{ "crowdsecurity/generic-freemarker-ssti": { "name": "crowdsecurity/generic-freemarker-ssti", "description": "Generic FreeMarker SSTI", "label": "Generic FreeMarker SSTI", "behaviors": [ "http:exploit" ], "mitre_attacks": [ "TA0043:T1595", "TA0001:T1190" ], "confidence": 2, "spoofable": 0, "cti": true, "service": "http", "created_at": "2024-03-28 17:01:19" }, "crowdsecurity/generic-wordpress-uploads-php": { "name": "crowdsecurity/generic-wordpress-uploads-php", "description": "Detect php execution in wordpress uploads directory", "label": "Detect Wordpress PHP execution in uploads directory", "behaviors": [ "http:exploit" ], "mitre_attacks": [ "TA0043:T1595", "TA0001:T1190" ], "confidence": 2, "spoofable": 0, "cti": true, "service": "http", "created_at": "2024-10-17 16:50:39" }, "crowdsecurity/vpatch-CVE-2002-1131": { "name": "crowdsecurity/vpatch-CVE-2002-1131", "description": "Detects XSS attempts in SquirrelMail 1.2.6/1.2.7 via unsanitized input in addressbook, options, search, and help modules.", "label": "SquirrelMail - XSS", "behaviors": [ "http:exploit" ], "mitre_attacks": [ "TA0002:T1059" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "http", "created_at": "2025-04-24 18:39:04", "cves": [ "CVE-2002-1131" ], "cwes": [ "CWE-80" ] }, "crowdsecurity/vpatch-CVE-2007-0885": { "name": "crowdsecurity/vpatch-CVE-2007-0885", "description": "Detects XSS vulnerability in Jira Rainbow.Zen via the id parameter in BrowseProject.jspa.", "label": "Jira Rainbow.Zen - XSS", "behaviors": [ "http:exploit" ], "mitre_attacks": [ "TA0002:T1059" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "http", "created_at": "2025-05-09 12:16:13", "cves": [ "CVE-2007-0885" ], "cwes": [ "CWE-79" ] }, "crowdsecurity/vpatch-CVE-2017-9841": { "name": "crowdsecurity/vpatch-CVE-2017-9841", "description": "PHPUnit RCE (CVE-2017-9841)", "label": "PHPUnit RCE", "behaviors": [ "http:exploit" ], "mitre_attacks": [ "TA0043:T1595", "TA0001:T1190" ], "confidence": 3, "spoofable": 
0, "cti": true, "service": "http", "created_at": "2023-12-15 17:47:20", "cves": [ "CVE-2017-9841" ], "cwes": [ "CWE-94" ] }, "crowdsecurity/vpatch-CVE-2018-1000861": { "name": "crowdsecurity/vpatch-CVE-2018-1000861", "description": "Jenkins - RCE (CVE-2018-1000861)", "label": "Jenkins - RCE", "behaviors": [ "http:exploit" ], "mitre_attacks": [ "TA0043:T1595", "TA0001:T1190" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "http", "created_at": "2024-01-17 15:59:53", "cves": [ "CVE-2018-1000861" ], "cwes": [ "CWE-502" ] }, "crowdsecurity/vpatch-CVE-2018-10562": { "name": "crowdsecurity/vpatch-CVE-2018-10562", "description": "Dasan GPON RCE (CVE-2018-10562)", "label": "Dasan GPON RCE", "behaviors": [ "http:exploit" ], "mitre_attacks": [ "TA0043:T1595", "TA0001:T1190" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "http", "created_at": "2024-01-08 10:24:18", "cves": [ "CVE-2018-10562" ], "cwes": [ "CWE-78" ] }, "crowdsecurity/vpatch-CVE-2018-13379": { "name": "crowdsecurity/vpatch-CVE-2018-13379", "description": "Fortinet FortiOS - Credentials Disclosure (CVE-2018-13379)", "label": "Fortinet FortiOS - Credentials Disclosure", "behaviors": [ "http:exploit" ], "mitre_attacks": [ "TA0043:T1595", "TA0001:T1190" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "http", "created_at": "2024-09-12 18:08:34", "cves": [ "CVE-2018-13379" ], "cwes": [ "CWE-22" ] }, "crowdsecurity/vpatch-CVE-2018-20062": { "name": "crowdsecurity/vpatch-CVE-2018-20062", "description": "ThinkPHP - RCE (CVE-2018-20062)", "label": "ThinkPHP - RCE", "behaviors": [ "http:exploit" ], "mitre_attacks": [ "TA0043:T1595", "TA0001:T1190" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "http", "created_at": "2024-10-25 09:33:36", "cves": [ "CVE-2018-20062" ] }, "crowdsecurity/vpatch-CVE-2019-1003030": { "name": "crowdsecurity/vpatch-CVE-2019-1003030", "description": "Jenkins - RCE (CVE-2019-1003030)", "label": "Jenkins - RCE", "behaviors": [ "http:exploit" ], 
"mitre_attacks": [ "TA0043:T1595", "TA0001:T1190" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "http", "created_at": "2024-01-17 15:59:53", "cves": [ "CVE-2019-1003030" ], "cwes": [ "CWE-264" ] }, "crowdsecurity/vpatch-CVE-2019-12989": { "name": "crowdsecurity/vpatch-CVE-2019-12989", "description": "Citrix SQLi (CVE-2019-12989)", "label": "Citrix SQLi", "behaviors": [ "http:exploit" ], "mitre_attacks": [ "TA0043:T1595", "TA0001:T1190" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "http", "created_at": "2023-12-15 17:47:20", "cves": [ "CVE-2019-12989" ], "cwes": [ "CWE-89" ] }, "crowdsecurity/vpatch-CVE-2019-18935": { "name": "crowdsecurity/vpatch-CVE-2019-18935", "description": "Telerik - RCE (CVE-2019-18935)", "label": "Telerik - RCE", "behaviors": [ "http:exploit" ], "mitre_attacks": [ "TA0043:T1595", "TA0001:T1190" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "http", "created_at": "2024-09-12 18:08:34", "cves": [ "CVE-2019-18935" ], "cwes": [ "CWE-502" ] }, "crowdsecurity/vpatch-CVE-2020-11738": { "name": "crowdsecurity/vpatch-CVE-2020-11738", "description": "Wordpress Snap Creek Duplicator - Path Traversal (CVE-2020-11738)", "label": "Wordpress Snap Creek Duplicator", "behaviors": [ "http:exploit" ], "mitre_attacks": [ "TA0043:T1595", "TA0001:T1190" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "http", "created_at": "2023-12-15 17:47:20", "cves": [ "CVE-2020-11738" ], "cwes": [ "CWE-22" ] }, "crowdsecurity/vpatch-CVE-2020-17496": { "name": "crowdsecurity/vpatch-CVE-2020-17496", "description": "vBulletin RCE (CVE-2020-17496)", "label": "vBulletin RCE", "behaviors": [ "http:exploit" ], "mitre_attacks": [ "TA0043:T1595", "TA0001:T1190" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "http", "created_at": "2023-12-22 12:09:51", "cves": [ "CVE-2020-17496" ], "cwes": [ "CWE-74" ] }, "crowdsecurity/vpatch-CVE-2020-5902": { "name": "crowdsecurity/vpatch-CVE-2020-5902", "description": "F5 BIG-IP TMUI 
