{
"domain": "mitre-enterprise",
"name": "Sigma rules coverage (Windows)",
"gradient": {
"colors": [
"#a0eab5",
"#0f480f"
],
"maxValue": 191,
"minValue": 0
},
"version": "4.3",
"techniques": [
{
"techniqueID": "T1071.001",
"score": 200,
"comment": "proxy_powershell_ua.yml\r\nwin_exfiltration_and_tunneling_tools_execution.yml"
},
{
"techniqueID": "T1047",
"score": 200,
"comment": "zeek_dce_rpc_mitre_bzar_execution.yml\r\nwin_susp_wmi_login.yml\r\nsysmon_susp_winword_wmidll_load.yml\r\nsysmon_wmi_module_load.yml\r\nwin_mal_blue_mockingbird.yml\r\nwin_defender_psexec_wmi_asr.yml\r\npowershell_wmimplant.yml\r\nwin_bypass_squiblytwo.yml\r\nwin_crime_maze_ransomware.yml\r\nwin_html_help_spawn.yml\r\nwin_impacket_lateralization.yml\r\nwin_susp_crackmapexec_execution.yml\r\nwin_susp_wmi_execution.yml\r\nwin_wmiprvse_spawning_process.yml\r\nwin_wmi_spwns_powershell.yml"
},
{
"techniqueID": "T1053.002",
"score": 200,
"comment": "zeek_dce_rpc_mitre_bzar_execution.yml\r\nzeek_smb_converted_win_atsvc_task.yml\r\nwin_atsvc_task.yml\r\nwin_interactive_at.yml"
},
{
"techniqueID": "T1569.002",
"score": 200,
"comment": "zeek_dce_rpc_mitre_bzar_execution.yml\r\nwin_hack_smbexec.yml\r\nwin_mal_creddumper.yml\r\nwin_mal_service_installs.yml\r\nwin_defender_psexec_wmi_asr.yml\r\nwin_tool_psexec.yml\r\nwin_exploit_cve_2020_1350.yml\r\nwin_psexesvc_start.yml\r\nwin_service_execution.yml"
},
{
"techniqueID": "T1547.004",
"score": 200,
"comment": "zeek_dce_rpc_mitre_bzar_persistence.yml\r\npowershell_winlogon_helper_dll.yml"
},
{
"techniqueID": "T1003.002",
"score": 200,
"comment": "zeek_smb_converted_win_impacket_secretdump.yml\r\nzeek_smb_converted_win_transferring_files_with_credential_data.yml\r\nwin_alert_mimikatz_keywords.yml\r\nwin_impacket_secretdump.yml\r\nwin_mal_creddumper.yml\r\nwin_quarkspwdump_clearing_hive_access_history.yml\r\nwin_susp_sam_dump.yml\r\nwin_transferring_files_with_credential_data_via_network_shares.yml\r\nsysmon_cred_dump_tools_dropped_files.yml\r\nsysmon_quarkspw_filedump.yml\r\nav_password_dumper.yml\r\nwin_copying_sensitive_files_with_credential_data.yml\r\nwin_grabbing_sensitive_hives_via_reg.yml\r\nwin_mimikatz_command_line.yml\r\nwin_shadow_copies_access_symlink.yml\r\nwin_shadow_copies_creation.yml\r\nsysmon_cred_dump_tools_named_pipes.yml"
},
{
"techniqueID": "T1003.004",
"score": 200,
"comment": "zeek_smb_converted_win_impacket_secretdump.yml\r\nwin_alert_mimikatz_keywords.yml\r\nwin_dpapi_domain_backupkey_extraction.yml\r\nwin_dpapi_domain_masterkey_backup_attempt.yml\r\nwin_impacket_secretdump.yml\r\nwin_mal_creddumper.yml\r\nsysmon_cred_dump_tools_dropped_files.yml\r\nwin_grabbing_sensitive_hives_via_reg.yml\r\nwin_mimikatz_command_line.yml\r\nsysmon_cred_dump_tools_named_pipes.yml"
},
{
"techniqueID": "T1003.003",
"score": 200,
"comment": "zeek_smb_converted_win_impacket_secretdump.yml\r\nzeek_smb_converted_win_transferring_files_with_credential_data.yml\r\nwin_impacket_secretdump.yml\r\nwin_transferring_files_with_credential_data_via_network_shares.yml\r\nsysmon_cred_dump_tools_dropped_files.yml\r\nwin_apt_bear_activity_gtr19.yml\r\nwin_copying_sensitive_files_with_credential_data.yml\r\nwin_shadow_copies_access_symlink.yml\r\nwin_shadow_copies_creation.yml\r\nwin_susp_ditsnap.yml\r\nwin_susp_ntdsutil.yml"
},
{
"techniqueID": "T1021.002",
"score": 200,
"comment": "zeek_smb_converted_win_lm_namedpipe.yml\r\nzeek_smb_converted_win_susp_psexec.yml\r\nwin_admin_share_access.yml\r\nwin_hack_smbexec.yml\r\nwin_lm_namedpipe.yml\r\nwin_metasploit_authentication.yml\r\nwin_protected_storage_service_access.yml\r\nwin_susp_psexec.yml\r\nwin_svcctl_remote_service.yml\r\nwin_apt_turla_commands.yml\r\nwin_susp_copy_lateral_movement.yml\r\nwin_susp_net_execution.yml"
},
{
"techniqueID": "T1003.001",
"score": 200,
"comment": "zeek_smb_converted_win_transferring_files_with_credential_data.yml\r\nwin_alert_lsass_access.yml\r\nwin_alert_mimikatz_keywords.yml\r\nwin_lsass_access_non_system_account.yml\r\nwin_mal_creddumper.yml\r\nwin_susp_lsass_dump.yml\r\nwin_susp_lsass_dump_generic.yml\r\nwin_transferring_files_with_credential_data_via_network_shares.yml\r\nsysmon_cred_dump_tools_dropped_files.yml\r\nsysmon_ghostpack_safetykatz.yml\r\nsysmon_hack_dumpert.yml\r\nsysmon_lsass_memory_dump_file_creation.yml\r\nsysmon_suspicious_dbghelp_dbgcore_load.yml\r\nsysmon_unsigned_image_loaded_into_lsass.yml\r\nav_password_dumper.yml\r\nsysmon_cred_dump_lsass_access.yml\r\nsysmon_lazagne_cred_dump_lsass_access.yml\r\nsysmon_lsass_memdump.yml\r\nsysmon_mimikatz_trough_winrm.yml\r\nsysmon_hack_wce.yml\r\nwin_apt_judgement_panda_gtr19.yml\r\nwin_hktl_createminidump.yml\r\nwin_lsass_dump.yml\r\nwin_malware_notpetya.yml\r\nwin_mimikatz_command_line.yml\r\nwin_process_dump_rundll32_comsvcs.yml\r\nwin_susp_comsvcs_procdump.yml\r\nwin_susp_procdump.yml\r\nsysmon_hack_wce_reg.yml\r\nsysmon_cred_dump_tools_named_pipes.yml\r\nsysmon_password_dumper_lsass.yml"
