab547-8ec2-4991-b9d2-2b06702a48d7'),(8935,'Issue',495,16,'win-proc'),(8936,'Issue',495,17,''),(8937,'Issue',495,7,''),(8938,'Issue',495,3,'Detects a Powershell process that contains download commands in its command line string'),(8939,'Issue',495,4,''),(8940,'Issue',495,5,'_False Positives_\nunknown\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(8941,'Issue',495,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\powershell.exe AND process.command_line.keyword:(*new\\-object\\ system.net.webclient\\).downloadstring\\(* OR *new\\-object\\ system.net.webclient\\).downloadfile\\(* OR *new\\-object\\ net.webclient\\).downloadstring\\(* OR *new\\-object\\ net.webclient\\).downloadfile\\(*))\nindex: so-*\nname: PowerShell Download from URL\npriority: 3\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(8942,'Issue',495,9,'{{collapse(View Sigma)\n\n\ntitle: PowerShell Download from URL\nid: 3b6ab547-8ec2-4991-b9d2-2b06702a48d7\nstatus: experimental\ndescription: Detects a Powershell process that contains download commands in its command\n line string\nauthor: Florian Roth\ndate: 2019/01/16\ntags:\n- attack.t1086\n- attack.execution\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n Image: \'*\\powershell.exe\'\n CommandLine:\n - \'*new-object system.net.webclient).downloadstring(*\'\n - \'*new-object system.net.webclient).downloadfile(*\'\n - \'*new-object net.webclient).downloadstring(*\'\n - \'*new-object net.webclient).downloadfile(*\'\n condition: selection\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- unknown\nlevel: medium\n\n
\n}}'),(8943,'Issue',495,15,'T1086'),(8944,'Issue',496,1,'FromBase64String Command Line'),(8945,'Issue',496,2,'Florian Roth'),(8946,'Issue',496,8,'https://gist.github.com/Neo23x0/6af876ee72b51676c82a2db8d2cd3639'),(8947,'Issue',496,10,'high'),(8948,'Issue',496,13,'community'),(8949,'Issue',496,14,'windows'),(8951,'Issue',496,11,'9f0eefc93'),(8952,'Issue',496,12,'e32d4572-9826-4738-b651-95fa63747e8a'),(8953,'Issue',496,16,'win-proc'),(8954,'Issue',496,17,''),(8955,'Issue',496,7,''),(8956,'Issue',496,3,'Detects suspicious FromBase64String expressions in command line arguments'),(8957,'Issue',496,4,''),(8958,'Issue',496,5,'_False Positives_\nAdministrative script libraries'),(8959,'Issue',496,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:*\\:\\:FromBase64String\\(*)\nindex: so-*\nname: FromBase64String Command Line\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(8960,'Issue',496,9,'{{collapse(View Sigma)\n\n\ntitle: FromBase64String Command Line\nid: e32d4572-9826-4738-b651-95fa63747e8a\nstatus: experimental\ndescription: Detects suspicious FromBase64String expressions in command line arguments\nreferences:\n- https://gist.github.com/Neo23x0/6af876ee72b51676c82a2db8d2cd3639\nauthor: Florian Roth\ndate: 2020/01/29\ntags:\n- attack.t1027\n- attack.defense_evasion\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n CommandLine|contains: ::FromBase64String(\n condition: selection\nfalsepositives:\n- Administrative script libraries\nlevel: high\n\n
\n}}'),(8961,'Issue',496,15,'T1027'),(8962,'Issue',497,1,'Suspicious PowerShell Parameter Substring'),(8963,'Issue',497,2,'Florian Roth (rule), Daniel Bohannon (idea), Roberto Rodriguez (Fix)'),(8964,'Issue',497,8,'http://www.danielbohannon.com/blog-1/2017/3/12/powershell-execution-argument-obfuscation-how-it-can-make-detection-easier'),(8965,'Issue',497,10,'high'),(8966,'Issue',497,13,'community'),(8967,'Issue',497,14,'windows'),(8969,'Issue',497,11,'5e2eb5a76'),(8970,'Issue',497,12,'36210e0d-5b19-485d-a087-c096088885f0'),(8971,'Issue',497,16,'win-proc'),(8972,'Issue',497,17,''),(8973,'Issue',497,7,''),(8974,'Issue',497,3,'Detects suspicious PowerShell invocation with a parameter substring'),(8975,'Issue',497,4,''),(8976,'Issue',497,5,'_False Positives_\nPenetration tests'),(8977,'Issue',497,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:(*\\\\Powershell.exe) AND process.command_line:(\"\\ \\-windowstyle\\ h\\ \" OR \"\\ \\-windowstyl\\ h\" OR \"\\ \\-windowsty\\ h\" OR \"\\ \\-windowst\\ h\" OR \"\\ \\-windows\\ h\" OR \"\\ \\-windo\\ h\" OR \"\\ \\-wind\\ h\" OR \"\\ \\-win\\ h\" OR \"\\ \\-wi\\ h\" OR \"\\ \\-win\\ h\\ \" OR \"\\ \\-win\\ hi\\ \" OR \"\\ \\-win\\ hid\\ \" OR \"\\ \\-win\\ hidd\\ \" OR \"\\ \\-win\\ hidde\\ \" OR \"\\ \\-NoPr\\ \" OR \"\\ \\-NoPro\\ \" OR \"\\ \\-NoProf\\ \" OR \"\\ \\-NoProfi\\ \" OR \"\\ \\-NoProfil\\ \" OR \"\\ \\-nonin\\ \" OR \"\\ \\-nonint\\ \" OR \"\\ \\-noninte\\ \" OR \"\\ \\-noninter\\ \" OR \"\\ \\-nonintera\\ \" OR \"\\ \\-noninterac\\ \" OR \"\\ \\-noninteract\\ \" OR \"\\ \\-noninteracti\\ \" OR \"\\ \\-noninteractiv\\ \" OR \"\\ \\-ec\\ \" OR \"\\ \\-encodedComman\\ \" OR \"\\ \\-encodedComma\\ \" OR \"\\ \\-encodedComm\\ \" OR \"\\ \\-encodedCom\\ \" OR \"\\ \\-encodedCo\\ \" OR \"\\ \\-encodedC\\ \" OR \"\\ \\-encoded\\ \" OR \"\\ \\-encode\\ \" OR \"\\ \\-encod\\ \" OR \"\\ \\-enco\\ \" OR \"\\ \\-en\\ \"))\nindex: so-*\nname: Suspicious PowerShell Parameter Substring\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(8978,'Issue',497,9,'{{collapse(View Sigma)\n\n\ntitle: Suspicious PowerShell Parameter Substring\nid: 36210e0d-5b19-485d-a087-c096088885f0\nstatus: experimental\ndescription: Detects suspicious PowerShell invocation with a parameter substring\nreferences:\n- http://www.danielbohannon.com/blog-1/2017/3/12/powershell-execution-argument-obfuscation-how-it-can-make-detection-easier\ntags:\n- attack.execution\n- attack.t1086\nauthor: Florian Roth (rule), Daniel Bohannon (idea), Roberto Rodriguez (Fix)\ndate: 2019/01/16\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n Image:\n - \'*\\Powershell.exe\'\n CommandLine:\n - \' -windowstyle h \'\n - \' -windowstyl h\'\n - \' -windowsty h\'\n - \' -windowst h\'\n - \' -windows h\'\n - \' -windo h\'\n - \' -wind h\'\n - \' -win h\'\n - \' -wi h\'\n - \' -win h \'\n - \' -win hi \'\n - \' -win hid \'\n - \' -win hidd \'\n - \' -win hidde \'\n - \' -NoPr \'\n - \' -NoPro \'\n - \' -NoProf \'\n - \' -NoProfi \'\n - \' -NoProfil \'\n - \' -nonin \'\n - \' -nonint \'\n - \' -noninte \'\n - \' -noninter \'\n - \' -nonintera \'\n - \' -noninterac \'\n - \' -noninteract \'\n - \' -noninteracti \'\n - \' -noninteractiv \'\n - \' -ec \'\n - \' -encodedComman \'\n - \' -encodedComma \'\n - \' -encodedComm \'\n - \' -encodedCom \'\n - \' -encodedCo \'\n - \' -encodedC \'\n - \' -encoded \'\n - \' -encode \'\n - \' -encod \'\n - \' -enco \'\n - \' -en \'\n condition: selection\nfalsepositives:\n- Penetration tests\nlevel: high\n\n
\n}}'),(8979,'Issue',497,15,'T1086'),(8980,'Issue',498,1,'Suspicious XOR Encoded PowerShell Command Line'),(8981,'Issue',498,2,'Sami Ruohonen'),(8982,'Issue',498,8,'none'),(8983,'Issue',498,10,'medium'),(8984,'Issue',498,13,'community'),(8985,'Issue',498,14,'windows'),(8987,'Issue',498,11,'4d93efac2'),(8988,'Issue',498,12,'bb780e0c-16cf-4383-8383-1e5471db6cf9'),(8989,'Issue',498,16,'win-proc'),(8990,'Issue',498,17,''),(8991,'Issue',498,7,''),(8992,'Issue',498,3,'Detects suspicious powershell process which includes bxor command, alternatvide obfuscation method to b64 encoded commands.'),(8993,'Issue',498,4,''),(8994,'Issue',498,5,'_False Positives_\nunknown'),(8995,'Issue',498,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(*\\ \\-bxor*))\nindex: so-*\nname: Suspicious XOR Encoded PowerShell Command Line\npriority: 3\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(8996,'Issue',498,9,'{{collapse(View Sigma)\n\n\ntitle: Suspicious XOR Encoded PowerShell Command Line\nid: bb780e0c-16cf-4383-8383-1e5471db6cf9\ndescription: Detects suspicious powershell process which includes bxor command, alternatvide\n obfuscation method to b64 encoded commands.\nstatus: experimental\nauthor: Sami Ruohonen\ndate: 2018/09/05\ntags:\n- attack.execution\n- attack.t1086\ndetection:\n selection:\n CommandLine:\n - \'* -bxor*\'\n condition: selection\nfalsepositives:\n- unknown\nlevel: medium\nlogsource:\n category: process_creation\n product: windows\n\n
\n}}'),(8997,'Issue',498,15,'T1086'),(8998,'Issue',499,1,'Default PowerSploit and Empire Schtasks Persistence'),(8999,'Issue',499,2,'Markus Neis, @Karneades'),(9000,'Issue',499,8,'https://github.com/0xdeadbeefJERKY/PowerSploit/blob/8690399ef70d2cad10213575ac67e8fa90ddf7c3/Persistence/Persistence.psm1\nhttps://github.com/EmpireProject/Empire/blob/master/lib/modules/powershell/persistence/userland/schtasks.py\nhttps://github.com/EmpireProject/Empire/blob/master/lib/modules/powershell/persistence/elevated/schtasks.py'),(9001,'Issue',499,10,'high'),(9002,'Issue',499,13,'community'),(9003,'Issue',499,14,'windows'),(9005,'Issue',499,11,'52c48c3b3'),(9006,'Issue',499,12,'56c217c3-2de2-479b-990f-5c109ba8458f'),(9007,'Issue',499,16,'win-proc'),(9008,'Issue',499,17,''),(9009,'Issue',499,7,''),(9010,'Issue',499,3,'Detects the creation of a schtask via PowerSploit or Empire Default Configuration.'),(9011,'Issue',499,4,''),(9012,'Issue',499,5,'_False Positives_\nFalse positives are possible, depends on organisation and processes'),(9013,'Issue',499,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.parent.executable.keyword:(*\\\\powershell.exe) AND process.command_line.keyword:(*schtasks*\\/Create*\\/SC\\ *ONLOGON*\\/TN\\ *Updater*\\/TR\\ *powershell* OR *schtasks*\\/Create*\\/SC\\ *DAILY*\\/TN\\ *Updater*\\/TR\\ *powershell* OR *schtasks*\\/Create*\\/SC\\ *ONIDLE*\\/TN\\ *Updater*\\/TR\\ *powershell* OR *schtasks*\\/Create*\\/SC\\ *Updater*\\/TN\\ *Updater*\\/TR\\ *powershell*))\nindex: so-*\nname: Default PowerSploit and Empire Schtasks Persistence\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(9014,'Issue',499,9,'{{collapse(View Sigma)\n\n\ntitle: Default PowerSploit and Empire Schtasks Persistence\nid: 56c217c3-2de2-479b-990f-5c109ba8458f\nstatus: experimental\ndescription: Detects the creation of a schtask via PowerSploit or Empire Default Configuration.\nreferences:\n- https://github.com/0xdeadbeefJERKY/PowerSploit/blob/8690399ef70d2cad10213575ac67e8fa90ddf7c3/Persistence/Persistence.psm1\n- https://github.com/EmpireProject/Empire/blob/master/lib/modules/powershell/persistence/userland/schtasks.py\n- https://github.com/EmpireProject/Empire/blob/master/lib/modules/powershell/persistence/elevated/schtasks.py\nauthor: Markus Neis, @Karneades\ndate: 2018/03/06\nlogsource:\n product: windows\n category: process_creation\ndetection:\n selection:\n ParentImage:\n - \'*\\powershell.exe\'\n CommandLine:\n - \'*schtasks*/Create*/SC *ONLOGON*/TN *Updater*/TR *powershell*\'\n - \'*schtasks*/Create*/SC *DAILY*/TN *Updater*/TR *powershell*\'\n - \'*schtasks*/Create*/SC *ONIDLE*/TN *Updater*/TR *powershell*\'\n - \'*schtasks*/Create*/SC *Updater*/TN *Updater*/TR *powershell*\'\n condition: selection\ntags:\n- attack.execution\n- attack.persistence\n- attack.privilege_escalation\n- attack.t1053\n- attack.t1086\n- attack.s0111\n- attack.g0022\n- attack.g0060\n- car.2013-08-001\nfalsepositives:\n- False positives are possible, depends on organisation and processes\nlevel: high\n\n
\n}}'),(9015,'Issue',499,15,'T1053'),(9016,'Issue',499,15,'T1086'),(9017,'Issue',500,1,'Windows Processes Suspicious Parent Directory'),(9018,'Issue',500,2,'vburov'),(9019,'Issue',500,8,'https://securitybytes.io/blue-team-fundamentals-part-two-windows-processes-759fe15965e2\nhttps://www.carbonblack.com/2014/06/10/screenshot-demo-hunt-evil-faster-than-ever-with-carbon-black/\nhttps://www.13cubed.com/downloads/windows_process_genealogy_v2.pdf\nhttps://attack.mitre.org/techniques/T1036/'),(9020,'Issue',500,10,'low'),(9021,'Issue',500,13,'community'),(9022,'Issue',500,14,'windows'),(9024,'Issue',500,11,'c9688cc7f'),(9025,'Issue',500,12,'96036718-71cc-4027-a538-d1587e0006a7'),(9026,'Issue',500,16,'win-proc'),(9027,'Issue',500,17,''),(9028,'Issue',500,7,''),(9029,'Issue',500,3,'Detect suspicious parent processes of well-known Windows processes'),(9030,'Issue',500,4,''),(9031,'Issue',500,5,'_False Positives_\nSome security products seem to spawn these'),(9032,'Issue',500,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (process.executable.keyword:(*\\\\svchost.exe OR *\\\\taskhost.exe OR *\\\\lsm.exe OR *\\\\lsass.exe OR *\\\\services.exe OR *\\\\lsaiso.exe OR *\\\\csrss.exe OR *\\\\wininit.exe OR *\\\\winlogon.exe) AND (NOT (process.parent.executable.keyword:(*\\\\System32\\\\* OR *\\\\SysWOW64\\\\* OR *\\\\SavService.exe OR *\\\\Windows\\ Defender\\\\*\\\\MsMpEng.exe)))) AND (NOT (NOT _exists_:process.parent.executable)))\nindex: so-*\nname: Windows Processes Suspicious Parent Directory\npriority: 4\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(9033,'Issue',500,9,'{{collapse(View Sigma)\n\n\ntitle: Windows Processes Suspicious Parent Directory\nid: 96036718-71cc-4027-a538-d1587e0006a7\nstatus: experimental\ndescription: Detect suspicious parent processes of well-known Windows processes\nauthor: vburov\nreferences:\n- https://securitybytes.io/blue-team-fundamentals-part-two-windows-processes-759fe15965e2\n- https://www.carbonblack.com/2014/06/10/screenshot-demo-hunt-evil-faster-than-ever-with-carbon-black/\n- https://www.13cubed.com/downloads/windows_process_genealogy_v2.pdf\n- https://attack.mitre.org/techniques/T1036/\ndate: 2019/02/23\nmodified: 2019/08/20\ntags:\n- attack.defense_evasion\n- attack.t1036\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n Image:\n - \'*\\svchost.exe\'\n - \'*\\taskhost.exe\'\n - \'*\\lsm.exe\'\n - \'*\\lsass.exe\'\n - \'*\\services.exe\'\n - \'*\\lsaiso.exe\'\n - \'*\\csrss.exe\'\n - \'*\\wininit.exe\'\n - \'*\\winlogon.exe\'\n filter:\n ParentImage:\n - \'*\\System32\\\\*\'\n - \'*\\SysWOW64\\\\*\'\n - \'*\\SavService.exe\'\n - \'*\\Windows Defender\\\\*\\MsMpEng.exe\'\n filter_null:\n ParentImage:\n condition: selection and not filter and not filter_null\nfalsepositives:\n- Some security products seem to spawn these\nlevel: low\n\n
\n}}'),(9034,'Issue',500,15,'T1036'),(9035,'Issue',501,1,'Bitsadmin Download'),(9036,'Issue',501,2,'Michael Haag'),(9037,'Issue',501,8,'https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin\nhttps://isc.sans.edu/diary/22264'),(9038,'Issue',501,10,'medium'),(9039,'Issue',501,13,'community'),(9040,'Issue',501,14,'windows'),(9042,'Issue',501,11,'0859ceb13'),(9043,'Issue',501,12,'d059842b-6b9d-4ed1-b5c3-5b89143c6ede'),(9044,'Issue',501,16,'win-proc'),(9045,'Issue',501,17,''),(9046,'Issue',501,7,''),(9047,'Issue',501,3,'Detects usage of bitsadmin downloading a file'),(9048,'Issue',501,4,''),(9049,'Issue',501,5,'_False Positives_\nSome legitimate apps use this, but limited.\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(9050,'Issue',501,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND ((process.executable.keyword:(*\\\\bitsadmin.exe) AND process.command_line.keyword:(*\\ \\/transfer\\ *)) OR process.command_line.keyword:(*copy\\ bitsadmin.exe*)))\nindex: so-*\nname: Bitsadmin Download\npriority: 3\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(9051,'Issue',501,9,'{{collapse(View Sigma)\n\n\ntitle: Bitsadmin Download\nid: d059842b-6b9d-4ed1-b5c3-5b89143c6ede\nstatus: experimental\ndescription: Detects usage of bitsadmin downloading a file\nreferences:\n- https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin\n- https://isc.sans.edu/diary/22264\ntags:\n- attack.defense_evasion\n- attack.persistence\n- attack.t1197\n- attack.s0190\ndate: 2017/03/09\nmodified: 2019/12/06\nauthor: Michael Haag\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection1:\n Image:\n - \'*\\bitsadmin.exe\'\n CommandLine:\n - \'* /transfer *\'\n selection2:\n CommandLine:\n - \'*copy bitsadmin.exe*\'\n condition: selection1 or selection2\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Some legitimate apps use this, but limited.\nlevel: medium\n\n
\n}}'),(9052,'Issue',501,15,'T1197'),(9053,'Issue',502,1,'Process Dump via Rundll32 and Comsvcs.dll'),(9054,'Issue',502,2,'Florian Roth'),(9055,'Issue',502,8,'https://twitter.com/shantanukhande/status/1229348874298388484'),(9056,'Issue',502,10,'high'),(9057,'Issue',502,13,'community'),(9058,'Issue',502,14,'windows'),(9060,'Issue',502,11,'f4af737c0'),(9061,'Issue',502,12,'646ea171-dded-4578-8a4d-65e9822892e3'),(9062,'Issue',502,16,'win-proc'),(9063,'Issue',502,17,''),(9064,'Issue',502,7,''),(9065,'Issue',502,3,'Detects a process memory dump performed via ordinal function 24 in comsvcs.dll'),(9066,'Issue',502,4,''),(9067,'Issue',502,5,'_False Positives_\nUnlikely, because no one should dump the process memory in that way'),(9068,'Issue',502,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(*comsvcs.dll,#24* OR *comsvcs.dll,MiniDump*))\nindex: so-*\nname: Process Dump via Rundll32 and Comsvcs.dll\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(9069,'Issue',502,9,'{{collapse(View Sigma)\n\n\ntitle: Process Dump via Rundll32 and Comsvcs.dll\nid: 646ea171-dded-4578-8a4d-65e9822892e3\ndescription: Detects a process memory dump performed via ordinal function 24 in comsvcs.dll\nstatus: experimental\nreferences:\n- https://twitter.com/shantanukhande/status/1229348874298388484\nauthor: Florian Roth\ndate: 2020/02/18\ntags:\n- attack.defense_evasion\n- attack.t1036\n- attack.credential_access\n- attack.t1003\n- car.2013-05-009\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n CommandLine|contains:\n - comsvcs.dll,#24\n - comsvcs.dll,MiniDump\n condition: selection\nfalsepositives:\n- Unlikely, because no one should dump the process memory in that way\nlevel: high\n\n
\n}}'),(9070,'Issue',502,15,'T1036'),(9071,'Issue',502,15,'T1003'),(9072,'Issue',503,1,'PsExec Service Start'),(9073,'Issue',503,2,'Florian Roth'),(9074,'Issue',503,8,'none'),(9075,'Issue',503,10,'low'),(9076,'Issue',503,13,'community'),(9077,'Issue',503,14,'windows'),(9079,'Issue',503,11,'15de28714'),(9080,'Issue',503,12,'3ede524d-21cc-472d-a3ce-d21b568d8db7'),(9081,'Issue',503,16,'win-proc'),(9082,'Issue',503,17,''),(9083,'Issue',503,7,''),(9084,'Issue',503,3,'Detects a PsExec service start'),(9085,'Issue',503,4,''),(9086,'Issue',503,5,'_False Positives_\nAdministrative activity'),(9087,'Issue',503,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND ProcessCommandLine:\"C\\:\\\\Windows\\\\PSEXESVC.exe\")\nindex: so-*\nname: PsExec Service Start\npriority: 4\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(9088,'Issue',503,9,'{{collapse(View Sigma)\n\n\ntitle: PsExec Service Start\nid: 3ede524d-21cc-472d-a3ce-d21b568d8db7\ndescription: Detects a PsExec service start\nauthor: Florian Roth\ndate: 2018/03/13\nmodified: 2012/12/11\ntags:\n- attack.execution\n- attack.t1035\n- attack.s0029\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n ProcessCommandLine: C:\\Windows\\PSEXESVC.exe\n condition: selection\nfalsepositives:\n- Administrative activity\nlevel: low\n\n
\n}}'),(9089,'Issue',503,15,'T1035'),(9090,'Issue',504,1,'Query Registry'),(9091,'Issue',504,2,'Timur Zinniatullin, oscd.community'),(9092,'Issue',504,8,'https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1012/T1012.yaml'),(9093,'Issue',504,10,'low'),(9094,'Issue',504,13,'community'),(9095,'Issue',504,14,'windows'),(9097,'Issue',504,11,'05ee88dcb'),(9098,'Issue',504,12,'970007b7-ce32-49d0-a4a4-fbef016950bd'),(9099,'Issue',504,16,'win-proc'),(9100,'Issue',504,17,''),(9101,'Issue',504,7,''),(9102,'Issue',504,3,'Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.'),(9103,'Issue',504,4,''),(9104,'Issue',504,5,'_False Positives_\n Unknown\n\n_Interesting Log Fields_\nImage\nCommandLine\nUser\nLogonGuid\nHashes\nParentProcessGuid\nParentCommandLine'),(9105,'Issue',504,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\reg.exe AND process.command_line.keyword:(*query* OR *save* OR *export*) AND process.command_line.keyword:(*currentVersion\\\\windows* OR *currentVersion\\\\runServicesOnce* OR *currentVersion\\\\runServices* OR *winlogon\\* OR *currentVersion\\\\shellServiceObjectDelayLoad* OR *currentVersion\\\\runOnce* OR *currentVersion\\\\runOnceEx* OR *currentVersion\\\\run* OR *currentVersion\\\\policies\\\\explorer\\\\run* OR *currentcontrolset\\\\services*))\nindex: so-*\nname: Query Registry\npriority: 4\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(9106,'Issue',504,9,'{{collapse(View Sigma)\n\n\ntitle: Query Registry\nid: 970007b7-ce32-49d0-a4a4-fbef016950bd\nstatus: experimental\ndescription: Adversaries may interact with the Windows Registry to gather information\n about the system, configuration, and installed software.\nauthor: Timur Zinniatullin, oscd.community\ndate: 2019/10/21\nmodified: 2019/11/04\nreferences:\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1012/T1012.yaml\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_1:\n Image|endswith: \\reg.exe\n CommandLine|contains:\n - query\n - save\n - export\n selection_2:\n CommandLine|contains:\n - currentVersion\\windows\n - currentVersion\\runServicesOnce\n - currentVersion\\runServices\n - winlogon\\\n - currentVersion\\shellServiceObjectDelayLoad\n - currentVersion\\runOnce\n - currentVersion\\runOnceEx\n - currentVersion\\run\n - currentVersion\\policies\\explorer\\run\n - currentcontrolset\\services\n condition: selection_1 and selection_2\nfields:\n- Image\n- CommandLine\n- User\n- LogonGuid\n- Hashes\n- ParentProcessGuid\n- ParentCommandLine\nlevel: low\ntags:\n- attack.discovery\n- attack.t1012\n- attack.t1007\n\n
\n}}'),(9107,'Issue',504,15,'T1012'),(9108,'Issue',504,15,'T1007'),(9109,'Issue',505,1,'MSTSC Shadowing'),(9110,'Issue',505,2,'Florian Roth'),(9111,'Issue',505,8,'https://twitter.com/kmkz_security/status/1220694202301976576\nhttps://github.com/kmkz/Pentesting/blob/master/Post-Exploitation-Cheat-Sheet'),(9112,'Issue',505,10,'high'),(9113,'Issue',505,13,'community'),(9114,'Issue',505,14,'windows'),(9115,'Issue',505,15,''),(9116,'Issue',505,11,'8c3dc3ef9'),(9117,'Issue',505,12,'6ba5a05f-b095-4f0a-8654-b825f4f16334'),(9118,'Issue',505,16,'win-proc'),(9119,'Issue',505,17,''),(9120,'Issue',505,7,''),(9121,'Issue',505,3,'Detects RDP session hijacking by using MSTSC shadowing'),(9122,'Issue',505,4,''),(9123,'Issue',505,5,'_False Positives_\nUnknown'),(9124,'Issue',505,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:*noconsentprompt* AND process.command_line.keyword:*shadow\\:*)\nindex: so-*\nname: MSTSC Shadowing\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(9125,'Issue',505,9,'{{collapse(View Sigma)\n\n\ntitle: MSTSC Shadowing\nid: 6ba5a05f-b095-4f0a-8654-b825f4f16334\ndescription: Detects RDP session hijacking by using MSTSC shadowing\nstatus: experimental\nauthor: Florian Roth\ndate: 2020/01/24\nreferences:\n- https://twitter.com/kmkz_security/status/1220694202301976576\n- https://github.com/kmkz/Pentesting/blob/master/Post-Exploitation-Cheat-Sheet\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n CommandLine|contains|all:\n - noconsentprompt\n - \'shadow:\'\n condition: selection\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(9126,'Issue',506,1,'Remote PowerShell Session'),(9127,'Issue',506,2,'Roberto Rodriguez @Cyb3rWard0g'),(9128,'Issue',506,8,'https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/powershell_remote_session.md'),(9129,'Issue',506,10,'medium'),(9130,'Issue',506,13,'community'),(9131,'Issue',506,14,'windows'),(9133,'Issue',506,11,'fe42832a8'),(9134,'Issue',506,12,'734f8d9b-42b8-41b2-bcf5-abaf49d5a3c8'),(9135,'Issue',506,16,'win-proc'),(9136,'Issue',506,17,''),(9137,'Issue',506,7,''),(9138,'Issue',506,3,'Detects remote PowerShell sections by monitoring for wsmprovhost as a parent or child process (sign of an active ps remote session)'),(9139,'Issue',506,4,''),(9140,'Issue',506,5,'_False Positives_\nLegitimate usage of remote Powershell, e.g. for monitoring purposes\n\n_Interesting Log Fields_\nComputerName\nUser\nCommandLine'),(9141,'Issue',506,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND (process.executable.keyword:*\\\\wsmprovhost.exe OR process.parent.executable.keyword:*\\\\wsmprovhost.exe))\nindex: so-*\nname: Remote PowerShell Session\npriority: 3\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(9142,'Issue',506,9,'{{collapse(View Sigma)\n\n\ntitle: Remote PowerShell Session\nid: 734f8d9b-42b8-41b2-bcf5-abaf49d5a3c8\ndescription: Detects remote PowerShell sections by monitoring for wsmprovhost as a\n parent or child process (sign of an active ps remote session)\nstatus: experimental\ndate: 2019/09/12\nmodified: 2019/11/10\nauthor: Roberto Rodriguez @Cyb3rWard0g\nreferences:\n- https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/powershell_remote_session.md\ntags:\n- attack.execution\n- attack.t1086\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n - Image|endswith: \\wsmprovhost.exe\n - ParentImage|endswith: \\wsmprovhost.exe\n condition: selection\nfields:\n- ComputerName\n- User\n- CommandLine\nfalsepositives:\n- Legitimate usage of remote Powershell, e.g. for monitoring purposes\nlevel: medium\n\n
\n}}'),(9143,'Issue',506,15,'T1086'),(9144,'Issue',507,1,'Discovery of a System Time'),(9145,'Issue',507,2,'E.M. Anhaus (orignally from Atomic Blue Detections, Endgame), oscd.community'),(9146,'Issue',507,8,'https://eqllib.readthedocs.io/en/latest/analytics/fcdb99c2-ac3c-4bde-b664-4b336329bed2.html\nhttps://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1124/T1124.md'),(9147,'Issue',507,10,'low'),(9148,'Issue',507,13,'community'),(9149,'Issue',507,14,'windows'),(9151,'Issue',507,11,'9639546cc'),(9152,'Issue',507,12,'b243b280-65fe-48df-ba07-6ddea7646427'),(9153,'Issue',507,16,'win-proc'),(9154,'Issue',507,17,''),(9155,'Issue',507,7,''),(9156,'Issue',507,3,'Identifies use of various commands to query a systems time. This technique may be used before executing a scheduled task or to discover the time zone of a target system.'),(9157,'Issue',507,4,''),(9158,'Issue',507,5,'_False Positives_\nLegitimate use of the system utilities to discover system time for legitimate reason'),(9159,'Issue',507,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND ((process.executable.keyword:(*\\\\net.exe OR *\\\\net1.exe) AND process.command_line.keyword:*time*) OR (process.executable.keyword:*\\\\w32tm.exe AND process.command_line.keyword:*tz*) OR (process.executable.keyword:*\\\\powershell.exe AND process.command_line.keyword:*Get\\-Date*)))\nindex: so-*\nname: Discovery of a System Time\npriority: 4\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(9160,'Issue',507,9,'{{collapse(View Sigma)\n\n\ntitle: Discovery of a System Time\nid: b243b280-65fe-48df-ba07-6ddea7646427\ndescription: Identifies use of various commands to query a systems time. This technique\n may be used before executing a scheduled task or to discover the time zone of a\n target system.\nstatus: experimental\nauthor: E.M. Anhaus (orignally from Atomic Blue Detections, Endgame), oscd.community\ndate: 2019/10/24\nmodified: 2019/11/11\nreferences:\n- https://eqllib.readthedocs.io/en/latest/analytics/fcdb99c2-ac3c-4bde-b664-4b336329bed2.html\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1124/T1124.md\ntags:\n- attack.discovery\n- attack.t1124\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n - Image|endswith:\n - \\net.exe\n - \\net1.exe\n CommandLine|contains: time\n - Image|endswith: \\w32tm.exe\n CommandLine|contains: tz\n - Image|endswith: \\powershell.exe\n CommandLine|contains: Get-Date\n condition: selection\nfalsepositives:\n- Legitimate use of the system utilities to discover system time for legitimate reason\nlevel: low\n\n
\n}}'),(9161,'Issue',507,15,'T1124'),(9162,'Issue',508,1,'Renamed Binary'),(9163,'Issue',508,2,'Matthew Green - @mgreen27, Ecco, James Pemberton / @4A616D6573, oscd.community (improvements)'),(9164,'Issue',508,8,'https://attack.mitre.org/techniques/T1036/\nhttps://mgreen27.github.io/posts/2019/05/12/BinaryRename.html\nhttps://mgreen27.github.io/posts/2019/05/29/BinaryRename2.html'),(9165,'Issue',508,10,'medium'),(9166,'Issue',508,13,'community'),(9167,'Issue',508,14,'windows'),(9169,'Issue',508,11,'b585cbf22'),(9170,'Issue',508,12,'36480ae1-a1cb-4eaa-a0d6-29801d7e9142'),(9171,'Issue',508,16,'win-proc'),(9172,'Issue',508,17,''),(9173,'Issue',508,7,''),(9174,'Issue',508,3,'Detects the execution of a renamed binary often used by attackers or malware leveraging new Sysmon OriginalFileName datapoint.'),(9175,'Issue',508,4,''),(9176,'Issue',508,5,'_False Positives_\nCustom applications use renamed binaries adding slight change to binary name. Typically this is easy to spot and add to whitelist'),(9177,'Issue',508,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND OriginalFileName:(\"cmd.exe\" OR \"powershell.exe\" OR \"powershell_ise.exe\" OR \"psexec.exe\" OR \"psexec.c\" OR \"cscript.exe\" OR \"wscript.exe\" OR \"mshta.exe\" OR \"regsvr32.exe\" OR \"wmic.exe\" OR \"certutil.exe\" OR \"rundll32.exe\" OR \"cmstp.exe\" OR \"msiexec.exe\" OR \"7z.exe\" OR \"winrar.exe\" OR \"wevtutil.exe\" OR \"net.exe\" OR \"net1.exe\") AND (NOT (process.executable.keyword:(*\\\\cmd.exe OR *\\\\powershell.exe OR *\\\\powershell_ise.exe OR *\\\\psexec.exe OR *\\\\psexec64.exe OR *\\\\cscript.exe OR *\\\\wscript.exe OR *\\\\mshta.exe OR *\\\\regsvr32.exe OR *\\\\wmic.exe OR *\\\\certutil.exe OR *\\\\rundll32.exe OR *\\\\cmstp.exe OR *\\\\msiexec.exe OR *\\\\7z.exe OR *\\\\winrar.exe OR *\\\\wevtutil.exe OR *\\\\net.exe OR *\\\\net1.exe))))\nindex: so-*\nname: Renamed Binary\npriority: 3\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(9178,'Issue',508,9,'{{collapse(View Sigma)\n\n\ntitle: Renamed Binary\nid: 36480ae1-a1cb-4eaa-a0d6-29801d7e9142\nstatus: experimental\ndescription: Detects the execution of a renamed binary often used by attackers or malware leveraging new Sysmon OriginalFileName datapoint.\nauthor: Matthew Green - @mgreen27, Ecco, James Pemberton / @4A616D6573, oscd.community (improvements), Andreas Hunkeler (@Karneades)\ndate: 2019/06/15\nmodified: 2019/11/11\nreferences:\n - https://attack.mitre.org/techniques/T1036/\n - https://mgreen27.github.io/posts/2019/05/12/BinaryRename.html\n - https://mgreen27.github.io/posts/2019/05/29/BinaryRename2.html\ntags:\n - attack.t1036\n - attack.defense_evasion\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n OriginalFileName:\n - \'cmd.exe\'\n - \'powershell.exe\'\n - \'powershell_ise.exe\'\n - \'psexec.exe\'\n - \'psexec.c\' # old versions of psexec (2016 seen)\n - \'cscript.exe\'\n - \'wscript.exe\'\n - \'mshta.exe\'\n - \'regsvr32.exe\'\n - \'wmic.exe\'\n - \'certutil.exe\'\n - \'rundll32.exe\'\n - \'cmstp.exe\'\n - \'msiexec.exe\'\n - \'7z.exe\'\n - \'winrar.exe\'\n - \'wevtutil.exe\'\n - \'net.exe\'\n - \'net1.exe\'\n - \'netsh.exe\'\n filter:\n Image|endswith:\n - \'\\cmd.exe\'\n - \'\\powershell.exe\'\n - \'\\powershell_ise.exe\'\n - \'\\psexec.exe\'\n - \'\\psexec64.exe\'\n - \'\\cscript.exe\'\n - \'\\wscript.exe\'\n - \'\\mshta.exe\'\n - \'\\regsvr32.exe\'\n - \'\\wmic.exe\'\n - \'\\certutil.exe\'\n - \'\\rundll32.exe\'\n - \'\\cmstp.exe\'\n - \'\\msiexec.exe\'\n - \'\\7z.exe\'\n - \'\\winrar.exe\'\n - \'\\wevtutil.exe\'\n - \'\\net.exe\'\n - \'\\net1.exe\'\n - \'\\netsh.exe\'\n condition: selection and not filter\nfalsepositives:\n - Custom applications use renamed binaries adding slight change to binary name. Typically this is easy to spot and add to whitelist\nlevel: medium\n\n
\n}}'),(9179,'Issue',508,15,'T1036'),(9180,'Issue',509,1,'Highly Relevant Renamed Binary'),(9181,'Issue',509,2,'Matthew Green - @mgreen27, Florian Roth'),(9182,'Issue',509,8,'https://attack.mitre.org/techniques/T1036/\nhttps://mgreen27.github.io/posts/2019/05/12/BinaryRename.html\nhttps://mgreen27.github.io/posts/2019/05/29/BinaryRename2.html'),(9183,'Issue',509,10,'high'),(9184,'Issue',509,13,'community'),(9185,'Issue',509,14,'windows'),(9187,'Issue',509,11,'11b349716'),(9188,'Issue',509,12,'0ba1da6d-b6ce-4366-828c-18826c9de23e'),(9189,'Issue',509,16,'win-proc'),(9190,'Issue',509,17,''),(9191,'Issue',509,7,''),(9192,'Issue',509,3,'Detects the execution of a renamed binary often used by attackers or malware leveraging new Sysmon OriginalFileName datapoint.'),(9193,'Issue',509,4,''),(9194,'Issue',509,5,'_False Positives_\nCustom applications use renamed binaries adding slight change to binary name. Typically this is easy to spot and add to whitelist'),(9195,'Issue',509,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND OriginalFileName:(\"powershell.exe\" OR \"powershell_ise.exe\" OR \"psexec.exe\" OR \"psexec.c\" OR \"cscript.exe\" OR \"wscript.exe\" OR \"mshta.exe\" OR \"regsvr32.exe\" OR \"wmic.exe\" OR \"certutil.exe\" OR \"rundll32.exe\" OR \"cmstp.exe\" OR \"msiexec.exe\") AND (NOT (process.executable.keyword:(*\\\\powershell.exe OR *\\\\powershell_ise.exe OR *\\\\psexec.exe OR *\\\\psexec64.exe OR *\\\\cscript.exe OR *\\\\wscript.exe OR *\\\\mshta.exe OR *\\\\regsvr32.exe OR *\\\\wmic.exe OR *\\\\certutil.exe OR *\\\\rundll32.exe OR *\\\\cmstp.exe OR *\\\\msiexec.exe))))\nindex: so-*\nname: Highly Relevant Renamed Binary\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(9196,'Issue',509,9,'{{collapse(View Sigma)\n\n\ntitle: Highly Relevant Renamed Binary\nid: 0ba1da6d-b6ce-4366-828c-18826c9de23e\nstatus: experimental\ndescription: Detects the execution of a renamed binary often used by attackers or\n malware leveraging new Sysmon OriginalFileName datapoint.\nauthor: Matthew Green - @mgreen27, Florian Roth\ndate: 2019/06/15\nreferences:\n- https://attack.mitre.org/techniques/T1036/\n- https://mgreen27.github.io/posts/2019/05/12/BinaryRename.html\n- https://mgreen27.github.io/posts/2019/05/29/BinaryRename2.html\ntags:\n- attack.t1036\n- attack.defense_evasion\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n OriginalFileName:\n - powershell.exe\n - powershell_ise.exe\n - psexec.exe\n - psexec.c\n - cscript.exe\n - wscript.exe\n - mshta.exe\n - regsvr32.exe\n - wmic.exe\n - certutil.exe\n - rundll32.exe\n - cmstp.exe\n - msiexec.exe\n filter:\n Image:\n - \'*\\powershell.exe\'\n - \'*\\powershell_ise.exe\'\n - \'*\\psexec.exe\'\n - \'*\\psexec64.exe\'\n - \'*\\cscript.exe\'\n - \'*\\wscript.exe\'\n - \'*\\mshta.exe\'\n - \'*\\regsvr32.exe\'\n - \'*\\wmic.exe\'\n - \'*\\certutil.exe\'\n - \'*\\rundll32.exe\'\n - \'*\\cmstp.exe\'\n - \'*\\msiexec.exe\'\n condition: selection and not filter\nfalsepositives:\n- Custom applications use renamed binaries adding slight change to binary name. Typically\n this is easy to spot and add to whitelist\nlevel: high\n\n
\n}}'),(9197,'Issue',509,15,'T1036'),(9198,'Issue',510,1,'Execution of Renamed PaExec'),(9199,'Issue',510,2,'Jason Lynch'),(9200,'Issue',510,8,'sha256=01a461ad68d11b5b5096f45eb54df9ba62c5af413fa9eb544eacb598373a26bc\nhttps://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf'),(9201,'Issue',510,10,'medium'),(9202,'Issue',510,13,'community'),(9203,'Issue',510,14,'windows'),(9205,'Issue',510,11,'53a0f9acd'),(9206,'Issue',510,12,'7b0666ad-3e38-4e3d-9bab-78b06de85f7b'),(9207,'Issue',510,16,'win-proc'),(9208,'Issue',510,17,''),(9209,'Issue',510,7,''),(9210,'Issue',510,3,'Detects execution of renamed paexec via imphash and executable product string'),(9211,'Issue',510,4,''),(9212,'Issue',510,5,'_False Positives_\nUnknown imphashes'),(9213,'Issue',510,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.pe.product.keyword:(*PAExec*) AND event_data.Imphash:(\"11D40A7B7876288F919AB819CC2D9802\" OR \"6444f8a34e99b8f7d9647de66aabe516\" OR \"dfd6aa3f7b2b1035b76b718f1ddc689f\" OR \"1a6cca4d5460b1710a12dea39e4a592c\")) AND (NOT (process.executable.keyword:*paexec*)))\nindex: so-*\nname: Execution of Renamed PaExec\npriority: 3\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(9214,'Issue',510,9,'{{collapse(View Sigma)\n\n\ntitle: Execution of Renamed PaExec\nid: 7b0666ad-3e38-4e3d-9bab-78b06de85f7b\nstatus: experimental\ndescription: Detects execution of renamed paexec via imphash and executable product\n string\nreferences:\n- sha256=01a461ad68d11b5b5096f45eb54df9ba62c5af413fa9eb544eacb598373a26bc\n- https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf\ntags:\n- attack.defense_evasion\n- attack.t1036\n- FIN7\n- car.2013-05-009\ndate: 2019/04/17\nauthor: Jason Lynch\nfalsepositives:\n- Unknown imphashes\nlevel: medium\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection1:\n Product:\n - \'*PAExec*\'\n selection2:\n Imphash:\n - 11D40A7B7876288F919AB819CC2D9802\n - 6444f8a34e99b8f7d9647de66aabe516\n - dfd6aa3f7b2b1035b76b718f1ddc689f\n - 1a6cca4d5460b1710a12dea39e4a592c\n filter1:\n Image: \'*paexec*\'\n condition: (selection1 and selection2) and not filter1\n\n
\n}}'),(9215,'Issue',510,15,'T1036'),(9216,'Issue',511,1,'Run PowerShell Script from ADS'),(9217,'Issue',511,2,'Sergey Soldatov, Kaspersky Lab, oscd.community'),(9218,'Issue',511,8,'https://github.com/p0shkatz/Get-ADS/blob/master/Get-ADS.ps1'),(9219,'Issue',511,10,'high'),(9220,'Issue',511,13,'community'),(9221,'Issue',511,14,'windows'),(9223,'Issue',511,11,'3297ebd01'),(9224,'Issue',511,12,'45a594aa-1fbd-4972-a809-ff5a99dd81b8'),(9225,'Issue',511,16,'win-proc'),(9226,'Issue',511,17,''),(9227,'Issue',511,7,''),(9228,'Issue',511,3,'Detects PowerShell script execution from Alternate Data Stream (ADS)'),(9229,'Issue',511,4,''),(9230,'Issue',511,5,'_False Positives_\nUnknown'),(9231,'Issue',511,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.parent.executable.keyword:*\\\\powershell.exe AND process.executable.keyword:*\\\\powershell.exe AND process.command_line.keyword:*Get\\-Content* AND process.command_line.keyword:*\\-Stream*)\nindex: so-*\nname: Run PowerShell Script from ADS\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(9232,'Issue',511,9,'{{collapse(View Sigma)\n\n\ntitle: Run PowerShell Script from ADS\nid: 45a594aa-1fbd-4972-a809-ff5a99dd81b8\nstatus: experimental\ndescription: Detects PowerShell script execution from Alternate Data Stream (ADS)\nreferences:\n- https://github.com/p0shkatz/Get-ADS/blob/master/Get-ADS.ps1\nauthor: Sergey Soldatov, Kaspersky Lab, oscd.community\ndate: 2019/10/30\ntags:\n- attack.defense_evasion\n- attack.t1096\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n ParentImage|endswith: \\powershell.exe\n Image|endswith: \\powershell.exe\n CommandLine|contains|all:\n - Get-Content\n - -Stream\n condition: selection\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(9233,'Issue',511,15,'T1096'),(9234,'Issue',512,1,'Possible Shim Database Persistence via sdbinst.exe'),(9235,'Issue',512,2,'Markus Neis'),(9236,'Issue',512,8,'https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html'),(9237,'Issue',512,10,'high'),(9238,'Issue',512,13,'community'),(9239,'Issue',512,14,'windows'),(9241,'Issue',512,11,'1f62648d2'),(9242,'Issue',512,12,'517490a7-115a-48c6-8862-1a481504d5a8'),(9243,'Issue',512,16,'win-proc'),(9244,'Issue',512,17,''),(9245,'Issue',512,7,''),(9246,'Issue',512,3,'Detects installation of a new shim using sdbinst.exe. A shim can be used to load malicious DLLs into applications.'),(9247,'Issue',512,4,''),(9248,'Issue',512,5,'_False Positives_\nUnknown'),(9249,'Issue',512,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:(*\\\\sdbinst.exe) AND process.command_line.keyword:(*.sdb*))\nindex: so-*\nname: Possible Shim Database Persistence via sdbinst.exe\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(9250,'Issue',512,9,'{{collapse(View Sigma)\n\n\ntitle: Possible Shim Database Persistence via sdbinst.exe\nid: 517490a7-115a-48c6-8862-1a481504d5a8\nstatus: experimental\ndescription: Detects installation of a new shim using sdbinst.exe. A shim can be used\n to load malicious DLLs into applications.\nreferences:\n- https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html\ntags:\n- attack.persistence\n- attack.t1138\nauthor: Markus Neis\ndate: 2019/01/16\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n Image:\n - \'*\\sdbinst.exe\'\n CommandLine:\n - \'*.sdb*\'\n condition: selection\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(9251,'Issue',512,15,'T1138'),(9252,'Issue',513,1,'Service Execution'),(9253,'Issue',513,2,'Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community'),(9254,'Issue',513,8,'https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1035/T1035.yaml'),(9255,'Issue',513,10,'low'),(9256,'Issue',513,13,'community'),(9257,'Issue',513,14,'windows'),(9259,'Issue',513,11,'0313836b2'),(9260,'Issue',513,12,'2a072a96-a086-49fa-bcb5-15cc5a619093'),(9261,'Issue',513,16,'win-proc'),(9262,'Issue',513,17,''),(9263,'Issue',513,7,''),(9264,'Issue',513,3,'Detects manual service execution (start) via system utilities'),(9265,'Issue',513,4,''),(9266,'Issue',513,5,'_False Positives_\nLegitimate administrator or user executes a service for legitimate reason'),(9267,'Issue',513,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:(*\\\\net.exe OR *\\\\net1.exe) AND process.command_line.keyword:*\\ start\\ *)\nindex: so-*\nname: Service Execution\npriority: 4\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(9268,'Issue',513,9,'{{collapse(View Sigma)\n\n\ntitle: Service Execution\nid: 2a072a96-a086-49fa-bcb5-15cc5a619093\nstatus: experimental\ndescription: Detects manual service execution (start) via system utilities\nauthor: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community\ndate: 2019/10/21\nmodified: 2019/11/04\nreferences:\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1035/T1035.yaml\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n Image|endswith:\n - \\net.exe\n - \\net1.exe\n CommandLine|contains: \' start \'\n condition: selection\nfalsepositives:\n- Legitimate administrator or user executes a service for legitimate reason\nlevel: low\ntags:\n- attack.execution\n- attack.t1035\n\n
\n}}'),(9269,'Issue',513,15,'T1035'),(9270,'Issue',514,1,'Stop Windows Service'),(9271,'Issue',514,2,'Jakob Weinzettl, oscd.community'),(9272,'Issue',514,8,'none'),(9273,'Issue',514,10,'low'),(9274,'Issue',514,13,'community'),(9275,'Issue',514,14,'windows'),(9277,'Issue',514,11,'f5cf59506'),(9278,'Issue',514,12,'eb87818d-db5d-49cc-a987-d5da331fbd90'),(9279,'Issue',514,16,'win-proc'),(9280,'Issue',514,17,''),(9281,'Issue',514,7,''),(9282,'Issue',514,3,'Detects a windows service to be stopped'),(9283,'Issue',514,4,''),(9284,'Issue',514,5,'_False Positives_\nAdministrator shutting down the service due to upgrade or removal purposes\n\n_Interesting Log Fields_\nComputerName\nUser\nCommandLine'),(9285,'Issue',514,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:(*\\\\sc.exe OR *\\\\net.exe OR *\\\\net1.exe) AND process.command_line.keyword:*stop*)\nindex: so-*\nname: Stop Windows Service\npriority: 4\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(9286,'Issue',514,9,'{{collapse(View Sigma)\n\n\ntitle: Stop Windows Service\nid: eb87818d-db5d-49cc-a987-d5da331fbd90\ndescription: Detects a windows service to be stopped\nstatus: experimental\nauthor: Jakob Weinzettl, oscd.community\ndate: 2019/10/23\nmodified: 2019/11/08\ntags:\n- attack.impact\n- attack.t1489\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n - Image|endswith:\n - \\sc.exe\n - \\net.exe\n - \\net1.exe\n CommandLine|contains: stop\n condition: selection\nfields:\n- ComputerName\n- User\n- CommandLine\nfalsepositives:\n- Administrator shutting down the service due to upgrade or removal purposes\nlevel: low\n\n
\n}}'),(9287,'Issue',514,15,'T1489'),(9288,'Issue',515,1,'Shadow Copies Access via Symlink'),(9289,'Issue',515,2,'Teymur Kheirkhabarov, oscd.community'),(9290,'Issue',515,8,'https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment'),(9291,'Issue',515,10,'medium'),(9292,'Issue',515,13,'community'),(9293,'Issue',515,14,'windows'),(9295,'Issue',515,11,'42af87c98'),(9296,'Issue',515,12,'40b19fa6-d835-400c-b301-41f3a2baacaf'),(9297,'Issue',515,16,'win-proc'),(9298,'Issue',515,17,''),(9299,'Issue',515,7,''),(9300,'Issue',515,3,'Shadow Copies storage symbolic link creation using operating systems utilities'),(9301,'Issue',515,4,''),(9302,'Issue',515,5,'_False Positives_\nLegitimate administrator working with shadow copies, access for backup purposes'),(9303,'Issue',515,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:*mklink* AND process.command_line.keyword:*HarddiskVolumeShadowCopy*)\nindex: so-*\nname: Shadow Copies Access via Symlink\npriority: 3\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(9304,'Issue',515,9,'{{collapse(View Sigma)\n\n\ntitle: Shadow Copies Access via Symlink\nid: 40b19fa6-d835-400c-b301-41f3a2baacaf\ndescription: Shadow Copies storage symbolic link creation using operating systems\n utilities\nauthor: Teymur Kheirkhabarov, oscd.community\ndate: 2019/10/22\nreferences:\n- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment\ntags:\n- attack.credential_access\n- attack.t1003\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n CommandLine|contains|all:\n - mklink\n - HarddiskVolumeShadowCopy\n condition: selection\nfalsepositives:\n- Legitimate administrator working with shadow copies, access for backup purposes\nstatus: experimental\nlevel: medium\n\n
\n}}'),(9305,'Issue',515,15,'T1003'),(9306,'Issue',516,1,'Shadow Copies Creation Using Operating Systems Utilities'),(9307,'Issue',516,2,'Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community'),(9308,'Issue',516,8,'https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment\nhttps://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/tutorial-for-ntds-goodness-vssadmin-wmis-ntdsdit-system/'),(9309,'Issue',516,10,'medium'),(9310,'Issue',516,13,'community'),(9311,'Issue',516,14,'windows'),(9313,'Issue',516,11,'8093daa95'),(9314,'Issue',516,12,'b17ea6f7-6e90-447e-a799-e6c0a493d6ce'),(9315,'Issue',516,16,'win-proc'),(9316,'Issue',516,17,''),(9317,'Issue',516,7,''),(9318,'Issue',516,3,'Shadow Copies creation using operating systems utilities, possible credential access'),(9319,'Issue',516,4,''),(9320,'Issue',516,5,'_False Positives_\nLegitimate administrator working with shadow copies, access for backup purposes'),(9321,'Issue',516,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event_data.NewProcessName.keyword:(*\\\\powershell.exe OR *\\\\wmic.exe OR *\\\\vssadmin.exe) AND process.command_line.keyword:*shadow* AND process.command_line.keyword:*create*)\nindex: so-*\nname: Shadow Copies Creation Using Operating Systems Utilities\npriority: 3\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(9322,'Issue',516,9,'{{collapse(View Sigma)\n\n\ntitle: Shadow Copies Creation Using Operating Systems Utilities\nid: b17ea6f7-6e90-447e-a799-e6c0a493d6ce\ndescription: Shadow Copies creation using operating systems utilities, possible credential\n access\nauthor: Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community\ndate: 2019/10/22\nreferences:\n- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment\n- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/tutorial-for-ntds-goodness-vssadmin-wmis-ntdsdit-system/\ntags:\n- attack.credential_access\n- attack.t1003\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n NewProcessName|endswith:\n - \\powershell.exe\n - \\wmic.exe\n - \\vssadmin.exe\n CommandLine|contains|all:\n - shadow\n - create\n condition: selection\nfalsepositives:\n- Legitimate administrator working with shadow copies, access for backup purposes\nstatus: experimental\nlevel: medium\n\n
\n}}'),(9323,'Issue',516,15,'T1003'),(9324,'Issue',517,1,'Shadow Copies Deletion Using Operating Systems Utilities'),(9325,'Issue',517,2,'Florian Roth, Michael Haag, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community'),(9326,'Issue',517,8,'https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment\nhttps://blog.talosintelligence.com/2017/05/wannacry.html\nhttps://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/new-teslacrypt-ransomware-arrives-via-spam/\nhttps://www.bleepingcomputer.com/news/security/why-everyone-should-disable-vssadmin-exe-now/\nhttps://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100'),(9327,'Issue',517,10,'critical'),(9328,'Issue',517,13,'community'),(9329,'Issue',517,14,'windows'),(9331,'Issue',517,11,'afac78337'),(9332,'Issue',517,12,'c947b146-0abc-4c87-9c64-b17e9d7274a2'),(9333,'Issue',517,16,'win-proc'),(9334,'Issue',517,17,''),(9335,'Issue',517,7,''),(9336,'Issue',517,3,'Shadow Copies deletion using operating systems utilities'),(9337,'Issue',517,4,''),(9338,'Issue',517,5,'_False Positives_\nLegitimate Administrator deletes Shadow Copies using operating systems utilities for legitimate reason\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(9339,'Issue',517,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event_data.NewProcessName.keyword:(*\\\\powershell.exe OR *\\\\wmic.exe OR *\\\\vssadmin.exe) AND process.command_line.keyword:*shadow* AND process.command_line.keyword:*delete*)\nindex: so-*\nname: Shadow Copies Deletion Using Operating Systems Utilities\npriority: 1\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(9340,'Issue',517,9,'{{collapse(View Sigma)\n\n\ntitle: Shadow Copies Deletion Using Operating Systems Utilities\nid: c947b146-0abc-4c87-9c64-b17e9d7274a2\nstatus: stable\ndescription: Shadow Copies deletion using operating systems utilities\nauthor: Florian Roth, Michael Haag, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community\ndate: 2019/10/22\nreferences:\n- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment\n- https://blog.talosintelligence.com/2017/05/wannacry.html\n- https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/new-teslacrypt-ransomware-arrives-via-spam/\n- https://www.bleepingcomputer.com/news/security/why-everyone-should-disable-vssadmin-exe-now/\n- https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100\ntags:\n- attack.defense_evasion\n- attack.impact\n- attack.t1070\n- attack.t1490\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n NewProcessName|endswith:\n - \\powershell.exe\n - \\wmic.exe\n - \\vssadmin.exe\n CommandLine|contains|all:\n - shadow\n - delete\n condition: selection\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Legitimate Administrator deletes Shadow Copies using operating systems utilities\n for legitimate reason\nlevel: critical\n\n
\n}}'),(9341,'Issue',517,15,'T1070'),(9342,'Issue',517,15,'T1490'),(9343,'Issue',518,1,'Windows Shell Spawning Suspicious Program'),(9344,'Issue',518,2,'Florian Roth'),(9345,'Issue',518,8,'https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html'),(9346,'Issue',518,10,'high'),(9347,'Issue',518,13,'community'),(9348,'Issue',518,14,'windows'),(9350,'Issue',518,11,'cbf52c91d'),(9351,'Issue',518,12,'3a6586ad-127a-4d3b-a677-1e6eacdf8fde'),(9352,'Issue',518,16,'win-proc'),(9353,'Issue',518,17,''),(9354,'Issue',518,7,''),(9355,'Issue',518,3,'Detects a suspicious child process of a Windows shell'),(9356,'Issue',518,4,''),(9357,'Issue',518,5,'_False Positives_\nAdministrative scripts\nMicrosoft SCCM\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(9358,'Issue',518,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (process.parent.executable.keyword:(*\\\\mshta.exe OR *\\\\powershell.exe OR *\\\\rundll32.exe OR *\\\\cscript.exe OR *\\\\wscript.exe OR *\\\\wmiprvse.exe) AND process.executable.keyword:(*\\\\schtasks.exe OR *\\\\nslookup.exe OR *\\\\certutil.exe OR *\\\\bitsadmin.exe OR *\\\\mshta.exe)) AND (NOT (process.working_directory\".keyword:*\\\\ccmcache\\\\*)))\nindex: so-*\nname: Windows Shell Spawning Suspicious Program\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(9359,'Issue',518,9,'{{collapse(View Sigma)\n\n\ntitle: Windows Shell Spawning Suspicious Program\nid: 3a6586ad-127a-4d3b-a677-1e6eacdf8fde\nstatus: experimental\ndescription: Detects a suspicious child process of a Windows shell\nreferences:\n- https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html\nauthor: Florian Roth\ndate: 2018/04/06\nmodified: 2019/02/05\ntags:\n- attack.execution\n- attack.defense_evasion\n- attack.t1064\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n ParentImage:\n - \'*\\mshta.exe\'\n - \'*\\powershell.exe\'\n - \'*\\rundll32.exe\'\n - \'*\\cscript.exe\'\n - \'*\\wscript.exe\'\n - \'*\\wmiprvse.exe\'\n Image:\n - \'*\\schtasks.exe\'\n - \'*\\nslookup.exe\'\n - \'*\\certutil.exe\'\n - \'*\\bitsadmin.exe\'\n - \'*\\mshta.exe\'\n falsepositives:\n CurrentDirectory: \'*\\ccmcache\\\\*\'\n condition: selection and not falsepositives\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Administrative scripts\n- Microsoft SCCM\nlevel: high\n\n
\n}}'),(9360,'Issue',518,15,'T1064'),(9361,'Issue',519,1,'Audio Capture via SoundRecorder'),(9362,'Issue',519,2,'E.M. Anhaus (orignally from Atomic Blue Detections, Endgame), oscd.community'),(9363,'Issue',519,8,'https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1123/T1123.yaml\nhttps://eqllib.readthedocs.io/en/latest/analytics/f72a98cb-7b3d-4100-99c3-a138b6e9ff6e.html'),(9364,'Issue',519,10,'medium'),(9365,'Issue',519,13,'community'),(9366,'Issue',519,14,'windows'),(9368,'Issue',519,11,'cb34e0e58'),(9369,'Issue',519,12,'83865853-59aa-449e-9600-74b9d89a6d6e'),(9370,'Issue',519,16,'win-proc'),(9371,'Issue',519,17,''),(9372,'Issue',519,7,''),(9373,'Issue',519,3,'Detect attacker collecting audio via SoundRecorder application'),(9374,'Issue',519,4,''),(9375,'Issue',519,5,'_False Positives_\nLegitimate audio capture by legitimate user'),(9376,'Issue',519,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\SoundRecorder.exe AND process.command_line.keyword:*\\/FILE*)\nindex: so-*\nname: Audio Capture via SoundRecorder\npriority: 3\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(9377,'Issue',519,9,'{{collapse(View Sigma)\n\n\ntitle: Audio Capture via SoundRecorder\nid: 83865853-59aa-449e-9600-74b9d89a6d6e\ndescription: Detect attacker collecting audio via SoundRecorder application\nstatus: experimental\nauthor: E.M. Anhaus (orignally from Atomic Blue Detections, Endgame), oscd.community\ndate: 2019/10/24\nmodified: 2019/11/11\nreferences:\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1123/T1123.yaml\n- https://eqllib.readthedocs.io/en/latest/analytics/f72a98cb-7b3d-4100-99c3-a138b6e9ff6e.html\ntags:\n- attack.collection\n- attack.t1123\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n Image|endswith: \\SoundRecorder.exe\n CommandLine|contains: /FILE\n condition: selection\nfalsepositives:\n- Legitimate audio capture by legitimate user\nlevel: medium\n\n
\n}}'),(9378,'Issue',519,15,'T1123'),(9379,'Issue',520,1,'Possible SPN Enumeration'),(9380,'Issue',520,2,'Markus Neis, keepwatch'),(9381,'Issue',520,8,'https://p16.praetorian.com/blog/how-to-use-kerberoasting-t1208-for-privilege-escalation'),(9382,'Issue',520,10,'medium'),(9383,'Issue',520,13,'community'),(9384,'Issue',520,14,'windows'),(9386,'Issue',520,11,'f2f2e56bb'),(9387,'Issue',520,12,'1eeed653-dbc8-4187-ad0c-eeebb20e6599'),(9388,'Issue',520,16,'win-proc'),(9389,'Issue',520,17,''),(9390,'Issue',520,7,''),(9391,'Issue',520,3,'Detects Service Principal Name Enumeration used for Kerberoasting'),(9392,'Issue',520,4,''),(9393,'Issue',520,5,'_False Positives_\nAdministrator Activity'),(9394,'Issue',520,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND (process.executable.keyword:*\\\\setspn.exe OR process.pe.description.keyword:*Query\\ or\\ reset\\ the\\ computer*\\ SPN\\ attribute*) AND process.command_line.keyword:*\\-q*)\nindex: so-*\nname: Possible SPN Enumeration\npriority: 3\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(9395,'Issue',520,9,'{{collapse(View Sigma)\n\n\ntitle: Possible SPN Enumeration\nid: 1eeed653-dbc8-4187-ad0c-eeebb20e6599\ndescription: Detects Service Principal Name Enumeration used for Kerberoasting\nstatus: experimental\nreferences:\n- https://p16.praetorian.com/blog/how-to-use-kerberoasting-t1208-for-privilege-escalation\nauthor: Markus Neis, keepwatch\ndate: 2018/11/14\ntags:\n- attack.credential_access\n- attack.t1208\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_image:\n Image: \'*\\setspn.exe\'\n selection_desc:\n Description: \'*Query or reset the computer* SPN attribute*\'\n cmd:\n CommandLine: \'*-q*\'\n condition: (selection_image or selection_desc) and cmd\nfalsepositives:\n- Administrator Activity\nlevel: medium\n\n