- RCE (CVE-2020-5902)", "label": "F5 BIG-IP TMUI - RCE", "behaviors": [ "http:exploit" ], "mitre_attacks": [ "TA0043:T1595", "TA0001:T1190" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "http", "created_at": "2024-09-12 18:08:34", "cves": [ "CVE-2020-5902" ], "cwes": [ "CWE-22" ] }, "crowdsecurity/vpatch-CVE-2020-9054": { "name": "crowdsecurity/vpatch-CVE-2020-9054", "description": "Detects pre-authentication command injection in Zyxel NAS devices via weblogin.cgi", "label": "Zyxel NAS - RCE", "behaviors": [ "http:exploit" ], "mitre_attacks": [ "TA0001:T1190" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "http", "created_at": "2025-03-31 19:08:27", "cves": [ "CVE-2020-9054" ], "cwes": [ "CWE-78" ] }, "crowdsecurity/vpatch-CVE-2021-22941": { "name": "crowdsecurity/vpatch-CVE-2021-22941", "description": "Citrix RCE (CVE-2021-22941)", "label": "Citrix RCE", "behaviors": [ "http:exploit" ], "mitre_attacks": [ "TA0043:T1595", "TA0001:T1190" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "http", "created_at": "2023-12-15 17:47:20", "cves": [ "CVE-2021-22941" ], "cwes": [ "CWE-284" ] }, "crowdsecurity/vpatch-CVE-2021-26086": { "name": "crowdsecurity/vpatch-CVE-2021-26086", "description": "Atlassian Jira Server/Data Center 8.4.0 - Limited Remote File Read/Include (CVE-2021-26086)", "label": "Atlassian Jira Server/Data Center 8.4.0 File Read", "behaviors": [ "http:exploit" ], "mitre_attacks": [ "TA0043:T1595", "TA0001:T1190" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "http", "created_at": "2024-10-25 09:33:36", "cves": [ "CVE-2021-26086" ] }, "crowdsecurity/vpatch-CVE-2021-26294": { "name": "crowdsecurity/vpatch-CVE-2021-26294", "description": "Detects unauthorized access to AfterLogic Aurora/WebMail Pro WebDAV endpoint using default caldav_public_user credentials and path traversal.", "label": "AfterLogic Aurora/WebMail Pro - Info Disclosure", "behaviors": [ "http:exploit" ], "mitre_attacks": [ "TA0006:T1040" ], 
"confidence": 3, "spoofable": 0, "cti": true, "service": "http", "created_at": "2025-04-25 08:54:32", "cves": [ "CVE-2021-26294" ], "cwes": [ "CWE-22" ] }, "crowdsecurity/vpatch-CVE-2021-3129": { "name": "crowdsecurity/vpatch-CVE-2021-3129", "description": "Laravel with Ignition Debug Mode RCE (CVE-2021-3129)", "label": "Laravel with Ignition Debug Mode RCE", "behaviors": [ "http:exploit" ], "mitre_attacks": [ "TA0043:T1595", "TA0001:T1190" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "http", "created_at": "2023-12-15 17:47:20", "cves": [ "CVE-2021-3129" ], "cwes": [ "CWE-98" ] }, "crowdsecurity/vpatch-CVE-2021-43798": { "name": "crowdsecurity/vpatch-CVE-2021-43798", "description": "Grafana Arbitrary File Read (CVE-2021-43798)", "label": "Grafana - LFI", "behaviors": [ "http:exploit" ], "mitre_attacks": [ "TA0001:T1190" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "http", "created_at": "2025-03-31 18:14:54", "cves": [ "CVE-2021-43798" ], "cwes": [ "CWE-22" ] }, "crowdsecurity/vpatch-CVE-2021-44529": { "name": "crowdsecurity/vpatch-CVE-2021-44529", "description": "Detects code injection in Ivanti EPM CSA via cookie manipulation (CVE-2021-44529)", "label": "Ivanti EPM CSA - RCE", "behaviors": [ "http:exploit" ], "mitre_attacks": [ "TA0001:T1190" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "http", "created_at": "2025-03-31 19:08:27", "cves": [ "CVE-2021-44529" ], "cwes": [ "CWE-94" ] }, "crowdsecurity/vpatch-CVE-2022-1388": { "name": "crowdsecurity/vpatch-CVE-2022-1388", "description": "Detects F5 BIG-IP iControl REST authentication bypass and RCE via crafted POST to /mgmt/tm/util/bash with X-F5-Auth-Token header.", "label": "F5 BIG-IP iControl REST - Authentication Bypass", "behaviors": [ "http:exploit" ], "mitre_attacks": [ "TA0001:T1190" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "http", "created_at": "2025-05-09 12:04:11", "cves": [ "CVE-2022-1388" ], "cwes": [ "CWE-306" ] }, 
"crowdsecurity/vpatch-CVE-2022-22954": { "name": "crowdsecurity/vpatch-CVE-2022-22954", "description": "VMWare Workspace ONE Access RCE (CVE-2022-22954)", "label": "VMWare Workspace ONE RCE", "behaviors": [ "http:exploit" ], "mitre_attacks": [ "TA0043:T1595", "TA0001:T1190" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "http", "created_at": "2024-03-19 09:32:53", "cves": [ "CVE-2022-22954" ] }, "crowdsecurity/vpatch-CVE-2022-22965": { "name": "crowdsecurity/vpatch-CVE-2022-22965", "description": "Spring4Shell - RCE (CVE-2022-22965)", "label": "Spring4Shell - RCE", "behaviors": [ "http:exploit" ], "mitre_attacks": [ "TA0043:T1595", "TA0001:T1190" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "http", "created_at": "2024-01-17 15:59:53", "cves": [ "CVE-2022-22965" ], "cwes": [ "CWE-94" ] }, "crowdsecurity/vpatch-CVE-2022-25488": { "name": "crowdsecurity/vpatch-CVE-2022-25488", "description": "Atom CMS - SQLi (CVE-2022-25488)", "label": "Atom CMS - SQLi", "behaviors": [ "http:exploit" ], "mitre_attacks": [ "TA0001:T1190" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "http", "created_at": "2025-03-26 15:44:30", "cves": [ "CVE-2022-25488" ], "cwes": [ "CWE-89" ] }, "crowdsecurity/vpatch-CVE-2022-26134": { "name": "crowdsecurity/vpatch-CVE-2022-26134", "description": "Confluence - RCE (CVE-2022-26134)", "label": "Confluence - RCE", "behaviors": [ "http:exploit" ], "mitre_attacks": [ "TA0043:T1595", "TA0001:T1190" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "http", "created_at": "2024-09-12 18:08:34", "cves": [ "CVE-2022-26134" ], "cwes": [ "CWE-917" ] }, "crowdsecurity/vpatch-CVE-2022-27926": { "name": "crowdsecurity/vpatch-CVE-2022-27926", "description": "Zimbra Collaboration XSS (CVE-2022-27926)", "label": "Zimbra Collaboration (ZCS) - XSS", "behaviors": [ "http:exploit" ], "mitre_attacks": [ "TA0043:T1595", "TA0001:T1190" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "http", "created_at": 