},
{
"techniqueID": "T1547.001",
"score": 200,
"comment": "apt_silence_downloader_v3.yml\r\nwin_malware_ryuk.yml\r\nwin_susp_direct_asep_reg_keys_modification.yml\r\nsysmon_apt_leviathan.yml\r\nsysmon_asep_reg_keys_modification.yml\r\nsysmon_narrator_feedback_persistance.yml\r\nsysmon_susp_download_run_key.yml\r\nsysmon_susp_reg_persist_explorer_run.yml\r\nsysmon_susp_run_key_img_folder.yml"
},
{
"techniqueID": "T1057",
"score": 200,
"comment": "apt_silence_downloader_v3.yml"
},
{
"techniqueID": "T1082",
"score": 200,
"comment": "apt_silence_downloader_v3.yml\r\nwin_susp_commands_recon_activity.yml"
},
{
"techniqueID": "T1016",
"score": 200,
"comment": "apt_silence_downloader_v3.yml"
},
{
"techniqueID": "T1033",
"score": 200,
"comment": "apt_silence_downloader_v3.yml\r\nwin_local_system_owner_account_discovery.yml\r\nwin_malware_dridex.yml\r\nwin_susp_whoami.yml\r\nwin_whoami_as_system.yml"
},
{
"techniqueID": "T1059.001",
"score": 200,
"comment": "apt_silence_eda.yml\r\nwin_applocker_file_was_not_allowed_to_run.yml\r\nwin_remote_powershell_session.yml\r\nsysmon_powershell_exploit_scripts.yml\r\nsysmon_in_memory_powershell.yml\r\nsysmon_powershell_execution_moduleload.yml\r\nsysmon_powershell_network_connection.yml\r\nsysmon_remote_powershell_session_network.yml\r\npowershell_alternate_powershell_hosts.yml\r\npowershell_create_local_user.yml\r\npowershell_dnscat_execution.yml\r\npowershell_downgrade_attack.yml\r\npowershell_exe_calling_ps.yml\r\npowershell_invoke_obfuscation_obfuscated_iex.yml\r\npowershell_malicious_commandlets.yml\r\npowershell_malicious_keywords.yml\r\npowershell_nishang_malicious_commandlets.yml\r\npowershell_ntfs_ads_access.yml\r\npowershell_prompt_credentials.yml\r\npowershell_psattack.yml\r\npowershell_remote_powershell_session.yml\r\npowershell_shellcode_b64.yml\r\npowershell_suspicious_download.yml\r\npowershell_suspicious_invocation_generic.yml\r\npowershell_suspicious_invocation_specific.yml\r\npowershell_suspicious_keywords.yml\r\npowershell_wmimplant.yml\r\npowershell_xor_commandline.yml\r\nwin_powershell_web_request.yml\r\nsysmon_mimikatz_trough_winrm.yml\r\nwin_apt_apt29_thinktanks.yml\r\nwin_apt_babyshark.yml\r\nwin_apt_greenbug_may20.yml\r\nwin_apt_tropictrooper.yml\r\nwin_apt_turla_comrat_may20.yml\r\nwin_apt_wocao.yml\r\nwin_encoded_frombase64string.yml\r\nwin_encoded_iex.yml\r\nwin_exploit_cve_2020_10189.yml\r\nwin_exploit_cve_2020_1048.yml\r\nwin_hack_bloodhound.yml\r\nwin_html_help_spawn.yml\r\nwin_invoke_obfuscation_obfuscated_iex_commandline.yml\r\nwin_malware_emotet.yml\r\nwin_non_interactive_powershell.yml\r\nwin_powershell_downgrade_attack.yml\r\nwin_powershell_download.yml\r\nwin_powershell_frombase64string.yml\r\nwin_powershell_suspicious_parameter_variation.yml\r\nwin_powershell_xor_commandline.yml\r\nwin_powersploit_empire_schtasks.yml\r\nwin_remote_powershell_session_process.yml\r\nwin_shell_spawn_susp_program.yml\r\nwin_susp_cmd_http_appdata.yml\r\nwin_susp_covenant.yml\r\nwin_susp_crackmapexec_execution.yml\r\nwin_susp_crackmapexec_powershell_obfuscation.yml\r\nwin_susp_powershell_empire_launch.yml\r\nwin_susp_powershell_encoded_param.yml\r\nwin_susp_powershell_enc_cmd.yml\r\nwin_susp_powershell_hidden_b64_cmd.yml\r\nwin_susp_powershell_parent_combo.yml\r\nwin_susp_powershell_parent_process.yml\r\nwin_susp_ps_appdata.yml\r\nwin_susp_ps_downloadfile.yml\r\nwin_wmi_spwns_powershell.yml\r\nsysmon_alternate_powershell_hosts_pipe.yml\r\nsysmon_susp_powershell_rundll32.yml"
},
{
"techniqueID": "T1071.004",
"score": 200,
"comment": "apt_silence_eda.yml\r\nsysmon_apt_muddywater_dnstunnel.yml\r\nwin_apt_chafer_mar18.yml\r\nwin_dnscat2_powershell_implementation.yml\r\nwin_dns_exfiltration_tools_execution.yml"
},
{
"techniqueID": "T1572",
"score": 200,
"comment": "apt_silence_eda.yml\r\nsysmon_rdp_reverse_tunnel.yml\r\nwin_exfiltration_and_tunneling_tools_execution.yml"
},
{
"techniqueID": "T1529",
"score": 200,
"comment": "apt_silence_eda.yml"
},
{
"techniqueID": "T1098",
"score": 200,
"comment": "win_account_backdoor_dcsync_rights.yml\r\nwin_alert_active_directory_user_control.yml\r\nwin_alert_ad_user_backdoors.yml\r\nwin_susp_dsrm_password_change.yml\r\nwin_user_added_to_local_administrators.yml"
},
{
"techniqueID": "T1087.002",
"score": 200,
"comment": "win_account_discovery.yml\r\nwin_ad_user_enumeration.yml\r\nwin_global_catalog_enumeration.yml\r\nwin_susp_net_recon_activity.yml\r\nwin_hack_bloodhound.yml\r\nwin_susp_net_execution.yml\r\nwin_susp_recon_activity.yml"
},
{
"techniqueID": "T1078.001",
"score": 200,
"comment": "win_admin_rdp_login.yml"
},
{
"techniqueID": "T1078.002",
"score": 200,
"comment": "win_admin_rdp_login.yml"
},
{
