diff --git a/Full_tests.csv b/Full_tests.csv
index 264baf52..8f695ed5 100644
--- a/Full_tests.csv
+++ b/Full_tests.csv
@@ -677,7 +677,7 @@ privilege-escalation;T1053.003;sh;['linux'];Cron - Add script to /etc/cron.d fol
 privilege-escalation;T1053.003;bash;['linux'];Cron - Add script to /var/spool/cron/crontabs/ folder;2d943c18-e74a-44bf-936f-25ade6cccab4;False;4
 privilege-escalation;T1098.003;powershell;['azure-ad'];Azure AD - Add Company Administrator Role to a user;4d77f913-56f5-4a14-b4b1-bf7bb24298ad;False;1
 privilege-escalation;T1098.003;powershell;['azure-ad'];Simulate - Post BEC persistence via user password reset followed by user added to company administrator role;14f3af20-61f1-45b8-ad31-4637815f3f44;False;2
-privilege-escalation;T1547.012;powershell;['windows'];Print Processors;f7d38f47-c61b-47cc-a59d-fc0368f47ed0;False;1
+privilege-escalation;T1547.012;powershell;['windows'];Print Processors;f7d38f47-c61b-47cc-a59d-fc0368f47ed0;True;1
 privilege-escalation;T1574.001;command_prompt;['windows'];DLL Search Order Hijacking - amsi.dll;8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3;True;1
 privilege-escalation;T1055.003;powershell;['windows'];Thread Execution Hijacking;578025d5-faa9-4f6d-8390-aae527d503e1;True;1
 privilege-escalation;T1546.011;command_prompt;['windows'];Application Shim Installation;9ab27e22-ee62-4211-962b-d36d9a0e6a18;True;1
@@ -744,7 +744,7 @@ privilege-escalation;T1546.012;powershell;['windows'];GlobalFlags in Image File
 privilege-escalation;T1546.008;powershell;['windows'];Attaches Command Prompt as a Debugger to a List of Target Processes;3309f53e-b22b-4eb6-8fd2-a6cf58b355a9;True;1
 privilege-escalation;T1546.008;command_prompt;['windows'];Replace binary of sticky keys;934e90cf-29ca-48b3-863c-411737ad44e3;True;2
 privilege-escalation;T1546.008;command_prompt;['windows'];Create Symbolic Link From osk.exe to cmd.exe;51ef369c-5e87-4f33-88cd-6d61be63edf2;True;3
-privilege-escalation;T1546.008;command_prompt;['windows'];Atbroker.exe (AT) Executes Arbitrary Command via Registry Key;444ff124-4c83-4e28-8df6-6efd3ece6bd4;False;4
+privilege-escalation;T1546.008;command_prompt;['windows'];Atbroker.exe (AT) Executes Arbitrary Command via Registry Key;444ff124-4c83-4e28-8df6-6efd3ece6bd4;True;4
 privilege-escalation;T1055.004;command_prompt;['windows'];Process Injection via C#;611b39b7-e243-4c81-87a4-7145a90358b1;True;1
 privilege-escalation;T1055.004;powershell;['windows'];EarlyBird APC Queue Injection in Go;73785dd2-323b-4205-ab16-bb6f06677e14;False;2
 privilege-escalation;T1055.004;powershell;['windows'];Remote Process Injection with Go using NtQueueApcThreadEx WinAPI;4cc571b1-f450-414a-850f-879baf36aa06;False;3
@@ -996,7 +996,7 @@ execution;T1569.002;bash;['linux'];psexec.py (Impacket);edbcd8c9-3639-4844-afad-
 execution;T1569.002;powershell;['windows'];BlackCat pre-encryption cmds with Lateral Movement;31eb7828-97d7-4067-9c1e-c6feb85edc4b;True;4
 execution;T1569.002;command_prompt;['windows'];Use RemCom to execute a command on a remote host;a5d8cdeb-be90-43a9-8b26-cc618deac1e0;True;5
 execution;T1569.002;command_prompt;['windows'];Snake Malware Service Create;b8db787e-dbea-493c-96cb-9272296ddc49;True;6
-execution;T1569.002;command_prompt;['windows'];Modifying ACL of Service Control Manager via SDET;bf07f520-3909-4ef5-aa22-877a50f2f77b;False;7
+execution;T1569.002;command_prompt;['windows'];Modifying ACL of Service Control Manager via SDET;bf07f520-3909-4ef5-aa22-877a50f2f77b;True;7
 execution;T1053.002;command_prompt;['windows'];At.exe Scheduled task;4a6c0dc4-0f2a-4203-9298-a5a9bdc21ed8;True;1
 execution;T1053.002;sh;['linux'];At - Schedule a job;7266d898-ac82-4ec0-97c7-436075d0d08e;False;2
 persistence;T1053.005;command_prompt;['windows'];Scheduled Task Startup Script;fec27f65-db86-4c2d-b66c-61945aee87c2;True;1
@@ -1036,7 +1036,7 @@ persistence;T1053.003;bash;['linux'];Cron - Add script to /var/spool/cron/cronta
 persistence;T1137;command_prompt;['windows'];Office Application Startup - Outlook as a C2;bfe6ac15-c50b-4c4f-a186-0fc6b8ba936c;True;1
 persistence;T1098.003;powershell;['azure-ad'];Azure AD - Add Company Administrator Role to a user;4d77f913-56f5-4a14-b4b1-bf7bb24298ad;False;1
 persistence;T1098.003;powershell;['azure-ad'];Simulate - Post BEC persistence via user password reset followed by user added to company administrator role;14f3af20-61f1-45b8-ad31-4637815f3f44;False;2
-persistence;T1547.012;powershell;['windows'];Print Processors;f7d38f47-c61b-47cc-a59d-fc0368f47ed0;False;1
+persistence;T1547.012;powershell;['windows'];Print Processors;f7d38f47-c61b-47cc-a59d-fc0368f47ed0;True;1
 persistence;T1574.001;command_prompt;['windows'];DLL Search Order Hijacking - amsi.dll;8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3;True;1
 persistence;T1137.006;powershell;['windows'];Code Executed Via Excel Add-in File (XLL);441b1a0f-a771-428a-8af0-e99e4698cda3;True;1
 persistence;T1137.006;powershell;['windows'];Persistent Code Execution Via Excel Add-in File (XLL);9c307886-9fef-41d5-b344-073a0f5b2f5f;False;2
@@ -1045,8 +1045,8 @@ persistence;T1137.006;powershell;['windows'];Persistent Code Execution Via Excel
 persistence;T1137.006;powershell;['windows'];Persistent Code Execution Via PowerPoint VBA Add-in File (PPAM);f89e58f9-2b49-423b-ac95-1f3e7cfd8277;False;5
 persistence;T1505.002;powershell;['windows'];Install MS Exchange Transport Agent Persistence;43e92449-ff60-46e9-83a3-1a38089df94d;True;1
 persistence;T1556.002;powershell;['windows'];Install and Register Password Filter DLL;a7961770-beb5-4134-9674-83d7e1fa865c;True;1
-persistence;T1505.005;powershell;['windows'];Simulate Patching termsrv.dll;0b2eadeb-4a64-4449-9d43-3d999f4a317b;False;1
-persistence;T1505.005;powershell;['windows'];Modify Terminal Services DLL Path;18136e38-0530-49b2-b309-eed173787471;False;2
+persistence;T1505.005;powershell;['windows'];Simulate Patching termsrv.dll;0b2eadeb-4a64-4449-9d43-3d999f4a317b;True;1
+persistence;T1505.005;powershell;['windows'];Modify Terminal Services DLL Path;18136e38-0530-49b2-b309-eed173787471;True;2
 persistence;T1176;manual;['linux', 'windows', 'macos'];Chrome/Chromium (Developer Mode);3ecd790d-2617-4abf-9a8c-4e8d47da9ee1;False;1
 persistence;T1176;manual;['linux', 'windows', 'macos'];Chrome/Chromium (Chrome Web Store);4c83940d-8ca5-4bb2-8100-f46dc914bc3f;False;2
 persistence;T1176;manual;['linux', 'windows', 'macos'];Firefox;cb790029-17e6-4c43-b96f-002ce5f10938;False;3
@@ -1097,7 +1097,7 @@ persistence;T1546.012;powershell;['windows'];GlobalFlags in Image File Execution
 persistence;T1546.008;powershell;['windows'];Attaches Command Prompt as a Debugger to a List of Target Processes;3309f53e-b22b-4eb6-8fd2-a6cf58b355a9;True;1
 persistence;T1546.008;command_prompt;['windows'];Replace binary of sticky keys;934e90cf-29ca-48b3-863c-411737ad44e3;True;2
 persistence;T1546.008;command_prompt;['windows'];Create Symbolic Link From osk.exe to cmd.exe;51ef369c-5e87-4f33-88cd-6d61be63edf2;True;3
-persistence;T1546.008;command_prompt;['windows'];Atbroker.exe (AT) Executes Arbitrary Command via Registry Key;444ff124-4c83-4e28-8df6-6efd3ece6bd4;False;4
+persistence;T1546.008;command_prompt;['windows'];Atbroker.exe (AT) Executes Arbitrary Command via Registry Key;444ff124-4c83-4e28-8df6-6efd3ece6bd4;True;4
 persistence;T1136.002;command_prompt;['windows'];Create a new Windows domain admin user;fcec2963-9951-4173-9bfa-98d8b7834e62;True;1
 persistence;T1136.002;command_prompt;['windows'];Create a new account similar to ANONYMOUS LOGON;dc7726d2-8ccb-4cc6-af22-0d5afb53a548;True;2
 persistence;T1136.002;powershell;['windows'];Create a new Domain Account using PowerShell;5a3497a4-1568-4663-b12a-d4a5ed70c7d7;True;3
diff --git a/sigma_rule.csv b/sigma_rule.csv
index a86ab9f0..fc1dd70e 100644
--- a/sigma_rule.csv
+++ b/sigma_rule.csv
@@ -1580,7 +1580,7 @@ proc_creation_win_appvlp_uncommon_child_process.yml;False
 proc_creation_win_aspnet_compiler_exectuion.yml;False
 proc_creation_win_aspnet_compiler_susp_child_process.yml;False
 proc_creation_win_aspnet_compiler_susp_paths.yml;False
-proc_creation_win_atbroker_uncommon_ats_execution.yml;False
+proc_creation_win_atbroker_uncommon_ats_execution.yml;True
 proc_creation_win_attrib_hiding_files.yml;True
 proc_creation_win_attrib_system_susp_paths.yml;False
 proc_creation_win_at_interactive_execution.yml;True
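Review bot: The sigma_rule.csv hunks in this commit (this one at 1580 and the ones at 2111, 2349 and 2692) flip exactly five rules to True — the two atbroker rules, proc_creation_win_powershell_set_acl.yml and the two sc_sdset rules — while the yml mappings added in the same commit also reference proc_creation_win_susp_copy_system_dir.yml, file_event_win_powershell_drop_binary_or_script.yml, registry_set_terminal_server_tampering.yml, registry_set_servicedll_hijack.yml and registry_set_add_port_monitor.yml, none of which appears in any sigma_rule.csv hunk. If this file is regenerated from the yml directory those five were presumably already True from other tests and nothing is needed; if it is maintained by hand they need the same `;False` → `;True` flip, otherwise the rule coverage index will disagree with the per-test mappings. A short statement of which of the two CSVs are generated and which are hand-edited would let a reviewer check this without re-running the generator.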
@@ -2111,7 +2111,7 @@ proc_creation_win_powershell_run_script_from_input_stream.yml;False
 proc_creation_win_powershell_sam_access.yml;True
 proc_creation_win_powershell_script_engine_parent.yml;True
 proc_creation_win_powershell_service_dacl_modification_set_service.yml;False
-proc_creation_win_powershell_set_acl.yml;False
+proc_creation_win_powershell_set_acl.yml;True
 proc_creation_win_powershell_set_acl_susp_location.yml;False
 proc_creation_win_powershell_set_policies_to_unsecure_level.yml;True
 proc_creation_win_powershell_set_service_disabled.yml;False
@@ -2349,10 +2349,10 @@ proc_creation_win_sc_create_service.yml;True
 proc_creation_win_sc_disable_service.yml;False
 proc_creation_win_sc_new_kernel_driver.yml;False
 proc_creation_win_sc_query_interesting_services.yml;False
-proc_creation_win_sc_sdset_allow_service_changes.yml;False
+proc_creation_win_sc_sdset_allow_service_changes.yml;True
 proc_creation_win_sc_sdset_deny_service_access.yml;True
 proc_creation_win_sc_sdset_hide_sevices.yml;True
-proc_creation_win_sc_sdset_modification.yml;False
+proc_creation_win_sc_sdset_modification.yml;True
 proc_creation_win_sc_service_path_modification.yml;True
 proc_creation_win_sc_service_tamper_for_persistence.yml;True
 proc_creation_win_sc_stop_service.yml;True
@@ -2692,7 +2692,7 @@ registry_event_shell_open_keys_manipulation.yml;True
 registry_event_silentprocessexit_lsass.yml;False
 registry_event_ssp_added_lsa_config.yml;True
 registry_event_stickykey_like_backdoor.yml;True
-registry_event_susp_atbroker_change.yml;False
+registry_event_susp_atbroker_change.yml;True
 registry_event_susp_download_run_key.yml;False
 registry_event_susp_lsass_dll_load.yml;True
 registry_event_susp_mic_cam_access.yml;True
diff --git a/yml/0b2eadeb-4a64-4449-9d43-3d999f4a317b.yml b/yml/0b2eadeb-4a64-4449-9d43-3d999f4a317b.yml
index faad569d..e99d82df 100644
--- a/yml/0b2eadeb-4a64-4449-9d43-3d999f4a317b.yml
+++ b/yml/0b2eadeb-4a64-4449-9d43-3d999f4a317b.yml
@@ -17,5 +17,11 @@ description: | Simulates patching of termsrv.dll by making a benign change to the file and replacing it with the original afterwards. Before we can make the modifications we need to take ownership of the file and grant ourselves the necessary permissions. executor: powershell -sigma: false -sigma_rule: [] +sigma: true +sigma_rule: + - id: fff9d2b7-e11c-4a69-93d3-40ef66189767 + name: proc_creation_win_susp_copy_system_dir.yml + - id: bdeb2cff-af74-4094-8426-724dc937f20a + name: proc_creation_win_powershell_set_acl.yml + - id: 7047d730-036f-4f40-b9d8-1c63e36d5e62 + name: file_event_win_powershell_drop_binary_or_script.yml diff --git a/yml/18136e38-0530-49b2-b309-eed173787471.yml b/yml/18136e38-0530-49b2-b309-eed173787471.yml index 86561a65..11d9d892 100644 --- a/yml/18136e38-0530-49b2-b309-eed173787471.yml +++ b/yml/18136e38-0530-49b2-b309-eed173787471.yml @@ -16,5 +16,11 @@ os: description: This atomic test simulates the modification of the ServiceDll value in HKLM\System\CurrentControlSet\services\TermService\Parameters. This technique may be leveraged by adversaries to establish persistence by loading a patched version of the DLL containing malicious code. executor: powershell -sigma: false -sigma_rule: [] +sigma: true +sigma_rule: + - id: bdeb2cff-af74-4094-8426-724dc937f20a + name: proc_creation_win_powershell_set_acl.yml + - id: 3f6b7b62-61aa-45db-96bd-9c31b36b653c + name: registry_set_terminal_server_tampering.yml + - id: 612e47e9-8a59-43a6-b404-f48683f45bd6 + name: registry_set_servicedll_hijack.yml diff --git a/yml/444ff124-4c83-4e28-8df6-6efd3ece6bd4.yml b/yml/444ff124-4c83-4e28-8df6-6efd3ece6bd4.yml index f311c9bd..efeda68b 100644 --- a/yml/444ff124-4c83-4e28-8df6-6efd3ece6bd4.yml +++ b/yml/444ff124-4c83-4e28-8df6-6efd3ece6bd4.yml 
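Review bot: The new entry `name: proc_creation_win_powershell_set_acl.yml` (id bdeb2cff-af74-4094-8426-724dc937f20a) for test 18136e38 is not supported by the test's own description, which only describes changing the ServiceDll value under HKLM\System\CurrentControlSet\services\TermService\Parameters; the two registry_set rules fit that, but a Set-Acl process-creation rule only fires if the test's command actually invokes Set-Acl, which nothing in the hunk shows. If the command does call Set-Acl (for instance to adjust permissions on the key before writing it), a sentence in the description saying so would justify the mapping; if it does not, the entry should be dropped so that `sigma: true` does not overstate detection coverage. The same rule id is also mapped in the 0b2eadeb hunk above, where the description's mention of granting permissions on the file is at least consistent with it.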
@@ -28,5 +28,9 @@ description: 'Executes code specified in the registry for a new AT (Assistive Te ' executor: command_prompt -sigma: false -sigma_rule: [] +sigma: true +sigma_rule: + - id: 9577edbb-851f-4243-8c91-1d5b50c1a39b + name: registry_event_susp_atbroker_change.yml + - id: f24bcaea-0cd1-11eb-adc1-0242ac120002 + name: proc_creation_win_atbroker_uncommon_ats_execution.yml diff --git a/yml/bf07f520-3909-4ef5-aa22-877a50f2f77b.yml b/yml/bf07f520-3909-4ef5-aa22-877a50f2f77b.yml index 314f2dad..219e40d2 100644 --- a/yml/bf07f520-3909-4ef5-aa22-877a50f2f77b.yml +++ b/yml/bf07f520-3909-4ef5-aa22-877a50f2f77b.yml @@ -16,5 +16,9 @@ os: description: "Modify permissions of Service Control Manager via SDSET. This allows any administrative user to escalate privilege and create a service with SYSTEM level privileges.Restart is required.\n\ [Blog](https://0xv1n.github.io/posts/scmanager/) \n" executor: command_prompt -sigma: false -sigma_rule: [] +sigma: true +sigma_rule: + - id: 6c8fbee5-dee8-49bc-851d-c3142d02aa47 + name: proc_creation_win_sc_sdset_allow_service_changes.yml + - id: 98c5aeef-32d5-492f-b174-64a691896d25 + name: proc_creation_win_sc_sdset_modification.yml diff --git a/yml/f7d38f47-c61b-47cc-a59d-fc0368f47ed0.yml b/yml/f7d38f47-c61b-47cc-a59d-fc0368f47ed0.yml index f84266b7..b7949deb 100644 --- a/yml/f7d38f47-c61b-47cc-a59d-fc0368f47ed0.yml +++ b/yml/f7d38f47-c61b-47cc-a59d-fc0368f47ed0.yml @@ -24,5 +24,7 @@ description: | The payload source code is based on a blog post by stmxcsr: [https://stmxcsr.com/persistence/print-processor.html](https://stmxcsr.com/persistence/print-processor.html) executor: powershell -sigma: false -sigma_rule: [] +sigma: true +sigma_rule: + - id: 944e8941-f6f6-4ee8-ac05-1c224e923c0e + name: registry_set_add_port_monitor.yml
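Review bot: The only rule mapped for the Print Processors test (f7d38f47, T1547.012) is `name: registry_set_add_port_monitor.yml`, whose name points at port-monitor persistence (T1547.010) rather than the print-processor registry key this test is expected to touch. Before flipping `sigma: true` it is worth confirming that the rule's registry selection actually includes the Print Processors path and not only the port-monitor key; if it does not, the mapping gives a false sense of coverage, and the two Full_tests.csv flips for this test (hunks 677 and 1036) inherit the error. A one-line comment next to the entry naming the registry path the rule matches would make this mapping auditable for the next reviewer.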