"2023-12-15 17:47:20", "cves": [ "CVE-2022-27926" ], "cwes": [ "CWE-79" ] }, "crowdsecurity/vpatch-CVE-2022-35914": { "name": "crowdsecurity/vpatch-CVE-2022-35914", "description": "GLPI RCE (CVE-2022-35914)", "label": "GLPI RCE", "behaviors": [ "http:exploit" ], "mitre_attacks": [ "TA0043:T1595", "TA0001:T1190" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "http", "created_at": "2023-12-15 17:47:20", "cves": [ "CVE-2022-35914" ], "cwes": [ "CWE-74" ] }, "crowdsecurity/vpatch-CVE-2022-41082": { "name": "crowdsecurity/vpatch-CVE-2022-41082", "description": "Microsoft Exchange - RCE (CVE-2022-41082)", "label": "Microsoft Exchange - RCE", "behaviors": [ "http:exploit" ], "mitre_attacks": [ "TA0043:T1595", "TA0001:T1190" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "http", "created_at": "2024-09-12 18:08:34", "cves": [ "CVE-2022-41082" ], "cwes": [ "CWE-502" ] }, "crowdsecurity/vpatch-CVE-2022-44877": { "name": "crowdsecurity/vpatch-CVE-2022-44877", "description": "CentOS Web Panel 7 RCE (CVE-2022-44877)", "label": "CentOS Web Panel 7 RCE", "behaviors": [ "http:exploit" ], "mitre_attacks": [ "TA0043:T1595", "TA0001:T1190" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "http", "created_at": "2023-12-15 17:47:20", "cves": [ "CVE-2022-44877" ], "cwes": [ "CWE-78" ] }, "crowdsecurity/vpatch-CVE-2022-46169": { "name": "crowdsecurity/vpatch-CVE-2022-46169", "description": "Cacti RCE (CVE-2022-46169)", "label": "Cacti <=1.2.22 - RCE", "behaviors": [ "http:exploit" ], "mitre_attacks": [ "TA0043:T1595", "TA0001:T1190" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "http", "created_at": "2023-12-15 17:47:20", "cves": [ "CVE-2022-46169" ], "cwes": [ "CWE-74", "CWE-77", "CWE-78", "CWE-863" ] }, "crowdsecurity/vpatch-CVE-2023-0297": { "name": "crowdsecurity/vpatch-CVE-2023-0297", "description": "Detects pre-auth remote code execution in PyLoad via code injection in the \"jk\" parameter of /flash/addcrypted2.", "label": "PyLoad - 
RCE", "behaviors": [ "http:exploit" ], "mitre_attacks": [ "TA0001:T1190" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "http", "created_at": "2025-04-24 18:35:30", "cves": [ "CVE-2023-0297" ], "cwes": [ "CWE-94" ] }, "crowdsecurity/vpatch-CVE-2023-0600": { "name": "crowdsecurity/vpatch-CVE-2023-0600", "description": "WP Visitor Statistics - SQL Injection (CVE-2023-0600)", "label": "WP Visitor Statistics - SQL Injection", "behaviors": [ "http:exploit" ], "mitre_attacks": [ "TA0043:T1595", "TA0001:T1190" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "http", "created_at": "2024-05-14 18:04:42", "cves": [ "CVE-2023-0600" ], "cwes": [ "CWE-89" ] }, "crowdsecurity/vpatch-CVE-2023-0900": { "name": "crowdsecurity/vpatch-CVE-2023-0900", "description": "AP Pricing Tables Lite - SQL Injection (CVE-2023-0900)", "label": "AP Pricing Tables Lite - SQL Injection", "behaviors": [ "http:exploit" ], "mitre_attacks": [ "TA0043:T1595", "TA0001:T1190" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "http", "created_at": "2024-05-14 18:04:42", "cves": [ "CVE-2023-0900" ], "cwes": [ "CWE-89" ] }, "crowdsecurity/vpatch-CVE-2023-1389": { "name": "crowdsecurity/vpatch-CVE-2023-1389", "description": "TP-Link Archer AX21 - RCE (CVE-2023-1389)", "label": "TP-Link Archer AX21 - RCE", "behaviors": [ "http:exploit" ], "mitre_attacks": [ "TA0043:T1595", "TA0001:T1190" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "http", "created_at": "2024-01-16 11:54:35", "cves": [ "CVE-2023-1389" ], "cwes": [ "CWE-77" ] }, "crowdsecurity/vpatch-CVE-2023-2009": { "name": "crowdsecurity/vpatch-CVE-2023-2009", "description": "Pretty Url - XSS (CVE-2023-2009)", "label": "Pretty Url - XSS", "behaviors": [ "http:exploit" ], "mitre_attacks": [ "TA0043:T1595", "TA0001:T1190" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "http", "created_at": "2024-05-14 18:04:42", "cves": [ "CVE-2023-2009" ], "cwes": [ "CWE-89" ] }, 
"crowdsecurity/vpatch-CVE-2023-20198": { "name": "crowdsecurity/vpatch-CVE-2023-20198", "description": "CISCO IOS XE Account Creation (CVE-2023-20198)", "label": "CISCO IOS XE account creation", "behaviors": [ "http:exploit" ], "mitre_attacks": [ "TA0043:T1595", "TA0001:T1190" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "http", "created_at": "2023-12-15 17:47:20", "cves": [ "CVE-2023-20198" ], "cwes": [ "CWE-287" ] }, "crowdsecurity/vpatch-CVE-2023-22515": { "name": "crowdsecurity/vpatch-CVE-2023-22515", "description": "Atlassian Confluence Privesc (CVE-2023-22515)", "label": "Atlassian Confluence Privesc", "behaviors": [ "http:exploit" ], "mitre_attacks": [ "TA0043:T1595", "TA0001:T1190" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "http", "created_at": "2023-12-15 17:47:20", "cves": [ "CVE-2023-22515" ], "cwes": [ "CWE-284" ] }, "crowdsecurity/vpatch-CVE-2023-22527": { "name": "crowdsecurity/vpatch-CVE-2023-22527", "description": "RCE using SSTI in Confluence (CVE-2023-22527)", "label": "Confluence RCE", "behaviors": [ "http:exploit" ], "mitre_attacks": [ "TA0043:T1595", "TA0001:T1190" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "http", "created_at": "2024-02-05 16:54:31", "cves": [ "CVE-2023-22527" ] }, "crowdsecurity/vpatch-CVE-2023-23488": { "name": "crowdsecurity/vpatch-CVE-2023-23488", "description": "Wordpress Paid Memberships Pro Blind SQLi (CVE-2023-23488)", "label": "Wordpress Paid Memberships Pro Blind SQLi", "behaviors": [ "http:exploit" ], "mitre_attacks": [ "TA0043:T1595", "TA0001:T1190" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "http", "created_at": "2024-05-14 18:04:42", "cves": [ "CVE-2023-23488" ], "cwes": [ "CWE-89" ] }, "crowdsecurity/vpatch-CVE-2023-23489": { "name": "crowdsecurity/vpatch-CVE-2023-23489", "description": "WordPress Easy Digital Downloads plugin SQL injection (CVE-2023-23489)", "label": "WordPress Easy Digital Downloads plugin SQL injection", "behaviors": [ 