"techniqueID": "T1078.003",
"score": 200,
"comment": "win_admin_rdp_login.yml"
},
{
"techniqueID": "T1222.001",
"score": 200,
"comment": "win_ad_object_writedac_access.yml\r\nwin_malware_wannacry.yml"
},
{
"techniqueID": "T1003.006",
"score": 200,
"comment": "win_ad_replication_non_machine_account.yml\r\nwin_alert_mimikatz_keywords.yml\r\nwin_dcsync.yml\r\nwin_mal_creddumper.yml\r\nwin_mimikatz_command_line.yml"
},
{
"techniqueID": "T1562.001",
"score": 200,
"comment": "win_alert_enable_weak_encryption.yml\r\nwin_net_ntlm_downgrade.yml\r\nwin_susp_msmpeng_crash.yml\r\nwin_user_driver_loaded.yml\r\nsysmon_susp_procexplorer_driver_created_in_tmp_folder.yml\r\nwin_defender_bypass.yml\r\nwin_defender_disabled.yml\r\nwin_apt_ke3chang_regadd.yml\r\nwin_powershell_amsi_bypass.yml\r\nwin_susp_disable_ie_features.yml\r\nsysmon_disable_security_events_logging_adding_reg_key_minint.yml\r\nsysmon_susp_service_installed.yml"
},
{
"techniqueID": "T1087",
"score": 200,
"comment": "win_alert_ruler.yml\r\nwin_susp_commands_recon_activity.yml"
},
{
"techniqueID": "T1114",
"score": 200,
"comment": "win_alert_ruler.yml"
},
{
"techniqueID": "T1059",
"score": 200,
"comment": "win_alert_ruler.yml\r\nwin_apt_turla_commands.yml\r\nwin_susp_outlook.yml\r\nwin_susp_rasdial_activity.yml"
},
{
"techniqueID": "T1550.002",
"score": 200,
"comment": "win_alert_ruler.yml\r\nwin_overpass_the_hash.yml\r\nwin_pass_the_hash.yml\r\nwin_pass_the_hash_2.yml\r\nwin_susp_ntlm_auth.yml"
},
{
"techniqueID": "T1204.002",
"score": 200,
"comment": "win_applocker_file_was_not_allowed_to_run.yml\r\nsysmon_susp_office_dotnet_assembly_dll_load.yml\r\nsysmon_susp_office_dotnet_clr_dll_load.yml\r\nsysmon_susp_office_dotnet_gac_dll_load.yml\r\nsysmon_susp_office_dsparse_dll_load.yml\r\nsysmon_susp_office_kerberos_dll_load.yml\r\nsysmon_susp_winword_vbadll_load.yml\r\nwin_crime_maze_ransomware.yml\r\nwin_exploit_cve_2017_0261.yml\r\nwin_exploit_cve_2017_11882.yml\r\nwin_exploit_cve_2017_8759.yml\r\nwin_office_shell.yml\r\nwin_office_spawn_exe_from_users_directory.yml"
},
{
"techniqueID": "T1059.003",
"score": 200,
"comment": "win_applocker_file_was_not_allowed_to_run.yml\r\nwin_apt_babyshark.yml\r\nwin_apt_elise.yml\r\nwin_apt_sofacy.yml\r\nwin_apt_zxshell.yml\r\nwin_commandline_path_traversal.yml\r\nwin_exploit_cve_2019_1378.yml\r\nwin_exploit_cve_2020_10189.yml\r\nwin_hack_koadic.yml\r\nwin_html_help_spawn.yml\r\nwin_hwp_exploits.yml\r\nwin_redmimicry_winnti_proc.yml\r\nwin_susp_cmd_http_appdata.yml\r\nwin_susp_crackmapexec_execution.yml"
},
{
"techniqueID": "T1059.005",
"score": 200,
"comment": "win_applocker_file_was_not_allowed_to_run.yml\r\nwin_apt_cloudhopper.yml\r\nwin_bypass_squiblytwo.yml\r\nwin_hack_koadic.yml\r\nwin_html_help_spawn.yml\r\nwin_malware_qbot.yml\r\nwin_malware_script_dropper.yml\r\nwin_mal_adwind.yml\r\nwin_shell_spawn_susp_program.yml\r\nwin_susp_bginfo.yml\r\nwin_susp_csc.yml\r\nwin_susp_script_execution.yml\r\nsysmon_cactustorch.yml\r\nsysmon_wmi_susp_scripting.yml"
},
{
"techniqueID": "T1059.006",
"score": 200,
"comment": "win_applocker_file_was_not_allowed_to_run.yml\r\nwin_susp_file_characteristics.yml"
},
{
"techniqueID": "T1059.007",
"score": 200,
"comment": "win_applocker_file_was_not_allowed_to_run.yml\r\nwin_bypass_squiblytwo.yml\r\nwin_hack_koadic.yml\r\nwin_html_help_spawn.yml\r\nwin_malware_script_dropper.yml\r\nwin_mal_adwind.yml\r\nwin_susp_csc.yml\r\nwin_susp_script_execution.yml\r\nsysmon_cactustorch.yml"
},
{
"techniqueID": "T1543.003",
"score": 200,
"comment": "win_apt_apt29_tor.yml\r\nwin_apt_carbonpaper_turla.yml\r\nwin_apt_stonedrill.yml\r\nwin_apt_turla_service_png.yml\r\nwin_mal_service_installs.yml\r\nwin_rare_service_installs.yml\r\nsysmon_susp_driver_load.yml\r\nwin_apt_chafer_mar18.yml\r\nwin_new_service_creation.yml\r\nwin_susp_service_path_modification.yml"
},
{
"techniqueID": "T1203",
"score": 200,
"comment": "win_audit_cve.yml\r\nav_exploiting.yml\r\nwin_exploit_cve_2017_0261.yml\r\nwin_exploit_cve_2017_11882.yml\r\nwin_exploit_cve_2017_8759.yml\r\nwin_hwp_exploits.yml"
},
{
"techniqueID": "T1562.002",
"score": 200,
"comment": "sysmon_invoke_phantom.yml"
},
{
"techniqueID": "T1068",
"score": 200,
"comment": "win_audit_cve.yml\r\nwin_apt_hurricane_panda.yml\r\nwin_exploit_cve_2019_1378.yml\r\nwin_exploit_cve_2019_1388.yml\r\nwin_kernel_and_3rd_party_drivers_exploits_token_stealing.yml"
},
{
"techniqueID": "T1211",
"score": 200,
"comment": "win_audit_cve.yml\r\nwin_susp_msmpeng_crash.yml"
},
{
"techniqueID": "T1212",
"score": 200,
"comment": "win_audit_cve.yml\r\nwin_susp_kerberos_manipulation.yml\r\nwin_susp_samr_pwset.yml"
},
{
"techniqueID": "T1210",
"score": 200,
"comment": "win_audit_cve.yml\r\nwin_rdp_bluekeep_poc_scanner.yml\r\nwin_rdp_potential_cve-2019-0708.yml\r\nwin_malware_wannacry.yml\r\nwin_termserv_proc_spawn.yml"
