diff --git a/rules/windows/builtin/dns_client/win_dns_client_ufile_io.yml b/rules/windows/builtin/dns_client/win_dns_client_ufile_io.yml index fd228b982f4..fc80250ee3b 100644 --- a/rules/windows/builtin/dns_client/win_dns_client_ufile_io.yml +++ b/rules/windows/builtin/dns_client/win_dns_client_ufile_io.yml @@ -4,7 +4,7 @@ related: - id: 1cbbeaaf-3c8c-4e4c-9d72-49485b6a176b type: similar status: experimental -description: Detects DNS queries to "ufile.io". Which was seen abused by malware and threat actor as a method for data exfiltration +description: Detects DNS queries to "ufile.io", which was seen abused by malware and threat actors as a method for data exfiltration references: - https://thedfirreport.com/2021/12/13/diavol-ransomware/ author: Nasreddine Bencherchali (Nextron Systems) diff --git a/rules/windows/builtin/system/microsoft_windows_windows_update_client/win_system_susp_system_update_error.yml b/rules/windows/builtin/system/microsoft_windows_windows_update_client/win_system_susp_system_update_error.yml index 66548d2478c..8371db7ffec 100644 --- a/rules/windows/builtin/system/microsoft_windows_windows_update_client/win_system_susp_system_update_error.yml +++ b/rules/windows/builtin/system/microsoft_windows_windows_update_client/win_system_susp_system_update_error.yml @@ -1,7 +1,7 @@ title: Windows Update Error id: 13cfeb75-9e33-4d04-b0f7-ab8faaa95a59 status: stable -description: Detects windows update errors including installation failures and connection issues. Defenders should observe this in case critical update KB aren't installed. +description: Detects Windows update errors including installation failures and connection issues. Defenders should observe this in case critical update KB aren't installed. author: frack113 date: 2021/12/04 modified: 2023/09/07 
diff --git a/rules/windows/dns_query/dns_query_win_dns_server_discovery_via_ldap_query.yml b/rules/windows/dns_query/dns_query_win_dns_server_discovery_via_ldap_query.yml index 55e00d4a7ec..6cdbf91d933 100644 --- a/rules/windows/dns_query/dns_query_win_dns_server_discovery_via_ldap_query.yml +++ b/rules/windows/dns_query/dns_query_win_dns_server_discovery_via_ldap_query.yml @@ -1,7 +1,7 @@ title: DNS Server Discovery Via LDAP Query id: a21bcd7e-38ec-49ad-b69a-9ea17e69509e status: experimental -description: Detect DNS server discovery via LDAP query requests from uncommon applications +description: Detects DNS server discovery via LDAP query requests from uncommon applications references: - https://github.com/redcanaryco/atomic-red-team/blob/980f3f83fd81f37c1ca9c02dccfd1c3d9f9d0841/atomics/T1016/T1016.md#atomic-test-9---dns-server-discovery-using-nslookup - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/7fcdce70-5205-44d6-9c3a-260e616a2f04 diff --git a/rules/windows/dns_query/dns_query_win_teamviewer_domain_query_by_uncommon_app.yml b/rules/windows/dns_query/dns_query_win_teamviewer_domain_query_by_uncommon_app.yml index d18f006a333..08641bace06 100644 --- a/rules/windows/dns_query/dns_query_win_teamviewer_domain_query_by_uncommon_app.yml +++ b/rules/windows/dns_query/dns_query_win_teamviewer_domain_query_by_uncommon_app.yml @@ -1,4 +1,4 @@ -title: TeamViewer Domain Query By Non TeamViewer Application +title: TeamViewer Domain Query By Non-TeamViewer Application id: 778ba9a8-45e4-4b80-8e3e-34a419f0b85e status: test description: Detects DNS queries to a TeamViewer domain only resolved by a TeamViewer client by an image that isn't named TeamViewer (sometimes used by threat actors for obfuscation) diff --git a/rules/windows/dns_query/dns_query_win_ufile_io_query.yml b/rules/windows/dns_query/dns_query_win_ufile_io_query.yml index 27579d45e3f..1ef60ac954e 100644 --- a/rules/windows/dns_query/dns_query_win_ufile_io_query.yml 
+++ b/rules/windows/dns_query/dns_query_win_ufile_io_query.yml @@ -4,7 +4,7 @@ related: - id: 090ffaad-c01a-4879-850c-6d57da98452d type: similar status: experimental -description: Detects DNS queries to "ufile.io". Which was seen abused by malware and threat actor as a method for data exfiltration +description: Detects DNS queries to "ufile.io", which was seen abused by malware and threat actors as a method for data exfiltration references: - https://thedfirreport.com/2021/12/13/diavol-ransomware/ author: yatinwad, TheDFIRReport diff --git a/rules/windows/driver_load/driver_load_win_mal_drivers_names.yml b/rules/windows/driver_load/driver_load_win_mal_drivers_names.yml index 7c878521d0f..9d875f79343 100644 --- a/rules/windows/driver_load/driver_load_win_mal_drivers_names.yml +++ b/rules/windows/driver_load/driver_load_win_mal_drivers_names.yml @@ -1,7 +1,7 @@ title: Malicious Driver Load By Name id: 39b64854-5497-4b57-a448-40977b8c9679 status: experimental -description: Detects the load of known malicious drivers via their names only.. +description: Detects the load of known malicious drivers via their names only. references: - https://loldrivers.io/ author: Nasreddine Bencherchali (Nextron Systems) @@ -87,6 +87,6 @@ detection: - '\daxin_blank4.sys' condition: selection falsepositives: - - False positives may occur if one of the vulnerable driver names mentioned above didn't change its name between versions. So always make sure that the driver being loaded is the legitimate one and the non vulnerable version. + - False positives may occur if one of the vulnerable driver names mentioned above didn't change its name between versions. So always make sure that the driver being loaded is the legitimate one and the non-vulnerable version. - If you experience a lot of FP you could comment the driver name or its exact known legitimate location (when possible) level: medium 
diff --git a/rules/windows/file/file_event/file_event_win_dump_file_susp_creation.yml b/rules/windows/file/file_event/file_event_win_dump_file_susp_creation.yml index d26e749d923..64756bc1864 100644 --- a/rules/windows/file/file_event/file_event_win_dump_file_susp_creation.yml +++ b/rules/windows/file/file_event/file_event_win_dump_file_susp_creation.yml @@ -4,7 +4,7 @@ related: - id: 3a525307-d100-48ae-b3b9-0964699d7f97 type: similar status: experimental -description: Detects the creation of a file with the ".dmp"/".hdmp" extension by a a shell or scripting application such as "cmd", "powershell", etc. Often created by software during a crash. Memory dumps can sometimes contain sensitive information such as credentials. It's best to determin the source of the crash. +description: Detects the creation of a file with the ".dmp"/".hdmp" extension by a shell or scripting application such as "cmd", "powershell", etc. Often created by software during a crash. Memory dumps can sometimes contain sensitive information such as credentials. It's best to determine the source of the crash. references: - https://learn.microsoft.com/en-us/windows/win32/wer/collecting-user-mode-dumps author: Nasreddine Bencherchali (Nextron Systems) @@ -29,5 +29,5 @@ detection: - '.hdmp' condition: selection falsepositives: - - Some admin PowerShell or VB scripts might have the ability to collect dumps and move them to other folders which might trigger a false positive. + - Some administrative PowerShell or VB scripts might have the ability to collect dumps and move them to other folders which might trigger a false positive. level: medium diff --git a/rules/windows/image_load/image_load_susp_dll_load_system_process.yml b/rules/windows/image_load/image_load_susp_dll_load_system_process.yml index 970003268ce..9c5ed041352 100644 --- a/rules/windows/image_load/image_load_susp_dll_load_system_process.yml +++ b/rules/windows/image_load/image_load_susp_dll_load_system_process.yml 
@@ -1,7 +1,7 @@ title: DLL Load By System Process From Suspicious Locations id: 9e9a9002-56c4-40fd-9eff-e4b09bfa5f6c status: experimental -description: Detects when a system process (i.e. located in system32, syswow64, etc.) loads a DLL from a suspicious or under privileged location such as "C:\Users\Public" +description: Detects when a system process (i.e. located in system32, syswow64, etc.) loads a DLL from a suspicious location or a location with permissive permissions such as "C:\Users\Public" references: - https://github.com/hackerhouse-opensource/iscsicpl_bypassUAC (Idea) author: Nasreddine Bencherchali (Nextron Systems) diff --git a/rules/windows/image_load/image_load_susp_python_image_load.yml b/rules/windows/image_load/image_load_susp_python_image_load.yml index 8cc02c55046..36b9dafb639 100644 --- a/rules/windows/image_load/image_load_susp_python_image_load.yml +++ b/rules/windows/image_load/image_load_susp_python_image_load.yml @@ -1,7 +1,7 @@ -title: Python Image Load By Non Python Process +title: Python Image Load By Non-Python Process id: cbb56d62-4060-40f7-9466-d8aaf3123f83 status: experimental -description: Detects the image load of Python Core by a non python process. Might be indicative of a Python script bundled with Py2Exe. +description: Detects the image load of "Python Core" by a non-Python process. This might be indicative of a Python script bundled with Py2Exe. references: - https://www.py2exe.org/ - https://unit42.paloaltonetworks.com/unit-42-technical-analysis-seaduke/ diff --git a/rules/windows/network_connection/net_connection_win_powershell_network_connection.yml b/rules/windows/network_connection/net_connection_win_powershell_network_connection.yml index b9884d64aec..72f5fe98184 100755 --- a/rules/windows/network_connection/net_connection_win_powershell_network_connection.yml +++ b/rules/windows/network_connection/net_connection_win_powershell_network_connection.yml 
@@ -1,7 +1,7 @@ title: PowerShell Initiated Network Connection id: 1f21ec3f-810d-4b0e-8045-322202e22b4b status: experimental -description: Detects a Powershell process that initiate a network connections. Check for suspicious target ports and target systems. +description: Detects a PowerShell process that initiates network connections. Check for suspicious target ports and target systems. references: - https://www.youtube.com/watch?v=DLtJTxMWZ2o author: Florian Roth (Nextron Systems) diff --git a/rules/windows/network_connection/net_connection_win_python.yml b/rules/windows/network_connection/net_connection_win_python.yml index 765264a0203..b05cf39a94d 100644 --- a/rules/windows/network_connection/net_connection_win_python.yml +++ b/rules/windows/network_connection/net_connection_win_python.yml @@ -1,7 +1,7 @@ title: Python Initiated Connection id: bef0bc5a-b9ae-425d-85c6-7b2d705980c6 status: experimental -description: Detects a python process intitating a network connection. While this often related to package installation, it can also indicate a potential malicious scripts communicating with a C&C server. +description: Detects a Python process initiating a network connection. While this often relates to package installation, it can also indicate a potential malicious script communicating with a C&C server. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md#atomic-test-4---port-scan-using-python - https://pypi.org/project/scapy/ diff --git a/rules/windows/process_creation/proc_creation_win_browsers_chromium_headless_exec.yml b/rules/windows/process_creation/proc_creation_win_browsers_chromium_headless_exec.yml index 6065dba7cc8..2c16c8aa48b 100644 --- a/rules/windows/process_creation/proc_creation_win_browsers_chromium_headless_exec.yml +++ b/rules/windows/process_creation/proc_creation_win_browsers_chromium_headless_exec.yml 
@@ -4,7 +4,7 @@ related: - id: 0e8cfe08-02c9-4815-a2f8-0d157b7ed33e type: derived status: test -description: Detects execution of chromium based browser in headless mode +description: Detects execution of Chromium based browser in headless mode references: - https://twitter.com/mrd0x/status/1478234484881436672?s=12 - https://www.trendmicro.com/en_us/research/23/e/managed-xdr-investigation-of-ducktail-in-trend-micro-vision-one.html diff --git a/rules/windows/process_creation/proc_creation_win_eventvwr_susp_child_process.yml b/rules/windows/process_creation/proc_creation_win_eventvwr_susp_child_process.yml index 0271691c531..ce5ff6c94c3 100644 --- a/rules/windows/process_creation/proc_creation_win_eventvwr_susp_child_process.yml +++ b/rules/windows/process_creation/proc_creation_win_eventvwr_susp_child_process.yml @@ -4,7 +4,7 @@ related: - id: 7c81fec3-1c1d-43b0-996a-46753041b1b6 type: derived status: test -description: Detects uncommon or suspicious child process of "eventvwr.exe" which might indicate a UAC bypass attempt +description: Detects uncommon or suspicious child processes of "eventvwr.exe" which might indicate a UAC bypass attempt references: - https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/ - https://www.hybrid-analysis.com/sample/e122bc8bf291f15cab182a5d2d27b8db1e7019e4e96bb5cdbd1dfe7446f3f51f?environmentId=100 diff --git a/rules/windows/process_creation/proc_creation_win_rundll32_webdav_client_execution.yml b/rules/windows/process_creation/proc_creation_win_rundll32_webdav_client_execution.yml index 5e398fb40b4..3757fd550f9 100644 --- a/rules/windows/process_creation/proc_creation_win_rundll32_webdav_client_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_rundll32_webdav_client_execution.yml 
@@ -2,8 +2,8 @@ title: WebDav Client Execution Via Rundll32.EXE id: 2dbd9d3d-9e27-42a8-b8df-f13825c6c3d5 status: test description: | - Detects "svchost.exe" spawning "rundll32.exe" with command arguments like C:\windows\system32\davclnt.dll,DavSetCookie. - This could be an indicator of exfiltration or use of WebDav to launch code (hosted on WebDav Server). + Detects "svchost.exe" spawning "rundll32.exe" with command arguments like "C:\windows\system32\davclnt.dll,DavSetCookie". + This could be an indicator of exfiltration or use of WebDav to launch code (hosted on a WebDav server). references: - https://github.com/OTRF/detection-hackathon-apt29/issues/17 - https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/7.B.4_C10730EA-6345-4934-AA0F-B0EFCA0C4BA6.md diff --git a/rules/windows/sysmon/sysmon_file_block_executable.yml b/rules/windows/sysmon/sysmon_file_block_executable.yml index a82e1fb5f73..2dd947a46e4 100644 --- a/rules/windows/sysmon/sysmon_file_block_executable.yml +++ b/rules/windows/sysmon/sysmon_file_block_executable.yml @@ -1,7 +1,7 @@ title: Sysmon Blocked Executable id: 23b71bc5-953e-4971-be4c-c896cda73fc2 status: experimental -description: Triggers on any Sysmon "FileBlockExecutable" event. Which should indicates a violation of the block policy set +description: Triggers on any Sysmon "FileBlockExecutable" event, which indicates a violation of the configured block policy references: - https://medium.com/@olafhartong/sysmon-14-0-fileblockexecutable-13d7ba3dff3e author: Nasreddine Bencherchali (Nextron Systems)
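Review bot: in both ufile.io hunks (`win_dns_client_ufile_io.yml` and `dns_query_win_ufile_io_query.yml`) the rewritten description still reads awkwardly: "which was seen abused by malware and threat actors". Suggest "which has been abused by malware and threat actors as a method for data exfiltration" (or "has been seen being abused"). The two rules now carry identical wording, which is good; keep them in sync if the phrasing is changed again.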
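Review bot: in the `win_system_susp_system_update_error.yml` hunk the second sentence of the description is still ungrammatical after the capitalisation fix ("in case critical update KB aren't installed"); suggest "in case critical update KBs aren't installed" or "in case critical updates (KBs) aren't installed". The hunk shows `modified: 2023/09/07` as unchanged context; please confirm whether the project expects the `modified` date to be bumped alongside description-only edits, and apply the same decision to every rule touched in this patch.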
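Review bot: in the second `driver_load_win_mal_drivers_names.yml` hunk (`@@ -87,6 +87,6 @@`) the hyphen fix leaves the false-positive note hard to parse: "if one of the vulnerable driver names mentioned above didn't change its name between versions" reads as though a name changes its name. Suggest "if a patched version of one of the drivers listed above kept the same file name as the vulnerable version, so always make sure that the driver being loaded is the legitimate, non-vulnerable version." In the following unchanged bullet, "comment the driver name" should be "comment out the driver name".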
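Review bot: in the first `file_event_win_dump_file_susp_creation.yml` hunk, "Often created by software during a crash." is a sentence fragment; suggest "Such files are often created by software during a crash." The rest of the typo fixes ("a a", "determin") and the "admin" to "administrative" change in the second hunk look correct.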
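Review bot: "a suspicious location or a location with permissive permissions" in the `image_load_susp_dll_load_system_process.yml` hunk is redundant, and since the example given is "C:\Users\Public" the property that matters is that ordinary users can write there. Suggest `description: Detects when a system process (e.g. located in system32, syswow64, etc.) loads a DLL from a suspicious or user-writable location such as "C:\Users\Public"`; "e.g." rather than "i.e." because system32 and syswow64 are examples, as the trailing "etc." already signals.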
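Review bot: in the `net_connection_win_python.yml` hunk, "a potential malicious script" should be "a potentially malicious script" (the adverb modifies "malicious"). For consistency with this rule, the `net_connection_win_powershell_network_connection.yml` hunk could use the singular as well: "Detects a PowerShell process that initiates a network connection."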
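Review bot: the `proc_creation_win_browsers_chromium_headless_exec.yml` hunk capitalises "Chromium" but leaves it unhyphenated, while the same patch introduces "Non-TeamViewer", "Non-Python" and "non-vulnerable"; suggest "Detects execution of a Chromium-based browser in headless mode" (hyphen plus the missing article).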
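Review bot: the `proc_creation_win_rundll32_webdav_client_execution.yml` hunk keeps the "WebDav" spelling in the title and twice in the description; the protocol's canonical name is WebDAV (RFC 4918). Since this PR is already normalising casing (PowerShell, Python, Windows), consider fixing it in the description now and the title if title changes are in scope.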