"http:exploit" ], "mitre_attacks": [ "TA0043:T1595", "TA0001:T1190" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "http", "created_at": "2024-05-14 18:04:42", "cves": [ "CVE-2023-23489" ], "cwes": [ "CWE-89" ] }, "crowdsecurity/vpatch-CVE-2023-23752": { "name": "crowdsecurity/vpatch-CVE-2023-23752", "description": "Joomla! Webservice - Password Disclosure (CVE-2023-23752)", "label": "Joomla! Webservice - Password Disclosure", "behaviors": [ "http:exploit" ], "mitre_attacks": [ "TA0043:T1595", "TA0001:T1190" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "http", "created_at": "2024-01-17 15:59:53", "cves": [ "CVE-2023-23752" ], "cwes": [ "CWE-284", "CWE-266" ] }, "crowdsecurity/vpatch-CVE-2023-24489": { "name": "crowdsecurity/vpatch-CVE-2023-24489", "description": "Citrix ShareFile RCE (CVE-2023-24489)", "label": "Citrix ShareFile RCE", "behaviors": [ "http:exploit" ], "mitre_attacks": [ "TA0043:T1595", "TA0001:T1190" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "http", "created_at": "2023-12-15 17:47:20", "cves": [ "CVE-2023-24489" ], "cwes": [ "CWE-284" ] }, "crowdsecurity/vpatch-CVE-2023-28121": { "name": "crowdsecurity/vpatch-CVE-2023-28121", "description": "WooCommerce auth bypass (CVE-2023-28121)", "label": "WooCommerce auth bypass", "behaviors": [ "http:exploit" ], "mitre_attacks": [ "TA0043:T1595", "TA0001:T1190" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "http", "created_at": "2024-01-16 14:28:14", "cves": [ "CVE-2023-28121" ], "cwes": [ "CWE-287" ] }, "crowdsecurity/vpatch-CVE-2023-33617": { "name": "crowdsecurity/vpatch-CVE-2023-33617", "description": "Atlassian Confluence Privesc (CVE-2023-33617)", "label": "Atlassian Confluence Privesc", "behaviors": [ "http:exploit" ], "mitre_attacks": [ "TA0043:T1595", "TA0001:T1190" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "http", "created_at": "2023-12-15 17:47:20", "cves": [ "CVE-2023-33617" ], "cwes": [ "CWE-78" ] }, 
"crowdsecurity/vpatch-CVE-2023-34362": { "name": "crowdsecurity/vpatch-CVE-2023-34362", "description": "MOVEit Transfer RCE (CVE-2023-34362)", "label": "MOVEit Transfer RCE", "behaviors": [ "http:exploit" ], "mitre_attacks": [ "TA0043:T1595", "TA0001:T1190" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "http", "created_at": "2023-12-15 17:47:20", "cves": [ "CVE-2023-34362" ], "cwes": [ "CWE-89" ] }, "crowdsecurity/vpatch-CVE-2023-35078": { "name": "crowdsecurity/vpatch-CVE-2023-35078", "description": "MobileIron Core Remote Unauthenticated API Access (CVE-2023-35078)", "label": "MobileIron Core API", "behaviors": [ "http:exploit" ], "mitre_attacks": [ "TA0043:T1595", "TA0001:T1190" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "http", "created_at": "2024-02-09 15:28:50", "cves": [ "CVE-2023-35078" ] }, "crowdsecurity/vpatch-CVE-2023-35082": { "name": "crowdsecurity/vpatch-CVE-2023-35082", "description": "MobileIron Core Remote Unauthenticated API Access (CVE-2023-35082)", "label": "MobileIron Core API", "behaviors": [ "http:exploit" ], "mitre_attacks": [ "TA0043:T1595", "TA0001:T1190" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "http", "created_at": "2024-02-09 15:28:50", "cves": [ "CVE-2023-35082" ] }, "crowdsecurity/vpatch-CVE-2023-3519": { "name": "crowdsecurity/vpatch-CVE-2023-3519", "description": "Citrix RCE (CVE-2023-3519)", "label": "Citrix RCE", "behaviors": [ "http:exploit" ], "mitre_attacks": [ "TA0043:T1595", "TA0001:T1190" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "http", "created_at": "2023-12-15 17:47:20", "cves": [ "CVE-2023-3519" ], "cwes": [ "CWE-94" ] }, "crowdsecurity/vpatch-CVE-2023-38205": { "name": "crowdsecurity/vpatch-CVE-2023-38205", "description": "Adobe ColdFusion Access Control Bypass (CVE-2023-38205)", "label": "Adobe ColdFusion Access Control Bypass", "behaviors": [ "http:exploit" ], "mitre_attacks": [ "TA0043:T1595", "TA0001:T1190" ], "confidence": 3, "spoofable": 0, 
"cti": true, "service": "http", "created_at": "2023-12-15 17:47:20", "cves": [ "CVE-2023-38205" ], "cwes": [ "CWE-284" ] }, "crowdsecurity/vpatch-CVE-2023-40044": { "name": "crowdsecurity/vpatch-CVE-2023-40044", "description": "WS_FTP .NET deserialize RCE (CVE-2023-40044)", "label": "WS_FTP .NET deserialize RCE", "behaviors": [ "http:exploit" ], "mitre_attacks": [ "TA0043:T1595", "TA0001:T1190" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "http", "created_at": "2023-12-15 17:47:20", "cves": [ "CVE-2023-40044" ], "cwes": [ "CWE-502" ] }, "crowdsecurity/vpatch-CVE-2023-42793": { "name": "crowdsecurity/vpatch-CVE-2023-42793", "description": "JetBrains Teamcity Auth Bypass (CVE-2023-42793)", "label": "JetBrains Teamcity Auth Bypass", "behaviors": [ "http:exploit" ], "mitre_attacks": [ "TA0043:T1595", "TA0001:T1190" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "http", "created_at": "2023-12-15 17:47:20", "cves": [ "CVE-2023-42793" ], "cwes": [ "CWE-288" ] }, "crowdsecurity/vpatch-CVE-2023-4634": { "name": "crowdsecurity/vpatch-CVE-2023-4634", "description": "Media Library Assistant - RCE (CVE-2023-4634)", "label": "Media Library Assistant RCE", "behaviors": [ "http:exploit" ], "mitre_attacks": [ "TA0001:T1190" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "http", "created_at": "2024-05-14 18:04:42", "cves": [ "CVE-2023-4634" ], "cwes": [ "CWE-73" ] }, "crowdsecurity/vpatch-CVE-2023-46805": { "name": "crowdsecurity/vpatch-CVE-2023-46805", "description": "Ivanti Connect Auth Bypass (CVE-2023-46805)", "label": "Ivanti Connect Auth Bypass", "behaviors": [ "http:exploit" ], "mitre_attacks": [ "TA0043:T1595", "TA0001:T1190" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "http", "created_at": "2024-01-18 17:00:09", "cves": [ "CVE-2023-46805", "CVE-2024-21887" ], "cwes": [ "CWE-287", "CWE-77" ] }, "crowdsecurity/vpatch-CVE-2023-47218": { "name": "crowdsecurity/vpatch-CVE-2023-47218", "description": "QNAP QTS - RCE 