},
{
"techniqueID": "T1499.004",
"score": 200,
"comment": "win_audit_cve.yml"
},
{
"techniqueID": "T1562.006",
"score": 200,
"comment": "win_disable_event_logging.yml"
},
{
"techniqueID": "T1112",
"score": 200,
"comment": "win_etw_modification.yml\r\nwin_net_ntlm_downgrade.yml\r\nwin_remote_registry_management_using_reg_utility.yml\r\nmal_azorult_reg.yml\r\nwin_mal_blue_mockingbird.yml\r\nwin_mal_flowcloud.yml\r\nwin_mal_ursnif.yml\r\nwin_apt_chafer_mar18.yml\r\nsysmon_apt_oceanlotus_registry.yml\r\nsysmon_cve-2020-1048.yml\r\nsysmon_dhcp_calloutdll.yml\r\nsysmon_disable_security_events_logging_adding_reg_key_minint.yml\r\nsysmon_dns_serverlevelplugindll.yml\r\nsysmon_etw_disabled.yml\r\nsysmon_rdp_registry_modification.yml\r\nsysmon_rdp_settings_hijack.yml\r\nsysmon_redmimicry_winnti_reg.yml\r\nsysmon_reg_office_security.yml"
},
{
"techniqueID": "T1091",
"score": 200,
"comment": "win_external_device.yml"
},
{
"techniqueID": "T1200",
"score": 200,
"comment": "win_external_device.yml\r\nwin_usb_device_plugged.yml"
},
{
"techniqueID": "T1053.005",
"score": 200,
"comment": "win_GPO_scheduledtasks.yml\r\nwin_rare_schtasks_creations.yml\r\nwin_rare_schtask_creation.yml\r\nwin_apt_chafer_mar18.yml\r\nwin_apt_turla_comrat_may20.yml\r\nwin_apt_wocao.yml\r\nwin_powersploit_empire_schtasks.yml\r\nwin_susp_schtask_creation.yml\r\nwin_win10_sched_task_0day.yml"
},
{
"techniqueID": "T1027",
"score": 200,
"comment": "win_invoke_obfuscation_obfuscated_iex_services.yml\r\nsysmon_redmimicry_winnti_filedrop.yml\r\npowershell_invoke_obfuscation_obfuscated_iex.yml\r\nwin_apt_turla_comrat_may20.yml\r\nwin_apt_wocao.yml\r\nwin_invoke_obfuscation_obfuscated_iex_commandline.yml\r\nwin_malware_emotet.yml\r\nwin_powershell_b64_shellcode.yml\r\nwin_powershell_frombase64string.yml\r\nwin_powershell_xor_commandline.yml\r\nwin_susp_certutil_encode.yml\r\nwin_susp_ping_hex_ip.yml\r\nwin_susp_powershell_encoded_param.yml"
},
{
"techniqueID": "T1003.005",
"score": 200,
"comment": "win_mal_creddumper.yml\r\nsysmon_cred_dump_tools_dropped_files.yml\r\nwin_cmdkey_recon.yml\r\nwin_grabbing_sensitive_hives_via_reg.yml\r\nwin_mimikatz_command_line.yml\r\nsysmon_cred_dump_tools_named_pipes.yml"
},
{
"techniqueID": "T1003",
"score": 200,
"comment": "win_mal_service_installs.yml\r\nwin_mal_wceaux_dll.yml\r\nsysmon_mimikatz_detection_lsass.yml\r\nwin_susp_vssadmin_ntds_activity.yml\r\nsysmon_mimikatz_inmemory_detection.yml\r\nav_password_dumper.yml\r\nsysmon_mimikatz_trough_winrm.yml\r\nwin_hack_rubeus.yml\r\nwin_shadow_copies_creation.yml"
},
{
"techniqueID": "T1134.001",
"score": 200,
"comment": "win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml\r\nwin_meterpreter_or_cobaltstrike_getsystem_service_start.yml"
},
{
"techniqueID": "T1134.002",
"score": 200,
"comment": "win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml\r\nwin_meterpreter_or_cobaltstrike_getsystem_service_start.yml\r\nwin_possible_privilege_escalation_using_rotten_potato.yml"
},
{
"techniqueID": "T1021.003",
"score": 200,
"comment": "win_mmc20_lateral_movement.yml\r\nwin_impacket_lateralization.yml\r\nwin_mmc_spawn_shell.yml"
},
{
"techniqueID": "T1036",
"score": 200,
"comment": "win_new_or_renamed_user_account_with_dollar_sign.yml\r\nwin_process_dump_rundll32_comsvcs.yml\r\nwin_susp_calc.yml\r\nwin_susp_execution_path.yml\r\nwin_susp_exec_folder.yml\r\nwin_susp_explorer_break_proctree.yml\r\nwin_susp_findstr_lnk.yml\r\nwin_susp_procdump.yml\r\nwin_susp_prog_location_process_starts.yml\r\nwin_susp_renamed_dctask64.yml\r\nwin_susp_run_locations.yml\r\nwin_susp_taskmgr_localsystem.yml\r\nwin_susp_taskmgr_parent.yml\r\nwin_system_exe_anomaly.yml"
},
{
"techniqueID": "T1021.001",
"score": 200,
"comment": "win_not_allowed_rdp_access.yml\r\nwin_rdp_localhost_login.yml\r\nwin_rdp_reverse_tunnel.yml\r\nsysmon_rdp_reverse_tunnel.yml\r\nsysmon_susp_rdp.yml"
},
{
"techniqueID": "T1207",
"score": 200,
"comment": "win_possible_dc_shadow.yml"
},
{
"techniqueID": "T1090.001",
"score": 200,
"comment": "win_rdp_reverse_tunnel.yml"
},
{
"techniqueID": "T1090.002",
"score": 200,
"comment": "win_rdp_reverse_tunnel.yml"
},
{
"techniqueID": "T1558.003",
"score": 200,
"comment": "win_register_new_logon_process_by_rubeus.yml\r\nwin_suspicious_outbound_kerberos_connection.yml\r\nwin_susp_rc4_kerberos.yml\r\nwin_user_couldnt_call_privileged_service_lsaregisterlogonprocess.yml\r\nwin_hack_rubeus.yml\r\nwin_spn_enum.yml"
},
{
"techniqueID": "T1012",
"score": 200,
"comment": "win_remote_registry_management_using_reg_utility.yml\r\nwin_sam_registry_hive_handle_request.yml\r\nwin_syskey_registry_access.yml\r\nwin_apt_babyshark.yml\r\nwin_apt_wocao.yml\r\nwin_query_registry.yml"
},
{
"techniqueID": "T1552.002",
"score": 200,
"comment": "win_remote_registry_management_using_reg_utility.yml\r\nwin_sam_registry_hive_handle_request.yml"