\n}}'),(9396,'Issue',520,15,'T1208'),(9397,'Issue',521,1,'Possible Ransomware or Unauthorized MBR Modifications'),(9398,'Issue',521,2,'@neu5ron'),(9399,'Issue',521,8,'https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/bcdedit--set'),(9400,'Issue',521,10,'medium'),(9401,'Issue',521,13,'community'),(9402,'Issue',521,14,'windows'),(9404,'Issue',521,11,'09cf8bf91'),(9405,'Issue',521,12,'c9fbe8e9-119d-40a6-9b59-dd58a5d84429'),(9406,'Issue',521,16,'win-proc'),(9407,'Issue',521,17,''),(9408,'Issue',521,7,''),(9409,'Issue',521,3,'Detects, possibly, malicious unauthorized usage of bcdedit.exe'),(9410,'Issue',521,4,''),(9411,'Issue',521,5,'_False Positives_\n Unknown'),(9412,'Issue',521,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event_data.NewProcessName.keyword:*\\\\bcdedit.exe AND ProcessCommandLine.keyword:(*delete* OR *deletevalue* OR *import*))\nindex: so-*\nname: Possible Ransomware or Unauthorized MBR Modifications\npriority: 3\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(9413,'Issue',521,9,'{{collapse(View Sigma)\n\n\ntitle: Possible Ransomware or Unauthorized MBR Modifications\nid: c9fbe8e9-119d-40a6-9b59-dd58a5d84429\nstatus: experimental\ndescription: Detects, possibly, malicious unauthorized usage of bcdedit.exe\nreferences:\n- https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/bcdedit--set\nauthor: \'@neu5ron\'\ndate: 2019/02/07\ntags:\n- attack.defense_evasion\n- attack.t1070\n- attack.persistence\n- attack.t1067\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n NewProcessName: \'*\\bcdedit.exe\'\n ProcessCommandLine:\n - \'*delete*\'\n - \'*deletevalue*\'\n - \'*import*\'\n condition: selection\nlevel: medium\n\n
\n}}'),(9414,'Issue',521,15,'T1070'),(9415,'Issue',521,15,'T1067'),(9416,'Issue',522,1,'Application Whitelisting Bypass via Bginfo'),(9417,'Issue',522,2,'Beyu Denis, oscd.community'),(9418,'Issue',522,8,'https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Bginfo.yml\nhttps://oddvar.moe/2017/05/18/bypassing-application-whitelisting-with-bginfo/'),(9419,'Issue',522,10,'medium'),(9420,'Issue',522,13,'community'),(9421,'Issue',522,14,'windows'),(9423,'Issue',522,11,'6fd11c107'),(9424,'Issue',522,12,'aaf46cdc-934e-4284-b329-34aa701e3771'),(9425,'Issue',522,16,'win-proc'),(9426,'Issue',522,17,''),(9427,'Issue',522,7,''),(9428,'Issue',522,3,'Execute VBscript code that is referenced within the *.bgi file.'),(9429,'Issue',522,4,''),(9430,'Issue',522,5,'_False Positives_\nUnknown'),(9431,'Issue',522,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\bginfo.exe AND process.command_line.keyword:*\\/popup* AND process.command_line.keyword:*\\/nolicprompt*)\nindex: so-*\nname: Application Whitelisting Bypass via Bginfo\npriority: 3\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(9432,'Issue',522,9,'{{collapse(View Sigma)\n\n\ntitle: Application Whitelisting Bypass via Bginfo\nid: aaf46cdc-934e-4284-b329-34aa701e3771\nstatus: experimental\ndescription: Execute VBscript code that is referenced within the *.bgi file.\nreferences:\n- https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Bginfo.yml\n- https://oddvar.moe/2017/05/18/bypassing-application-whitelisting-with-bginfo/\nauthor: Beyu Denis, oscd.community\ndate: 2019/10/26\nmodified: 2019/11/04\ntags:\n- attack.defense_evasion\n- attack.execution\n- attack.t1218\nlevel: medium\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n Image|endswith: \\bginfo.exe\n CommandLine|contains|all:\n - /popup\n - /nolicprompt\n condition: selection\nfalsepositives:\n- Unknown\n\n
\n}}'),(9433,'Issue',522,15,'T1218'),(9434,'Issue',523,1,'Suspicious Calculator Usage'),(9435,'Issue',523,2,'Florian Roth'),(9436,'Issue',523,8,'https://twitter.com/ItsReallyNick/status/1094080242686312448'),(9437,'Issue',523,10,'high'),(9438,'Issue',523,13,'community'),(9439,'Issue',523,14,'windows'),(9441,'Issue',523,11,'7ea9554ba'),(9442,'Issue',523,12,'737e618a-a410-49b5-bec3-9e55ff7fbc15'),(9443,'Issue',523,16,'win-proc'),(9444,'Issue',523,17,''),(9445,'Issue',523,7,''),(9446,'Issue',523,3,'Detects suspicious use of calc.exe with command line parameters or in a suspicious directory, which is likely caused by some PoC or detection evasion'),(9447,'Issue',523,4,''),(9448,'Issue',523,5,'_False Positives_\nUnknown'),(9449,'Issue',523,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND (process.command_line.keyword:*\\\\calc.exe\\ * OR (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\calc.exe AND (NOT (process.executable.keyword:*\\\\Windows\\\\Sys*)))))\nindex: so-*\nname: Suspicious Calculator Usage\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(9450,'Issue',523,9,'{{collapse(View Sigma)\n\n\ntitle: Suspicious Calculator Usage\nid: 737e618a-a410-49b5-bec3-9e55ff7fbc15\ndescription: Detects suspicious use of calc.exe with command line parameters or in\n a suspicious directory, which is likely caused by some PoC or detection evasion\nstatus: experimental\nreferences:\n- https://twitter.com/ItsReallyNick/status/1094080242686312448\nauthor: Florian Roth\ndate: 2019/02/09\ntags:\n- attack.defense_evasion\n- attack.t1036\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection1:\n CommandLine: \'*\\calc.exe *\'\n selection2:\n Image: \'*\\calc.exe\'\n filter2:\n Image: \'*\\Windows\\Sys*\'\n condition: selection1 or ( selection2 and not filter2 )\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(9451,'Issue',523,15,'T1036'),(9452,'Issue',524,1,'Possible App Whitelisting Bypass via WinDbg/CDB as a Shellcode Runner'),(9453,'Issue',524,2,'Beyu Denis, oscd.community'),(9454,'Issue',524,8,'https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Cdb.yml\nhttp://www.exploit-monday.com/2016/08/windbg-cdb-shellcode-runner.html'),(9455,'Issue',524,10,'medium'),(9456,'Issue',524,13,'community'),(9457,'Issue',524,14,'windows'),(9459,'Issue',524,11,'ef8ab8f1c'),(9460,'Issue',524,12,'b5c7395f-e501-4a08-94d4-57fe7a9da9d2'),(9461,'Issue',524,16,'win-proc'),(9462,'Issue',524,17,''),(9463,'Issue',524,7,''),(9464,'Issue',524,3,'Launch 64-bit shellcode from the x64_calc.wds file using cdb.exe.'),(9465,'Issue',524,4,''),(9466,'Issue',524,5,'_False Positives_\nLegitimate use of debugging tools'),(9467,'Issue',524,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\cdb.exe AND process.command_line.keyword:*\\-cf*)\nindex: so-*\nname: Possible App Whitelisting Bypass via WinDbg/CDB as a Shellcode Runner\npriority: 3\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(9468,'Issue',524,9,'{{collapse(View Sigma)\n\n\ntitle: Possible App Whitelisting Bypass via WinDbg/CDB as a Shellcode Runner\nid: b5c7395f-e501-4a08-94d4-57fe7a9da9d2\nstatus: experimental\ndescription: Launch 64-bit shellcode from the x64_calc.wds file using cdb.exe.\nreferences:\n- https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Cdb.yml\n- http://www.exploit-monday.com/2016/08/windbg-cdb-shellcode-runner.html\nauthor: Beyu Denis, oscd.community\ndate: 2019/10/26\nmodified: 2019/11/04\ntags:\n- attack.defense_evasion\n- attack.execution\n- attack.t1218\nlevel: medium\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n Image|endswith: \\cdb.exe\n CommandLine|contains: -cf\n condition: selection\nfalsepositives:\n- Legitimate use of debugging tools\n\n
\n}}'),(9469,'Issue',524,15,'T1218'),(9470,'Issue',525,1,'Suspicious Certutil Command'),(9471,'Issue',525,2,'Florian Roth, juju4, keepwatch'),(9472,'Issue',525,8,'https://twitter.com/JohnLaTwC/status/835149808817991680\nhttps://twitter.com/subTee/status/888102593838362624\nhttps://twitter.com/subTee/status/888071631528235010\nhttps://blogs.technet.microsoft.com/pki/2006/11/30/basic-crl-checking-with-certutil/\nhttps://www.trustedsec.com/2017/07/new-tool-release-nps_payload/\nhttps://twitter.com/egre55/status/1087685529016193025\nhttps://lolbas-project.github.io/lolbas/Binaries/Certutil/'),(9473,'Issue',525,10,'high'),(9474,'Issue',525,13,'community'),(9475,'Issue',525,14,'windows'),(9477,'Issue',525,11,'67ceb029c'),(9478,'Issue',525,12,'e011a729-98a6-4139-b5c4-bf6f6dd8239a'),(9479,'Issue',525,16,'win-proc'),(9480,'Issue',525,17,''),(9481,'Issue',525,7,''),(9482,'Issue',525,3,'Detects a suspicious Microsoft certutil execution with sub commands like \'decode\' sub command, which is sometimes used to decode malicious code with the built-in certutil utility'),(9483,'Issue',525,4,''),(9484,'Issue',525,5,'_False Positives_\nFalse positives depend on scripts and administrative tools used in the monitored environment\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(9485,'Issue',525,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(*\\ \\-decode\\ * OR *\\ \\/decode\\ * OR *\\ \\-decodehex\\ * OR *\\ \\/decodehex\\ * OR *\\ \\-urlcache\\ * OR *\\ \\/urlcache\\ * OR *\\ \\-verifyctl\\ * OR *\\ \\/verifyctl\\ * OR *\\ \\-encode\\ * OR *\\ \\/encode\\ * OR *certutil*\\ \\-URL* OR *certutil*\\ \\/URL* OR *certutil*\\ \\-ping* OR *certutil*\\ \\/ping*))\nindex: so-*\nname: Suspicious Certutil Command\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(9486,'Issue',525,9,'{{collapse(View Sigma)\n\n\ntitle: Suspicious Certutil Command\nid: e011a729-98a6-4139-b5c4-bf6f6dd8239a\nstatus: experimental\ndescription: Detects a suspicious Microsoft certutil execution with sub commands like\n \'decode\' sub command, which is sometimes used to decode malicious code with the\n built-in certutil utility\nauthor: Florian Roth, juju4, keepwatch\nmodified: 2019/01/22\ndate: 2019/01/16\nreferences:\n- https://twitter.com/JohnLaTwC/status/835149808817991680\n- https://twitter.com/subTee/status/888102593838362624\n- https://twitter.com/subTee/status/888071631528235010\n- https://blogs.technet.microsoft.com/pki/2006/11/30/basic-crl-checking-with-certutil/\n- https://www.trustedsec.com/2017/07/new-tool-release-nps_payload/\n- https://twitter.com/egre55/status/1087685529016193025\n- https://lolbas-project.github.io/lolbas/Binaries/Certutil/\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n CommandLine:\n - \'* -decode *\'\n - \'* /decode *\'\n - \'* -decodehex *\'\n - \'* /decodehex *\'\n - \'* -urlcache *\'\n - \'* /urlcache *\'\n - \'* -verifyctl *\'\n - \'* /verifyctl *\'\n - \'* -encode *\'\n - \'* /encode *\'\n - \'*certutil* -URL*\'\n - \'*certutil* /URL*\'\n - \'*certutil* -ping*\'\n - \'*certutil* /ping*\'\n condition: selection\nfields:\n- CommandLine\n- ParentCommandLine\ntags:\n- attack.defense_evasion\n- attack.t1140\n- attack.t1105\n- attack.s0189\n- attack.g0007\nfalsepositives:\n- False positives depend on scripts and administrative tools used in the monitored\n environment\nlevel: high\n\n
\n}}'),(9487,'Issue',525,15,'T1140'),(9488,'Issue',525,15,'T1105'),(9489,'Issue',526,1,'Certutil Encode'),(9490,'Issue',526,2,'Florian Roth'),(9491,'Issue',526,8,'https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil\nhttps://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/'),(9492,'Issue',526,10,'medium'),(9493,'Issue',526,13,'community'),(9494,'Issue',526,14,'windows'),(9495,'Issue',526,15,''),(9496,'Issue',526,11,'8b115c8b1'),(9497,'Issue',526,12,'e62a9f0c-ca1e-46b2-85d5-a6da77f86d1a'),(9498,'Issue',526,16,'win-proc'),(9499,'Issue',526,17,''),(9500,'Issue',526,7,''),(9501,'Issue',526,3,'Detects suspicious a certutil command that used to encode files, which is sometimes used for data exfiltration'),(9502,'Issue',526,4,''),(9503,'Issue',526,5,'_False Positives_\nunknown'),(9504,'Issue',526,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(certutil\\ \\-f\\ \\-encode\\ * OR certutil.exe\\ \\-f\\ \\-encode\\ * OR certutil\\ \\-encode\\ \\-f\\ * OR certutil.exe\\ \\-encode\\ \\-f\\ *))\nindex: so-*\nname: Certutil Encode\npriority: 3\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(9505,'Issue',526,9,'{{collapse(View Sigma)\n\n\ntitle: Certutil Encode\nid: e62a9f0c-ca1e-46b2-85d5-a6da77f86d1a\nstatus: experimental\ndescription: Detects suspicious a certutil command that used to encode files, which\n is sometimes used for data exfiltration\nreferences:\n- https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil\n- https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/\nauthor: Florian Roth\ndate: 2019/02/24\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n CommandLine:\n - certutil -f -encode *\n - certutil.exe -f -encode *\n - certutil -encode -f *\n - certutil.exe -encode -f *\n condition: selection\nfalsepositives:\n- unknown\nlevel: medium\n\n
\n}}'),(9506,'Issue',527,1,'Suspicious Commandline Escape'),(9507,'Issue',527,2,'juju4'),(9508,'Issue',527,8,'https://twitter.com/vysecurity/status/885545634958385153\nhttps://twitter.com/Hexacorn/status/885553465417756673\nhttps://twitter.com/Hexacorn/status/885570278637678592\nhttps://www.fireeye.com/blog/threat-research/2017/06/obfuscation-in-the-wild.html\nhttp://www.windowsinspired.com/understanding-the-command-line-string-and-arguments-received-by-a-windows-program/'),(9509,'Issue',527,10,'low'),(9510,'Issue',527,13,'community'),(9511,'Issue',527,14,'windows'),(9513,'Issue',527,11,'2267c2557'),(9514,'Issue',527,12,'f0cdd048-82dc-4f7a-8a7a-b87a52b6d0fd'),(9515,'Issue',527,16,'win-proc'),(9516,'Issue',527,17,''),(9517,'Issue',527,7,''),(9518,'Issue',527,3,'Detects suspicious process that use escape characters'),(9519,'Issue',527,4,''),(9520,'Issue',527,5,'_False Positives_\nFalse positives depend on scripts and administrative tools used in the monitored environment'),(9521,'Issue',527,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(*h\\^t\\^t\\^p* OR *h\\\"t\\\"t\\\"p*))\nindex: so-*\nname: Suspicious Commandline Escape\npriority: 4\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(9522,'Issue',527,9,'{{collapse(View Sigma)\n\n\ntitle: Suspicious Commandline Escape\nid: f0cdd048-82dc-4f7a-8a7a-b87a52b6d0fd\ndescription: Detects suspicious process that use escape characters\nstatus: experimental\nreferences:\n- https://twitter.com/vysecurity/status/885545634958385153\n- https://twitter.com/Hexacorn/status/885553465417756673\n- https://twitter.com/Hexacorn/status/885570278637678592\n- https://www.fireeye.com/blog/threat-research/2017/06/obfuscation-in-the-wild.html\n- http://www.windowsinspired.com/understanding-the-command-line-string-and-arguments-received-by-a-windows-program/\nauthor: juju4\ndate: 2018/12/11\nmodified: 2020/03/14\ntags:\n- attack.defense_evasion\n- attack.t1140\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n CommandLine:\n - \'*h^t^t^p*\'\n - \'*h\"t\"t\"p*\'\n condition: selection\nfalsepositives:\n- False positives depend on scripts and administrative tools used in the monitored\n environment\nlevel: low\n\n
\n}}'),(9523,'Issue',527,15,'T1140'),(9524,'Issue',528,1,'Command Line Execution with Suspicious URL and AppData Strings'),(9525,'Issue',528,2,'Florian Roth'),(9526,'Issue',528,8,'https://www.hybrid-analysis.com/sample/3a1f01206684410dbe8f1900bbeaaa543adfcd07368ba646b499fa5274b9edf6?environmentId=100\nhttps://www.hybrid-analysis.com/sample/f16c729aad5c74f19784a24257236a8bbe27f7cdc4a89806031ec7f1bebbd475?environmentId=100'),(9527,'Issue',528,10,'medium'),(9528,'Issue',528,13,'community'),(9529,'Issue',528,14,'windows'),(9531,'Issue',528,11,'6f1a08e1b'),(9532,'Issue',528,12,'1ac8666b-046f-4201-8aba-1951aaec03a3'),(9533,'Issue',528,16,'win-proc'),(9534,'Issue',528,17,''),(9535,'Issue',528,7,''),(9536,'Issue',528,3,'Detects a suspicious command line execution that includes an URL and AppData string in the command line parameters as used by several droppers (js/vbs > powershell)'),(9537,'Issue',528,4,''),(9538,'Issue',528,5,'_False Positives_\nHigh\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(9539,'Issue',528,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(cmd.exe\\ \\/c\\ *http\\:\\/\\/*%AppData% OR cmd.exe\\ \\/c\\ *https\\:\\/\\/*%AppData%))\nindex: so-*\nname: Command Line Execution with Suspicious URL and AppData Strings\npriority: 3\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(9540,'Issue',528,9,'{{collapse(View Sigma)\n\n\ntitle: Command Line Execution with Suspicious URL and AppData Strings\nid: 1ac8666b-046f-4201-8aba-1951aaec03a3\nstatus: experimental\ndescription: Detects a suspicious command line execution that includes an URL and\n AppData string in the command line parameters as used by several droppers (js/vbs\n > powershell)\nreferences:\n- https://www.hybrid-analysis.com/sample/3a1f01206684410dbe8f1900bbeaaa543adfcd07368ba646b499fa5274b9edf6?environmentId=100\n- https://www.hybrid-analysis.com/sample/f16c729aad5c74f19784a24257236a8bbe27f7cdc4a89806031ec7f1bebbd475?environmentId=100\nauthor: Florian Roth\ndate: 2019/01/16\ntags:\n- attack.execution\n- attack.t1059\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n CommandLine:\n - cmd.exe /c *http://*%AppData%\n - cmd.exe /c *https://*%AppData%\n condition: selection\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- High\nlevel: medium\n\n
\n}}'),(9541,'Issue',528,15,'T1059'),(9542,'Issue',529,1,'Suspicious Code Page Switch'),(9543,'Issue',529,2,'Florian Roth'),(9544,'Issue',529,8,'https://docs.microsoft.com/en-us/windows/win32/intl/code-page-identifiers\nhttps://twitter.com/cglyer/status/1183756892952248325'),(9545,'Issue',529,10,'medium'),(9546,'Issue',529,13,'community'),(9547,'Issue',529,14,'windows'),(9548,'Issue',529,15,''),(9549,'Issue',529,11,'29f880f96'),(9550,'Issue',529,12,'c7942406-33dd-4377-a564-0f62db0593a3'),(9551,'Issue',529,16,'win-proc'),(9552,'Issue',529,17,''),(9553,'Issue',529,7,''),(9554,'Issue',529,3,'Detects a code page switch in command line or batch scripts to a rare language'),(9555,'Issue',529,4,''),(9556,'Issue',529,5,'_False Positives_\nAdministrative activity (adjust code pages according to your organisation\'s region)\n\n_Interesting Log Fields_\nParentCommandLine'),(9557,'Issue',529,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(chcp*\\ 936 OR chcp*\\ 1258))\nindex: so-*\nname: Suspicious Code Page Switch\npriority: 3\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(9558,'Issue',529,9,'{{collapse(View Sigma)\n\n\ntitle: Suspicious Code Page Switch\nid: c7942406-33dd-4377-a564-0f62db0593a3\nstatus: experimental\ndescription: Detects a code page switch in command line or batch scripts to a rare\n language\nauthor: Florian Roth\ndate: 2019/10/14\nreferences:\n- https://docs.microsoft.com/en-us/windows/win32/intl/code-page-identifiers\n- https://twitter.com/cglyer/status/1183756892952248325\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n CommandLine:\n - chcp* 936\n - chcp* 1258\n condition: selection\nfields:\n- ParentCommandLine\nfalsepositives:\n- Administrative activity (adjust code pages according to your organisation\'s region)\nlevel: medium\n\n
\n}}'),(9559,'Issue',530,1,'Reconnaissance Activity with Net Command'),(9560,'Issue',530,2,'Florian Roth, Markus Neis'),(9561,'Issue',530,8,'https://twitter.com/haroonmeer/status/939099379834658817\nhttps://twitter.com/c_APT_ure/status/939475433711722497\nhttps://www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html'),(9562,'Issue',530,10,'medium'),(9563,'Issue',530,13,'community'),(9564,'Issue',530,14,'windows'),(9566,'Issue',530,11,'c51af1088'),(9567,'Issue',530,12,'2887e914-ce96-435f-8105-593937e90757'),(9568,'Issue',530,16,'win-proc'),(9569,'Issue',530,17,''),(9570,'Issue',530,7,''),(9571,'Issue',530,3,'Detects a set of commands often used in recon stages by different attack groups'),(9572,'Issue',530,4,''),(9573,'Issue',530,5,'_False Positives_\nFalse positives depend on scripts and administrative tools used in the monitored environment'),(9574,'Issue',530,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(tasklist OR net\\ time OR systeminfo OR whoami OR nbtstat OR net\\ start OR *\\\\net1\\ start OR qprocess OR nslookup OR hostname.exe OR *\\\\net1\\ user\\ \\/domain OR *\\\\net1\\ group\\ \\/domain OR *\\\\net1\\ group\\ \\\"domain\\ admins\\\"\\ \\/domain OR *\\\\net1\\ group\\ \\\"Exchange\\ Trusted\\ Subsystem\\\"\\ \\/domain OR *\\\\net1\\ accounts\\ \\/domain OR *\\\\net1\\ user\\ net\\ localgroup\\ administrators OR netstat\\ \\-an))\nindex: so-*\nmax_threshold: 4\nmetric_agg_key: _id\nmetric_agg_type: cardinality\nname: Reconnaissance Activity with Net Command\npriority: 3\nquery_key: process.command_line.keyword\nrealert:\n minutes: 0\ntype: metric_aggregation\n
\n}}'),(9575,'Issue',530,9,'{{collapse(View Sigma)\n\n\ntitle: Reconnaissance Activity with Net Command\nid: 2887e914-ce96-435f-8105-593937e90757\nstatus: experimental\ndescription: Detects a set of commands often used in recon stages by different attack\n groups\nreferences:\n- https://twitter.com/haroonmeer/status/939099379834658817\n- https://twitter.com/c_APT_ure/status/939475433711722497\n- https://www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html\nauthor: Florian Roth, Markus Neis\ndate: 2018/08/22\nmodified: 2018/12/11\ntags:\n- attack.discovery\n- attack.t1087\n- attack.t1082\n- car.2016-03-001\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n CommandLine:\n - tasklist\n - net time\n - systeminfo\n - whoami\n - nbtstat\n - net start\n - \'*\\net1 start\'\n - qprocess\n - nslookup\n - hostname.exe\n - \'*\\net1 user /domain\'\n - \'*\\net1 group /domain\'\n - \'*\\net1 group \"domain admins\" /domain\'\n - \'*\\net1 group \"Exchange Trusted Subsystem\" /domain\'\n - \'*\\net1 accounts /domain\'\n - \'*\\net1 user net localgroup administrators\'\n - netstat -an\n timeframe: 15s\n condition: selection | count() by CommandLine > 4\nfalsepositives:\n- False positives depend on scripts and administrative tools used in the monitored\n environment\nlevel: medium\n\n
\n}}'),(9576,'Issue',530,15,'T1087'),(9577,'Issue',530,15,'T1082'),(9578,'Issue',531,1,'Suspicious Compression Tool Parameters'),(9579,'Issue',531,2,'Florian Roth, Samir Bousseaden'),(9580,'Issue',531,8,'https://twitter.com/SBousseaden/status/1184067445612535811'),(9581,'Issue',531,10,'high'),(9582,'Issue',531,13,'community'),(9583,'Issue',531,14,'windows'),(9585,'Issue',531,11,'ca20cc397'),(9586,'Issue',531,12,'27a72a60-7e5e-47b1-9d17-909c9abafdcd'),(9587,'Issue',531,16,'win-proc'),(9588,'Issue',531,17,''),(9589,'Issue',531,7,''),(9590,'Issue',531,3,'Detects suspicious command line arguments of common data compression tools'),(9591,'Issue',531,4,''),(9592,'Issue',531,5,'_False Positives_\nunknown'),(9593,'Issue',531,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (OriginalFileName.keyword:(7z*.exe OR *rar.exe OR *Command*Line*RAR*) AND process.command_line.keyword:(*\\ \\-p* OR *\\ \\-ta* OR *\\ \\-tb* OR *\\ \\-sdel* OR *\\ \\-dw* OR *\\ \\-hp*)) AND (NOT (process.parent.executable.keyword:C\\:\\\\Program*)))\nindex: so-*\nname: Suspicious Compression Tool Parameters\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(9594,'Issue',531,9,'{{collapse(View Sigma)\n\n\ntitle: Suspicious Compression Tool Parameters\nid: 27a72a60-7e5e-47b1-9d17-909c9abafdcd\nstatus: experimental\ndescription: Detects suspicious command line arguments of common data compression\n tools\nreferences:\n- https://twitter.com/SBousseaden/status/1184067445612535811\ntags:\n- attack.exfiltration\n- attack.t1020\n- attack.t1002\nauthor: Florian Roth, Samir Bousseaden\ndate: 2019/10/15\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n OriginalFileName:\n - 7z*.exe\n - \'*rar.exe\'\n - \'*Command*Line*RAR*\'\n CommandLine:\n - \'* -p*\'\n - \'* -ta*\'\n - \'* -tb*\'\n - \'* -sdel*\'\n - \'* -dw*\'\n - \'* -hp*\'\n falsepositive:\n ParentImage: C:\\Program*\n condition: selection and not falsepositive\nfalsepositives:\n- unknown\nlevel: high\n\n
\n}}'),(9595,'Issue',531,15,'T1020'),(9596,'Issue',531,15,'T1002'),(9597,'Issue',532,1,'Process Dump via Comsvcs DLL'),(9598,'Issue',532,2,'Modexp (idea)'),(9599,'Issue',532,8,'https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/\nhttps://twitter.com/SBousseaden/status/1167417096374050817'),(9600,'Issue',532,10,'medium'),(9601,'Issue',532,13,'community'),(9602,'Issue',532,14,'windows'),(9604,'Issue',532,11,'01665fd2b'),(9605,'Issue',532,12,'09e6d5c0-05b8-4ff8-9eeb-043046ec774c'),(9606,'Issue',532,16,'win-proc'),(9607,'Issue',532,17,''),(9608,'Issue',532,7,''),(9609,'Issue',532,3,'Detects process memory dump via comsvcs.dll and rundll32'),(9610,'Issue',532,4,''),(9611,'Issue',532,5,'_False Positives_\nunknown\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(9612,'Issue',532,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND (process.executable.keyword:*\\\\rundll32.exe OR OriginalFileName:\"RUNDLL32.EXE\") AND process.command_line.keyword:(*comsvcs*MiniDump*full* OR *comsvcs*MiniDumpW*full*))\nindex: so-*\nname: Process Dump via Comsvcs DLL\npriority: 3\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(9613,'Issue',532,9,'{{collapse(View Sigma)\n\n\ntitle: Process Dump via Comsvcs DLL\nid: 09e6d5c0-05b8-4ff8-9eeb-043046ec774c\nstatus: experimental\ndescription: Detects process memory dump via comsvcs.dll and rundll32\nreferences:\n- https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/\n- https://twitter.com/SBousseaden/status/1167417096374050817\nauthor: Modexp (idea)\ndate: 2019/09/02\nlogsource:\n category: process_creation\n product: windows\ndetection:\n rundll_image:\n Image: \'*\\rundll32.exe\'\n rundll_ofn:\n OriginalFileName: RUNDLL32.EXE\n selection:\n CommandLine:\n - \'*comsvcs*MiniDump*full*\'\n - \'*comsvcs*MiniDumpW*full*\'\n condition: (rundll_image or rundll_ofn) and selection\nfields:\n- CommandLine\n- ParentCommandLine\ntags:\n- attack.credential_access\n- attack.t1003\nfalsepositives:\n- unknown\nlevel: medium\n\n
\n}}'),(9614,'Issue',532,15,'T1003'),(9615,'Issue',533,1,'Suspicious Control Panel DLL Load'),(9616,'Issue',533,2,'Florian Roth'),(9617,'Issue',533,8,'https://twitter.com/rikvduijn/status/853251879320662017'),(9618,'Issue',533,10,'high'),(9619,'Issue',533,13,'community'),(9620,'Issue',533,14,'windows'),(9622,'Issue',533,11,'7b06179ac'),(9623,'Issue',533,12,'d7eb979b-c2b5-4a6f-a3a7-c87ce6763819'),(9624,'Issue',533,16,'win-proc'),(9625,'Issue',533,17,''),(9626,'Issue',533,7,''),(9627,'Issue',533,3,'Detects suspicious Rundll32 execution from control.exe as used by Equation Group and Exploit Kits'),(9628,'Issue',533,4,''),(9629,'Issue',533,5,'_False Positives_\nUnknown\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(9630,'Issue',533,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (process.parent.executable.keyword:*\\\\System32\\\\control.exe AND process.command_line.keyword:*\\\\rundll32.exe\\ *) AND (NOT (process.command_line.keyword:*Shell32.dll*)))\nindex: so-*\nname: Suspicious Control Panel DLL Load\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(9631,'Issue',533,9,'{{collapse(View Sigma)\n\n\ntitle: Suspicious Control Panel DLL Load\nid: d7eb979b-c2b5-4a6f-a3a7-c87ce6763819\nstatus: experimental\ndescription: Detects suspicious Rundll32 execution from control.exe as used by Equation\n Group and Exploit Kits\nauthor: Florian Roth\ndate: 2017/04/15\nreferences:\n- https://twitter.com/rikvduijn/status/853251879320662017\ntags:\n- attack.defense_evasion\n- attack.t1073\n- attack.t1085\n- car.2013-10-002\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n ParentImage: \'*\\System32\\control.exe\'\n CommandLine: \'*\\rundll32.exe *\'\n filter:\n CommandLine: \'*Shell32.dll*\'\n condition: selection and not filter\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(9632,'Issue',533,15,'T1073'),(9633,'Issue',533,15,'T1085'),(9634,'Issue',534,1,'Copy from Admin Share'),(9635,'Issue',534,2,'Florian Roth'),(9636,'Issue',534,8,'https://twitter.com/SBousseaden/status/1211636381086339073'),(9637,'Issue',534,10,'high'),(9638,'Issue',534,13,'community'),(9639,'Issue',534,14,'windows'),(9641,'Issue',534,11,'ec9ee9ed7'),(9642,'Issue',534,12,'855bc8b5-2ae8-402e-a9ed-b889e6df1900'),(9643,'Issue',534,16,'win-proc'),(9644,'Issue',534,17,''),(9645,'Issue',534,7,''),(9646,'Issue',534,3,'Detects a suspicious copy command from a remote C$ or ADMIN$ share'),(9647,'Issue',534,4,''),(9648,'Issue',534,5,'_False Positives_\nAdministrative scripts\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(9649,'Issue',534,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(*copy\\ *\\\\c$* OR *copy\\ *\\\\ADMIN$*))\nindex: so-*\nname: Copy from Admin Share\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(9650,'Issue',534,9,'{{collapse(View Sigma)\n\n\ntitle: Copy from Admin Share\nid: 855bc8b5-2ae8-402e-a9ed-b889e6df1900\nstatus: experimental\ndescription: Detects a suspicious copy command from a remote C$ or ADMIN$ share\nreferences:\n- https://twitter.com/SBousseaden/status/1211636381086339073\nauthor: Florian Roth\ndate: 2019/12/30\ntags:\n- attack.lateral_movement\n- attack.t1077\n- attack.t1105\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n CommandLine|contains:\n - copy *\\c$\n - copy *\\ADMIN$\n condition: selection\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Administrative scripts\nlevel: high\n\n
\n}}'),(9651,'Issue',534,15,'T1077'),(9652,'Issue',534,15,'T1105'),(9653,'Issue',535,1,'Suspicious Parent of Csc.exe'),(9654,'Issue',535,2,'Florian Roth'),(9655,'Issue',535,8,'https://twitter.com/SBousseaden/status/1094924091256176641'),(9656,'Issue',535,10,'high'),(9657,'Issue',535,13,'community'),(9658,'Issue',535,14,'windows'),(9660,'Issue',535,11,'2a0ef0717'),(9661,'Issue',535,12,'b730a276-6b63-41b8-bcf8-55930c8fc6ee'),(9662,'Issue',535,16,'win-proc'),(9663,'Issue',535,17,''),(9664,'Issue',535,7,''),(9665,'Issue',535,3,'Detects a suspicious parent of csc.exe, which could by a sign of payload delivery'),(9666,'Issue',535,4,''),(9667,'Issue',535,5,'_False Positives_\nUnkown'),(9668,'Issue',535,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\csc.exe* AND process.parent.executable.keyword:(*\\\\wscript.exe OR *\\\\cscript.exe OR *\\\\mshta.exe))\nindex: so-*\nname: Suspicious Parent of Csc.exe\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(9669,'Issue',535,9,'{{collapse(View Sigma)\n\n\ntitle: Suspicious Parent of Csc.exe\nid: b730a276-6b63-41b8-bcf8-55930c8fc6ee\ndescription: Detects a suspicious parent of csc.exe, which could by a sign of payload\n delivery\nstatus: experimental\nreferences:\n- https://twitter.com/SBousseaden/status/1094924091256176641\nauthor: Florian Roth\ndate: 2019/02/11\ntags:\n- attack.defense_evasion\n- attack.t1036\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n Image: \'*\\csc.exe*\'\n ParentImage:\n - \'*\\wscript.exe\'\n - \'*\\cscript.exe\'\n - \'*\\mshta.exe\'\n condition: selection\nfalsepositives:\n- Unkown\nlevel: high\n\n
\n}}'),(9670,'Issue',535,15,'T1036'),(9671,'Issue',536,1,'Suspicious Csc.exe Source File Folder'),(9672,'Issue',536,2,'Florian Roth'),(9673,'Issue',536,8,'https://securityboulevard.com/2019/08/agent-tesla-evading-edr-by-removing-api-hooks/\nhttps://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf\nhttps://app.any.run/tasks/c6993447-d1d8-414e-b856-675325e5aa09/\nhttps://twitter.com/gN3mes1s/status/1206874118282448897'),(9674,'Issue',536,10,'high'),(9675,'Issue',536,13,'community'),(9676,'Issue',536,14,'windows'),(9678,'Issue',536,11,'7da368a8e'),(9679,'Issue',536,12,'dcaa3f04-70c3-427a-80b4-b870d73c94c4'),(9680,'Issue',536,16,'win-proc'),(9681,'Issue',536,17,''),(9682,'Issue',536,7,''),(9683,'Issue',536,3,'Detects a suspicious execution of csc.exe, which uses a source in a suspicious folder (e.g. AppData)'),(9684,'Issue',536,4,''),(9685,'Issue',536,5,'_False Positives_\nhttps://twitter.com/gN3mes1s/status/1206874118282448897\nhttps://twitter.com/gabriele_pippi/status/1206907900268072962'),(9686,'Issue',536,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (process.executable.keyword:*\\\\csc.exe AND process.command_line.keyword:(*\\\\AppData\\\\* OR *\\\\Windows\\\\Temp\\\\*)) AND (NOT (process.parent.executable.keyword:(C\\:\\\\Program\\ Files* OR *\\\\sdiagnhost.exe OR *\\\\w3wp.exe))))\nindex: so-*\nname: Suspicious Csc.exe Source File Folder\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(9687,'Issue',536,9,'{{collapse(View Sigma)\n\n\ntitle: Suspicious Csc.exe Source File Folder\nid: dcaa3f04-70c3-427a-80b4-b870d73c94c4\ndescription: Detects a suspicious execution of csc.exe, which uses a source in a suspicious\n folder (e.g. AppData)\nstatus: experimental\nreferences:\n- https://securityboulevard.com/2019/08/agent-tesla-evading-edr-by-removing-api-hooks/\n- https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf\n- https://app.any.run/tasks/c6993447-d1d8-414e-b856-675325e5aa09/\n- https://twitter.com/gN3mes1s/status/1206874118282448897\nauthor: Florian Roth\ndate: 2019/08/24\nmodified: 2019/12/17\ntags:\n- attack.defense_evasion\n- attack.t1500\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n Image: \'*\\csc.exe\'\n CommandLine:\n - \'*\\AppData\\\\*\'\n - \'*\\Windows\\Temp\\\\*\'\n filter:\n ParentImage:\n - C:\\Program Files*\n - \'*\\sdiagnhost.exe\'\n - \'*\\w3wp.exe\'\n condition: selection and not filter\nfalsepositives:\n- https://twitter.com/gN3mes1s/status/1206874118282448897\n- https://twitter.com/gabriele_pippi/status/1206907900268072962\nlevel: high\n\n
\n}}'),(9688,'Issue',536,15,'T1500'),(9689,'Issue',537,1,'Curl Start Combination'),(9690,'Issue',537,2,'Sreeman'),(9691,'Issue',537,8,'https://medium.com/@reegun/curl-exe-is-the-new-rundll32-exe-lolbin-3f79c5f35983'),(9692,'Issue',537,10,'medium'),(9693,'Issue',537,13,'community'),(9694,'Issue',537,14,'windows'),(9696,'Issue',537,11,'cba091473'),(9697,'Issue',537,12,'21dd6d38-2b18-4453-9404-a0fe4a0cc288'),(9698,'Issue',537,16,'win-proc'),(9699,'Issue',537,17,''),(9700,'Issue',537,7,''),(9701,'Issue',537,3,'Adversaries can use curl to download payloads remotely and execute them. Curl is included by default in Windows 10 build 17063 and later.'),(9702,'Issue',537,4,''),(9703,'Issue',537,5,'_False Positives_\nAdministrative scripts (installers)\n\n_Interesting Log Fields_\nParentImage\nCommandLine'),(9704,'Issue',537,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:*curl*\\ start\\ *)\nindex: so-*\nname: Curl Start Combination\npriority: 3\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(9705,'Issue',537,9,'{{collapse(View Sigma)\n\n\ntitle: Curl Start Combination\nid: 21dd6d38-2b18-4453-9404-a0fe4a0cc288\nstatus: experimental\ndescription: Adversaries can use curl to download payloads remotely and execute them.\n Curl is included by default in Windows 10 build 17063 and later.\nreferences:\n- https://medium.com/@reegun/curl-exe-is-the-new-rundll32-exe-lolbin-3f79c5f35983\nauthor: Sreeman\ndate: 2020/01/13\ntags:\n- attack.execution\n- attack.t1218\nlogsource:\n category: process_creation\n product: windows\ndetection:\n condition: selection\n selection:\n CommandLine|contains: \'curl* start \'\nfalsepositives:\n- Administrative scripts (installers)\nfields:\n- ParentImage\n- CommandLine\nlevel: medium\n\n
\n}}'),(9706,'Issue',537,15,'T1218'),(9707,'Issue',538,1,'ZOHO Dctask64 Process Injection'),(9708,'Issue',538,2,'Florian Roth'),(9709,'Issue',538,8,'https://twitter.com/gN3mes1s/status/1222088214581825540\nhttps://twitter.com/gN3mes1s/status/1222095963789111296\nhttps://twitter.com/gN3mes1s/status/1222095371175911424'),(9710,'Issue',538,10,'high'),(9711,'Issue',538,13,'community'),(9712,'Issue',538,14,'windows'),(9714,'Issue',538,11,'fe9f76fc8'),(9715,'Issue',538,12,'6345b048-8441-43a7-9bed-541133633d7a'),(9716,'Issue',538,16,'win-proc'),(9717,'Issue',538,17,''),(9718,'Issue',538,7,''),(9719,'Issue',538,3,'Detects suspicious process injection using ZOHO\'s dctask64.exe'),(9720,'Issue',538,4,''),(9721,'Issue',538,5,'_False Positives_\nUnknown yet\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine\nParentImage'),(9722,'Issue',538,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:(*\\\\dctask64.exe) AND (NOT (process.command_line.keyword:(*DesktopCentral_Agent\\\\agent*))))\nindex: so-*\nname: ZOHO Dctask64 Process Injection\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(9723,'Issue',538,9,'{{collapse(View Sigma)\n\n\ntitle: ZOHO Dctask64 Process Injection\nid: 6345b048-8441-43a7-9bed-541133633d7a\nstatus: experimental\ndescription: Detects suspicious process injection using ZOHO\'s dctask64.exe\nreferences:\n- https://twitter.com/gN3mes1s/status/1222088214581825540\n- https://twitter.com/gN3mes1s/status/1222095963789111296\n- https://twitter.com/gN3mes1s/status/1222095371175911424\nauthor: Florian Roth\ndate: 2020/01/28\ntags:\n- attack.defense_evasion\n- attack.t1055\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n Image|endswith:\n - \\dctask64.exe\n filter:\n CommandLine|contains:\n - DesktopCentral_Agent\\agent\n condition: selection and not filter\nfields:\n- CommandLine\n- ParentCommandLine\n- ParentImage\nfalsepositives:\n- Unknown yet\nlevel: high\n\n
\n}}'),(9724,'Issue',538,15,'T1055'),(9725,'Issue',539,1,'Devtoolslauncher.exe Executes Specified Binary'),(9726,'Issue',539,2,'Beyu Denis, oscd.community (rule), @_felamos (idea)'),(9727,'Issue',539,8,'https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Devtoolslauncher.yml\nhttps://twitter.com/_felamos/status/1179811992841797632'),(9728,'Issue',539,10,'critical'),(9729,'Issue',539,13,'community'),(9730,'Issue',539,14,'windows'),(9732,'Issue',539,11,'8beb4a23d'),(9733,'Issue',539,12,'cc268ac1-42d9-40fd-9ed3-8c4e1a5b87e6'),(9734,'Issue',539,16,'win-proc'),(9735,'Issue',539,17,''),(9736,'Issue',539,7,''),(9737,'Issue',539,3,'The Devtoolslauncher.exe executes other binary'),(9738,'Issue',539,4,''),(9739,'Issue',539,5,'_False Positives_\nLegitimate use of devtoolslauncher.exe by legitimate user'),(9740,'Issue',539,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\devtoolslauncher.exe AND process.command_line.keyword:*LaunchForDeploy*)\nindex: so-*\nname: Devtoolslauncher.exe Executes Specified Binary\npriority: 1\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(9741,'Issue',539,9,'{{collapse(View Sigma)\n\n\ntitle: Devtoolslauncher.exe Executes Specified Binary\nid: cc268ac1-42d9-40fd-9ed3-8c4e1a5b87e6\nstatus: experimental\ndescription: The Devtoolslauncher.exe executes other binary\nreferences:\n- https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Devtoolslauncher.yml\n- https://twitter.com/_felamos/status/1179811992841797632\nauthor: Beyu Denis, oscd.community (rule), @_felamos (idea)\ndate: 2019/10/12\nmodified: 2019/11/04\ntags:\n- attack.defense_evasion\n- attack.execution\n- attack.t1218\nlevel: critical\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n Image|endswith: \\devtoolslauncher.exe\n CommandLine|contains: LaunchForDeploy\n condition: selection\nfalsepositives:\n- Legitimate use of devtoolslauncher.exe by legitimate user\n\n
\n}}'),(9742,'Issue',539,15,'T1218'),(9743,'Issue',540,1,'Direct Autorun Keys Modification'),(9744,'Issue',540,2,'Victor Sergeev, Daniil Yugoslavskiy, oscd.community'),(9745,'Issue',540,8,'https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1060/T1060.yaml'),(9746,'Issue',540,10,'medium'),(9747,'Issue',540,13,'community'),(9748,'Issue',540,14,'windows'),(9750,'Issue',540,11,'8eab5e98e'),(9751,'Issue',540,12,'24357373-078f-44ed-9ac4-6d334a668a11'),(9752,'Issue',540,16,'win-proc'),(9753,'Issue',540,17,''),(9754,'Issue',540,7,''),(9755,'Issue',540,3,'Detects direct modification of autostart extensibility point (ASEP) in registry using reg.exe.'),(9756,'Issue',540,4,''),(9757,'Issue',540,5,'_False Positives_\nLegitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason\nLegitimate administrator sets up autorun keys for legitimate reason\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(9758,'Issue',540,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\reg.exe AND process.command_line.keyword:*add* AND process.command_line.keyword:(*\\\\software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run* OR *\\\\software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce* OR *\\\\software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnceEx* OR *\\\\software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunServices* OR *\\\\software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunServicesOnce* OR *\\\\software\\\\Microsoft\\\\Windows\\ NT\\\\CurrentVersion\\\\Winlogon\\\\Userinit* OR *\\\\software\\\\Microsoft\\\\Windows\\ NT\\\\CurrentVersion\\\\Winlogon\\\\Shell* OR *\\\\software\\\\Microsoft\\\\Windows\\ NT\\\\CurrentVersion\\\\Windows* OR *\\\\software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User\\ Shell\\ Folders* OR *\\\\system\\\\CurrentControlSet\\\\Control\\\\SafeBoot\\\\AlternateShell*))\nindex: so-*\nname: Direct Autorun Keys Modification\npriority: 3\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(9759,'Issue',540,9,'{{collapse(View Sigma)\n\n\ntitle: Direct Autorun Keys Modification\nid: 24357373-078f-44ed-9ac4-6d334a668a11\ndescription: Detects direct modification of autostart extensibility point (ASEP) in\n registry using reg.exe.\nstatus: experimental\nreferences:\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1060/T1060.yaml\ntags:\n- attack.persistence\n- attack.t1060\ndate: 2019/10/25\nmodified: 2019/11/10\nauthor: Victor Sergeev, Daniil Yugoslavskiy, oscd.community\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_1:\n Image|endswith: \'*\\reg.exe\'\n CommandLine|contains: add\n selection_2:\n CommandLine|contains:\n - \\software\\Microsoft\\Windows\\CurrentVersion\\Run\n - \\software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\n - \\software\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx\n - \\software\\Microsoft\\Windows\\CurrentVersion\\RunServices\n - \\software\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce\n - \\software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit\n - \\software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell\n - \\software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\n - \\software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\n - \\system\\CurrentControlSet\\Control\\SafeBoot\\AlternateShell\n condition: selection_1 and selection_2\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Legitimate software automatically (mostly, during installation) sets up autorun\n keys for legitimate reason\n- Legitimate administrator sets up autorun keys for legitimate reason\nlevel: medium\n\n
\n}}'),(9760,'Issue',540,15,'T1060'),(9761,'Issue',541,1,'Application Whitelisting Bypass via Dnx.exe'),(9762,'Issue',541,2,'Beyu Denis, oscd.community'),(9763,'Issue',541,8,'https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Csi.yml\nhttps://enigma0x3.net/2016/11/17/bypassing-application-whitelisting-by-using-dnx-exe/'),(9764,'Issue',541,10,'medium'),(9765,'Issue',541,13,'community'),(9766,'Issue',541,14,'windows'),(9768,'Issue',541,11,'4f84e2c15'),(9769,'Issue',541,12,'81ebd28b-9607-4478-bf06-974ed9d53ed7'),(9770,'Issue',541,16,'win-proc'),(9771,'Issue',541,17,''),(9772,'Issue',541,7,''),(9773,'Issue',541,3,'Execute C# code located in the consoleapp folder'),(9774,'Issue',541,4,''),(9775,'Issue',541,5,'_False Positives_\nLegitimate use of dnx.exe by legitimate user'),(9776,'Issue',541,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\dnx.exe)\nindex: so-*\nname: Application Whitelisting Bypass via Dnx.exe\npriority: 3\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(9777,'Issue',541,9,'{{collapse(View Sigma)\n\n\ntitle: Application Whitelisting Bypass via Dnx.exe\nid: 81ebd28b-9607-4478-bf06-974ed9d53ed7\nstatus: experimental\ndescription: Execute C# code located in the consoleapp folder\nreferences:\n- https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Csi.yml\n- https://enigma0x3.net/2016/11/17/bypassing-application-whitelisting-by-using-dnx-exe/\nauthor: Beyu Denis, oscd.community\ndate: 2019/10/26\nmodified: 2019/11/04\ntags:\n- attack.defense_evasion\n- attack.execution\n- attack.t1218\nlevel: medium\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n Image|endswith: \\dnx.exe\n condition: selection\nfalsepositives:\n- Legitimate use of dnx.exe by legitimate user\n\n
\n}}'),(9778,'Issue',541,15,'T1218'),(9779,'Issue',542,1,'Suspicious Double Extension'),(9780,'Issue',542,2,'Florian Roth (rule), @blu3_team (idea)'),(9781,'Issue',542,8,'https://blu3-team.blogspot.com/2019/06/misleading-extensions-xlsexe-docexe.html\nhttps://twitter.com/blackorbird/status/1140519090961825792'),(9782,'Issue',542,10,'critical'),(9783,'Issue',542,13,'community'),(9784,'Issue',542,14,'windows'),(9786,'Issue',542,11,'17b387ea8'),(9787,'Issue',542,12,'1cdd9a09-06c9-4769-99ff-626e2b3991b8'),(9788,'Issue',542,16,'win-proc'),(9789,'Issue',542,17,''),(9790,'Issue',542,7,''),(9791,'Issue',542,3,'Detects suspicious use of an .exe extension after a non-executable file extension like .pdf.exe, a set of spaces or underlines to cloak the executable file in spear phishing campaigns'),(9792,'Issue',542,4,''),(9793,'Issue',542,5,'_False Positives_\nUnknown'),(9794,'Issue',542,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:(*.doc.exe OR *.docx.exe OR *.xls.exe OR *.xlsx.exe OR *.ppt.exe OR *.pptx.exe OR *.rtf.exe OR *.pdf.exe OR *.txt.exe OR *\\ \\ \\ \\ \\ \\ .exe OR *______.exe))\nindex: so-*\nname: Suspicious Double Extension\npriority: 1\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(9795,'Issue',542,9,'{{collapse(View Sigma)\n\n\ntitle: Suspicious Double Extension\nid: 1cdd9a09-06c9-4769-99ff-626e2b3991b8\ndescription: Detects suspicious use of an .exe extension after a non-executable file\n extension like .pdf.exe, a set of spaces or underlines to cloak the executable file\n in spear phishing campaigns\nreferences:\n- https://blu3-team.blogspot.com/2019/06/misleading-extensions-xlsexe-docexe.html\n- https://twitter.com/blackorbird/status/1140519090961825792\nauthor: Florian Roth (rule), @blu3_team (idea)\ndate: 2019/06/26\ntags:\n- attack.initial_access\n- attack.t1193\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n Image:\n - \'*.doc.exe\'\n - \'*.docx.exe\'\n - \'*.xls.exe\'\n - \'*.xlsx.exe\'\n - \'*.ppt.exe\'\n - \'*.pptx.exe\'\n - \'*.rtf.exe\'\n - \'*.pdf.exe\'\n - \'*.txt.exe\'\n - \'* .exe\'\n - \'*______.exe\'\n condition: selection\nfalsepositives:\n- Unknown\nlevel: critical\n\n
\n}}'),(9796,'Issue',542,15,'T1193'),(9797,'Issue',543,1,'Application Whitelisting Bypass via Dxcap.exe'),(9798,'Issue',543,2,'Beyu Denis, oscd.community'),(9799,'Issue',543,8,'https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Dxcap.yml\nhttps://twitter.com/harr0ey/status/992008180904419328'),(9800,'Issue',543,10,'medium'),(9801,'Issue',543,13,'community'),(9802,'Issue',543,14,'windows'),(9804,'Issue',543,11,'21213eb67'),(9805,'Issue',543,12,'60f16a96-db70-42eb-8f76-16763e333590'),(9806,'Issue',543,16,'win-proc'),(9807,'Issue',543,17,''),(9808,'Issue',543,7,''),(9809,'Issue',543,3,'Detects execution of of Dxcap.exe'),(9810,'Issue',543,4,''),(9811,'Issue',543,5,'_False Positives_\nLegitimate execution of dxcap.exe by legitimate user'),(9812,'Issue',543,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\dxcap.exe AND process.command_line.keyword:*\\-c* AND process.command_line.keyword:*.exe*)\nindex: so-*\nname: Application Whitelisting Bypass via Dxcap.exe\npriority: 3\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(9813,'Issue',543,9,'{{collapse(View Sigma)\n\n\ntitle: Application Whitelisting Bypass via Dxcap.exe\nid: 60f16a96-db70-42eb-8f76-16763e333590\nstatus: experimental\ndescription: Detects execution of of Dxcap.exe\nreferences:\n- https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Dxcap.yml\n- https://twitter.com/harr0ey/status/992008180904419328\nauthor: Beyu Denis, oscd.community\ndate: 2019/10/26\nmodified: 2019/11/04\ntags:\n- attack.defense_evasion\n- attack.execution\n- attack.t1218\nlevel: medium\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n Image|endswith: \\dxcap.exe\n CommandLine|contains|all:\n - -c\n - .exe\n condition: selection\nfalsepositives:\n- Legitimate execution of dxcap.exe by legitimate user\n\n
\n}}'),(9814,'Issue',543,15,'T1218'),(9815,'Issue',544,1,'Suspicious Eventlog Clear or Configuration Using Wevtutil'),(9816,'Issue',544,2,'Ecco, Daniil Yugoslavskiy, oscd.community'),(9817,'Issue',544,8,'https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070/T1070.yaml\nhttps://eqllib.readthedocs.io/en/latest/analytics/5b223758-07d6-4100-9e11-238cfdd0fe97.html'),(9818,'Issue',544,10,'high'),(9819,'Issue',544,13,'community'),(9820,'Issue',544,14,'windows'),(9822,'Issue',544,11,'63dddab3d'),(9823,'Issue',544,12,'cc36992a-4671-4f21-a91d-6c2b72a2edf5'),(9824,'Issue',544,16,'win-proc'),(9825,'Issue',544,17,''),(9826,'Issue',544,7,''),(9827,'Issue',544,3,'Detects clearing or configuration of eventlogs uwing wevtutil, powershell and wmic. Might be used by ransomwares during the attack (seen by NotPetya and others)'),(9828,'Issue',544,4,''),(9829,'Issue',544,5,'_False Positives_\nAdmin activity\nScripts and administrative tools used in the monitored environment'),(9830,'Issue',544,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND (((process.executable.keyword:*\\\\powershell.exe AND process.command_line.keyword:(*Clear\\-EventLog* OR *Remove\\-EventLog* OR *Limit\\-EventLog*)) OR (process.executable.keyword:*\\\\wmic.exe AND process.command_line.keyword:*\\ ClearEventLog\\ *)) OR (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\wevtutil.exe AND process.command_line.keyword:(*clear\\-log* OR *\\ cl\\ * OR *set\\-log* OR *\\ sl\\ *))))\nindex: so-*\nname: Suspicious Eventlog Clear or Configuration Using Wevtutil\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(9831,'Issue',544,9,'{{collapse(View Sigma)\n\n\ntitle: Suspicious Eventlog Clear or Configuration Using Wevtutil\nid: cc36992a-4671-4f21-a91d-6c2b72a2edf5\ndescription: Detects clearing or configuration of eventlogs uwing wevtutil, powershell\n and wmic. Might be used by ransomwares during the attack (seen by NotPetya and others)\nauthor: Ecco, Daniil Yugoslavskiy, oscd.community\nreferences:\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070/T1070.yaml\n- https://eqllib.readthedocs.io/en/latest/analytics/5b223758-07d6-4100-9e11-238cfdd0fe97.html\ndate: 2019/09/26\nmodified: 2019/11/11\ntags:\n- attack.defense_evasion\n- attack.t1070\n- car.2016-04-002\nlevel: high\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_wevtutil_binary:\n Image|endswith: \\wevtutil.exe\n selection_wevtutil_command:\n CommandLine|contains:\n - clear-log\n - \' cl \'\n - set-log\n - \' sl \'\n selection_other_ps:\n Image|endswith: \\powershell.exe\n CommandLine|contains:\n - Clear-EventLog\n - Remove-EventLog\n - Limit-EventLog\n selection_other_wmic:\n Image|endswith: \\wmic.exe\n CommandLine|contains: \' ClearEventLog \'\n condition: 1 of selection_other_* or (selection_wevtutil_binary and selection_wevtutil_command)\nfalsepositives:\n- Admin activity\n- Scripts and administrative tools used in the monitored environment\n\n
\n}}'),(9832,'Issue',544,15,'T1070'),(9833,'Issue',545,1,'Executables Started in Suspicious Folder'),(9834,'Issue',545,2,'Florian Roth'),(9835,'Issue',545,8,'https://github.com/mbevilacqua/appcompatprocessor/blob/master/AppCompatSearch.txt\nhttps://www.secureworks.com/research/bronze-butler-targets-japanese-businesses\nhttps://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/\nhttps://github.com/ThreatHuntingProject/ThreatHunting/blob/master/hunts/suspicious_process_creation_via_windows_event_logs.md'),(9836,'Issue',545,10,'high'),(9837,'Issue',545,13,'community'),(9838,'Issue',545,14,'windows'),(9840,'Issue',545,11,'a3054aa4c'),(9841,'Issue',545,12,'7a38aa19-86a9-4af7-ac51-6bfe4e59f254'),(9842,'Issue',545,16,'win-proc'),(9843,'Issue',545,17,''),(9844,'Issue',545,7,''),(9845,'Issue',545,3,'Detects process starts of binaries from a suspicious folder'),(9846,'Issue',545,4,''),(9847,'Issue',545,5,'_False Positives_\nUnknown'),(9848,'Issue',545,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:(C\\:\\\\PerfLogs\\\\* OR C\\:\\\\$Recycle.bin\\\\* OR C\\:\\\\Intel\\\\Logs\\\\* OR C\\:\\\\Users\\\\Default\\\\* OR C\\:\\\\Users\\\\Public\\\\* OR C\\:\\\\Users\\\\NetworkService\\\\* OR C\\:\\\\Windows\\\\Fonts\\\\* OR C\\:\\\\Windows\\\\Debug\\\\* OR C\\:\\\\Windows\\\\Media\\\\* OR C\\:\\\\Windows\\\\Help\\\\* OR C\\:\\\\Windows\\\\addins\\\\* OR C\\:\\\\Windows\\\\repair\\\\* OR C\\:\\\\Windows\\\\security\\\\* OR *\\\\RSA\\\\MachineKeys\\\\* OR C\\:\\\\Windows\\\\system32\\\\config\\\\systemprofile\\\\* OR C\\:\\\\Windows\\\\Tasks\\\\* OR C\\:\\\\Windows\\\\System32\\\\Tasks\\\\*))\nindex: so-*\nname: Executables Started in Suspicious Folder\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(9849,'Issue',545,9,'{{collapse(View Sigma)\n\n\ntitle: Executables Started in Suspicious Folder\nid: 7a38aa19-86a9-4af7-ac51-6bfe4e59f254\nstatus: experimental\ndescription: Detects process starts of binaries from a suspicious folder\nauthor: Florian Roth\ndate: 2017/10/14\nmodified: 2019/02/21\nreferences:\n- https://github.com/mbevilacqua/appcompatprocessor/blob/master/AppCompatSearch.txt\n- https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses\n- https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/\n- https://github.com/ThreatHuntingProject/ThreatHunting/blob/master/hunts/suspicious_process_creation_via_windows_event_logs.md\ntags:\n- attack.defense_evasion\n- attack.t1036\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n Image:\n - C:\\PerfLogs\\\\*\n - C:\\$Recycle.bin\\\\*\n - C:\\Intel\\Logs\\\\*\n - C:\\Users\\Default\\\\*\n - C:\\Users\\Public\\\\*\n - C:\\Users\\NetworkService\\\\*\n - C:\\Windows\\Fonts\\\\*\n - C:\\Windows\\Debug\\\\*\n - C:\\Windows\\Media\\\\*\n - C:\\Windows\\Help\\\\*\n - C:\\Windows\\addins\\\\*\n - C:\\Windows\\repair\\\\*\n - C:\\Windows\\security\\\\*\n - \'*\\RSA\\MachineKeys\\\\*\'\n - C:\\Windows\\system32\\config\\systemprofile\\\\*\n - C:\\Windows\\Tasks\\\\*\n - C:\\Windows\\System32\\Tasks\\\\*\n condition: selection\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(9850,'Issue',545,15,'T1036'),(9851,'Issue',546,1,'Execution in Non-Executable Folder'),(9852,'Issue',546,2,'Florian Roth'),(9853,'Issue',546,8,'none'),(9854,'Issue',546,10,'high'),(9855,'Issue',546,13,'community'),(9856,'Issue',546,14,'windows'),(9858,'Issue',546,11,'a7b3dd43a'),(9859,'Issue',546,12,'3dfd06d2-eaf4-4532-9555-68aca59f57c4'),(9860,'Issue',546,16,'win-proc'),(9861,'Issue',546,17,''),(9862,'Issue',546,7,''),(9863,'Issue',546,3,'Detects a suspicious exection from an uncommon folder'),(9864,'Issue',546,4,''),(9865,'Issue',546,5,'_False Positives_\nUnknown\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(9866,'Issue',546,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:(*\\\\$Recycle.bin OR *\\\\Users\\\\All\\ Users\\\\* OR *\\\\Users\\\\Default\\\\* OR *\\\\Users\\\\Public\\\\* OR C\\:\\\\Perflogs\\\\* OR *\\\\config\\\\systemprofile\\\\* OR *\\\\Windows\\\\Fonts\\\\* OR *\\\\Windows\\\\IME\\\\* OR *\\\\Windows\\\\addins\\\\*))\nindex: so-*\nname: Execution in Non-Executable Folder\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(9867,'Issue',546,9,'{{collapse(View Sigma)\n\n\ntitle: Execution in Non-Executable Folder\nid: 3dfd06d2-eaf4-4532-9555-68aca59f57c4\nstatus: experimental\ndescription: Detects a suspicious exection from an uncommon folder\nauthor: Florian Roth\ndate: 2019/01/16\ntags:\n- attack.defense_evasion\n- attack.t1036\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n Image:\n - \'*\\$Recycle.bin\'\n - \'*\\Users\\All Users\\\\*\'\n - \'*\\Users\\Default\\\\*\'\n - \'*\\Users\\Public\\\\*\'\n - C:\\Perflogs\\\\*\n - \'*\\config\\systemprofile\\\\*\'\n - \'*\\Windows\\Fonts\\\\*\'\n - \'*\\Windows\\IME\\\\*\'\n - \'*\\Windows\\addins\\\\*\'\n condition: selection\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(9868,'Issue',546,15,'T1036'),(9869,'Issue',547,1,'Execution in Webserver Root Folder'),(9870,'Issue',547,2,'Florian Roth'),(9871,'Issue',547,8,'none'),(9872,'Issue',547,10,'medium'),(9873,'Issue',547,13,'community'),(9874,'Issue',547,14,'windows'),(9876,'Issue',547,11,'3e95069d6'),(9877,'Issue',547,12,'35efb964-e6a5-47ad-bbcd-19661854018d'),(9878,'Issue',547,16,'win-proc'),(9879,'Issue',547,17,''),(9880,'Issue',547,7,''),(9881,'Issue',547,3,'Detects a suspicious program execution in a web service root folder (filter out false positives)'),(9882,'Issue',547,4,''),(9883,'Issue',547,5,'_False Positives_\nVarious applications\nTools that include ping or nslookup command invocations\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(9884,'Issue',547,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:(*\\\\wwwroot\\\\* OR *\\\\wmpub\\\\* OR *\\\\htdocs\\\\*) AND (NOT (process.executable.keyword:(*bin\\\\* OR *\\\\Tools\\\\* OR *\\\\SMSComponent\\\\*) AND process.parent.executable.keyword:(*\\\\services.exe))))\nindex: so-*\nname: Execution in Webserver Root Folder\npriority: 3\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(9885,'Issue',547,9,'{{collapse(View Sigma)\n\n\ntitle: Execution in Webserver Root Folder\nid: 35efb964-e6a5-47ad-bbcd-19661854018d\nstatus: experimental\ndescription: Detects a suspicious program execution in a web service root folder (filter\n out false positives)\nauthor: Florian Roth\ndate: 2019/01/16\ntags:\n- attack.persistence\n- attack.t1100\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n Image:\n - \'*\\wwwroot\\\\*\'\n - \'*\\wmpub\\\\*\'\n - \'*\\htdocs\\\\*\'\n filter:\n Image:\n - \'*bin\\\\*\'\n - \'*\\Tools\\\\*\'\n - \'*\\SMSComponent\\\\*\'\n ParentImage:\n - \'*\\services.exe\'\n condition: selection and not filter\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Various applications\n- Tools that include ping or nslookup command invocations\nlevel: medium\n\n
