diff --git a/rules-emerging-threats/2022/Exploits/CVE-2022-42475/fortios_sslvpnd_exploit_cve_2022_42475_exploitation_indicators.yml b/rules-emerging-threats/2022/Exploits/CVE-2022-42475/fortios_sslvpnd_exploit_cve_2022_42475_exploitation_indicators.yml index f483b6e47d1..1bb15c5abf4 100644 --- a/rules-emerging-threats/2022/Exploits/CVE-2022-42475/fortios_sslvpnd_exploit_cve_2022_42475_exploitation_indicators.yml +++ b/rules-emerging-threats/2022/Exploits/CVE-2022-42475/fortios_sslvpnd_exploit_cve_2022_42475_exploitation_indicators.yml @@ -1,6 +1,6 @@ title: Exploitation Indicator Of CVE-2022-42475 id: 293ccb8c-bed8-4868-8296-bef30e303b7e -status: experimental +status: test description: Detects exploitation indicators of CVE-2022-42475 a heap-based buffer overflow in sslvpnd. references: - https://www.fortiguard.com/psirt/FG-IR-22-398 diff --git a/rules-emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_regsvr32_calc_pattern.yml b/rules-emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_regsvr32_calc_pattern.yml index 76bc58c80e4..9b8e5582e64 100644 --- a/rules-emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_regsvr32_calc_pattern.yml +++ b/rules-emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_regsvr32_calc_pattern.yml @@ -1,6 +1,6 @@ title: Qakbot Regsvr32 Calc Pattern id: 0033cf83-fb87-446d-9cac-43d63ad4d5a9 -status: experimental +status: test description: Detects a specific command line of "regsvr32" where the "calc" keyword is used in conjunction with the "/s" flag. This behavior is often seen used by Qakbot references: - https://github.com/pr0xylife/Qakbot/ diff --git a/rules-emerging-threats/2024/Exploits/CVE-2024-1708/file_event_win_exploit_cve_2024_1708_screenconnect.yml b/rules-emerging-threats/2024/Exploits/CVE-2024-1708/file_event_win_exploit_cve_2024_1708_screenconnect.yml index 51d4f2d343f..0f2db55b544 100644 
--- a/rules-emerging-threats/2024/Exploits/CVE-2024-1708/file_event_win_exploit_cve_2024_1708_screenconnect.yml +++ b/rules-emerging-threats/2024/Exploits/CVE-2024-1708/file_event_win_exploit_cve_2024_1708_screenconnect.yml @@ -3,7 +3,7 @@ id: 44d7af7e-88e6-4490-be11-55f7ff4d9fc1 related: - id: 4c198a60-7d05-4daf-8bf7-4136fb6f5c62 type: similar -status: experimental +status: test description: | This detects file modifications to ASPX and ASHX files within the root of the App_Extensions directory, which is allowed by a ZipSlip vulnerability in versions prior to 23.9.8. This occurs during exploitation of CVE-2024-1708. references: diff --git a/rules-emerging-threats/2024/Exploits/CVE-2024-1708/win_security_exploit_cve_2024_1708_screenconnect.yml b/rules-emerging-threats/2024/Exploits/CVE-2024-1708/win_security_exploit_cve_2024_1708_screenconnect.yml index a5b7c079d12..1f5177a1f6d 100644 --- a/rules-emerging-threats/2024/Exploits/CVE-2024-1708/win_security_exploit_cve_2024_1708_screenconnect.yml +++ b/rules-emerging-threats/2024/Exploits/CVE-2024-1708/win_security_exploit_cve_2024_1708_screenconnect.yml @@ -3,7 +3,7 @@ id: 4c198a60-7d05-4daf-8bf7-4136fb6f5c62 related: - id: 44d7af7e-88e6-4490-be11-55f7ff4d9fc1 type: similar -status: experimental +status: test description: | This detects file modifications to ASPX and ASHX files within the root of the App_Extensions directory, which is allowed by a ZipSlip vulnerability in versions prior to 23.9.8. This occurs during exploitation of CVE-2024-1708. This requires an Advanced Auditing policy to log a successful Windows Event ID 4663 events and with a SACL set on the directory. diff --git a/rules-emerging-threats/2024/Exploits/CVE-2024-1709/file_event_win_exploit_cve_2024_1709_user_database_modification_screenconnect.yml b/rules-emerging-threats/2024/Exploits/CVE-2024-1709/file_event_win_exploit_cve_2024_1709_user_database_modification_screenconnect.yml index 651a9363f40..1520735459d 100644 
--- a/rules-emerging-threats/2024/Exploits/CVE-2024-1709/file_event_win_exploit_cve_2024_1709_user_database_modification_screenconnect.yml +++ b/rules-emerging-threats/2024/Exploits/CVE-2024-1709/file_event_win_exploit_cve_2024_1709_user_database_modification_screenconnect.yml @@ -3,7 +3,7 @@ id: 1a821580-588b-4323-9422-660f7e131020 related: - id: 4109cb6a-a4af-438a-9f0c-056abba41c6f type: similar -status: experimental +status: test description: | Detects file modifications to the temporary xml user database file indicating local user modification in the ScreenConnect server. This will occur during exploitation of the ScreenConnect Authentication Bypass vulnerability (CVE-2024-1709) in versions <23.9.8, but may also be observed when making legitimate modifications to local users or permissions. diff --git a/rules-emerging-threats/2024/Exploits/CVE-2024-1709/web_exploit_cve_2024_1709_screenconnect.yml b/rules-emerging-threats/2024/Exploits/CVE-2024-1709/web_exploit_cve_2024_1709_screenconnect.yml index 4914ee493d8..54c5f4a936c 100644 --- a/rules-emerging-threats/2024/Exploits/CVE-2024-1709/web_exploit_cve_2024_1709_screenconnect.yml +++ b/rules-emerging-threats/2024/Exploits/CVE-2024-1709/web_exploit_cve_2024_1709_screenconnect.yml @@ -1,6 +1,6 @@ title: CVE-2024-1709 - ScreenConnect Authentication Bypass Exploitation id: d27eabad-9068-401a-b0d6-9eac744d6e67 -status: experimental +status: test description: | Detects GET requests to '/SetupWizard.aspx/[anythinghere]' that indicate exploitation of the ScreenConnect vulnerability CVE-2024-1709. references: diff --git a/rules-emerging-threats/2024/Exploits/CVE-2024-1709/win_security_exploit_cve_2024_1709_user_database_modification_screenconnect.yml b/rules-emerging-threats/2024/Exploits/CVE-2024-1709/win_security_exploit_cve_2024_1709_user_database_modification_screenconnect.yml index f63b2547f00..ed6c82ce731 100644 
--- a/rules-emerging-threats/2024/Exploits/CVE-2024-1709/win_security_exploit_cve_2024_1709_user_database_modification_screenconnect.yml +++ b/rules-emerging-threats/2024/Exploits/CVE-2024-1709/win_security_exploit_cve_2024_1709_user_database_modification_screenconnect.yml @@ -3,7 +3,7 @@ id: 4109cb6a-a4af-438a-9f0c-056abba41c6f related: - id: 1a821580-588b-4323-9422-660f7e131020 type: similar -status: experimental +status: test description: | This detects file modifications to the temporary xml user database file indicating local user modification in the ScreenConnect server. This will occur during exploitation of the ScreenConnect Authentication Bypass vulnerability (CVE-2024-1709) in versions <23.9.8, but may also be observed when making legitimate modifications to local users or permissions. diff --git a/rules-emerging-threats/2024/Malware/Raspberry-Robin/proc_creation_win_malware_raspberry_robin_rundll32_shell32_cpl_exection.yml b/rules-emerging-threats/2024/Malware/Raspberry-Robin/proc_creation_win_malware_raspberry_robin_rundll32_shell32_cpl_exection.yml index 24eb3cbda42..e0e6cb1ee5b 100644 --- a/rules-emerging-threats/2024/Malware/Raspberry-Robin/proc_creation_win_malware_raspberry_robin_rundll32_shell32_cpl_exection.yml +++ b/rules-emerging-threats/2024/Malware/Raspberry-Robin/proc_creation_win_malware_raspberry_robin_rundll32_shell32_cpl_exection.yml @@ -1,6 +1,6 @@ title: Potential Raspberry Robin CPL Execution Activity id: 92020b88-9caf-464f-bad8-cd0fb0aa2a81 -status: experimental +status: test description: | Detects the execution of a ".CPL" file located in the user temp directory via the Shell32 DLL "Control_RunDLL" export function. This behavior was observed in multiple Raspberry-Robin variants. diff --git a/rules-emerging-threats/2024/TA/DPRK/dns_query_win_apt_dprk_malicious_domains.yml b/rules-emerging-threats/2024/TA/DPRK/dns_query_win_apt_dprk_malicious_domains.yml index e40426947ff..9a3133c6bda 100644 
--- a/rules-emerging-threats/2024/TA/DPRK/dns_query_win_apt_dprk_malicious_domains.yml +++ b/rules-emerging-threats/2024/TA/DPRK/dns_query_win_apt_dprk_malicious_domains.yml @@ -1,6 +1,6 @@ title: DPRK Threat Actor - C2 Communication DNS Indicators id: 4d16c9a6-4362-4863-9940-1dee35f1d70f -status: experimental +status: test description: Detects DNS queries for C2 domains used by DPRK Threat actors. references: - https://www.verfassungsschutz.de/SharedDocs/publikationen/DE/cyberabwehr/2024-02-19-joint-cyber-security-advisory-englisch.pdf?__blob=publicationFile&v=2 diff --git a/rules-emerging-threats/2024/TA/SlashAndGrab-Exploitation-In-Wild/file_event_win_apt_unknown_exploitation_indicators.yml b/rules-emerging-threats/2024/TA/SlashAndGrab-Exploitation-In-Wild/file_event_win_apt_unknown_exploitation_indicators.yml index f4d21e4595a..e3db0e2b46f 100644 --- a/rules-emerging-threats/2024/TA/SlashAndGrab-Exploitation-In-Wild/file_event_win_apt_unknown_exploitation_indicators.yml +++ b/rules-emerging-threats/2024/TA/SlashAndGrab-Exploitation-In-Wild/file_event_win_apt_unknown_exploitation_indicators.yml @@ -1,6 +1,6 @@ title: ScreenConnect - SlashAndGrab Exploitation Indicators id: 05164d17-8e11-4d7d-973e-9e4962436b87 -status: experimental +status: test description: | Detects indicators of exploitation by threat actors during exploitation of the "SlashAndGrab" vulnerability related to ScreenConnect as reported Team Huntress references: diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_remote_access_tools_screenconnect_child_proc.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_remote_access_tools_screenconnect_child_proc.yml index 432593f2bdd..e8dfcfac80d 100644 --- a/rules-threat-hunting/windows/process_creation/proc_creation_win_remote_access_tools_screenconnect_child_proc.yml +++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_remote_access_tools_screenconnect_child_proc.yml 
@@ -5,7 +5,7 @@ related: type: derived - id: 7b582f1a-b318-4c6a-bf4e-66fe49bf55a5 type: derived -status: experimental +status: test description: | Detects remote binary or command execution via the ScreenConnect Service. Use this rule in order to hunt for potentially anomalous executions originating from ScreenConnect diff --git a/rules-threat-hunting/windows/registry/registry_set/registry_set_shell_context_menu_tampering.yml b/rules-threat-hunting/windows/registry/registry_set/registry_set_shell_context_menu_tampering.yml index 138f44b31d7..8c4d88f2547 100644 --- a/rules-threat-hunting/windows/registry/registry_set/registry_set_shell_context_menu_tampering.yml +++ b/rules-threat-hunting/windows/registry/registry_set/registry_set_shell_context_menu_tampering.yml @@ -1,6 +1,6 @@ title: Shell Context Menu Command Tampering id: 868df2d1-0939-4562-83a7-27408c4a1ada -status: experimental +status: test description: Detects changes to shell context menu commands. Use this rule to hunt for potential anomalies and suspicious shell commands. references: - https://mrd0x.com/sentinelone-persistence-via-menu-context/ diff --git a/rules/cloud/aws/cloudtrail/aws_console_getsignintoken.yml b/rules/cloud/aws/cloudtrail/aws_console_getsignintoken.yml index 0cd347efae5..4c9e9d3de9b 100644 --- a/rules/cloud/aws/cloudtrail/aws_console_getsignintoken.yml +++ b/rules/cloud/aws/cloudtrail/aws_console_getsignintoken.yml @@ -1,6 +1,6 @@ title: AWS Console GetSigninToken Potential Abuse id: f8103686-e3e8-46f3-be72-65f7fcb4aa53 -status: experimental +status: test description: | Detects potentially suspicious events involving "GetSigninToken". An adversary using the "aws_consoler" tool can leverage this console API to create temporary federated credential that help obfuscate which AWS credential is compromised (the original access key) and enables the adversary to pivot from the AWS CLI to console sessions without the need for MFA using the new access key issued in this request. 
diff --git a/rules/cloud/bitbucket/audit/bitbucket_audit_full_data_export_triggered.yml b/rules/cloud/bitbucket/audit/bitbucket_audit_full_data_export_triggered.yml index ab30043f2fa..6c6dad09725 100644 --- a/rules/cloud/bitbucket/audit/bitbucket_audit_full_data_export_triggered.yml +++ b/rules/cloud/bitbucket/audit/bitbucket_audit_full_data_export_triggered.yml @@ -1,6 +1,6 @@ title: Bitbucket Full Data Export Triggered id: 195e1b9d-bfc2-4ffa-ab4e-35aef69815f8 -status: experimental +status: test description: Detects when full data export is attempted. references: - https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html diff --git a/rules/cloud/bitbucket/audit/bitbucket_audit_global_permissions_change_detected.yml b/rules/cloud/bitbucket/audit/bitbucket_audit_global_permissions_change_detected.yml index 2e920a4e307..c47aabd523d 100644 --- a/rules/cloud/bitbucket/audit/bitbucket_audit_global_permissions_change_detected.yml +++ b/rules/cloud/bitbucket/audit/bitbucket_audit_global_permissions_change_detected.yml @@ -1,6 +1,6 @@ title: Bitbucket Global Permission Changed id: aac6c4f4-87c7-4961-96ac-c3fd3a42c310 -status: experimental +status: test description: Detects global permissions change activity. references: - https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html diff --git a/rules/cloud/bitbucket/audit/bitbucket_audit_global_secret_scanning_rule_deleted.yml b/rules/cloud/bitbucket/audit/bitbucket_audit_global_secret_scanning_rule_deleted.yml index 6e8bda2c16c..d85ad0009c4 100644 --- a/rules/cloud/bitbucket/audit/bitbucket_audit_global_secret_scanning_rule_deleted.yml +++ b/rules/cloud/bitbucket/audit/bitbucket_audit_global_secret_scanning_rule_deleted.yml 
@@ -1,6 +1,6 @@ title: Bitbucket Global Secret Scanning Rule Deleted id: e16cf0f0-ee88-4901-bd0b-4c8d13d9ee05 -status: experimental +status: test description: Detects Bitbucket global secret scanning rule deletion activity. references: - https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html diff --git a/rules/cloud/bitbucket/audit/bitbucket_audit_global_ssh_settings_change_detected.yml b/rules/cloud/bitbucket/audit/bitbucket_audit_global_ssh_settings_change_detected.yml index 39179f0e763..88bb6f2772e 100644 --- a/rules/cloud/bitbucket/audit/bitbucket_audit_global_ssh_settings_change_detected.yml +++ b/rules/cloud/bitbucket/audit/bitbucket_audit_global_ssh_settings_change_detected.yml @@ -1,6 +1,6 @@ title: Bitbucket Global SSH Settings Changed id: 16ab6143-510a-44e2-a615-bdb80b8317fc -status: experimental +status: test description: Detects Bitbucket global SSH access configuration changes. references: - https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html diff --git a/rules/cloud/bitbucket/audit/bitbucket_audit_log_configuration_update_detected.yml b/rules/cloud/bitbucket/audit/bitbucket_audit_log_configuration_update_detected.yml index ce0a8b0aa98..cb09d1cda9d 100644 --- a/rules/cloud/bitbucket/audit/bitbucket_audit_log_configuration_update_detected.yml +++ b/rules/cloud/bitbucket/audit/bitbucket_audit_log_configuration_update_detected.yml @@ -1,6 +1,6 @@ title: Bitbucket Audit Log Configuration Updated id: 6aa12161-235a-4dfb-9c74-fe08df8d8da1 -status: experimental +status: test description: Detects changes to the bitbucket audit log configuration. references: - https://confluence.atlassian.com/bitbucketserver/view-and-configure-the-audit-log-776640417.html diff --git a/rules/cloud/bitbucket/audit/bitbucket_audit_project_secret_scanning_allowlist_added.yml b/rules/cloud/bitbucket/audit/bitbucket_audit_project_secret_scanning_allowlist_added.yml index b1baeb37115..1b5a7a1fb4b 100644 
--- a/rules/cloud/bitbucket/audit/bitbucket_audit_project_secret_scanning_allowlist_added.yml +++ b/rules/cloud/bitbucket/audit/bitbucket_audit_project_secret_scanning_allowlist_added.yml @@ -1,6 +1,6 @@ title: Bitbucket Project Secret Scanning Allowlist Added id: 42ccce6d-7bd3-4930-95cd-e4d83fa94a30 -status: experimental +status: test description: Detects when a secret scanning allowlist rule is added for projects. references: - https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html diff --git a/rules/cloud/bitbucket/audit/bitbucket_audit_secret_scanning_exempt_repository_detected.yml b/rules/cloud/bitbucket/audit/bitbucket_audit_secret_scanning_exempt_repository_detected.yml index 6019e448233..2b4c012ae51 100644 --- a/rules/cloud/bitbucket/audit/bitbucket_audit_secret_scanning_exempt_repository_detected.yml +++ b/rules/cloud/bitbucket/audit/bitbucket_audit_secret_scanning_exempt_repository_detected.yml @@ -1,6 +1,6 @@ title: Bitbucket Secret Scanning Exempt Repository Added id: b91e8d5e-0033-44fe-973f-b730316f23a1 -status: experimental +status: test description: Detects when a repository is exempted from secret scanning feature. references: - https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html diff --git a/rules/cloud/bitbucket/audit/bitbucket_audit_secret_scanning_rule_deleted.yml b/rules/cloud/bitbucket/audit/bitbucket_audit_secret_scanning_rule_deleted.yml index 5ef1c1901ed..dce9a90f6c3 100644 --- a/rules/cloud/bitbucket/audit/bitbucket_audit_secret_scanning_rule_deleted.yml +++ b/rules/cloud/bitbucket/audit/bitbucket_audit_secret_scanning_rule_deleted.yml @@ -1,6 +1,6 @@ title: Bitbucket Secret Scanning Rule Deleted id: ff91e3f0-ad15-459f-9a85-1556390c138d -status: experimental +status: test description: Detects when secret scanning rule is deleted for the project or repository. references: - https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html 
diff --git a/rules/cloud/bitbucket/audit/bitbucket_audit_unauthorized_access_detected.yml b/rules/cloud/bitbucket/audit/bitbucket_audit_unauthorized_access_detected.yml index 08ebde49a7c..d07b69e3309 100644 --- a/rules/cloud/bitbucket/audit/bitbucket_audit_unauthorized_access_detected.yml +++ b/rules/cloud/bitbucket/audit/bitbucket_audit_unauthorized_access_detected.yml @@ -1,6 +1,6 @@ title: Bitbucket Unauthorized Access To A Resource id: 7215374a-de4f-4b33-8ba5-70804c9251d3 -status: experimental +status: test description: Detects unauthorized access attempts to a resource. references: - https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html diff --git a/rules/cloud/bitbucket/audit/bitbucket_audit_unauthorized_full_data_export_triggered.yml b/rules/cloud/bitbucket/audit/bitbucket_audit_unauthorized_full_data_export_triggered.yml index ebb2f462150..a678f07dc31 100644 --- a/rules/cloud/bitbucket/audit/bitbucket_audit_unauthorized_full_data_export_triggered.yml +++ b/rules/cloud/bitbucket/audit/bitbucket_audit_unauthorized_full_data_export_triggered.yml @@ -1,6 +1,6 @@ title: Bitbucket Unauthorized Full Data Export Triggered id: 34d81081-03c9-4a7f-91c9-5e46af625cde -status: experimental +status: test description: Detects when full data export is attempted an unauthorized user. references: - https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html diff --git a/rules/cloud/bitbucket/audit/bitbucket_audit_user_details_export_attempt_detected.yml b/rules/cloud/bitbucket/audit/bitbucket_audit_user_details_export_attempt_detected.yml index a0e96ebd384..ba8d21c409a 100644 --- a/rules/cloud/bitbucket/audit/bitbucket_audit_user_details_export_attempt_detected.yml +++ b/rules/cloud/bitbucket/audit/bitbucket_audit_user_details_export_attempt_detected.yml 
@@ -1,6 +1,6 @@ title: Bitbucket User Details Export Attempt Detected id: 5259cbf2-0a75-48bf-b57a-c54d6fabaef3 -status: experimental +status: test description: Detects user data export activity. references: - https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html diff --git a/rules/cloud/bitbucket/audit/bitbucket_audit_user_login_failure_detected.yml b/rules/cloud/bitbucket/audit/bitbucket_audit_user_login_failure_detected.yml index 7eed1a8403e..4fad0d31bae 100644 --- a/rules/cloud/bitbucket/audit/bitbucket_audit_user_login_failure_detected.yml +++ b/rules/cloud/bitbucket/audit/bitbucket_audit_user_login_failure_detected.yml @@ -1,6 +1,6 @@ title: Bitbucket User Login Failure id: 70ed1d26-0050-4b38-a599-92c53d57d45a -status: experimental +status: test description: | Detects user authentication failure events. Please note that this rule can be noisy and it is recommended to use with correlation based on "author.name" field. diff --git a/rules/cloud/bitbucket/audit/bitbucket_audit_user_login_failure_via_ssh_detected.yml b/rules/cloud/bitbucket/audit/bitbucket_audit_user_login_failure_via_ssh_detected.yml index 9e9a0cebde4..d1fa3fdbdb5 100644 --- a/rules/cloud/bitbucket/audit/bitbucket_audit_user_login_failure_via_ssh_detected.yml +++ b/rules/cloud/bitbucket/audit/bitbucket_audit_user_login_failure_via_ssh_detected.yml @@ -1,6 +1,6 @@ title: Bitbucket User Login Failure Via SSH id: d3f90469-fb05-42ce-b67d-0fded91bbef3 -status: experimental +status: test description: | Detects SSH user login access failures. Please note that this rule can be noisy and is recommended to use with correlation based on "author.name" field. diff --git a/rules/cloud/bitbucket/audit/bitbucket_audit_user_permissions_export_attempt_detected.yml b/rules/cloud/bitbucket/audit/bitbucket_audit_user_permissions_export_attempt_detected.yml index 221d4a24fc9..aff1211d40f 100644 --- a/rules/cloud/bitbucket/audit/bitbucket_audit_user_permissions_export_attempt_detected.yml 
+++ b/rules/cloud/bitbucket/audit/bitbucket_audit_user_permissions_export_attempt_detected.yml @@ -1,6 +1,6 @@ title: Bitbucket User Permissions Export Attempt id: 87cc6698-3e07-4ba2-9b43-a85a73e151e2 -status: experimental +status: test description: Detects user permission data export attempt. references: - https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html diff --git a/rules/cloud/github/github_push_protection_bypass_detected.yml b/rules/cloud/github/github_push_protection_bypass_detected.yml index 7e537f304b3..a619e57d300 100644 --- a/rules/cloud/github/github_push_protection_bypass_detected.yml +++ b/rules/cloud/github/github_push_protection_bypass_detected.yml @@ -1,6 +1,6 @@ title: Github Push Protection Bypass Detected id: 02cf536a-cf21-4876-8842-4159c8aee3cc -status: experimental +status: test description: Detects when a user bypasses the push protection on a secret detected by secret scanning. references: - https://docs.github.com/en/enterprise-cloud@latest/code-security/secret-scanning/push-protection-for-repositories-and-organizations diff --git a/rules/cloud/github/github_push_protection_disabled.yml b/rules/cloud/github/github_push_protection_disabled.yml index dff55ef9118..296b8125eb0 100644 --- a/rules/cloud/github/github_push_protection_disabled.yml +++ b/rules/cloud/github/github_push_protection_disabled.yml @@ -1,6 +1,6 @@ title: Github Push Protection Disabled id: ccd55945-badd-4bae-936b-823a735d37dd -status: experimental +status: test description: Detects if the push protection feature is disabled for an organization, enterprise, repositories or custom pattern rules. references: - https://docs.github.com/en/enterprise-cloud@latest/code-security/secret-scanning/push-protection-for-repositories-and-organizations 
diff --git a/rules/windows/builtin/system/microsoft_windows_certification_authority/win_system_adcs_enrollment_request_denied.yml b/rules/windows/builtin/system/microsoft_windows_certification_authority/win_system_adcs_enrollment_request_denied.yml index eebe651bf39..ca0de698b91 100644 --- a/rules/windows/builtin/system/microsoft_windows_certification_authority/win_system_adcs_enrollment_request_denied.yml +++ b/rules/windows/builtin/system/microsoft_windows_certification_authority/win_system_adcs_enrollment_request_denied.yml @@ -1,6 +1,6 @@ title: Active Directory Certificate Services Denied Certificate Enrollment Request id: 994bfd6d-0a2e-481e-a861-934069fcf5f5 -status: experimental +status: test description: | Detects denied requests by Active Directory Certificate Services. Example of these requests denial include issues with permissions on the certificate template or invalid signatures. diff --git a/rules/windows/builtin/system/microsoft_windows_kerberos_key_distribution_center/win_system_kdcsvc_tgs_no_suitable_encryption_key_found.yml b/rules/windows/builtin/system/microsoft_windows_kerberos_key_distribution_center/win_system_kdcsvc_tgs_no_suitable_encryption_key_found.yml index e87cd0f4fed..2f097f59400 100644 --- a/rules/windows/builtin/system/microsoft_windows_kerberos_key_distribution_center/win_system_kdcsvc_tgs_no_suitable_encryption_key_found.yml +++ b/rules/windows/builtin/system/microsoft_windows_kerberos_key_distribution_center/win_system_kdcsvc_tgs_no_suitable_encryption_key_found.yml 
@@ -1,6 +1,6 @@ title: No Suitable Encryption Key Found For Generating Kerberos Ticket id: b1e0b3f5-b62e-41be-886a-daffde446ad4 -status: experimental +status: test description: | Detects errors when a target server doesn't have suitable keys for generating kerberos tickets. This issue can occur for example when a service uses a user account or a computer account that is configured for only DES encryption on a computer that is running Windows 7 which has DES encryption for Kerberos authentication disabled. diff --git a/rules/windows/dns_query/dns_query_win_onelaunch_update_service.yml b/rules/windows/dns_query/dns_query_win_onelaunch_update_service.yml index ee5288b09c8..bb67b6b82d0 100644 --- a/rules/windows/dns_query/dns_query_win_onelaunch_update_service.yml +++ b/rules/windows/dns_query/dns_query_win_onelaunch_update_service.yml @@ -1,6 +1,6 @@ title: DNS Query Request To OneLaunch Update Service id: df68f791-ad95-447f-a271-640a0dab9cf8 -status: experimental +status: test description: | Detects DNS query requests to "update.onelaunch.com". This domain is associated with the OneLaunch adware application. When the OneLaunch application is installed it will attempt to get updates from this domain. diff --git a/rules/windows/image_load/image_load_susp_unsigned_dll.yml b/rules/windows/image_load/image_load_susp_unsigned_dll.yml index cce9bc1f3ba..c651259e622 100644 --- a/rules/windows/image_load/image_load_susp_unsigned_dll.yml +++ b/rules/windows/image_load/image_load_susp_unsigned_dll.yml @@ -1,6 +1,6 @@ title: Unsigned DLL Loaded by Windows Utility id: b5de0c9a-6f19-43e0-af4e-55ad01f550af -status: experimental +status: test description: | Detects windows utilities loading an unsigned or untrusted DLL. Adversaries often abuse those programs to proxy execution of malicious code. 
diff --git a/rules/windows/powershell/powershell_module/posh_pm_hktl_evil_winrm_execution.yml b/rules/windows/powershell/powershell_module/posh_pm_hktl_evil_winrm_execution.yml index 2a5248dfb6d..14edd6ab649 100644 --- a/rules/windows/powershell/powershell_module/posh_pm_hktl_evil_winrm_execution.yml +++ b/rules/windows/powershell/powershell_module/posh_pm_hktl_evil_winrm_execution.yml @@ -1,6 +1,6 @@ title: HackTool - Evil-WinRm Execution - PowerShell Module id: 9fe55ea2-4cd6-4491-8a54-dd6871651b51 -status: experimental +status: test description: | Detects the execution of Evil-WinRM via PowerShell Module logs by leveraging the hardcoded strings inside the utility. references: diff --git a/rules/windows/process_access/proc_access_win_lsass_memdump.yml b/rules/windows/process_access/proc_access_win_lsass_memdump.yml index bf8053d1212..f666d4895c4 100755 --- a/rules/windows/process_access/proc_access_win_lsass_memdump.yml +++ b/rules/windows/process_access/proc_access_win_lsass_memdump.yml @@ -1,6 +1,6 @@ title: Potential Credential Dumping Activity Via LSASS id: 5ef9853e-4d0e-4a70-846f-a9ca37d876da -status: experimental +status: test description: | Detects process access requests to the LSASS process with specific call trace calls and access masks. This behaviour is expressed by many credential dumping tools such as Mimikatz, NanoDump, Invoke-Mimikatz, Procdump and even the Taskmgr dumping feature. diff --git a/rules/windows/process_creation/proc_creation_win_certutil_encode_susp_extensions.yml b/rules/windows/process_creation/proc_creation_win_certutil_encode_susp_extensions.yml index 98edaf1a986..0f50997da81 100644 --- a/rules/windows/process_creation/proc_creation_win_certutil_encode_susp_extensions.yml +++ b/rules/windows/process_creation/proc_creation_win_certutil_encode_susp_extensions.yml 
@@ -3,7 +3,7 @@ id: ea0cdc3e-2239-4f26-a947-4e8f8224e464 related: - id: e62a9f0c-ca1e-46b2-85d5-a6da77f86d1a type: derived -status: experimental +status: test description: Detects the execution of certutil with the "encode" flag to encode a file to base64 where the extensions of the file is suspicious references: - https://www.virustotal.com/gui/file/35c22725a92d5cb1016b09421c0a6cdbfd860fd4778b3313669b057d4a131cb7/behavior diff --git a/rules/windows/process_creation/proc_creation_win_certutil_encode_susp_location.yml b/rules/windows/process_creation/proc_creation_win_certutil_encode_susp_location.yml index 6f1fae87e99..b4a8cf6cffc 100644 --- a/rules/windows/process_creation/proc_creation_win_certutil_encode_susp_location.yml +++ b/rules/windows/process_creation/proc_creation_win_certutil_encode_susp_location.yml @@ -3,7 +3,7 @@ id: 82a6714f-4899-4f16-9c1e-9a333544d4c3 related: - id: e62a9f0c-ca1e-46b2-85d5-a6da77f86d1a type: derived -status: experimental +status: test description: Detects the execution of certutil with the "encode" flag to encode a file to base64 where the files are located in potentially suspicious locations references: - https://www.virustotal.com/gui/file/35c22725a92d5cb1016b09421c0a6cdbfd860fd4778b3313669b057d4a131cb7/behavior diff --git a/rules/windows/process_creation/proc_creation_win_chcp_codepage_lookup.yml b/rules/windows/process_creation/proc_creation_win_chcp_codepage_lookup.yml index d86cf13668d..ea4a95808c5 100644 --- a/rules/windows/process_creation/proc_creation_win_chcp_codepage_lookup.yml +++ b/rules/windows/process_creation/proc_creation_win_chcp_codepage_lookup.yml @@ -1,6 +1,6 @@ title: Console CodePage Lookup Via CHCP id: 7090adee-82e2-4269-bd59-80691e7c6338 -status: experimental +status: test description: Detects use of chcp to look up the system locale value as part of host discovery references: - https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/ 
diff --git a/rules/windows/process_creation/proc_creation_win_cmd_ping_copy_combined_execution.yml b/rules/windows/process_creation/proc_creation_win_cmd_ping_copy_combined_execution.yml index abbed65b2dd..d96cbf5ad45 100644 --- a/rules/windows/process_creation/proc_creation_win_cmd_ping_copy_combined_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_cmd_ping_copy_combined_execution.yml @@ -1,6 +1,6 @@ title: Potentially Suspicious Ping/Copy Command Combination id: ded2b07a-d12f-4284-9b76-653e37b6c8b0 -status: experimental +status: test description: | Detects uncommon and potentially suspicious one-liner command containing both "ping" and "copy" at the same time, which is usually used by malware. references: diff --git a/rules/windows/process_creation/proc_creation_win_diskshadow_script_mode_susp_ext.yml b/rules/windows/process_creation/proc_creation_win_diskshadow_script_mode_susp_ext.yml index 68c22c51fae..b82b4a93ee3 100644 --- a/rules/windows/process_creation/proc_creation_win_diskshadow_script_mode_susp_ext.yml +++ b/rules/windows/process_creation/proc_creation_win_diskshadow_script_mode_susp_ext.yml @@ -9,7 +9,7 @@ related: type: similar - id: 0c2f8629-7129-4a8a-9897-7e0768f13ff2 # Diskshadow Script Mode Execution type: similar -status: experimental +status: test description: | Detects execution of "Diskshadow.exe" in script mode to execute an script with a potentially uncommon extension. Initial baselining of the allowed extension list is required. diff --git a/rules/windows/process_creation/proc_creation_win_findstr_download.yml b/rules/windows/process_creation/proc_creation_win_findstr_download.yml index 6b74583968f..95994b838a6 100644 --- a/rules/windows/process_creation/proc_creation_win_findstr_download.yml +++ b/rules/windows/process_creation/proc_creation_win_findstr_download.yml 
@@ -3,7 +3,7 @@ id: 587254ee-a24b-4335-b3cd-065c0f1f4baa related: - id: bf6c39fc-e203-45b9-9538-05397c1b4f3f type: obsolete -status: experimental +status: test description: | Detects execution of "findstr" with specific flags and a remote share path. This specific set of CLI flags would allow "findstr" to download the content of the file located on the remote share as described in the LOLBAS entry. references: diff --git a/rules/windows/process_creation/proc_creation_win_findstr_subfolder_search.yml b/rules/windows/process_creation/proc_creation_win_findstr_subfolder_search.yml index f584edbd743..1734125a56f 100644 --- a/rules/windows/process_creation/proc_creation_win_findstr_subfolder_search.yml +++ b/rules/windows/process_creation/proc_creation_win_findstr_subfolder_search.yml @@ -3,7 +3,7 @@ id: 04936b66-3915-43ad-a8e5-809eadfd1141 related: - id: bf6c39fc-e203-45b9-9538-05397c1b4f3f type: obsolete -status: experimental +status: test description: | Detects execution of findstr with the "s" and "i" flags for a "subfolder" and "insensitive" search respectively. Attackers sometimes leverage this built-in utility to search the system for interesting files or filter through results of commands. references: diff --git a/rules/windows/process_creation/proc_creation_win_lodctr_performance_counter_tampering.yml b/rules/windows/process_creation/proc_creation_win_lodctr_performance_counter_tampering.yml index cf707302bd3..7e745360300 100644 --- a/rules/windows/process_creation/proc_creation_win_lodctr_performance_counter_tampering.yml +++ b/rules/windows/process_creation/proc_creation_win_lodctr_performance_counter_tampering.yml 
@@ -1,6 +1,6 @@ title: Rebuild Performance Counter Values Via Lodctr.EXE id: cc9d3712-6310-4320-b2df-7cb408274d53 -status: experimental +status: test description: Detects the execution of "lodctr.exe" to rebuild the performance counter registry values. This can be abused by attackers by providing a malicious config file to overwrite performance counter configuration to confuse and evade monitoring and security solutions. references: - https://learn.microsoft.com/en-us/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-tpmvscmgr diff --git a/rules/windows/process_creation/proc_creation_win_odbcconf_response_file.yml b/rules/windows/process_creation/proc_creation_win_odbcconf_response_file.yml index fc62df134c1..1b20ada9acd 100644 --- a/rules/windows/process_creation/proc_creation_win_odbcconf_response_file.yml +++ b/rules/windows/process_creation/proc_creation_win_odbcconf_response_file.yml @@ -5,7 +5,7 @@ related: type: similar - id: 65d2be45-8600-4042-b4c0-577a1ff8a60e type: obsolete -status: experimental +status: test description: Detects execution of "odbcconf" with the "-f" flag in order to load a response file which might contain a malicious action. references: - https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16 diff --git a/rules/windows/process_creation/proc_creation_win_powershell_invoke_webrequest_download.yml b/rules/windows/process_creation/proc_creation_win_powershell_invoke_webrequest_download.yml index 5e81fdb2abd..892f6d19f9f 100644 --- a/rules/windows/process_creation/proc_creation_win_powershell_invoke_webrequest_download.yml +++ b/rules/windows/process_creation/proc_creation_win_powershell_invoke_webrequest_download.yml 
@@ -3,7 +3,7 @@ id: 5e3cc4d8-3e68-43db-8656-eaaeefdec9cc related: - id: e218595b-bbe7-4ee5-8a96-f32a24ad3468 type: derived -status: experimental +status: test description: Detects a suspicious call to Invoke-WebRequest cmdlet where the and output is located in a suspicious location references: - https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool/ diff --git a/rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk_revoked_cert.yml b/rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk_revoked_cert.yml index 0234458bf40..05010f5d315 100644 --- a/rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk_revoked_cert.yml +++ b/rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk_revoked_cert.yml @@ -1,6 +1,6 @@ title: Remote Access Tool - AnyDesk Execution With Known Revoked Signing Certificate id: 41f407b5-3096-44ea-a74f-96d04fbc41be -status: experimental +status: test description: | Detects the execution of an AnyDesk binary with a version prior to 8.0.8. Prior to version 8.0.8, the Anydesk application used a signing certificate that got compromised by threat actors. diff --git a/rules/windows/process_creation/proc_creation_win_remote_access_tools_screenconnect_remote_execution.yml b/rules/windows/process_creation/proc_creation_win_remote_access_tools_screenconnect_remote_execution.yml index ebe5cec977c..7848faadace 100644 --- a/rules/windows/process_creation/proc_creation_win_remote_access_tools_screenconnect_remote_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_remote_access_tools_screenconnect_remote_execution.yml 
@@ -1,6 +1,6 @@ title: Remote Access Tool - ScreenConnect Remote Command Execution id: b1f73849-6329-4069-bc8f-78a604bb8b23 -status: experimental +status: test description: Detects the execution of a system command via the ScreenConnect RMM service. references: - https://github.com/SigmaHQ/sigma/pull/4467 diff --git a/rules/windows/process_creation/proc_creation_win_remote_access_tools_screenconnect_webshell.yml b/rules/windows/process_creation/proc_creation_win_remote_access_tools_screenconnect_webshell.yml index 4c96eab5ac8..964b93cc835 100644 --- a/rules/windows/process_creation/proc_creation_win_remote_access_tools_screenconnect_webshell.yml +++ b/rules/windows/process_creation/proc_creation_win_remote_access_tools_screenconnect_webshell.yml @@ -1,6 +1,6 @@ title: Remote Access Tool - ScreenConnect Server Web Shell Execution id: b19146a3-25d4-41b4-928b-1e2a92641b1b -status: experimental +status: test description: Detects potential web shell execution from the ScreenConnect server process. references: - https://blackpointcyber.com/resources/blog/breaking-through-the-screen/ diff --git a/rules/windows/process_creation/proc_creation_win_remote_access_tools_simple_help.yml b/rules/windows/process_creation/proc_creation_win_remote_access_tools_simple_help.yml index f5ae7a5751b..36cbe7befdd 100644 --- a/rules/windows/process_creation/proc_creation_win_remote_access_tools_simple_help.yml +++ b/rules/windows/process_creation/proc_creation_win_remote_access_tools_simple_help.yml 
@@ -1,6 +1,6 @@ title: Remote Access Tool - Simple Help Execution id: 95e60a2b-4705-444b-b7da-ba0ea81a3ee2 -status: experimental +status: test description: | An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. diff --git a/rules/windows/process_creation/proc_creation_win_sc_query_interesting_services.yml b/rules/windows/process_creation/proc_creation_win_sc_query_interesting_services.yml index 7ecfdb1441c..135bbaf94fe 100644 --- a/rules/windows/process_creation/proc_creation_win_sc_query_interesting_services.yml +++ b/rules/windows/process_creation/proc_creation_win_sc_query_interesting_services.yml @@ -1,6 +1,6 @@ title: Interesting Service Enumeration Via Sc.EXE id: e83e8899-c9b2-483b-b355-5decc942b959 -status: experimental +status: test description: | Detects the enumeration and query of interesting and in some cases sensitive services on the system via "sc.exe". Attackers often try to enumerate the services currently running on a system in order to find different attack vectors. diff --git a/rules/windows/process_creation/proc_creation_win_ssh_port_forward.yml b/rules/windows/process_creation/proc_creation_win_ssh_port_forward.yml index 0e5e79ac389..456e35274ec 100644 --- a/rules/windows/process_creation/proc_creation_win_ssh_port_forward.yml +++ b/rules/windows/process_creation/proc_creation_win_ssh_port_forward.yml @@ -1,6 +1,6 @@ title: Port Forwarding Activity Via SSH.EXE id: 327f48c1-a6db-4eb8-875a-f6981f1b0183 -status: experimental +status: test description: Detects port forwarding activity via SSH.exe references: - https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/ 
diff --git a/rules/windows/process_creation/proc_creation_win_wget_download_susp_locations.yml b/rules/windows/process_creation/proc_creation_win_wget_download_susp_locations.yml index 01636c4e67d..2f37af92a8b 100644 --- a/rules/windows/process_creation/proc_creation_win_wget_download_susp_locations.yml +++ b/rules/windows/process_creation/proc_creation_win_wget_download_susp_locations.yml @@ -1,6 +1,6 @@ title: Suspicious File Download From IP Via Wget.EXE - Paths id: 40aa399c-7b02-4715-8e5f-73572b493f33 -status: experimental +status: test description: Detects potentially suspicious file downloads directly from IP addresses and stored in suspicious locations using Wget.exe references: - https://www.gnu.org/software/wget/manual/wget.html diff --git a/rules/windows/process_creation/proc_creation_win_whoami_all_execution.yml b/rules/windows/process_creation/proc_creation_win_whoami_all_execution.yml index 22817da9b36..ad25c8fd8d2 100644 --- a/rules/windows/process_creation/proc_creation_win_whoami_all_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_whoami_all_execution.yml @@ -1,6 +1,6 @@ title: Enumerate All Information With Whoami.EXE id: c248c896-e412-4279-8c15-1c558067b6fa -status: experimental +status: test description: Detects the execution of "whoami.exe" with the "/all" flag references: - https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/ diff --git a/rules/windows/registry/registry_set/registry_set_sentinelone_shell_context_tampering.yml b/rules/windows/registry/registry_set/registry_set_sentinelone_shell_context_tampering.yml index 6ab23312f4a..777a1fdcd09 100644 --- a/rules/windows/registry/registry_set/registry_set_sentinelone_shell_context_tampering.yml +++ b/rules/windows/registry/registry_set/registry_set_sentinelone_shell_context_tampering.yml 
@@ -1,6 +1,6 @@ title: Potential SentinelOne Shell Context Menu Scan Command Tampering id: 6c304b02-06e6-402d-8be4-d5833cdf8198 -status: experimental +status: test description: Detects potentially suspicious changes to the SentinelOne context menu scan command by a process other than SentinelOne. references: - https://mrd0x.com/sentinelone-persistence-via-menu-context/
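Review bot: The description in the proc_creation_win_cmd_ping_copy_combined_execution.yml hunk has a grammar slip and an overstatement that should be fixed while the rule is promoted to `test`: "Detects uncommon and potentially suspicious one-liner command containing both "ping" and "copy" at the same time, which is usually used by malware" reads better as "Detects an uncommon and potentially suspicious one-liner command that contains both "ping" and "copy", a pattern sometimes used by malware". "Usually" claims more than a single process-creation match can support, and a rule at `test` status is expected to carry accurate documentation.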
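Review bot: Typo in the description of the proc_creation_win_diskshadow_script_mode_susp_ext.yml hunk: "to execute an script" should be "to execute a script". The same description also states "Initial baselining of the allowed extension list is required"; consider repeating that requirement in the rule's `falsepositives` section so it is not lost on readers who only see the detection block.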
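Review bot: The only reference shown in the proc_creation_win_lodctr_performance_counter_tampering.yml hunk (learn.microsoft.com/.../virtual-smart-cards/virtual-smart-card-tpmvscmgr) documents the virtual smart card tool tpmvscmgr, not lodctr.exe, so it does not support the performance-counter rebuild behaviour the description claims. Before the status moves to `test`, replace it with the Microsoft command reference for lodctr (or a write-up of the counter-configuration abuse the description describes) so the rule's rationale can be verified.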
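Review bot: The description in the proc_creation_win_powershell_invoke_webrequest_download.yml hunk is garbled: "where the and output is located in a suspicious location" has a stray "the and" and no subject. Suggest "Detects a suspicious call to the Invoke-WebRequest cmdlet where the output file is written to a suspicious location", which also matches the `derived` relationship to rule e218595b-bbe7-4ee5-8a96-f32a24ad3468 declared just above it.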
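Review bot: Inconsistent product capitalization in the proc_creation_win_remote_access_tools_anydesk_revoked_cert.yml hunk: the title and first sentence use "AnyDesk" while the second sentence says "the Anydesk application". Use "AnyDesk" throughout, and tighten "used a signing certificate that got compromised by threat actors" to "used a signing certificate that was compromised by threat actors" for a rule going to `test`.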
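Review bot: The description in the proc_creation_win_remote_access_tools_simple_help.yml hunk never mentions Simple Help; it is the generic remote-access-software text listing Team Viewer, Go2Assist, LogMein and AmmyyAdmin. A rule promoted to `test` should say what it actually detects, so add a sentence naming the Simple Help binary or command-line pattern the selection keys on and keep the generic text, if at all, as context. Minor: "etc," should be "etc.," and the vendor writes "TeamViewer" as one word.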
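Review bot: The description in the proc_creation_win_ssh_port_forward.yml hunk ("Detects port forwarding activity via SSH.exe") only restates the title. For `test` status, state which ssh.exe command-line options the selection matches and why a forwarded port on a Windows host is worth an alert, so analysts can triage without opening the YAML. The single reference, a general Windows privilege-escalation guide, does not obviously cover SSH tunnelling either; a source specific to the forwarding options would strengthen the rule.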
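Review bot: Wording in the proc_creation_win_findstr_subfolder_search.yml hunk: 'the "s" and "i" flags for a "subfolder" and "insensitive" search respectively' should read 'the "s" and "i" flags for a recursive (subdirectory) and case-insensitive search respectively', so each flag maps cleanly to its documented effect.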
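Review bot: The only reference in the proc_creation_win_remote_access_tools_screenconnect_remote_execution.yml hunk is the SigmaHQ pull request that introduced the rule (github.com/SigmaHQ/sigma/pull/4467), which is circular. Before promotion to `test`, add an external source that describes the ScreenConnect command-execution behaviour the rule detects; the neighbouring proc_creation_win_remote_access_tools_screenconnect_webshell.yml hunk, which cites a blackpointcyber.com write-up, shows the kind of reference expected.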