},
{
"techniqueID": "T1134.005",
"score": 200,
"comment": "win_susp_add_sid_history.yml"
},
{
"techniqueID": "T1070.004",
"score": 200,
"comment": "win_susp_backup_delete.yml\r\nwin_susp_sdelete.yml"
},
{
"techniqueID": "T1027.001",
"score": 200,
"comment": "win_susp_codeintegrity_check_failure.yml"
},
{
"techniqueID": "T1574.002",
"score": 200,
"comment": "win_susp_dhcp_config.yml\r\nwin_susp_dhcp_config_failed.yml\r\nwin_susp_dns_config.yml\r\nsysmon_susp_fax_dll.yml\r\nsysmon_susp_image_load.yml\r\nsysmon_svchost_dll_search_order_hijack.yml\r\nwin_apt_emissarypanda_sep19.yml\r\nwin_apt_winnti_mal_hk_jan20.yml\r\nwin_apt_winnti_pipemon.yml\r\nwin_plugx_susp_exe_locations.yml\r\nwin_susp_gup.yml\r\nwin_task_folder_evasion.yml\r\nsysmon_dhcp_calloutdll.yml\r\nsysmon_dns_serverlevelplugindll.yml\r\nsysmon_abusing_azure_browser_sso.yml"
},
{
"techniqueID": "T1070.001",
"score": 200,
"comment": "win_susp_eventlog_cleared.yml\r\nwin_susp_security_eventlog_cleared.yml\r\nwin_malware_notpetya.yml\r\nwin_susp_eventlog_clear.yml"
},
{
"techniqueID": "T1078",
"score": 200,
"comment": "win_susp_failed_logons_single_source.yml\r\nwin_susp_failed_logon_reasons.yml\r\nwin_susp_failed_logon_source.yml\r\nwin_susp_interactive_logons.yml\r\nwin_user_added_to_local_administrators.yml"
},
{
"techniqueID": "T1190",
"score": 200,
"comment": "win_susp_failed_logon_source.yml\r\nwin_vul_cve_2020_0688.yml\r\nwin_exploit_cve_2020_10189.yml\r\nwin_exploit_cve_2020_1350.yml\r\nwin_termserv_proc_spawn.yml"
},
{
"techniqueID": "T1133",
"score": 200,
"comment": "win_susp_failed_logon_source.yml"
},
{
"techniqueID": "T1001.003",
"score": 200,
"comment": "win_susp_ldap_dataexchange.yml\r\nsysmon_susp_adsi_cache_usage.yml\r\nwin_dnscat2_powershell_implementation.yml"
},
{
"techniqueID": "T1136.001",
"score": 200,
"comment": "win_susp_local_anon_logon_created.yml\r\nwin_user_creation.yml\r\npowershell_create_local_user.yml\r\nwin_net_user_add.yml"
},
{
"techniqueID": "T1136.002",
"score": 200,
"comment": "win_susp_local_anon_logon_created.yml"
},
{
"techniqueID": "T1140",
"score": 200,
"comment": "win_susp_mshta_execution.yml\r\nwin_encoded_frombase64string.yml\r\nwin_powershell_frombase64string.yml\r\nwin_powershell_xor_commandline.yml\r\nwin_susp_certutil_command.yml\r\nwin_susp_cli_escape.yml\r\nwin_susp_ping_hex_ip.yml"
},
{
"techniqueID": "T1218.005",
"score": 200,
"comment": "win_susp_mshta_execution.yml\r\nwin_apt_babyshark.yml\r\nwin_lethalhta.yml\r\nwin_mshta_javascript.yml\r\nwin_mshta_spawn_shell.yml\r\nwin_possible_applocker_bypass.yml\r\nwin_susp_csc.yml\r\nsysmon_cactustorch.yml"
},
{
"techniqueID": "T1069.002",
"score": 200,
"comment": "win_susp_net_recon_activity.yml\r\nwin_hack_bloodhound.yml\r\nwin_susp_net_execution.yml"
},
{
"techniqueID": "T1219",
"score": 200,
"comment": "win_susp_ntlm_rdp.yml\r\nav_exploiting.yml\r\nwin_susp_tscon_localsystem.yml"
},
{
"techniqueID": "T1039",
"score": 200,
"comment": "win_susp_raccess_sensitive_fext.yml"
},
{
"techniqueID": "T1557.001",
"score": 200,
"comment": "win_susp_rottenpotato.yml"
},
{
"techniqueID": "T1027.005",
"score": 200,
"comment": "win_susp_sdelete.yml\r\nwin_susp_crackmapexec_powershell_obfuscation.yml"
},
{
"techniqueID": "T1485",
"score": 200,
"comment": "win_susp_sdelete.yml"
},
{
"techniqueID": "T1553.002",
"score": 200,
"comment": "win_susp_sdelete.yml"
},
{
"techniqueID": "T1070.006",
"score": 200,
"comment": "win_susp_time_modification.yml"
},
{
"techniqueID": "T1048",
"score": 200,
"comment": "win_tap_driver_installation.yml\r\npowershell_dnscat_execution.yml\r\nwin_tap_installer_execution.yml"
},
{
"techniqueID": "T1218",
"score": 200,
"comment": "win_susp_esentutl_activity.yml\r\nsysmon_dllhost_net_connections.yml\r\nwin_mavinject_proc_inj.yml\r\nwin_possible_applocker_bypass.yml\r\nwin_shell_spawn_susp_program.yml\r\nwin_susp_bginfo.yml\r\nwin_susp_cdb.yml\r\nwin_susp_curl_start_combo.yml\r\nwin_susp_devtoolslauncher.yml\r\nwin_susp_dnx.yml\r\nwin_susp_dxcap.yml\r\nwin_susp_openwith.yml\r\nwin_susp_renamed_dctask64.yml\r\nwin_susp_squirrel_lolbin.yml"
},
{
"techniqueID": "T1036.005",
"score": 200,
"comment": "sysmon_creation_system_file.yml\r\nwin_apt_greenbug_may20.yml\r\nwin_apt_lazarus_session_highjack.yml\r\nwin_exploit_cve_2015_1641.yml\r\nwin_proc_wrong_parent.yml\r\nwin_susp_msiexec_cwd.yml\r\nwin_susp_svchost.yml"
},
{
"techniqueID": "T1137.006",
"score": 200,
"comment": "sysmon_office_persistence.yml"
},
{
"techniqueID": "T1547.009",
"score": 200,
"comment": "sysmon_susp_desktop_ini.yml"
},
{
"techniqueID": "T1505.003",
"score": 200,
"comment": "sysmon_webshell_creation_detect.yml\r\nav_webshell.yml\r\nwin_susp_execution_path_webserver.yml\r\nwin_susp_iss_module_install.yml\r\nwin_webshell_detection.yml\r\nwin_webshell_recon_detection.yml\r\nwin_webshell_spawn.yml"