\n}}'),(9886,'Issue',547,15,'T1100'),(9887,'Issue',548,1,'Firewall Disabled via Netsh'),(9888,'Issue',548,2,'Fatih Sirin'),(9889,'Issue',548,8,'https://www.winhelponline.com/blog/enable-and-disable-windows-firewall-quickly-using-command-line/\nhttps://app.any.run/tasks/210244b9-0b6b-4a2c-83a3-04bd3175d017/'),(9890,'Issue',548,10,'medium'),(9891,'Issue',548,13,'community'),(9892,'Issue',548,14,'windows'),(9893,'Issue',548,15,''),(9894,'Issue',548,11,'525bbf871'),(9895,'Issue',548,12,'57c4bf16-227f-4394-8ec7-1b745ee061c3'),(9896,'Issue',548,16,'win-proc'),(9897,'Issue',548,17,''),(9898,'Issue',548,7,''),(9899,'Issue',548,3,'Detects netsh commands that turns off the Windows firewall'),(9900,'Issue',548,4,''),(9901,'Issue',548,5,'_False Positives_\nLegitimate administration'),(9902,'Issue',548,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(netsh\\ firewall\\ set\\ opmode\\ mode\\=disable OR netsh\\ advfirewall\\ set\\ *\\ state\\ off))\nindex: so-*\nname: Firewall Disabled via Netsh\npriority: 3\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(9903,'Issue',548,9,'{{collapse(View Sigma)\n\n\ntitle: Firewall Disabled via Netsh\nid: 57c4bf16-227f-4394-8ec7-1b745ee061c3\ndescription: Detects netsh commands that turns off the Windows firewall\nreferences:\n- https://www.winhelponline.com/blog/enable-and-disable-windows-firewall-quickly-using-command-line/\n- https://app.any.run/tasks/210244b9-0b6b-4a2c-83a3-04bd3175d017/\ndate: 2019/11/01\nstatus: experimental\nauthor: Fatih Sirin\ntags:\n- attack.defense_evasion\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n CommandLine:\n - netsh firewall set opmode mode=disable\n - netsh advfirewall set * state off\n condition: selection\nfalsepositives:\n- Legitimate administration\nlevel: medium\n\n
\n}}'),(9904,'Issue',549,1,'Fsutil Suspicious Invocation'),(9905,'Issue',549,2,'Ecco, E.M. Anhaus, oscd.community'),(9906,'Issue',549,8,'https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/fsutil-usn\nhttps://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070/T1070.yaml\nhttps://eqllib.readthedocs.io/en/latest/analytics/c91f422a-5214-4b17-8664-c5fcf115c0a2.html'),(9907,'Issue',549,10,'high'),(9908,'Issue',549,13,'community'),(9909,'Issue',549,14,'windows'),(9911,'Issue',549,11,'b3585220b'),(9912,'Issue',549,12,'add64136-62e5-48ea-807e-88638d02df1e'),(9913,'Issue',549,16,'win-proc'),(9914,'Issue',549,17,''),(9915,'Issue',549,7,''),(9916,'Issue',549,3,'Detects suspicious parameters of fsutil (deleting USN journal, configuring it with small size..). Might be used by ransomwares during the attack (seen by NotPetya and others)'),(9917,'Issue',549,4,''),(9918,'Issue',549,5,'_False Positives_\nAdmin activity\nScripts and administrative tools used in the monitored environment'),(9919,'Issue',549,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND (process.executable.keyword:*\\\\fsutil.exe OR OriginalFileName:\"fsutil.exe\") AND process.command_line.keyword:(*deletejournal* OR *createjournal*))\nindex: so-*\nname: Fsutil Suspicious Invocation\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(9920,'Issue',549,9,'{{collapse(View Sigma)\n\n\ntitle: Fsutil Suspicious Invocation\nid: add64136-62e5-48ea-807e-88638d02df1e\ndescription: Detects suspicious parameters of fsutil (deleting USN journal, configuring\n it with small size..). Might be used by ransomwares during the attack (seen by NotPetya\n and others)\nauthor: Ecco, E.M. Anhaus, oscd.community\ndate: 2019/09/26\nmodified: 2019/11/11\nlevel: high\nreferences:\n- https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/fsutil-usn\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070/T1070.yaml\n- https://eqllib.readthedocs.io/en/latest/analytics/c91f422a-5214-4b17-8664-c5fcf115c0a2.html\ntags:\n- attack.defense_evasion\n- attack.t1070\nlogsource:\n category: process_creation\n product: windows\ndetection:\n binary_1:\n Image|endswith: \\fsutil.exe\n binary_2:\n OriginalFileName: fsutil.exe\n selection:\n CommandLine|contains:\n - deletejournal\n - createjournal\n condition: (1 of binary_*) and selection\nfalsepositives:\n- Admin activity\n- Scripts and administrative tools used in the monitored environment\n\n
\n}}'),(9921,'Issue',549,15,'T1070'),(9922,'Issue',550,1,'Suspicious GUP Usage'),(9923,'Issue',550,2,'Florian Roth'),(9924,'Issue',550,8,'https://www.fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html'),(9925,'Issue',550,10,'high'),(9926,'Issue',550,13,'community'),(9927,'Issue',550,14,'windows'),(9929,'Issue',550,11,'64acf349c'),(9930,'Issue',550,12,'0a4f6091-223b-41f6-8743-f322ec84930b'),(9931,'Issue',550,16,'win-proc'),(9932,'Issue',550,17,''),(9933,'Issue',550,7,''),(9934,'Issue',550,3,'Detects execution of the Notepad++ updater in a suspicious directory, which is often used in DLL side-loading attacks'),(9935,'Issue',550,4,''),(9936,'Issue',550,5,'_False Positives_\nExecution of tools named GUP.exe and located in folders different than Notepad++\\updater'),(9937,'Issue',550,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\GUP.exe AND (NOT (process.executable.keyword:(C\\:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Notepad\\+\\+\\\\updater\\\\gup.exe OR C\\:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Notepad\\+\\+\\\\updater\\\\gup.exe OR C\\:\\\\Program\\ Files\\\\Notepad\\+\\+\\\\updater\\\\gup.exe OR C\\:\\\\Program\\ Files\\ \\(x86\\)\\\\Notepad\\+\\+\\\\updater\\\\gup.exe))))\nindex: so-*\nname: Suspicious GUP Usage\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(9938,'Issue',550,9,'{{collapse(View Sigma)\n\n\ntitle: Suspicious GUP Usage\nid: 0a4f6091-223b-41f6-8743-f322ec84930b\ndescription: Detects execution of the Notepad++ updater in a suspicious directory,\n which is often used in DLL side-loading attacks\nstatus: experimental\nreferences:\n- https://www.fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html\ntags:\n- attack.defense_evasion\n- attack.t1073\nauthor: Florian Roth\ndate: 2019/02/06\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n Image: \'*\\GUP.exe\'\n filter:\n Image:\n - C:\\Users\\\\*\\AppData\\Local\\Notepad++\\updater\\gup.exe\n - C:\\Users\\\\*\\AppData\\Roaming\\Notepad++\\updater\\gup.exe\n - C:\\Program Files\\Notepad++\\updater\\gup.exe\n - C:\\Program Files (x86)\\Notepad++\\updater\\gup.exe\n condition: selection and not filter\nfalsepositives:\n- Execution of tools named GUP.exe and located in folders different than Notepad++\\updater\nlevel: high\n\n
\n}}'),(9939,'Issue',550,15,'T1073'),(9940,'Issue',551,1,'IIS Native-Code Module Command Line Installation'),(9941,'Issue',551,2,'Florian Roth'),(9942,'Issue',551,8,'https://researchcenter.paloaltonetworks.com/2018/01/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/'),(9943,'Issue',551,10,'medium'),(9944,'Issue',551,13,'community'),(9945,'Issue',551,14,'windows'),(9947,'Issue',551,11,'181436e25'),(9948,'Issue',551,12,'9465ddf4-f9e4-4ebd-8d98-702df3a93239'),(9949,'Issue',551,16,'win-proc'),(9950,'Issue',551,17,''),(9951,'Issue',551,7,''),(9952,'Issue',551,3,'Detects suspicious IIS native-code module installations via command line'),(9953,'Issue',551,4,''),(9954,'Issue',551,5,'_False Positives_\nUnknown as it may vary from organisation to arganisation how admins use to install IIS modules'),(9955,'Issue',551,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(*\\\\APPCMD.EXE\\ install\\ module\\ \\/name\\:*))\nindex: so-*\nname: IIS Native-Code Module Command Line Installation\npriority: 3\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(9956,'Issue',551,9,'{{collapse(View Sigma)\n\n\ntitle: IIS Native-Code Module Command Line Installation\nid: 9465ddf4-f9e4-4ebd-8d98-702df3a93239\ndescription: Detects suspicious IIS native-code module installations via command line\nstatus: experimental\nreferences:\n- https://researchcenter.paloaltonetworks.com/2018/01/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/\nauthor: Florian Roth\ndate: 2012/12/11\ntags:\n- attack.persistence\n- attack.t1100\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n CommandLine:\n - \'*\\APPCMD.EXE install module /name:*\'\n condition: selection\nfalsepositives:\n- Unknown as it may vary from organisation to arganisation how admins use to install\n IIS modules\nlevel: medium\n\n
\n}}'),(9957,'Issue',551,15,'T1100'),(9958,'Issue',552,1,'Suspicious MsiExec Directory'),(9959,'Issue',552,2,'Florian Roth'),(9960,'Issue',552,8,'https://twitter.com/200_okay_/status/1194765831911215104'),(9961,'Issue',552,10,'high'),(9962,'Issue',552,13,'community'),(9963,'Issue',552,14,'windows'),(9965,'Issue',552,11,'37c63b72b'),(9966,'Issue',552,12,'e22a6eb2-f8a5-44b5-8b44-a2dbd47b1144'),(9967,'Issue',552,16,'win-proc'),(9968,'Issue',552,17,''),(9969,'Issue',552,7,''),(9970,'Issue',552,3,'Detects suspicious msiexec process starts in an uncommon directory'),(9971,'Issue',552,4,''),(9972,'Issue',552,5,'_False Positives_\nUnknown'),(9973,'Issue',552,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\msiexec.exe AND (NOT (process.executable.keyword:(C\\:\\\\Windows\\\\System32\\\\* OR C\\:\\\\Windows\\\\SysWOW64\\\\* OR C\\:\\\\Windows\\\\WinSxS\\\\*))))\nindex: so-*\nname: Suspicious MsiExec Directory\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(9974,'Issue',552,9,'{{collapse(View Sigma)\n\n\ntitle: Suspicious MsiExec Directory\nid: e22a6eb2-f8a5-44b5-8b44-a2dbd47b1144\nstatus: experimental\ndescription: Detects suspicious msiexec process starts in an uncommon directory\nreferences:\n- https://twitter.com/200_okay_/status/1194765831911215104\ntags:\n- attack.defense_evasion\n- attack.t1036\nauthor: Florian Roth\ndate: 2019/11/14\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n Image: \'*\\msiexec.exe\'\n filter:\n Image:\n - C:\\Windows\\System32\\\\*\n - C:\\Windows\\SysWOW64\\\\*\n - C:\\Windows\\WinSxS\\\\*\n condition: selection and not filter\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(9975,'Issue',552,15,'T1036'),(9976,'Issue',553,1,'MsiExec Web Install'),(9977,'Issue',553,2,'Florian Roth'),(9978,'Issue',553,8,'https://blog.trendmicro.com/trendlabs-security-intelligence/attack-using-windows-installer-msiexec-exe-leads-lokibot/'),(9979,'Issue',553,10,'medium'),(9980,'Issue',553,13,'community'),(9981,'Issue',553,14,'windows'),(9982,'Issue',553,15,''),(9983,'Issue',553,11,'2175aa08b'),(9984,'Issue',553,12,'f7b5f842-a6af-4da5-9e95-e32478f3cd2f'),(9985,'Issue',553,16,'win-proc'),(9986,'Issue',553,17,''),(9987,'Issue',553,7,''),(9988,'Issue',553,3,'Detects suspicious msiexec process starts with web addreses as parameter'),(9989,'Issue',553,4,''),(9990,'Issue',553,5,'_False Positives_\nFalse positives depend on scripts and administrative tools used in the monitored environment'),(9991,'Issue',553,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(*\\ msiexec*\\:\\/\\/*))\nindex: so-*\nname: MsiExec Web Install\npriority: 3\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(9992,'Issue',553,9,'{{collapse(View Sigma)\n\n\ntitle: MsiExec Web Install\nid: f7b5f842-a6af-4da5-9e95-e32478f3cd2f\nstatus: experimental\ndescription: Detects suspicious msiexec process starts with web addreses as parameter\nreferences:\n- https://blog.trendmicro.com/trendlabs-security-intelligence/attack-using-windows-installer-msiexec-exe-leads-lokibot/\ntags:\n- attack.defense_evasion\nauthor: Florian Roth\ndate: 2018/02/09\nmodified: 2012/12/11\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n CommandLine:\n - \'* msiexec*://*\'\n condition: selection\nfalsepositives:\n- False positives depend on scripts and administrative tools used in the monitored\n environment\nlevel: medium\n\n
\n}}'),(9993,'Issue',554,1,'Malicious Payload Download via Office Binaries'),(9994,'Issue',554,2,'Beyu Denis, oscd.community'),(9995,'Issue',554,8,'https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Powerpnt.yml\nhttps://medium.com/@reegun/unsanitized-file-validation-leads-to-malicious-payload-download-via-office-binaries-202d02db7191\nReegun J (OCBC Bank)'),(9996,'Issue',554,10,'high'),(9997,'Issue',554,13,'community'),(9998,'Issue',554,14,'windows'),(10000,'Issue',554,11,'8099ea1df'),(10001,'Issue',554,12,'0c79148b-118e-472b-bdb7-9b57b444cc19'),(10002,'Issue',554,16,'win-proc'),(10003,'Issue',554,17,''),(10004,'Issue',554,7,''),(10005,'Issue',554,3,'Downloads payload from remote server'),(10006,'Issue',554,4,''),(10007,'Issue',554,5,'_False Positives_\nUnknown'),(10008,'Issue',554,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:(*\\\\powerpnt.exe OR *\\\\winword.exe OR *\\\\excel.exe) AND process.command_line.keyword:*http*)\nindex: so-*\nname: Malicious Payload Download via Office Binaries\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(10009,'Issue',554,9,'{{collapse(View Sigma)\n\n\ntitle: Malicious Payload Download via Office Binaries\nid: 0c79148b-118e-472b-bdb7-9b57b444cc19\nstatus: experimental\ndescription: Downloads payload from remote server\nreferences:\n- https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Powerpnt.yml\n- https://medium.com/@reegun/unsanitized-file-validation-leads-to-malicious-payload-download-via-office-binaries-202d02db7191\n- Reegun J (OCBC Bank)\nauthor: Beyu Denis, oscd.community\ndate: 2019/10/26\nmodified: 2019/11/04\ntags:\n- attack.command_and_control\n- attack.t1105\nlevel: high\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n Image|endswith:\n - \\powerpnt.exe\n - \\winword.exe\n - \\excel.exe\n CommandLine|contains: http\n condition: selection\nfalsepositives:\n- Unknown\n\n
\n}}'),(10010,'Issue',554,15,'T1105'),(10011,'Issue',555,1,'Net.exe Execution'),(10012,'Issue',555,2,'Michael Haag, Mark Woan (improvements), James Pemberton / @4A616D6573 / oscd.community (improvements)'),(10013,'Issue',555,8,'https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/\nhttps://eqllib.readthedocs.io/en/latest/analytics/4d2e7fc1-af0b-4915-89aa-03d25ba7805e.html\nhttps://eqllib.readthedocs.io/en/latest/analytics/e61f557c-a9d0-4c25-ab5b-bbc46bb24deb.html\nhttps://eqllib.readthedocs.io/en/latest/analytics/9b3dd402-891c-4c4d-a662-28947168ce61.html'),(10014,'Issue',555,10,'low'),(10015,'Issue',555,13,'community'),(10016,'Issue',555,14,'windows'),(10018,'Issue',555,11,'8e384336b'),(10019,'Issue',555,12,'183e7ea8-ac4b-4c23-9aec-b3dac4e401ac'),(10020,'Issue',555,16,'win-proc'),(10021,'Issue',555,17,''),(10022,'Issue',555,7,''),(10023,'Issue',555,3,'Detects execution of Net.exe, whether suspicious or benign.'),(10024,'Issue',555,4,''),(10025,'Issue',555,5,'_False Positives_\nWill need to be tuned. If using Splunk, I recommend | stats count by Computer,CommandLine following the search for easy hunting by computer/CommandLine.\n\n_Interesting Log Fields_\nComputerName\nUser\nCommandLine\nParentCommandLine'),(10026,'Issue',555,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:(*\\\\net.exe OR *\\\\net1.exe) AND process.command_line.keyword:(*\\ group* OR *\\ localgroup* OR *\\ user* OR *\\ view* OR *\\ share OR *\\ accounts* OR *\\ use* OR *\\ stop\\ *))\nindex: so-*\nname: Net.exe Execution\npriority: 4\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(10027,'Issue',555,9,'{{collapse(View Sigma)\n\n\ntitle: Net.exe Execution\nid: 183e7ea8-ac4b-4c23-9aec-b3dac4e401ac\nstatus: experimental\ndescription: Detects execution of Net.exe, whether suspicious or benign.\nreferences:\n- https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/\n- https://eqllib.readthedocs.io/en/latest/analytics/4d2e7fc1-af0b-4915-89aa-03d25ba7805e.html\n- https://eqllib.readthedocs.io/en/latest/analytics/e61f557c-a9d0-4c25-ab5b-bbc46bb24deb.html\n- https://eqllib.readthedocs.io/en/latest/analytics/9b3dd402-891c-4c4d-a662-28947168ce61.html\nauthor: Michael Haag, Mark Woan (improvements), James Pemberton / @4A616D6573 / oscd.community\n (improvements)\ndate: 2019/01/16\ntags:\n- attack.s0039\n- attack.t1027\n- attack.t1049\n- attack.t1077\n- attack.t1135\n- attack.lateral_movement\n- attack.discovery\n- attack.defense_evasion\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n Image:\n - \'*\\net.exe\'\n - \'*\\net1.exe\'\n cmdline:\n CommandLine:\n - \'* group*\'\n - \'* localgroup*\'\n - \'* user*\'\n - \'* view*\'\n - \'* share\'\n - \'* accounts*\'\n - \'* use*\'\n - \'* stop *\'\n condition: selection and cmdline\nfields:\n- ComputerName\n- User\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Will need to be tuned. If using Splunk, I recommend | stats count by Computer,CommandLine\n following the search for easy hunting by computer/CommandLine.\nlevel: low\n\n
\n}}'),(10028,'Issue',555,15,'T1027'),(10029,'Issue',555,15,'T1049'),(10030,'Issue',555,15,'T1077'),(10031,'Issue',555,15,'T1135'),(10032,'Issue',556,1,'Suspicious Netsh DLL Persistence'),(10033,'Issue',556,2,'Victor Sergeev, oscd.community'),(10034,'Issue',556,8,'https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1128/T1128.md'),(10035,'Issue',556,10,'high'),(10036,'Issue',556,13,'community'),(10037,'Issue',556,14,'windows'),(10039,'Issue',556,11,'bc3cec555'),(10040,'Issue',556,12,'56321594-9087-49d9-bf10-524fe8479452'),(10041,'Issue',556,16,'win-proc'),(10042,'Issue',556,17,''),(10043,'Issue',556,7,''),(10044,'Issue',556,3,'Detects persitence via netsh helper'),(10045,'Issue',556,4,''),(10046,'Issue',556,5,'_False Positives_\nUnknown\n\n_Interesting Log Fields_\nComputerName\nUser\nCommandLine\nParentCommandLine'),(10047,'Issue',556,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\netsh.exe AND process.command_line.keyword:*add* AND process.command_line.keyword:*helper*)\nindex: so-*\nname: Suspicious Netsh DLL Persistence\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(10048,'Issue',556,9,'{{collapse(View Sigma)\n\n\ntitle: Suspicious Netsh DLL Persistence\nid: 56321594-9087-49d9-bf10-524fe8479452\ndescription: Detects persitence via netsh helper\nstatus: testing\nreferences:\n - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1128/T1128.md\ntags:\n - attack.persistence\n - attack.t1128\ndate: 2019/10/25\nmodified: 2019/10/25\nauthor: Victor Sergeev, oscd.community\nlogsource:\n category: process_creation\n product: windows \ndetection:\n selection:\n Image|endswith: \'\\netsh.exe\'\n CommandLine|contains|all:\n - \'add\'\n - \'helper\'\n condition: selection\nfields:\n - ComputerName\n - User\n - CommandLine\n - ParentCommandLine\nfalsepositives:\n - Unknown\nlevel: high\n\n
\n}}'),(10049,'Issue',556,15,'T1128'),(10050,'Issue',557,1,'Invocation of Active Directory Diagnostic Tool (ntdsutil.exe)'),(10051,'Issue',557,2,'Thomas Patzke'),(10052,'Issue',557,8,'https://jpcertcc.github.io/ToolAnalysisResultSheet/details/ntdsutil.htm'),(10053,'Issue',557,10,'high'),(10054,'Issue',557,13,'community'),(10055,'Issue',557,14,'windows'),(10057,'Issue',557,11,'49e9852da'),(10058,'Issue',557,12,'2afafd61-6aae-4df4-baed-139fa1f4c345'),(10059,'Issue',557,16,'win-proc'),(10060,'Issue',557,17,''),(10061,'Issue',557,7,''),(10062,'Issue',557,3,'Detects execution of ntdsutil.exe, which can be used for various attacks against the NTDS database (NTDS.DIT)'),(10063,'Issue',557,4,''),(10064,'Issue',557,5,'_False Positives_\nNTDS maintenance'),(10065,'Issue',557,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:*\\\\ntdsutil*)\nindex: so-*\nname: Invocation of Active Directory Diagnostic Tool (ntdsutil.exe)\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(10066,'Issue',557,9,'{{collapse(View Sigma)\n\n\ntitle: Invocation of Active Directory Diagnostic Tool (ntdsutil.exe)\nid: 2afafd61-6aae-4df4-baed-139fa1f4c345\ndescription: Detects execution of ntdsutil.exe, which can be used for various attacks\n against the NTDS database (NTDS.DIT)\nstatus: experimental\nreferences:\n- https://jpcertcc.github.io/ToolAnalysisResultSheet/details/ntdsutil.htm\nauthor: Thomas Patzke\ndate: 2019/01/16\ntags:\n- attack.credential_access\n- attack.t1003\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n CommandLine: \'*\\ntdsutil*\'\n condition: selection\nfalsepositives:\n- NTDS maintenance\nlevel: high\n\n
\n}}'),(10067,'Issue',557,15,'T1003'),(10068,'Issue',558,1,'Application Whitelisting Bypass via DLL Loaded by odbcconf.exe'),(10069,'Issue',558,2,'Kirill Kiryanov, Beyu Denis, Daniil Yugoslavskiy, oscd.community'),(10070,'Issue',558,8,'https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Odbcconf.yml\nhttps://twitter.com/Hexacorn/status/1187143326673330176'),(10071,'Issue',558,10,'medium'),(10072,'Issue',558,13,'community'),(10073,'Issue',558,14,'windows'),(10075,'Issue',558,11,'0c974e293'),(10076,'Issue',558,12,'65d2be45-8600-4042-b4c0-577a1ff8a60e'),(10077,'Issue',558,16,'win-proc'),(10078,'Issue',558,17,''),(10079,'Issue',558,7,''),(10080,'Issue',558,3,'Detects defence evasion attempt via odbcconf.exe execution to load DLL'),(10081,'Issue',558,4,''),(10082,'Issue',558,5,'_False Positives_\nLegitimate use of odbcconf.exe by legitimate user'),(10083,'Issue',558,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND ((process.executable.keyword:*\\\\odbcconf.exe AND process.command_line.keyword:(*\\-f* OR *regsvr*)) OR (process.parent.executable.keyword:*\\\\odbcconf.exe AND process.executable.keyword:*\\\\rundll32.exe)))\nindex: so-*\nname: Application Whitelisting Bypass via DLL Loaded by odbcconf.exe\npriority: 3\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(10084,'Issue',558,9,'{{collapse(View Sigma)\n\n\ntitle: Application Whitelisting Bypass via DLL Loaded by odbcconf.exe\nid: 65d2be45-8600-4042-b4c0-577a1ff8a60e\ndescription: Detects defence evasion attempt via odbcconf.exe execution to load DLL\nstatus: experimental\nreferences:\n- https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Odbcconf.yml\n- https://twitter.com/Hexacorn/status/1187143326673330176\nauthor: Kirill Kiryanov, Beyu Denis, Daniil Yugoslavskiy, oscd.community\ndate: 2019/10/25\nmodified: 2019/11/07\ntags:\n- attack.defense_evasion\n- attack.execution\n- attack.t1218\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_1:\n Image|endswith: \\odbcconf.exe\n CommandLine|contains:\n - -f\n - regsvr\n selection_2:\n ParentImage|endswith: \\odbcconf.exe\n Image|endswith: \\rundll32.exe\n condition: selection_1 or selection_2\nlevel: medium\nfalsepositives:\n- Legitimate use of odbcconf.exe by legitimate user\n\n
\n}}'),(10085,'Issue',558,15,'T1218'),(10086,'Issue',559,1,'OpenWith.exe Executes Specified Binary'),(10087,'Issue',559,2,'Beyu Denis, oscd.community (rule), @harr0ey (idea)'),(10088,'Issue',559,8,'https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/LOLUtilz/OSBinaries/Openwith.yml\nhttps://twitter.com/harr0ey/status/991670870384021504'),(10089,'Issue',559,10,'high'),(10090,'Issue',559,13,'community'),(10091,'Issue',559,14,'windows'),(10093,'Issue',559,11,'1e6152842'),(10094,'Issue',559,12,'cec8e918-30f7-4e2d-9bfa-a59cc97ae60f'),(10095,'Issue',559,16,'win-proc'),(10096,'Issue',559,17,''),(10097,'Issue',559,7,''),(10098,'Issue',559,3,'The OpenWith.exe executes other binary'),(10099,'Issue',559,4,''),(10100,'Issue',559,5,'_False Positives_\nLegitimate use of OpenWith.exe by legitimate user'),(10101,'Issue',559,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\OpenWith.exe AND process.command_line.keyword:*\\/c*)\nindex: so-*\nname: OpenWith.exe Executes Specified Binary\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(10102,'Issue',559,9,'{{collapse(View Sigma)\n\n\ntitle: OpenWith.exe Executes Specified Binary\nid: cec8e918-30f7-4e2d-9bfa-a59cc97ae60f\nstatus: experimental\ndescription: The OpenWith.exe executes other binary\nreferences:\n- https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/LOLUtilz/OSBinaries/Openwith.yml\n- https://twitter.com/harr0ey/status/991670870384021504\nauthor: Beyu Denis, oscd.community (rule), @harr0ey (idea)\ndate: 2019/10/12\nmodified: 2019/11/04\ntags:\n- attack.defense_evasion\n- attack.execution\n- attack.t1218\nlevel: high\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n Image|endswith: \\OpenWith.exe\n CommandLine|contains: /c\n condition: selection\nfalsepositives:\n- Legitimate use of OpenWith.exe by legitimate user\n\n
\n}}'),(10103,'Issue',559,15,'T1218'),(10104,'Issue',560,1,'Suspicious Execution from Outlook'),(10105,'Issue',560,2,'Markus Neis'),(10106,'Issue',560,8,'https://github.com/sensepost/ruler\nhttps://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html'),(10107,'Issue',560,10,'high'),(10108,'Issue',560,13,'community'),(10109,'Issue',560,14,'windows'),(10111,'Issue',560,11,'294e47aa7'),(10112,'Issue',560,12,'e212d415-0e93-435f-9e1a-f29005bb4723'),(10113,'Issue',560,16,'win-proc'),(10114,'Issue',560,17,''),(10115,'Issue',560,7,''),(10116,'Issue',560,3,'Detects EnableUnsafeClientMailRules used for Script Execution from Outlook'),(10117,'Issue',560,4,''),(10118,'Issue',560,5,'_False Positives_\nunknown'),(10119,'Issue',560,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND (process.command_line.keyword:*EnableUnsafeClientMailRules* OR (process.parent.executable.keyword:*\\\\outlook.exe AND process.command_line.keyword:\\\\\\\\*\\\\*.exe)))\nindex: so-*\nname: Suspicious Execution from Outlook\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(10120,'Issue',560,9,'{{collapse(View Sigma)\n\n\ntitle: Suspicious Execution from Outlook\nid: e212d415-0e93-435f-9e1a-f29005bb4723\nstatus: experimental\ndescription: Detects EnableUnsafeClientMailRules used for Script Execution from Outlook\nreferences:\n- https://github.com/sensepost/ruler\n- https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html\ntags:\n- attack.execution\n- attack.t1059\n- attack.t1202\nauthor: Markus Neis\ndate: 2018/12/27\nlogsource:\n category: process_creation\n product: windows\ndetection:\n clientMailRules:\n CommandLine: \'*EnableUnsafeClientMailRules*\'\n outlookExec:\n ParentImage: \'*\\outlook.exe\'\n CommandLine: \\\\\\\\*\\\\*.exe\n condition: clientMailRules or outlookExec\nfalsepositives:\n- unknown\nlevel: high\n\n
\n}}'),(10121,'Issue',560,15,'T1059'),(10122,'Issue',560,15,'T1202'),(10123,'Issue',561,1,'Execution in Outlook Temp Folder'),(10124,'Issue',561,2,'Florian Roth'),(10125,'Issue',561,8,'none'),(10126,'Issue',561,10,'high'),(10127,'Issue',561,13,'community'),(10128,'Issue',561,14,'windows'),(10130,'Issue',561,11,'1162b3913'),(10131,'Issue',561,12,'a018fdc3-46a3-44e5-9afb-2cd4af1d4b39'),(10132,'Issue',561,16,'win-proc'),(10133,'Issue',561,17,''),(10134,'Issue',561,7,''),(10135,'Issue',561,3,'Detects a suspicious program execution in Outlook temp folder'),(10136,'Issue',561,4,''),(10137,'Issue',561,5,'_False Positives_\nUnknown\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(10138,'Issue',561,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\Temporary\\ Internet\\ Files\\\\Content.Outlook\\\\*)\nindex: so-*\nname: Execution in Outlook Temp Folder\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(10139,'Issue',561,9,'{{collapse(View Sigma)\n\n\ntitle: Execution in Outlook Temp Folder\nid: a018fdc3-46a3-44e5-9afb-2cd4af1d4b39\nstatus: experimental\ndescription: Detects a suspicious program execution in Outlook temp folder\nauthor: Florian Roth\ndate: 2019/10/01\ntags:\n- attack.initial_access\n- attack.t1193\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n Image: \'*\\Temporary Internet Files\\Content.Outlook\\\\*\'\n condition: selection\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(10140,'Issue',561,15,'T1193'),(10141,'Issue',562,1,'Ping Hex IP'),(10142,'Issue',562,2,'Florian Roth'),(10143,'Issue',562,8,'https://github.com/vysec/Aggressor-VYSEC/blob/master/ping.cna\nhttps://twitter.com/vysecurity/status/977198418354491392'),(10144,'Issue',562,10,'high'),(10145,'Issue',562,13,'community'),(10146,'Issue',562,14,'windows'),(10148,'Issue',562,11,'478a5066b'),(10149,'Issue',562,12,'1a0d4aba-7668-4365-9ce4-6d79ab088dfd'),(10150,'Issue',562,16,'win-proc'),(10151,'Issue',562,17,''),(10152,'Issue',562,7,''),(10153,'Issue',562,3,'Detects a ping command that uses a hex encoded IP address'),(10154,'Issue',562,4,''),(10155,'Issue',562,5,'_False Positives_\nUnlikely, because no sane admin pings IP addresses in a hexadecimal form\n\n_Interesting Log Fields_\nParentCommandLine'),(10156,'Issue',562,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(*\\\\ping.exe\\ 0x* OR *\\\\ping\\ 0x*))\nindex: so-*\nname: Ping Hex IP\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(10157,'Issue',562,9,'{{collapse(View Sigma)\n\n\ntitle: Ping Hex IP\nid: 1a0d4aba-7668-4365-9ce4-6d79ab088dfd\ndescription: Detects a ping command that uses a hex encoded IP address\nreferences:\n- https://github.com/vysec/Aggressor-VYSEC/blob/master/ping.cna\n- https://twitter.com/vysecurity/status/977198418354491392\nauthor: Florian Roth\ndate: 2018/03/23\ntags:\n- attack.defense_evasion\n- attack.t1140\n- attack.t1027\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n CommandLine:\n - \'*\\ping.exe 0x*\'\n - \'*\\ping 0x*\'\n condition: selection\nfields:\n- ParentCommandLine\nfalsepositives:\n- Unlikely, because no sane admin pings IP addresses in a hexadecimal form\nlevel: high\n\n
\n}}'),(10158,'Issue',562,15,'T1140'),(10159,'Issue',562,15,'T1027'),(10160,'Issue',563,1,'Empire PowerShell Launch Parameters'),(10161,'Issue',563,2,'Florian Roth'),(10162,'Issue',563,8,'https://github.com/EmpireProject/Empire/blob/c2ba61ca8d2031dad0cfc1d5770ba723e8b710db/lib/common/helpers.py#L165\nhttps://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/lib/modules/powershell/persistence/powerbreach/deaduser.py#L191\nhttps://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/lib/modules/powershell/persistence/powerbreach/resolver.py#L178\nhttps://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-EventVwrBypass.ps1#L64'),(10163,'Issue',563,10,'critical'),(10164,'Issue',563,13,'community'),(10165,'Issue',563,14,'windows'),(10167,'Issue',563,11,'182824220'),(10168,'Issue',563,12,'79f4ede3-402e-41c8-bc3e-ebbf5f162581'),(10169,'Issue',563,16,'win-proc'),(10170,'Issue',563,17,''),(10171,'Issue',563,7,''),(10172,'Issue',563,3,'Detects suspicious powershell command line parameters used in Empire'),(10173,'Issue',563,4,''),(10174,'Issue',563,5,'_False Positives_\n Unknown'),(10175,'Issue',563,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(*\\ \\-NoP\\ \\-sta\\ \\-NonI\\ \\-W\\ Hidden\\ \\-Enc\\ * OR *\\ \\-noP\\ \\-sta\\ \\-w\\ 1\\ \\-enc\\ * OR *\\ \\-NoP\\ \\-NonI\\ \\-W\\ Hidden\\ \\-enc\\ *))\nindex: so-*\nname: Empire PowerShell Launch Parameters\npriority: 1\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(10176,'Issue',563,9,'{{collapse(View Sigma)\n\n\ntitle: Empire PowerShell Launch Parameters\nid: 79f4ede3-402e-41c8-bc3e-ebbf5f162581\ndescription: Detects suspicious powershell command line parameters used in Empire\nstatus: experimental\nreferences:\n- https://github.com/EmpireProject/Empire/blob/c2ba61ca8d2031dad0cfc1d5770ba723e8b710db/lib/common/helpers.py#L165\n- https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/lib/modules/powershell/persistence/powerbreach/deaduser.py#L191\n- https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/lib/modules/powershell/persistence/powerbreach/resolver.py#L178\n- https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-EventVwrBypass.ps1#L64\nauthor: Florian Roth\ndate: 2019/04/20\ntags:\n- attack.execution\n- attack.t1086\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n CommandLine:\n - \'* -NoP -sta -NonI -W Hidden -Enc *\'\n - \'* -noP -sta -w 1 -enc *\'\n - \'* -NoP -NonI -W Hidden -enc *\'\n condition: selection\nlevel: critical\n\n
\n}}'),(10177,'Issue',563,15,'T1086'),(10178,'Issue',564,1,'Empire PowerShell UAC Bypass'),(10179,'Issue',564,2,'Ecco'),(10180,'Issue',564,8,'https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-EventVwrBypass.ps1#L64\nhttps://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-FodHelperBypass.ps1#L64'),(10181,'Issue',564,10,'critical'),(10182,'Issue',564,13,'community'),(10183,'Issue',564,14,'windows'),(10185,'Issue',564,11,'517422778'),(10186,'Issue',564,12,'3268b746-88d8-4cd3-bffc-30077d02c787'),(10187,'Issue',564,16,'win-proc'),(10188,'Issue',564,17,''),(10189,'Issue',564,7,''),(10190,'Issue',564,3,'Detects some Empire PowerShell UAC bypass methods'),(10191,'Issue',564,4,''),(10192,'Issue',564,5,'_False Positives_\nunknown\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(10193,'Issue',564,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(*\\ \\-NoP\\ \\-NonI\\ \\-w\\ Hidden\\ \\-c\\ $x\\=$\\(\\(gp\\ HKCU\\:Software\\\\Microsoft\\\\Windows\\ Update\\).Update\\)* OR *\\ \\-NoP\\ \\-NonI\\ \\-c\\ $x\\=$\\(\\(gp\\ HKCU\\:Software\\\\Microsoft\\\\Windows\\ Update\\).Update\\);*))\nindex: so-*\nname: Empire PowerShell UAC Bypass\npriority: 1\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(10194,'Issue',564,9,'{{collapse(View Sigma)\n\n\ntitle: Empire PowerShell UAC Bypass\nid: 3268b746-88d8-4cd3-bffc-30077d02c787\nstatus: experimental\ndescription: Detects some Empire PowerShell UAC bypass methods\nreferences:\n- https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-EventVwrBypass.ps1#L64\n- https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-FodHelperBypass.ps1#L64\nauthor: Ecco\ndate: 2019/08/30\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n CommandLine:\n - \'* -NoP -NonI -w Hidden -c $x=$((gp HKCU:Software\\\\Microsoft\\\\Windows Update).Update)*\'\n - \'* -NoP -NonI -c $x=$((gp HKCU:Software\\\\Microsoft\\\\Windows Update).Update);*\'\n condition: selection\nfields:\n- CommandLine\n- ParentCommandLine\ntags:\n- attack.defense_evasion\n- attack.privilege_escalation\n- attack.t1088\n- car.2019-04-001\nfalsepositives:\n- unknown\nlevel: critical\n\n
\n}}'),(10195,'Issue',564,15,'T1088'),(10196,'Issue',565,1,'Suspicious Encoded PowerShell Command Line'),(10197,'Issue',565,2,'Florian Roth, Markus Neis'),(10198,'Issue',565,8,'https://app.any.run/tasks/6217d77d-3189-4db2-a957-8ab239f3e01e'),(10199,'Issue',565,10,'high'),(10200,'Issue',565,13,'community'),(10201,'Issue',565,14,'windows'),(10203,'Issue',565,11,'9528c3459'),(10204,'Issue',565,12,'ca2092a1-c273-4878-9b4b-0d60115bf5ea'),(10205,'Issue',565,16,'win-proc'),(10206,'Issue',565,17,''),(10207,'Issue',565,7,''),(10208,'Issue',565,3,'Detects suspicious powershell process starts with base64 encoded commands (e.g. Emotet)'),(10209,'Issue',565,4,''),(10210,'Issue',565,5,'_False Positives_\n Unknown'),(10211,'Issue',565,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(*\\ \\-e\\ JAB* OR *\\ \\-e\\ \\ JAB* OR *\\ \\-e\\ \\ \\ JAB* OR *\\ \\-e\\ \\ \\ \\ JAB* OR *\\ \\-e\\ \\ \\ \\ \\ JAB* OR *\\ \\-e\\ \\ \\ \\ \\ \\ JAB* OR *\\ \\-en\\ JAB* OR *\\ \\-enc\\ JAB* OR *\\ \\-enc*\\ JAB* OR *\\ \\-w\\ hidden\\ \\-e*\\ JAB* OR *\\ BA\\^J\\ e\\- OR *\\ \\-e\\ SUVYI* OR *\\ \\-e\\ aWV4I* OR *\\ \\-e\\ SQBFAFgA* OR *\\ \\-e\\ aQBlAHgA* OR *\\ \\-enc\\ SUVYI* OR *\\ \\-enc\\ aWV4I* OR *\\ \\-enc\\ SQBFAFgA* OR *\\ \\-enc\\ aQBlAHgA*) AND (NOT (process.command_line.keyword:*\\ \\-ExecutionPolicy\\ remotesigned\\ *)))\nindex: so-*\nname: Suspicious Encoded PowerShell Command Line\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(10212,'Issue',565,9,'{{collapse(View Sigma)\n\n\ntitle: Suspicious Encoded PowerShell Command Line\nid: ca2092a1-c273-4878-9b4b-0d60115bf5ea\ndescription: Detects suspicious powershell process starts with base64 encoded commands\n (e.g. Emotet)\nstatus: experimental\nreferences:\n- https://app.any.run/tasks/6217d77d-3189-4db2-a957-8ab239f3e01e\nauthor: Florian Roth, Markus Neis\ndate: 2018/09/03\nmodified: 2019/12/16\ntags:\n- attack.execution\n- attack.t1086\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n CommandLine:\n - \'* -e JAB*\'\n - \'* -e JAB*\'\n - \'* -e JAB*\'\n - \'* -e JAB*\'\n - \'* -e JAB*\'\n - \'* -e JAB*\'\n - \'* -en JAB*\'\n - \'* -enc JAB*\'\n - \'* -enc* JAB*\'\n - \'* -w hidden -e* JAB*\'\n - \'* BA^J e-\'\n - \'* -e SUVYI*\'\n - \'* -e aWV4I*\'\n - \'* -e SQBFAFgA*\'\n - \'* -e aQBlAHgA*\'\n - \'* -enc SUVYI*\'\n - \'* -enc aWV4I*\'\n - \'* -enc SQBFAFgA*\'\n - \'* -enc aQBlAHgA*\'\n falsepositive1:\n CommandLine: \'* -ExecutionPolicy remotesigned *\'\n condition: selection and not falsepositive1\nlevel: high\n\n
\n}}'),(10213,'Issue',565,15,'T1086'),(10214,'Issue',566,1,'Malicious Base64 Encoded PowerShell Keywords in Command Lines'),(10215,'Issue',566,2,'John Lambert (rule)'),(10216,'Issue',566,8,'http://www.leeholmes.com/blog/2017/09/21/searching-for-content-in-base-64-strings/'),(10217,'Issue',566,10,'high'),(10218,'Issue',566,13,'community'),(10219,'Issue',566,14,'windows'),(10221,'Issue',566,11,'7ae9f0c0e'),(10222,'Issue',566,12,'f26c6093-6f14-4b12-800f-0fcb46f5ffd0'),(10223,'Issue',566,16,'win-proc'),(10224,'Issue',566,17,''),(10225,'Issue',566,7,''),(10226,'Issue',566,3,'Detects base64 encoded strings used in hidden malicious PowerShell command lines'),(10227,'Issue',566,4,''),(10228,'Issue',566,5,'_False Positives_\nPenetration tests'),(10229,'Issue',566,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\powershell.exe AND process.command_line.keyword:*\\ hidden\\ * AND process.command_line.keyword:(*AGkAdABzAGEAZABtAGkAbgAgAC8AdAByAGEAbgBzAGYAZQByA* OR *aXRzYWRtaW4gL3RyYW5zZmVy* OR *IAaQB0AHMAYQBkAG0AaQBuACAALwB0AHIAYQBuAHMAZgBlAHIA* OR *JpdHNhZG1pbiAvdHJhbnNmZX* OR *YgBpAHQAcwBhAGQAbQBpAG4AIAAvAHQAcgBhAG4AcwBmAGUAcg* OR *Yml0c2FkbWluIC90cmFuc2Zlc* OR *AGMAaAB1AG4AawBfAHMAaQB6AGUA* OR *JABjAGgAdQBuAGsAXwBzAGkAegBlA* OR *JGNodW5rX3Npem* OR *QAYwBoAHUAbgBrAF8AcwBpAHoAZQ* OR *RjaHVua19zaXpl* OR *Y2h1bmtfc2l6Z* OR *AE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4A* OR *kATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8Abg* OR *lPLkNvbXByZXNzaW9u* OR *SQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuA* OR *SU8uQ29tcHJlc3Npb2* OR *Ty5Db21wcmVzc2lvb* OR *AE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQ* OR *kATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtA* OR *lPLk1lbW9yeVN0cmVhb* OR *SQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0A* OR *SU8uTWVtb3J5U3RyZWFt* OR *Ty5NZW1vcnlTdHJlYW* OR *4ARwBlAHQAQwBoAHUAbgBrA* OR *5HZXRDaHVua* OR *AEcAZQB0AEMAaAB1AG4Aaw* OR *LgBHAGUAdABDAGgAdQBuAGsA* OR *LkdldENodW5r* OR *R2V0Q2h1bm* OR *AEgAUgBFAEEARABfAEkATgBGAE8ANgA0A* OR *QASABSAEUAQQBEAF8ASQBOAEYATwA2ADQA* OR *RIUkVBRF9JTkZPNj* OR *SFJFQURfSU5GTzY0* OR *VABIAFIARQBBAEQAXwBJAE4ARgBPADYANA* OR *VEhSRUFEX0lORk82N* OR *AHIAZQBhAHQAZQBSAGUAbQBvAHQAZQBUAGgAcgBlAGEAZA* OR *cmVhdGVSZW1vdGVUaHJlYW* OR *MAcgBlAGEAdABlAFIAZQBtAG8AdABlAFQAaAByAGUAYQBkA* OR *NyZWF0ZVJlbW90ZVRocmVhZ* OR *Q3JlYXRlUmVtb3RlVGhyZWFk* OR *QwByAGUAYQB0AGUAUgBlAG0AbwB0AGUAVABoAHIAZQBhAGQA* OR *0AZQBtAG0AbwB2AGUA* OR *1lbW1vdm* OR *AGUAbQBtAG8AdgBlA* OR *bQBlAG0AbQBvAHYAZQ* OR *bWVtbW92Z* OR *ZW1tb3Zl*))\nindex: so-*\nname: Malicious Base64 Encoded PowerShell Keywords in Command Lines\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(10230,'Issue',566,9,'{{collapse(View Sigma)\n\n\ntitle: Malicious Base64 Encoded PowerShell Keywords in Command Lines\nid: f26c6093-6f14-4b12-800f-0fcb46f5ffd0\nstatus: experimental\ndescription: Detects base64 encoded strings used in hidden malicious PowerShell command\n lines\nreferences:\n- http://www.leeholmes.com/blog/2017/09/21/searching-for-content-in-base-64-strings/\ntags:\n- attack.execution\n- attack.t1086\nauthor: John Lambert (rule)\ndate: 2019/01/16\nlogsource:\n category: process_creation\n product: windows\ndetection:\n encoded:\n Image: \'*\\powershell.exe\'\n CommandLine: \'* hidden *\'\n selection:\n CommandLine:\n - \'*AGkAdABzAGEAZABtAGkAbgAgAC8AdAByAGEAbgBzAGYAZQByA*\'\n - \'*aXRzYWRtaW4gL3RyYW5zZmVy*\'\n - \'*IAaQB0AHMAYQBkAG0AaQBuACAALwB0AHIAYQBuAHMAZgBlAHIA*\'\n - \'*JpdHNhZG1pbiAvdHJhbnNmZX*\'\n - \'*YgBpAHQAcwBhAGQAbQBpAG4AIAAvAHQAcgBhAG4AcwBmAGUAcg*\'\n - \'*Yml0c2FkbWluIC90cmFuc2Zlc*\'\n - \'*AGMAaAB1AG4AawBfAHMAaQB6AGUA*\'\n - \'*JABjAGgAdQBuAGsAXwBzAGkAegBlA*\'\n - \'*JGNodW5rX3Npem*\'\n - \'*QAYwBoAHUAbgBrAF8AcwBpAHoAZQ*\'\n - \'*RjaHVua19zaXpl*\'\n - \'*Y2h1bmtfc2l6Z*\'\n - \'*AE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4A*\'\n - \'*kATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8Abg*\'\n - \'*lPLkNvbXByZXNzaW9u*\'\n - \'*SQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuA*\'\n - \'*SU8uQ29tcHJlc3Npb2*\'\n - \'*Ty5Db21wcmVzc2lvb*\'\n - \'*AE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQ*\'\n - \'*kATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtA*\'\n - \'*lPLk1lbW9yeVN0cmVhb*\'\n - \'*SQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0A*\'\n - \'*SU8uTWVtb3J5U3RyZWFt*\'\n - \'*Ty5NZW1vcnlTdHJlYW*\'\n - \'*4ARwBlAHQAQwBoAHUAbgBrA*\'\n - \'*5HZXRDaHVua*\'\n - \'*AEcAZQB0AEMAaAB1AG4Aaw*\'\n - \'*LgBHAGUAdABDAGgAdQBuAGsA*\'\n - \'*LkdldENodW5r*\'\n - \'*R2V0Q2h1bm*\'\n - \'*AEgAUgBFAEEARABfAEkATgBGAE8ANgA0A*\'\n - \'*QASABSAEUAQQBEAF8ASQBOAEYATwA2ADQA*\'\n - \'*RIUkVBRF9JTkZPNj*\'\n - \'*SFJFQURfSU5GTzY0*\'\n - \'*VABIAFIARQBBAEQAXwBJAE4ARgBPADYANA*\'\n - \'*VEhSRUFEX0lORk82N*\'\n - \'*AHIAZQBhAHQAZQBSAGUAbQBvAHQAZQBUAGgAcgBlAGEAZA*\'\n - \'*cmVhdGVSZW1vdGVUaHJlYW*\'\n - \'*MAcgBlAGEAdABlAFIAZQBtAG8AdABlAFQAaAByAGUAYQBkA*\'\n - \'*NyZWF0ZVJlbW90ZVRocmVhZ*\'\n - \'*Q3JlYXRlUmVtb3RlVGhyZWFk*\'\n - \'*QwByAGUAYQB0AGUAUgBlAG0AbwB0AGUAVABoAHIAZQBhAGQA*\'\n - \'*0AZQBtAG0AbwB2AGUA*\'\n - \'*1lbW1vdm*\'\n - \'*AGUAbQBtAG8AdgBlA*\'\n - \'*bQBlAG0AbQBvAHYAZQ*\'\n - \'*bWVtbW92Z*\'\n - \'*ZW1tb3Zl*\'\n condition: encoded and selection\nfalsepositives:\n- Penetration tests\nlevel: high\n\n
\n}}'),(10231,'Issue',566,15,'T1086'),(10232,'Issue',567,1,'Suspicious PowerShell Invocation Based on Parent Process'),(10233,'Issue',567,2,'Florian Roth'),(10234,'Issue',567,8,'https://www.carbonblack.com/2017/03/15/attackers-leverage-excel-powershell-dns-latest-non-malware-attack/'),(10235,'Issue',567,10,'medium'),(10236,'Issue',567,13,'community'),(10237,'Issue',567,14,'windows'),(10239,'Issue',567,11,'770115f6d'),(10240,'Issue',567,12,'95eadcb2-92e4-4ed1-9031-92547773a6db'),(10241,'Issue',567,16,'win-proc'),(10242,'Issue',567,17,''),(10243,'Issue',567,7,''),(10244,'Issue',567,3,'Detects suspicious powershell invocations from interpreters or unusual programs'),(10245,'Issue',567,4,''),(10246,'Issue',567,5,'_False Positives_\nMicrosoft Operations Manager (MOM)\nOther scripts\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(10247,'Issue',567,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (process.parent.executable.keyword:(*\\\\wscript.exe OR *\\\\cscript.exe) AND process.executable.keyword:(*\\\\powershell.exe)) AND (NOT (process.working_directory\".keyword:*\\\\Health\\ Service\\ State\\\\*)))\nindex: so-*\nname: Suspicious PowerShell Invocation Based on Parent Process\npriority: 3\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(10248,'Issue',567,9,'{{collapse(View Sigma)\n\n\ntitle: Suspicious PowerShell Invocation Based on Parent Process\nid: 95eadcb2-92e4-4ed1-9031-92547773a6db\nstatus: experimental\ndescription: Detects suspicious powershell invocations from interpreters or unusual\n programs\nauthor: Florian Roth\ndate: 2019/01/16\nreferences:\n- https://www.carbonblack.com/2017/03/15/attackers-leverage-excel-powershell-dns-latest-non-malware-attack/\ntags:\n- attack.execution\n- attack.t1086\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n ParentImage:\n - \'*\\wscript.exe\'\n - \'*\\cscript.exe\'\n Image:\n - \'*\\powershell.exe\'\n falsepositive:\n CurrentDirectory: \'*\\Health Service State\\\\*\'\n condition: selection and not falsepositive\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Microsoft Operations Manager (MOM)\n- Other scripts\nlevel: medium\n\n
\n}}'),(10249,'Issue',567,15,'T1086'),(10250,'Issue',568,1,'Suspicious Use of Procdump'),(10251,'Issue',568,2,'Florian Roth'),(10252,'Issue',568,8,'Internal Research'),(10253,'Issue',568,10,'high'),(10254,'Issue',568,13,'community'),(10255,'Issue',568,14,'windows'),(10257,'Issue',568,11,'5a6ba744a'),(10258,'Issue',568,12,'5afee48e-67dd-4e03-a783-f74259dcf998'),(10259,'Issue',568,16,'win-proc'),(10260,'Issue',568,17,''),(10261,'Issue',568,7,''),(10262,'Issue',568,3,'Detects suspicious uses of the SysInternals Procdump utility by using a special command line parameter in combination with the lsass.exe process. This way we\'re also able to catch cases in which the attacker has renamed the procdump executable.'),(10263,'Issue',568,4,''),(10264,'Issue',568,5,'_False Positives_\nUnlikely, because no one should dump an lsass process memory\nAnother tool that uses the command line switches of Procdump'),(10265,'Issue',568,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(*\\ \\-ma\\ *) AND process.command_line.keyword:(*\\ lsass*)) OR process.command_line.keyword:(*\\ \\-ma\\ ls*)))\nindex: so-*\nname: Suspicious Use of Procdump\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(10266,'Issue',568,9,'{{collapse(View Sigma)\n\n\ntitle: Suspicious Use of Procdump\nid: 5afee48e-67dd-4e03-a783-f74259dcf998\ndescription: Detects suspicious uses of the SysInternals Procdump utility by using\n a special command line parameter in combination with the lsass.exe process. This\n way we\'re also able to catch cases in which the attacker has renamed the procdump\n executable.\nstatus: experimental\nreferences:\n- Internal Research\nauthor: Florian Roth\ndate: 2018/10/30\nmodified: 2019/10/14\ntags:\n- attack.defense_evasion\n- attack.t1036\n- attack.credential_access\n- attack.t1003\n- car.2013-05-009\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection1:\n CommandLine:\n - \'* -ma *\'\n selection2:\n CommandLine:\n - \'* lsass*\'\n selection3:\n CommandLine:\n - \'* -ma ls*\'\n condition: ( selection1 and selection2 ) or selection3\nfalsepositives:\n- Unlikely, because no one should dump an lsass process memory\n- Another tool that uses the command line switches of Procdump\nlevel: high\n\n
\n}}'),(10267,'Issue',568,15,'T1036'),(10268,'Issue',568,15,'T1003'),(10269,'Issue',569,1,'Suspicious Process Creation'),(10270,'Issue',569,2,'Florian Roth, Daniil Yugoslavskiy, oscd.community (update)'),(10271,'Issue',569,8,'https://www.swordshield.com/2015/07/getting-hashes-from-ntds-dit-file/\nhttps://www.youtube.com/watch?v=H3t_kHQG1Js&feature=youtu.be&t=15m35s\nhttps://winscripting.blog/2017/05/12/first-entry-welcome-and-uac-bypass/\nhttps://twitter.com/subTee/status/872244674609676288\nhttps://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/remote-tool-examples\nhttps://tyranidslair.blogspot.ca/2017/07/dg-on-windows-10-s-executing-arbitrary.html\nhttps://www.trustedsec.com/2017/07/new-tool-release-nps_payload/\nhttps://subt0x10.blogspot.ca/2017/04/bypassing-application-whitelisting.html\nhttps://gist.github.com/subTee/7937a8ef07409715f15b84781e180c46#file-rat-bat\nhttps://twitter.com/vector_sec/status/896049052642533376\nhttp://security-research.dyndns.org/pub/slides/FIRST-TC-2018/FIRST-TC-2018_Tom-Ueltschi_Sysmon_PUBLIC.pdf'),(10272,'Issue',569,10,'medium'),(10273,'Issue',569,13,'community'),(10274,'Issue',569,14,'windows'),(10275,'Issue',569,15,''),(10276,'Issue',569,11,'fb8d9b1f4'),(10277,'Issue',569,12,'5f0f47a5-cb16-4dbe-9e31-e8d976d73de3'),(10278,'Issue',569,16,'win-proc'),(10279,'Issue',569,17,''),(10280,'Issue',569,7,''),(10281,'Issue',569,3,'Detects suspicious process starts on Windows systems based on keywords'),(10282,'Issue',569,4,''),(10283,'Issue',569,5,'_False Positives_\nFalse positives depend on scripts and administrative tools used in the monitored environment\n\n_Interesting Log Fields_\nComputerName\nUser\nCommandLine'),(10284,'Issue',569,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(*\\ sekurlsa\\:* OR net\\ localgroup\\ administrators\\ *\\ \\/add OR net\\ group\\ \\\"Domain\\ Admins\\\"\\ *\\ \\/ADD\\ \\/DOMAIN OR certutil.exe\\ *\\-urlcache*\\ http* OR certutil.exe\\ *\\-urlcache*\\ ftp* OR netsh\\ advfirewall\\ firewall\\ *\\\\AppData\\\\* OR attrib\\ \\+S\\ \\+H\\ \\+R\\ *\\\\AppData\\\\* OR schtasks*\\ \\/create\\ *\\\\AppData\\\\* OR schtasks*\\ \\/sc\\ minute* OR *\\\\Regasm.exe\\ *\\\\AppData\\\\* OR *\\\\Regasm\\ *\\\\AppData\\\\* OR *\\\\bitsadmin*\\ \\/transfer* OR *\\\\certutil.exe\\ *\\ \\-decode\\ * OR *\\\\certutil.exe\\ *\\ \\-decodehex\\ * OR *\\\\certutil.exe\\ \\-ping\\ * OR icacls\\ *\\ \\/grant\\ Everyone\\:F\\ \\/T\\ \\/C\\ \\/Q OR *\\ wbadmin.exe\\ delete\\ catalog\\ \\-quiet* OR *\\\\wscript.exe\\ *.jse OR *\\\\wscript.exe\\ *.js OR *\\\\wscript.exe\\ *.vba OR *\\\\wscript.exe\\ *.vbe OR *\\\\cscript.exe\\ *.jse OR *\\\\cscript.exe\\ *.js OR *\\\\cscript.exe\\ *.vba OR *\\\\cscript.exe\\ *.vbe OR *\\\\fodhelper.exe OR *waitfor*\\/s* OR *waitfor*\\/si\\ persist* OR *remote*\\/s* OR *remote*\\/c* OR *remote*\\/q* OR *AddInProcess* OR *\\ \\/stext\\ * OR *\\ \\/scomma\\ * OR *\\ \\/stab\\ * OR *\\ \\/stabular\\ * OR *\\ \\/shtml\\ * OR *\\ \\/sverhtml\\ * OR *\\ \\/sxml\\ *))\nindex: so-*\nname: Suspicious Process Creation\npriority: 3\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(10285,'Issue',569,9,'{{collapse(View Sigma)\n\n\ntitle: Suspicious Process Creation\nid: 5f0f47a5-cb16-4dbe-9e31-e8d976d73de3\ndescription: Detects suspicious process starts on Windows systems based on keywords\nstatus: experimental\nreferences:\n- https://www.swordshield.com/2015/07/getting-hashes-from-ntds-dit-file/\n- https://www.youtube.com/watch?v=H3t_kHQG1Js&feature=youtu.be&t=15m35s\n- https://winscripting.blog/2017/05/12/first-entry-welcome-and-uac-bypass/\n- https://twitter.com/subTee/status/872244674609676288\n- https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/remote-tool-examples\n- https://tyranidslair.blogspot.ca/2017/07/dg-on-windows-10-s-executing-arbitrary.html\n- https://www.trustedsec.com/2017/07/new-tool-release-nps_payload/\n- https://subt0x10.blogspot.ca/2017/04/bypassing-application-whitelisting.html\n- https://gist.github.com/subTee/7937a8ef07409715f15b84781e180c46#file-rat-bat\n- https://twitter.com/vector_sec/status/896049052642533376\n- http://security-research.dyndns.org/pub/slides/FIRST-TC-2018/FIRST-TC-2018_Tom-Ueltschi_Sysmon_PUBLIC.pdf\nauthor: Florian Roth, Daniil Yugoslavskiy, oscd.community (update)\ndate: 2018/01/01\nmodified: 2019/11/01\ntags:\n- car.2013-07-001\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n CommandLine:\n - \'* sekurlsa:*\'\n - net localgroup administrators * /add\n - net group \"Domain Admins\" * /ADD /DOMAIN\n - certutil.exe *-urlcache* http*\n - certutil.exe *-urlcache* ftp*\n - netsh advfirewall firewall *\\AppData\\\\*\n - attrib +S +H +R *\\AppData\\\\*\n - schtasks* /create *\\AppData\\\\*\n - schtasks* /sc minute*\n - \'*\\Regasm.exe *\\AppData\\\\*\'\n - \'*\\Regasm *\\AppData\\\\*\'\n - \'*\\bitsadmin* /transfer*\'\n - \'*\\certutil.exe * -decode *\'\n - \'*\\certutil.exe * -decodehex *\'\n - \'*\\certutil.exe -ping *\'\n - icacls * /grant Everyone:F /T /C /Q\n - \'* wbadmin.exe delete catalog -quiet*\'\n - \'*\\wscript.exe *.jse\'\n - \'*\\wscript.exe *.js\'\n - \'*\\wscript.exe *.vba\'\n - \'*\\wscript.exe *.vbe\'\n - \'*\\cscript.exe *.jse\'\n - \'*\\cscript.exe *.js\'\n - \'*\\cscript.exe *.vba\'\n - \'*\\cscript.exe *.vbe\'\n - \'*\\fodhelper.exe\'\n - \'*waitfor*/s*\'\n - \'*waitfor*/si persist*\'\n - \'*remote*/s*\'\n - \'*remote*/c*\'\n - \'*remote*/q*\'\n - \'*AddInProcess*\'\n - \'* /stext *\'\n - \'* /scomma *\'\n - \'* /stab *\'\n - \'* /stabular *\'\n - \'* /shtml *\'\n - \'* /sverhtml *\'\n - \'* /sxml *\'\n condition: selection\nfields:\n- ComputerName\n- User\n- CommandLine\nfalsepositives:\n- False positives depend on scripts and administrative tools used in the monitored\n environment\nlevel: medium\n\n
\n}}'),(10286,'Issue',570,1,'Suspicious Program Location Process Starts'),(10287,'Issue',570,2,'Florian Roth'),(10288,'Issue',570,8,'https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo'),(10289,'Issue',570,10,'high'),(10290,'Issue',570,13,'community'),(10291,'Issue',570,14,'windows'),(10293,'Issue',570,11,'8bd722168'),(10294,'Issue',570,12,'f50bfd8b-e2a3-4c15-9373-7900b5a4c6d5'),(10295,'Issue',570,16,'win-proc'),(10296,'Issue',570,17,''),(10297,'Issue',570,7,''),(10298,'Issue',570,3,'Detects programs running in suspicious files system locations'),(10299,'Issue',570,4,''),(10300,'Issue',570,5,'_False Positives_\nunknown'),(10301,'Issue',570,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:(*\\\\$Recycle.bin OR *\\\\Users\\\\Public\\\\* OR C\\:\\\\Perflogs\\\\* OR *\\\\Windows\\\\Fonts\\\\* OR *\\\\Windows\\\\IME\\\\* OR *\\\\Windows\\\\addins\\\\* OR *\\\\Windows\\\\debug\\\\*))\nindex: so-*\nname: Suspicious Program Location Process Starts\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(10302,'Issue',570,9,'{{collapse(View Sigma)\n\n\ntitle: Suspicious Program Location Process Starts\nid: f50bfd8b-e2a3-4c15-9373-7900b5a4c6d5\nstatus: experimental\ndescription: Detects programs running in suspicious files system locations\nreferences:\n- https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo\ntags:\n- attack.defense_evasion\n- attack.t1036\nauthor: Florian Roth\ndate: 2019/01/15\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n Image:\n - \'*\\$Recycle.bin\'\n - \'*\\Users\\Public\\\\*\'\n - C:\\Perflogs\\\\*\n - \'*\\Windows\\Fonts\\\\*\'\n - \'*\\Windows\\IME\\\\*\'\n - \'*\\Windows\\addins\\\\*\'\n - \'*\\Windows\\debug\\\\*\'\n condition: selection\nfalsepositives:\n- unknown\nlevel: high\n\n
\n}}'),(10303,'Issue',570,15,'T1036'),(10304,'Issue',571,1,'PowerShell Script Run in AppData'),(10305,'Issue',571,2,'Florian Roth'),(10306,'Issue',571,8,'https://twitter.com/JohnLaTwC/status/1082851155481288706\nhttps://app.any.run/tasks/f87f1c4e-47e2-4c46-9cf4-31454c06ce03'),(10307,'Issue',571,10,'medium'),(10308,'Issue',571,13,'community'),(10309,'Issue',571,14,'windows'),(10311,'Issue',571,11,'42ba455ec'),(10312,'Issue',571,12,'ac175779-025a-4f12-98b0-acdaeb77ea85'),(10313,'Issue',571,16,'win-proc'),(10314,'Issue',571,17,''),(10315,'Issue',571,7,''),(10316,'Issue',571,3,'Detects a suspicious command line execution that invokes PowerShell with reference to an AppData folder'),(10317,'Issue',571,4,''),(10318,'Issue',571,5,'_False Positives_\nAdministrative scripts'),(10319,'Issue',571,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(*\\ \\/c\\ powershell*\\\\AppData\\\\Local\\\\* OR *\\ \\/c\\ powershell*\\\\AppData\\\\Roaming\\\\*))\nindex: so-*\nname: PowerShell Script Run in AppData\npriority: 3\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(10320,'Issue',571,9,'{{collapse(View Sigma)\n\n\ntitle: PowerShell Script Run in AppData\nid: ac175779-025a-4f12-98b0-acdaeb77ea85\nstatus: experimental\ndescription: Detects a suspicious command line execution that invokes PowerShell with\n reference to an AppData folder\nreferences:\n- https://twitter.com/JohnLaTwC/status/1082851155481288706\n- https://app.any.run/tasks/f87f1c4e-47e2-4c46-9cf4-31454c06ce03\ntags:\n- attack.execution\n- attack.t1086\nauthor: Florian Roth\ndate: 2019/01/09\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n CommandLine:\n - \'* /c powershell*\\AppData\\Local\\\\*\'\n - \'* /c powershell*\\AppData\\Roaming\\\\*\'\n condition: selection\nfalsepositives:\n- Administrative scripts\nlevel: medium\n\n