(CVE-2023-47218)", "label": "QNAP QTS - RCE", "behaviors": [ "http:exploit" ], "mitre_attacks": [ "TA0043:T1595", "TA0001:T1190" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "http", "created_at": "2024-07-19 10:46:32", "cves": [ "CVE-2023-47218" ], "cwes": [ "CWE-78", "CWE-77" ] }, "crowdsecurity/vpatch-CVE-2023-49070": { "name": "crowdsecurity/vpatch-CVE-2023-49070", "description": "Apache OFBiz - RCE (CVE-2023-49070)", "label": "Apache OFBiz - RCE", "behaviors": [ "http:exploit" ], "mitre_attacks": [ "TA0043:T1595", "TA0001:T1190" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "http", "created_at": "2024-01-17 15:59:53", "cves": [ "CVE-2023-49070" ], "cwes": [ "CWE-94" ] }, "crowdsecurity/vpatch-CVE-2023-50164": { "name": "crowdsecurity/vpatch-CVE-2023-50164", "description": "Apache Struts2 Path Traversal (CVE-2023-50164)", "label": "Apache Struts2 Path Traversal", "behaviors": [ "http:exploit" ], "mitre_attacks": [ "TA0043:T1595", "TA0001:T1190" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "http", "created_at": "2023-12-22 12:08:24", "cves": [ "CVE-2023-50164" ], "cwes": [ "CWE-552" ] }, "crowdsecurity/vpatch-CVE-2023-6360": { "name": "crowdsecurity/vpatch-CVE-2023-6360", "description": "WordPress My Calendar - SQL Injection (CVE-2023-6360)", "label": "WordPress My Calendar - SQL Injection", "behaviors": [ "http:exploit" ], "mitre_attacks": [ "TA0043:T1595", "TA0001:T1190" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "http", "created_at": "2024-05-14 18:04:42", "cves": [ "CVE-2023-6360" ], "cwes": [ "CWE-89" ] }, "crowdsecurity/vpatch-CVE-2023-6553": { "name": "crowdsecurity/vpatch-CVE-2023-6553", "description": "Backup Migration plugin for WordPress RCE (CVE-2023-6553)", "label": "Backup Migration plugin for WordPress RCE", "behaviors": [ "http:exploit" ], "mitre_attacks": [ "TA0043:T1595", "TA0001:T1190" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "http", "created_at": "2024-01-08 
10:42:56", "cves": [ "CVE-2023-6553" ], "cwes": [ "CWE-287" ] }, "crowdsecurity/vpatch-CVE-2023-6567": { "name": "crowdsecurity/vpatch-CVE-2023-6567", "description": "LearnPress - SQL Injection (CVE-2023-6567)", "label": "LearnPress - SQL Injection", "behaviors": [ "http:exploit" ], "mitre_attacks": [ "TA0043:T1595", "TA0001:T1190" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "http", "created_at": "2024-05-14 18:04:42", "cves": [ "CVE-2023-6567" ], "cwes": [ "CWE-89" ] }, "crowdsecurity/vpatch-CVE-2023-6623": { "name": "crowdsecurity/vpatch-CVE-2023-6623", "description": "Wordpress Essential Blocks plugin LFI (CVE-2023-6623)", "label": "Wordpress Essential Blocks plugin LFI", "behaviors": [ "http:exploit" ], "mitre_attacks": [ "TA0005:T1211", "TA0001:T1190" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "http", "created_at": "2024-05-14 18:04:42", "cves": [ "CVE-2023-6623" ], "cwes": [ "CWE-22" ] }, "crowdsecurity/vpatch-CVE-2023-7028": { "name": "crowdsecurity/vpatch-CVE-2023-7028", "description": "Gitlab Password Reset Account Takeover (CVE-2023-7028)", "label": "Gitlab Password Reset Account Takeover", "behaviors": [ "http:exploit" ], "mitre_attacks": [ "TA0043:T1595", "TA0001:T1190" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "http", "created_at": "2024-01-17 11:39:13", "cves": [ "CVE-2023-7028" ] }, "crowdsecurity/vpatch-CVE-2024-0012": { "name": "crowdsecurity/vpatch-CVE-2024-0012", "description": "PanOS - Authentication Bypass (CVE-2024-0012)", "label": "PanOS - Authentication Bypass", "behaviors": [ "http:exploit" ], "mitre_attacks": [ "TA0043:T1595", "TA0001:T1190" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "http", "created_at": "2024-11-20 15:53:39", "cves": [ "CVE-2024-0012" ], "cwes": [ "CWE-306" ] }, "crowdsecurity/vpatch-CVE-2024-1061": { "name": "crowdsecurity/vpatch-CVE-2024-1061", "description": "WordPress HTML5 Video Player - SQL Injection (CVE-2024-1061)", "label": "WordPress HTML5 
Video Player - SQL Injection", "behaviors": [ "http:exploit" ], "mitre_attacks": [ "TA0043:T1595", "TA0001:T1190" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "http", "created_at": "2024-05-14 18:04:42", "cves": [ "CVE-2024-1061" ], "cwes": [ "CWE-89" ] }, "crowdsecurity/vpatch-CVE-2024-1071": { "name": "crowdsecurity/vpatch-CVE-2024-1071", "description": "WordPress Ultimate Member - SQL Injection (CVE-2024-1071)", "label": "WordPress Ultimate Member - SQL Injection", "behaviors": [ "http:exploit" ], "mitre_attacks": [ "TA0043:T1595", "TA0001:T1190" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "http", "created_at": "2024-05-14 18:04:42", "cves": [ "CVE-2024-1071" ], "cwes": [ "CWE-89" ] }, "crowdsecurity/vpatch-CVE-2024-1212": { "name": "crowdsecurity/vpatch-CVE-2024-1212", "description": "Progress Kemp LoadMaster Unauthenticated Command Injection (CVE-2024-1212)", "label": "LoadMaster UCI", "behaviors": [ "http:exploit" ], "mitre_attacks": [ "TA0043:T1595", "TA0001:T1190" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "http", "created_at": "2024-03-26 09:21:36", "cves": [ "CVE-2024-1212" ] }, "crowdsecurity/vpatch-CVE-2024-22024": { "name": "crowdsecurity/vpatch-CVE-2024-22024", "description": "Ivanti Connect Secure - XXE (CVE-2024-22024)", "label": "Ivanti Connect Secure - XXE", "behaviors": [ "http:exploit" ], "mitre_attacks": [ "TA0043:T1595", "TA0001:T1190" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "http", "created_at": "2024-03-26 11:14:34", "cves": [ "CVE-2024-22024" ], "cwes": [ "CWE-611" ] }, "crowdsecurity/vpatch-CVE-2024-23897": { "name": "crowdsecurity/vpatch-CVE-2024-23897", "description": "Jenkins CLI RCE (CVE-2024-23897)", "label": "Jenkins CLI RCE", "behaviors": [ "http:exploit" ], "mitre_attacks": [ "TA0043:T1595", "TA0001:T1190" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "http", "created_at": "2024-03-26 10:00:56", "cves": [ "CVE-2024-23897" ], "cwes": [ "CWE-552" ] }, 