},
{
"techniqueID": "T1546.003",
"score": 200,
"comment": "sysmon_wmi_persistence_script_event_consumer_write.yml\r\nsysmon_wmi_persistence_commandline_event_consumer.yml\r\nwin_wmi_persistence.yml\r\nwin_wmi_backdoor_exchange_transport_agent.yml\r\nwin_wmi_persistence_script_event_consumer.yml\r\nsysmon_wmi_event_subscription.yml"
},
{
"techniqueID": "T1105",
"score": 200,
"comment": "win_susp_desktopimgdownldr_file.yml\r\nsysmon_win_binary_github_com.yml\r\nsysmon_win_binary_susp_com.yml\r\nwin_apt_greenbug_may20.yml\r\nwin_susp_certutil_command.yml\r\nwin_susp_cmd_http_appdata.yml\r\nwin_susp_copy_lateral_movement.yml\r\nwin_susp_curl_download.yml\r\nwin_susp_curl_start_combo.yml\r\nwin_susp_desktopimgdownldr.yml\r\nwin_susp_msiexec_web_install.yml\r\nwin_susp_msoffice.yml\r\nwin_susp_ps_downloadfile.yml\r\nsysmon_apt_pandemic.yml"
},
{
"techniqueID": "T1574.001",
"score": 200,
"comment": "sysmon_susp_fax_dll.yml\r\nsysmon_svchost_dll_search_order_hijack.yml\r\nsysmon_registry_persistence_search_order.yml"
},
{
"techniqueID": "T1558",
"score": 200,
"comment": "av_password_dumper.yml\r\nsysmon_suspicious_outbound_kerberos_connection.yml"
},
{
"techniqueID": "T1100",
"score": 200,
"comment": "av_webshell.yml"
},
{
"techniqueID": "T1195",
"score": 200,
"comment": "win_mal_octopus_scanner.yml"
},
{
"techniqueID": "T1195.001",
"score": 200,
"comment": "win_mal_octopus_scanner.yml"
},
{
"techniqueID": "T1559.001",
"score": 200,
"comment": "sysmon_dllhost_net_connections.yml\r\nsysmon_regsvr32_network_activity.yml\r\nsysmon_cmstp_execution.yml"
},
{
"techniqueID": "T1571",
"score": 200,
"comment": "sysmon_malware_backconnect_ports.yml"
},
{
"techniqueID": "T1055",
"score": 200,
"comment": "sysmon_notepad_network_connection.yml\r\npowershell_shellcode_b64.yml\r\nsysmon_malware_verclsid_shellcode.yml\r\nwin_malware_dridex.yml\r\nwin_susp_svchost_no_cli.yml\r\nsysmon_mal_namedpipes.yml\r\nsysmon_suspicious_remote_thread.yml"
},
{
"techniqueID": "T1218.010",
"score": 200,
"comment": "sysmon_regsvr32_network_activity.yml\r\nwin_apt_bluemashroom.yml\r\nwin_apt_empiremonkey.yml\r\nwin_html_help_spawn.yml\r\nwin_susp_mpcmdrun_download.yml\r\nwin_susp_regsvr32_anomalies.yml\r\nwin_susp_regsvr32_flags_anomaly.yml"
},
{
"techniqueID": "T1021.006",
"score": 200,
"comment": "sysmon_remote_powershell_session_network.yml\r\npowershell_remote_powershell_session.yml\r\nsysmon_mimikatz_trough_winrm.yml"
},
{
"techniqueID": "T1218.011",
"score": 200,
"comment": "sysmon_rundll32_net_connections.yml\r\nwin_apt_equationgroup_dll_u_load.yml\r\nwin_apt_evilnum_jul20.yml\r\nwin_apt_sofacy.yml\r\nwin_apt_unidentified_nov_18.yml\r\nwin_apt_zxshell.yml\r\nwin_crime_fireball.yml\r\nwin_html_help_spawn.yml\r\nwin_malware_notpetya.yml\r\nwin_powershell_dll_execution.yml\r\nwin_redmimicry_winnti_proc.yml\r\nwin_susp_comsvcs_procdump.yml\r\nwin_susp_control_dll_load.yml\r\nwin_susp_rundll32_activity.yml\r\nwin_susp_rundll32_by_ordinal.yml\r\nsysmon_susp_powershell_rundll32.yml"
},
{
"techniqueID": "T1550.003",
"score": 200,
"comment": "sysmon_suspicious_outbound_kerberos_connection.yml\r\nwin_hack_rubeus.yml"
},
{
"techniqueID": "T1567.001",
"score": 200,
"comment": "sysmon_win_binary_github_com.yml"
},
{
"techniqueID": "T1570",
"score": 200,
"comment": "win_defender_psexec_wmi_asr.yml"
},
{
"techniqueID": "T1569",
"score": 200,
"comment": "win_defender_psexec_wmi_asr.yml"
},
{
"techniqueID": "T1040",
"score": 200,
"comment": "win_pcap_drivers.yml\r\nwin_netsh_packet_capture.yml\r\nwin_netsh_wifi_credential_harvesting.yml\r\nwin_network_sniffing.yml"
},
{
"techniqueID": "T1070.003",
"score": 200,
"comment": "powershell_clear_powershell_history.yml"
},
{
"techniqueID": "T1560",
"score": 200,
"comment": "powershell_data_compressed.yml"
},
{
"techniqueID": "T1086",
"score": 200,
"comment": "powershell_invoke_obfuscation_obfuscated_iex.yml\r\npowershell_malicious_commandlets.yml\r\npowershell_malicious_keywords.yml\r\npowershell_nishang_malicious_commandlets.yml\r\npowershell_psattack.yml\r\npowershell_remote_powershell_session.yml\r\npowershell_shellcode_b64.yml\r\npowershell_suspicious_download.yml\r\npowershell_suspicious_invocation_generic.yml\r\npowershell_suspicious_invocation_specific.yml\r\npowershell_suspicious_keywords.yml\r\npowershell_wmimplant.yml\r\npowershell_xor_commandline.yml\r\nwin_powershell_web_request.yml\r\nsysmon_mimikatz_trough_winrm.yml\r\nwin_apt_greenbug_may20.yml\r\nwin_exploit_cve_2020_1048.yml\r\nwin_invoke_obfuscation_obfuscated_iex_commandline.yml"
},
{
"techniqueID": "T1564.004",
"score": 200,
"comment": "powershell_ntfs_ads_access.yml\r\nwin_run_powershell_script_from_ads.yml\r\nsysmon_ads_executable.yml"
},
{
"techniqueID": "T1028",
"score": 200,