\n}}'),(10321,'Issue',571,15,'T1086'),(10322,'Issue',572,1,'PowerShell DownloadFile'),(10323,'Issue',572,2,'Florian Roth'),(10324,'Issue',572,8,'https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html'),(10325,'Issue',572,10,'high'),(10326,'Issue',572,13,'community'),(10327,'Issue',572,14,'windows'),(10329,'Issue',572,11,'9c624cc24'),(10330,'Issue',572,12,'8f70ac5f-1f6f-4f8e-b454-db19561216c5'),(10331,'Issue',572,16,'win-proc'),(10332,'Issue',572,17,''),(10333,'Issue',572,7,''),(10334,'Issue',572,3,'Detects the execution of powershell, a WebClient object creation and the invocation of DownloadFile in a single command line'),(10335,'Issue',572,4,''),(10336,'Issue',572,5,'_False Positives_\nUnknown'),(10337,'Issue',572,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:*powershell* AND process.command_line.keyword:*.DownloadFile* AND process.command_line.keyword:*System.Net.WebClient*)\nindex: so-*\nname: PowerShell DownloadFile\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(10338,'Issue',572,9,'{{collapse(View Sigma)\n\n\ntitle: PowerShell DownloadFile\nid: 8f70ac5f-1f6f-4f8e-b454-db19561216c5\nstatus: experimental\ndescription: Detects the execution of powershell, a WebClient object creation and\n the invocation of DownloadFile in a single command line\nreferences:\n- https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html\nauthor: Florian Roth\ndate: 2020/03/25\ntags:\n- attack.execution\n- attack.t1086\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n CommandLine|contains|all:\n - powershell\n - .DownloadFile\n - System.Net.WebClient\n condition: selection\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(10339,'Issue',572,15,'T1086'),(10340,'Issue',573,1,'Psr.exe Capture Screenshots'),(10341,'Issue',573,2,'Beyu Denis, oscd.community'),(10342,'Issue',573,8,'https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/LOLUtilz/OSBinaries/Psr.yml\nhttps://www.sans.org/summit-archives/file/summit-archive-1493861893.pdf'),(10343,'Issue',573,10,'medium'),(10344,'Issue',573,13,'community'),(10345,'Issue',573,14,'windows'),(10347,'Issue',573,11,'5688f942b'),(10348,'Issue',573,12,'2158f96f-43c2-43cb-952a-ab4580f32382'),(10349,'Issue',573,16,'win-proc'),(10350,'Issue',573,17,''),(10351,'Issue',573,7,''),(10352,'Issue',573,3,'The psr.exe captures desktop screenshots and saves them on the local machine'),(10353,'Issue',573,4,''),(10354,'Issue',573,5,'_False Positives_\nUnknown'),(10355,'Issue',573,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\Psr.exe AND process.command_line.keyword:*\\/start*)\nindex: so-*\nname: Psr.exe Capture Screenshots\npriority: 3\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(10356,'Issue',573,9,'{{collapse(View Sigma)\n\n\ntitle: Psr.exe Capture Screenshots\nid: 2158f96f-43c2-43cb-952a-ab4580f32382\nstatus: experimental\ndescription: The psr.exe captures desktop screenshots and saves them on the local\n machine\nreferences:\n- https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/LOLUtilz/OSBinaries/Psr.yml\n- https://www.sans.org/summit-archives/file/summit-archive-1493861893.pdf\nauthor: Beyu Denis, oscd.community\ndate: 2019/10/12\nmodified: 2019/11/04\ntags:\n- attack.persistence\n- attack.t1218\nlevel: medium\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n Image|endswith: \\Psr.exe\n CommandLine|contains: /start\n condition: selection\nfalsepositives:\n- Unknown\n\n
\n}}'),(10357,'Issue',573,15,'T1218'),(10358,'Issue',574,1,'Suspicious RASdial Activity'),(10359,'Issue',574,2,'juju4'),(10360,'Issue',574,8,'https://twitter.com/subTee/status/891298217907830785'),(10361,'Issue',574,10,'medium'),(10362,'Issue',574,13,'community'),(10363,'Issue',574,14,'windows'),(10365,'Issue',574,11,'5b5babf55'),(10366,'Issue',574,12,'6bba49bf-7f8c-47d6-a1bb-6b4dece4640e'),(10367,'Issue',574,16,'win-proc'),(10368,'Issue',574,17,''),(10369,'Issue',574,7,''),(10370,'Issue',574,3,'Detects suspicious process related to rasdial.exe'),(10371,'Issue',574,4,''),(10372,'Issue',574,5,'_False Positives_\nFalse positives depend on scripts and administrative tools used in the monitored environment'),(10373,'Issue',574,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line:(\"rasdial\"))\nindex: so-*\nname: Suspicious RASdial Activity\npriority: 3\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(10374,'Issue',574,9,'{{collapse(View Sigma)\n\n\ntitle: Suspicious RASdial Activity\nid: 6bba49bf-7f8c-47d6-a1bb-6b4dece4640e\ndescription: Detects suspicious process related to rasdial.exe\nstatus: experimental\nreferences:\n- https://twitter.com/subTee/status/891298217907830785\nauthor: juju4\ndate: 2019/01/16\ntags:\n- attack.defense_evasion\n- attack.execution\n- attack.t1064\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n CommandLine:\n - rasdial\n condition: selection\nfalsepositives:\n- False positives depend on scripts and administrative tools used in the monitored\n environment\nlevel: medium\n\n
\n}}'),(10375,'Issue',574,15,'T1064'),(10376,'Issue',575,1,'Suspicious Reconnaissance Activity'),(10377,'Issue',575,2,'Florian Roth'),(10378,'Issue',575,8,'none'),(10379,'Issue',575,10,'medium'),(10380,'Issue',575,13,'community'),(10381,'Issue',575,14,'windows'),(10383,'Issue',575,11,'b1f48d3a8'),(10384,'Issue',575,12,'d95de845-b83c-4a9a-8a6a-4fc802ebf6c0'),(10385,'Issue',575,16,'win-proc'),(10386,'Issue',575,17,''),(10387,'Issue',575,7,''),(10388,'Issue',575,3,'Detects suspicious command line activity on Windows systems'),(10389,'Issue',575,4,''),(10390,'Issue',575,5,'_False Positives_\nInventory tool runs\nPenetration tests\nAdministrative activity\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(10391,'Issue',575,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line:(\"net\\ group\\ \\\"domain\\ admins\\\"\\ \\/domain\" OR \"net\\ localgroup\\ administrators\"))\nindex: so-*\nname: Suspicious Reconnaissance Activity\npriority: 3\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(10392,'Issue',575,9,'{{collapse(View Sigma)\n\n\ntitle: Suspicious Reconnaissance Activity\nid: d95de845-b83c-4a9a-8a6a-4fc802ebf6c0\nstatus: experimental\ndescription: Detects suspicious command line activity on Windows systems\nauthor: Florian Roth\ndate: 2019/01/16\ntags:\n- attack.discovery\n- attack.t1087\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n CommandLine:\n - net group \"domain admins\" /domain\n - net localgroup administrators\n condition: selection\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Inventory tool runs\n- Penetration tests\n- Administrative activity\nanalysis:\n recommendation: Check if the user that executed the commands is suspicious (e.g.\n service accounts, LOCAL_SYSTEM)\nlevel: medium\n\n
\n}}'),(10393,'Issue',575,15,'T1087'),(10394,'Issue',576,1,'Regsvr32 Anomaly'),(10395,'Issue',576,2,'Florian Roth'),(10396,'Issue',576,8,'https://subt0x10.blogspot.de/2017/04/bypass-application-whitelisting-script.html'),(10397,'Issue',576,10,'high'),(10398,'Issue',576,13,'community'),(10399,'Issue',576,14,'windows'),(10401,'Issue',576,11,'e316d1d1d'),(10402,'Issue',576,12,'8e2b24c9-4add-46a0-b4bb-0057b4e6187d'),(10403,'Issue',576,16,'win-proc'),(10404,'Issue',576,17,''),(10405,'Issue',576,7,''),(10406,'Issue',576,3,'Detects various anomalies in relation to regsvr32.exe'),(10407,'Issue',576,4,''),(10408,'Issue',576,5,'_False Positives_\nUnknown\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(10409,'Issue',576,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND ((process.executable.keyword:*\\\\regsvr32.exe AND process.command_line.keyword:*\\\\Temp\\\\*) OR (process.executable.keyword:*\\\\regsvr32.exe AND process.parent.executable.keyword:*\\\\powershell.exe) OR (process.executable.keyword:*\\\\regsvr32.exe AND process.parent.executable.keyword:*\\\\cmd.exe) OR (process.executable.keyword:*\\\\regsvr32.exe AND process.command_line.keyword:(*\\/i\\:http*\\ scrobj.dll OR *\\/i\\:ftp*\\ scrobj.dll)) OR (process.executable.keyword:*\\\\wscript.exe AND process.parent.executable.keyword:*\\\\regsvr32.exe) OR (process.executable.keyword:*\\\\EXCEL.EXE AND process.command_line.keyword:*..\\\\..\\\\..\\\\Windows\\\\System32\\\\regsvr32.exe\\ *)))\nindex: so-*\nname: Regsvr32 Anomaly\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(10410,'Issue',576,9,'{{collapse(View Sigma)\n\n\ntitle: Regsvr32 Anomaly\nid: 8e2b24c9-4add-46a0-b4bb-0057b4e6187d\nstatus: experimental\ndescription: Detects various anomalies in relation to regsvr32.exe\nauthor: Florian Roth\ndate: 2019/01/16\nreferences:\n- https://subt0x10.blogspot.de/2017/04/bypass-application-whitelisting-script.html\ntags:\n- attack.t1117\n- attack.defense_evasion\n- attack.execution\n- car.2019-04-002\n- car.2019-04-003\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection1:\n Image: \'*\\regsvr32.exe\'\n CommandLine: \'*\\Temp\\\\*\'\n selection2:\n Image: \'*\\regsvr32.exe\'\n ParentImage: \'*\\powershell.exe\'\n selection3:\n Image: \'*\\regsvr32.exe\'\n ParentImage: \'*\\cmd.exe\'\n selection4:\n Image: \'*\\regsvr32.exe\'\n CommandLine:\n - \'*/i:http* scrobj.dll\'\n - \'*/i:ftp* scrobj.dll\'\n selection5:\n Image: \'*\\wscript.exe\'\n ParentImage: \'*\\regsvr32.exe\'\n selection6:\n Image: \'*\\EXCEL.EXE\'\n CommandLine: \'*..\\..\\..\\Windows\\System32\\regsvr32.exe *\'\n condition: 1 of them\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(10411,'Issue',576,15,'T1117'),(10412,'Issue',577,1,'Renamed ZOHO Dctask64'),(10413,'Issue',577,2,'Florian Roth'),(10414,'Issue',577,8,'https://twitter.com/gN3mes1s/status/1222088214581825540\nhttps://twitter.com/gN3mes1s/status/1222095963789111296\nhttps://twitter.com/gN3mes1s/status/1222095371175911424'),(10415,'Issue',577,10,'high'),(10416,'Issue',577,13,'community'),(10417,'Issue',577,14,'windows'),(10419,'Issue',577,11,'393865805'),(10420,'Issue',577,12,'340a090b-c4e9-412e-bb36-b4b16fe96f9b'),(10421,'Issue',577,16,'win-proc'),(10422,'Issue',577,17,''),(10423,'Issue',577,7,''),(10424,'Issue',577,3,'Detects a renamed dctask64.exe used for process injection, command execution, process creation with a signed binary by ZOHO Corporation'),(10425,'Issue',577,4,''),(10426,'Issue',577,5,'_False Positives_\nUnknown yet\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine\nParentImage'),(10427,'Issue',577,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event_data.Imphash:\"6834B1B94E49701D77CCB3C0895E1AFD\" AND (NOT (process.executable.keyword:*\\\\dctask64.exe)))\nindex: so-*\nname: Renamed ZOHO Dctask64\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(10428,'Issue',577,9,'{{collapse(View Sigma)\n\n\ntitle: Renamed ZOHO Dctask64\nid: 340a090b-c4e9-412e-bb36-b4b16fe96f9b\nstatus: experimental\ndescription: Detects a renamed dctask64.exe used for process injection, command execution,\n process creation with a signed binary by ZOHO Corporation\nreferences:\n- https://twitter.com/gN3mes1s/status/1222088214581825540\n- https://twitter.com/gN3mes1s/status/1222095963789111296\n- https://twitter.com/gN3mes1s/status/1222095371175911424\nauthor: Florian Roth\ndate: 2020/01/28\ntags:\n- attack.defense_evasion\n- attack.t1055\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n Imphash: 6834B1B94E49701D77CCB3C0895E1AFD\n filter:\n Image|endswith: \\dctask64.exe\n condition: selection and not filter\nfields:\n- CommandLine\n- ParentCommandLine\n- ParentImage\nfalsepositives:\n- Unknown yet\nlevel: high\n\n
\n}}'),(10429,'Issue',577,15,'T1055'),(10430,'Issue',578,1,'Suspicious Process Start Locations'),(10431,'Issue',578,2,'juju4'),(10432,'Issue',578,8,'https://car.mitre.org/wiki/CAR-2013-05-002'),(10433,'Issue',578,10,'medium'),(10434,'Issue',578,13,'community'),(10435,'Issue',578,14,'windows'),(10437,'Issue',578,11,'a6272c5e4'),(10438,'Issue',578,12,'15b75071-74cc-47e0-b4c6-b43744a62a2b'),(10439,'Issue',578,16,'win-proc'),(10440,'Issue',578,17,''),(10441,'Issue',578,7,''),(10442,'Issue',578,3,'Detects suspicious process run from unusual locations'),(10443,'Issue',578,4,''),(10444,'Issue',578,5,'_False Positives_\nFalse positives depend on scripts and administrative tools used in the monitored environment'),(10445,'Issue',578,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:(*\\:\\\\RECYCLER\\\\* OR *\\:\\\\SystemVolumeInformation\\\\* OR C\\:\\\\Windows\\\\Tasks\\\\* OR C\\:\\\\Windows\\\\debug\\\\* OR C\\:\\\\Windows\\\\fonts\\\\* OR C\\:\\\\Windows\\\\help\\\\* OR C\\:\\\\Windows\\\\drivers\\\\* OR C\\:\\\\Windows\\\\addins\\\\* OR C\\:\\\\Windows\\\\cursors\\\\* OR C\\:\\\\Windows\\\\system32\\\\tasks\\\\*))\nindex: so-*\nname: Suspicious Process Start Locations\npriority: 3\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(10446,'Issue',578,9,'{{collapse(View Sigma)\n\n\ntitle: Suspicious Process Start Locations\nid: 15b75071-74cc-47e0-b4c6-b43744a62a2b\ndescription: Detects suspicious process run from unusual locations\nstatus: experimental\nreferences:\n- https://car.mitre.org/wiki/CAR-2013-05-002\nauthor: juju4\ndate: 2019/01/16\ntags:\n- attack.defense_evasion\n- attack.t1036\n- car.2013-05-002\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n Image:\n - \'*:\\RECYCLER\\\\*\'\n - \'*:\\SystemVolumeInformation\\\\*\'\n - C:\\\\Windows\\\\Tasks\\\\*\n - C:\\\\Windows\\\\debug\\\\*\n - C:\\\\Windows\\\\fonts\\\\*\n - C:\\\\Windows\\\\help\\\\*\n - C:\\\\Windows\\\\drivers\\\\*\n - C:\\\\Windows\\\\addins\\\\*\n - C:\\\\Windows\\\\cursors\\\\*\n - C:\\\\Windows\\\\system32\\tasks\\\\*\n condition: selection\nfalsepositives:\n- False positives depend on scripts and administrative tools used in the monitored\n environment\nlevel: medium\n\n
\n}}'),(10447,'Issue',578,15,'T1036'),(10448,'Issue',579,1,'Suspicious Rundll32 Activity'),(10449,'Issue',579,2,'juju4'),(10450,'Issue',579,8,'http://www.hexacorn.com/blog/2017/05/01/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline/\nhttps://twitter.com/Hexacorn/status/885258886428725250\nhttps://gist.github.com/ryhanson/227229866af52e2d963cf941af135a52'),(10451,'Issue',579,10,'medium'),(10452,'Issue',579,13,'community'),(10453,'Issue',579,14,'windows'),(10455,'Issue',579,11,'c359373f5'),(10456,'Issue',579,12,'e593cf51-88db-4ee1-b920-37e89012a3c9'),(10457,'Issue',579,16,'win-proc'),(10458,'Issue',579,17,''),(10459,'Issue',579,7,''),(10460,'Issue',579,3,'Detects suspicious process related to rundll32 based on arguments'),(10461,'Issue',579,4,''),(10462,'Issue',579,5,'_False Positives_\nFalse positives depend on scripts and administrative tools used in the monitored environment'),(10463,'Issue',579,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(*\\\\rundll32.exe*\\ url.dll,*OpenURL\\ * OR *\\\\rundll32.exe*\\ url.dll,*OpenURLA\\ * OR *\\\\rundll32.exe*\\ url.dll,*FileProtocolHandler\\ * OR *\\\\rundll32.exe*\\ zipfldr.dll,*RouteTheCall\\ * OR *\\\\rundll32.exe*\\ Shell32.dll,*Control_RunDLL\\ * OR *\\\\rundll32.exe\\ javascript\\:* OR *\\ url.dll,*OpenURL\\ * OR *\\ url.dll,*OpenURLA\\ * OR *\\ url.dll,*FileProtocolHandler\\ * OR *\\ zipfldr.dll,*RouteTheCall\\ * OR *\\ Shell32.dll,*Control_RunDLL\\ * OR *\\ javascript\\:* OR *.RegisterXLL*))\nindex: so-*\nname: Suspicious Rundll32 Activity\npriority: 3\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(10464,'Issue',579,9,'{{collapse(View Sigma)\n\n\ntitle: Suspicious Rundll32 Activity\nid: e593cf51-88db-4ee1-b920-37e89012a3c9\ndescription: Detects suspicious process related to rundll32 based on arguments\nstatus: experimental\nreferences:\n- http://www.hexacorn.com/blog/2017/05/01/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline/\n- https://twitter.com/Hexacorn/status/885258886428725250\n- https://gist.github.com/ryhanson/227229866af52e2d963cf941af135a52\ntags:\n- attack.defense_evasion\n- attack.execution\n- attack.t1085\nauthor: juju4\ndate: 2019/01/16\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n CommandLine:\n - \'*\\rundll32.exe* url.dll,*OpenURL *\'\n - \'*\\rundll32.exe* url.dll,*OpenURLA *\'\n - \'*\\rundll32.exe* url.dll,*FileProtocolHandler *\'\n - \'*\\rundll32.exe* zipfldr.dll,*RouteTheCall *\'\n - \'*\\rundll32.exe* Shell32.dll,*Control_RunDLL *\'\n - \'*\\rundll32.exe javascript:*\'\n - \'* url.dll,*OpenURL *\'\n - \'* url.dll,*OpenURLA *\'\n - \'* url.dll,*FileProtocolHandler *\'\n - \'* zipfldr.dll,*RouteTheCall *\'\n - \'* Shell32.dll,*Control_RunDLL *\'\n - \'* javascript:*\'\n - \'*.RegisterXLL*\'\n condition: selection\nfalsepositives:\n- False positives depend on scripts and administrative tools used in the monitored\n environment\nlevel: medium\n\n
\n}}'),(10465,'Issue',579,15,'T1085'),(10466,'Issue',580,1,'Suspicious Call by Ordinal'),(10467,'Issue',580,2,'Florian Roth'),(10468,'Issue',580,8,'https://techtalk.pcmatic.com/2017/11/30/running-dll-files-malware-analysis/\nhttps://github.com/Neo23x0/DLLRunner\nhttps://twitter.com/cyb3rops/status/1186631731543236608'),(10469,'Issue',580,10,'high'),(10470,'Issue',580,13,'community'),(10471,'Issue',580,14,'windows'),(10473,'Issue',580,11,'b8fe700a1'),(10474,'Issue',580,12,'e79a9e79-eb72-4e78-a628-0e7e8f59e89c'),(10475,'Issue',580,16,'win-proc'),(10476,'Issue',580,17,''),(10477,'Issue',580,7,''),(10478,'Issue',580,3,'Detects suspicious calls of DLLs in rundll32.dll exports by ordinal'),(10479,'Issue',580,4,''),(10480,'Issue',580,5,'_False Positives_\nFalse positives depend on scripts and administrative tools used in the monitored environment\nWindows contol panel elements have been identified as source (mmc)'),(10481,'Issue',580,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:*\\\\rundll32.exe\\ *,#*)\nindex: so-*\nname: Suspicious Call by Ordinal\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(10482,'Issue',580,9,'{{collapse(View Sigma)\n\n\ntitle: Suspicious Call by Ordinal\nid: e79a9e79-eb72-4e78-a628-0e7e8f59e89c\ndescription: Detects suspicious calls of DLLs in rundll32.dll exports by ordinal\nstatus: experimental\nreferences:\n- https://techtalk.pcmatic.com/2017/11/30/running-dll-files-malware-analysis/\n- https://github.com/Neo23x0/DLLRunner\n- https://twitter.com/cyb3rops/status/1186631731543236608\ntags:\n- attack.defense_evasion\n- attack.execution\n- attack.t1085\nauthor: Florian Roth\ndate: 2019/10/22\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n CommandLine: \'*\\rundll32.exe *,#*\'\n condition: selection\nfalsepositives:\n- False positives depend on scripts and administrative tools used in the monitored\n environment\n- Windows contol panel elements have been identified as source (mmc)\nlevel: high\n\n
\n}}'),(10483,'Issue',580,15,'T1085'),(10484,'Issue',581,1,'Scheduled Task Creation'),(10485,'Issue',581,2,'Florian Roth'),(10486,'Issue',581,8,'none'),(10487,'Issue',581,10,'low'),(10488,'Issue',581,13,'community'),(10489,'Issue',581,14,'windows'),(10491,'Issue',581,11,'337aa5b57'),(10492,'Issue',581,12,'92626ddd-662c-49e3-ac59-f6535f12d189'),(10493,'Issue',581,16,'win-proc'),(10494,'Issue',581,17,''),(10495,'Issue',581,7,''),(10496,'Issue',581,3,'Detects the creation of scheduled tasks in user session'),(10497,'Issue',581,4,''),(10498,'Issue',581,5,'_False Positives_\nAdministrative activity\nSoftware installation\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(10499,'Issue',581,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (process.executable.keyword:*\\\\schtasks.exe AND process.command_line.keyword:*\\ \\/create\\ *) AND (NOT (event_data.User:\"NT\\ AUTHORITY\\\\SYSTEM\")))\nindex: so-*\nname: Scheduled Task Creation\npriority: 4\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(10500,'Issue',581,9,'{{collapse(View Sigma)\n\n\ntitle: Scheduled Task Creation\nid: 92626ddd-662c-49e3-ac59-f6535f12d189\nstatus: experimental\ndescription: Detects the creation of scheduled tasks in user session\nauthor: Florian Roth\ndate: 2019/01/16\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n Image: \'*\\schtasks.exe\'\n CommandLine: \'* /create *\'\n filter:\n User: NT AUTHORITY\\SYSTEM\n condition: selection and not filter\nfields:\n- CommandLine\n- ParentCommandLine\ntags:\n- attack.execution\n- attack.persistence\n- attack.privilege_escalation\n- attack.t1053\n- attack.s0111\n- car.2013-08-001\nfalsepositives:\n- Administrative activity\n- Software installation\nlevel: low\n\n
\n}}'),(10501,'Issue',581,15,'T1053'),(10502,'Issue',582,1,'WSF/JSE/JS/VBA/VBE File Execution'),(10503,'Issue',582,2,'Michael Haag'),(10504,'Issue',582,8,'none'),(10505,'Issue',582,10,'medium'),(10506,'Issue',582,13,'community'),(10507,'Issue',582,14,'windows'),(10509,'Issue',582,11,'6ed3e4c86'),(10510,'Issue',582,12,'1e33157c-53b1-41ad-bbcc-780b80b58288'),(10511,'Issue',582,16,'win-proc'),(10512,'Issue',582,17,''),(10513,'Issue',582,7,''),(10514,'Issue',582,3,'Detects suspicious file execution by wscript and cscript'),(10515,'Issue',582,4,''),(10516,'Issue',582,5,'_False Positives_\nWill need to be tuned. I recommend adding the user profile path in CommandLine if it is getting too noisy.\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(10517,'Issue',582,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:(*\\\\wscript.exe OR *\\\\cscript.exe) AND process.command_line.keyword:(*.jse OR *.vbe OR *.js OR *.vba))\nindex: so-*\nname: WSF/JSE/JS/VBA/VBE File Execution\npriority: 3\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(10518,'Issue',582,9,'{{collapse(View Sigma)\n\n\ntitle: WSF/JSE/JS/VBA/VBE File Execution\nid: 1e33157c-53b1-41ad-bbcc-780b80b58288\nstatus: experimental\ndescription: Detects suspicious file execution by wscript and cscript\nauthor: Michael Haag\ndate: 2019/01/16\ntags:\n- attack.execution\n- attack.t1064\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n Image:\n - \'*\\wscript.exe\'\n - \'*\\cscript.exe\'\n CommandLine:\n - \'*.jse\'\n - \'*.vbe\'\n - \'*.js\'\n - \'*.vba\'\n condition: selection\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Will need to be tuned. I recommend adding the user profile path in CommandLine if\n it is getting too noisy.\nlevel: medium\n\n
\n}}'),(10519,'Issue',582,15,'T1064'),(10520,'Issue',583,1,'Suspicious Service Path Modification'),(10521,'Issue',583,2,'Victor Sergeev, oscd.community'),(10522,'Issue',583,8,'https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1031/T1031.yaml'),(10523,'Issue',583,10,'high'),(10524,'Issue',583,13,'community'),(10525,'Issue',583,14,'windows'),(10527,'Issue',583,11,'4809892f5'),(10528,'Issue',583,12,'138d3531-8793-4f50-a2cd-f291b2863d78'),(10529,'Issue',583,16,'win-proc'),(10530,'Issue',583,17,''),(10531,'Issue',583,7,''),(10532,'Issue',583,3,'Detects service path modification to powershell/cmd'),(10533,'Issue',583,4,''),(10534,'Issue',583,5,'_False Positives_\nUnknown\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(10535,'Issue',583,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\sc.exe AND process.command_line.keyword:*config* AND process.command_line.keyword:*binpath* AND process.command_line.keyword:(*powershell* OR *cmd*))\nindex: so-*\nname: Suspicious Service Path Modification\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(10536,'Issue',583,9,'{{collapse(View Sigma)\n\n\ntitle: Suspicious Service Path Modification\nid: 138d3531-8793-4f50-a2cd-f291b2863d78\ndescription: Detects service path modification to powershell/cmd\nstatus: experimental\nreferences:\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1031/T1031.yaml\ntags:\n- attack.persistence\n- attack.t1031\ndate: 2019/10/21\nmodified: 2019/11/10\nauthor: Victor Sergeev, oscd.community\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection_1:\n Image|endswith: \\sc.exe\n CommandLine|contains|all:\n - config\n - binpath\n selection_2:\n CommandLine|contains:\n - powershell\n - cmd\n condition: selection_1 and selection_2\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(10537,'Issue',583,15,'T1031'),(10538,'Issue',584,1,'Squirrel Lolbin'),(10539,'Issue',584,2,'Karneades / Markus Neis'),(10540,'Issue',584,8,'http://www.hexacorn.com/blog/2019/03/30/sqirrel-packages-manager-as-a-lolbin-a-k-a-many-electron-apps-are-lolbins-by-default/\nhttp://www.hexacorn.com/blog/2018/08/16/squirrel-as-a-lolbin/'),(10541,'Issue',584,10,'high'),(10542,'Issue',584,13,'community'),(10543,'Issue',584,14,'windows'),(10544,'Issue',584,15,''),(10545,'Issue',584,11,'820e704e9'),(10546,'Issue',584,12,'fa4b21c9-0057-4493-b289-2556416ae4d7'),(10547,'Issue',584,16,'win-proc'),(10548,'Issue',584,17,''),(10549,'Issue',584,7,''),(10550,'Issue',584,3,'Detects Possible Squirrel Packages Manager as Lolbin'),(10551,'Issue',584,4,''),(10552,'Issue',584,5,'_False Positives_\n1Clipboard\nBeaker Browser\nCaret\nCollectie\nDiscord\nFigma\nFlow\nGhost\nGitHub Desktop\nGitKraken\nHyper\nInsomnia\nJIBO\nKap\nKitematic\nNow Desktop\nPostman\nPostmanCanary\nRambox\nSimplenote\nSkype\nSlack\nSourceTree\nStride\nSvgsus\nWebTorrent\nWhatsApp\nWordPress.com\natom\ngitkraken\nslack\nteams'),(10553,'Issue',584,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:(*\\\\update.exe) AND process.command_line.keyword:(*\\-\\-processStart*.exe* OR *\\-\\-processStartAndWait*.exe* OR *\\-\\-createShortcut*.exe*))\nindex: so-*\nname: Squirrel Lolbin\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(10554,'Issue',584,9,'{{collapse(View Sigma)\n\n\ntitle: Squirrel Lolbin\nid: fa4b21c9-0057-4493-b289-2556416ae4d7\nstatus: experimental\ndescription: Detects Possible Squirrel Packages Manager as Lolbin\nreferences:\n- http://www.hexacorn.com/blog/2019/03/30/sqirrel-packages-manager-as-a-lolbin-a-k-a-many-electron-apps-are-lolbins-by-default/\n- http://www.hexacorn.com/blog/2018/08/16/squirrel-as-a-lolbin/\ntags:\n- attack.execution\nauthor: Karneades / Markus Neis\ndate: 2019/11/12\nfalsepositives:\n- 1Clipboard\n- Beaker Browser\n- Caret\n- Collectie\n- Discord\n- Figma\n- Flow\n- Ghost\n- GitHub Desktop\n- GitKraken\n- Hyper\n- Insomnia\n- JIBO\n- Kap\n- Kitematic\n- Now Desktop\n- Postman\n- PostmanCanary\n- Rambox\n- Simplenote\n- Skype\n- Slack\n- SourceTree\n- Stride\n- Svgsus\n- WebTorrent\n- WhatsApp\n- WordPress.com\n- atom\n- gitkraken\n- slack\n- teams\nlevel: high\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n Image:\n - \'*\\update.exe\'\n CommandLine:\n - \'*--processStart*.exe*\'\n - \'*--processStartAndWait*.exe*\'\n - \'*--createShortcut*.exe*\'\n condition: selection\n\n
\n}}'),(10555,'Issue',585,1,'Suspicious Svchost Process'),(10556,'Issue',585,2,'Florian Roth'),(10557,'Issue',585,8,'none'),(10558,'Issue',585,10,'high'),(10559,'Issue',585,13,'community'),(10560,'Issue',585,14,'windows'),(10562,'Issue',585,11,'e79b5ce03'),(10563,'Issue',585,12,'01d2e2a1-5f09-44f7-9fc1-24faa7479b6d'),(10564,'Issue',585,16,'win-proc'),(10565,'Issue',585,17,''),(10566,'Issue',585,7,''),(10567,'Issue',585,3,'Detects a suspicious svchost process start'),(10568,'Issue',585,4,''),(10569,'Issue',585,5,'_False Positives_\nUnknown\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(10570,'Issue',585,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (process.executable.keyword:*\\\\svchost.exe AND (NOT (process.parent.executable.keyword:(*\\\\services.exe OR *\\\\MsMpEng.exe OR *\\\\Mrt.exe OR *\\\\rpcnet.exe OR *\\\\svchost.exe)))) AND (NOT (NOT _exists_:process.parent.executable)))\nindex: so-*\nname: Suspicious Svchost Process\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(10571,'Issue',585,9,'{{collapse(View Sigma)\n\n\ntitle: Suspicious Svchost Process\nid: 01d2e2a1-5f09-44f7-9fc1-24faa7479b6d\nstatus: experimental\ndescription: Detects a suspicious svchost process start\ntags:\n- attack.defense_evasion\n- attack.t1036\nauthor: Florian Roth\ndate: 2017/08/15\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n Image: \'*\\svchost.exe\'\n filter:\n ParentImage:\n - \'*\\services.exe\'\n - \'*\\MsMpEng.exe\'\n - \'*\\Mrt.exe\'\n - \'*\\rpcnet.exe\'\n - \'*\\svchost.exe\'\n filter_null:\n ParentImage:\n condition: selection and not filter and not filter_null\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(10572,'Issue',585,15,'T1036'),(10573,'Issue',586,1,'Suspect Svchost Activity'),(10574,'Issue',586,2,'David Burkett'),(10575,'Issue',586,8,'https://securitybytes.io/blue-team-fundamentals-part-two-windows-processes-759fe15965e2'),(10576,'Issue',586,10,'critical'),(10577,'Issue',586,13,'community'),(10578,'Issue',586,14,'windows'),(10580,'Issue',586,11,'df188a171'),(10581,'Issue',586,12,'16c37b52-b141-42a5-a3ea-bbe098444397'),(10582,'Issue',586,16,'win-proc'),(10583,'Issue',586,17,''),(10584,'Issue',586,7,''),(10585,'Issue',586,3,'It is extremely abnormal for svchost.exe to spawn without any CLI arguments and is normally observed when a malicious process spawns the process and injects code into the process memory space.'),(10586,'Issue',586,4,''),(10587,'Issue',586,5,'_False Positives_\nrpcnet.exe / rpcnetp.exe which is a lojack style software. https://www.blackhat.com/docs/us-14/materials/us-14-Kamlyuk-Kamluk-Computrace-Backdoor-Revisited.pdf\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(10588,'Issue',586,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND NOT _exists_:process.command_line AND process.executable.keyword:*\\\\svchost.exe) AND (NOT (process.parent.executable.keyword:(*\\\\rpcnet.exe OR *\\\\rpcnetp.exe))))\nindex: so-*\nname: Suspect Svchost Activity\npriority: 1\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(10589,'Issue',586,9,'{{collapse(View Sigma)\n\n\ntitle: Suspect Svchost Activity\nid: 16c37b52-b141-42a5-a3ea-bbe098444397\nstatus: experimental\ndescription: It is extremely abnormal for svchost.exe to spawn without any CLI arguments\n and is normally observed when a malicious process spawns the process and injects\n code into the process memory space.\nreferences:\n- https://securitybytes.io/blue-team-fundamentals-part-two-windows-processes-759fe15965e2\nauthor: David Burkett\ndate: 2019/12/28\ntags:\n- attack.t1055\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection1:\n CommandLine:\n selection2:\n Image: \'*\\svchost.exe\'\n filter:\n ParentImage:\n - \'*\\rpcnet.exe\'\n - \'*\\rpcnetp.exe\'\n condition: (selection1 and selection2) and not filter\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- rpcnet.exe / rpcnetp.exe which is a lojack style software. https://www.blackhat.com/docs/us-14/materials/us-14-Kamlyuk-Kamluk-Computrace-Backdoor-Revisited.pdf\nlevel: critical\n\n
\n}}'),(10590,'Issue',586,15,'T1055'),(10591,'Issue',587,1,'Sysprep on AppData Folder'),(10592,'Issue',587,2,'Florian Roth'),(10593,'Issue',587,8,'https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets\nhttps://app.any.run/tasks/61a296bb-81ad-4fee-955f-3b399f4aaf4b'),(10594,'Issue',587,10,'medium'),(10595,'Issue',587,13,'community'),(10596,'Issue',587,14,'windows'),(10597,'Issue',587,15,''),(10598,'Issue',587,11,'ec7672eaa'),(10599,'Issue',587,12,'d5b9ae7a-e6fc-405e-80ff-2ff9dcc64e7e'),(10600,'Issue',587,16,'win-proc'),(10601,'Issue',587,17,''),(10602,'Issue',587,7,''),(10603,'Issue',587,3,'Detects suspicious sysprep process start with AppData folder as target (as used by Trojan Syndicasec in Thrip report by Symantec)'),(10604,'Issue',587,4,''),(10605,'Issue',587,5,'_False Positives_\nFalse positives depend on scripts and administrative tools used in the monitored environment'),(10606,'Issue',587,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(*\\\\sysprep.exe\\ *\\\\AppData\\\\* OR sysprep.exe\\ *\\\\AppData\\\\*))\nindex: so-*\nname: Sysprep on AppData Folder\npriority: 3\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(10607,'Issue',587,9,'{{collapse(View Sigma)\n\n\ntitle: Sysprep on AppData Folder\nid: d5b9ae7a-e6fc-405e-80ff-2ff9dcc64e7e\nstatus: experimental\ndescription: Detects suspicious sysprep process start with AppData folder as target\n (as used by Trojan Syndicasec in Thrip report by Symantec)\nreferences:\n- https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets\n- https://app.any.run/tasks/61a296bb-81ad-4fee-955f-3b399f4aaf4b\ntags:\n- attack.execution\nauthor: Florian Roth\ndate: 2018/06/22\nmodified: 2018/12/11\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n CommandLine:\n - \'*\\sysprep.exe *\\AppData\\\\*\'\n - sysprep.exe *\\AppData\\\\*\n condition: selection\nfalsepositives:\n- False positives depend on scripts and administrative tools used in the monitored\n environment\nlevel: medium\n\n
\n}}'),(10608,'Issue',588,1,'Suspicious SYSVOL Domain Group Policy Access'),(10609,'Issue',588,2,'Markus Neis'),(10610,'Issue',588,8,'https://adsecurity.org/?p=2288\nhttps://www.hybrid-analysis.com/sample/f2943f5e45befa52fb12748ca7171d30096e1d4fc3c365561497c618341299d5?environmentId=100'),(10611,'Issue',588,10,'medium'),(10612,'Issue',588,13,'community'),(10613,'Issue',588,14,'windows'),(10615,'Issue',588,11,'3587e5ee1'),(10616,'Issue',588,12,'05f3c945-dcc8-4393-9f3d-af65077a8f86'),(10617,'Issue',588,16,'win-proc'),(10618,'Issue',588,17,''),(10619,'Issue',588,7,''),(10620,'Issue',588,3,'Detects Access to Domain Group Policies stored in SYSVOL'),(10621,'Issue',588,4,''),(10622,'Issue',588,5,'_False Positives_\nadministrative activity'),(10623,'Issue',588,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:*\\\\SYSVOL\\\\*\\\\policies\\\\*)\nindex: so-*\nname: Suspicious SYSVOL Domain Group Policy Access\npriority: 3\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(10624,'Issue',588,9,'{{collapse(View Sigma)\n\n\ntitle: Suspicious SYSVOL Domain Group Policy Access\nid: 05f3c945-dcc8-4393-9f3d-af65077a8f86\nstatus: experimental\ndescription: Detects Access to Domain Group Policies stored in SYSVOL\nreferences:\n- https://adsecurity.org/?p=2288\n- https://www.hybrid-analysis.com/sample/f2943f5e45befa52fb12748ca7171d30096e1d4fc3c365561497c618341299d5?environmentId=100\nauthor: Markus Neis\ndate: 2018/04/09\nmodified: 2018/12/11\ntags:\n- attack.credential_access\n- attack.t1003\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n CommandLine: \'*\\SYSVOL\\\\*\\policies\\\\*\'\n condition: selection\nfalsepositives:\n- administrative activity\nlevel: medium\n\n
\n}}'),(10625,'Issue',588,15,'T1003'),(10626,'Issue',589,1,'Taskmgr as LOCAL_SYSTEM'),(10627,'Issue',589,2,'Florian Roth'),(10628,'Issue',589,8,'none'),(10629,'Issue',589,10,'high'),(10630,'Issue',589,13,'community'),(10631,'Issue',589,14,'windows'),(10633,'Issue',589,11,'6bcf5f333'),(10634,'Issue',589,12,'9fff585c-c33e-4a86-b3cd-39312079a65f'),(10635,'Issue',589,16,'win-proc'),(10636,'Issue',589,17,''),(10637,'Issue',589,7,''),(10638,'Issue',589,3,'Detects the creation of taskmgr.exe process in context of LOCAL_SYSTEM'),(10639,'Issue',589,4,''),(10640,'Issue',589,5,'_False Positives_\nUnkown'),(10641,'Issue',589,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event_data.User:\"NT\\ AUTHORITY\\\\SYSTEM\" AND process.executable.keyword:*\\\\taskmgr.exe)\nindex: so-*\nname: Taskmgr as LOCAL_SYSTEM\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(10642,'Issue',589,9,'{{collapse(View Sigma)\n\n\ntitle: Taskmgr as LOCAL_SYSTEM\nid: 9fff585c-c33e-4a86-b3cd-39312079a65f\nstatus: experimental\ndescription: Detects the creation of taskmgr.exe process in context of LOCAL_SYSTEM\ntags:\n- attack.defense_evasion\n- attack.t1036\nauthor: Florian Roth\ndate: 2018/03/18\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n User: NT AUTHORITY\\SYSTEM\n Image: \'*\\taskmgr.exe\'\n condition: selection\nfalsepositives:\n- Unkown\nlevel: high\n\n
\n}}'),(10643,'Issue',589,15,'T1036'),(10644,'Issue',590,1,'Taskmgr as Parent'),(10645,'Issue',590,2,'Florian Roth'),(10646,'Issue',590,8,'none'),(10647,'Issue',590,10,'low'),(10648,'Issue',590,13,'community'),(10649,'Issue',590,14,'windows'),(10651,'Issue',590,11,'0181905d0'),(10652,'Issue',590,12,'3d7679bd-0c00-440c-97b0-3f204273e6c7'),(10653,'Issue',590,16,'win-proc'),(10654,'Issue',590,17,''),(10655,'Issue',590,7,''),(10656,'Issue',590,3,'Detects the creation of a process from Windows task manager'),(10657,'Issue',590,4,''),(10658,'Issue',590,5,'_False Positives_\nAdministrative activity\n\n_Interesting Log Fields_\nImage\nCommandLine\nParentCommandLine'),(10659,'Issue',590,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.parent.executable.keyword:*\\\\taskmgr.exe AND (NOT (process.executable.keyword:(*\\\\resmon.exe OR *\\\\mmc.exe OR *\\\\taskmgr.exe))))\nindex: so-*\nname: Taskmgr as Parent\npriority: 4\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(10660,'Issue',590,9,'{{collapse(View Sigma)\n\n\ntitle: Taskmgr as Parent\nid: 3d7679bd-0c00-440c-97b0-3f204273e6c7\nstatus: experimental\ndescription: Detects the creation of a process from Windows task manager\ntags:\n- attack.defense_evasion\n- attack.t1036\nauthor: Florian Roth\ndate: 2018/03/13\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n ParentImage: \'*\\taskmgr.exe\'\n filter:\n Image:\n - \'*\\resmon.exe\'\n - \'*\\mmc.exe\'\n - \'*\\taskmgr.exe\'\n condition: selection and not filter\nfields:\n- Image\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Administrative activity\nlevel: low\n\n
\n}}'),(10661,'Issue',590,15,'T1036'),(10662,'Issue',591,1,'Suspicious TSCON Start'),(10663,'Issue',591,2,'Florian Roth'),(10664,'Issue',591,8,'http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html\nhttps://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6'),(10665,'Issue',591,10,'high'),(10666,'Issue',591,13,'community'),(10667,'Issue',591,14,'windows'),(10669,'Issue',591,11,'884abbf53'),(10670,'Issue',591,12,'9847f263-4a81-424f-970c-875dab15b79b'),(10671,'Issue',591,16,'win-proc'),(10672,'Issue',591,17,''),(10673,'Issue',591,7,''),(10674,'Issue',591,3,'Detects a tscon.exe start as LOCAL SYSTEM'),(10675,'Issue',591,4,''),(10676,'Issue',591,5,'_False Positives_\nUnknown'),(10677,'Issue',591,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event_data.User:\"NT\\ AUTHORITY\\\\SYSTEM\" AND process.executable.keyword:*\\\\tscon.exe)\nindex: so-*\nname: Suspicious TSCON Start\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(10678,'Issue',591,9,'{{collapse(View Sigma)\n\n\ntitle: Suspicious TSCON Start\nid: 9847f263-4a81-424f-970c-875dab15b79b\nstatus: experimental\ndescription: Detects a tscon.exe start as LOCAL SYSTEM\nreferences:\n- http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html\n- https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6\nauthor: Florian Roth\ndate: 2018/03/17\ntags:\n- attack.command_and_control\n- attack.t1219\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n User: NT AUTHORITY\\SYSTEM\n Image: \'*\\tscon.exe\'\n condition: selection\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(10679,'Issue',591,15,'T1219'),(10680,'Issue',592,1,'Suspicious RDP Redirect Using TSCON'),(10681,'Issue',592,2,'Florian Roth'),(10682,'Issue',592,8,'http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html\nhttps://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6'),(10683,'Issue',592,10,'high'),(10684,'Issue',592,13,'community'),(10685,'Issue',592,14,'windows'),(10687,'Issue',592,11,'0ad8fd2d6'),(10688,'Issue',592,12,'f72aa3e8-49f9-4c7d-bd74-f8ab84ff9bbb'),(10689,'Issue',592,16,'win-proc'),(10690,'Issue',592,17,''),(10691,'Issue',592,7,''),(10692,'Issue',592,3,'Detects a suspicious RDP session redirect using tscon.exe'),(10693,'Issue',592,4,''),(10694,'Issue',592,5,'_False Positives_\nUnknown'),(10695,'Issue',592,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:*\\ \\/dest\\:rdp\\-tcp\\:*)\nindex: so-*\nname: Suspicious RDP Redirect Using TSCON\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(10696,'Issue',592,9,'{{collapse(View Sigma)\n\n\ntitle: Suspicious RDP Redirect Using TSCON\nid: f72aa3e8-49f9-4c7d-bd74-f8ab84ff9bbb\nstatus: experimental\ndescription: Detects a suspicious RDP session redirect using tscon.exe\nreferences:\n- http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html\n- https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6\ntags:\n- attack.lateral_movement\n- attack.privilege_escalation\n- attack.t1076\n- car.2013-07-002\nauthor: Florian Roth\ndate: 2018/03/17\nmodified: 2018/12/11\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n CommandLine: \'* /dest:rdp-tcp:*\'\n condition: selection\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(10697,'Issue',592,15,'T1076'),(10698,'Issue',593,1,'Suspicious Use of CSharp Interactive Console'),(10699,'Issue',593,2,'Michael R. (@nahamike01)'),(10700,'Issue',593,8,'https://redcanary.com/blog/detecting-attacks-leveraging-the-net-framework/'),(10701,'Issue',593,10,'high'),(10702,'Issue',593,13,'community'),(10703,'Issue',593,14,'windows'),(10705,'Issue',593,11,'b2533edff'),(10706,'Issue',593,12,'a9e416a8-e613-4f8b-88b8-a7d1d1af2f61'),(10707,'Issue',593,16,'win-proc'),(10708,'Issue',593,17,''),(10709,'Issue',593,7,''),(10710,'Issue',593,3,'Detects the execution of CSharp interactive console by PowerShell'),(10711,'Issue',593,4,''),(10712,'Issue',593,5,'_False Positives_\nPossible depending on environment. Pair with other factors such as net connections, command-line args, etc.'),(10713,'Issue',593,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\csi.exe AND process.parent.executable.keyword:*\\\\powershell.exe AND OriginalFileName:\"csi.exe\")\nindex: so-*\nname: Suspicious Use of CSharp Interactive Console\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(10714,'Issue',593,9,'{{collapse(View Sigma)\n\n\ntitle: Suspicious Use of CSharp Interactive Console\nid: a9e416a8-e613-4f8b-88b8-a7d1d1af2f61\nstatus: experimental\ndescription: Detects the execution of CSharp interactive console by PowerShell\nreferences:\n- https://redcanary.com/blog/detecting-attacks-leveraging-the-net-framework/\nauthor: Michael R. (@nahamike01)\ndate: 2020/03/08\ntags:\n- attack.execution\n- attack.t1127\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n Image|endswith: \\csi.exe\n ParentImage|endswith: \\powershell.exe\n OriginalFileName: csi.exe\n condition: selection\nfalsepositives:\n- Possible depending on environment. Pair with other factors such as net connections,\n command-line args, etc.\nlevel: high\n\n
\n}}'),(10715,'Issue',593,15,'T1127'),(10716,'Issue',594,1,'Suspicious Userinit Child Process'),(10717,'Issue',594,2,'Florian Roth (rule), Samir Bousseaden (idea)'),(10718,'Issue',594,8,'https://twitter.com/SBousseaden/status/1139811587760562176'),(10719,'Issue',594,10,'medium'),(10720,'Issue',594,13,'community'),(10721,'Issue',594,14,'windows'),(10722,'Issue',594,15,''),(10723,'Issue',594,11,'afd4cadf2'),(10724,'Issue',594,12,'b655a06a-31c0-477a-95c2-3726b83d649d'),(10725,'Issue',594,16,'win-proc'),(10726,'Issue',594,17,''),(10727,'Issue',594,7,''),(10728,'Issue',594,3,'Detects a suspicious child process of userinit'),(10729,'Issue',594,4,''),(10730,'Issue',594,5,'_False Positives_\nAdministrative scripts\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(10731,'Issue',594,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND (process.parent.executable.keyword:*\\\\userinit.exe AND (NOT (process.command_line.keyword:*\\\\netlogon\\\\*))) AND (NOT (process.executable.keyword:*\\\\explorer.exe)))\nindex: so-*\nname: Suspicious Userinit Child Process\npriority: 3\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(10732,'Issue',594,9,'{{collapse(View Sigma)\n\n\ntitle: Suspicious Userinit Child Process\nid: b655a06a-31c0-477a-95c2-3726b83d649d\nstatus: experimental\ndescription: Detects a suspicious child process of userinit\nreferences:\n- https://twitter.com/SBousseaden/status/1139811587760562176\nauthor: Florian Roth (rule), Samir Bousseaden (idea)\ndate: 2019/06/17\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n ParentImage: \'*\\userinit.exe\'\n filter1:\n CommandLine: \'*\\\\netlogon\\\\*\'\n filter2:\n Image: \'*\\explorer.exe\'\n condition: selection and not filter1 and not filter2\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Administrative scripts\nlevel: medium\n\n
\n}}'),(10733,'Issue',595,1,'Whoami Execution'),(10734,'Issue',595,2,'Florian Roth'),(10735,'Issue',595,8,'https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/\nhttps://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/'),(10736,'Issue',595,10,'high'),(10737,'Issue',595,13,'community'),(10738,'Issue',595,14,'windows'),(10740,'Issue',595,11,'28ff9a2dc'),(10741,'Issue',595,12,'e28a5a99-da44-436d-b7a0-2afc20a5f413'),(10742,'Issue',595,16,'win-proc'),(10743,'Issue',595,17,''),(10744,'Issue',595,7,''),(10745,'Issue',595,3,'Detects the execution of whoami, which is often used by attackers after exloitation / privilege escalation but rarely used by administrators'),(10746,'Issue',595,4,''),(10747,'Issue',595,5,'_False Positives_\nAdmin activity\nScripts and administrative tools used in the monitored environment'),(10748,'Issue',595,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND (process.executable.keyword:*\\\\whoami.exe OR OriginalFileName:\"whoami.exe\"))\nindex: so-*\nname: Whoami Execution\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(10749,'Issue',595,9,'{{collapse(View Sigma)\n\n\ntitle: Whoami Execution\nid: e28a5a99-da44-436d-b7a0-2afc20a5f413\nstatus: experimental\ndescription: Detects the execution of whoami, which is often used by attackers after\n exloitation / privilege escalation but rarely used by administrators\nreferences:\n- https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/\n- https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/\nauthor: Florian Roth\ndate: 2018/08/13\ntags:\n- attack.discovery\n- attack.t1033\n- car.2016-03-001\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n Image: \'*\\whoami.exe\'\n selection2:\n OriginalFileName: whoami.exe\n condition: selection or selection2\nfalsepositives:\n- Admin activity\n- Scripts and administrative tools used in the monitored environment\nlevel: high\n\n
\n}}'),(10750,'Issue',595,15,'T1033'),(10751,'Issue',596,1,'Suspicious WMI Execution'),(10752,'Issue',596,2,'Michael Haag, Florian Roth, juju4'),(10753,'Issue',596,8,'https://digital-forensics.sans.org/blog/2010/06/04/wmic-draft/\nhttps://www.hybrid-analysis.com/sample/4be06ecd234e2110bd615649fe4a6fa95403979acf889d7e45a78985eb50acf9?environmentId=1\nhttps://blog.malwarebytes.com/threat-analysis/2016/04/rokku-ransomware/'),(10754,'Issue',596,10,'medium'),(10755,'Issue',596,13,'community'),(10756,'Issue',596,14,'windows'),(10758,'Issue',596,11,'c641d0d76'),(10759,'Issue',596,12,'526be59f-a573-4eea-b5f7-f0973207634d'),(10760,'Issue',596,16,'win-proc'),(10761,'Issue',596,17,''),(10762,'Issue',596,7,''),(10763,'Issue',596,3,'Detects WMI executing suspicious commands'),(10764,'Issue',596,4,''),(10765,'Issue',596,5,'_False Positives_\nWill need to be tuned\nIf using Splunk, I recommend | stats count by Computer,CommandLine following for easy hunting by Computer/CommandLine.\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(10766,'Issue',596,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:(*\\\\wmic.exe) AND process.command_line.keyword:(*\\/NODE\\:*process\\ call\\ create\\ * OR *\\ path\\ AntiVirusProduct\\ get\\ * OR *\\ path\\ FirewallProduct\\ get\\ * OR *\\ shadowcopy\\ delete\\ *))\nindex: so-*\nname: Suspicious WMI Execution\npriority: 3\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(10767,'Issue',596,9,'{{collapse(View Sigma)\n\n\ntitle: Suspicious WMI Execution\nid: 526be59f-a573-4eea-b5f7-f0973207634d\nstatus: experimental\ndescription: Detects WMI executing suspicious commands\nreferences:\n- https://digital-forensics.sans.org/blog/2010/06/04/wmic-draft/\n- https://www.hybrid-analysis.com/sample/4be06ecd234e2110bd615649fe4a6fa95403979acf889d7e45a78985eb50acf9?environmentId=1\n- https://blog.malwarebytes.com/threat-analysis/2016/04/rokku-ransomware/\nauthor: Michael Haag, Florian Roth, juju4\ndate: 2019/01/16\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n Image:\n - \'*\\wmic.exe\'\n CommandLine:\n - \'*/NODE:*process call create *\'\n - \'* path AntiVirusProduct get *\'\n - \'* path FirewallProduct get *\'\n - \'* shadowcopy delete *\'\n condition: selection\nfields:\n- CommandLine\n- ParentCommandLine\ntags:\n- attack.execution\n- attack.t1047\n- car.2016-03-002\nfalsepositives:\n- Will need to be tuned\n- If using Splunk, I recommend | stats count by Computer,CommandLine following for\n easy hunting by Computer/CommandLine.\nlevel: medium\n\n
\n}}'),(10768,'Issue',596,15,'T1047'),(10769,'Issue',597,1,'Sysmon Driver Unload'),(10770,'Issue',597,2,'Kirill Kiryanov, oscd.community'),(10771,'Issue',597,8,'https://www.darkoperator.com/blog/2018/10/5/operating-offensively-against-sysmon'),(10772,'Issue',597,10,'high'),(10773,'Issue',597,13,'community'),(10774,'Issue',597,14,'windows'),(10775,'Issue',597,15,''),(10776,'Issue',597,11,'d7439c16c'),(10777,'Issue',597,12,'4d7cda18-1b12-4e52-b45c-d28653210df8'),(10778,'Issue',597,16,'win-proc'),(10779,'Issue',597,17,''),(10780,'Issue',597,7,''),(10781,'Issue',597,3,'Detect possible Sysmon driver unload'),(10782,'Issue',597,4,''),(10783,'Issue',597,5,'_False Positives_\nUnknown\n\n_Interesting Log Fields_\nCommandLine\nDetails'),(10784,'Issue',597,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\fltmc.exe AND process.command_line.keyword:*unload* AND process.command_line.keyword:*sys*)\nindex: so-*\nname: Sysmon Driver Unload\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(10785,'Issue',597,9,'{{collapse(View Sigma)\n\n\ntitle: Sysmon Driver Unload\nid: 4d7cda18-1b12-4e52-b45c-d28653210df8\nstatus: experimental\nauthor: Kirill Kiryanov, oscd.community\ndescription: Detect possible Sysmon driver unload\ndate: 2019/10/23\nmodified: 2019/11/07\nreferences:\n- https://www.darkoperator.com/blog/2018/10/5/operating-offensively-against-sysmon\nlogsource:\n product: windows\n category: process_creation\ndetection:\n selection:\n Image|endswith: \\fltmc.exe\n CommandLine|contains|all:\n - unload\n - sys\n condition: selection\nfalsepositives:\n- Unknown\nlevel: high\nfields:\n- CommandLine\n- Details\n\n
\n}}'),(10786,'Issue',598,1,'System File Execution Location Anomaly'),(10787,'Issue',598,2,'Florian Roth, Patrick Bareiss'),(10788,'Issue',598,8,'https://twitter.com/GelosSnake/status/934900723426439170'),(10789,'Issue',598,10,'high'),(10790,'Issue',598,13,'community'),(10791,'Issue',598,14,'windows'),(10793,'Issue',598,11,'c8ddca7b8'),(10794,'Issue',598,12,'e4a6b256-3e47-40fc-89d2-7a477edd6915'),(10795,'Issue',598,16,'win-proc'),(10796,'Issue',598,17,''),(10797,'Issue',598,7,''),(10798,'Issue',598,3,'Detects a Windows program executable started in a suspicious folder'),(10799,'Issue',598,4,''),(10800,'Issue',598,5,'_False Positives_\nExotic software\n\n_Interesting Log Fields_\nComputerName\nUser\nImage'),(10801,'Issue',598,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:(*\\\\svchost.exe OR *\\\\rundll32.exe OR *\\\\services.exe OR *\\\\powershell.exe OR *\\\\regsvr32.exe OR *\\\\spoolsv.exe OR *\\\\lsass.exe OR *\\\\smss.exe OR *\\\\csrss.exe OR *\\\\conhost.exe OR *\\\\wininit.exe OR *\\\\lsm.exe OR *\\\\winlogon.exe OR *\\\\explorer.exe OR *\\\\taskhost.exe) AND (NOT (process.executable.keyword:(C\\:\\\\Windows\\\\System32\\\\* OR C\\:\\\\Windows\\\\system32\\\\* OR C\\:\\\\Windows\\\\SysWow64\\\\* OR C\\:\\\\Windows\\\\SysWOW64\\\\* OR C\\:\\\\Windows\\\\explorer.exe OR C\\:\\\\Windows\\\\winsxs\\\\* OR C\\:\\\\Windows\\\\WinSxS\\\\* OR \\\\SystemRoot\\\\System32\\\\*))))\nindex: so-*\nname: System File Execution Location Anomaly\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(10802,'Issue',598,9,'{{collapse(View Sigma)\n\n\ntitle: System File Execution Location Anomaly\nid: e4a6b256-3e47-40fc-89d2-7a477edd6915\nstatus: experimental\ndescription: Detects a Windows program executable started in a suspicious folder\nreferences:\n- https://twitter.com/GelosSnake/status/934900723426439170\nauthor: Florian Roth, Patrick Bareiss\ndate: 2017/11/27\ntags:\n- attack.defense_evasion\n- attack.t1036\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n Image:\n - \'*\\svchost.exe\'\n - \'*\\rundll32.exe\'\n - \'*\\services.exe\'\n - \'*\\powershell.exe\'\n - \'*\\regsvr32.exe\'\n - \'*\\spoolsv.exe\'\n - \'*\\lsass.exe\'\n - \'*\\smss.exe\'\n - \'*\\csrss.exe\'\n - \'*\\conhost.exe\'\n - \'*\\wininit.exe\'\n - \'*\\lsm.exe\'\n - \'*\\winlogon.exe\'\n - \'*\\explorer.exe\'\n - \'*\\taskhost.exe\'\n filter:\n Image:\n - C:\\Windows\\System32\\\\*\n - C:\\Windows\\system32\\\\*\n - C:\\Windows\\SysWow64\\\\*\n - C:\\Windows\\SysWOW64\\\\*\n - C:\\Windows\\explorer.exe\n - C:\\Windows\\winsxs\\\\*\n - C:\\Windows\\WinSxS\\\\*\n - \\SystemRoot\\System32\\\\*\n condition: selection and not filter\nfields:\n- ComputerName\n- User\n- Image\nfalsepositives:\n- Exotic software\nlevel: high\n\n
\n}}'),(10803,'Issue',598,15,'T1036'),(10804,'Issue',599,1,'Tap Installer Execution'),(10805,'Issue',599,2,'Daniil Yugoslavskiy, Ian Davis, oscd.community'),(10806,'Issue',599,8,'none'),(10807,'Issue',599,10,'medium'),(10808,'Issue',599,13,'community'),(10809,'Issue',599,14,'windows'),(10811,'Issue',599,11,'f0f415f09'),(10812,'Issue',599,12,'99793437-3e16-439b-be0f-078782cf953d'),(10813,'Issue',599,16,'win-proc'),(10814,'Issue',599,17,''),(10815,'Issue',599,7,''),(10816,'Issue',599,3,'Well-known TAP software installation. Possible preparation for data exfiltration using tunneling techniques'),(10817,'Issue',599,4,''),(10818,'Issue',599,5,'_False Positives_\nLegitimate OpenVPN TAP insntallation'),(10819,'Issue',599,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\tapinstall.exe)\nindex: so-*\nname: Tap Installer Execution\npriority: 3\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(10820,'Issue',599,9,'{{collapse(View Sigma)\n\n\ntitle: Tap Installer Execution\nid: 99793437-3e16-439b-be0f-078782cf953d\ndescription: Well-known TAP software installation. Possible preparation for data exfiltration\n using tunneling techniques\nstatus: experimental\nauthor: Daniil Yugoslavskiy, Ian Davis, oscd.community\ndate: 2019/10/24\ntags:\n- attack.exfiltration\n- attack.t1048\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n Image|endswith: \\tapinstall.exe\n condition: selection\nfalsepositives:\n- Legitimate OpenVPN TAP insntallation\nlevel: medium\n\n