"crowdsecurity/vpatch-CVE-2024-27198": { "name": "crowdsecurity/vpatch-CVE-2024-27198", "description": "Teamcity - Authentication Bypass (CVE-2024-27198)", "label": "Teamcity - Authentication Bypass", "behaviors": [ "http:exploit" ], "mitre_attacks": [ "TA0043:T1595", "TA0001:T1190" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "http", "created_at": "2024-07-19 15:56:16", "cves": [ "CVE-2024-27198" ], "cwes": [ "CWE-94" ] }, "crowdsecurity/vpatch-CVE-2024-27292": { "name": "crowdsecurity/vpatch-CVE-2024-27292", "description": "Local File Inclusion - Docassemble", "label": "Docassemble - LFI", "behaviors": [ "http:exploit" ], "mitre_attacks": [ "TA0043:T1592" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "http", "created_at": "2025-03-31 19:08:27", "cves": [ "CVE-2024-27292" ], "cwes": [ "CWE-706" ] }, "crowdsecurity/vpatch-CVE-2024-27348": { "name": "crowdsecurity/vpatch-CVE-2024-27348", "description": "Apache HugeGraph-Server - RCE (CVE-2024-27348)", "label": "Apache HugeGraph-Server - RCE", "behaviors": [ "http:exploit" ], "mitre_attacks": [ "TA0043:T1595", "TA0001:T1190" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "http", "created_at": "2024-08-22 17:02:07", "cves": [ "CVE-2024-27348" ], "cwes": [ "CWE-77" ] }, "crowdsecurity/vpatch-CVE-2024-27564": { "name": "crowdsecurity/vpatch-CVE-2024-27564", "description": "Detects SSRF attack via pictureproxy.php in ChatGPT application", "label": "ChatGPT - SSRF", "behaviors": [ "http:exploit" ], "mitre_attacks": [ "TA0001:T1190" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "http", "created_at": "2025-03-31 19:08:27", "cves": [ "CVE-2024-27564" ], "cwes": [ "CWE-918" ] }, "crowdsecurity/vpatch-CVE-2024-27954": { "name": "crowdsecurity/vpatch-CVE-2024-27954", "description": "WP Automatic - Path Traversal (CVE-2024-27954)", "label": "WP Automatic - Path Traversal", "behaviors": [ "http:exploit" ], "mitre_attacks": [ "TA0043:T1595", "TA0001:T1190" ], "confidence": 3, 
"spoofable": 0, "cti": true, "service": "http", "created_at": "2024-11-13 17:19:55", "cves": [ "CVE-2024-27954" ], "cwes": [ "CWE-22" ] }, "crowdsecurity/vpatch-CVE-2024-27956": { "name": "crowdsecurity/vpatch-CVE-2024-27956", "description": "WordPress Automatic Plugin - SQLi (CVE-2024-27956)", "label": "WordPress Automatic Plugin - SQLi", "behaviors": [ "http:exploit" ], "mitre_attacks": [ "TA0043:T1595", "TA0001:T1190" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "http", "created_at": "2024-11-13 17:19:55", "cves": [ "CVE-2024-27956" ], "cwes": [ "CWE-502" ] }, "crowdsecurity/vpatch-CVE-2024-28255": { "name": "crowdsecurity/vpatch-CVE-2024-28255", "description": "OpenMetadata - Authentication Bypass (CVE-2024-28255)", "label": "OpenMetadata - Authentication Bypass", "behaviors": [ "http:exploit" ], "mitre_attacks": [ "TA0043:T1595", "TA0001:T1190" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "http", "created_at": "2024-07-31 11:07:41", "cves": [ "CVE-2024-28255" ], "cwes": [ "CWE-94" ] }, "crowdsecurity/vpatch-CVE-2024-28987": { "name": "crowdsecurity/vpatch-CVE-2024-28987", "description": "SolarWinds WHD Hardcoded Credentials (CVE-2024-28987)", "label": "SolarWinds WHD Hardcoded Credentials", "behaviors": [ "http:exploit" ], "mitre_attacks": [ "TA0043:T1595", "TA0001:T1190" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "http", "created_at": "2024-10-25 09:33:36", "cves": [ "CVE-2024-28987" ], "cwes": [ "CWE-798" ] }, "crowdsecurity/vpatch-CVE-2024-29824": { "name": "crowdsecurity/vpatch-CVE-2024-29824", "description": "Ivanti EPM - SQLi (CVE-2024-29824)", "label": "Ivanti EPM - SQLi", "behaviors": [ "http:exploit" ], "mitre_attacks": [ "TA0043:T1595", "TA0001:T1190" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "http", "created_at": "2024-08-22 17:02:07", "cves": [ "CVE-2024-29824" ], "cwes": [ "CWE-89" ] }, "crowdsecurity/vpatch-CVE-2024-29849": { "name": "crowdsecurity/vpatch-CVE-2024-29849", 
"description": "Veeam Backup Enterprise Manager - Authentication Bypass (CVE-2024-29849)", "label": "Veeam Backup Enterprise Manager - Authentication Bypass", "behaviors": [ "http:exploit" ], "mitre_attacks": [ "TA0043:T1595", "TA0001:T1190" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "http", "created_at": "2024-06-19 16:51:07", "cves": [ "CVE-2024-29849" ] }, "crowdsecurity/vpatch-CVE-2024-29973": { "name": "crowdsecurity/vpatch-CVE-2024-29973", "description": "Zyxel - RCE (CVE-2024-29973)", "label": "Zyxel - RCE", "behaviors": [ "http:exploit" ], "mitre_attacks": [ "TA0043:T1595", "TA0001:T1190" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "http", "created_at": "2024-09-12 18:08:34", "cves": [ "CVE-2024-29973" ], "cwes": [ "CWE-78" ] }, "crowdsecurity/vpatch-CVE-2024-32113": { "name": "crowdsecurity/vpatch-CVE-2024-32113", "description": "Apache OFBiz - Path Traversal (CVE-2024-32113)", "label": "Apache OFBiz - Path Traversal", "behaviors": [ "http:exploit" ], "mitre_attacks": [ "TA0043:T1595", "TA0001:T1190" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "http", "created_at": "2024-07-19 15:56:16", "cves": [ "CVE-2024-32113" ], "cwes": [ "CWE-22" ] }, "crowdsecurity/vpatch-CVE-2024-3272": { "name": "crowdsecurity/vpatch-CVE-2024-3272", "description": "D-Link NAS - RCE (CVE-2024-3272)", "label": "D-Link NAS - RCE", "behaviors": [ "http:exploit" ], "mitre_attacks": [ "TA0043:T1595", "TA0001:T1190" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "http", "created_at": "2024-07-19 15:56:16", "cves": [ "CVE-2024-3272" ], "cwes": [ "CWE-287" ] }, "crowdsecurity/vpatch-CVE-2024-3273": { "name": "crowdsecurity/vpatch-CVE-2024-3273", "description": "D-LINK NAS Command Injection (CVE-2024-3273)", "label": "D-LINK NAS Command Injection", "behaviors": [ "http:exploit" ], "mitre_attacks": [ "TA0043:T1595", "TA0001:T1190" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "http", "created_at": "2024-05-08 