"comment": "powershell_remote_powershell_session.yml\r\nsysmon_mimikatz_trough_winrm.yml"
},
{
"techniqueID": "T1546.013",
"score": 200,
"comment": "powershell_suspicious_profile_create.yml"
},
{
"techniqueID": "T1218.003",
"score": 200,
      "comment": "sysmon_cmstp_execution.yml\r\nwin_cmstp_com_object_access.yml\r\nwin_uac_cmstp.yml"
},
{
"techniqueID": "T1055.001",
"score": 200,
"comment": "sysmon_in_memory_assembly_execution.yml\r\nwin_apt_taidoor.yml\r\nwin_mavinject_proc_inj.yml\r\nwin_susp_dctask64_proc_inject.yml\r\nwin_susp_renamed_dctask64.yml\r\nsysmon_cobaltstrike_process_injection.yml\r\nsysmon_createremotethread_loadlibrary.yml"
},
{
"techniqueID": "T1055.002",
"score": 200,
"comment": "sysmon_in_memory_assembly_execution.yml"
},
{
"techniqueID": "T1037.001",
"score": 200,
"comment": "sysmon_logon_scripts_userinitmprlogonscript_proc.yml\r\nsysmon_logon_scripts_userinitmprlogonscript_reg.yml"
},
{
"techniqueID": "T1046",
"score": 200,
"comment": "win_advanced_ip_scanner.yml"
},
{
"techniqueID": "T1552.001",
"score": 200,
"comment": "win_apt_bear_activity_gtr19.yml"
},
{
"techniqueID": "T1560.001",
"score": 200,
"comment": "win_apt_judgement_panda_gtr19.yml\r\nwin_data_compressed_with_rar.yml\r\nwin_susp_compression_params.yml\r\nwin_susp_rar_flags.yml"
},
{
"techniqueID": "T1036.003",
"score": 200,
"comment": "win_apt_ta17_293a_ps.yml\r\nwin_process_creation_bitsadmin_download.yml\r\nwin_proc_wrong_parent.yml\r\nwin_renamed_binary.yml\r\nwin_renamed_binary_highly_relevant.yml\r\nwin_renamed_jusched.yml\r\nwin_renamed_paexec.yml\r\nwin_renamed_powershell.yml\r\nwin_renamed_procdump.yml\r\nwin_renamed_psexec.yml\r\nwin_susp_copy_system32.yml"
},
{
"techniqueID": "T1083",
"score": 200,
"comment": "win_apt_turla_commands.yml\r\nwin_malware_wannacry.yml"
},
{
"techniqueID": "T1135",
"score": 200,
"comment": "win_apt_turla_commands.yml\r\nwin_malware_dridex.yml\r\nwin_susp_net_execution.yml"
},
{
"techniqueID": "T1036.004",
"score": 200,
"comment": "win_apt_wocao.yml"
},
{
"techniqueID": "T1564.001",
"score": 200,
"comment": "win_attrib_hiding_files.yml"
},
{
"techniqueID": "T1490",
"score": 200,
"comment": "win_bootconf_mod.yml\r\nwin_crime_maze_ransomware.yml\r\nwin_malware_wannacry.yml\r\nwin_shadow_copies_deletion.yml"
},
{
"techniqueID": "T1220",
"score": 200,
"comment": "win_bypass_squiblytwo.yml\r\nwin_xsl_script_processing.yml"
},
{
"techniqueID": "T1546.001",
"score": 200,
"comment": "win_change_default_file_association.yml"
},
{
"techniqueID": "T1548.002",
"score": 200,
"comment": "win_cmstp_com_object_access.yml\r\nwin_susp_powershell_empire_uac_bypass.yml\r\nwin_uac_cmstp.yml\r\nwin_uac_fodhelper.yml\r\nwin_uac_wsreset.yml\r\nwin_wsreset_uac_bypass.yml\r\nsysmon_uac_bypass_eventvwr.yml\r\nsysmon_uac_bypass_sdclt.yml"
},
{
"techniqueID": "T1218.002",
"score": 200,
"comment": "win_control_panel_item.yml"
},
{
"techniqueID": "T1546",
"score": 200,
"comment": "win_control_panel_item.yml"
},
{
"techniqueID": "T1204",
"score": 200,
"comment": "win_crime_snatch_ransomware.yml"
},
{
"techniqueID": "T1071",
"score": 200,
"comment": "win_dnscat2_powershell_implementation.yml"
},
{
"techniqueID": "T1041",
"score": 200,
"comment": "win_dnscat2_powershell_implementation.yml\r\nwin_exfiltration_and_tunneling_tools_execution.yml"
},
{
"techniqueID": "T1048.001",
"score": 200,
"comment": "win_dns_exfiltration_tools_execution.yml"
},
{
"techniqueID": "T1132.001",
"score": 200,
"comment": "win_dns_exfiltration_tools_execution.yml"
},
{
"techniqueID": "T1482",
"score": 200,
"comment": "win_dsquery_domain_trust_discovery.yml\r\nwin_hack_bloodhound.yml\r\nwin_malware_trickbot_recon_activity.yml\r\nwin_trust_discovery.yml"
},
{
"techniqueID": "T1562",
"score": 200,
"comment": "win_etw_modification_cmdline.yml\r\nwin_etw_trace_evasion.yml"
},
{
"techniqueID": "T1070",
"score": 200,
"comment": "win_etw_trace_evasion.yml\r\nwin_shadow_copies_deletion.yml\r\nwin_susp_bcdedit.yml\r\nwin_susp_fsutil_usage.yml\r\nwin_sysmon_driver_unload.yml"
},
{
"techniqueID": "T1566.001",
"score": 200,
"comment": "win_exploit_cve_2017_0261.yml\r\nwin_exploit_cve_2017_11882.yml\r\nwin_exploit_cve_2017_8759.yml\r\nwin_hwp_exploits.yml\r\nwin_susp_double_extension.yml\r\nwin_susp_outlook_temp.yml\r\nsysmon_registry_trust_record_modification.yml"
},
{
"techniqueID": "T1574",
"score": 200,
"comment": "win_exploit_cve_2019_1378.yml"
},
{
"techniqueID": "T1222",
"score": 200,
"comment": "win_file_permission_modifications.yml"
},
{
"techniqueID": "T1087.001",
"score": 200,
"comment": "win_hack_bloodhound.yml\r\nwin_local_system_owner_account_discovery.yml\r\nwin_susp_net_execution.yml\r\nwin_susp_recon_activity.yml"
},
{
"techniqueID": "T1069.001",
"score": 200,
"comment": "win_hack_bloodhound.yml\r\nwin_susp_net_execution.yml"
},
{