\n}}'),(10821,'Issue',599,15,'T1048'),(10822,'Issue',600,1,'Tasks Folder Evasion'),(10823,'Issue',600,2,'Sreeman'),(10824,'Issue',600,8,'https://twitter.com/subTee/status/1216465628946563073\nhttps://gist.github.com/am0nsec/8378da08f848424e4ab0cc5b317fdd26'),(10825,'Issue',600,10,'high'),(10826,'Issue',600,13,'community'),(10827,'Issue',600,14,'windows'),(10829,'Issue',600,11,'0eb37ce7b'),(10830,'Issue',600,12,'cc4e02ba-9c06-48e2-b09e-2500cace9ae0'),(10831,'Issue',600,16,'win-proc'),(10832,'Issue',600,17,''),(10833,'Issue',600,7,''),(10834,'Issue',600,3,'The Tasks folder in system32 and syswow64 are globally writable paths. Adversaries can take advantage of this and load or influence any script hosts or ANY .NET Application in Tasks to load and execute a custom assembly into cscript, wscript, regsvr32, mshta, eventvwr'),(10835,'Issue',600,4,''),(10836,'Issue',600,5,'_False Positives_\nUnknown\n\n_Interesting Log Fields_\nCommandLine\nParentProcess\nCommandLine'),(10837,'Issue',600,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (process.command_line.keyword:(*echo\\ * OR *copy\\ * OR *type\\ * OR *file\\ createnew*) AND process.command_line.keyword:(*\\ C\\:\\\\Windows\\\\System32\\\\Tasks\\* OR *\\ C\\:\\\\Windows\\\\SysWow64\\\\Tasks\\*))\nindex: so-*\nname: Tasks Folder Evasion\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(10838,'Issue',600,9,'{{collapse(View Sigma)\n\n\ntitle: Tasks Folder Evasion\nid: cc4e02ba-9c06-48e2-b09e-2500cace9ae0\nstatus: experimental\ndescription: The Tasks folder in system32 and syswow64 are globally writable paths.\n Adversaries can take advantage of this and load or influence any script hosts or\n ANY .NET Application in Tasks to load and execute a custom assembly into cscript,\n wscript, regsvr32, mshta, eventvwr\nreferences:\n- https://twitter.com/subTee/status/1216465628946563073\n- https://gist.github.com/am0nsec/8378da08f848424e4ab0cc5b317fdd26\ndate: 2020/01/13\nauthor: Sreeman\ntags:\n- attack.t1064\n- attack.t1211\n- attack.t1059\n- attack.defense_evasion\n- attack.persistence\nlogsource:\n product: Windows\ndetection:\n selection1:\n CommandLine|contains:\n - \'echo \'\n - \'copy \'\n - \'type \'\n - file createnew\n selection2:\n CommandLine|contains:\n - \' C:\\Windows\\System32\\Tasks\\\'\n - \' C:\\Windows\\SysWow64\\Tasks\\\'\n condition: selection1 and selection2\nfields:\n- CommandLine\n- ParentProcess\n- CommandLine\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(10839,'Issue',600,15,'T1064'),(10840,'Issue',600,15,'T1211'),(10841,'Issue',600,15,'T1059'),(10842,'Issue',601,1,'Terminal Service Process Spawn'),(10843,'Issue',601,2,'Florian Roth'),(10844,'Issue',601,8,'https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/rdp-stands-for-really-do-patch-understanding-the-wormable-rdp-vulnerability-cve-2019-0708/'),(10845,'Issue',601,10,'high'),(10846,'Issue',601,13,'community'),(10847,'Issue',601,14,'windows'),(10848,'Issue',601,15,''),(10849,'Issue',601,11,'b5e174d1b'),(10850,'Issue',601,12,'1012f107-b8f1-4271-af30-5aed2de89b39'),(10851,'Issue',601,16,'win-proc'),(10852,'Issue',601,17,''),(10853,'Issue',601,7,''),(10854,'Issue',601,3,'Detects a process spawned by the terminal service server process (this could be an indicator for an exploitation of CVE-2019-0708)'),(10855,'Issue',601,4,''),(10856,'Issue',601,5,'_False Positives_\nUnknown'),(10857,'Issue',601,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.parent.command_line.keyword:*\\\\svchost.exe*termsvcs AND (NOT (process.executable.keyword:*\\\\rdpclip.exe)))\nindex: so-*\nname: Terminal Service Process Spawn\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(10858,'Issue',601,9,'{{collapse(View Sigma)\n\n\ntitle: Terminal Service Process Spawn\nid: 1012f107-b8f1-4271-af30-5aed2de89b39\nstatus: experimental\ndescription: Detects a process spawned by the terminal service server process (this\n could be an indicator for an exploitation of CVE-2019-0708)\nreferences:\n- https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/rdp-stands-for-really-do-patch-understanding-the-wormable-rdp-vulnerability-cve-2019-0708/\nauthor: Florian Roth\ndate: 2019/05/22\ntags:\n- car.2013-07-002\nlogsource:\n product: windows\n category: process_creation\ndetection:\n selection:\n ParentCommandLine: \'*\\svchost.exe*termsvcs\'\n filter:\n Image: \'*\\rdpclip.exe\'\n condition: selection and not filter\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(10859,'Issue',602,1,'Domain Trust Discovery'),(10860,'Issue',602,2,'E.M. Anhaus (orignally from Atomic Blue Detections, Tony Lambert), oscd.community'),(10861,'Issue',602,8,'https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1482/T1482.md\nhttps://eqllib.readthedocs.io/en/latest/analytics/03e231a6-74bc-467a-acb1-e5676b0fb55e.html'),(10862,'Issue',602,10,'medium'),(10863,'Issue',602,13,'community'),(10864,'Issue',602,14,'windows'),(10866,'Issue',602,11,'c1662fb6e'),(10867,'Issue',602,12,'3bad990e-4848-4a78-9530-b427d854aac0'),(10868,'Issue',602,16,'win-proc'),(10869,'Issue',602,17,''),(10870,'Issue',602,7,''),(10871,'Issue',602,3,'Identifies execution of nltest.exe and dsquery.exe for domain trust discovery. This technique is used by attackers to enumerate Active Directory trusts.'),(10872,'Issue',602,4,''),(10873,'Issue',602,5,'_False Positives_\nLegitimate use of the utilities by legitimate user for legitimate reason'),(10874,'Issue',602,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND ((process.executable.keyword:*\\\\nltest.exe AND process.command_line.keyword:*domain_trusts*) OR (process.executable.keyword:*\\\\dsquery.exe AND process.command_line.keyword:*trustedDomain*)))\nindex: so-*\nname: Domain Trust Discovery\npriority: 3\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(10875,'Issue',602,9,'{{collapse(View Sigma)\n\n\ntitle: Domain Trust Discovery\nid: 3bad990e-4848-4a78-9530-b427d854aac0\ndescription: Identifies execution of nltest.exe and dsquery.exe for domain trust discovery.\n This technique is used by attackers to enumerate Active Directory trusts.\nstatus: experimental\nauthor: E.M. Anhaus (orignally from Atomic Blue Detections, Tony Lambert), oscd.community\ndate: 2019/10/24\nmodified: 2019/11/11\nreferences:\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1482/T1482.md\n- https://eqllib.readthedocs.io/en/latest/analytics/03e231a6-74bc-467a-acb1-e5676b0fb55e.html\ntags:\n- attack.discovery\n- attack.t1482\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n - Image|endswith: \\nltest.exe\n CommandLine|contains: domain_trusts\n - Image|endswith: \\dsquery.exe\n CommandLine|contains: trustedDomain\n condition: selection\nfalsepositives:\n- Legitimate use of the utilities by legitimate user for legitimate reason\nlevel: medium\n\n
\n}}'),(10876,'Issue',602,15,'T1482'),(10877,'Issue',603,1,'Bypass UAC via CMSTP'),(10878,'Issue',603,2,'E.M. Anhaus (orignally from Atomic Blue Detections, Endgame), oscd.community'),(10879,'Issue',603,8,'https://eqllib.readthedocs.io/en/latest/analytics/e584f1a1-c303-4885-8a66-21360c90995b.html\nhttps://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1191/T1191.md'),(10880,'Issue',603,10,'high'),(10881,'Issue',603,13,'community'),(10882,'Issue',603,14,'windows'),(10884,'Issue',603,11,'7c2726c72'),(10885,'Issue',603,12,'e66779cc-383e-4224-a3a4-267eeb585c40'),(10886,'Issue',603,16,'win-proc'),(10887,'Issue',603,17,''),(10888,'Issue',603,7,''),(10889,'Issue',603,3,'Detect child processes of automatically elevated instances of Microsoft Connection Manager Profile Installer (cmstp.exe).'),(10890,'Issue',603,4,''),(10891,'Issue',603,5,'_False Positives_\nLegitimate use of cmstp.exe utility by legitimate user\n\n_Interesting Log Fields_\nComputerName\nUser\nCommandLine'),(10892,'Issue',603,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\cmstp.exe AND process.command_line.keyword:(*\\/s* OR *\\/au*))\nindex: so-*\nname: Bypass UAC via CMSTP\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(10893,'Issue',603,9,'{{collapse(View Sigma)\n\n\ntitle: Bypass UAC via CMSTP\nid: e66779cc-383e-4224-a3a4-267eeb585c40\ndescription: Detect child processes of automatically elevated instances of Microsoft\n Connection Manager Profile Installer (cmstp.exe).\nstatus: experimental\nauthor: E.M. Anhaus (orignally from Atomic Blue Detections, Endgame), oscd.community\nmodified: 2019/11/11\ndate: 2019/10/24\nreferences:\n- https://eqllib.readthedocs.io/en/latest/analytics/e584f1a1-c303-4885-8a66-21360c90995b.html\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1191/T1191.md\ntags:\n- attack.defense_evasion\n- attack.execution\n- attack.t1191\n- attack.t1088\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n Image|endswith: \\cmstp.exe\n CommandLine|contains:\n - /s\n - /au\n condition: selection\nfields:\n- ComputerName\n- User\n- CommandLine\nfalsepositives:\n- Legitimate use of cmstp.exe utility by legitimate user\nlevel: high\n\n
\n}}'),(10894,'Issue',603,15,'T1191'),(10895,'Issue',603,15,'T1088'),(10896,'Issue',604,1,'Bypass UAC via Fodhelper.exe'),(10897,'Issue',604,2,'E.M. Anhaus (orignally from Atomic Blue Detections, Tony Lambert), oscd.community'),(10898,'Issue',604,8,'https://eqllib.readthedocs.io/en/latest/analytics/e491ce22-792f-11e9-8f5c-d46d6d62a49e.html\nhttps://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1088/T1088.md'),(10899,'Issue',604,10,'high'),(10900,'Issue',604,13,'community'),(10901,'Issue',604,14,'windows'),(10903,'Issue',604,11,'b29738791'),(10904,'Issue',604,12,'7f741dcf-fc22-4759-87b4-9ae8376676a2'),(10905,'Issue',604,16,'win-proc'),(10906,'Issue',604,17,''),(10907,'Issue',604,7,''),(10908,'Issue',604,3,'Identifies use of Fodhelper.exe to bypass User Account Control. Adversaries use this technique to execute privileged processes.'),(10909,'Issue',604,4,''),(10910,'Issue',604,5,'_False Positives_\nLegitimate use of fodhelper.exe utility by legitimate user\n\n_Interesting Log Fields_\nComputerName\nUser\nCommandLine'),(10911,'Issue',604,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.parent.executable.keyword:*\\\\fodhelper.exe)\nindex: so-*\nname: Bypass UAC via Fodhelper.exe\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(10912,'Issue',604,9,'{{collapse(View Sigma)\n\n\ntitle: Bypass UAC via Fodhelper.exe\nid: 7f741dcf-fc22-4759-87b4-9ae8376676a2\ndescription: Identifies use of Fodhelper.exe to bypass User Account Control. Adversaries\n use this technique to execute privileged processes.\nstatus: experimental\nauthor: E.M. Anhaus (orignally from Atomic Blue Detections, Tony Lambert), oscd.community\ndate: 2019/10/24\nmodified: 2019/11/11\nreferences:\n- https://eqllib.readthedocs.io/en/latest/analytics/e491ce22-792f-11e9-8f5c-d46d6d62a49e.html\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1088/T1088.md\ntags:\n- attack.privilege_escalation\n- attack.t1088\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n ParentImage|endswith: \\fodhelper.exe\n condition: selection\nfields:\n- ComputerName\n- User\n- CommandLine\nfalsepositives:\n- Legitimate use of fodhelper.exe utility by legitimate user\nlevel: high\n\n
\n}}'),(10913,'Issue',604,15,'T1088'),(10914,'Issue',605,1,'Bypass UAC via WSReset.exe'),(10915,'Issue',605,2,'E.M. Anhaus (orignally from Atomic Blue Detections, Tony Lambert), oscd.community'),(10916,'Issue',605,8,'https://eqllib.readthedocs.io/en/latest/analytics/532b5ed4-7930-11e9-8f5c-d46d6d62a49e.html'),(10917,'Issue',605,10,'high'),(10918,'Issue',605,13,'community'),(10919,'Issue',605,14,'windows'),(10921,'Issue',605,11,'88c9a0107'),(10922,'Issue',605,12,'d797268e-28a9-49a7-b9a8-2f5039011c5c'),(10923,'Issue',605,16,'win-proc'),(10924,'Issue',605,17,''),(10925,'Issue',605,7,''),(10926,'Issue',605,3,'Identifies use of WSReset.exe to bypass User Account Control. Adversaries use this technique to execute privileged processes.'),(10927,'Issue',605,4,''),(10928,'Issue',605,5,'_False Positives_\nUnknown'),(10929,'Issue',605,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.parent.executable.keyword:*\\\\wsreset.exe AND (NOT (process.executable.keyword:*\\\\conhost.exe)))\nindex: so-*\nname: Bypass UAC via WSReset.exe\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(10930,'Issue',605,9,'{{collapse(View Sigma)\n\n\ntitle: Bypass UAC via WSReset.exe\nid: d797268e-28a9-49a7-b9a8-2f5039011c5c\ndescription: Identifies use of WSReset.exe to bypass User Account Control. Adversaries\n use this technique to execute privileged processes.\nstatus: experimental\nauthor: E.M. Anhaus (orignally from Atomic Blue Detections, Tony Lambert), oscd.community\ndate: 2019/10/24\nmodified: 2019/11/11\nreferences:\n- https://eqllib.readthedocs.io/en/latest/analytics/532b5ed4-7930-11e9-8f5c-d46d6d62a49e.html\ntags:\n- attack.privilege_escalation\n- attack.t1088\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n ParentImage|endswith: \\wsreset.exe\n filter:\n Image|endswith: \\conhost.exe\n condition: selection and not filter\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(10931,'Issue',605,15,'T1088'),(10932,'Issue',606,1,'Possible Privilege Escalation via Weak Service Permissions'),(10933,'Issue',606,2,'Teymur Kheirkhabarov'),(10934,'Issue',606,8,'https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment\nhttps://pentestlab.blog/2017/03/30/weak-service-permissions/'),(10935,'Issue',606,10,'high'),(10936,'Issue',606,13,'community'),(10937,'Issue',606,14,'windows'),(10939,'Issue',606,11,'20df1ec32'),(10940,'Issue',606,12,'d937b75f-a665-4480-88a5-2f20e9f9b22a'),(10941,'Issue',606,16,'win-proc'),(10942,'Issue',606,17,''),(10943,'Issue',606,7,''),(10944,'Issue',606,3,'Detection of sc.exe utility spawning by user with Medium integrity level to change service ImagePath or FailureCommand'),(10945,'Issue',606,4,''),(10946,'Issue',606,5,'_False Positives_\nUnknown'),(10947,'Issue',606,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\sc.exe AND IntegrityLevel:\"Medium\" AND (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND ((process.command_line.keyword:*config* AND process.command_line.keyword:*binPath*) OR (process.command_line.keyword:*failure* AND process.command_line.keyword:*command*)))\nindex: so-*\nname: Possible Privilege Escalation via Weak Service Permissions\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(10948,'Issue',606,9,'{{collapse(View Sigma)\n\n\ntitle: Possible Privilege Escalation via Weak Service Permissions\nid: d937b75f-a665-4480-88a5-2f20e9f9b22a\ndescription: Detection of sc.exe utility spawning by user with Medium integrity level\n to change service ImagePath or FailureCommand\nreferences:\n- https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment\n- https://pentestlab.blog/2017/03/30/weak-service-permissions/\ntags:\n- attack.privilege_escalation\n- attack.t1134\nstatus: experimental\nauthor: Teymur Kheirkhabarov\ndate: 2019/10/26\nmodified: 2019/11/11\nlogsource:\n category: process_creation\n product: windows\ndetection:\n scbynonadmin:\n Image|endswith: \\sc.exe\n IntegrityLevel: Medium\n binpath:\n CommandLine|contains|all:\n - config\n - binPath\n failurecommand:\n CommandLine|contains|all:\n - failure\n - command\n condition: scbynonadmin and (binpath or failurecommand)\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(10949,'Issue',606,15,'T1134'),(10950,'Issue',607,1,'Java Running with Remote Debugging'),(10951,'Issue',607,2,'Florian Roth'),(10952,'Issue',607,8,'none'),(10953,'Issue',607,10,'medium'),(10954,'Issue',607,13,'community'),(10955,'Issue',607,14,'windows'),(10957,'Issue',607,11,'b24838b11'),(10958,'Issue',607,12,'8f88e3f6-2a49-48f5-a5c4-2f7eedf78710'),(10959,'Issue',607,16,'win-proc'),(10960,'Issue',607,17,''),(10961,'Issue',607,7,''),(10962,'Issue',607,3,'Detects a JAVA process running with remote debugging allowing more than just localhost to connect'),(10963,'Issue',607,4,''),(10964,'Issue',607,5,'_False Positives_\nunknown\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(10965,'Issue',607,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:*transport\\=dt_socket,address\\=* AND (NOT (process.command_line.keyword:*address\\=127.0.0.1* OR process.command_line.keyword:*address\\=localhost*)))\nindex: so-*\nname: Java Running with Remote Debugging\npriority: 3\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(10966,'Issue',607,9,'{{collapse(View Sigma)\n\n\ntitle: Java Running with Remote Debugging\nid: 8f88e3f6-2a49-48f5-a5c4-2f7eedf78710\ndescription: Detects a JAVA process running with remote debugging allowing more than\n just localhost to connect\nauthor: Florian Roth\ndate: 2019/01/16\ntags:\n- attack.discovery\n- attack.t1046\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n CommandLine: \'*transport=dt_socket,address=*\'\n exclusion:\n - CommandLine: \'*address=127.0.0.1*\'\n - CommandLine: \'*address=localhost*\'\n condition: selection and not exclusion\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- unknown\nlevel: medium\n\n
\n}}'),(10967,'Issue',607,15,'T1046'),(10968,'Issue',608,1,'Webshell Detection With Command Line Keywords'),(10969,'Issue',608,2,'Florian Roth'),(10970,'Issue',608,8,'none'),(10971,'Issue',608,10,'high'),(10972,'Issue',608,13,'community'),(10973,'Issue',608,14,'windows'),(10975,'Issue',608,11,'8d70dcff6'),(10976,'Issue',608,12,'bed2a484-9348-4143-8a8a-b801c979301c'),(10977,'Issue',608,16,'win-proc'),(10978,'Issue',608,17,''),(10979,'Issue',608,7,''),(10980,'Issue',608,3,'Detects certain command line parameters often used during reconnaissance activity via web shells'),(10981,'Issue',608,4,''),(10982,'Issue',608,5,'_False Positives_\nunknown\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(10983,'Issue',608,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.parent.executable.keyword:(*\\\\apache* OR *\\\\tomcat* OR *\\\\w3wp.exe OR *\\\\php\\-cgi.exe OR *\\\\nginx.exe OR *\\\\httpd.exe) AND process.command_line.keyword:(*whoami* OR *net\\ user\\ * OR *ping\\ \\-n\\ * OR *systeminfo OR *&cd&echo* OR *cd\\ \\/d*))\nindex: so-*\nname: Webshell Detection With Command Line Keywords\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(10984,'Issue',608,9,'{{collapse(View Sigma)\n\n\ntitle: Webshell Detection With Command Line Keywords\nid: bed2a484-9348-4143-8a8a-b801c979301c\ndescription: Detects certain command line parameters often used during reconnaissance\n activity via web shells\nauthor: Florian Roth\nreference:\n- https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-ii.html\ndate: 2017/01/01\nmodified: 2019/10/26\ntags:\n- attack.privilege_escalation\n- attack.persistence\n- attack.t1100\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n ParentImage:\n - \'*\\apache*\'\n - \'*\\tomcat*\'\n - \'*\\w3wp.exe\'\n - \'*\\php-cgi.exe\'\n - \'*\\nginx.exe\'\n - \'*\\httpd.exe\'\n CommandLine:\n - \'*whoami*\'\n - \'*net user *\'\n - \'*ping -n *\'\n - \'*systeminfo\'\n - \'*&cd&echo*\'\n - \'*cd /d*\'\n condition: selection\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- unknown\nlevel: high\n\n
\n}}'),(10985,'Issue',608,15,'T1100'),(10986,'Issue',609,1,'Shells Spawned by Web Servers'),(10987,'Issue',609,2,'Thomas Patzke'),(10988,'Issue',609,8,'none'),(10989,'Issue',609,10,'high'),(10990,'Issue',609,13,'community'),(10991,'Issue',609,14,'windows'),(10993,'Issue',609,11,'f05538a42'),(10994,'Issue',609,12,'8202070f-edeb-4d31-a010-a26c72ac5600'),(10995,'Issue',609,16,'win-proc'),(10996,'Issue',609,17,''),(10997,'Issue',609,7,''),(10998,'Issue',609,3,'Web servers that spawn shell processes could be the result of a successfully placed web shell or an other attack'),(10999,'Issue',609,4,''),(11000,'Issue',609,5,'_False Positives_\nParticular web applications may spawn a shell process legitimately\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(11001,'Issue',609,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.parent.executable.keyword:(*\\\\w3wp.exe OR *\\\\httpd.exe OR *\\\\nginx.exe OR *\\\\php\\-cgi.exe OR *\\\\tomcat.exe) AND process.executable.keyword:(*\\\\cmd.exe OR *\\\\sh.exe OR *\\\\bash.exe OR *\\\\powershell.exe OR *\\\\bitsadmin.exe))\nindex: so-*\nname: Shells Spawned by Web Servers\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(11002,'Issue',609,9,'{{collapse(View Sigma)\n\n\ntitle: Shells Spawned by Web Servers\nid: 8202070f-edeb-4d31-a010-a26c72ac5600\nstatus: experimental\ndescription: Web servers that spawn shell processes could be the result of a successfully\n placed web shell or an other attack\nauthor: Thomas Patzke\ndate: 2019/01/16\nmodified: 2020/03/25\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n ParentImage:\n - \'*\\w3wp.exe\'\n - \'*\\httpd.exe\'\n - \'*\\nginx.exe\'\n - \'*\\php-cgi.exe\'\n - \'*\\tomcat.exe\'\n Image:\n - \'*\\cmd.exe\'\n - \'*\\sh.exe\'\n - \'*\\bash.exe\'\n - \'*\\powershell.exe\'\n - \'*\\bitsadmin.exe\'\n condition: selection\nfields:\n- CommandLine\n- ParentCommandLine\ntags:\n- attack.privilege_escalation\n- attack.persistence\n- attack.t1100\nfalsepositives:\n- Particular web applications may spawn a shell process legitimately\nlevel: high\n\n
\n}}'),(11003,'Issue',609,15,'T1100'),(11004,'Issue',610,1,'Run Whoami as SYSTEM'),(11005,'Issue',610,2,'Teymur Kheirkhabarov'),(11006,'Issue',610,8,'https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment'),(11007,'Issue',610,10,'high'),(11008,'Issue',610,13,'community'),(11009,'Issue',610,14,'windows'),(11011,'Issue',610,11,'4e41dd00b'),(11012,'Issue',610,12,'80167ada-7a12-41ed-b8e9-aa47195c66a1'),(11013,'Issue',610,16,'win-proc'),(11014,'Issue',610,17,''),(11015,'Issue',610,7,''),(11016,'Issue',610,3,'Detects a whoami.exe executed by LOCAL SYSTEM. This may be a sign of a successful local privilege escalation.'),(11017,'Issue',610,4,''),(11018,'Issue',610,5,'_False Positives_\nUnknown'),(11019,'Issue',610,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND event_data.User:\"NT\\ AUTHORITY\\\\SYSTEM\" AND process.executable.keyword:*\\\\whoami.exe)\nindex: so-*\nname: Run Whoami as SYSTEM\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(11020,'Issue',610,9,'{{collapse(View Sigma)\n\n\ntitle: Run Whoami as SYSTEM\nid: 80167ada-7a12-41ed-b8e9-aa47195c66a1\nstatus: experimental\ndescription: Detects a whoami.exe executed by LOCAL SYSTEM. This may be a sign of\n a successful local privilege escalation.\nreferences:\n- https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment\nauthor: Teymur Kheirkhabarov\ndate: 2019/10/23\nmodified: 2019/11/11\ntags:\n- attack.discovery\n- attack.privilege_escalation\n- attack.t1033\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n User: NT AUTHORITY\\SYSTEM\n Image|endswith: \\whoami.exe\n condition: selection\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}'),(11021,'Issue',610,15,'T1033'),(11022,'Issue',611,1,'Windows 10 Scheduled Task SandboxEscaper 0-day'),(11023,'Issue',611,2,'Olaf Hartong'),(11024,'Issue',611,8,'https://github.com/SandboxEscaper/polarbearrepo/tree/master/bearlpe'),(11025,'Issue',611,10,'high'),(11026,'Issue',611,13,'community'),(11027,'Issue',611,14,'windows'),(11029,'Issue',611,11,'3ff4919f0'),(11030,'Issue',611,12,'931b6802-d6a6-4267-9ffa-526f57f22aaf'),(11031,'Issue',611,16,'win-proc'),(11032,'Issue',611,17,''),(11033,'Issue',611,7,''),(11034,'Issue',611,3,'Detects Task Scheduler .job import arbitrary DACL write\\par'),(11035,'Issue',611,4,''),(11036,'Issue',611,5,'_False Positives_\nUnknown'),(11037,'Issue',611,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable:\"schtasks.exe\" AND process.command_line.keyword:*\\/change*\\/TN*\\/RU*\\/RP*)\nindex: so-*\nname: Windows 10 Scheduled Task SandboxEscaper 0-day\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(11038,'Issue',611,9,'{{collapse(View Sigma)\n\n\ntitle: Windows 10 Scheduled Task SandboxEscaper 0-day\nid: 931b6802-d6a6-4267-9ffa-526f57f22aaf\nstatus: experimental\ndescription: Detects Task Scheduler .job import arbitrary DACL write\\par\nreferences:\n- https://github.com/SandboxEscaper/polarbearrepo/tree/master/bearlpe\nauthor: Olaf Hartong\ndate: 2019/05/22\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n Image: schtasks.exe\n CommandLine: \'*/change*/TN*/RU*/RP*\'\n condition: selection\nfalsepositives:\n- Unknown\ntags:\n- attack.privilege_escalation\n- attack.execution\n- attack.t1053\n- car.2013-08-001\nlevel: high\n\n
\n}}'),(11039,'Issue',611,15,'T1053'),(11040,'Issue',612,1,'WMI Backdoor Exchange Transport Agent'),(11041,'Issue',612,2,'Florian Roth'),(11042,'Issue',612,8,'https://twitter.com/cglyer/status/1182389676876980224\nhttps://twitter.com/cglyer/status/1182391019633029120'),(11043,'Issue',612,10,'critical'),(11044,'Issue',612,13,'community'),(11045,'Issue',612,14,'windows'),(11047,'Issue',612,11,'a650229e3'),(11048,'Issue',612,12,'797011dc-44f4-4e6f-9f10-a8ceefbe566b'),(11049,'Issue',612,16,'win-proc'),(11050,'Issue',612,17,''),(11051,'Issue',612,7,''),(11052,'Issue',612,3,'Detects a WMi backdoor in Exchange Transport Agents via WMi event filters'),(11053,'Issue',612,4,''),(11054,'Issue',612,5,'_False Positives_\nUnknown'),(11055,'Issue',612,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.parent.executable.keyword:*\\\\EdgeTransport.exe)\nindex: so-*\nname: WMI Backdoor Exchange Transport Agent\npriority: 1\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(11056,'Issue',612,9,'{{collapse(View Sigma)\n\n\ntitle: WMI Backdoor Exchange Transport Agent\nid: 797011dc-44f4-4e6f-9f10-a8ceefbe566b\nstatus: experimental\ndescription: Detects a WMi backdoor in Exchange Transport Agents via WMi event filters\nauthor: Florian Roth\ndate: 2019/10/11\nreferences:\n- https://twitter.com/cglyer/status/1182389676876980224\n- https://twitter.com/cglyer/status/1182391019633029120\nlogsource:\n category: process_creation\n product: windows\ntags:\n- attack.persistence\n- attack.t1084\ndetection:\n selection:\n ParentImage: \'*\\EdgeTransport.exe\'\n condition: selection\nfalsepositives:\n- Unknown\nlevel: critical\n\n
\n}}'),(11057,'Issue',612,15,'T1084'),(11058,'Issue',613,1,'WMI Persistence - Script Event Consumer'),(11059,'Issue',613,2,'Thomas Patzke'),(11060,'Issue',613,8,'https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/'),(11061,'Issue',613,10,'high'),(11062,'Issue',613,13,'community'),(11063,'Issue',613,14,'windows'),(11065,'Issue',613,11,'8e6b7ecfd'),(11066,'Issue',613,12,'ec1d5e28-8f3b-4188-a6f8-6e8df81dc28e'),(11067,'Issue',613,16,'win-proc'),(11068,'Issue',613,17,''),(11069,'Issue',613,7,''),(11070,'Issue',613,3,'Detects WMI script event consumers'),(11071,'Issue',613,4,''),(11072,'Issue',613,5,'_False Positives_\nLegitimate event consumers'),(11073,'Issue',613,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable:\"C\\:\\\\WINDOWS\\\\system32\\\\wbem\\\\scrcons.exe\" AND process.parent.executable:\"C\\:\\\\Windows\\\\System32\\\\svchost.exe\")\nindex: so-*\nname: WMI Persistence - Script Event Consumer\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(11074,'Issue',613,9,'{{collapse(View Sigma)\n\n\ntitle: WMI Persistence - Script Event Consumer\nid: ec1d5e28-8f3b-4188-a6f8-6e8df81dc28e\nstatus: experimental\ndescription: Detects WMI script event consumers\nreferences:\n- https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/\nauthor: Thomas Patzke\ndate: 2018/03/07\ntags:\n- attack.execution\n- attack.persistence\n- attack.t1047\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n Image: C:\\WINDOWS\\system32\\wbem\\scrcons.exe\n ParentImage: C:\\Windows\\System32\\svchost.exe\n condition: selection\nfalsepositives:\n- Legitimate event consumers\nlevel: high\n\n
\n}}'),(11075,'Issue',613,15,'T1047'),(11076,'Issue',614,1,'WMI Spawning Windows PowerShell'),(11077,'Issue',614,2,'Markus Neis / @Karneades'),(11078,'Issue',614,8,'https://github.com/Neo23x0/sigma/blob/master/rules/windows/process_creation/win_shell_spawn_susp_program.yml\nhttps://any.run/report/68bc255f9b0db6a0d30a8f2dadfbee3256acfe12497bf93943bc1eab0735e45e/a2385d6f-34f7-403c-90d3-b1f9d2a90a5e'),(11079,'Issue',614,10,'high'),(11080,'Issue',614,13,'community'),(11081,'Issue',614,14,'windows'),(11083,'Issue',614,11,'127d6cb16'),(11084,'Issue',614,12,'692f0bec-83ba-4d04-af7e-e884a96059b6'),(11085,'Issue',614,16,'win-proc'),(11086,'Issue',614,17,''),(11087,'Issue',614,7,''),(11088,'Issue',614,3,'Detects WMI spawning PowerShell'),(11089,'Issue',614,4,''),(11090,'Issue',614,5,'_False Positives_\nAppvClient\nCCM'),(11091,'Issue',614,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.parent.executable.keyword:(*\\\\wmiprvse.exe) AND process.executable.keyword:(*\\\\powershell.exe))\nindex: so-*\nname: WMI Spawning Windows PowerShell\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(11092,'Issue',614,9,'{{collapse(View Sigma)\n\n\ntitle: WMI Spawning Windows PowerShell\nid: 692f0bec-83ba-4d04-af7e-e884a96059b6\nstatus: experimental\ndescription: Detects WMI spawning PowerShell\nreferences:\n- https://github.com/Neo23x0/sigma/blob/master/rules/windows/process_creation/win_shell_spawn_susp_program.yml\n- https://any.run/report/68bc255f9b0db6a0d30a8f2dadfbee3256acfe12497bf93943bc1eab0735e45e/a2385d6f-34f7-403c-90d3-b1f9d2a90a5e\nauthor: Markus Neis / @Karneades\ndate: 2019/04/03\ntags:\n- attack.execution\n- attack.defense_evasion\n- attack.t1064\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n ParentImage:\n - \'*\\wmiprvse.exe\'\n Image:\n - \'*\\powershell.exe\'\n condition: selection\nfalsepositives:\n- AppvClient\n- CCM\nlevel: high\n\n
\n}}'),(11093,'Issue',614,15,'T1064'),(11094,'Issue',615,1,'Wmiprvse Spawning Process'),(11095,'Issue',615,2,'Roberto Rodriguez @Cyb3rWard0g'),(11096,'Issue',615,8,'https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1047_windows_management_instrumentation/wmi_win32_process_create_remote.md'),(11097,'Issue',615,10,'critical'),(11098,'Issue',615,13,'community'),(11099,'Issue',615,14,'windows'),(11101,'Issue',615,11,'eab53c8fb'),(11102,'Issue',615,12,'d21374ff-f574-44a7-9998-4a8c8bf33d7d'),(11103,'Issue',615,16,'win-proc'),(11104,'Issue',615,17,''),(11105,'Issue',615,7,''),(11106,'Issue',615,3,'Detects wmiprvse spawning processes'),(11107,'Issue',615,4,''),(11108,'Issue',615,5,'_False Positives_\nUnknown'),(11109,'Issue',615,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.parent.executable.keyword:*\\\\WmiPrvSe.exe AND (NOT (LogonId:\"0x3e7\" OR Username:\"NT\\ AUTHORITY\\\\SYSTEM\")))\nindex: so-*\nname: Wmiprvse Spawning Process\npriority: 1\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(11110,'Issue',615,9,'{{collapse(View Sigma)\n\n\ntitle: Wmiprvse Spawning Process\nid: d21374ff-f574-44a7-9998-4a8c8bf33d7d\ndescription: Detects wmiprvse spawning processes\nstatus: experimental\ndate: 2019/08/15\nmodified: 2019/11/10\nauthor: Roberto Rodriguez @Cyb3rWard0g\nreferences:\n- https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1047_windows_management_instrumentation/wmi_win32_process_create_remote.md\ntags:\n- attack.execution\n- attack.t1047\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n ParentImage|endswith: \\WmiPrvSe.exe\n filter:\n - LogonId: \'0x3e7\'\n - Username: NT AUTHORITY\\SYSTEM\n condition: selection and not filter\nfalsepositives:\n- Unknown\nlevel: critical\n\n
\n}}'),(11111,'Issue',615,15,'T1047'),(11112,'Issue',616,1,'Microsoft Workflow Compiler'),(11113,'Issue',616,2,'Nik Seetharaman'),(11114,'Issue',616,8,'https://posts.specterops.io/arbitrary-unsigned-code-execution-vector-in-microsoft-workflow-compiler-exe-3d9294bc5efb'),(11115,'Issue',616,10,'high'),(11116,'Issue',616,13,'community'),(11117,'Issue',616,14,'windows'),(11119,'Issue',616,11,'b7e329a1b'),(11120,'Issue',616,12,'419dbf2b-8a9b-4bea-bf99-7544b050ec8d'),(11121,'Issue',616,16,'win-proc'),(11122,'Issue',616,17,''),(11123,'Issue',616,7,''),(11124,'Issue',616,3,'Detects invocation of Microsoft Workflow Compiler, which may permit the execution of arbitrary unsigned code.'),(11125,'Issue',616,4,''),(11126,'Issue',616,5,'_False Positives_\nLegitimate MWC use (unlikely in modern enterprise environments)\n\n_Interesting Log Fields_\nCommandLine\nParentCommandLine'),(11127,'Issue',616,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\Microsoft.Workflow.Compiler.exe)\nindex: so-*\nname: Microsoft Workflow Compiler\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(11128,'Issue',616,9,'{{collapse(View Sigma)\n\n\ntitle: Microsoft Workflow Compiler\nid: 419dbf2b-8a9b-4bea-bf99-7544b050ec8d\nstatus: experimental\ndescription: Detects invocation of Microsoft Workflow Compiler, which may permit the\n execution of arbitrary unsigned code.\ntags:\n- attack.defense_evasion\n- attack.execution\n- attack.t1127\nauthor: Nik Seetharaman\ndate: 2019/01/16\nreferences:\n- https://posts.specterops.io/arbitrary-unsigned-code-execution-vector-in-microsoft-workflow-compiler-exe-3d9294bc5efb\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n Image: \'*\\Microsoft.Workflow.Compiler.exe\'\n condition: selection\nfields:\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Legitimate MWC use (unlikely in modern enterprise environments)\nlevel: high\n\n
\n}}'),(11129,'Issue',616,15,'T1127'),(11130,'Issue',617,1,'Wsreset UAC Bypass'),(11131,'Issue',617,2,'Florian Roth'),(11132,'Issue',617,8,'https://lolbas-project.github.io/lolbas/Binaries/Wsreset/\nhttps://www.activecyber.us/activelabs/windows-uac-bypass\nhttps://twitter.com/ReaQta/status/1222548288731217921'),(11133,'Issue',617,10,'high'),(11134,'Issue',617,13,'community'),(11135,'Issue',617,14,'windows'),(11137,'Issue',617,11,'a20c95e40'),(11138,'Issue',617,12,'bdc8918e-a1d5-49d1-9db7-ea0fd91aa2ae'),(11139,'Issue',617,16,'win-proc'),(11140,'Issue',617,17,''),(11141,'Issue',617,7,''),(11142,'Issue',617,3,'Detects a method that uses Wsreset.exe tool that can be used to reset the Windows Store to bypass UAC'),(11143,'Issue',617,4,''),(11144,'Issue',617,5,'_False Positives_\nUnknown sub processes of Wsreset.exe\n\n_Interesting Log Fields_\nCommandLine'),(11145,'Issue',617,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.parent.executable.keyword:(*\\\\WSreset.exe))\nindex: so-*\nname: Wsreset UAC Bypass\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(11146,'Issue',617,9,'{{collapse(View Sigma)\n\n\ntitle: Wsreset UAC Bypass\nid: bdc8918e-a1d5-49d1-9db7-ea0fd91aa2ae\nstatus: experimental\ndescription: Detects a method that uses Wsreset.exe tool that can be used to reset\n the Windows Store to bypass UAC\nreferences:\n- https://lolbas-project.github.io/lolbas/Binaries/Wsreset/\n- https://www.activecyber.us/activelabs/windows-uac-bypass\n- https://twitter.com/ReaQta/status/1222548288731217921\nauthor: Florian Roth\ndate: 2020/01/30\ntags:\n- attack.defense_evasion\n- attack.execution\n- attack.t1088\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n ParentImage|endswith:\n - \\WSreset.exe\n condition: selection\nfields:\n- CommandLine\nfalsepositives:\n- Unknown sub processes of Wsreset.exe\nlevel: high\n\n
\n}}'),(11147,'Issue',617,15,'T1088'),(11148,'Issue',618,1,'XSL Script Processing'),(11149,'Issue',618,2,'Timur Zinniatullin, oscd.community'),(11150,'Issue',618,8,'https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1220/T1220.yaml'),(11151,'Issue',618,10,'medium'),(11152,'Issue',618,13,'community'),(11153,'Issue',618,14,'windows'),(11155,'Issue',618,11,'53788ea86'),(11156,'Issue',618,12,'05c36dd6-79d6-4a9a-97da-3db20298ab2d'),(11157,'Issue',618,16,'win-proc'),(11158,'Issue',618,17,''),(11159,'Issue',618,7,'gVP62XEBH72G5DlCexmq'),(11160,'Issue',618,3,'Extensible Stylesheet Language (XSL) files are commonly used to describe the processing and rendering of data within XML files, rule detects when adversaries abuse this functionality to execute arbitrary files while potentially bypassing application whitelisting defenses'),(11161,'Issue',618,4,''),(11162,'Issue',618,5,'_False Positives_\nWMIC.exe FP depend on scripts and administrative methods used in the monitored environment\nmsxsl.exe is not installed by default so unlikely.'),(11163,'Issue',618,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND ((process.executable.keyword:*\\\\wmic.exe AND process.command_line.keyword:*\\/format*) OR process.executable.keyword:*\\\\msxsl.exe))\nindex: so-*\nname: XSL Script Processing\npriority: 3\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(11164,'Issue',618,9,'{{collapse(View Sigma)\r\n\r\n\r\ntitle: XSL Script Processing\r\nid: 05c36dd6-79d6-4a9a-97da-3db20298ab2d\r\nstatus: experimental\r\ndescription: Extensible Stylesheet Language (XSL) files are commonly used to describe\r\n the processing and rendering of data within XML files, rule detects when adversaries\r\n abuse this functionality to execute arbitrary files while potentially bypassing\r\n application whitelisting defenses\r\nauthor: Timur Zinniatullin, oscd.community\r\ndate: 2019/10/21\r\nmodified: 2019/11/04\r\nreferences:\r\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1220/T1220.yaml\r\nlogsource:\r\n category: process_creation\r\n product: windows\r\ndetection:\r\n selection:\r\n - Image|endswith: \\wmic.exe\r\n CommandLine|contains: /format\r\n - Image|endswith: \\msxsl.exe\r\n condition: selection\r\nfalsepositives:\r\n- WMIC.exe FP depend on scripts and administrative methods used in the monitored environment\r\n- msxsl.exe is not installed by default so unlikely.\r\nlevel: medium\r\ntags:\r\n- attack.execution\r\n- attack.t1220\r\n\r\n
\r\n}}'),(11165,'Issue',618,15,'T1220'),(11184,'Issue',620,1,'New Sensitive Shared Resource'),(11185,'Issue',620,2,'Josh Brower'),(11186,'Issue',620,10,'medium'),(11187,'Issue',620,13,'imported'),(11188,'Issue',620,14,'osquery'),(11189,'Issue',620,8,'none'),(11191,'Issue',620,11,'8a0e88be7'),(11192,'Issue',620,12,'none'),(11193,'Issue',620,16,''),(11194,'Issue',620,17,''),(11195,'Issue',620,7,''),(11196,'Issue',620,3,'Network shares with loose access controls are common places that leak sensitive information. This play proactively looks for newly shared resources that likely contain sensitive data. Follow-up will be needed to confirm that appropriate access control is in place.'),(11197,'Issue',620,4,''),(11198,'Issue',620,5,'_False Positives_\nunknown'),(11199,'Issue',620,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: ((osquery.columns.qid:\"601\" AND osquery.columns.name.keyword:(*hr* OR *finance* OR *backup* OR *www* OR *scan*)) AND (NOT (osquery.result.counter:\"0\")))\nindex: so-osquery-*\nname: New Sensitive Shared Resource\npriority: 3\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(11200,'Issue',620,9,'{{collapse(View Sigma)\n\n\ntitle: New Sensitive Shared Resource\ndescription: Network shares with loose access controls are common places that leak\n sensitive information. This play proactively looks for newly shared resources that\n likely contain sensitive data. Follow-up will be needed to confirm that appropriate\n access control is in place.\nstatus: experimental\nauthor: Josh Brower\ntags:\n- attack.discovery\n- attack.t1135\nlogsource:\n product: osquery\n definition: select Description,Name,Path, \"601\" AS qid from shared_resources where\n type = 0 AND name <> \"print$\";\n qid: 601\ndetection:\n selection:\n qid: 601\n column_name:\n - \'*hr*\'\n - \'*finance*\'\n - \'*backup*\'\n - \'*www*\'\n - \'*scan*\'\n filter:\n counter: 0\n condition: selection and not filter\nfalsepositives:\n- unknown\nlevel: medium\ntasks:\n 1 - Check Share Permissions: Are share permissions set to an appropriate level?\n They should be tied to the relevant AD Security Group.\n 2 - Contact System/Service Owner: If share permissions are not appropriate, contact\n the system/service owner for remediation.\n\n
\n}}'),(11201,'Issue',620,15,'T1135'),(11202,'Issue',621,1,'Whoami Execution'),(11203,'Issue',621,2,'Florian Roth'),(11204,'Issue',621,10,'high'),(11205,'Issue',621,13,'imported'),(11206,'Issue',621,14,'windows'),(11207,'Issue',621,8,'https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/\nhttps://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/'),(11209,'Issue',621,11,'b2904c00a'),(11210,'Issue',621,12,'e28a5a99-da44-436d-b7a0-2afc20a5f413'),(11211,'Issue',621,16,''),(11212,'Issue',621,17,''),(11213,'Issue',621,7,''),(11214,'Issue',621,3,'Detects the execution of whoami, which is often used by attackers after exloitation / privilege escalation but rarely used by administrators'),(11215,'Issue',621,4,''),(11216,'Issue',621,5,'_False Positives_\nAdmin activity\nScripts and administrative tools used in the monitored environment'),(11217,'Issue',621,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: ((event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\") AND (process.executable.keyword:*\\\\whoami.exe OR OriginalFileName:\"whoami.exe\"))\nindex: so-*\nname: Whoami Execution\npriority: 2\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(11218,'Issue',621,9,'{{collapse(View Sigma)\n\n\ntitle: Whoami Execution\nid: e28a5a99-da44-436d-b7a0-2afc20a5f413\nstatus: experimental\ndescription: Detects the execution of whoami, which is often used by attackers after\n exloitation / privilege escalation but rarely used by administrators\nreferences:\n- https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/\n- https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/\nauthor: Florian Roth\ndate: 2018/08/13\ntags:\n- attack.discovery\n- attack.t1033\n- car.2016-03-001\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n Image: \'*\\whoami.exe\'\n selection2:\n OriginalFileName: whoami.exe\n condition: selection or selection2\nfalsepositives:\n- Admin activity\n- Scripts and administrative tools used in the monitored environment\nlevel: high\n\n
\n}}'),(11219,'Issue',621,15,'T1033'),(11220,'Issue',622,1,'Advanced IP Scanner'),(11221,'Issue',622,2,'@ROxPinTeddy'),(11222,'Issue',622,10,'medium'),(11223,'Issue',622,13,'community'),(11224,'Issue',622,14,'windows'),(11225,'Issue',622,8,'https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/\nhttps://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html'),(11227,'Issue',622,11,'28e0c60a4'),(11228,'Issue',622,12,'bef37fa2-f205-4a7b-b484-0759bfd5f86f'),(11229,'Issue',622,16,'win-proc'),(11230,'Issue',622,17,''),(11231,'Issue',622,7,''),(11232,'Issue',622,3,'Detects the use of Advanced IP Scanner. Seems to be a popular tool for ransomware groups.'),(11233,'Issue',622,4,''),(11234,'Issue',622,5,'_False Positives_\nLegitimate administrative use'),(11235,'Issue',622,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.executable.keyword:*\\\\advanced_ip_scanner*)\nindex: so-*\nname: Advanced IP Scanner\npriority: 3\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(11236,'Issue',622,9,'{{collapse(View Sigma)\n\n\ntitle: Advanced IP Scanner\nid: bef37fa2-f205-4a7b-b484-0759bfd5f86f\nstatus: experimental\ndescription: Detects the use of Advanced IP Scanner. Seems to be a popular tool for\n ransomware groups.\nreferences:\n- https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/\n- https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html\nauthor: \'@ROxPinTeddy\'\ndate: 2020/05/12\ntags:\n- attack.discovery\n- attack.t1046\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n Image|contains: \\advanced_ip_scanner\n condition: selection\nfalsepositives:\n- Legitimate administrative use\nlevel: medium\n\n
\n}}'),(11237,'Issue',622,15,'T1046'),(11238,'Issue',623,1,'Harvesting of Wifi Credentials Using netsh.exe'),(11239,'Issue',623,2,'Andreas Hunkeler (@Karneades)'),(11240,'Issue',623,10,'medium'),(11241,'Issue',623,13,'community'),(11242,'Issue',623,14,'windows'),(11243,'Issue',623,8,'https://blog.malwarebytes.com/threat-analysis/2020/04/new-agenttesla-variant-steals-wifi-credentials/'),(11245,'Issue',623,11,'c7fcf9aee'),(11246,'Issue',623,12,'42b1a5b8-353f-4f10-b256-39de4467faff'),(11247,'Issue',623,16,'win-proc'),(11248,'Issue',623,17,''),(11249,'Issue',623,7,''),(11250,'Issue',623,3,'Detect the harvesting of wifi credentials using netsh.exe'),(11251,'Issue',623,4,''),(11252,'Issue',623,5,'_False Positives_\nLegitimate administrator or user uses netsh.exe wlan functionality for legitimate reason'),(11253,'Issue',623,6,'{{collapse(View ElastAlert Config)\n\n\nfilter:\n- query:\n query_string:\n query: (event.code:\"1\" AND event.dataset:\"Microsoft\\-Windows\\-Sysmon\\/Operational\" AND process.command_line.keyword:(netsh\\ wlan\\ s*\\ p*\\ k*\\=clear))\nindex: so-*\nname: Harvesting of Wifi Credentials Using netsh.exe\npriority: 3\nrealert:\n minutes: 0\ntype: any\n
\n}}'),(11254,'Issue',623,9,'{{collapse(View Sigma)\n\n\ntitle: Harvesting of Wifi Credentials Using netsh.exe\nid: 42b1a5b8-353f-4f10-b256-39de4467faff\nstatus: experimental\ndescription: Detect the harvesting of wifi credentials using netsh.exe\nreferences:\n- https://blog.malwarebytes.com/threat-analysis/2020/04/new-agenttesla-variant-steals-wifi-credentials/\nauthor: Andreas Hunkeler (@Karneades)\ndate: 2020/04/20\ntags:\n- attack.discovery\n- attack.t1040\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n CommandLine:\n - netsh wlan s* p* k*=clear\n condition: selection\nfalsepositives:\n- Legitimate administrator or user uses netsh.exe wlan functionality for legitimate\n reason\nlevel: medium\n\n
\n}}'),(11255,'Issue',623,15,'T1040');
/*!40000 ALTER TABLE `custom_values` ENABLE KEYS */;
UNLOCK TABLES;
@@ -798,7 +798,7 @@ CREATE TABLE `issues` (
KEY `index_issues_on_created_on` (`created_on`),
KEY `index_issues_on_root_id_and_lft_and_rgt` (`root_id`,`lft`,`rgt`),
KEY `index_issues_on_parent_id` (`parent_id`)
-) ENGINE=InnoDB AUTO_INCREMENT=620 DEFAULT CHARSET=latin1;
+) ENGINE=InnoDB AUTO_INCREMENT=624 DEFAULT CHARSET=latin1;
/*!40101 SET character_set_client = @saved_cs_client */;
--
@@ -807,7 +807,7 @@ CREATE TABLE `issues` (
LOCK TABLES `issues` WRITE;
/*!40000 ALTER TABLE `issues` DISABLE KEYS */;
-INSERT INTO `issues` VALUES (313,1,1,'Executable in ADS',NULL,NULL,NULL,6,NULL,1,NULL,9,0,'2020-05-01 20:55:14','2020-05-01 20:55:14',NULL,0,NULL,NULL,313,1,2,0,NULL),(314,1,1,'Alternate PowerShell Hosts Module Load',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:15','2020-05-01 20:55:15',NULL,0,NULL,NULL,314,1,2,0,NULL),(315,1,1,'Alternate PowerShell Hosts Pipe',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:15','2020-05-01 20:55:15',NULL,0,NULL,NULL,315,1,2,0,NULL),(316,1,1,'OceanLotus Registry Activity',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:16','2020-05-01 20:55:16',NULL,0,NULL,NULL,316,1,2,0,NULL),(317,1,1,'Turla Group Named Pipes',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:16','2020-05-01 20:55:16',NULL,0,NULL,NULL,317,1,2,0,NULL),(318,1,1,'Autorun Keys Modification',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:17','2020-05-01 20:55:17',NULL,0,NULL,NULL,318,1,2,0,NULL),(319,1,1,'CACTUSTORCH Remote Thread Creation',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:17','2020-05-01 20:55:17',NULL,0,NULL,NULL,319,1,2,0,NULL),(320,1,1,'CobaltStrike Process Injection',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:18','2020-05-01 20:55:18',NULL,0,NULL,NULL,320,1,2,0,NULL),(321,1,1,'CreateRemoteThread API and LoadLibrary',NULL,NULL,NULL,2,NULL,1,NULL,9,1,'2020-05-01 20:55:18','2020-05-01 20:55:19',NULL,0,NULL,NULL,321,1,2,0,NULL),(322,1,1,'Credentials Dumping Tools Accessing LSASS Memory',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:19','2020-05-01 20:55:19',NULL,0,NULL,NULL,322,1,2,0,NULL),(323,1,1,'Cred Dump Tools Dropped Files',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:20','2020-05-01 20:55:20',NULL,0,NULL,NULL,323,1,2,0,NULL),(324,1,1,'Cred Dump-Tools Named Pipes',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:20','2020-05-01 20:55:20',NULL,0,NULL,NULL,324,1,2,0,NULL),(325,1,1,'DHCP Callout DLL Installation',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:21','2020-05-01 20:55:21',NULL,0,NULL,NULL,325,1,2,0,NULL),(326,1,1,'Disable Security Events Logging Adding Reg Key MiniNt',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:21','2020-05-01 20:55:21',NULL,0,NULL,NULL,326,1,2,0,NULL),(327,1,1,'Detection of SafetyKatz',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:22','2020-05-01 20:55:22',NULL,0,NULL,NULL,327,1,2,0,NULL),(328,1,1,'Suspicious In-Memory Module Execution',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:22','2020-05-01 20:55:22',NULL,0,NULL,NULL,328,1,2,0,NULL),(329,1,1,'In-memory PowerShell',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:23','2020-05-01 20:55:23',NULL,0,NULL,NULL,329,1,2,0,NULL),(330,1,1,'Suspect Svchost Memory Asccess',NULL,NULL,NULL,2,NULL,1,NULL,9,1,'2020-05-01 20:55:23','2020-05-01 20:55:24',NULL,0,NULL,NULL,330,1,2,0,NULL),(331,1,1,'LSASS Memory Dump',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:24','2020-05-01 20:55:24',NULL,0,NULL,NULL,331,1,2,0,NULL),(332,1,1,'LSASS Memory Dump File Creation',NULL,NULL,NULL,2,NULL,1,NULL,9,1,'2020-05-01 20:55:24','2020-05-01 20:55:25',NULL,0,NULL,NULL,332,1,2,0,NULL),(333,1,1,'Malicious Named Pipe',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:25','2020-05-01 20:55:25',NULL,0,NULL,NULL,333,1,2,0,NULL),(334,1,1,'Suspicious Typical Malware Back Connect Ports',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:26','2020-05-01 20:55:26',NULL,0,NULL,NULL,334,1,2,0,NULL),(335,1,1,'Malware Shellcode in Verclsid Target Process',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:27','2020-05-01 20:55:27',NULL,0,NULL,NULL,335,1,2,0,NULL),(336,1,1,'Mimikatz In-Memory',NULL,NULL,NULL,6,NULL,1,NULL,9,1,'2020-05-01 20:55:27','2020-05-01 20:55:28',NULL,0,NULL,NULL,336,1,2,0,NULL),(337,1,1,'Mimikatz through Windows Remote Management',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:28','2020-05-01 20:55:28',NULL,0,NULL,NULL,337,1,2,0,NULL),(338,1,1,'Dumping Lsass.exe Memory with MiniDumpWriteDump API',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:29','2020-05-01 20:55:29',NULL,0,NULL,NULL,338,1,2,0,NULL),(339,1,1,'Narrator\'s Feedback-Hub Persistence',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:29','2020-05-01 20:55:29',NULL,0,NULL,NULL,339,1,2,0,NULL),(340,1,1,'New DLL Added to AppCertDlls Registry Key',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:30','2020-05-01 20:55:30',NULL,0,NULL,NULL,340,1,2,0,NULL),(341,1,1,'New DLL Added to AppInit_DLLs Registry Key',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:30','2020-05-01 20:55:30',NULL,0,NULL,NULL,341,1,2,0,NULL),(342,1,1,'Password Dumper Remote Thread in LSASS',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:31','2020-05-01 20:55:31',NULL,0,NULL,NULL,342,1,2,0,NULL),(343,1,1,'Possible DNS Rebinding',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:31','2020-05-01 20:55:31',NULL,0,NULL,NULL,343,1,2,0,NULL),(344,1,1,'Possible Privilege Escalation via Service Permissions Weakness',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:32','2020-05-01 20:55:32',NULL,0,NULL,NULL,344,1,2,0,NULL),(345,1,1,'PowerShell Execution',NULL,NULL,NULL,2,NULL,1,NULL,9,1,'2020-05-01 20:55:32','2020-05-01 20:55:33',NULL,0,NULL,NULL,345,1,2,0,NULL),(346,1,1,'Malicious PowerShell Commandlet Names',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:33','2020-05-01 20:55:33',NULL,0,NULL,NULL,346,1,2,0,NULL),(347,1,1,'PowerShell Network Connections',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:34','2020-05-01 20:55:34',NULL,0,NULL,NULL,347,1,2,0,NULL),(348,1,1,'QuarksPwDump Dump File',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:34','2020-05-01 20:55:34',NULL,0,NULL,NULL,348,1,2,0,NULL),(349,1,1,'Raw Disk Access Using Illegitimate Tools',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:35','2020-05-01 20:55:35',NULL,0,NULL,NULL,349,1,2,0,NULL),(350,1,1,'RDP Registry Modification',NULL,NULL,NULL,2,NULL,1,NULL,9,1,'2020-05-01 20:55:35','2020-05-01 20:55:36',NULL,0,NULL,NULL,350,1,2,0,NULL),(351,1,1,'RDP Over Reverse SSH Tunnel',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:36','2020-05-01 20:55:36',NULL,0,NULL,NULL,351,1,2,0,NULL),(352,1,1,'RDP Sensitive Settings Changed',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:37','2020-05-01 20:55:37',NULL,0,NULL,NULL,352,1,2,0,NULL),(353,1,1,'Windows Registry Persistence COM Key Linking',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:37','2020-05-01 20:55:37',NULL,0,NULL,NULL,353,1,2,0,NULL),(354,1,1,'Windows Registry Persistence COM Search Order Hijacking',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:38','2020-05-01 20:55:38',NULL,0,NULL,NULL,354,1,2,0,NULL),(355,1,1,'Windows Registry Trust Record Modification',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:38','2020-05-01 20:55:38',NULL,0,NULL,NULL,355,1,2,0,NULL),(356,1,1,'Regsvr32 Network Activity',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:39','2020-05-01 20:55:39',NULL,0,NULL,NULL,356,1,2,0,NULL),(357,1,1,'Remote PowerShell Session',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:39','2020-05-01 20:55:39',NULL,0,NULL,NULL,357,1,2,0,NULL),(358,1,1,'Renamed jusched.exe',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:40','2020-05-01 20:55:40',NULL,0,NULL,NULL,358,1,2,0,NULL),(359,1,1,'Renamed PowerShell',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:40','2020-05-01 20:55:40',NULL,0,NULL,NULL,359,1,2,0,NULL),(360,1,1,'Renamed ProcDump',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:41','2020-05-01 20:55:41',NULL,0,NULL,NULL,360,1,2,0,NULL),(361,1,1,'Renamed PsExec',NULL,NULL,NULL,2,NULL,1,NULL,9,1,'2020-05-01 20:55:41','2020-05-01 20:55:42',NULL,0,NULL,NULL,361,1,2,0,NULL),(362,1,1,'Rundll32 Internet Connection',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:42','2020-05-01 20:55:42',NULL,0,NULL,NULL,362,1,2,0,NULL),(363,1,1,'Security Support Provider (SSP) Added to LSA Configuration',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:43','2020-05-01 20:55:43',NULL,0,NULL,NULL,363,1,2,0,NULL),(364,1,1,'Suspicious ADSI-Cache Usage By Unknown Tool',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:43','2020-05-01 20:55:43',NULL,0,NULL,NULL,364,1,2,0,NULL),(365,1,1,'Suspicious desktop.ini Action',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:44','2020-05-01 20:55:44',NULL,0,NULL,NULL,365,1,2,0,NULL),(366,1,1,'Suspicious RUN Key from Download',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:44','2020-05-01 20:55:44',NULL,0,NULL,NULL,366,1,2,0,NULL),(367,1,1,'Suspicious Driver Load from Temp',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:45','2020-05-01 20:55:45',NULL,0,NULL,NULL,367,1,2,0,NULL),(368,1,1,'Suspicious File Characteristics Due to Missing Fields',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:45','2020-05-01 20:55:45',NULL,0,NULL,NULL,368,1,2,0,NULL),(369,1,1,'Possible Process Hollowing Image Loading',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:46','2020-05-01 20:55:46',NULL,0,NULL,NULL,369,1,2,0,NULL),(370,1,1,'DLL Load via LSASS',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:46','2020-05-01 20:55:46',NULL,0,NULL,NULL,370,1,2,0,NULL),(371,1,1,'dotNET DLL Loaded Via Office Applications',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:47','2020-05-01 20:55:47',NULL,0,NULL,NULL,371,1,2,0,NULL),(372,1,1,'CLR DLL Loaded Via Office Applications',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:47','2020-05-01 20:55:47',NULL,0,NULL,NULL,372,1,2,0,NULL),(373,1,1,'GAC DLL Loaded Via Office Applications',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:48','2020-05-01 20:55:48',NULL,0,NULL,NULL,373,1,2,0,NULL),(374,1,1,'Active Directory Parsing DLL Loaded Via Office Applications',NULL,NULL,NULL,2,NULL,1,NULL,9,1,'2020-05-01 20:55:48','2020-05-01 20:55:49',NULL,0,NULL,NULL,374,1,2,0,NULL),(375,1,1,'Active Directory Kerberos DLL Loaded Via Office Applications',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:49','2020-05-01 20:55:49',NULL,0,NULL,NULL,375,1,2,0,NULL),(376,1,1,'PowerShell Rundll32 Remote Thread Creation',NULL,NULL,NULL,2,NULL,1,NULL,9,1,'2020-05-01 20:55:49','2020-05-01 20:55:50',NULL,0,NULL,NULL,376,1,2,0,NULL),(377,1,1,'Suspicious PROCEXP152.sys File Created In TMP',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:50','2020-05-01 20:55:50',NULL,0,NULL,NULL,377,1,2,0,NULL),(378,1,1,'Suspicious Program Location with Network Connections',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:51','2020-05-01 20:55:51',NULL,0,NULL,NULL,378,1,2,0,NULL),(379,1,1,'Suspicious Outbound RDP Connections',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:51','2020-05-01 20:55:51',NULL,0,NULL,NULL,379,1,2,0,NULL),(380,1,1,'Registry Persistence via Explorer Run Key',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:52','2020-05-01 20:55:52',NULL,0,NULL,NULL,380,1,2,0,NULL),(381,1,1,'New RUN Key Pointing to Suspicious Folder',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:52','2020-05-01 20:55:52',NULL,0,NULL,NULL,381,1,2,0,NULL),(382,1,1,'Suspicious Service Installed',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:53','2020-05-01 20:55:53',NULL,0,NULL,NULL,382,1,2,0,NULL),(383,1,1,'VBA DLL Loaded Via Microsoft Word',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:53','2020-05-01 20:55:53',NULL,0,NULL,NULL,383,1,2,0,NULL),(384,1,1,'Windows Mangement Instrumentation DLL Loaded Via Microsoft Word',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:54','2020-05-01 20:55:54',NULL,0,NULL,NULL,384,1,2,0,NULL),(385,1,1,'Suspicious Keyboard Layout Load',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:54','2020-05-01 20:55:54',NULL,0,NULL,NULL,385,1,2,0,NULL),(386,1,1,'Suspicious Outbound Kerberos Connection',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:55','2020-05-01 20:55:55',NULL,0,NULL,NULL,386,1,2,0,NULL),(387,1,1,'Suspicious Remote Thread Created',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:55','2020-05-01 20:55:55',NULL,0,NULL,NULL,387,1,2,0,NULL),(388,1,1,'Svchost DLL Search Order Hijack',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:56','2020-05-01 20:55:56',NULL,0,NULL,NULL,388,1,2,0,NULL),(389,1,1,'Hijack Legit RDP Session to Move Laterally',NULL,NULL,NULL,2,NULL,1,NULL,9,1,'2020-05-01 20:55:56','2020-05-01 