15:12:35", "cves": [ "CVE-2024-3273" ] }, "crowdsecurity/vpatch-CVE-2024-32870": { "name": "crowdsecurity/vpatch-CVE-2024-32870", "description": "Detects unauthorized access to iTop Hub Connector information disclosure endpoint.", "label": "ITop - Information Disclosure", "behaviors": [ "http:exploit" ], "mitre_attacks": [ "TA0043:T1592" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "http", "created_at": "2025-05-09 11:41:10", "cves": [ "CVE-2024-32870" ], "cwes": [ "CWE-200" ] }, "crowdsecurity/vpatch-CVE-2024-34102": { "name": "crowdsecurity/vpatch-CVE-2024-34102", "description": "Adobe Commerce & Magento - XXE (CVE-2024-34102)", "label": "Adobe Commerce & Magento - XXE", "behaviors": [ "http:exploit" ], "mitre_attacks": [ "TA0043:T1595", "TA0001:T1190" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "http", "created_at": "2024-09-12 18:08:34", "cves": [ "CVE-2024-34102" ], "cwes": [ "CWE-611" ] }, "crowdsecurity/vpatch-CVE-2024-38816": { "name": "crowdsecurity/vpatch-CVE-2024-38816", "description": "Spring - Path Traversal (CVE-2024-38816)", "label": "Spring - Path Traversal", "behaviors": [ "http:exploit" ], "mitre_attacks": [ "TA0043:T1595", "TA0001:T1190" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "http", "created_at": "2025-01-21 15:51:45", "cves": [ "CVE-2024-38816" ], "cwes": [ "CWE-22" ] }, "crowdsecurity/vpatch-CVE-2024-38856": { "name": "crowdsecurity/vpatch-CVE-2024-38856", "description": "Apache OFBiz Incorrect Authorization (CVE-2024-38856)", "label": "Apache OFBiz Incorrect Authorization", "behaviors": [ "http:exploit" ], "mitre_attacks": [ "TA0043:T1595", "TA0001:T1190" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "http", "created_at": "2024-10-25 09:33:36", "cves": [ "CVE-2024-38856" ], "cwes": [ "CWE-853" ] }, "crowdsecurity/vpatch-CVE-2024-41713": { "name": "crowdsecurity/vpatch-CVE-2024-41713", "description": "Mitel MiCollab - Path Traversal (CVE-2024-41713)", "label": "Mitel MiCollab - 
Path Traversal", "behaviors": [ "http:exploit" ], "mitre_attacks": [ "TA0043:T1595", "TA0001:T1190" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "http", "created_at": "2025-01-21 17:30:59", "cves": [ "CVE-2024-41713" ], "cwes": [ "CWE-22" ] }, "crowdsecurity/vpatch-CVE-2024-4577": { "name": "crowdsecurity/vpatch-CVE-2024-4577", "description": "PHP CGI Command Injection - CVE-2024-4577", "label": "PHP CGI Command Injection - CVE-2024-4577", "behaviors": [ "http:exploit" ], "mitre_attacks": [ "TA0043:T1595", "TA0001:T1190", "TA0002:T1059" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "http", "created_at": "2024-06-10 17:43:47", "cves": [ "CVE-2024-4577" ], "cwes": [ "CWE-74", "CWE-88", "CWE-707" ] }, "crowdsecurity/vpatch-CVE-2024-51378": { "name": "crowdsecurity/vpatch-CVE-2024-51378", "description": "Cyberpanel - RCE (CVE-2024-51378)", "label": "Cyberpanel - RCE", "behaviors": [ "http:exploit" ], "mitre_attacks": [ "TA0043:T1595", "TA0001:T1190" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "http", "created_at": "2025-01-21 16:48:37", "cves": [ "CVE-2024-51378" ], "cwes": [ "CWE-78" ] }, "crowdsecurity/vpatch-CVE-2024-51567": { "name": "crowdsecurity/vpatch-CVE-2024-51567", "description": "CyberPanel RCE (CVE-2024-51567)", "label": "CyberPanel RCE", "behaviors": [ "http:exploit" ], "mitre_attacks": [ "TA0043:T1595", "TA0001:T1190" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "http", "created_at": "2024-11-13 16:49:31", "cves": [ "CVE-2024-51567" ], "cwes": [ "CWE-306", "CWE-276" ] }, "crowdsecurity/vpatch-CVE-2024-52301": { "name": "crowdsecurity/vpatch-CVE-2024-52301", "description": "Laravel - Parameter Injection (CVE-2024-52301)", "label": "Laravel - Parameter Injection", "behaviors": [ "http:exploit" ], "mitre_attacks": [ "TA0043:T1595", "TA0001:T1190" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "http", "created_at": "2024-11-21 09:54:14", "cves": [ "CVE-2024-52301" ], "cwes": [ "CWE-88" 
] }, "crowdsecurity/vpatch-CVE-2024-57727": { "name": "crowdsecurity/vpatch-CVE-2024-57727", "description": "Detects unauthenticated path traversal attempts targeting SimpleHelp <= 5.5.7", "label": "SimpleHelp - Path Traversal", "behaviors": [ "http:exploit" ], "mitre_attacks": [ "TA0001:T1190" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "http", "created_at": "2025-04-02 15:24:15", "cves": [ "CVE-2024-57727" ], "cwes": [ "CWE-22" ] }, "crowdsecurity/vpatch-CVE-2024-6205": { "name": "crowdsecurity/vpatch-CVE-2024-6205", "description": "PayPlus Payment Gateway WordPress plugin - SQL Injection (CVE-2024-6205)", "label": "PayPlus Payment Gateway WordPress plugin - SQL Injection", "behaviors": [ "http:exploit" ], "mitre_attacks": [ "TA0043:T1595", "TA0001:T1190" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "http", "created_at": "2025-02-03 14:11:18", "cves": [ "CVE-2024-6205" ], "cwes": [ "CWE-89" ] }, "crowdsecurity/vpatch-CVE-2024-7593": { "name": "crowdsecurity/vpatch-CVE-2024-7593", "description": "Ivanti vTM - Authentication Bypass (CVE-2024-7593)", "label": "Ivanti vTM - Authentication Bypass", "behaviors": [ "http:exploit" ], "mitre_attacks": [ "TA0001:T1190" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "http", "created_at": "2024-11-20 15:31:41", "cves": [ "CVE-2024-7593" ], "cwes": [ "CWE-287", "CWE-303" ] }, "crowdsecurity/vpatch-CVE-2024-8190": { "name": "crowdsecurity/vpatch-CVE-2024-8190", "description": "Ivanti Cloud Services Appliance - RCE (CVE-2024-8190)", "label": "Ivanti Cloud Services Appliance - RCE", "behaviors": [ "http:exploit" ], "mitre_attacks": [ "TA0043:T1595", "TA0001:T1190" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "http", "created_at": "2024-09-23 15:35:04", "cves": [ "CVE-2024-8190" ], "cwes": [ "CWE-78" ] }, "crowdsecurity/vpatch-CVE-2024-8963": { "name": "crowdsecurity/vpatch-CVE-2024-8963", "description": "Ivanti CSA - Path Traversal (CVE-2024-8963)", "label": "Ivanti CSA 