"techniqueID": "T1555",
"score": 200,
"comment": "win_hack_secutyxploded.yml"
},
{
"techniqueID": "T1218.001",
"score": 200,
"comment": "win_hh_chm.yml\r\nwin_html_help_spawn.yml"
},
{
"techniqueID": "T1202",
"score": 200,
"comment": "win_indirect_cmd.yml\r\nwin_susp_bginfo.yml\r\nwin_susp_findstr_lnk.yml\r\nwin_susp_outlook.yml\r\nwin_susp_renamed_dctask64.yml"
},
{
"techniqueID": "T1546.008",
"score": 200,
"comment": "win_install_reg_debugger_backdoor.yml\r\nsysmon_stickykey_like_backdoor.yml"
},
{
"techniqueID": "T1486",
"score": 200,
"comment": "win_malware_wannacry.yml"
},
{
"techniqueID": "T1056.002",
"score": 200,
"comment": "win_mouse_lock.yml"
},
{
"techniqueID": "T1562.004",
"score": 200,
"comment": "win_netsh_allow_port_rdp.yml\r\nwin_netsh_fw_add.yml\r\nwin_netsh_fw_add_susp_image.yml\r\nwin_susp_firewall_disable.yml"
},
{
"techniqueID": "T1090",
"score": 200,
"comment": "win_netsh_port_fwd.yml\r\nwin_netsh_port_fwd_3389.yml"
},
{
"techniqueID": "T1018",
"score": 200,
"comment": "win_net_enum.yml\r\nwin_susp_net_execution.yml"
},
{
"techniqueID": "T1218.004",
"score": 200,
"comment": "win_possible_applocker_bypass.yml"
},
{
"techniqueID": "T1218.009",
"score": 200,
"comment": "win_possible_applocker_bypass.yml"
},
{
"techniqueID": "T1127.001",
"score": 200,
"comment": "win_possible_applocker_bypass.yml"
},
{
"techniqueID": "T1123",
"score": 200,
"comment": "win_powershell_audio_capture.yml\r\nwin_soundrec_audio_capture.yml\r\nsysmon_susp_mic_cam_access.yml"
},
{
"techniqueID": "T1197",
"score": 200,
"comment": "win_powershell_bitsjob.yml\r\nwin_process_creation_bitsadmin_download.yml"
},
{
"techniqueID": "T1007",
"score": 200,
"comment": "win_query_registry.yml"
},
{
"techniqueID": "T1563.002",
"score": 200,
"comment": "win_rdp_hijack_shadowing.yml\r\nwin_susp_tscon_rdp_redirect.yml"
},
{
"techniqueID": "T1106",
"score": 200,
"comment": "win_redmimicry_winnti_proc.yml\r\nwin_susp_cdb.yml"
},
{
"techniqueID": "T1124",
"score": 200,
"comment": "win_remote_time_discovery.yml"
},
{
"techniqueID": "T1546.011",
"score": 200,
"comment": "win_sdbinst_shim_persistence.yml"
},
{
"techniqueID": "T1489",
"score": 200,
"comment": "win_service_stop.yml"
},
{
"techniqueID": "T1542.003",
"score": 200,
"comment": "win_susp_bcdedit.yml"
},
{
"techniqueID": "T1127",
"score": 200,
"comment": "win_susp_cdb.yml\r\nwin_susp_use_of_csharp_console.yml\r\nwin_workflow_compiler.yml"
},
{
"techniqueID": "T1053",
"score": 200,
"comment": "win_susp_crackmapexec_execution.yml"
},
{
"techniqueID": "T1500",
"score": 200,
"comment": "win_susp_csc.yml\r\nwin_susp_csc_folder.yml"
},
{
"techniqueID": "T1567",
"score": 200,
"comment": "win_susp_curl_fileupload.yml"
},
{
"techniqueID": "T1027.004",
"score": 200,
"comment": "win_susp_dnx.yml"
},
{
"techniqueID": "T1027.003",
"score": 200,
"comment": "win_susp_findstr_lnk.yml"
},
{
"techniqueID": "T1218.007",
"score": 200,
"comment": "win_susp_msiexec_web_install.yml"
},
{
"techniqueID": "T1546.007",
"score": 200,
"comment": "win_susp_netsh_dll_persistence.yml"
},
{
"techniqueID": "T1049",
"score": 200,
"comment": "win_susp_net_execution.yml"
},
{
"techniqueID": "T1201",
"score": 200,
"comment": "win_susp_net_execution.yml"
},
{
"techniqueID": "T1218.008",
"score": 200,
"comment": "win_susp_odbcconf.yml"
},
{
"techniqueID": "T1193",
"score": 200,
"comment": "win_susp_outlook_temp.yml"
},
{
"techniqueID": "T1113",
"score": 200,
"comment": "win_susp_psr_capture_screenshots.yml"
},
{
"techniqueID": "T1104",
"score": 200,
"comment": "win_susp_ps_downloadfile.yml"
},
{
"techniqueID": "T1552.006",
"score": 200,
"comment": "win_susp_sysvol_access.yml"
},
{
"techniqueID": "T1574.011",
"score": 200,
"comment": "win_using_sc_to_change_sevice_image_path_by_non_admin.yml\r\nsysmon_possible_privilege_escalation_via_service_registry_permissions_weakness.yml"
},
{
"techniqueID": "T1546.009",
"score": 200,
"comment": "sysmon_new_dll_added_to_appcertdlls_registry_key.yml"
},
{
"techniqueID": "T1546.010",
"score": 200,
"comment": "sysmon_new_dll_added_to_appinit_dlls_registry_key.yml"
},
{
"techniqueID": "T1122",
"score": 200,
"comment": "sysmon_registry_persistence_key_linking.yml"
},
{
"techniqueID": "T1547.005",
"score": 200,
"comment": "sysmon_ssp_added_lsa_config.yml"
},
{
"techniqueID": "T1547.008",
"score": 200,
"comment": "sysmon_susp_lsass_dll_load.yml"
},
{
"techniqueID": "T1125",
"score": 200,
"comment": "sysmon_susp_mic_cam_access.yml"
},
{
"techniqueID": "T1546.012",
"score": 200,
"comment": "sysmon_win_reg_persistence.yml"
},
{
"techniqueID": "T1055.012",
"score": 200,
"comment": "sysmon_cactustorch.yml"
},
{
"techniqueID": "T1189",
"score": 200,
"comment": "sysmon_possible_dns_rebinding.yml"
},
{
"techniqueID": "T1006",
"score": 200,
"comment": "sysmon_raw_disk_access_using_illegitimate_tools.yml"
}
]
}