20:55:57',NULL,0,NULL,NULL,389,1,2,0,NULL),(390,1,1,'UAC Bypass via Event Viewer',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:57','2020-05-01 20:55:57',NULL,0,NULL,NULL,390,1,2,0,NULL),(391,1,1,'UAC Bypass via Sdclt',NULL,NULL,NULL,2,NULL,1,NULL,9,1,'2020-05-01 20:55:57','2020-05-01 20:55:58',NULL,0,NULL,NULL,391,1,2,0,NULL),(392,1,1,'Unsigned Image Loaded Into LSASS Process',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:58','2020-05-01 20:55:58',NULL,0,NULL,NULL,392,1,2,0,NULL),(393,1,1,'Windows Webshell Creation',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:59','2020-05-01 20:55:59',NULL,0,NULL,NULL,393,1,2,0,NULL),(394,1,1,'Microsoft Binary Github Communication',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:59','2020-05-01 20:55:59',NULL,0,NULL,NULL,394,1,2,0,NULL),(395,1,1,'Microsoft Binary Suspicious Communication Endpoint',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:00','2020-05-01 20:56:00',NULL,0,NULL,NULL,395,1,2,0,NULL),(396,1,1,'Registry Persistence Mechanisms',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:00','2020-05-01 20:56:00',NULL,0,NULL,NULL,396,1,2,0,NULL),(397,1,1,'WMI Event Subscription',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:01','2020-05-01 20:56:01',NULL,0,NULL,NULL,397,1,2,0,NULL),(398,1,1,'WMI Modules Loaded',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:01','2020-05-01 20:56:01',NULL,0,NULL,NULL,398,1,2,0,NULL),(399,1,1,'WMI Persistence - Command Line Event Consumer',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:02','2020-05-01 20:56:02',NULL,0,NULL,NULL,399,1,2,0,NULL),(400,1,1,'WMI Persistence - Script Event Consumer File Write',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:02','2020-05-01 20:56:02',NULL,0,NULL,NULL,400,1,2,0,NULL),(401,1,1,'Suspicious Scripting in a WMI Consumer',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:03','2020-05-01 20:56:03',NULL,0,NULL,NULL,401,1,2,0,NULL),(402,1,1,'APT29',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:03','2020-05-01 20:56:03',NULL,0,NULL,NULL,402,1,2,0,NULL),(403,1,1,'Baby Shark Activity',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:04','2020-05-01 20:56:04',NULL,0,NULL,NULL,403,1,2,0,NULL),(404,1,1,'Judgement Panda Credential Access Activity',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:04','2020-05-01 20:56:04',NULL,0,NULL,NULL,404,1,2,0,NULL),(405,1,1,'BlueMashroom DLL Load',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:05','2020-05-01 20:56:05',NULL,0,NULL,NULL,405,1,2,0,NULL),(406,1,1,'WMIExec VBS Script',NULL,NULL,NULL,2,NULL,1,NULL,9,1,'2020-05-01 20:56:05','2020-05-01 20:56:06',NULL,0,NULL,NULL,406,1,2,0,NULL),(407,1,1,'CrackMapExecWin',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:06','2020-05-01 20:56:06',NULL,0,NULL,NULL,407,1,2,0,NULL),(408,1,1,'Elise Backdoor',NULL,NULL,NULL,2,NULL,1,NULL,9,1,'2020-05-01 20:56:06','2020-05-01 20:56:07',NULL,0,NULL,NULL,408,1,2,0,NULL),(409,1,1,'Emissary Panda Malware SLLauncher',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:07','2020-05-01 20:56:07',NULL,0,NULL,NULL,409,1,2,0,NULL),(410,1,1,'Equation Group DLL_U Load',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:08','2020-05-01 20:56:08',NULL,0,NULL,NULL,410,1,2,0,NULL),(411,1,1,'Hurricane Panda Activity',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:08','2020-05-01 20:56:08',NULL,0,NULL,NULL,411,1,2,0,NULL),(412,1,1,'Judgement Panda Exfil Activity',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:09','2020-05-01 20:56:09',NULL,0,NULL,NULL,412,1,2,0,NULL),(413,1,1,'Mustang Panda Dropper',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:09','2020-05-01 20:56:09',NULL,0,NULL,NULL,413,1,2,0,NULL),(414,1,1,'Sofacy Trojan Loader Activity',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:10','2020-05-01 20:56:10',NULL,0,NULL,NULL,414,1,2,0,NULL),(415,1,1,'Ps.exe Renamed SysInternals Tool',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:11','2020-05-01 20:56:11',NULL,0,NULL,NULL,415,1,2,0,NULL),(416,1,1,'TropicTrooper Campaign November 2018',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:11','2020-05-01 20:56:11',NULL,0,NULL,NULL,416,1,2,0,NULL),(417,1,1,'Winnti Malware HK University Campaign',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:12','2020-05-01 20:56:12',NULL,0,NULL,NULL,417,1,2,0,NULL),(418,1,1,'ZxShell Malware',NULL,NULL,NULL,2,NULL,1,NULL,9,1,'2020-05-01 20:56:12','2020-05-01 20:56:13',NULL,0,NULL,NULL,418,1,2,0,NULL),(419,1,1,'Hiding Files with Attrib.exe',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:13','2020-05-01 20:56:13',NULL,0,NULL,NULL,419,1,2,0,NULL),(420,1,1,'Modification of Boot Configuration',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:14','2020-05-01 20:56:14',NULL,0,NULL,NULL,420,1,2,0,NULL),(421,1,1,'SquiblyTwo',NULL,NULL,NULL,2,NULL,1,NULL,9,1,'2020-05-01 20:56:14','2020-05-01 20:56:15',NULL,0,NULL,NULL,421,1,2,0,NULL),(422,1,1,'Change Default File Association',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:15','2020-05-01 20:56:15',NULL,0,NULL,NULL,422,1,2,0,NULL),(423,1,1,'Cmdkey Cached Credentials Recon',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:16','2020-05-01 20:56:16',NULL,0,NULL,NULL,423,1,2,0,NULL),(424,1,1,'CMSTP UAC Bypass via COM Object Access',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:16','2020-05-01 20:56:16',NULL,0,NULL,NULL,424,1,2,0,NULL),(425,1,1,'Control Panel Items',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:17','2020-05-01 20:56:17',NULL,0,NULL,NULL,425,1,2,0,NULL),(426,1,1,'Copying Sensitive Files with Credential Data',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:17','2020-05-01 20:56:17',NULL,0,NULL,NULL,426,1,2,0,NULL),(427,1,1,'Fireball Archer Install',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:18','2020-05-01 20:56:18',NULL,0,NULL,NULL,427,1,2,0,NULL),(428,1,1,'Data Compressed - rar.exe',NULL,NULL,NULL,2,NULL,1,NULL,9,1,'2020-05-01 20:56:18','2020-05-01 20:56:19',NULL,0,NULL,NULL,428,1,2,0,NULL),(429,1,1,'Domain Trust Discovery',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:19','2020-05-01 20:56:19',NULL,0,NULL,NULL,429,1,2,0,NULL),(430,1,1,'Encoded FromBase64String',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:20','2020-05-01 20:56:20',NULL,0,NULL,NULL,430,1,2,0,NULL),(431,1,1,'Encoded IEX',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:20','2020-05-01 20:56:20',NULL,0,NULL,NULL,431,1,2,0,NULL),(432,1,1,'Disable of ETW Trace',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:21','2020-05-01 20:56:21',NULL,0,NULL,NULL,432,1,2,0,NULL),(433,1,1,'Exfiltration and Tunneling Tools Execution',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:21','2020-05-01 20:56:21',NULL,0,NULL,NULL,433,1,2,0,NULL),(434,1,1,'Exploit for CVE-2015-1641',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:22','2020-05-01 20:56:22',NULL,0,NULL,NULL,434,1,2,0,NULL),(435,1,1,'Exploit for CVE-2017-0261',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:22','2020-05-01 20:56:22',NULL,0,NULL,NULL,435,1,2,0,NULL),(436,1,1,'Droppers Exploiting CVE-2017-11882',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:23','2020-05-01 20:56:23',NULL,0,NULL,NULL,436,1,2,0,NULL),(437,1,1,'Exploit for CVE-2017-8759',NULL,NULL,NULL,2,NULL,1,NULL,9,1,'2020-05-01 20:56:23','2020-05-01 20:56:24',NULL,0,NULL,NULL,437,1,2,0,NULL),(438,1,1,'Exploiting SetupComplete.cmd CVE-2019-1378',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:24','2020-05-01 20:56:24',NULL,0,NULL,NULL,438,1,2,0,NULL),(439,1,1,'Exploiting CVE-2019-1388',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:25','2020-05-01 20:56:25',NULL,0,NULL,NULL,439,1,2,0,NULL),(440,1,1,'Exploited CVE-2020-10189 Zoho ManageEngine',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:25','2020-05-01 20:56:25',NULL,0,NULL,NULL,440,1,2,0,NULL),(441,1,1,'File or Folder Permissions Modifications',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:26','2020-05-01 20:56:26',NULL,0,NULL,NULL,441,1,2,0,NULL),(442,1,1,'Grabbing Sensitive Hives via Reg Utility',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:26','2020-05-01 20:56:26',NULL,0,NULL,NULL,442,1,2,0,NULL),(443,1,1,'Bloodhound and Sharphound Hack Tool',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:27','2020-05-01 20:56:27',NULL,0,NULL,NULL,443,1,2,0,NULL),(444,1,1,'Koadic Execution',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:27','2020-05-01 20:56:27',NULL,0,NULL,NULL,444,1,2,0,NULL),(445,1,1,'Rubeus Hack Tool',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:28','2020-05-01 20:56:28',NULL,0,NULL,NULL,445,1,2,0,NULL),(446,1,1,'SecurityXploded Tool',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:28','2020-05-01 20:56:28',NULL,0,NULL,NULL,446,1,2,0,NULL),(447,1,1,'HH.exe Execution',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:29','2020-05-01 20:56:29',NULL,0,NULL,NULL,447,1,2,0,NULL),(448,1,1,'HTML Help Shell Spawn',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:29','2020-05-01 20:56:29',NULL,0,NULL,NULL,448,1,2,0,NULL),(449,1,1,'Suspicious HWP Sub Processes',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:30','2020-05-01 20:56:30',NULL,0,NULL,NULL,449,1,2,0,NULL),(450,1,1,'Impacket Lateralization Detection',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:30','2020-05-01 20:56:30',NULL,0,NULL,NULL,450,1,2,0,NULL),(451,1,1,'Indirect Command Execution',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:31','2020-05-01 20:56:31',NULL,0,NULL,NULL,451,1,2,0,NULL),(452,1,1,'Suspicious Debugger Registration Cmdline',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:31','2020-05-01 20:56:31',NULL,0,NULL,NULL,452,1,2,0,NULL),(453,1,1,'Interactive AT Job',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:32','2020-05-01 20:56:32',NULL,0,NULL,NULL,453,1,2,0,NULL),(454,1,1,'Invoke-Obfuscation Obfuscated IEX Invocation',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:32','2020-05-01 20:56:32',NULL,0,NULL,NULL,454,1,2,0,NULL),(455,1,1,'Windows Kernel and 3rd-Party Drivers Exploits Token Stealing',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:33','2020-05-01 20:56:33',NULL,0,NULL,NULL,455,1,2,0,NULL),(456,1,1,'MSHTA Spwaned by SVCHOST',NULL,NULL,NULL,2,NULL,1,NULL,9,1,'2020-05-01 20:56:33','2020-05-01 20:56:34',NULL,0,NULL,NULL,456,1,2,0,NULL),(457,1,1,'Local Accounts Discovery',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:34','2020-05-01 20:56:34',NULL,0,NULL,NULL,457,1,2,0,NULL),(458,1,1,'LSASS Memory Dumping',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:35','2020-05-01 20:56:35',NULL,0,NULL,NULL,458,1,2,0,NULL),(459,1,1,'Dridex Process Pattern',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:35','2020-05-01 20:56:35',NULL,0,NULL,NULL,459,1,2,0,NULL),(460,1,1,'DTRACK Process Creation',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:36','2020-05-01 20:56:36',NULL,0,NULL,NULL,460,1,2,0,NULL),(461,1,1,'Emotet Process Creation',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:36','2020-05-01 20:56:36',NULL,0,NULL,NULL,461,1,2,0,NULL),(462,1,1,'Formbook Process Creation',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:37','2020-05-01 20:56:37',NULL,0,NULL,NULL,462,1,2,0,NULL),(463,1,1,'NotPetya Ransomware Activity',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:37','2020-05-01 20:56:37',NULL,0,NULL,NULL,463,1,2,0,NULL),(464,1,1,'QBot Process Creation',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:38','2020-05-01 20:56:38',NULL,0,NULL,NULL,464,1,2,0,NULL),(465,1,1,'Ryuk Ransomware',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:38','2020-05-01 20:56:38',NULL,0,NULL,NULL,465,1,2,0,NULL),(466,1,1,'WScript or CScript Dropper',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:39','2020-05-01 20:56:39',NULL,0,NULL,NULL,466,1,2,0,NULL),(467,1,1,'Trickbot Malware Recon Activity',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:39','2020-05-01 20:56:39',NULL,0,NULL,NULL,467,1,2,0,NULL),(468,1,1,'WannaCry Ransomware',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:40','2020-05-01 20:56:40',NULL,0,NULL,NULL,468,1,2,0,NULL),(469,1,1,'MavInject Process Injection',NULL,NULL,NULL,2,NULL,1,NULL,9,1,'2020-05-01 20:56:40','2020-05-01 20:56:41',NULL,0,NULL,NULL,469,1,2,0,NULL),(470,1,1,'Meterpreter or Cobalt Strike Getsystem Service Start',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:41','2020-05-01 20:56:41',NULL,0,NULL,NULL,470,1,2,0,NULL),(471,1,1,'Mimikatz Command Line',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:42','2020-05-01 20:56:42',NULL,0,NULL,NULL,471,1,2,0,NULL),(472,1,1,'MMC Spawning Windows Shell',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:42','2020-05-01 20:56:42',NULL,0,NULL,NULL,472,1,2,0,NULL),(473,1,1,'MSHTA Spawning Windows Shell',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:43','2020-05-01 20:56:43',NULL,0,NULL,NULL,473,1,2,0,NULL),(474,1,1,'Quick Execution of a Series of Suspicious Commands',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:43','2020-05-01 20:56:43',NULL,0,NULL,NULL,474,1,2,0,NULL),(475,1,1,'Windows Network Enumeration',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:44','2020-05-01 20:56:44',NULL,0,NULL,NULL,475,1,2,0,NULL),(476,1,1,'Net.exe User Account Creation',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:44','2020-05-01 20:56:44',NULL,0,NULL,NULL,476,1,2,0,NULL),(477,1,1,'Netsh',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:45','2020-05-01 20:56:45',NULL,0,NULL,NULL,477,1,2,0,NULL),(478,1,1,'Capture a Network Trace with netsh.exe',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:45','2020-05-01 20:56:45',NULL,0,NULL,NULL,478,1,2,0,NULL),(479,1,1,'Netsh Port Forwarding',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:46','2020-05-01 20:56:46',NULL,0,NULL,NULL,479,1,2,0,NULL),(480,1,1,'Netsh RDP Port Forwarding',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:46','2020-05-01 20:56:46',NULL,0,NULL,NULL,480,1,2,0,NULL),(481,1,1,'Network Sniffing',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:47','2020-05-01 20:56:47',NULL,0,NULL,NULL,481,1,2,0,NULL),(482,1,1,'New Service Creation',NULL,NULL,NULL,2,NULL,1,NULL,9,1,'2020-05-01 20:56:47','2020-05-01 20:56:48',NULL,0,NULL,NULL,482,1,2,0,NULL),(483,1,1,'Non Interactive PowerShell',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:48','2020-05-01 20:56:48',NULL,0,NULL,NULL,483,1,2,0,NULL),(484,1,1,'Microsoft Office Product Spawning Windows Shell',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:49','2020-05-01 20:56:49',NULL,0,NULL,NULL,484,1,2,0,NULL),(485,1,1,'MS Office Product Spawning Exe in User Dir',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:49','2020-05-01 20:56:49',NULL,0,NULL,NULL,485,1,2,0,NULL),(486,1,1,'Executable Used by PlugX in Uncommon Location',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:50','2020-05-01 20:56:50',NULL,0,NULL,NULL,486,1,2,0,NULL),(487,1,1,'Possible Applocker Bypass',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:50','2020-05-01 20:56:50',NULL,0,NULL,NULL,487,1,2,0,NULL),(488,1,1,'Detection of Possible Rotten Potato',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:51','2020-05-01 20:56:51',NULL,0,NULL,NULL,488,1,2,0,NULL),(489,1,1,'Powershell AMSI Bypass via .NET Reflection',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:51','2020-05-01 20:56:51',NULL,0,NULL,NULL,489,1,2,0,NULL),(490,1,1,'Audio Capture via PowerShell',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:52','2020-05-01 20:56:52',NULL,0,NULL,NULL,490,1,2,0,NULL),(491,1,1,'PowerShell Base64 Encoded Shellcode',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:52','2020-05-01 20:56:52',NULL,0,NULL,NULL,491,1,2,0,NULL),(492,1,1,'Suspicious Bitsadmin Job via PowerShell',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:53','2020-05-01 20:56:53',NULL,0,NULL,NULL,492,1,2,0,NULL),(493,1,1,'Detection of PowerShell Execution via DLL',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:53','2020-05-01 20:56:53',NULL,0,NULL,NULL,493,1,2,0,NULL),(494,1,1,'PowerShell Downgrade Attack',NULL,NULL,NULL,6,NULL,1,NULL,9,0,'2020-05-01 20:56:54','2020-05-01 20:56:54',NULL,0,NULL,NULL,494,1,2,0,NULL),(495,1,1,'PowerShell Download from URL',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:54','2020-05-01 20:56:54',NULL,0,NULL,NULL,495,1,2,0,NULL),(496,1,1,'FromBase64String Command Line',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:55','2020-05-01 20:56:55',NULL,0,NULL,NULL,496,1,2,0,NULL),(497,1,1,'Suspicious PowerShell Parameter Substring',NULL,NULL,NULL,2,NULL,1,NULL,9,1,'2020-05-01 20:56:55','2020-05-01 20:56:56',NULL,0,NULL,NULL,497,1,2,0,NULL),(498,1,1,'Suspicious XOR Encoded PowerShell Command Line',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:56','2020-05-01 20:56:56',NULL,0,NULL,NULL,498,1,2,0,NULL),(499,1,1,'Default PowerSploit and Empire Schtasks Persistence',NULL,NULL,NULL,2,NULL,1,NULL,9,1,'2020-05-01 20:56:56','2020-05-01 20:56:57',NULL,0,NULL,NULL,499,1,2,0,NULL),(500,1,1,'Windows Processes Suspicious Parent Directory',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:57','2020-05-01 20:56:57',NULL,0,NULL,NULL,500,1,2,0,NULL),(501,1,1,'Bitsadmin Download',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:58','2020-05-01 20:56:58',NULL,0,NULL,NULL,501,1,2,0,NULL),(502,1,1,'Process Dump via Rundll32 and Comsvcs.dll',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:58','2020-05-01 20:56:58',NULL,0,NULL,NULL,502,1,2,0,NULL),(503,1,1,'PsExec Service Start',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:59','2020-05-01 20:56:59',NULL,0,NULL,NULL,503,1,2,0,NULL),(504,1,1,'Query Registry',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:59','2020-05-01 20:56:59',NULL,0,NULL,NULL,504,1,2,0,NULL),(505,1,1,'MSTSC Shadowing',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:00','2020-05-01 20:57:00',NULL,0,NULL,NULL,505,1,2,0,NULL),(506,1,1,'Remote PowerShell Session',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:00','2020-05-01 20:57:00',NULL,0,NULL,NULL,506,1,2,0,NULL),(507,1,1,'Discovery of a System Time',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:01','2020-05-01 20:57:01',NULL,0,NULL,NULL,507,1,2,0,NULL),(508,1,1,'Renamed Binary',NULL,NULL,NULL,2,NULL,1,NULL,9,1,'2020-05-01 20:57:01','2020-05-01 20:57:02',NULL,0,NULL,NULL,508,1,2,0,NULL),(509,1,1,'Highly Relevant Renamed Binary',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:02','2020-05-01 20:57:02',NULL,0,NULL,NULL,509,1,2,0,NULL),(510,1,1,'Execution of Renamed PaExec',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:03','2020-05-01 20:57:03',NULL,0,NULL,NULL,510,1,2,0,NULL),(511,1,1,'Run PowerShell Script from ADS',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:03','2020-05-01 20:57:03',NULL,0,NULL,NULL,511,1,2,0,NULL),(512,1,1,'Possible Shim Database Persistence via sdbinst.exe',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:04','2020-05-01 20:57:04',NULL,0,NULL,NULL,512,1,2,0,NULL),(513,1,1,'Service Execution',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:04','2020-05-01 20:57:04',NULL,0,NULL,NULL,513,1,2,0,NULL),(514,1,1,'Stop Windows Service',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:05','2020-05-01 20:57:05',NULL,0,NULL,NULL,514,1,2,0,NULL),(515,1,1,'Shadow Copies Access via Symlink',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:05','2020-05-01 20:57:05',NULL,0,NULL,NULL,515,1,2,0,NULL),(516,1,1,'Shadow Copies Creation Using Operating Systems Utilities',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:06','2020-05-01 20:57:06',NULL,0,NULL,NULL,516,1,2,0,NULL),(517,1,1,'Shadow Copies Deletion Using Operating Systems Utilities',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:06','2020-05-01 20:57:06',NULL,0,NULL,NULL,517,1,2,0,NULL),(518,1,1,'Windows Shell Spawning Suspicious Program',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:07','2020-05-01 20:57:07',NULL,0,NULL,NULL,518,1,2,0,NULL),(519,1,1,'Audio Capture via SoundRecorder',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:07','2020-05-01 20:57:07',NULL,0,NULL,NULL,519,1,2,0,NULL),(520,1,1,'Possible SPN Enumeration',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:08','2020-05-01 20:57:08',NULL,0,NULL,NULL,520,1,2,0,NULL),(521,1,1,'Possible Ransomware or Unauthorized MBR Modifications',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:08','2020-05-01 20:57:08',NULL,0,NULL,NULL,521,1,2,0,NULL),(522,1,1,'Application Whitelisting Bypass via Bginfo',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:09','2020-05-01 20:57:09',NULL,0,NULL,NULL,522,1,2,0,NULL),(523,1,1,'Suspicious Calculator Usage',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:09','2020-05-01 20:57:09',NULL,0,NULL,NULL,523,1,2,0,NULL),(524,1,1,'Possible App Whitelisting Bypass via WinDbg/CDB as a Shellcode Runner',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:10','2020-05-01 20:57:10',NULL,0,NULL,NULL,524,1,2,0,NULL),(525,1,1,'Suspicious Certutil Command',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:10','2020-05-01 20:57:10',NULL,0,NULL,NULL,525,1,2,0,NULL),(526,1,1,'Certutil Encode',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:11','2020-05-01 20:57:11',NULL,0,NULL,NULL,526,1,2,0,NULL),(527,1,1,'Suspicious Commandline Escape',NULL,NULL,NULL,2,NULL,1,NULL,9,1,'2020-05-01 20:57:11','2020-05-01 20:57:12',NULL,0,NULL,NULL,527,1,2,0,NULL),(528,1,1,'Command Line Execution with Suspicious URL and AppData Strings',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:12','2020-05-01 20:57:12',NULL,0,NULL,NULL,528,1,2,0,NULL),(529,1,1,'Suspicious Code Page Switch',NULL,NULL,NULL,2,NULL,1,NULL,9,1,'2020-05-01 20:57:12','2020-05-01 20:57:13',NULL,0,NULL,NULL,529,1,2,0,NULL),(530,1,1,'Reconnaissance Activity with Net Command',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:13','2020-05-01 20:57:13',NULL,0,NULL,NULL,530,1,2,0,NULL),(531,1,1,'Suspicious Compression Tool Parameters',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:14','2020-05-01 20:57:14',NULL,0,NULL,NULL,531,1,2,0,NULL),(532,1,1,'Process Dump via Comsvcs DLL',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:14','2020-05-01 20:57:14',NULL,0,NULL,NULL,532,1,2,0,NULL),(533,1,1,'Suspicious Control Panel DLL Load',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:15','2020-05-01 20:57:15',NULL,0,NULL,NULL,533,1,2,0,NULL),(534,1,1,'Copy from Admin Share',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:15','2020-05-01 20:57:15',NULL,0,NULL,NULL,534,1,2,0,NULL),(535,1,1,'Suspicious Parent of Csc.exe',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:16','2020-05-01 20:57:16',NULL,0,NULL,NULL,535,1,2,0,NULL),(536,1,1,'Suspicious Csc.exe Source File Folder',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:16','2020-05-01 20:57:16',NULL,0,NULL,NULL,536,1,2,0,NULL),(537,1,1,'Curl Start Combination',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:17','2020-05-01 20:57:17',NULL,0,NULL,NULL,537,1,2,0,NULL),(538,1,1,'ZOHO Dctask64 Process Injection',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:17','2020-05-01 20:57:17',NULL,0,NULL,NULL,538,1,2,0,NULL),(539,1,1,'Devtoolslauncher.exe Executes Specified Binary',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:18','2020-05-01 20:57:18',NULL,0,NULL,NULL,539,1,2,0,NULL),(540,1,1,'Direct Autorun Keys Modification',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:18','2020-05-01 20:57:18',NULL,0,NULL,NULL,540,1,2,0,NULL),(541,1,1,'Application Whitelisting Bypass via Dnx.exe',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:19','2020-05-01 20:57:19',NULL,0,NULL,NULL,541,1,2,0,NULL),(542,1,1,'Suspicious Double Extension',NULL,NULL,NULL,2,NULL,1,NULL,9,1,'2020-05-01 20:57:19','2020-05-01 20:57:20',NULL,0,NULL,NULL,542,1,2,0,NULL),(543,1,1,'Application Whitelisting Bypass via Dxcap.exe',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:20','2020-05-01 20:57:20',NULL,0,NULL,NULL,543,1,2,0,NULL),(544,1,1,'Suspicious Eventlog Clear or Configuration Using Wevtutil',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:21','2020-05-01 20:57:21',NULL,0,NULL,NULL,544,1,2,0,NULL),(545,1,1,'Executables Started in Suspicious Folder',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:21','2020-05-01 20:57:21',NULL,0,NULL,NULL,545,1,2,0,NULL),(546,1,1,'Execution in Non-Executable Folder',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:22','2020-05-01 20:57:22',NULL,0,NULL,NULL,546,1,2,0,NULL),(547,1,1,'Execution in Webserver Root Folder',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:22','2020-05-01 20:57:22',NULL,0,NULL,NULL,547,1,2,0,NULL),(548,1,1,'Firewall Disabled via Netsh',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:23','2020-05-01 20:57:23',NULL,0,NULL,NULL,548,1,2,0,NULL),(549,1,1,'Fsutil Suspicious Invocation',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:23','2020-05-01 20:57:23',NULL,0,NULL,NULL,549,1,2,0,NULL),(550,1,1,'Suspicious GUP Usage',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:24','2020-05-01 20:57:24',NULL,0,NULL,NULL,550,1,2,0,NULL),(551,1,1,'IIS Native-Code Module Command Line Installation',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:24','2020-05-01 20:57:24',NULL,0,NULL,NULL,551,1,2,0,NULL),(552,1,1,'Suspicious MsiExec Directory',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:25','2020-05-01 20:57:25',NULL,0,NULL,NULL,552,1,2,0,NULL),(553,1,1,'MsiExec Web Install',NULL,NULL,NULL,2,NULL,1,NULL,9,1,'2020-05-01 20:57:25','2020-05-01 20:57:26',NULL,0,NULL,NULL,553,1,2,0,NULL),(554,1,1,'Malicious Payload Download via Office Binaries',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:26','2020-05-01 20:57:26',NULL,0,NULL,NULL,554,1,2,0,NULL),(555,1,1,'Net.exe Execution',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:27','2020-05-01 20:57:27',NULL,0,NULL,NULL,555,1,2,0,NULL),(556,1,1,'Suspicious Netsh DLL Persistence',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:27','2020-05-01 20:57:27',NULL,0,NULL,NULL,556,1,2,0,NULL),(557,1,1,'Invocation of Active Directory Diagnostic Tool (ntdsutil.exe)',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:28','2020-05-01 20:57:28',NULL,0,NULL,NULL,557,1,2,0,NULL),(558,1,1,'Application Whitelisting Bypass via DLL Loaded by odbcconf.exe',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:28','2020-05-01 20:57:28',NULL,0,NULL,NULL,558,1,2,0,NULL),(559,1,1,'OpenWith.exe Executes Specified Binary',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:29','2020-05-01 20:57:29',NULL,0,NULL,NULL,559,1,2,0,NULL),(560,1,1,'Suspicious Execution from Outlook',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:29','2020-05-01 20:57:29',NULL,0,NULL,NULL,560,1,2,0,NULL),(561,1,1,'Execution in Outlook Temp Folder',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:30','2020-05-01 20:57:30',NULL,0,NULL,NULL,561,1,2,0,NULL),(562,1,1,'Ping Hex IP',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:30','2020-05-01 20:57:30',NULL,0,NULL,NULL,562,1,2,0,NULL),(563,1,1,'Empire PowerShell Launch Parameters',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:31','2020-05-01 20:57:31',NULL,0,NULL,NULL,563,1,2,0,NULL),(564,1,1,'Empire PowerShell UAC Bypass',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:31','2020-05-01 20:57:31',NULL,0,NULL,NULL,564,1,2,0,NULL),(565,1,1,'Suspicious Encoded PowerShell Command Line',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:32','2020-05-01 20:57:32',NULL,0,NULL,NULL,565,1,2,0,NULL),(566,1,1,'Malicious Base64 Encoded PowerShell Keywords in Command Lines',NULL,NULL,NULL,2,NULL,1,NULL,9,1,'2020-05-01 20:57:32','2020-05-01 20:57:33',NULL,0,NULL,NULL,566,1,2,0,NULL),(567,1,1,'Suspicious PowerShell Invocation Based on Parent Process',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:33','2020-05-01 20:57:33',NULL,0,NULL,NULL,567,1,2,0,NULL),(568,1,1,'Suspicious Use of Procdump',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:34','2020-05-01 20:57:34',NULL,0,NULL,NULL,568,1,2,0,NULL),(569,1,1,'Suspicious Process Creation',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:34','2020-05-01 20:57:34',NULL,0,NULL,NULL,569,1,2,0,NULL),(570,1,1,'Suspicious Program Location Process Starts',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:35','2020-05-01 20:57:35',NULL,0,NULL,NULL,570,1,2,0,NULL),(571,1,1,'PowerShell Script Run in AppData',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:35','2020-05-01 20:57:35',NULL,0,NULL,NULL,571,1,2,0,NULL),(572,1,1,'PowerShell DownloadFile',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:36','2020-05-01 20:57:36',NULL,0,NULL,NULL,572,1,2,0,NULL),(573,1,1,'Psr.exe Capture Screenshots',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:36','2020-05-01 20:57:36',NULL,0,NULL,NULL,573,1,2,0,NULL),(574,1,1,'Suspicious RASdial Activity',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:37','2020-05-01 20:57:37',NULL,0,NULL,NULL,574,1,2,0,NULL),(575,1,1,'Suspicious Reconnaissance Activity',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:37','2020-05-01 20:57:37',NULL,0,NULL,NULL,575,1,2,0,NULL),(576,1,1,'Regsvr32 Anomaly',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:38','2020-05-01 20:57:38',NULL,0,NULL,NULL,576,1,2,0,NULL),(577,1,1,'Renamed ZOHO Dctask64',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:38','2020-05-01 20:57:38',NULL,0,NULL,NULL,577,1,2,0,NULL),(578,1,1,'Suspicious Process Start Locations',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:39','2020-05-01 20:57:39',NULL,0,NULL,NULL,578,1,2,0,NULL),(579,1,1,'Suspicious Rundll32 Activity',NULL,NULL,NULL,2,NULL,1,NULL,9,1,'2020-05-01 20:57:39','2020-05-01 20:57:40',NULL,0,NULL,NULL,579,1,2,0,NULL),(580,1,1,'Suspicious Call by Ordinal',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:40','2020-05-01 20:57:40',NULL,0,NULL,NULL,580,1,2,0,NULL),(581,1,1,'Scheduled Task Creation',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:41','2020-05-01 20:57:41',NULL,0,NULL,NULL,581,1,2,0,NULL),(582,1,1,'WSF/JSE/JS/VBA/VBE File Execution',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:41','2020-05-01 20:57:41',NULL,0,NULL,NULL,582,1,2,0,NULL),(583,1,1,'Suspicious Service Path Modification',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:42','2020-05-01 20:57:42',NULL,0,NULL,NULL,583,1,2,0,NULL),(584,1,1,'Squirrel Lolbin',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:42','2020-05-01 20:57:42',NULL,0,NULL,NULL,584,1,2,0,NULL),(585,1,1,'Suspicious Svchost Process',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:43','2020-05-01 20:57:43',NULL,0,NULL,NULL,585,1,2,0,NULL),(586,1,1,'Suspect Svchost Activity',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:43','2020-05-01 20:57:43',NULL,0,NULL,NULL,586,1,2,0,NULL),(587,1,1,'Sysprep on AppData Folder',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:44','2020-05-01 20:57:44',NULL,0,NULL,NULL,587,1,2,0,NULL),(588,1,1,'Suspicious SYSVOL Domain Group Policy Access',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:44','2020-05-01 20:57:44',NULL,0,NULL,NULL,588,1,2,0,NULL),(589,1,1,'Taskmgr as LOCAL_SYSTEM',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:45','2020-05-01 20:57:45',NULL,0,NULL,NULL,589,1,2,0,NULL),(590,1,1,'Taskmgr as Parent',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:45','2020-05-01 20:57:45',NULL,0,NULL,NULL,590,1,2,0,NULL),(591,1,1,'Suspicious TSCON Start',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:46','2020-05-01 20:57:46',NULL,0,NULL,NULL,591,1,2,0,NULL),(592,1,1,'Suspicious RDP Redirect Using TSCON',NULL,NULL,NULL,2,NULL,1,NULL,9,1,'2020-05-01 20:57:46','2020-05-01 20:57:47',NULL,0,NULL,NULL,592,1,2,0,NULL),(593,1,1,'Suspicious Use of CSharp Interactive Console',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:47','2020-05-01 20:57:47',NULL,0,NULL,NULL,593,1,2,0,NULL),(594,1,1,'Suspicious Userinit Child Process',NULL,NULL,NULL,2,NULL,1,NULL,9,1,'2020-05-01 20:57:47','2020-05-01 20:57:48',NULL,0,NULL,NULL,594,1,2,0,NULL),(595,1,1,'Whoami Execution',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:48','2020-05-01 20:57:48',NULL,0,NULL,NULL,595,1,2,0,NULL),(596,1,1,'Suspicious WMI Execution',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:49','2020-05-01 20:57:49',NULL,0,NULL,NULL,596,1,2,0,NULL),(597,1,1,'Sysmon Driver Unload',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:49','2020-05-01 20:57:49',NULL,0,NULL,NULL,597,1,2,0,NULL),(598,1,1,'System File Execution Location Anomaly',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:50','2020-05-01 20:57:50',NULL,0,NULL,NULL,598,1,2,0,NULL),(599,1,1,'Tap Installer Execution',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:50','2020-05-01 20:57:50',NULL,0,NULL,NULL,599,1,2,0,NULL),(600,1,1,'Tasks Folder Evasion',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:51','2020-05-01 20:57:51',NULL,0,NULL,NULL,600,1,2,0,NULL),(601,1,1,'Terminal Service Process Spawn',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:51','2020-05-01 20:57:51',NULL,0,NULL,NULL,601,1,2,0,NULL),(602,1,1,'Domain Trust Discovery',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:52','2020-05-01 20:57:52',NULL,0,NULL,NULL,602,1,2,0,NULL),(603,1,1,'Bypass UAC via CMSTP',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:52','2020-05-01 20:57:52',NULL,0,NULL,NULL,603,1,2,0,NULL),(604,1,1,'Bypass UAC via Fodhelper.exe',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:53','2020-05-01 20:57:53',NULL,0,NULL,NULL,604,1,2,0,NULL),(605,1,1,'Bypass UAC via WSReset.exe',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:53','2020-05-01 20:57:53',NULL,0,NULL,NULL,605,1,2,0,NULL),(606,1,1,'Possible Privilege Escalation via Weak Service Permissions',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:54','2020-05-01 20:57:54',NULL,0,NULL,NULL,606,1,2,0,NULL),(607,1,1,'Java Running with Remote Debugging',NULL,NULL,NULL,2,NULL,1,NULL,9,1,'2020-05-01 20:57:54','2020-05-01 20:57:55',NULL,0,NULL,NULL,607,1,2,0,NULL),(608,1,1,'Webshell Detection With Command Line Keywords',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:55','2020-05-01 20:57:55',NULL,0,NULL,NULL,608,1,2,0,NULL),(609,1,1,'Shells Spawned by Web Servers',NULL,NULL,NULL,2,NULL,1,NULL,9,1,'2020-05-01 20:57:55','2020-05-01 20:57:56',NULL,0,NULL,NULL,609,1,2,0,NULL),(610,1,1,'Run Whoami as SYSTEM',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:56','2020-05-01 20:57:56',NULL,0,NULL,NULL,610,1,2,0,NULL),(611,1,1,'Windows 10 Scheduled Task SandboxEscaper 0-day',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:57','2020-05-01 20:57:57',NULL,0,NULL,NULL,611,1,2,0,NULL),(612,1,1,'WMI Backdoor Exchange Transport Agent',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:57','2020-05-01 20:57:57',NULL,0,NULL,NULL,612,1,2,0,NULL),(613,1,1,'WMI Persistence - Script Event Consumer',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:58','2020-05-01 20:57:58',NULL,0,NULL,NULL,613,1,2,0,NULL),(614,1,1,'WMI Spawning Windows PowerShell',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:58','2020-05-01 20:57:58',NULL,0,NULL,NULL,614,1,2,0,NULL),(615,1,1,'Wmiprvse Spawning Process',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:59','2020-05-01 20:57:59',NULL,0,NULL,NULL,615,1,2,0,NULL),(616,1,1,'Microsoft Workflow Compiler',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:59','2020-05-01 20:57:59',NULL,0,NULL,NULL,616,1,2,0,NULL),(617,1,1,'Wsreset UAC Bypass',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:58:00','2020-05-01 20:58:00',NULL,0,NULL,NULL,617,1,2,0,NULL),(618,1,1,'XSL Script Processing',NULL,NULL,NULL,4,NULL,1,NULL,9,3,'2020-05-01 20:58:00','2020-05-03 10:00:57',NULL,0,NULL,NULL,618,1,2,0,NULL),(619,1,1,'Whoami Execution',NULL,NULL,NULL,3,NULL,1,NULL,9,3,'2020-05-02 12:35:33','2020-05-02 19:59:29',NULL,0,NULL,NULL,619,1,2,0,NULL);
+INSERT INTO `issues` VALUES (313,1,1,'Executable in ADS',NULL,NULL,NULL,6,NULL,1,NULL,9,0,'2020-05-01 20:55:14','2020-05-01 20:55:14',NULL,0,NULL,NULL,313,1,2,0,NULL),(314,1,1,'Alternate PowerShell Hosts Module Load',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:15','2020-05-01 20:55:15',NULL,0,NULL,NULL,314,1,2,0,NULL),(315,1,1,'Alternate PowerShell Hosts Pipe',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:15','2020-05-01 20:55:15',NULL,0,NULL,NULL,315,1,2,0,NULL),(316,1,1,'OceanLotus Registry Activity',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:16','2020-05-01 20:55:16',NULL,0,NULL,NULL,316,1,2,0,NULL),(317,1,1,'Turla Group Named Pipes',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:16','2020-05-01 20:55:16',NULL,0,NULL,NULL,317,1,2,0,NULL),(318,1,1,'Autorun Keys Modification',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:17','2020-05-01 20:55:17',NULL,0,NULL,NULL,318,1,2,0,NULL),(319,1,1,'CACTUSTORCH Remote Thread Creation',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:17','2020-05-01 20:55:17',NULL,0,NULL,NULL,319,1,2,0,NULL),(320,1,1,'CobaltStrike Process Injection',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:18','2020-05-01 20:55:18',NULL,0,NULL,NULL,320,1,2,0,NULL),(321,1,1,'CreateRemoteThread API and LoadLibrary',NULL,NULL,NULL,2,NULL,1,NULL,9,1,'2020-05-01 20:55:18','2020-05-01 20:55:19',NULL,0,NULL,NULL,321,1,2,0,NULL),(322,1,1,'Credentials Dumping Tools Accessing LSASS Memory',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:19','2020-05-01 20:55:19',NULL,0,NULL,NULL,322,1,2,0,NULL),(323,1,1,'Cred Dump Tools Dropped Files',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:20','2020-05-01 20:55:20',NULL,0,NULL,NULL,323,1,2,0,NULL),(324,1,1,'Cred Dump-Tools Named Pipes',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:20','2020-05-01 20:55:20',NULL,0,NULL,NULL,324,1,2,0,NULL),(325,1,1,'DHCP Callout DLL Installation',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:21','2020-05-01 20:55:21',NULL,0,NULL,NULL,325,1,2,0,NULL),(326,1,1,'Disable Security Events Logging Adding Reg Key MiniNt',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:21','2020-05-01 20:55:21',NULL,0,NULL,NULL,326,1,2,0,NULL),(327,1,1,'Detection of SafetyKatz',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:22','2020-05-01 20:55:22',NULL,0,NULL,NULL,327,1,2,0,NULL),(328,1,1,'Suspicious In-Memory Module Execution',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:22','2020-05-01 20:55:22',NULL,0,NULL,NULL,328,1,2,0,NULL),(329,1,1,'In-memory PowerShell',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:23','2020-05-01 20:55:23',NULL,0,NULL,NULL,329,1,2,0,NULL),(330,1,1,'Suspect Svchost Memory Asccess',NULL,NULL,NULL,2,NULL,1,NULL,9,1,'2020-05-01 20:55:23','2020-05-01 20:55:24',NULL,0,NULL,NULL,330,1,2,0,NULL),(331,1,1,'LSASS Memory Dump',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:24','2020-05-01 20:55:24',NULL,0,NULL,NULL,331,1,2,0,NULL),(332,1,1,'LSASS Memory Dump File Creation',NULL,NULL,NULL,2,NULL,1,NULL,9,1,'2020-05-01 20:55:24','2020-05-01 20:55:25',NULL,0,NULL,NULL,332,1,2,0,NULL),(333,1,1,'Malicious Named Pipe',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:25','2020-05-01 20:55:25',NULL,0,NULL,NULL,333,1,2,0,NULL),(334,1,1,'Suspicious Typical Malware Back Connect Ports',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:26','2020-05-01 20:55:26',NULL,0,NULL,NULL,334,1,2,0,NULL),(335,1,1,'Malware Shellcode in Verclsid Target Process',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:27','2020-05-01 20:55:27',NULL,0,NULL,NULL,335,1,2,0,NULL),(336,1,1,'Mimikatz In-Memory',NULL,NULL,NULL,6,NULL,1,NULL,9,1,'2020-05-01 20:55:27','2020-05-01 20:55:28',NULL,0,NULL,NULL,336,1,2,0,NULL),(337,1,1,'Mimikatz through Windows Remote Management',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:28','2020-05-01 20:55:28',NULL,0,NULL,NULL,337,1,2,0,NULL),(338,1,1,'Dumping Lsass.exe Memory with MiniDumpWriteDump API',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:29','2020-05-01 20:55:29',NULL,0,NULL,NULL,338,1,2,0,NULL),(339,1,1,'Narrator\'s Feedback-Hub Persistence',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:29','2020-05-01 20:55:29',NULL,0,NULL,NULL,339,1,2,0,NULL),(340,1,1,'New DLL Added to AppCertDlls Registry Key',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:30','2020-05-01 20:55:30',NULL,0,NULL,NULL,340,1,2,0,NULL),(341,1,1,'New DLL Added to AppInit_DLLs Registry Key',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:30','2020-05-01 20:55:30',NULL,0,NULL,NULL,341,1,2,0,NULL),(342,1,1,'Password Dumper Remote Thread in LSASS',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:31','2020-05-01 20:55:31',NULL,0,NULL,NULL,342,1,2,0,NULL),(343,1,1,'Possible DNS Rebinding',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:31','2020-05-01 20:55:31',NULL,0,NULL,NULL,343,1,2,0,NULL),(344,1,1,'Possible Privilege Escalation via Service Permissions Weakness',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:32','2020-05-01 20:55:32',NULL,0,NULL,NULL,344,1,2,0,NULL),(345,1,1,'PowerShell Execution',NULL,NULL,NULL,2,NULL,1,NULL,9,1,'2020-05-01 20:55:32','2020-05-01 20:55:33',NULL,0,NULL,NULL,345,1,2,0,NULL),(346,1,1,'Malicious PowerShell Commandlet Names',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:33','2020-05-01 20:55:33',NULL,0,NULL,NULL,346,1,2,0,NULL),(347,1,1,'PowerShell Network Connections',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:34','2020-05-01 20:55:34',NULL,0,NULL,NULL,347,1,2,0,NULL),(348,1,1,'QuarksPwDump Dump File',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:34','2020-05-01 20:55:34',NULL,0,NULL,NULL,348,1,2,0,NULL),(349,1,1,'Raw Disk Access Using Illegitimate Tools',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:35','2020-05-01 20:55:35',NULL,0,NULL,NULL,349,1,2,0,NULL),(350,1,1,'RDP Registry Modification',NULL,NULL,NULL,2,NULL,1,NULL,9,1,'2020-05-01 20:55:35','2020-05-01 20:55:36',NULL,0,NULL,NULL,350,1,2,0,NULL),(351,1,1,'RDP Over Reverse SSH Tunnel',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:36','2020-05-01 20:55:36',NULL,0,NULL,NULL,351,1,2,0,NULL),(352,1,1,'RDP Sensitive Settings Changed',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:37','2020-05-01 20:55:37',NULL,0,NULL,NULL,352,1,2,0,NULL),(353,1,1,'Windows Registry Persistence COM Key Linking',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:37','2020-05-01 20:55:37',NULL,0,NULL,NULL,353,1,2,0,NULL),(354,1,1,'Windows Registry Persistence COM Search Order Hijacking',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:38','2020-05-01 20:55:38',NULL,0,NULL,NULL,354,1,2,0,NULL),(355,1,1,'Windows Registry Trust Record Modification',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:38','2020-05-01 20:55:38',NULL,0,NULL,NULL,355,1,2,0,NULL),(356,1,1,'Regsvr32 Network Activity',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:39','2020-05-01 20:55:39',NULL,0,NULL,NULL,356,1,2,0,NULL),(357,1,1,'Remote PowerShell Session',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:39','2020-05-01 20:55:39',NULL,0,NULL,NULL,357,1,2,0,NULL),(358,1,1,'Renamed jusched.exe',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:40','2020-05-01 20:55:40',NULL,0,NULL,NULL,358,1,2,0,NULL),(359,1,1,'Renamed PowerShell',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:40','2020-05-01 20:55:40',NULL,0,NULL,NULL,359,1,2,0,NULL),(360,1,1,'Renamed ProcDump',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:41','2020-05-01 20:55:41',NULL,0,NULL,NULL,360,1,2,0,NULL),(361,1,1,'Renamed PsExec',NULL,NULL,NULL,2,NULL,1,NULL,9,1,'2020-05-01 20:55:41','2020-05-01 20:55:42',NULL,0,NULL,NULL,361,1,2,0,NULL),(362,1,1,'Rundll32 Internet Connection',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:42','2020-05-01 20:55:42',NULL,0,NULL,NULL,362,1,2,0,NULL),(363,1,1,'Security Support Provider (SSP) Added to LSA Configuration',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:43','2020-05-01 20:55:43',NULL,0,NULL,NULL,363,1,2,0,NULL),(364,1,1,'Suspicious ADSI-Cache Usage By Unknown Tool',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:43','2020-05-01 20:55:43',NULL,0,NULL,NULL,364,1,2,0,NULL),(365,1,1,'Suspicious desktop.ini Action',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:44','2020-05-01 20:55:44',NULL,0,NULL,NULL,365,1,2,0,NULL),(366,1,1,'Suspicious RUN Key from Download',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:44','2020-05-01 20:55:44',NULL,0,NULL,NULL,366,1,2,0,NULL),(367,1,1,'Suspicious Driver Load from Temp',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:45','2020-05-01 20:55:45',NULL,0,NULL,NULL,367,1,2,0,NULL),(368,1,1,'Suspicious File Characteristics Due to Missing Fields',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:45','2020-05-01 20:55:45',NULL,0,NULL,NULL,368,1,2,0,NULL),(369,1,1,'Possible Process Hollowing Image Loading',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:46','2020-05-01 20:55:46',NULL,0,NULL,NULL,369,1,2,0,NULL),(370,1,1,'DLL Load via LSASS',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:46','2020-05-01 20:55:46',NULL,0,NULL,NULL,370,1,2,0,NULL),(371,1,1,'dotNET DLL Loaded Via Office Applications',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:47','2020-05-01 20:55:47',NULL,0,NULL,NULL,371,1,2,0,NULL),(372,1,1,'CLR DLL Loaded Via Office Applications',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:47','2020-05-01 20:55:47',NULL,0,NULL,NULL,372,1,2,0,NULL),(373,1,1,'GAC DLL Loaded Via Office Applications',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:48','2020-05-01 20:55:48',NULL,0,NULL,NULL,373,1,2,0,NULL),(374,1,1,'Active Directory Parsing DLL Loaded Via Office Applications',NULL,NULL,NULL,2,NULL,1,NULL,9,1,'2020-05-01 20:55:48','2020-05-01 20:55:49',NULL,0,NULL,NULL,374,1,2,0,NULL),(375,1,1,'Active Directory Kerberos DLL Loaded Via Office Applications',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:49','2020-05-01 20:55:49',NULL,0,NULL,NULL,375,1,2,0,NULL),(376,1,1,'PowerShell Rundll32 Remote Thread Creation',NULL,NULL,NULL,2,NULL,1,NULL,9,1,'2020-05-01 20:55:49','2020-05-01 20:55:50',NULL,0,NULL,NULL,376,1,2,0,NULL),(377,1,1,'Suspicious PROCEXP152.sys File Created In TMP',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:50','2020-05-01 20:55:50',NULL,0,NULL,NULL,377,1,2,0,NULL),(378,1,1,'Suspicious Program Location with Network Connections',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:51','2020-05-01 20:55:51',NULL,0,NULL,NULL,378,1,2,0,NULL),(379,1,1,'Suspicious Outbound RDP Connections',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:51','2020-05-01 20:55:51',NULL,0,NULL,NULL,379,1,2,0,NULL),(380,1,1,'Registry Persistence via Explorer Run Key',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:52','2020-05-01 20:55:52',NULL,0,NULL,NULL,380,1,2,0,NULL),(381,1,1,'New RUN Key Pointing to Suspicious Folder',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:52','2020-05-01 20:55:52',NULL,0,NULL,NULL,381,1,2,0,NULL),(382,1,1,'Suspicious Service Installed',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:53','2020-05-01 20:55:53',NULL,0,NULL,NULL,382,1,2,0,NULL),(383,1,1,'VBA DLL Loaded Via Microsoft Word',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:53','2020-05-01 20:55:53',NULL,0,NULL,NULL,383,1,2,0,NULL),(384,1,1,'Windows Mangement Instrumentation DLL Loaded Via Microsoft Word',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:54','2020-05-01 20:55:54',NULL,0,NULL,NULL,384,1,2,0,NULL),(385,1,1,'Suspicious Keyboard Layout Load',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:54','2020-05-01 20:55:54',NULL,0,NULL,NULL,385,1,2,0,NULL),(386,1,1,'Suspicious Outbound Kerberos Connection',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:55','2020-05-01 20:55:55',NULL,0,NULL,NULL,386,1,2,0,NULL),(387,1,1,'Suspicious Remote Thread Created',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:55','2020-05-01 20:55:55',NULL,0,NULL,NULL,387,1,2,0,NULL),(388,1,1,'Svchost DLL Search Order Hijack',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:56','2020-05-01 20:55:56',NULL,0,NULL,NULL,388,1,2,0,NULL),(389,1,1,'Hijack Legit RDP Session to Move Laterally',NULL,NULL,NULL,2,NULL,1,NULL,9,1,'2020-05-01 20:55:56','2020-05-01 20:55:57',NULL,0,NULL,NULL,389,1,2,0,NULL),(390,1,1,'UAC Bypass via Event Viewer',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:57','2020-05-01 20:55:57',NULL,0,NULL,NULL,390,1,2,0,NULL),(391,1,1,'UAC Bypass via Sdclt',NULL,NULL,NULL,2,NULL,1,NULL,9,1,'2020-05-01 20:55:57','2020-05-01 20:55:58',NULL,0,NULL,NULL,391,1,2,0,NULL),(392,1,1,'Unsigned Image Loaded Into LSASS Process',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:58','2020-05-01 20:55:58',NULL,0,NULL,NULL,392,1,2,0,NULL),(393,1,1,'Windows Webshell Creation',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:59','2020-05-01 20:55:59',NULL,0,NULL,NULL,393,1,2,0,NULL),(394,1,1,'Microsoft Binary Github Communication',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:55:59','2020-05-01 20:55:59',NULL,0,NULL,NULL,394,1,2,0,NULL),(395,1,1,'Microsoft Binary Suspicious Communication Endpoint',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:00','2020-05-01 20:56:00',NULL,0,NULL,NULL,395,1,2,0,NULL),(396,1,1,'Registry Persistence Mechanisms',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:00','2020-05-01 20:56:00',NULL,0,NULL,NULL,396,1,2,0,NULL),(397,1,1,'WMI Event Subscription',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:01','2020-05-01 20:56:01',NULL,0,NULL,NULL,397,1,2,0,NULL),(398,1,1,'WMI Modules Loaded',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:01','2020-05-01 20:56:01',NULL,0,NULL,NULL,398,1,2,0,NULL),(399,1,1,'WMI Persistence - Command Line Event Consumer',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:02','2020-05-01 20:56:02',NULL,0,NULL,NULL,399,1,2,0,NULL),(400,1,1,'WMI Persistence - Script Event Consumer File Write',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:02','2020-05-01 20:56:02',NULL,0,NULL,NULL,400,1,2,0,NULL),(401,1,1,'Suspicious Scripting in a WMI Consumer',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:03','2020-05-01 20:56:03',NULL,0,NULL,NULL,401,1,2,0,NULL),(402,1,1,'APT29',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:03','2020-05-01 20:56:03',NULL,0,NULL,NULL,402,1,2,0,NULL),(403,1,1,'Baby Shark Activity',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:04','2020-05-01 20:56:04',NULL,0,NULL,NULL,403,1,2,0,NULL),(404,1,1,'Judgement Panda Credential Access Activity',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:04','2020-05-01 20:56:04',NULL,0,NULL,NULL,404,1,2,0,NULL),(405,1,1,'BlueMashroom DLL Load',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:05','2020-05-01 20:56:05',NULL,0,NULL,NULL,405,1,2,0,NULL),(406,1,1,'WMIExec VBS Script',NULL,NULL,NULL,2,NULL,1,NULL,9,1,'2020-05-01 20:56:05','2020-05-01 20:56:06',NULL,0,NULL,NULL,406,1,2,0,NULL),(407,1,1,'CrackMapExecWin',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:06','2020-05-01 20:56:06',NULL,0,NULL,NULL,407,1,2,0,NULL),(408,1,1,'Elise Backdoor',NULL,NULL,NULL,2,NULL,1,NULL,9,1,'2020-05-01 20:56:06','2020-05-01 20:56:07',NULL,0,NULL,NULL,408,1,2,0,NULL),(409,1,1,'Emissary Panda Malware SLLauncher',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:07','2020-05-01 20:56:07',NULL,0,NULL,NULL,409,1,2,0,NULL),(410,1,1,'Equation Group DLL_U Load',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:08','2020-05-01 20:56:08',NULL,0,NULL,NULL,410,1,2,0,NULL),(411,1,1,'Hurricane Panda Activity',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:08','2020-05-01 20:56:08',NULL,0,NULL,NULL,411,1,2,0,NULL),(412,1,1,'Judgement Panda Exfil Activity',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:09','2020-05-01 20:56:09',NULL,0,NULL,NULL,412,1,2,0,NULL),(413,1,1,'Mustang Panda Dropper',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:09','2020-05-01 20:56:09',NULL,0,NULL,NULL,413,1,2,0,NULL),(414,1,1,'Sofacy Trojan Loader Activity',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:10','2020-05-01 20:56:10',NULL,0,NULL,NULL,414,1,2,0,NULL),(415,1,1,'Ps.exe Renamed SysInternals Tool',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:11','2020-05-01 20:56:11',NULL,0,NULL,NULL,415,1,2,0,NULL),(416,1,1,'TropicTrooper Campaign November 2018',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:11','2020-05-01 20:56:11',NULL,0,NULL,NULL,416,1,2,0,NULL),(417,1,1,'Winnti Malware HK University Campaign',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:12','2020-05-01 20:56:12',NULL,0,NULL,NULL,417,1,2,0,NULL),(418,1,1,'ZxShell Malware',NULL,NULL,NULL,2,NULL,1,NULL,9,1,'2020-05-01 20:56:12','2020-05-01 20:56:13',NULL,0,NULL,NULL,418,1,2,0,NULL),(419,1,1,'Hiding Files with Attrib.exe',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:13','2020-05-01 20:56:13',NULL,0,NULL,NULL,419,1,2,0,NULL),(420,1,1,'Modification of Boot Configuration',NULL,NULL,NULL,2,NULL,1,NULL,9,1,'2020-05-01 20:56:14','2020-05-13 14:07:10',NULL,0,NULL,NULL,420,1,2,0,NULL),(421,1,1,'SquiblyTwo',NULL,NULL,NULL,2,NULL,1,NULL,9,1,'2020-05-01 20:56:14','2020-05-01 20:56:15',NULL,0,NULL,NULL,421,1,2,0,NULL),(422,1,1,'Change Default File Association',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:15','2020-05-01 20:56:15',NULL,0,NULL,NULL,422,1,2,0,NULL),(423,1,1,'Cmdkey Cached Credentials Recon',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:16','2020-05-01 20:56:16',NULL,0,NULL,NULL,423,1,2,0,NULL),(424,1,1,'CMSTP UAC Bypass via COM Object Access',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:16','2020-05-01 20:56:16',NULL,0,NULL,NULL,424,1,2,0,NULL),(425,1,1,'Control Panel Items',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:17','2020-05-01 20:56:17',NULL,0,NULL,NULL,425,1,2,0,NULL),(426,1,1,'Copying Sensitive Files with Credential Data',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:17','2020-05-01 20:56:17',NULL,0,NULL,NULL,426,1,2,0,NULL),(427,1,1,'Fireball Archer Install',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:18','2020-05-01 20:56:18',NULL,0,NULL,NULL,427,1,2,0,NULL),(428,1,1,'Data Compressed - rar.exe',NULL,NULL,NULL,2,NULL,1,NULL,9,1,'2020-05-01 20:56:18','2020-05-01 20:56:19',NULL,0,NULL,NULL,428,1,2,0,NULL),(429,1,1,'Domain Trust Discovery',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:19','2020-05-01 20:56:19',NULL,0,NULL,NULL,429,1,2,0,NULL),(430,1,1,'Encoded FromBase64String',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:20','2020-05-01 20:56:20',NULL,0,NULL,NULL,430,1,2,0,NULL),(431,1,1,'Encoded IEX',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:20','2020-05-01 20:56:20',NULL,0,NULL,NULL,431,1,2,0,NULL),(432,1,1,'Disable of ETW Trace',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:21','2020-05-01 20:56:21',NULL,0,NULL,NULL,432,1,2,0,NULL),(433,1,1,'Exfiltration and Tunneling Tools Execution',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:21','2020-05-01 20:56:21',NULL,0,NULL,NULL,433,1,2,0,NULL),(434,1,1,'Exploit for CVE-2015-1641',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:22','2020-05-01 20:56:22',NULL,0,NULL,NULL,434,1,2,0,NULL),(435,1,1,'Exploit for CVE-2017-0261',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:22','2020-05-01 20:56:22',NULL,0,NULL,NULL,435,1,2,0,NULL),(436,1,1,'Droppers Exploiting CVE-2017-11882',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:23','2020-05-01 20:56:23',NULL,0,NULL,NULL,436,1,2,0,NULL),(437,1,1,'Exploit for CVE-2017-8759',NULL,NULL,NULL,2,NULL,1,NULL,9,1,'2020-05-01 20:56:23','2020-05-01 20:56:24',NULL,0,NULL,NULL,437,1,2,0,NULL),(438,1,1,'Exploiting SetupComplete.cmd CVE-2019-1378',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:24','2020-05-01 20:56:24',NULL,0,NULL,NULL,438,1,2,0,NULL),(439,1,1,'Exploiting CVE-2019-1388',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:25','2020-05-01 20:56:25',NULL,0,NULL,NULL,439,1,2,0,NULL),(440,1,1,'Exploited CVE-2020-10189 Zoho ManageEngine',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:25','2020-05-01 20:56:25',NULL,0,NULL,NULL,440,1,2,0,NULL),(441,1,1,'File or Folder Permissions Modifications',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:26','2020-05-01 20:56:26',NULL,0,NULL,NULL,441,1,2,0,NULL),(442,1,1,'Grabbing Sensitive Hives via Reg Utility',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:26','2020-05-01 20:56:26',NULL,0,NULL,NULL,442,1,2,0,NULL),(443,1,1,'Bloodhound and Sharphound Hack Tool',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:27','2020-05-01 20:56:27',NULL,0,NULL,NULL,443,1,2,0,NULL),(444,1,1,'Koadic Execution',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:27','2020-05-01 20:56:27',NULL,0,NULL,NULL,444,1,2,0,NULL),(445,1,1,'Rubeus Hack Tool',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:28','2020-05-01 20:56:28',NULL,0,NULL,NULL,445,1,2,0,NULL),(446,1,1,'SecurityXploded Tool',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:28','2020-05-01 20:56:28',NULL,0,NULL,NULL,446,1,2,0,NULL),(447,1,1,'HH.exe Execution',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:29','2020-05-01 20:56:29',NULL,0,NULL,NULL,447,1,2,0,NULL),(448,1,1,'HTML Help Shell Spawn',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:29','2020-05-01 20:56:29',NULL,0,NULL,NULL,448,1,2,0,NULL),(449,1,1,'Suspicious HWP Sub Processes',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:30','2020-05-01 20:56:30',NULL,0,NULL,NULL,449,1,2,0,NULL),(450,1,1,'Impacket Lateralization Detection',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:30','2020-05-01 20:56:30',NULL,0,NULL,NULL,450,1,2,0,NULL),(451,1,1,'Indirect Command Execution',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:31','2020-05-01 20:56:31',NULL,0,NULL,NULL,451,1,2,0,NULL),(452,1,1,'Suspicious Debugger Registration Cmdline',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:31','2020-05-01 20:56:31',NULL,0,NULL,NULL,452,1,2,0,NULL),(453,1,1,'Interactive AT Job',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:32','2020-05-01 20:56:32',NULL,0,NULL,NULL,453,1,2,0,NULL),(454,1,1,'Invoke-Obfuscation Obfuscated IEX Invocation',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:32','2020-05-01 20:56:32',NULL,0,NULL,NULL,454,1,2,0,NULL),(455,1,1,'Windows Kernel and 3rd-Party Drivers Exploits Token Stealing',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:33','2020-05-01 20:56:33',NULL,0,NULL,NULL,455,1,2,0,NULL),(456,1,1,'MSHTA Spwaned by SVCHOST',NULL,NULL,NULL,2,NULL,1,NULL,9,1,'2020-05-01 20:56:33','2020-05-01 20:56:34',NULL,0,NULL,NULL,456,1,2,0,NULL),(457,1,1,'Local Accounts Discovery',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:34','2020-05-01 20:56:34',NULL,0,NULL,NULL,457,1,2,0,NULL),(458,1,1,'LSASS Memory Dumping',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:35','2020-05-01 20:56:35',NULL,0,NULL,NULL,458,1,2,0,NULL),(459,1,1,'Dridex Process Pattern',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:35','2020-05-01 20:56:35',NULL,0,NULL,NULL,459,1,2,0,NULL),(460,1,1,'DTRACK Process Creation',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:36','2020-05-01 20:56:36',NULL,0,NULL,NULL,460,1,2,0,NULL),(461,1,1,'Emotet Process Creation',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:36','2020-05-01 20:56:36',NULL,0,NULL,NULL,461,1,2,0,NULL),(462,1,1,'Formbook Process Creation',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:37','2020-05-01 20:56:37',NULL,0,NULL,NULL,462,1,2,0,NULL),(463,1,1,'NotPetya Ransomware Activity',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:37','2020-05-01 20:56:37',NULL,0,NULL,NULL,463,1,2,0,NULL),(464,1,1,'QBot Process Creation',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:38','2020-05-01 20:56:38',NULL,0,NULL,NULL,464,1,2,0,NULL),(465,1,1,'Ryuk Ransomware',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:38','2020-05-01 20:56:38',NULL,0,NULL,NULL,465,1,2,0,NULL),(466,1,1,'WScript or CScript Dropper',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:39','2020-05-01 20:56:39',NULL,0,NULL,NULL,466,1,2,0,NULL),(467,1,1,'Trickbot Malware Recon Activity',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:39','2020-05-01 20:56:39',NULL,0,NULL,NULL,467,1,2,0,NULL),(468,1,1,'WannaCry Ransomware',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:40','2020-05-01 20:56:40',NULL,0,NULL,NULL,468,1,2,0,NULL),(469,1,1,'MavInject Process Injection',NULL,NULL,NULL,2,NULL,1,NULL,9,1,'2020-05-01 20:56:40','2020-05-01 20:56:41',NULL,0,NULL,NULL,469,1,2,0,NULL),(470,1,1,'Meterpreter or Cobalt Strike Getsystem Service Start',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:41','2020-05-01 20:56:41',NULL,0,NULL,NULL,470,1,2,0,NULL),(471,1,1,'Mimikatz Command Line',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:42','2020-05-01 20:56:42',NULL,0,NULL,NULL,471,1,2,0,NULL),(472,1,1,'MMC Spawning Windows Shell',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:42','2020-05-01 20:56:42',NULL,0,NULL,NULL,472,1,2,0,NULL),(473,1,1,'MSHTA Spawning Windows Shell',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:43','2020-05-01 20:56:43',NULL,0,NULL,NULL,473,1,2,0,NULL),(474,1,1,'Quick Execution of a Series of Suspicious Commands',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:43','2020-05-01 20:56:43',NULL,0,NULL,NULL,474,1,2,0,NULL),(475,1,1,'Windows Network Enumeration',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:44','2020-05-01 20:56:44',NULL,0,NULL,NULL,475,1,2,0,NULL),(476,1,1,'Net.exe User Account Creation',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:44','2020-05-01 20:56:44',NULL,0,NULL,NULL,476,1,2,0,NULL),(477,1,1,'Netsh',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:45','2020-05-01 20:56:45',NULL,0,NULL,NULL,477,1,2,0,NULL),(478,1,1,'Capture a Network Trace with netsh.exe',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:45','2020-05-01 20:56:45',NULL,0,NULL,NULL,478,1,2,0,NULL),(479,1,1,'Netsh Port Forwarding',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:46','2020-05-01 20:56:46',NULL,0,NULL,NULL,479,1,2,0,NULL),(480,1,1,'Netsh RDP Port Forwarding',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:46','2020-05-01 20:56:46',NULL,0,NULL,NULL,480,1,2,0,NULL),(481,1,1,'Network Sniffing',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:47','2020-05-01 20:56:47',NULL,0,NULL,NULL,481,1,2,0,NULL),(482,1,1,'New Service Creation',NULL,NULL,NULL,2,NULL,1,NULL,9,1,'2020-05-01 20:56:47','2020-05-01 20:56:48',NULL,0,NULL,NULL,482,1,2,0,NULL),(483,1,1,'Non Interactive PowerShell',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:48','2020-05-01 20:56:48',NULL,0,NULL,NULL,483,1,2,0,NULL),(484,1,1,'Microsoft Office Product Spawning Windows Shell',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:49','2020-05-01 20:56:49',NULL,0,NULL,NULL,484,1,2,0,NULL),(485,1,1,'MS Office Product Spawning Exe in User Dir',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:49','2020-05-01 20:56:49',NULL,0,NULL,NULL,485,1,2,0,NULL),(486,1,1,'Executable Used by PlugX in Uncommon Location',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:50','2020-05-01 20:56:50',NULL,0,NULL,NULL,486,1,2,0,NULL),(487,1,1,'Possible Applocker Bypass',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:50','2020-05-01 20:56:50',NULL,0,NULL,NULL,487,1,2,0,NULL),(488,1,1,'Detection of Possible Rotten Potato',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:51','2020-05-01 20:56:51',NULL,0,NULL,NULL,488,1,2,0,NULL),(489,1,1,'Powershell AMSI Bypass via .NET Reflection',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:51','2020-05-01 20:56:51',NULL,0,NULL,NULL,489,1,2,0,NULL),(490,1,1,'Audio Capture via PowerShell',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:52','2020-05-01 20:56:52',NULL,0,NULL,NULL,490,1,2,0,NULL),(491,1,1,'PowerShell Base64 Encoded Shellcode',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:52','2020-05-01 20:56:52',NULL,0,NULL,NULL,491,1,2,0,NULL),(492,1,1,'Suspicious Bitsadmin Job via PowerShell',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:53','2020-05-01 20:56:53',NULL,0,NULL,NULL,492,1,2,0,NULL),(493,1,1,'Detection of PowerShell Execution via DLL',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:53','2020-05-01 20:56:53',NULL,0,NULL,NULL,493,1,2,0,NULL),(494,1,1,'PowerShell Downgrade Attack',NULL,NULL,NULL,6,NULL,1,NULL,9,1,'2020-05-01 20:56:54','2020-05-13 14:07:11',NULL,0,NULL,NULL,494,1,2,0,NULL),(495,1,1,'PowerShell Download from URL',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:54','2020-05-01 20:56:54',NULL,0,NULL,NULL,495,1,2,0,NULL),(496,1,1,'FromBase64String Command Line',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:55','2020-05-01 20:56:55',NULL,0,NULL,NULL,496,1,2,0,NULL),(497,1,1,'Suspicious PowerShell Parameter Substring',NULL,NULL,NULL,2,NULL,1,NULL,9,1,'2020-05-01 20:56:55','2020-05-01 20:56:56',NULL,0,NULL,NULL,497,1,2,0,NULL),(498,1,1,'Suspicious XOR Encoded PowerShell Command Line',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:56','2020-05-01 20:56:56',NULL,0,NULL,NULL,498,1,2,0,NULL),(499,1,1,'Default PowerSploit and Empire Schtasks Persistence',NULL,NULL,NULL,2,NULL,1,NULL,9,1,'2020-05-01 20:56:56','2020-05-01 20:56:57',NULL,0,NULL,NULL,499,1,2,0,NULL),(500,1,1,'Windows Processes Suspicious Parent Directory',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:57','2020-05-01 20:56:57',NULL,0,NULL,NULL,500,1,2,0,NULL),(501,1,1,'Bitsadmin Download',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:58','2020-05-01 20:56:58',NULL,0,NULL,NULL,501,1,2,0,NULL),(502,1,1,'Process Dump via Rundll32 and Comsvcs.dll',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:58','2020-05-01 20:56:58',NULL,0,NULL,NULL,502,1,2,0,NULL),(503,1,1,'PsExec Service Start',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:59','2020-05-01 20:56:59',NULL,0,NULL,NULL,503,1,2,0,NULL),(504,1,1,'Query Registry',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:56:59','2020-05-01 20:56:59',NULL,0,NULL,NULL,504,1,2,0,NULL),(505,1,1,'MSTSC Shadowing',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:00','2020-05-01 20:57:00',NULL,0,NULL,NULL,505,1,2,0,NULL),(506,1,1,'Remote PowerShell Session',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:00','2020-05-01 20:57:00',NULL,0,NULL,NULL,506,1,2,0,NULL),(507,1,1,'Discovery of a System Time',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:01','2020-05-01 20:57:01',NULL,0,NULL,NULL,507,1,2,0,NULL),(508,1,1,'Renamed Binary',NULL,NULL,NULL,2,NULL,1,NULL,9,2,'2020-05-01 20:57:01','2020-05-13 14:07:11',NULL,0,NULL,NULL,508,1,2,0,NULL),(509,1,1,'Highly Relevant Renamed Binary',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:02','2020-05-01 20:57:02',NULL,0,NULL,NULL,509,1,2,0,NULL),(510,1,1,'Execution of Renamed PaExec',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:03','2020-05-01 20:57:03',NULL,0,NULL,NULL,510,1,2,0,NULL),(511,1,1,'Run PowerShell Script from ADS',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:03','2020-05-01 20:57:03',NULL,0,NULL,NULL,511,1,2,0,NULL),(512,1,1,'Possible Shim Database Persistence via sdbinst.exe',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:04','2020-05-01 20:57:04',NULL,0,NULL,NULL,512,1,2,0,NULL),(513,1,1,'Service Execution',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:04','2020-05-01 20:57:04',NULL,0,NULL,NULL,513,1,2,0,NULL),(514,1,1,'Stop Windows Service',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:05','2020-05-01 20:57:05',NULL,0,NULL,NULL,514,1,2,0,NULL),(515,1,1,'Shadow Copies Access via Symlink',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:05','2020-05-01 20:57:05',NULL,0,NULL,NULL,515,1,2,0,NULL),(516,1,1,'Shadow Copies Creation Using Operating Systems Utilities',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:06','2020-05-01 20:57:06',NULL,0,NULL,NULL,516,1,2,0,NULL),(517,1,1,'Shadow Copies Deletion Using Operating Systems Utilities',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:06','2020-05-01 20:57:06',NULL,0,NULL,NULL,517,1,2,0,NULL),(518,1,1,'Windows Shell Spawning Suspicious Program',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:07','2020-05-01 20:57:07',NULL,0,NULL,NULL,518,1,2,0,NULL),(519,1,1,'Audio Capture via SoundRecorder',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:07','2020-05-01 20:57:07',NULL,0,NULL,NULL,519,1,2,0,NULL),(520,1,1,'Possible SPN Enumeration',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:08','2020-05-01 20:57:08',NULL,0,NULL,NULL,520,1,2,0,NULL),(521,1,1,'Possible Ransomware or Unauthorized MBR Modifications',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:08','2020-05-01 20:57:08',NULL,0,NULL,NULL,521,1,2,0,NULL),(522,1,1,'Application Whitelisting Bypass via Bginfo',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:09','2020-05-01 20:57:09',NULL,0,NULL,NULL,522,1,2,0,NULL),(523,1,1,'Suspicious Calculator Usage',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:09','2020-05-01 20:57:09',NULL,0,NULL,NULL,523,1,2,0,NULL),(524,1,1,'Possible App Whitelisting Bypass via WinDbg/CDB as a Shellcode Runner',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:10','2020-05-01 20:57:10',NULL,0,NULL,NULL,524,1,2,0,NULL),(525,1,1,'Suspicious Certutil Command',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:10','2020-05-01 20:57:10',NULL,0,NULL,NULL,525,1,2,0,NULL),(526,1,1,'Certutil Encode',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:11','2020-05-01 20:57:11',NULL,0,NULL,NULL,526,1,2,0,NULL),(527,1,1,'Suspicious Commandline Escape',NULL,NULL,NULL,2,NULL,1,NULL,9,1,'2020-05-01 20:57:11','2020-05-01 20:57:12',NULL,0,NULL,NULL,527,1,2,0,NULL),(528,1,1,'Command Line Execution with Suspicious URL and AppData Strings',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:12','2020-05-01 20:57:12',NULL,0,NULL,NULL,528,1,2,0,NULL),(529,1,1,'Suspicious Code Page Switch',NULL,NULL,NULL,2,NULL,1,NULL,9,1,'2020-05-01 20:57:12','2020-05-01 20:57:13',NULL,0,NULL,NULL,529,1,2,0,NULL),(530,1,1,'Reconnaissance Activity with Net Command',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:13','2020-05-01 20:57:13',NULL,0,NULL,NULL,530,1,2,0,NULL),(531,1,1,'Suspicious Compression Tool Parameters',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:14','2020-05-01 20:57:14',NULL,0,NULL,NULL,531,1,2,0,NULL),(532,1,1,'Process Dump via Comsvcs DLL',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:14','2020-05-01 20:57:14',NULL,0,NULL,NULL,532,1,2,0,NULL),(533,1,1,'Suspicious Control Panel DLL Load',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:15','2020-05-01 20:57:15',NULL,0,NULL,NULL,533,1,2,0,NULL),(534,1,1,'Copy from Admin Share',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:15','2020-05-01 20:57:15',NULL,0,NULL,NULL,534,1,2,0,NULL),(535,1,1,'Suspicious Parent of Csc.exe',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:16','2020-05-01 20:57:16',NULL,0,NULL,NULL,535,1,2,0,NULL),(536,1,1,'Suspicious Csc.exe Source File Folder',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:16','2020-05-01 20:57:16',NULL,0,NULL,NULL,536,1,2,0,NULL),(537,1,1,'Curl Start Combination',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:17','2020-05-01 20:57:17',NULL,0,NULL,NULL,537,1,2,0,NULL),(538,1,1,'ZOHO Dctask64 Process Injection',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:17','2020-05-01 20:57:17',NULL,0,NULL,NULL,538,1,2,0,NULL),(539,1,1,'Devtoolslauncher.exe Executes Specified Binary',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:18','2020-05-01 20:57:18',NULL,0,NULL,NULL,539,1,2,0,NULL),(540,1,1,'Direct Autorun Keys Modification',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:18','2020-05-01 20:57:18',NULL,0,NULL,NULL,540,1,2,0,NULL),(541,1,1,'Application Whitelisting Bypass via Dnx.exe',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:19','2020-05-01 20:57:19',NULL,0,NULL,NULL,541,1,2,0,NULL),(542,1,1,'Suspicious Double Extension',NULL,NULL,NULL,2,NULL,1,NULL,9,1,'2020-05-01 20:57:19','2020-05-01 20:57:20',NULL,0,NULL,NULL,542,1,2,0,NULL),(543,1,1,'Application Whitelisting Bypass via Dxcap.exe',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:20','2020-05-01 20:57:20',NULL,0,NULL,NULL,543,1,2,0,NULL),(544,1,1,'Suspicious Eventlog Clear or Configuration Using Wevtutil',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:21','2020-05-01 20:57:21',NULL,0,NULL,NULL,544,1,2,0,NULL),(545,1,1,'Executables Started in Suspicious Folder',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:21','2020-05-01 20:57:21',NULL,0,NULL,NULL,545,1,2,0,NULL),(546,1,1,'Execution in Non-Executable Folder',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:22','2020-05-01 20:57:22',NULL,0,NULL,NULL,546,1,2,0,NULL),(547,1,1,'Execution in Webserver Root Folder',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:22','2020-05-01 20:57:22',NULL,0,NULL,NULL,547,1,2,0,NULL),(548,1,1,'Firewall Disabled via Netsh',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:23','2020-05-01 20:57:23',NULL,0,NULL,NULL,548,1,2,0,NULL),(549,1,1,'Fsutil Suspicious Invocation',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:23','2020-05-01 20:57:23',NULL,0,NULL,NULL,549,1,2,0,NULL),(550,1,1,'Suspicious GUP Usage',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:24','2020-05-01 20:57:24',NULL,0,NULL,NULL,550,1,2,0,NULL),(551,1,1,'IIS Native-Code Module Command Line Installation',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:24','2020-05-01 20:57:24',NULL,0,NULL,NULL,551,1,2,0,NULL),(552,1,1,'Suspicious MsiExec Directory',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:25','2020-05-01 20:57:25',NULL,0,NULL,NULL,552,1,2,0,NULL),(553,1,1,'MsiExec Web Install',NULL,NULL,NULL,2,NULL,1,NULL,9,1,'2020-05-01 20:57:25','2020-05-01 20:57:26',NULL,0,NULL,NULL,553,1,2,0,NULL),(554,1,1,'Malicious Payload Download via Office Binaries',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:26','2020-05-01 20:57:26',NULL,0,NULL,NULL,554,1,2,0,NULL),(555,1,1,'Net.exe Execution',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:27','2020-05-01 20:57:27',NULL,0,NULL,NULL,555,1,2,0,NULL),(556,1,1,'Suspicious Netsh DLL Persistence',NULL,NULL,NULL,2,NULL,1,NULL,9,1,'2020-05-01 20:57:27','2020-05-13 14:07:11',NULL,0,NULL,NULL,556,1,2,0,NULL),(557,1,1,'Invocation of Active Directory Diagnostic Tool (ntdsutil.exe)',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:28','2020-05-01 20:57:28',NULL,0,NULL,NULL,557,1,2,0,NULL),(558,1,1,'Application Whitelisting Bypass via DLL Loaded by odbcconf.exe',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:28','2020-05-01 20:57:28',NULL,0,NULL,NULL,558,1,2,0,NULL),(559,1,1,'OpenWith.exe Executes Specified Binary',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:29','2020-05-01 20:57:29',NULL,0,NULL,NULL,559,1,2,0,NULL),(560,1,1,'Suspicious Execution from Outlook',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:29','2020-05-01 20:57:29',NULL,0,NULL,NULL,560,1,2,0,NULL),(561,1,1,'Execution in Outlook Temp Folder',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:30','2020-05-01 20:57:30',NULL,0,NULL,NULL,561,1,2,0,NULL),(562,1,1,'Ping Hex IP',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:30','2020-05-01 20:57:30',NULL,0,NULL,NULL,562,1,2,0,NULL),(563,1,1,'Empire PowerShell Launch Parameters',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:31','2020-05-01 20:57:31',NULL,0,NULL,NULL,563,1,2,0,NULL),(564,1,1,'Empire PowerShell UAC Bypass',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:31','2020-05-01 20:57:31',NULL,0,NULL,NULL,564,1,2,0,NULL),(565,1,1,'Suspicious Encoded PowerShell Command Line',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:32','2020-05-01 20:57:32',NULL,0,NULL,NULL,565,1,2,0,NULL),(566,1,1,'Malicious Base64 Encoded PowerShell Keywords in Command Lines',NULL,NULL,NULL,2,NULL,1,NULL,9,1,'2020-05-01 20:57:32','2020-05-01 20:57:33',NULL,0,NULL,NULL,566,1,2,0,NULL),(567,1,1,'Suspicious PowerShell Invocation Based on Parent Process',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:33','2020-05-01 20:57:33',NULL,0,NULL,NULL,567,1,2,0,NULL),(568,1,1,'Suspicious Use of Procdump',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:34','2020-05-01 20:57:34',NULL,0,NULL,NULL,568,1,2,0,NULL),(569,1,1,'Suspicious Process Creation',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:34','2020-05-01 20:57:34',NULL,0,NULL,NULL,569,1,2,0,NULL),(570,1,1,'Suspicious Program Location Process Starts',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:35','2020-05-01 20:57:35',NULL,0,NULL,NULL,570,1,2,0,NULL),(571,1,1,'PowerShell Script Run in AppData',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:35','2020-05-01 20:57:35',NULL,0,NULL,NULL,571,1,2,0,NULL),(572,1,1,'PowerShell DownloadFile',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:36','2020-05-01 20:57:36',NULL,0,NULL,NULL,572,1,2,0,NULL),(573,1,1,'Psr.exe Capture Screenshots',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:36','2020-05-01 20:57:36',NULL,0,NULL,NULL,573,1,2,0,NULL),(574,1,1,'Suspicious RASdial Activity',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:37','2020-05-01 20:57:37',NULL,0,NULL,NULL,574,1,2,0,NULL),(575,1,1,'Suspicious Reconnaissance Activity',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:37','2020-05-01 20:57:37',NULL,0,NULL,NULL,575,1,2,0,NULL),(576,1,1,'Regsvr32 Anomaly',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:38','2020-05-01 20:57:38',NULL,0,NULL,NULL,576,1,2,0,NULL),(577,1,1,'Renamed ZOHO Dctask64',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:38','2020-05-01 20:57:38',NULL,0,NULL,NULL,577,1,2,0,NULL),(578,1,1,'Suspicious Process Start Locations',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:39','2020-05-01 20:57:39',NULL,0,NULL,NULL,578,1,2,0,NULL),(579,1,1,'Suspicious Rundll32 Activity',NULL,NULL,NULL,2,NULL,1,NULL,9,1,'2020-05-01 20:57:39','2020-05-01 20:57:40',NULL,0,NULL,NULL,579,1,2,0,NULL),(580,1,1,'Suspicious Call by Ordinal',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:40','2020-05-01 20:57:40',NULL,0,NULL,NULL,580,1,2,0,NULL),(581,1,1,'Scheduled Task Creation',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:41','2020-05-01 20:57:41',NULL,0,NULL,NULL,581,1,2,0,NULL),(582,1,1,'WSF/JSE/JS/VBA/VBE File Execution',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:41','2020-05-01 20:57:41',NULL,0,NULL,NULL,582,1,2,0,NULL),(583,1,1,'Suspicious Service Path Modification',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:42','2020-05-01 20:57:42',NULL,0,NULL,NULL,583,1,2,0,NULL),(584,1,1,'Squirrel Lolbin',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:42','2020-05-01 20:57:42',NULL,0,NULL,NULL,584,1,2,0,NULL),(585,1,1,'Suspicious Svchost Process',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:43','2020-05-01 20:57:43',NULL,0,NULL,NULL,585,1,2,0,NULL),(586,1,1,'Suspect Svchost Activity',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:43','2020-05-01 20:57:43',NULL,0,NULL,NULL,586,1,2,0,NULL),(587,1,1,'Sysprep on AppData Folder',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:44','2020-05-01 20:57:44',NULL,0,NULL,NULL,587,1,2,0,NULL),(588,1,1,'Suspicious SYSVOL Domain Group Policy Access',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:44','2020-05-01 20:57:44',NULL,0,NULL,NULL,588,1,2,0,NULL),(589,1,1,'Taskmgr as LOCAL_SYSTEM',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:45','2020-05-01 20:57:45',NULL,0,NULL,NULL,589,1,2,0,NULL),(590,1,1,'Taskmgr as Parent',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:45','2020-05-01 20:57:45',NULL,0,NULL,NULL,590,1,2,0,NULL),(591,1,1,'Suspicious TSCON Start',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:46','2020-05-01 20:57:46',NULL,0,NULL,NULL,591,1,2,0,NULL),(592,1,1,'Suspicious RDP Redirect Using TSCON',NULL,NULL,NULL,2,NULL,1,NULL,9,1,'2020-05-01 20:57:46','2020-05-01 20:57:47',NULL,0,NULL,NULL,592,1,2,0,NULL),(593,1,1,'Suspicious Use of CSharp Interactive Console',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:47','2020-05-01 20:57:47',NULL,0,NULL,NULL,593,1,2,0,NULL),(594,1,1,'Suspicious Userinit Child Process',NULL,NULL,NULL,2,NULL,1,NULL,9,1,'2020-05-01 20:57:47','2020-05-01 20:57:48',NULL,0,NULL,NULL,594,1,2,0,NULL),(595,1,1,'Whoami Execution',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:48','2020-05-01 20:57:48',NULL,0,NULL,NULL,595,1,2,0,NULL),(596,1,1,'Suspicious WMI Execution',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:49','2020-05-01 20:57:49',NULL,0,NULL,NULL,596,1,2,0,NULL),(597,1,1,'Sysmon Driver Unload',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:49','2020-05-01 20:57:49',NULL,0,NULL,NULL,597,1,2,0,NULL),(598,1,1,'System File Execution Location Anomaly',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:50','2020-05-01 20:57:50',NULL,0,NULL,NULL,598,1,2,0,NULL),(599,1,1,'Tap Installer Execution',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:50','2020-05-01 20:57:50',NULL,0,NULL,NULL,599,1,2,0,NULL),(600,1,1,'Tasks Folder Evasion',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:51','2020-05-01 20:57:51',NULL,0,NULL,NULL,600,1,2,0,NULL),(601,1,1,'Terminal Service Process Spawn',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:51','2020-05-01 20:57:51',NULL,0,NULL,NULL,601,1,2,0,NULL),(602,1,1,'Domain Trust Discovery',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:52','2020-05-01 20:57:52',NULL,0,NULL,NULL,602,1,2,0,NULL),(603,1,1,'Bypass UAC via CMSTP',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:52','2020-05-01 20:57:52',NULL,0,NULL,NULL,603,1,2,0,NULL),(604,1,1,'Bypass UAC via Fodhelper.exe',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:53','2020-05-01 20:57:53',NULL,0,NULL,NULL,604,1,2,0,NULL),(605,1,1,'Bypass UAC via WSReset.exe',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:53','2020-05-01 20:57:53',NULL,0,NULL,NULL,605,1,2,0,NULL),(606,1,1,'Possible Privilege Escalation via Weak Service Permissions',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:54','2020-05-01 20:57:54',NULL,0,NULL,NULL,606,1,2,0,NULL),(607,1,1,'Java Running with Remote Debugging',NULL,NULL,NULL,2,NULL,1,NULL,9,1,'2020-05-01 20:57:54','2020-05-01 20:57:55',NULL,0,NULL,NULL,607,1,2,0,NULL),(608,1,1,'Webshell Detection With Command Line Keywords',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:55','2020-05-01 20:57:55',NULL,0,NULL,NULL,608,1,2,0,NULL),(609,1,1,'Shells Spawned by Web Servers',NULL,NULL,NULL,2,NULL,1,NULL,9,1,'2020-05-01 20:57:55','2020-05-01 20:57:56',NULL,0,NULL,NULL,609,1,2,0,NULL),(610,1,1,'Run Whoami as SYSTEM',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:56','2020-05-01 20:57:56',NULL,0,NULL,NULL,610,1,2,0,NULL),(611,1,1,'Windows 10 Scheduled Task SandboxEscaper 0-day',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:57','2020-05-01 20:57:57',NULL,0,NULL,NULL,611,1,2,0,NULL),(612,1,1,'WMI Backdoor Exchange Transport Agent',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:57','2020-05-01 20:57:57',NULL,0,NULL,NULL,612,1,2,0,NULL),(613,1,1,'WMI Persistence - Script Event Consumer',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:58','2020-05-01 20:57:58',NULL,0,NULL,NULL,613,1,2,0,NULL),(614,1,1,'WMI Spawning Windows PowerShell',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:58','2020-05-01 20:57:58',NULL,0,NULL,NULL,614,1,2,0,NULL),(615,1,1,'Wmiprvse Spawning Process',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:59','2020-05-01 20:57:59',NULL,0,NULL,NULL,615,1,2,0,NULL),(616,1,1,'Microsoft Workflow Compiler',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:57:59','2020-05-01 20:57:59',NULL,0,NULL,NULL,616,1,2,0,NULL),(617,1,1,'Wsreset UAC Bypass',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-01 20:58:00','2020-05-01 20:58:00',NULL,0,NULL,NULL,617,1,2,0,NULL),(618,1,1,'XSL Script Processing',NULL,NULL,NULL,4,NULL,1,NULL,9,3,'2020-05-01 20:58:00','2020-05-03 10:00:57',NULL,0,NULL,NULL,618,1,2,0,NULL),(620,1,1,'New Sensitive Shared Resource',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-13 13:30:57','2020-05-13 13:30:57',NULL,0,NULL,NULL,620,1,2,0,NULL),(621,1,1,'Whoami Execution',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-13 14:05:41','2020-05-13 14:05:41',NULL,0,NULL,NULL,621,1,2,0,NULL),(622,1,1,'Advanced IP Scanner',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-13 14:07:09','2020-05-13 14:07:09',NULL,0,NULL,NULL,622,1,2,0,NULL),(623,1,1,'Harvesting of Wifi Credentials Using netsh.exe',NULL,NULL,NULL,2,NULL,1,NULL,9,0,'2020-05-13 14:07:11','2020-05-13 14:07:11',NULL,0,NULL,NULL,623,1,2,0,NULL);
/*!40000 ALTER TABLE `issues` ENABLE KEYS */;
UNLOCK TABLES;
@@ -827,7 +827,7 @@ CREATE TABLE `journal_details` (
`value` longtext,
PRIMARY KEY (`id`),
KEY `journal_details_journal_id` (`journal_id`)
-) ENGINE=InnoDB AUTO_INCREMENT=9 DEFAULT CHARSET=latin1;
+) ENGINE=InnoDB AUTO_INCREMENT=14 DEFAULT CHARSET=latin1;
/*!40101 SET character_set_client = @saved_cs_client */;
--
@@ -836,7 +836,7 @@ CREATE TABLE `journal_details` (
LOCK TABLES `journal_details` WRITE;
/*!40000 ALTER TABLE `journal_details` DISABLE KEYS */;
-INSERT INTO `journal_details` VALUES (1,618,'attr','status_id','2','3'),(2,618,'cf','9','{{collapse(View Sigma)\n\n\ntitle: Whoami Execution\nid: e28a5a99-da44-436d-b7a0-2afc20a5f413\nstatus: experimental\ndescription: Detects the execution of whoami, which is often used by attackers after\n exloitation / privilege escalation but rarely used by administrators\nreferences:\n- https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/\n- https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/\nauthor: Florian Roth\ndate: 2018/08/13\ntags:\n- attack.discovery\n- attack.t1033\n- car.2016-03-001\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n Image: \'*\\whoami.exe\'\n selection2:\n OriginalFileName: whoami.exe\n condition: selection or selection2\nfalsepositives:\n- Admin activity\n- Scripts and administrative tools used in the monitored environment\nlevel: high\n\n
\n}}','{{collapse(View Sigma)\r\n\r\n\r\ntitle: Whoami Execution\r\nid: e28a5a99-da44-436d-b7a0-2afc20a5f413\r\nstatus: experimental\r\ndescription: Detects the execution of whoami, which is often used by attackers after\r\n exloitation / privilege escalation but rarely used by administrators\r\nreferences:\r\n- https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/\r\n- https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/\r\nauthor: Florian Roth\r\ndate: 2018/08/13\r\ntags:\r\n- attack.discovery\r\n- attack.t1033\r\n- car.2016-03-001\r\nlogsource:\r\n category: process_creation\r\n product: windows\r\ndetection:\r\n selection:\r\n Image: \'*\\whoami.exe\'\r\n selection2:\r\n OriginalFileName: whoami.exe\r\n condition: selection or selection2\r\nfalsepositives:\r\n- Admin activity\r\n- Scripts and administrative tools used in the monitored environment\r\nlevel: high\r\n\r\n
\r\n}}'),(3,619,'cf','9','{{collapse(View Sigma)\r\n\r\n\r\ntitle: Whoami Execution\r\nid: e28a5a99-da44-436d-b7a0-2afc20a5f413\r\nstatus: experimental\r\ndescription: Detects the execution of whoami, which is often used by attackers after\r\n exloitation / privilege escalation but rarely used by administrators\r\nreferences:\r\n- https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/\r\n- https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/\r\nauthor: Florian Roth\r\ndate: 2018/08/13\r\ntags:\r\n- attack.discovery\r\n- attack.t1033\r\n- car.2016-03-001\r\nlogsource:\r\n category: process_creation\r\n product: windows\r\ndetection:\r\n selection:\r\n Image: \'*\\whoami.exe\'\r\n selection2:\r\n OriginalFileName: whoami.exe\r\n condition: selection or selection2\r\nfalsepositives:\r\n- Admin activity\r\n- Scripts and administrative tools used in the monitored environment\r\nlevel: high\r\n\r\n
\r\n}}','{{collapse(View Sigma)\r\n\r\n\r\ntitle: Whoami Execution\r\nid: e28a5a99-da44-436d-b7a0-2afc20a5f413\r\nstatus: experimental\r\ndescription: Detects the execution of whoami, which is often used by attackers after\r\n exloitation / privilege escalation but rarely used by administrators\r\nreferences:\r\n- https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/\r\n- https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/\r\nauthor: Florian Roths\r\ndate: 2018/08/13\r\ntags:\r\n- attack.discovery\r\n- attack.t1033\r\n- car.2016-03-001\r\nlogsource:\r\n category: process_creation\r\n product: windows\r\ndetection:\r\n selection:\r\n Image: \'*\\whoami.exe\'\r\n selection2:\r\n OriginalFileName: whoami.exe\r\n condition: selection or selection2\r\nfalsepositives:\r\n- Admin activity\r\n- Scripts and administrative tools used in the monitored environment\r\nlevel: high\r\n\r\n
\r\n}}'),(4,620,'cf','7','','aBT41nEBbPAf_3hf59Nr'),(5,621,'attr','status_id','2','3'),(6,621,'cf','9','{{collapse(View Sigma)\n\n\ntitle: XSL Script Processing\nid: 05c36dd6-79d6-4a9a-97da-3db20298ab2d\nstatus: experimental\ndescription: Extensible Stylesheet Language (XSL) files are commonly used to describe\n the processing and rendering of data within XML files, rule detects when adversaries\n abuse this functionality to execute arbitrary files while potentially bypassing\n application whitelisting defenses\nauthor: Timur Zinniatullin, oscd.community\ndate: 2019/10/21\nmodified: 2019/11/04\nreferences:\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1220/T1220.yaml\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n - Image|endswith: \\wmic.exe\n CommandLine|contains: /format\n - Image|endswith: \\msxsl.exe\n condition: selection\nfalsepositives:\n- WMIC.exe FP depend on scripts and administrative methods used in the monitored environment\n- msxsl.exe is not installed by default so unlikely.\nlevel: medium\ntags:\n- attack.execution\n- attack.t1220\n\n
\n}}','{{collapse(View Sigma)\r\n\r\n\r\ntitle: XSL Script Processing\r\nid: 05c36dd6-79d6-4a9a-97da-3db20298ab2d\r\nstatus: experimental\r\ndescription: Extensible Stylesheet Language (XSL) files are commonly used to describe\r\n the processing and rendering of data within XML files, rule detects when adversaries\r\n abuse this functionality to execute arbitrary files while potentially bypassing\r\n application whitelisting defenses\r\nauthor: Timur Zinniatullin, oscd.community\r\ndate: 2019/10/21\r\nmodified: 2019/11/04\r\nreferences:\r\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1220/T1220.yaml\r\nlogsource:\r\n category: process_creation\r\n product: windows\r\ndetection:\r\n selection:\r\n - Image|endswith: \\wmic.exe\r\n CommandLine|contains: /format\r\n - Image|endswith: \\msxsl.exe\r\n condition: selection\r\nfalsepositives:\r\n- WMIC.exe FP depend on scripts and administrative methods used in the monitored environment\r\n- msxsl.exe is not installed by default so unlikely.\r\nlevel: medium\r\ntags:\r\n- attack.execution\r\n- attack.t1220\r\n\r\n
\r\n}}'),(7,622,'cf','7','','gVP62XEBH72G5DlCexmq'),(8,623,'attr','status_id','3','4');
+INSERT INTO `journal_details` VALUES (5,621,'attr','status_id','2','3'),(6,621,'cf','9','{{collapse(View Sigma)\n\n\ntitle: XSL Script Processing\nid: 05c36dd6-79d6-4a9a-97da-3db20298ab2d\nstatus: experimental\ndescription: Extensible Stylesheet Language (XSL) files are commonly used to describe\n the processing and rendering of data within XML files, rule detects when adversaries\n abuse this functionality to execute arbitrary files while potentially bypassing\n application whitelisting defenses\nauthor: Timur Zinniatullin, oscd.community\ndate: 2019/10/21\nmodified: 2019/11/04\nreferences:\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1220/T1220.yaml\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n - Image|endswith: \\wmic.exe\n CommandLine|contains: /format\n - Image|endswith: \\msxsl.exe\n condition: selection\nfalsepositives:\n- WMIC.exe FP depend on scripts and administrative methods used in the monitored environment\n- msxsl.exe is not installed by default so unlikely.\nlevel: medium\ntags:\n- attack.execution\n- attack.t1220\n\n
\n}}','{{collapse(View Sigma)\r\n\r\n\r\ntitle: XSL Script Processing\r\nid: 05c36dd6-79d6-4a9a-97da-3db20298ab2d\r\nstatus: experimental\r\ndescription: Extensible Stylesheet Language (XSL) files are commonly used to describe\r\n the processing and rendering of data within XML files, rule detects when adversaries\r\n abuse this functionality to execute arbitrary files while potentially bypassing\r\n application whitelisting defenses\r\nauthor: Timur Zinniatullin, oscd.community\r\ndate: 2019/10/21\r\nmodified: 2019/11/04\r\nreferences:\r\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1220/T1220.yaml\r\nlogsource:\r\n category: process_creation\r\n product: windows\r\ndetection:\r\n selection:\r\n - Image|endswith: \\wmic.exe\r\n CommandLine|contains: /format\r\n - Image|endswith: \\msxsl.exe\r\n condition: selection\r\nfalsepositives:\r\n- WMIC.exe FP depend on scripts and administrative methods used in the monitored environment\r\n- msxsl.exe is not installed by default so unlikely.\r\nlevel: medium\r\ntags:\r\n- attack.execution\r\n- attack.t1220\r\n\r\n
\r\n}}'),(7,622,'cf','7','','gVP62XEBH72G5DlCexmq'),(8,623,'attr','status_id','3','4'),(9,627,'cf','9','{{collapse(View Sigma)\n\n\ntitle: Modification of Boot Configuration\nid: 1444443e-6757-43e4-9ea4-c8fc705f79a2\ndescription: Identifies use of the bcdedit command to delete boot configuration data.\n This tactic is sometimes used as by malware or an attacker as a destructive technique.\nstatus: experimental\nauthor: E.M. Anhaus (orignally from Atomic Blue Detections, Endgame), oscd.community\ndate: 2019/10/24\nmodified: 2019/11/11\nreferences:\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.yaml\n- https://eqllib.readthedocs.io/en/latest/analytics/c4732632-9c1d-4980-9fa8-1d98c93f918e.html\ntags:\n- attack.impact\n- attack.t1490\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection1:\n Image|endswith: \\bcdedit.exe\n CommandLine: set\n selection2:\n - CommandLine|contains|all:\n - bootstatuspolicy\n - ignoreallfailures\n - CommandLine|contains|all:\n - recoveryenabled\n - no\n condition: selection1 and selection2\nfields:\n- ComputerName\n- User\n- CommandLine\nfalsepositives:\n- Unlikely\nlevel: high\n\n
\n}}','{{collapse(View Sigma)\n\n\ntitle: Modification of Boot Configuration\nid: 1444443e-6757-43e4-9ea4-c8fc705f79a2\ndescription: Identifies use of the bcdedit command to delete boot configuration data. This tactic is sometimes used as by malware or an attacker as a destructive\n technique.\nstatus: experimental\nauthor: E.M. Anhaus (orignally from Atomic Blue Detections, Endgame), oscd.community\ndate: 2019/10/24\nmodified: 2019/11/11\nreferences:\n - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.yaml\n - https://eqllib.readthedocs.io/en/latest/analytics/c4732632-9c1d-4980-9fa8-1d98c93f918e.html\ntags:\n - attack.impact\n - attack.t1490\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection1:\n Image|endswith: \\bcdedit.exe\n CommandLine|contains: set\n selection2:\n - CommandLine|contains|all:\n - bootstatuspolicy\n - ignoreallfailures\n - CommandLine|contains|all:\n - recoveryenabled\n - \'no\'\n condition: selection1 and selection2\nfields:\n - ComputerName\n - User\n - CommandLine\nfalsepositives:\n - Unlikely\nlevel: high\n\n
\n}}'),(10,629,'cf','9','{{collapse(View Sigma)\n\n\naction: global\ntitle: PowerShell Downgrade Attack\nid: b3512211-c67e-4707-bedc-66efc7848863\nrelated:\n- id: 6331d09b-4785-4c13-980f-f96661356249\n type: derived\nstatus: experimental\ndescription: Detects PowerShell downgrade attack by comparing the host versions with\n the actually used engine version 2.0\nreferences:\n- http://www.leeholmes.com/blog/2017/03/17/detecting-and-preventing-powershell-downgrade-attacks/\ntags:\n- attack.defense_evasion\n- attack.execution\n- attack.t1086\nauthor: Harish Segar (rule)\ndate: 2020/03/20\nfalsepositives:\n- Penetration Test\n- Unknown\nlevel: medium\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n CommandLine|contains:\n - \' -version 2 \'\n - \' -versio 2 \'\n - \' -versi 2 \'\n - \' -vers 2 \'\n - \' -ver 2 \'\n - \' -ve 2 \'\n Image|endswith: \\powershell.exe\n condition: selection\n\n
\n}}','{{collapse(View Sigma)\n\n\ntitle: PowerShell Downgrade Attack\nid: b3512211-c67e-4707-bedc-66efc7848863\nrelated:\n - id: 6331d09b-4785-4c13-980f-f96661356249\n type: derived\nstatus: experimental\ndescription: Detects PowerShell downgrade attack by comparing the host versions with the actually used engine version 2.0\nreferences:\n - http://www.leeholmes.com/blog/2017/03/17/detecting-and-preventing-powershell-downgrade-attacks/\ntags:\n - attack.defense_evasion\n - attack.execution\n - attack.t1086\nauthor: Harish Segar (rule)\ndate: 2020/03/20\nfalsepositives:\n - Penetration Test\n - Unknown\nlevel: medium\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n CommandLine|contains: \n - \' -version 2 \'\n - \' -versio 2 \'\n - \' -versi 2 \'\n - \' -vers 2 \'\n - \' -ver 2 \'\n - \' -ve 2 \' \n Image|endswith: \'\\powershell.exe\'\n condition: selection\n\n
\n}}'),(11,630,'cf','9','{{collapse(View Sigma)\n\n\ntitle: Renamed Binary\nid: 36480ae1-a1cb-4eaa-a0d6-29801d7e9142\nstatus: experimental\ndescription: Detects the execution of a renamed binary often used by attackers or\n malware leveraging new Sysmon OriginalFileName datapoint.\nauthor: Matthew Green - @mgreen27, Ecco, James Pemberton / @4A616D6573, oscd.community\n (improvements)\ndate: 2019/06/15\nmodified: 2019/11/11\nreferences:\n- https://attack.mitre.org/techniques/T1036/\n- https://mgreen27.github.io/posts/2019/05/12/BinaryRename.html\n- https://mgreen27.github.io/posts/2019/05/29/BinaryRename2.html\ntags:\n- attack.t1036\n- attack.defense_evasion\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n OriginalFileName:\n - cmd.exe\n - powershell.exe\n - powershell_ise.exe\n - psexec.exe\n - psexec.c\n - cscript.exe\n - wscript.exe\n - mshta.exe\n - regsvr32.exe\n - wmic.exe\n - certutil.exe\n - rundll32.exe\n - cmstp.exe\n - msiexec.exe\n - 7z.exe\n - winrar.exe\n - wevtutil.exe\n - net.exe\n - net1.exe\n filter:\n Image|endswith:\n - \\cmd.exe\n - \\powershell.exe\n - \\powershell_ise.exe\n - \\psexec.exe\n - \\psexec64.exe\n - \\cscript.exe\n - \\wscript.exe\n - \\mshta.exe\n - \\regsvr32.exe\n - \\wmic.exe\n - \\certutil.exe\n - \\rundll32.exe\n - \\cmstp.exe\n - \\msiexec.exe\n - \\7z.exe\n - \\winrar.exe\n - \\wevtutil.exe\n - \\net.exe\n - \\net1.exe\n condition: selection and not filter\nfalsepositives:\n- Custom applications use renamed binaries adding slight change to binary name. Typically\n this is easy to spot and add to whitelist\nlevel: medium\n\n
\n}}','{{collapse(View Sigma)\n\n\ntitle: Renamed Binary\nid: 36480ae1-a1cb-4eaa-a0d6-29801d7e9142\nstatus: experimental\ndescription: Detects the execution of a renamed binary often used by attackers or malware leveraging new Sysmon OriginalFileName datapoint.\nauthor: Matthew Green - @mgreen27, Ecco, James Pemberton / @4A616D6573, oscd.community (improvements), Andreas Hunkeler (@Karneades)\ndate: 2019/06/15\nmodified: 2019/11/11\nreferences:\n - https://attack.mitre.org/techniques/T1036/\n - https://mgreen27.github.io/posts/2019/05/12/BinaryRename.html\n - https://mgreen27.github.io/posts/2019/05/29/BinaryRename2.html\ntags:\n - attack.t1036\n - attack.defense_evasion\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n OriginalFileName:\n - \'cmd.exe\'\n - \'powershell.exe\'\n - \'powershell_ise.exe\'\n - \'psexec.exe\'\n - \'psexec.c\' # old versions of psexec (2016 seen)\n - \'cscript.exe\'\n - \'wscript.exe\'\n - \'mshta.exe\'\n - \'regsvr32.exe\'\n - \'wmic.exe\'\n - \'certutil.exe\'\n - \'rundll32.exe\'\n - \'cmstp.exe\'\n - \'msiexec.exe\'\n - \'7z.exe\'\n - \'winrar.exe\'\n - \'wevtutil.exe\'\n - \'net.exe\'\n - \'net1.exe\'\n - \'netsh.exe\'\n filter:\n Image|endswith:\n - \'\\cmd.exe\'\n - \'\\powershell.exe\'\n - \'\\powershell_ise.exe\'\n - \'\\psexec.exe\'\n - \'\\psexec64.exe\'\n - \'\\cscript.exe\'\n - \'\\wscript.exe\'\n - \'\\mshta.exe\'\n - \'\\regsvr32.exe\'\n - \'\\wmic.exe\'\n - \'\\certutil.exe\'\n - \'\\rundll32.exe\'\n - \'\\cmstp.exe\'\n - \'\\msiexec.exe\'\n - \'\\7z.exe\'\n - \'\\winrar.exe\'\n - \'\\wevtutil.exe\'\n - \'\\net.exe\'\n - \'\\net1.exe\'\n - \'\\netsh.exe\'\n condition: selection and not filter\nfalsepositives:\n - Custom applications use renamed binaries adding slight change to binary name. Typically this is easy to spot and add to whitelist\nlevel: medium\n\n
\n}}'),(12,631,'cf','9','{{collapse(View Sigma)\n\n\ntitle: Suspicious Netsh DLL Persistence\nid: 56321594-9087-49d9-bf10-524fe8479452\ndescription: Detects persitence via netsh helper\nstatus: test\nreferences:\n- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1128/T1128.md\ntags:\n- attack.persistence\n- attack.t1128\ndate: 2019/10/25\nmodified: 2019/10/25\nauthor: Victor Sergeev, oscd.community\nlogsource:\n category: process_creation\n product: windows\ndetection:\n selection:\n Image|endswith: \\netsh.exe\n CommandLine|contains|all:\n - add\n - helper\n condition: selection\nfields:\n- ComputerName\n- User\n- CommandLine\n- ParentCommandLine\nfalsepositives:\n- Unknown\nlevel: high\n\n
\n}}','{{collapse(View Sigma)\n\n\ntitle: Suspicious Netsh DLL Persistence\nid: 56321594-9087-49d9-bf10-524fe8479452\ndescription: Detects persitence via netsh helper\nstatus: testing\nreferences:\n - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1128/T1128.md\ntags:\n - attack.persistence\n - attack.t1128\ndate: 2019/10/25\nmodified: 2019/10/25\nauthor: Victor Sergeev, oscd.community\nlogsource:\n category: process_creation\n product: windows \ndetection:\n selection:\n Image|endswith: \'\\netsh.exe\'\n CommandLine|contains|all:\n - \'add\'\n - \'helper\'\n condition: selection\nfields:\n - ComputerName\n - User\n - CommandLine\n - ParentCommandLine\nfalsepositives:\n - Unknown\nlevel: high\n\n
\n}}');
/*!40000 ALTER TABLE `journal_details` ENABLE KEYS */;
UNLOCK TABLES;
@@ -860,7 +860,7 @@ CREATE TABLE `journals` (
KEY `index_journals_on_user_id` (`user_id`),
KEY `index_journals_on_journalized_id` (`journalized_id`),
KEY `index_journals_on_created_on` (`created_on`)
-) ENGINE=InnoDB AUTO_INCREMENT=624 DEFAULT CHARSET=latin1;
+) ENGINE=InnoDB AUTO_INCREMENT=633 DEFAULT CHARSET=latin1;
/*!40101 SET character_set_client = @saved_cs_client */;
--
@@ -869,7 +869,7 @@ CREATE TABLE `journals` (
LOCK TABLES `journals` WRITE;
/*!40000 ALTER TABLE `journals` DISABLE KEYS */;
-INSERT INTO `journals` VALUES (311,313,'Issue',9,'Play status set to Disabled - Sigmac error when generating ElastAlert config.','2020-05-01 20:55:14',0),(312,314,'Issue',9,'Play imported successfully.','2020-05-01 20:55:15',0),(313,315,'Issue',9,'Play imported successfully.','2020-05-01 20:55:15',0),(314,316,'Issue',9,'Play imported successfully.','2020-05-01 20:55:16',0),(315,317,'Issue',9,'Play imported successfully.','2020-05-01 20:55:16',0),(316,318,'Issue',9,'Play imported successfully.','2020-05-01 20:55:17',0),(317,319,'Issue',9,'Play imported successfully.','2020-05-01 20:55:17',0),(318,320,'Issue',9,'Play imported successfully.','2020-05-01 20:55:18',0),(319,321,'Issue',9,'Play imported successfully.','2020-05-01 20:55:19',0),(320,322,'Issue',9,'Play imported successfully.','2020-05-01 20:55:19',0),(321,323,'Issue',9,'Play imported successfully.','2020-05-01 20:55:20',0),(322,324,'Issue',9,'Play imported successfully.','2020-05-01 20:55:20',0),(323,325,'Issue',9,'Play imported successfully.','2020-05-01 20:55:21',0),(324,326,'Issue',9,'Play imported successfully.','2020-05-01 20:55:21',0),(325,327,'Issue',9,'Play imported successfully.','2020-05-01 20:55:22',0),(326,328,'Issue',9,'Play imported successfully.','2020-05-01 20:55:22',0),(327,329,'Issue',9,'Play imported successfully.','2020-05-01 20:55:23',0),(328,330,'Issue',9,'Play imported successfully.','2020-05-01 20:55:24',0),(329,331,'Issue',9,'Play imported successfully.','2020-05-01 20:55:24',0),(330,332,'Issue',9,'Play imported successfully.','2020-05-01 20:55:25',0),(331,333,'Issue',9,'Play imported successfully.','2020-05-01 20:55:25',0),(332,334,'Issue',9,'Play imported successfully.','2020-05-01 20:55:26',0),(333,335,'Issue',9,'Play imported successfully.','2020-05-01 20:55:27',0),(334,336,'Issue',9,'Play status set to Disabled - Sigmac error when generating ElastAlert config.','2020-05-01 20:55:28',0),(335,337,'Issue',9,'Play imported successfully.','2020-05-01 20:55:28',0),(336,338,'Issue',9,'Play imported successfully.','2020-05-01 20:55:29',0),(337,339,'Issue',9,'Play imported successfully.','2020-05-01 20:55:29',0),(338,340,'Issue',9,'Play imported successfully.','2020-05-01 20:55:30',0),(339,341,'Issue',9,'Play imported successfully.','2020-05-01 20:55:30',0),(340,342,'Issue',9,'Play imported successfully.','2020-05-01 20:55:31',0),(341,343,'Issue',9,'Play imported successfully.','2020-05-01 20:55:31',0),(342,344,'Issue',9,'Play imported successfully.','2020-05-01 20:55:32',0),(343,345,'Issue',9,'Play imported successfully.','2020-05-01 20:55:33',0),(344,346,'Issue',9,'Play imported successfully.','2020-05-01 20:55:33',0),(345,347,'Issue',9,'Play imported successfully.','2020-05-01 20:55:34',0),(346,348,'Issue',9,'Play imported successfully.','2020-05-01 20:55:34',0),(347,349,'Issue',9,'Play imported successfully.','2020-05-01 20:55:35',0),(348,350,'Issue',9,'Play imported successfully.','2020-05-01 20:55:36',0),(349,351,'Issue',9,'Play imported successfully.','2020-05-01 20:55:36',0),(350,352,'Issue',9,'Play imported successfully.','2020-05-01 20:55:37',0),(351,353,'Issue',9,'Play imported successfully.','2020-05-01 20:55:37',0),(352,354,'Issue',9,'Play imported successfully.','2020-05-01 20:55:38',0),(353,355,'Issue',9,'Play imported successfully.','2020-05-01 20:55:38',0),(354,356,'Issue',9,'Play imported successfully.','2020-05-01 20:55:39',0),(355,357,'Issue',9,'Play imported successfully.','2020-05-01 20:55:39',0),(356,358,'Issue',9,'Play imported successfully.','2020-05-01 20:55:40',0),(357,359,'Issue',9,'Play imported successfully.','2020-05-01 20:55:40',0),(358,360,'Issue',9,'Play imported successfully.','2020-05-01 20:55:41',0),(359,361,'Issue',9,'Play imported successfully.','2020-05-01 20:55:42',0),(360,362,'Issue',9,'Play imported successfully.','2020-05-01 20:55:42',0),(361,363,'Issue',9,'Play imported successfully.','2020-05-01 20:55:43',0),(362,364,'Issue',9,'Play imported successfully.','2020-05-01 20:55:43',0),(363,365,'Issue',9,'Play imported successfully.','2020-05-01 20:55:44',0),(364,366,'Issue',9,'Play imported successfully.','2020-05-01 20:55:44',0),(365,367,'Issue',9,'Play imported successfully.','2020-05-01 20:55:45',0),(366,368,'Issue',9,'Play imported successfully.','2020-05-01 20:55:45',0),(367,369,'Issue',9,'Play imported successfully.','2020-05-01 20:55:46',0),(368,370,'Issue',9,'Play imported successfully.','2020-05-01 20:55:46',0),(369,371,'Issue',9,'Play imported successfully.','2020-05-01 20:55:47',0),(370,372,'Issue',9,'Play imported successfully.','2020-05-01 20:55:47',0),(371,373,'Issue',9,'Play imported successfully.','2020-05-01 20:55:48',0),(372,374,'Issue',9,'Play imported successfully.','2020-05-01 20:55:49',0),(373,375,'Issue',9,'Play imported successfully.','2020-05-01 20:55:49',0),(374,376,'Issue',9,'Play imported successfully.','2020-05-01 20:55:50',0),(375,377,'Issue',9,'Play imported successfully.','2020-05-01 20:55:50',0),(376,378,'Issue',9,'Play imported successfully.','2020-05-01 20:55:51',0),(377,379,'Issue',9,'Play imported successfully.','2020-05-01 20:55:51',0),(378,380,'Issue',9,'Play imported successfully.','2020-05-01 20:55:52',0),(379,381,'Issue',9,'Play imported successfully.','2020-05-01 20:55:52',0),(380,382,'Issue',9,'Play imported successfully.','2020-05-01 20:55:53',0),(381,383,'Issue',9,'Play imported successfully.','2020-05-01 20:55:53',0),(382,384,'Issue',9,'Play imported successfully.','2020-05-01 20:55:54',0),(383,385,'Issue',9,'Play imported successfully.','2020-05-01 20:55:54',0),(384,386,'Issue',9,'Play imported successfully.','2020-05-01 20:55:55',0),(385,387,'Issue',9,'Play imported successfully.','2020-05-01 20:55:55',0),(386,388,'Issue',9,'Play imported successfully.','2020-05-01 20:55:56',0),(387,389,'Issue',9,'Play imported successfully.','2020-05-01 20:55:57',0),(388,390,'Issue',9,'Play imported successfully.','2020-05-01 20:55:57',0),(389,391,'Issue',9,'Play imported successfully.','2020-05-01 20:55:58',0),(390,392,'Issue',9,'Play imported successfully.','2020-05-01 20:55:58',0),(391,393,'Issue',9,'Play imported successfully.','2020-05-01 20:55:59',0),(392,394,'Issue',9,'Play imported successfully.','2020-05-01 20:55:59',0),(393,395,'Issue',9,'Play imported successfully.','2020-05-01 20:56:00',0),(394,396,'Issue',9,'Play imported successfully.','2020-05-01 20:56:00',0),(395,397,'Issue',9,'Play imported successfully.','2020-05-01 20:56:01',0),(396,398,'Issue',9,'Play imported successfully.','2020-05-01 20:56:01',0),(397,399,'Issue',9,'Play imported successfully.','2020-05-01 20:56:02',0),(398,400,'Issue',9,'Play imported successfully.','2020-05-01 20:56:02',0),(399,401,'Issue',9,'Play imported successfully.','2020-05-01 20:56:03',0),(400,402,'Issue',9,'Play imported successfully.','2020-05-01 20:56:03',0),(401,403,'Issue',9,'Play imported successfully.','2020-05-01 20:56:04',0),(402,404,'Issue',9,'Play imported successfully.','2020-05-01 20:56:04',0),(403,405,'Issue',9,'Play imported successfully.','2020-05-01 20:56:05',0),(404,406,'Issue',9,'Play imported successfully.','2020-05-01 20:56:06',0),(405,407,'Issue',9,'Play imported successfully.','2020-05-01 20:56:06',0),(406,408,'Issue',9,'Play imported successfully.','2020-05-01 20:56:07',0),(407,409,'Issue',9,'Play imported successfully.','2020-05-01 20:56:07',0),(408,410,'Issue',9,'Play imported successfully.','2020-05-01 20:56:08',0),(409,411,'Issue',9,'Play imported successfully.','2020-05-01 20:56:08',0),(410,412,'Issue',9,'Play imported successfully.','2020-05-01 20:56:09',0),(411,413,'Issue',9,'Play imported successfully.','2020-05-01 20:56:09',0),(412,414,'Issue',9,'Play imported successfully.','2020-05-01 20:56:10',0),(413,415,'Issue',9,'Play imported successfully.','2020-05-01 20:56:11',0),(414,416,'Issue',9,'Play imported successfully.','2020-05-01 20:56:11',0),(415,417,'Issue',9,'Play imported successfully.','2020-05-01 20:56:12',0),(416,418,'Issue',9,'Play imported successfully.','2020-05-01 20:56:13',0),(417,419,'Issue',9,'Play imported successfully.','2020-05-01 20:56:13',0),(418,420,'Issue',9,'Play imported successfully.','2020-05-01 20:56:14',0),(419,421,'Issue',9,'Play imported successfully.','2020-05-01 20:56:15',0),(420,422,'Issue',9,'Play imported successfully.','2020-05-01 20:56:15',0),(421,423,'Issue',9,'Play imported successfully.','2020-05-01 20:56:16',0),(422,424,'Issue',9,'Play imported successfully.','2020-05-01 20:56:16',0),(423,425,'Issue',9,'Play imported successfully.','2020-05-01 20:56:17',0),(424,426,'Issue',9,'Play imported successfully.','2020-05-01 20:56:17',0),(425,427,'Issue',9,'Play imported successfully.','2020-05-01 20:56:18',0),(426,428,'Issue',9,'Play imported successfully.','2020-05-01 20:56:19',0),(427,429,'Issue',9,'Play imported successfully.','2020-05-01 20:56:19',0),(428,430,'Issue',9,'Play imported successfully.','2020-05-01 20:56:20',0),(429,431,'Issue',9,'Play imported successfully.','2020-05-01 20:56:20',0),(430,432,'Issue',9,'Play imported successfully.','2020-05-01 20:56:21',0),(431,433,'Issue',9,'Play imported successfully.','2020-05-01 20:56:21',0),(432,434,'Issue',9,'Play imported successfully.','2020-05-01 20:56:22',0),(433,435,'Issue',9,'Play imported successfully.','2020-05-01 20:56:22',0),(434,436,'Issue',9,'Play imported successfully.','2020-05-01 20:56:23',0),(435,437,'Issue',9,'Play imported successfully.','2020-05-01 20:56:24',0),(436,438,'Issue',9,'Play imported successfully.','2020-05-01 20:56:24',0),(437,439,'Issue',9,'Play imported successfully.','2020-05-01 20:56:25',0),(438,440,'Issue',9,'Play imported successfully.','2020-05-01 20:56:25',0),(439,441,'Issue',9,'Play imported successfully.','2020-05-01 20:56:26',0),(440,442,'Issue',9,'Play imported successfully.','2020-05-01 20:56:26',0),(441,443,'Issue',9,'Play imported successfully.','2020-05-01 20:56:27',0),(442,444,'Issue',9,'Play imported successfully.','2020-05-01 20:56:27',0),(443,445,'Issue',9,'Play imported successfully.','2020-05-01 20:56:28',0),(444,446,'Issue',9,'Play imported successfully.','2020-05-01 20:56:28',0),(445,447,'Issue',9,'Play imported successfully.','2020-05-01 20:56:29',0),(446,448,'Issue',9,'Play imported successfully.','2020-05-01 20:56:29',0),(447,449,'Issue',9,'Play imported successfully.','2020-05-01 20:56:30',0),(448,450,'Issue',9,'Play imported successfully.','2020-05-01 20:56:30',0),(449,451,'Issue',9,'Play imported successfully.','2020-05-01 20:56:31',0),(450,452,'Issue',9,'Play imported successfully.','2020-05-01 20:56:31',0),(451,453,'Issue',9,'Play imported successfully.','2020-05-01 20:56:32',0),(452,454,'Issue',9,'Play imported successfully.','2020-05-01 20:56:32',0),(453,455,'Issue',9,'Play imported successfully.','2020-05-01 20:56:33',0),(454,456,'Issue',9,'Play imported successfully.','2020-05-01 20:56:34',0),(455,457,'Issue',9,'Play imported successfully.','2020-05-01 20:56:34',0),(456,458,'Issue',9,'Play imported successfully.','2020-05-01 20:56:35',0),(457,459,'Issue',9,'Play imported successfully.','2020-05-01 20:56:35',0),(458,460,'Issue',9,'Play imported successfully.','2020-05-01 20:56:36',0),(459,461,'Issue',9,'Play imported successfully.','2020-05-01 20:56:36',0),(460,462,'Issue',9,'Play imported successfully.','2020-05-01 20:56:37',0),(461,463,'Issue',9,'Play imported successfully.','2020-05-01 20:56:37',0),(462,464,'Issue',9,'Play imported successfully.','2020-05-01 20:56:38',0),(463,465,'Issue',9,'Play imported successfully.','2020-05-01 20:56:38',0),(464,466,'Issue',9,'Play imported successfully.','2020-05-01 20:56:39',0),(465,467,'Issue',9,'Play imported successfully.','2020-05-01 20:56:39',0),(466,468,'Issue',9,'Play imported successfully.','2020-05-01 20:56:40',0),(467,469,'Issue',9,'Play imported successfully.','2020-05-01 20:56:41',0),(468,470,'Issue',9,'Play imported successfully.','2020-05-01 20:56:41',0),(469,471,'Issue',9,'Play imported successfully.','2020-05-01 20:56:42',0),(470,472,'Issue',9,'Play imported successfully.','2020-05-01 20:56:42',0),(471,473,'Issue',9,'Play imported successfully.','2020-05-01 20:56:43',0),(472,474,'Issue',9,'Play imported successfully.','2020-05-01 20:56:43',0),(473,475,'Issue',9,'Play imported successfully.','2020-05-01 20:56:44',0),(474,476,'Issue',9,'Play imported successfully.','2020-05-01 20:56:44',0),(475,477,'Issue',9,'Play imported successfully.','2020-05-01 20:56:45',0),(476,478,'Issue',9,'Play imported successfully.','2020-05-01 20:56:45',0),(477,479,'Issue',9,'Play imported successfully.','2020-05-01 20:56:46',0),(478,480,'Issue',9,'Play imported successfully.','2020-05-01 20:56:46',0),(479,481,'Issue',9,'Play imported successfully.','2020-05-01 20:56:47',0),(480,482,'Issue',9,'Play imported successfully.','2020-05-01 20:56:48',0),(481,483,'Issue',9,'Play imported successfully.','2020-05-01 20:56:48',0),(482,484,'Issue',9,'Play imported successfully.','2020-05-01 20:56:49',0),(483,485,'Issue',9,'Play imported successfully.','2020-05-01 20:56:49',0),(484,486,'Issue',9,'Play imported successfully.','2020-05-01 20:56:50',0),(485,487,'Issue',9,'Play imported successfully.','2020-05-01 20:56:50',0),(486,488,'Issue',9,'Play imported successfully.','2020-05-01 20:56:51',0),(487,489,'Issue',9,'Play imported successfully.','2020-05-01 20:56:51',0),(488,490,'Issue',9,'Play imported successfully.','2020-05-01 20:56:52',0),(489,491,'Issue',9,'Play imported successfully.','2020-05-01 20:56:52',0),(490,492,'Issue',9,'Play imported successfully.','2020-05-01 20:56:53',0),(491,493,'Issue',9,'Play imported successfully.','2020-05-01 20:56:53',0),(492,494,'Issue',9,'Play status set to Disabled - Sigmac error when generating ElastAlert config.','2020-05-01 20:56:54',0),(493,495,'Issue',9,'Play imported successfully.','2020-05-01 20:56:54',0),(494,496,'Issue',9,'Play imported successfully.','2020-05-01 20:56:55',0),(495,497,'Issue',9,'Play imported successfully.','2020-05-01 20:56:56',0),(496,498,'Issue',9,'Play imported successfully.','2020-05-01 20:56:56',0),(497,499,'Issue',9,'Play imported successfully.','2020-05-01 20:56:57',0),(498,500,'Issue',9,'Play imported successfully.','2020-05-01 20:56:57',0),(499,501,'Issue',9,'Play imported successfully.','2020-05-01 20:56:58',0),(500,502,'Issue',9,'Play imported successfully.','2020-05-01 20:56:58',0),(501,503,'Issue',9,'Play imported successfully.','2020-05-01 20:56:59',0),(502,504,'Issue',9,'Play imported successfully.','2020-05-01 20:56:59',0),(503,505,'Issue',9,'Play imported successfully.','2020-05-01 20:57:00',0),(504,506,'Issue',9,'Play imported successfully.','2020-05-01 20:57:00',0),(505,507,'Issue',9,'Play imported successfully.','2020-05-01 20:57:01',0),(506,508,'Issue',9,'Play imported successfully.','2020-05-01 20:57:02',0),(507,509,'Issue',9,'Play imported successfully.','2020-05-01 20:57:02',0),(508,510,'Issue',9,'Play imported successfully.','2020-05-01 20:57:03',0),(509,511,'Issue',9,'Play imported successfully.','2020-05-01 20:57:03',0),(510,512,'Issue',9,'Play imported successfully.','2020-05-01 20:57:04',0),(511,513,'Issue',9,'Play imported successfully.','2020-05-01 20:57:04',0),(512,514,'Issue',9,'Play imported successfully.','2020-05-01 20:57:05',0),(513,515,'Issue',9,'Play imported successfully.','2020-05-01 20:57:05',0),(514,516,'Issue',9,'Play imported successfully.','2020-05-01 20:57:06',0),(515,517,'Issue',9,'Play imported successfully.','2020-05-01 20:57:06',0),(516,518,'Issue',9,'Play imported successfully.','2020-05-01 20:57:07',0),(517,519,'Issue',9,'Play imported successfully.','2020-05-01 20:57:07',0),(518,520,'Issue',9,'Play imported successfully.','2020-05-01 20:57:08',0),(519,521,'Issue',9,'Play imported successfully.','2020-05-01 20:57:08',0),(520,522,'Issue',9,'Play imported successfully.','2020-05-01 20:57:09',0),(521,523,'Issue',9,'Play imported successfully.','2020-05-01 20:57:09',0),(522,524,'Issue',9,'Play imported successfully.','2020-05-01 20:57:10',0),(523,525,'Issue',9,'Play imported successfully.','2020-05-01 20:57:11',0),(524,526,'Issue',9,'Play imported successfully.','2020-05-01 20:57:11',0),(525,527,'Issue',9,'Play imported successfully.','2020-05-01 20:57:12',0),(526,528,'Issue',9,'Play imported successfully.','2020-05-01 20:57:12',0),(527,529,'Issue',9,'Play imported successfully.','2020-05-01 20:57:13',0),(528,530,'Issue',9,'Play imported successfully.','2020-05-01 20:57:13',0),(529,531,'Issue',9,'Play imported successfully.','2020-05-01 20:57:14',0),(530,532,'Issue',9,'Play imported successfully.','2020-05-01 20:57:14',0),(531,533,'Issue',9,'Play imported successfully.','2020-05-01 20:57:15',0),(532,534,'Issue',9,'Play imported successfully.','2020-05-01 20:57:15',0),(533,535,'Issue',9,'Play imported successfully.','2020-05-01 20:57:16',0),(534,536,'Issue',9,'Play imported successfully.','2020-05-01 20:57:16',0),(535,537,'Issue',9,'Play imported successfully.','2020-05-01 20:57:17',0),(536,538,'Issue',9,'Play imported successfully.','2020-05-01 20:57:17',0),(537,539,'Issue',9,'Play imported successfully.','2020-05-01 20:57:18',0),(538,540,'Issue',9,'Play imported successfully.','2020-05-01 20:57:18',0),(539,541,'Issue',9,'Play imported successfully.','2020-05-01 20:57:19',0),(540,542,'Issue',9,'Play imported successfully.','2020-05-01 20:57:20',0),(541,543,'Issue',9,'Play imported successfully.','2020-05-01 20:57:20',0),(542,544,'Issue',9,'Play imported successfully.','2020-05-01 20:57:21',0),(543,545,'Issue',9,'Play imported successfully.','2020-05-01 20:57:21',0),(544,546,'Issue',9,'Play imported successfully.','2020-05-01 20:57:22',0),(545,547,'Issue',9,'Play imported successfully.','2020-05-01 20:57:22',0),(546,548,'Issue',9,'Play imported successfully.','2020-05-01 20:57:23',0),(547,549,'Issue',9,'Play imported successfully.','2020-05-01 20:57:23',0),(548,550,'Issue',9,'Play imported successfully.','2020-05-01 20:57:24',0),(549,551,'Issue',9,'Play imported successfully.','2020-05-01 20:57:24',0),(550,552,'Issue',9,'Play imported successfully.','2020-05-01 20:57:25',0),(551,553,'Issue',9,'Play imported successfully.','2020-05-01 20:57:26',0),(552,554,'Issue',9,'Play imported successfully.','2020-05-01 20:57:26',0),(553,555,'Issue',9,'Play imported successfully.','2020-05-01 20:57:27',0),(554,556,'Issue',9,'Play imported successfully.','2020-05-01 20:57:27',0),(555,557,'Issue',9,'Play imported successfully.','2020-05-01 20:57:28',0),(556,558,'Issue',9,'Play imported successfully.','2020-05-01 20:57:28',0),(557,559,'Issue',9,'Play imported successfully.','2020-05-01 20:57:29',0),(558,560,'Issue',9,'Play imported successfully.','2020-05-01 20:57:29',0),(559,561,'Issue',9,'Play imported successfully.','2020-05-01 20:57:30',0),(560,562,'Issue',9,'Play imported successfully.','2020-05-01 20:57:30',0),(561,563,'Issue',9,'Play imported successfully.','2020-05-01 20:57:31',0),(562,564,'Issue',9,'Play imported successfully.','2020-05-01 20:57:31',0),(563,565,'Issue',9,'Play imported successfully.','2020-05-01 20:57:32',0),(564,566,'Issue',9,'Play imported successfully.','2020-05-01 20:57:33',0),(565,567,'Issue',9,'Play imported successfully.','2020-05-01 20:57:33',0),(566,568,'Issue',9,'Play imported successfully.','2020-05-01 20:57:34',0),(567,569,'Issue',9,'Play imported successfully.','2020-05-01 20:57:34',0),(568,570,'Issue',9,'Play imported successfully.','2020-05-01 20:57:35',0),(569,571,'Issue',9,'Play imported successfully.','2020-05-01 20:57:35',0),(570,572,'Issue',9,'Play imported successfully.','2020-05-01 20:57:36',0),(571,573,'Issue',9,'Play imported successfully.','2020-05-01 20:57:36',0),(572,574,'Issue',9,'Play imported successfully.','2020-05-01 20:57:37',0),(573,575,'Issue',9,'Play imported successfully.','2020-05-01 20:57:37',0),(574,576,'Issue',9,'Play imported successfully.','2020-05-01 20:57:38',0),(575,577,'Issue',9,'Play imported successfully.','2020-05-01 20:57:38',0),(576,578,'Issue',9,'Play imported successfully.','2020-05-01 20:57:39',0),(577,579,'Issue',9,'Play imported successfully.','2020-05-01 20:57:40',0),(578,580,'Issue',9,'Play imported successfully.','2020-05-01 20:57:40',0),(579,581,'Issue',9,'Play imported successfully.','2020-05-01 20:57:41',0),(580,582,'Issue',9,'Play imported successfully.','2020-05-01 20:57:41',0),(581,583,'Issue',9,'Play imported successfully.','2020-05-01 20:57:42',0),(582,584,'Issue',9,'Play imported successfully.','2020-05-01 20:57:42',0),(583,585,'Issue',9,'Play imported successfully.','2020-05-01 20:57:43',0),(584,586,'Issue',9,'Play imported successfully.','2020-05-01 20:57:43',0),(585,587,'Issue',9,'Play imported successfully.','2020-05-01 20:57:44',0),(586,588,'Issue',9,'Play imported successfully.','2020-05-01 20:57:44',0),(587,589,'Issue',9,'Play imported successfully.','2020-05-01 20:57:45',0),(588,590,'Issue',9,'Play imported successfully.','2020-05-01 20:57:45',0),(589,591,'Issue',9,'Play imported successfully.','2020-05-01 20:57:46',0),(590,592,'Issue',9,'Play imported successfully.','2020-05-01 20:57:47',0),(591,593,'Issue',9,'Play imported successfully.','2020-05-01 20:57:47',0),(592,594,'Issue',9,'Play imported successfully.','2020-05-01 20:57:48',0),(593,595,'Issue',9,'Play imported successfully.','2020-05-01 20:57:48',0),(594,596,'Issue',9,'Play imported successfully.','2020-05-01 20:57:49',0),(595,597,'Issue',9,'Play imported successfully.','2020-05-01 20:57:49',0),(596,598,'Issue',9,'Play imported successfully.','2020-05-01 20:57:50',0),(597,599,'Issue',9,'Play imported successfully.','2020-05-01 20:57:50',0),(598,600,'Issue',9,'Play imported successfully.','2020-05-01 20:57:51',0),(599,601,'Issue',9,'Play imported successfully.','2020-05-01 20:57:51',0),(600,602,'Issue',9,'Play imported successfully.','2020-05-01 20:57:52',0),(601,603,'Issue',9,'Play imported successfully.','2020-05-01 20:57:52',0),(602,604,'Issue',9,'Play imported successfully.','2020-05-01 20:57:53',0),(603,605,'Issue',9,'Play imported successfully.','2020-05-01 20:57:53',0),(604,606,'Issue',9,'Play imported successfully.','2020-05-01 20:57:54',0),(605,607,'Issue',9,'Play imported successfully.','2020-05-01 20:57:55',0),(606,608,'Issue',9,'Play imported successfully.','2020-05-01 20:57:55',0),(607,609,'Issue',9,'Play imported successfully.','2020-05-01 20:57:56',0),(608,610,'Issue',9,'Play imported successfully.','2020-05-01 20:57:56',0),(609,611,'Issue',9,'Play imported successfully.','2020-05-01 20:57:57',0),(610,612,'Issue',9,'Play imported successfully.','2020-05-01 20:57:57',0),(611,613,'Issue',9,'Play imported successfully.','2020-05-01 20:57:58',0),(612,614,'Issue',9,'Play imported successfully.','2020-05-01 20:57:58',0),(613,615,'Issue',9,'Play imported successfully.','2020-05-01 20:57:59',0),(614,616,'Issue',9,'Play imported successfully.','2020-05-01 20:57:59',0),(615,617,'Issue',9,'Play imported successfully.','2020-05-01 20:58:00',0),(616,618,'Issue',9,'Play imported successfully.','2020-05-01 20:58:00',0),(617,619,'Issue',9,'Play imported successfully.','2020-05-02 12:35:33',0),(618,619,'Issue',8,'','2020-05-02 12:36:46',0),(619,619,'Issue',8,'','2020-05-02 12:39:47',0),(620,619,'Issue',9,'','2020-05-02 19:59:29',0),(621,618,'Issue',8,'','2020-05-03 09:59:49',0),(622,618,'Issue',9,'','2020-05-03 10:00:04',0),(623,618,'Issue',8,'','2020-05-03 10:00:57',0);
+INSERT INTO `journals` VALUES (311,313,'Issue',9,'Play status set to Disabled - Sigmac error when generating ElastAlert config.','2020-05-01 20:55:14',0),(312,314,'Issue',9,'Play imported successfully.','2020-05-01 20:55:15',0),(313,315,'Issue',9,'Play imported successfully.','2020-05-01 20:55:15',0),(314,316,'Issue',9,'Play imported successfully.','2020-05-01 20:55:16',0),(315,317,'Issue',9,'Play imported successfully.','2020-05-01 20:55:16',0),(316,318,'Issue',9,'Play imported successfully.','2020-05-01 20:55:17',0),(317,319,'Issue',9,'Play imported successfully.','2020-05-01 20:55:17',0),(318,320,'Issue',9,'Play imported successfully.','2020-05-01 20:55:18',0),(319,321,'Issue',9,'Play imported successfully.','2020-05-01 20:55:19',0),(320,322,'Issue',9,'Play imported successfully.','2020-05-01 20:55:19',0),(321,323,'Issue',9,'Play imported successfully.','2020-05-01 20:55:20',0),(322,324,'Issue',9,'Play imported successfully.','2020-05-01 20:55:20',0),(323,325,'Issue',9,'Play imported successfully.','2020-05-01 20:55:21',0),(324,326,'Issue',9,'Play imported successfully.','2020-05-01 20:55:21',0),(325,327,'Issue',9,'Play imported successfully.','2020-05-01 20:55:22',0),(326,328,'Issue',9,'Play imported successfully.','2020-05-01 20:55:22',0),(327,329,'Issue',9,'Play imported successfully.','2020-05-01 20:55:23',0),(328,330,'Issue',9,'Play imported successfully.','2020-05-01 20:55:24',0),(329,331,'Issue',9,'Play imported successfully.','2020-05-01 20:55:24',0),(330,332,'Issue',9,'Play imported successfully.','2020-05-01 20:55:25',0),(331,333,'Issue',9,'Play imported successfully.','2020-05-01 20:55:25',0),(332,334,'Issue',9,'Play imported successfully.','2020-05-01 20:55:26',0),(333,335,'Issue',9,'Play imported successfully.','2020-05-01 20:55:27',0),(334,336,'Issue',9,'Play status set to Disabled - Sigmac error when generating ElastAlert config.','2020-05-01 20:55:28',0),(335,337,'Issue',9,'Play imported successfully.','2020-05-01 20:55:28',0),(336,338,'Issue',9,'Play imported successfully.','2020-05-01 20:55:29',0),(337,339,'Issue',9,'Play imported successfully.','2020-05-01 20:55:29',0),(338,340,'Issue',9,'Play imported successfully.','2020-05-01 20:55:30',0),(339,341,'Issue',9,'Play imported successfully.','2020-05-01 20:55:30',0),(340,342,'Issue',9,'Play imported successfully.','2020-05-01 20:55:31',0),(341,343,'Issue',9,'Play imported successfully.','2020-05-01 20:55:31',0),(342,344,'Issue',9,'Play imported successfully.','2020-05-01 20:55:32',0),(343,345,'Issue',9,'Play imported successfully.','2020-05-01 20:55:33',0),(344,346,'Issue',9,'Play imported successfully.','2020-05-01 20:55:33',0),(345,347,'Issue',9,'Play imported successfully.','2020-05-01 20:55:34',0),(346,348,'Issue',9,'Play imported successfully.','2020-05-01 20:55:34',0),(347,349,'Issue',9,'Play imported successfully.','2020-05-01 20:55:35',0),(348,350,'Issue',9,'Play imported successfully.','2020-05-01 20:55:36',0),(349,351,'Issue',9,'Play imported successfully.','2020-05-01 20:55:36',0),(350,352,'Issue',9,'Play imported successfully.','2020-05-01 20:55:37',0),(351,353,'Issue',9,'Play imported successfully.','2020-05-01 20:55:37',0),(352,354,'Issue',9,'Play imported successfully.','2020-05-01 20:55:38',0),(353,355,'Issue',9,'Play imported successfully.','2020-05-01 20:55:38',0),(354,356,'Issue',9,'Play imported successfully.','2020-05-01 20:55:39',0),(355,357,'Issue',9,'Play imported successfully.','2020-05-01 20:55:39',0),(356,358,'Issue',9,'Play imported successfully.','2020-05-01 20:55:40',0),(357,359,'Issue',9,'Play imported successfully.','2020-05-01 20:55:40',0),(358,360,'Issue',9,'Play imported successfully.','2020-05-01 20:55:41',0),(359,361,'Issue',9,'Play imported successfully.','2020-05-01 20:55:42',0),(360,362,'Issue',9,'Play imported successfully.','2020-05-01 20:55:42',0),(361,363,'Issue',9,'Play imported successfully.','2020-05-01 20:55:43',0),(362,364,'Issue',9,'Play imported successfully.','2020-05-01 20:55:43',0),(363,365,'Issue',9,'Play imported successfully.','2020-05-01 20:55:44',0),(364,366,'Issue',9,'Play imported successfully.','2020-05-01 20:55:44',0),(365,367,'Issue',9,'Play imported successfully.','2020-05-01 20:55:45',0),(366,368,'Issue',9,'Play imported successfully.','2020-05-01 20:55:45',0),(367,369,'Issue',9,'Play imported successfully.','2020-05-01 20:55:46',0),(368,370,'Issue',9,'Play imported successfully.','2020-05-01 20:55:46',0),(369,371,'Issue',9,'Play imported successfully.','2020-05-01 20:55:47',0),(370,372,'Issue',9,'Play imported successfully.','2020-05-01 20:55:47',0),(371,373,'Issue',9,'Play imported successfully.','2020-05-01 20:55:48',0),(372,374,'Issue',9,'Play imported successfully.','2020-05-01 20:55:49',0),(373,375,'Issue',9,'Play imported successfully.','2020-05-01 20:55:49',0),(374,376,'Issue',9,'Play imported successfully.','2020-05-01 20:55:50',0),(375,377,'Issue',9,'Play imported successfully.','2020-05-01 20:55:50',0),(376,378,'Issue',9,'Play imported successfully.','2020-05-01 20:55:51',0),(377,379,'Issue',9,'Play imported successfully.','2020-05-01 20:55:51',0),(378,380,'Issue',9,'Play imported successfully.','2020-05-01 20:55:52',0),(379,381,'Issue',9,'Play imported successfully.','2020-05-01 20:55:52',0),(380,382,'Issue',9,'Play imported successfully.','2020-05-01 20:55:53',0),(381,383,'Issue',9,'Play imported successfully.','2020-05-01 20:55:53',0),(382,384,'Issue',9,'Play imported successfully.','2020-05-01 20:55:54',0),(383,385,'Issue',9,'Play imported successfully.','2020-05-01 20:55:54',0),(384,386,'Issue',9,'Play imported successfully.','2020-05-01 20:55:55',0),(385,387,'Issue',9,'Play imported successfully.','2020-05-01 20:55:55',0),(386,388,'Issue',9,'Play imported successfully.','2020-05-01 20:55:56',0),(387,389,'Issue',9,'Play imported successfully.','2020-05-01 20:55:57',0),(388,390,'Issue',9,'Play imported successfully.','2020-05-01 20:55:57',0),(389,391,'Issue',9,'Play imported successfully.','2020-05-01 20:55:58',0),(390,392,'Issue',9,'Play imported successfully.','2020-05-01 20:55:58',0),(391,393,'Issue',9,'Play imported successfully.','2020-05-01 20:55:59',0),(392,394,'Issue',9,'Play imported successfully.','2020-05-01 20:55:59',0),(393,395,'Issue',9,'Play imported successfully.','2020-05-01 20:56:00',0),(394,396,'Issue',9,'Play imported successfully.','2020-05-01 20:56:00',0),(395,397,'Issue',9,'Play imported successfully.','2020-05-01 20:56:01',0),(396,398,'Issue',9,'Play imported successfully.','2020-05-01 20:56:01',0),(397,399,'Issue',9,'Play imported successfully.','2020-05-01 20:56:02',0),(398,400,'Issue',9,'Play imported successfully.','2020-05-01 20:56:02',0),(399,401,'Issue',9,'Play imported successfully.','2020-05-01 20:56:03',0),(400,402,'Issue',9,'Play imported successfully.','2020-05-01 20:56:03',0),(401,403,'Issue',9,'Play imported successfully.','2020-05-01 20:56:04',0),(402,404,'Issue',9,'Play imported successfully.','2020-05-01 20:56:04',0),(403,405,'Issue',9,'Play imported successfully.','2020-05-01 20:56:05',0),(404,406,'Issue',9,'Play imported successfully.','2020-05-01 20:56:06',0),(405,407,'Issue',9,'Play imported successfully.','2020-05-01 20:56:06',0),(406,408,'Issue',9,'Play imported successfully.','2020-05-01 20:56:07',0),(407,409,'Issue',9,'Play imported successfully.','2020-05-01 20:56:07',0),(408,410,'Issue',9,'Play imported successfully.','2020-05-01 20:56:08',0),(409,411,'Issue',9,'Play imported successfully.','2020-05-01 20:56:08',0),(410,412,'Issue',9,'Play imported successfully.','2020-05-01 20:56:09',0),(411,413,'Issue',9,'Play imported successfully.','2020-05-01 20:56:09',0),(412,414,'Issue',9,'Play imported successfully.','2020-05-01 20:56:10',0),(413,415,'Issue',9,'Play imported successfully.','2020-05-01 20:56:11',0),(414,416,'Issue',9,'Play imported successfully.','2020-05-01 20:56:11',0),(415,417,'Issue',9,'Play imported successfully.','2020-05-01 20:56:12',0),(416,418,'Issue',9,'Play imported successfully.','2020-05-01 20:56:13',0),(417,419,'Issue',9,'Play imported successfully.','2020-05-01 20:56:13',0),(418,420,'Issue',9,'Play imported successfully.','2020-05-01 20:56:14',0),(419,421,'Issue',9,'Play imported successfully.','2020-05-01 20:56:15',0),(420,422,'Issue',9,'Play imported successfully.','2020-05-01 20:56:15',0),(421,423,'Issue',9,'Play imported successfully.','2020-05-01 20:56:16',0),(422,424,'Issue',9,'Play imported successfully.','2020-05-01 20:56:16',0),(423,425,'Issue',9,'Play imported successfully.','2020-05-01 20:56:17',0),(424,426,'Issue',9,'Play imported successfully.','2020-05-01 20:56:17',0),(425,427,'Issue',9,'Play imported successfully.','2020-05-01 20:56:18',0),(426,428,'Issue',9,'Play imported successfully.','2020-05-01 20:56:19',0),(427,429,'Issue',9,'Play imported successfully.','2020-05-01 20:56:19',0),(428,430,'Issue',9,'Play imported successfully.','2020-05-01 20:56:20',0),(429,431,'Issue',9,'Play imported successfully.','2020-05-01 20:56:20',0),(430,432,'Issue',9,'Play imported successfully.','2020-05-01 20:56:21',0),(431,433,'Issue',9,'Play imported successfully.','2020-05-01 20:56:21',0),(432,434,'Issue',9,'Play imported successfully.','2020-05-01 20:56:22',0),(433,435,'Issue',9,'Play imported successfully.','2020-05-01 20:56:22',0),(434,436,'Issue',9,'Play imported successfully.','2020-05-01 20:56:23',0),(435,437,'Issue',9,'Play imported successfully.','2020-05-01 20:56:24',0),(436,438,'Issue',9,'Play imported successfully.','2020-05-01 20:56:24',0),(437,439,'Issue',9,'Play imported successfully.','2020-05-01 20:56:25',0),(438,440,'Issue',9,'Play imported successfully.','2020-05-01 20:56:25',0),(439,441,'Issue',9,'Play imported successfully.','2020-05-01 20:56:26',0),(440,442,'Issue',9,'Play imported successfully.','2020-05-01 20:56:26',0),(441,443,'Issue',9,'Play imported successfully.','2020-05-01 20:56:27',0),(442,444,'Issue',9,'Play imported successfully.','2020-05-01 20:56:27',0),(443,445,'Issue',9,'Play imported successfully.','2020-05-01 20:56:28',0),(444,446,'Issue',9,'Play imported successfully.','2020-05-01 20:56:28',0),(445,447,'Issue',9,'Play imported successfully.','2020-05-01 20:56:29',0),(446,448,'Issue',9,'Play imported successfully.','2020-05-01 20:56:29',0),(447,449,'Issue',9,'Play imported successfully.','2020-05-01 20:56:30',0),(448,450,'Issue',9,'Play imported successfully.','2020-05-01 20:56:30',0),(449,451,'Issue',9,'Play imported successfully.','2020-05-01 20:56:31',0),(450,452,'Issue',9,'Play imported successfully.','2020-05-01 20:56:31',0),(451,453,'Issue',9,'Play imported successfully.','2020-05-01 20:56:32',0),(452,454,'Issue',9,'Play imported successfully.','2020-05-01 20:56:32',0),(453,455,'Issue',9,'Play imported successfully.','2020-05-01 20:56:33',0),(454,456,'Issue',9,'Play imported successfully.','2020-05-01 20:56:34',0),(455,457,'Issue',9,'Play imported successfully.','2020-05-01 20:56:34',0),(456,458,'Issue',9,'Play imported successfully.','2020-05-01 20:56:35',0),(457,459,'Issue',9,'Play imported successfully.','2020-05-01 20:56:35',0),(458,460,'Issue',9,'Play imported successfully.','2020-05-01 20:56:36',0),(459,461,'Issue',9,'Play imported successfully.','2020-05-01 20:56:36',0),(460,462,'Issue',9,'Play imported successfully.','2020-05-01 20:56:37',0),(461,463,'Issue',9,'Play imported successfully.','2020-05-01 20:56:37',0),(462,464,'Issue',9,'Play imported successfully.','2020-05-01 20:56:38',0),(463,465,'Issue',9,'Play imported successfully.','2020-05-01 20:56:38',0),(464,466,'Issue',9,'Play imported successfully.','2020-05-01 20:56:39',0),(465,467,'Issue',9,'Play imported successfully.','2020-05-01 20:56:39',0),(466,468,'Issue',9,'Play imported successfully.','2020-05-01 20:56:40',0),(467,469,'Issue',9,'Play imported successfully.','2020-05-01 20:56:41',0),(468,470,'Issue',9,'Play imported successfully.','2020-05-01 20:56:41',0),(469,471,'Issue',9,'Play imported successfully.','2020-05-01 20:56:42',0),(470,472,'Issue',9,'Play imported successfully.','2020-05-01 20:56:42',0),(471,473,'Issue',9,'Play imported successfully.','2020-05-01 20:56:43',0),(472,474,'Issue',9,'Play imported successfully.','2020-05-01 20:56:43',0),(473,475,'Issue',9,'Play imported successfully.','2020-05-01 20:56:44',0),(474,476,'Issue',9,'Play imported successfully.','2020-05-01 20:56:44',0),(475,477,'Issue',9,'Play imported successfully.','2020-05-01 20:56:45',0),(476,478,'Issue',9,'Play imported successfully.','2020-05-01 20:56:45',0),(477,479,'Issue',9,'Play imported successfully.','2020-05-01 20:56:46',0),(478,480,'Issue',9,'Play imported successfully.','2020-05-01 20:56:46',0),(479,481,'Issue',9,'Play imported successfully.','2020-05-01 20:56:47',0),(480,482,'Issue',9,'Play imported successfully.','2020-05-01 20:56:48',0),(481,483,'Issue',9,'Play imported successfully.','2020-05-01 20:56:48',0),(482,484,'Issue',9,'Play imported successfully.','2020-05-01 20:56:49',0),(483,485,'Issue',9,'Play imported successfully.','2020-05-01 20:56:49',0),(484,486,'Issue',9,'Play imported successfully.','2020-05-01 20:56:50',0),(485,487,'Issue',9,'Play imported successfully.','2020-05-01 20:56:50',0),(486,488,'Issue',9,'Play imported successfully.','2020-05-01 20:56:51',0),(487,489,'Issue',9,'Play imported successfully.','2020-05-01 20:56:51',0),(488,490,'Issue',9,'Play imported successfully.','2020-05-01 20:56:52',0),(489,491,'Issue',9,'Play imported successfully.','2020-05-01 20:56:52',0),(490,492,'Issue',9,'Play imported successfully.','2020-05-01 20:56:53',0),(491,493,'Issue',9,'Play imported successfully.','2020-05-01 20:56:53',0),(492,494,'Issue',9,'Play status set to Disabled - Sigmac error when generating ElastAlert config.','2020-05-01 20:56:54',0),(493,495,'Issue',9,'Play imported successfully.','2020-05-01 20:56:54',0),(494,496,'Issue',9,'Play imported successfully.','2020-05-01 20:56:55',0),(495,497,'Issue',9,'Play imported successfully.','2020-05-01 20:56:56',0),(496,498,'Issue',9,'Play imported successfully.','2020-05-01 20:56:56',0),(497,499,'Issue',9,'Play imported successfully.','2020-05-01 20:56:57',0),(498,500,'Issue',9,'Play imported successfully.','2020-05-01 20:56:57',0),(499,501,'Issue',9,'Play imported successfully.','2020-05-01 20:56:58',0),(500,502,'Issue',9,'Play imported successfully.','2020-05-01 20:56:58',0),(501,503,'Issue',9,'Play imported successfully.','2020-05-01 20:56:59',0),(502,504,'Issue',9,'Play imported successfully.','2020-05-01 20:56:59',0),(503,505,'Issue',9,'Play imported successfully.','2020-05-01 20:57:00',0),(504,506,'Issue',9,'Play imported successfully.','2020-05-01 20:57:00',0),(505,507,'Issue',9,'Play imported successfully.','2020-05-01 20:57:01',0),(506,508,'Issue',9,'Play imported successfully.','2020-05-01 20:57:02',0),(507,509,'Issue',9,'Play imported successfully.','2020-05-01 20:57:02',0),(508,510,'Issue',9,'Play imported successfully.','2020-05-01 20:57:03',0),(509,511,'Issue',9,'Play imported successfully.','2020-05-01 20:57:03',0),(510,512,'Issue',9,'Play imported successfully.','2020-05-01 20:57:04',0),(511,513,'Issue',9,'Play imported successfully.','2020-05-01 20:57:04',0),(512,514,'Issue',9,'Play imported successfully.','2020-05-01 20:57:05',0),(513,515,'Issue',9,'Play imported successfully.','2020-05-01 20:57:05',0),(514,516,'Issue',9,'Play imported successfully.','2020-05-01 20:57:06',0),(515,517,'Issue',9,'Play imported successfully.','2020-05-01 20:57:06',0),(516,518,'Issue',9,'Play imported successfully.','2020-05-01 20:57:07',0),(517,519,'Issue',9,'Play imported successfully.','2020-05-01 20:57:07',0),(518,520,'Issue',9,'Play imported successfully.','2020-05-01 20:57:08',0),(519,521,'Issue',9,'Play imported successfully.','2020-05-01 20:57:08',0),(520,522,'Issue',9,'Play imported successfully.','2020-05-01 20:57:09',0),(521,523,'Issue',9,'Play imported successfully.','2020-05-01 20:57:09',0),(522,524,'Issue',9,'Play imported successfully.','2020-05-01 20:57:10',0),(523,525,'Issue',9,'Play imported successfully.','2020-05-01 20:57:11',0),(524,526,'Issue',9,'Play imported successfully.','2020-05-01 20:57:11',0),(525,527,'Issue',9,'Play imported successfully.','2020-05-01 20:57:12',0),(526,528,'Issue',9,'Play imported successfully.','2020-05-01 20:57:12',0),(527,529,'Issue',9,'Play imported successfully.','2020-05-01 20:57:13',0),(528,530,'Issue',9,'Play imported successfully.','2020-05-01 20:57:13',0),(529,531,'Issue',9,'Play imported successfully.','2020-05-01 20:57:14',0),(530,532,'Issue',9,'Play imported successfully.','2020-05-01 20:57:14',0),(531,533,'Issue',9,'Play imported successfully.','2020-05-01 20:57:15',0),(532,534,'Issue',9,'Play imported successfully.','2020-05-01 20:57:15',0),(533,535,'Issue',9,'Play imported successfully.','2020-05-01 20:57:16',0),(534,536,'Issue',9,'Play imported successfully.','2020-05-01 20:57:16',0),(535,537,'Issue',9,'Play imported successfully.','2020-05-01 20:57:17',0),(536,538,'Issue',9,'Play imported successfully.','2020-05-01 20:57:17',0),(537,539,'Issue',9,'Play imported successfully.','2020-05-01 20:57:18',0),(538,540,'Issue',9,'Play imported successfully.','2020-05-01 20:57:18',0),(539,541,'Issue',9,'Play imported successfully.','2020-05-01 20:57:19',0),(540,542,'Issue',9,'Play imported successfully.','2020-05-01 20:57:20',0),(541,543,'Issue',9,'Play imported successfully.','2020-05-01 20:57:20',0),(542,544,'Issue',9,'Play imported successfully.','2020-05-01 20:57:21',0),(543,545,'Issue',9,'Play imported successfully.','2020-05-01 20:57:21',0),(544,546,'Issue',9,'Play imported successfully.','2020-05-01 20:57:22',0),(545,547,'Issue',9,'Play imported successfully.','2020-05-01 20:57:22',0),(546,548,'Issue',9,'Play imported successfully.','2020-05-01 20:57:23',0),(547,549,'Issue',9,'Play imported successfully.','2020-05-01 20:57:23',0),(548,550,'Issue',9,'Play imported successfully.','2020-05-01 20:57:24',0),(549,551,'Issue',9,'Play imported successfully.','2020-05-01 20:57:24',0),(550,552,'Issue',9,'Play imported successfully.','2020-05-01 20:57:25',0),(551,553,'Issue',9,'Play imported successfully.','2020-05-01 20:57:26',0),(552,554,'Issue',9,'Play imported successfully.','2020-05-01 20:57:26',0),(553,555,'Issue',9,'Play imported successfully.','2020-05-01 20:57:27',0),(554,556,'Issue',9,'Play imported successfully.','2020-05-01 20:57:27',0),(555,557,'Issue',9,'Play imported successfully.','2020-05-01 20:57:28',0),(556,558,'Issue',9,'Play imported successfully.','2020-05-01 20:57:28',0),(557,559,'Issue',9,'Play imported successfully.','2020-05-01 20:57:29',0),(558,560,'Issue',9,'Play imported successfully.','2020-05-01 20:57:29',0),(559,561,'Issue',9,'Play imported successfully.','2020-05-01 20:57:30',0),(560,562,'Issue',9,'Play imported successfully.','2020-05-01 20:57:30',0),(561,563,'Issue',9,'Play imported successfully.','2020-05-01 20:57:31',0),(562,564,'Issue',9,'Play imported successfully.','2020-05-01 20:57:31',0),(563,565,'Issue',9,'Play imported successfully.','2020-05-01 20:57:32',0),(564,566,'Issue',9,'Play imported successfully.','2020-05-01 20:57:33',0),(565,567,'Issue',9,'Play imported successfully.','2020-05-01 20:57:33',0),(566,568,'Issue',9,'Play imported successfully.','2020-05-01 20:57:34',0),(567,569,'Issue',9,'Play imported successfully.','2020-05-01 20:57:34',0),(568,570,'Issue',9,'Play imported successfully.','2020-05-01 20:57:35',0),(569,571,'Issue',9,'Play imported successfully.','2020-05-01 20:57:35',0),(570,572,'Issue',9,'Play imported successfully.','2020-05-01 20:57:36',0),(571,573,'Issue',9,'Play imported successfully.','2020-05-01 20:57:36',0),(572,574,'Issue',9,'Play imported successfully.','2020-05-01 20:57:37',0),(573,575,'Issue',9,'Play imported successfully.','2020-05-01 20:57:37',0),(574,576,'Issue',9,'Play imported successfully.','2020-05-01 20:57:38',0),(575,577,'Issue',9,'Play imported successfully.','2020-05-01 20:57:38',0),(576,578,'Issue',9,'Play imported successfully.','2020-05-01 20:57:39',0),(577,579,'Issue',9,'Play imported successfully.','2020-05-01 20:57:40',0),(578,580,'Issue',9,'Play imported successfully.','2020-05-01 20:57:40',0),(579,581,'Issue',9,'Play imported successfully.','2020-05-01 20:57:41',0),(580,582,'Issue',9,'Play imported successfully.','2020-05-01 20:57:41',0),(581,583,'Issue',9,'Play imported successfully.','2020-05-01 20:57:42',0),(582,584,'Issue',9,'Play imported successfully.','2020-05-01 20:57:42',0),(583,585,'Issue',9,'Play imported successfully.','2020-05-01 20:57:43',0),(584,586,'Issue',9,'Play imported successfully.','2020-05-01 20:57:43',0),(585,587,'Issue',9,'Play imported successfully.','2020-05-01 20:57:44',0),(586,588,'Issue',9,'Play imported successfully.','2020-05-01 20:57:44',0),(587,589,'Issue',9,'Play imported successfully.','2020-05-01 20:57:45',0),(588,590,'Issue',9,'Play imported successfully.','2020-05-01 20:57:45',0),(589,591,'Issue',9,'Play imported successfully.','2020-05-01 20:57:46',0),(590,592,'Issue',9,'Play imported successfully.','2020-05-01 20:57:47',0),(591,593,'Issue',9,'Play imported successfully.','2020-05-01 20:57:47',0),(592,594,'Issue',9,'Play imported successfully.','2020-05-01 20:57:48',0),(593,595,'Issue',9,'Play imported successfully.','2020-05-01 20:57:48',0),(594,596,'Issue',9,'Play imported successfully.','2020-05-01 20:57:49',0),(595,597,'Issue',9,'Play imported successfully.','2020-05-01 20:57:49',0),(596,598,'Issue',9,'Play imported successfully.','2020-05-01 20:57:50',0),(597,599,'Issue',9,'Play imported successfully.','2020-05-01 20:57:50',0),(598,600,'Issue',9,'Play imported successfully.','2020-05-01 20:57:51',0),(599,601,'Issue',9,'Play imported successfully.','2020-05-01 20:57:51',0),(600,602,'Issue',9,'Play imported successfully.','2020-05-01 20:57:52',0),(601,603,'Issue',9,'Play imported successfully.','2020-05-01 20:57:52',0),(602,604,'Issue',9,'Play imported successfully.','2020-05-01 20:57:53',0),(603,605,'Issue',9,'Play imported successfully.','2020-05-01 20:57:53',0),(604,606,'Issue',9,'Play imported successfully.','2020-05-01 20:57:54',0),(605,607,'Issue',9,'Play imported successfully.','2020-05-01 20:57:55',0),(606,608,'Issue',9,'Play imported successfully.','2020-05-01 20:57:55',0),(607,609,'Issue',9,'Play imported successfully.','2020-05-01 20:57:56',0),(608,610,'Issue',9,'Play imported successfully.','2020-05-01 20:57:56',0),(609,611,'Issue',9,'Play imported successfully.','2020-05-01 20:57:57',0),(610,612,'Issue',9,'Play imported successfully.','2020-05-01 20:57:57',0),(611,613,'Issue',9,'Play imported successfully.','2020-05-01 20:57:58',0),(612,614,'Issue',9,'Play imported successfully.','2020-05-01 20:57:58',0),(613,615,'Issue',9,'Play imported successfully.','2020-05-01 20:57:59',0),(614,616,'Issue',9,'Play imported successfully.','2020-05-01 20:57:59',0),(615,617,'Issue',9,'Play imported successfully.','2020-05-01 20:58:00',0),(616,618,'Issue',9,'Play imported successfully.','2020-05-01 20:58:00',0),(621,618,'Issue',8,'','2020-05-03 09:59:49',0),(622,618,'Issue',9,'','2020-05-03 10:00:04',0),(623,618,'Issue',8,'','2020-05-03 10:00:57',0),(624,620,'Issue',9,'Play imported successfully.','2020-05-13 13:30:57',0),(625,621,'Issue',9,'Play imported successfully.','2020-05-13 14:05:41',0),(626,622,'Issue',9,'Play imported successfully.','2020-05-13 14:07:09',0),(627,420,'Issue',9,'','2020-05-13 14:07:10',0),(628,623,'Issue',9,'Play imported successfully.','2020-05-13 14:07:11',0),(629,494,'Issue',9,'','2020-05-13 14:07:11',0),(630,508,'Issue',9,'','2020-05-13 14:07:11',0),(631,556,'Issue',9,'','2020-05-13 14:07:11',0);
/*!40000 ALTER TABLE `journals` ENABLE KEYS */;
UNLOCK TABLES;
@@ -1150,7 +1150,7 @@ CREATE TABLE `queries` (
LOCK TABLES `queries` WRITE;
/*!40000 ALTER TABLE `queries` DISABLE KEYS */;
-INSERT INTO `queries` VALUES (2,1,'Active Plays','---\nstatus_id:\n :operator: \"=\"\n :values:\n - \'3\'\n',1,NULL,'---\n- - id\n - desc\n','','IssueQuery',2,'---\n:totalable_names: []\n:display_type: list\n:draw_relations: \n:draw_progress_line: \n:draw_selected_columns: \n'),(3,1,'All Plays','---\ntracker_id:\n :operator: \"=\"\n :values:\n - \'1\'\n',1,NULL,'---\n- - id\n - desc\n','','IssueQuery',2,'---\n:totalable_names: []\n:display_type: list\n:draw_relations: \n:draw_progress_line: \n:draw_selected_columns: \n'),(4,NULL,'Disabled Plays','---\nstatus_id:\n :operator: \"=\"\n :values:\n - \'6\'\n',1,NULL,'---\n- - id\n - desc\n','','IssueQuery',2,'---\n:totalable_names: []\n:display_type: list\n:draw_relations: \n:draw_progress_line: \n:draw_selected_columns: \n'),(5,NULL,'Draft Plays','---\nstatus_id:\n :operator: \"=\"\n :values:\n - \'2\'\n',1,NULL,'---\n- - id\n - desc\n','','IssueQuery',2,'---\n:totalable_names: []\n:display_type: list\n:draw_relations: \n:draw_progress_line: \n:draw_selected_columns: \n'),(6,NULL,'Playbook - Community Sigma','---\ncf_13:\n :operator: \"=\"\n :values:\n - community\n',1,'---\n- :status\n- :cf_10\n- :cf_14\n- :cf_16\n- :cf_1\n- :updated_on\n','---\n- - id\n - desc\n','','IssueQuery',2,'---\n:totalable_names: []\n:display_type: list\n:draw_relations: \n:draw_progress_line: \n:draw_selected_columns: \n'),(7,NULL,'Playbook - Imported','---\ncf_13:\n :operator: \"=\"\n :values:\n - imported\n',1,'---\n- :status\n- :cf_10\n- :cf_14\n- :cf_1\n- :updated_on\n','---\n- - id\n - desc\n','','IssueQuery',2,'---\n:totalable_names: []\n:display_type: list\n:draw_relations: \n:draw_progress_line: \n:draw_selected_columns: \n'),(8,NULL,'Playbook - Internal','---\ncf_13:\n :operator: \"=\"\n :values:\n - Internal\n',1,'---\n- :status\n- :cf_10\n- :cf_14\n- :cf_16\n- :cf_1\n- :updated_on\n','---\n- - id\n - desc\n','','IssueQuery',2,'---\n:totalable_names: []\n:display_type: list\n:draw_relations: \n:draw_progress_line: \n:draw_selected_columns: \n');
+INSERT INTO `queries` VALUES (3,1,'All Plays','---\ntracker_id:\n :operator: \"=\"\n :values:\n - \'1\'\n',1,NULL,'---\n- - id\n - desc\n','','IssueQuery',2,'---\n:totalable_names: []\n:display_type: list\n:draw_relations: \n:draw_progress_line: \n:draw_selected_columns: \n'),(4,NULL,'Disabled Plays','---\nstatus_id:\n :operator: \"=\"\n :values:\n - \'6\'\n',1,NULL,'---\n- - id\n - desc\n','','IssueQuery',2,'---\n:totalable_names: []\n:display_type: list\n:draw_relations: \n:draw_progress_line: \n:draw_selected_columns: \n'),(5,NULL,'Draft Plays','---\nstatus_id:\n :operator: \"=\"\n :values:\n - \'2\'\n',1,NULL,'---\n- - id\n - desc\n','','IssueQuery',2,'---\n:totalable_names: []\n:display_type: list\n:draw_relations: \n:draw_progress_line: \n:draw_selected_columns: \n'),(6,NULL,'Playbook - Community Sigma','---\ncf_13:\n :operator: \"=\"\n :values:\n - community\n',1,'---\n- :status\n- :cf_10\n- :cf_14\n- :cf_16\n- :cf_1\n- :updated_on\n','---\n- - id\n - desc\n','','IssueQuery',2,'---\n:totalable_names: []\n:display_type: list\n:draw_relations: \n:draw_progress_line: \n:draw_selected_columns: \n'),(8,NULL,'Playbook - Internal','---\ncf_13:\n :operator: \"=\"\n :values:\n - Internal\n',1,'---\n- :status\n- :cf_10\n- :cf_14\n- :cf_16\n- :cf_1\n- :updated_on\n','---\n- - id\n - desc\n','','IssueQuery',2,'---\n:totalable_names: []\n:display_type: list\n:draw_relations: \n:draw_progress_line: \n:draw_selected_columns: \n');
/*!40000 ALTER TABLE `queries` ENABLE KEYS */;
UNLOCK TABLES;
@@ -1314,7 +1314,7 @@ CREATE TABLE `settings` (
LOCK TABLES `settings` WRITE;
/*!40000 ALTER TABLE `settings` DISABLE KEYS */;
-INSERT INTO `settings` VALUES (1,'ui_theme','circle','2020-04-26 13:11:26'),(2,'default_language','en','2020-04-26 13:11:26'),(3,'force_default_language_for_anonymous','0','2020-04-26 13:11:26'),(4,'force_default_language_for_loggedin','0','2020-04-26 13:11:26'),(5,'start_of_week','','2020-04-26 13:11:26'),(6,'date_format','','2020-04-26 13:11:26'),(7,'time_format','','2020-04-26 13:11:26'),(8,'timespan_format','decimal','2020-04-26 13:11:26'),(9,'user_format','firstname_lastname','2020-05-02 12:45:00'),(10,'gravatar_enabled','1','2020-05-02 12:41:07'),(11,'thumbnails_enabled','1','2020-04-26 13:11:26'),(12,'thumbnails_size','100','2020-04-26 13:11:26'),(13,'new_item_menu_tab','0','2020-04-26 13:11:30'),(14,'login_required','1','2020-04-26 13:11:54'),(15,'autologin','0','2020-04-26 13:11:54'),(16,'self_registration','0','2020-04-26 13:11:54'),(17,'show_custom_fields_on_registration','0','2020-04-26 13:11:54'),(18,'password_min_length','8','2020-04-26 13:11:54'),(19,'password_required_char_classes','--- []\n','2020-04-26 13:11:54'),(20,'password_max_age','0','2020-04-26 13:11:54'),(21,'lost_password','1','2020-04-26 13:11:54'),(22,'openid','0','2020-04-26 13:11:55'),(23,'session_lifetime','0','2020-04-26 13:11:55'),(24,'session_timeout','0','2020-04-26 13:11:55'),(25,'rest_api_enabled','1','2020-04-26 13:11:58'),(26,'jsonp_enabled','0','2020-04-26 13:11:58'),(27,'default_projects_public','0','2020-04-26 13:12:21'),(28,'default_projects_modules','---\n- sigma_editor\n','2020-04-26 13:12:21'),(29,'default_projects_tracker_ids','--- []\n','2020-04-26 13:12:21'),(30,'sequential_project_identifiers','0','2020-04-26 13:12:21'),(31,'project_list_defaults','---\n:column_names:\n- name\n- identifier\n- short_description\n','2020-04-26 13:12:21'),(32,'app_title','Playbook','2020-04-26 18:17:51'),(33,'welcome_text','','2020-04-26 18:17:51'),(34,'per_page_options','25,75,150','2020-05-02 12:41:38'),(35,'search_results_per_page','10','2020-04-26 18:17:51'),(36,'activity_days_default','30','2020-04-26 18:17:51'),(37,'host_name','localhost:3000','2020-04-26 18:17:51'),(38,'protocol','http','2020-04-26 18:17:51'),(39,'text_formatting','textile','2020-04-26 18:17:51'),(40,'cache_formatted_text','0','2020-04-26 18:17:51'),(41,'wiki_compression','','2020-04-26 18:17:51'),(42,'feeds_limit','15','2020-04-26 18:17:51'),(43,'plugin_redmine_playbook','--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\nproject: \'1\'\nconvert_url: http://192.168.15.144:7000/playbook/sigmac\ncreate_url: http://192.168.15.144:7000/playbook/play','2020-05-02 12:39:20'),(44,'cross_project_issue_relations','0','2020-05-01 16:27:33'),(45,'link_copied_issue','no','2020-05-01 16:27:33'),(46,'cross_project_subtasks','','2020-05-01 16:27:33'),(47,'close_duplicate_issues','0','2020-05-01 16:27:33'),(48,'issue_group_assignment','0','2020-05-01 16:27:33'),(49,'default_issue_start_date_to_creation_date','1','2020-05-01 16:27:33'),(50,'display_subprojects_issues','0','2020-05-01 16:27:33'),(51,'issue_done_ratio','issue_field','2020-05-01 16:27:33'),(52,'non_working_week_days','---\n- \'6\'\n- \'7\'\n','2020-05-01 16:27:33'),(53,'issues_export_limit','500','2020-05-01 16:27:33'),(54,'gantt_items_limit','500','2020-05-01 16:27:33'),(55,'gantt_months_limit','24','2020-05-01 16:27:33'),(56,'parent_issue_dates','derived','2020-05-01 16:27:33'),(57,'parent_issue_priority','derived','2020-05-01 16:27:33'),(58,'parent_issue_done_ratio','derived','2020-05-01 16:27:33'),(59,'issue_list_default_columns','---\n- status\n- cf_10\n- cf_13\n- cf_14\n- cf_1\n- updated_on\n','2020-05-01 19:32:13'),(60,'issue_list_default_totals','--- []\n','2020-05-01 16:27:33'),(61,'enabled_scm','--- []\n','2020-05-01 16:27:47'),(62,'autofetch_changesets','0','2020-05-01 16:27:47'),(63,'sys_api_enabled','0','2020-05-01 16:27:47'),(64,'repository_log_display_limit','100','2020-05-01 16:27:47'),(65,'commit_logs_formatting','1','2020-05-01 16:27:47'),(66,'commit_ref_keywords','refs,references,IssueID','2020-05-01 16:27:47'),(67,'commit_cross_project_ref','0','2020-05-01 16:27:47'),(68,'commit_logtime_enabled','0','2020-05-01 16:27:47'),(69,'commit_update_keywords','--- []\n','2020-05-01 16:27:47'),(70,'gravatar_default','','2020-05-02 12:41:07');
+INSERT INTO `settings` VALUES (1,'ui_theme','circle','2020-04-26 13:11:26'),(2,'default_language','en','2020-04-26 13:11:26'),(3,'force_default_language_for_anonymous','0','2020-04-26 13:11:26'),(4,'force_default_language_for_loggedin','0','2020-04-26 13:11:26'),(5,'start_of_week','','2020-04-26 13:11:26'),(6,'date_format','','2020-04-26 13:11:26'),(7,'time_format','','2020-04-26 13:11:26'),(8,'timespan_format','decimal','2020-04-26 13:11:26'),(9,'user_format','firstname_lastname','2020-05-02 12:45:00'),(10,'gravatar_enabled','1','2020-05-02 12:41:07'),(11,'thumbnails_enabled','1','2020-04-26 13:11:26'),(12,'thumbnails_size','100','2020-04-26 13:11:26'),(13,'new_item_menu_tab','0','2020-04-26 13:11:30'),(14,'login_required','1','2020-04-26 13:11:54'),(15,'autologin','0','2020-04-26 13:11:54'),(16,'self_registration','0','2020-04-26 13:11:54'),(17,'show_custom_fields_on_registration','0','2020-04-26 13:11:54'),(18,'password_min_length','8','2020-04-26 13:11:54'),(19,'password_required_char_classes','--- []\n','2020-04-26 13:11:54'),(20,'password_max_age','0','2020-04-26 13:11:54'),(21,'lost_password','1','2020-04-26 13:11:54'),(22,'openid','0','2020-04-26 13:11:55'),(23,'session_lifetime','0','2020-04-26 13:11:55'),(24,'session_timeout','0','2020-04-26 13:11:55'),(25,'rest_api_enabled','1','2020-04-26 13:11:58'),(26,'jsonp_enabled','0','2020-04-26 13:11:58'),(27,'default_projects_public','0','2020-04-26 13:12:21'),(28,'default_projects_modules','---\n- sigma_editor\n','2020-04-26 13:12:21'),(29,'default_projects_tracker_ids','--- []\n','2020-04-26 13:12:21'),(30,'sequential_project_identifiers','0','2020-04-26 13:12:21'),(31,'project_list_defaults','---\n:column_names:\n- name\n- identifier\n- short_description\n','2020-04-26 13:12:21'),(32,'app_title','Playbook','2020-04-26 18:17:51'),(33,'welcome_text','','2020-04-26 18:17:51'),(34,'per_page_options','25,75,150','2020-05-02 12:41:38'),(35,'search_results_per_page','10','2020-04-26 18:17:51'),(36,'activity_days_default','30','2020-04-26 18:17:51'),(37,'host_name','localhost:3000','2020-04-26 18:17:51'),(38,'protocol','http','2020-04-26 18:17:51'),(39,'text_formatting','textile','2020-04-26 18:17:51'),(40,'cache_formatted_text','0','2020-04-26 18:17:51'),(41,'wiki_compression','','2020-04-26 18:17:51'),(42,'feeds_limit','15','2020-04-26 18:17:51'),(43,'plugin_redmine_playbook','--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\nproject: \'1\'\nconvert_url: http://10.66.166.178:7000/playbook/sigmac\ncreate_url: http://10.66.166.178:7000/playbook/play','2020-05-02 12:39:20'),(44,'cross_project_issue_relations','0','2020-05-01 16:27:33'),(45,'link_copied_issue','no','2020-05-01 16:27:33'),(46,'cross_project_subtasks','','2020-05-01 16:27:33'),(47,'close_duplicate_issues','0','2020-05-01 16:27:33'),(48,'issue_group_assignment','0','2020-05-01 16:27:33'),(49,'default_issue_start_date_to_creation_date','1','2020-05-01 16:27:33'),(50,'display_subprojects_issues','0','2020-05-01 16:27:33'),(51,'issue_done_ratio','issue_field','2020-05-01 16:27:33'),(52,'non_working_week_days','---\n- \'6\'\n- \'7\'\n','2020-05-01 16:27:33'),(53,'issues_export_limit','500','2020-05-01 16:27:33'),(54,'gantt_items_limit','500','2020-05-01 16:27:33'),(55,'gantt_months_limit','24','2020-05-01 16:27:33'),(56,'parent_issue_dates','derived','2020-05-01 16:27:33'),(57,'parent_issue_priority','derived','2020-05-01 16:27:33'),(58,'parent_issue_done_ratio','derived','2020-05-01 16:27:33'),(59,'issue_list_default_columns','---\n- status\n- cf_10\n- cf_13\n- cf_14\n- cf_1\n- updated_on\n','2020-05-01 19:32:13'),(60,'issue_list_default_totals','--- []\n','2020-05-01 16:27:33'),(61,'enabled_scm','--- []\n','2020-05-01 16:27:47'),(62,'autofetch_changesets','0','2020-05-01 16:27:47'),(63,'sys_api_enabled','0','2020-05-01 16:27:47'),(64,'repository_log_display_limit','100','2020-05-01 16:27:47'),(65,'commit_logs_formatting','1','2020-05-01 16:27:47'),(66,'commit_ref_keywords','refs,references,IssueID','2020-05-01 16:27:47'),(67,'commit_cross_project_ref','0','2020-05-01 16:27:47'),(68,'commit_logtime_enabled','0','2020-05-01 16:27:47'),(69,'commit_update_keywords','--- []\n','2020-05-01 16:27:47'),(70,'gravatar_default','','2020-05-02 12:41:07');
/*!40000 ALTER TABLE `settings` ENABLE KEYS */;
UNLOCK TABLES;
@@ -1375,7 +1375,7 @@ CREATE TABLE `tokens` (
PRIMARY KEY (`id`),
UNIQUE KEY `tokens_value` (`value`),
KEY `index_tokens_on_user_id` (`user_id`)
-) ENGINE=InnoDB AUTO_INCREMENT=48 DEFAULT CHARSET=latin1;
+) ENGINE=InnoDB AUTO_INCREMENT=55 DEFAULT CHARSET=latin1;
/*!40101 SET character_set_client = @saved_cs_client */;
--
@@ -1384,7 +1384,7 @@ CREATE TABLE `tokens` (
LOCK TABLES `tokens` WRITE;
/*!40000 ALTER TABLE `tokens` DISABLE KEYS */;
-INSERT INTO `tokens` VALUES (3,1,'feeds','6e5575602e1227c188cd85ef6d12608bb8701193','2020-04-26 13:10:46','2020-04-26 13:10:46'),(4,1,'session','999412fa9badda7423c6c654d6364c32c20b3eac','2020-04-26 18:07:03','2020-04-26 18:12:02'),(5,1,'session','124ad4acbf87a942426350e7ad028c1d119c3851','2020-04-26 18:17:11','2020-04-26 18:19:24'),(8,8,'feeds','1f28542e983dc0a3abfc81013ff7f008f1cb6800','2020-04-26 18:50:50','2020-04-26 18:50:50'),(9,1,'session','2890c663e0552f26ddb92acad6ab3b6d05b92915','2020-04-26 18:51:15','2020-04-26 18:51:15'),(19,1,'session','b7ffb106ea0b34650dd9c1770f74c2b0ffe166b2','2020-05-01 16:52:33','2020-05-01 18:02:30'),(20,1,'session','f44cfcf918eef59ffda47991c431d9c2b2ac6113','2020-05-01 18:05:56','2020-05-01 18:05:56'),(23,9,'feeds','211918c9d7168979b5dc19bebb14573b928a5067','2020-05-01 18:26:17','2020-05-01 18:26:17'),(25,9,'api','de6639318502476f2fa5aa06f43f51fb389a3d7f','2020-05-01 18:26:31','2020-05-01 18:26:31'),(36,8,'session','47616205d262d3e3f05665038888edc463b872d9','2020-05-01 19:41:12','2020-05-01 19:44:24'),(39,8,'session','a4d98ddceb539f8a5d2f99ee4f4274f711f6dc14','2020-05-01 20:40:23','2020-05-01 20:40:27'),(45,8,'session','b7346c8089e9b6237d9438f7c08ce014ad46d5d2','2020-05-03 09:13:00','2020-05-03 10:01:34'),(46,1,'session','2d0c8f8ae641c06d8c2362746846440d465d53c0','2020-05-06 20:48:01','2020-05-06 20:48:07'),(47,8,'session','1adb4bf696b7a4eafedf633cef7dee28e138ec01','2020-05-06 20:52:43','2020-05-06 20:52:48');
+INSERT INTO `tokens` VALUES (3,1,'feeds','6e5575602e1227c188cd85ef6d12608bb8701193','2020-04-26 13:10:46','2020-04-26 13:10:46'),(4,1,'session','999412fa9badda7423c6c654d6364c32c20b3eac','2020-04-26 18:07:03','2020-04-26 18:12:02'),(5,1,'session','124ad4acbf87a942426350e7ad028c1d119c3851','2020-04-26 18:17:11','2020-04-26 18:19:24'),(8,8,'feeds','1f28542e983dc0a3abfc81013ff7f008f1cb6800','2020-04-26 18:50:50','2020-04-26 18:50:50'),(9,1,'session','2890c663e0552f26ddb92acad6ab3b6d05b92915','2020-04-26 18:51:15','2020-04-26 18:51:15'),(19,1,'session','b7ffb106ea0b34650dd9c1770f74c2b0ffe166b2','2020-05-01 16:52:33','2020-05-01 18:02:30'),(20,1,'session','f44cfcf918eef59ffda47991c431d9c2b2ac6113','2020-05-01 18:05:56','2020-05-01 18:05:56'),(23,9,'feeds','211918c9d7168979b5dc19bebb14573b928a5067','2020-05-01 18:26:17','2020-05-01 18:26:17'),(25,9,'api','de6639318502476f2fa5aa06f43f51fb389a3d7f','2020-05-01 18:26:31','2020-05-01 18:26:31'),(36,8,'session','47616205d262d3e3f05665038888edc463b872d9','2020-05-01 19:41:12','2020-05-01 19:44:24'),(39,8,'session','a4d98ddceb539f8a5d2f99ee4f4274f711f6dc14','2020-05-01 20:40:23','2020-05-01 20:40:27'),(45,8,'session','b7346c8089e9b6237d9438f7c08ce014ad46d5d2','2020-05-03 09:13:00','2020-05-03 10:01:34'),(46,1,'session','2d0c8f8ae641c06d8c2362746846440d465d53c0','2020-05-06 20:48:01','2020-05-06 20:48:07'),(47,8,'session','1adb4bf696b7a4eafedf633cef7dee28e138ec01','2020-05-06 20:52:43','2020-05-06 20:52:48'),(54,8,'session','c1d788feea4bc194f6b24005943807b477bc1fb8','2020-05-13 14:23:44','2020-05-13 14:29:25');
/*!40000 ALTER TABLE `tokens` ENABLE KEYS */;
UNLOCK TABLES;
@@ -1485,7 +1485,7 @@ CREATE TABLE `users` (
LOCK TABLES `users` WRITE;
/*!40000 ALTER TABLE `users` DISABLE KEYS */;
-INSERT INTO `users` VALUES (1,'admin','95535e9f7a386c412f20134ebb869c00cf346477','Admin','Admin',1,1,'2020-05-06 20:48:01','',NULL,'2020-04-26 13:08:34','2020-04-26 13:10:45','User',NULL,'all','5ceb2c95ce1593d4ba034d385ceefb2f',0,'2020-04-26 13:10:27'),(2,'','','','Anonymous users',0,1,NULL,'',NULL,'2020-04-26 13:08:38','2020-04-26 13:08:38','GroupAnonymous',NULL,'',NULL,0,NULL),(3,'','','','Non member users',0,1,NULL,'',NULL,'2020-04-26 13:08:38','2020-04-26 13:08:38','GroupNonMember',NULL,'',NULL,0,NULL),(4,'','','','Anonymous',0,0,NULL,'',NULL,'2020-04-26 13:09:44','2020-04-26 13:09:44','AnonymousUser',NULL,'only_my_events',NULL,0,NULL),(5,'','','','Analysts',0,1,NULL,'',NULL,'2020-04-26 18:43:40','2020-04-26 18:43:40','Group',NULL,'',NULL,0,NULL),(6,'','','','Automation',0,1,NULL,'',NULL,'2020-04-26 18:43:47','2020-04-26 18:43:47','Group',NULL,'',NULL,0,NULL),(7,'','','','Admins',0,1,NULL,'',NULL,'2020-04-26 18:43:58','2020-04-26 18:43:58','Group',NULL,'',NULL,0,NULL),(8,'analyst','adfc2e9391aa2ce34a02ce5bcc225efe853ee6cc','analyst','analyst',0,1,'2020-05-06 20:52:43','en',NULL,'2020-04-26 18:46:48','2020-04-26 18:46:48','User',NULL,'none','6b5dc1c8429a1c7d69375d723f7e3207',0,'2020-04-26 18:46:48'),(9,'automation','d2e7d78af1f0c0637765ae8cf1a359c4a30034c9','SecOps','Automation',0,1,'2020-05-01 18:26:17','en',NULL,'2020-04-26 18:47:46','2020-05-01 18:26:10','User',NULL,'none','41043e596f70e327e34fc99c861f5b31',0,'2020-05-01 18:26:10');
+INSERT INTO `users` VALUES (1,'admin','95535e9f7a386c412f20134ebb869c00cf346477','Admin','Admin',1,1,'2020-05-13 14:22:22','',NULL,'2020-04-26 13:08:34','2020-04-26 13:10:45','User',NULL,'all','5ceb2c95ce1593d4ba034d385ceefb2f',0,'2020-04-26 13:10:27'),(2,'','','','Anonymous users',0,1,NULL,'',NULL,'2020-04-26 13:08:38','2020-04-26 13:08:38','GroupAnonymous',NULL,'',NULL,0,NULL),(3,'','','','Non member users',0,1,NULL,'',NULL,'2020-04-26 13:08:38','2020-04-26 13:08:38','GroupNonMember',NULL,'',NULL,0,NULL),(4,'','','','Anonymous',0,0,NULL,'',NULL,'2020-04-26 13:09:44','2020-04-26 13:09:44','AnonymousUser',NULL,'only_my_events',NULL,0,NULL),(5,'','','','Analysts',0,1,NULL,'',NULL,'2020-04-26 18:43:40','2020-04-26 18:43:40','Group',NULL,'',NULL,0,NULL),(6,'','','','Automation',0,1,NULL,'',NULL,'2020-04-26 18:43:47','2020-04-26 18:43:47','Group',NULL,'',NULL,0,NULL),(7,'','','','Admins',0,1,NULL,'',NULL,'2020-04-26 18:43:58','2020-04-26 18:43:58','Group',NULL,'',NULL,0,NULL),(8,'analyst','adfc2e9391aa2ce34a02ce5bcc225efe853ee6cc','analyst','analyst',0,1,'2020-05-13 14:23:44','en',NULL,'2020-04-26 18:46:48','2020-04-26 18:46:48','User',NULL,'none','6b5dc1c8429a1c7d69375d723f7e3207',0,'2020-04-26 18:46:48'),(9,'automation','d2e7d78af1f0c0637765ae8cf1a359c4a30034c9','SecOps','Automation',0,1,'2020-05-01 18:26:17','en',NULL,'2020-04-26 18:47:46','2020-05-01 18:26:10','User',NULL,'none','41043e596f70e327e34fc99c861f5b31',0,'2020-05-01 18:26:10');
/*!40000 ALTER TABLE `users` ENABLE KEYS */;
UNLOCK TABLES;
@@ -1571,7 +1571,7 @@ CREATE TABLE `webhooks` (
LOCK TABLES `webhooks` WRITE;
/*!40000 ALTER TABLE `webhooks` DISABLE KEYS */;
-INSERT INTO `webhooks` VALUES (1,'http://192.168.15.144:7000/playbook/webhook',1);
+INSERT INTO `webhooks` VALUES (1,'http://10.66.166.178:7000/playbook/webhook',1);
/*!40000 ALTER TABLE `webhooks` ENABLE KEYS */;
UNLOCK TABLES;
@@ -1768,4 +1768,4 @@ UNLOCK TABLES;
/*!40101 SET COLLATION_CONNECTION=@OLD_COLLATION_CONNECTION */;
/*!40111 SET SQL_NOTES=@OLD_SQL_NOTES */;
--- Dump completed on 2020-05-06 20:56:56
+-- Dump completed on 2020-05-13 15:01:33