- Path Traversal", "behaviors": [ "http:exploit" ], "mitre_attacks": [ "TA0043:T1595", "TA0001:T1190" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "http", "created_at": "2024-11-27 16:54:59", "cves": [ "CVE-2024-8963" ], "cwes": [ "CWE-22" ] }, "crowdsecurity/vpatch-CVE-2024-9465": { "name": "crowdsecurity/vpatch-CVE-2024-9465", "description": "Palo Alto Expedition - SQL Injection (CVE-2024-9465)", "label": "Palo Alto Expedition - SQL Injection", "behaviors": [ "http:exploit" ], "mitre_attacks": [ "TA0043:T1595", "TA0001:T1190" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "http", "created_at": "2025-01-21 16:48:37", "cves": [ "CVE-2024-9465" ], "cwes": [ "CWE-89" ] }, "crowdsecurity/vpatch-CVE-2024-9474": { "name": "crowdsecurity/vpatch-CVE-2024-9474", "description": "PanOS - Privilege Escalation (CVE-2024-9474)", "label": "PanOS - Privilege Escalation (CVE-2024-9474)", "behaviors": [ "http:exploit" ], "mitre_attacks": [ "TA0043:T1595", "TA0001:T1190" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "http", "created_at": "2024-11-20 15:53:39", "cves": [ "CVE-2024-9474" ], "cwes": [ "CWE-78" ] }, "crowdsecurity/vpatch-CVE-2025-24893": { "name": "crowdsecurity/vpatch-CVE-2025-24893", "description": "Detects arbitrary remote code execution vulnerability in XWiki via SolrSearch.", "label": "XWiki - RCE", "behaviors": [ "http:exploit" ], "mitre_attacks": [ "TA0001:T1190" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "http", "created_at": "2025-04-02 15:17:39", "cves": [ "CVE-2025-24893" ], "cwes": [ "CWE-95" ] }, "crowdsecurity/vpatch-CVE-2025-28367": { "name": "crowdsecurity/vpatch-CVE-2025-28367", "description": "Detects directory traversal in mojoPortal BetterImageGallery API Controller (CVE-2025-28367)", "label": "MojoPortal - LFI", "behaviors": [ "http:exploit" ], "mitre_attacks": [ "TA0005:T1006" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "http", "created_at": "2025-05-09 11:39:12", "cves": [ 
"CVE-2025-28367" ], "cwes": [ "CWE-284" ] }, "crowdsecurity/vpatch-CVE-2025-29927": { "name": "crowdsecurity/vpatch-CVE-2025-29927", "description": "Next.js Middleware Bypass - (CVE-2025-29927)", "label": "Next.js Middleware Bypass", "behaviors": [ "http:exploit" ], "mitre_attacks": [ "TA0043:T1595", "TA0001:T1190" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "http", "created_at": "2025-03-24 09:57:28", "cves": [ "CVE-2025-29927" ], "cwes": [ "CWE-285" ] }, "crowdsecurity/vpatch-CVE-2025-31161": { "name": "crowdsecurity/vpatch-CVE-2025-31161", "description": "Detects authentication bypass in CrushFTP via crafted Authorization header and specific endpoint access.", "label": "CrushFTP - Authentication Bypass", "behaviors": [ "http:exploit" ], "mitre_attacks": [ "TA0001:T1190" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "http", "created_at": "2025-05-09 12:41:54", "cves": [ "CVE-2025-31161" ], "cwes": [ "CWE-287" ] }, "crowdsecurity/vpatch-CVE-2025-31324": { "name": "crowdsecurity/vpatch-CVE-2025-31324", "description": "SAP NetWeaver - File Upload (CVE-2025-31324)", "label": "SAP NetWeaver - File Upload", "behaviors": [ "http:exploit" ], "mitre_attacks": [ "TA0043:T1595", "TA0001:T1190" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "http", "created_at": "2025-05-09 13:00:23", "cves": [ "CVE-2025-31324" ], "cwes": [ "CWE-434" ] }, "crowdsecurity/vpatch-CVE-2025-3248": { "name": "crowdsecurity/vpatch-CVE-2025-3248", "description": "Detects unauthenticated remote code execution in Langflow via /api/v1/validate/code endpoint.", "label": "Langflow - RCE", "behaviors": [ "http:exploit" ], "mitre_attacks": [ "TA0001:T1190" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "http", "created_at": "2025-05-09 11:38:09", "cves": [ "CVE-2025-3248" ], "cwes": [ "CWE-306" ] }, "crowdsecurity/vpatch-connectwise-auth-bypass": { "name": "crowdsecurity/vpatch-connectwise-auth-bypass", "description": "Detect exploitation of auth 
bypass in ConnectWise ScreenConnect", "label": "ConnectWise ScreenConnect - Auth Bypass", "behaviors": [ "http:exploit" ], "mitre_attacks": [ "TA0043:T1595", "TA0001:T1190" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "http", "created_at": "2024-03-13 16:49:19", "cves": [ "CVE-2024-1709" ] }, "crowdsecurity/vpatch-env-access": { "name": "crowdsecurity/vpatch-env-access", "description": "Detect access to .env files", "label": "Access to .env file", "behaviors": [ "http:scan" ], "mitre_attacks": [ "TA0043:T1595", "TA0001:T1190" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "http", "created_at": "2023-12-15 16:51:44" }, "crowdsecurity/vpatch-git-config": { "name": "crowdsecurity/vpatch-git-config", "description": "Detect access to .git files", "label": "Access to .git file", "behaviors": [ "http:scan" ], "mitre_attacks": [ "TA0043:T1595" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "http", "created_at": "2024-07-18 17:28:39" }, "crowdsecurity/vpatch-laravel-debug-mode": { "name": "crowdsecurity/vpatch-laravel-debug-mode", "description": "Detect bots exploiting laravel debug mode", "label": "Access to laravel debug mode", "behaviors": [ "http:scan" ], "mitre_attacks": [ "TA0043:T1595", "TA0001:T1190" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "http", "created_at": "2023-12-23 11:18:19", "cves": [ "CVE-2017-16894", "CVE-2021-41714", "CVE-2019-17050" ] }, "crowdsecurity/vpatch-symfony-profiler": { "name": "crowdsecurity/vpatch-symfony-profiler", "description": "Detect abuse of symfony profiler", "label": "Access to symfony profiler", "behaviors": [ "http:scan" ], "mitre_attacks": [ "TA0043:T1595", "TA0001:T1190" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "http", "created_at": "2024-02-02 15:29:31" }, "Dominic-Wagner/vaultwarden-bf": { "name": "Dominic-Wagner/vaultwarden-bf", "description": "Detect vaultwarden bruteforce", "label": "Vaultwarden Bruteforce", "behaviors": [ "generic:bruteforce" ], 
"mitre_attacks": [ "TA0006:T1110" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "vaultwarden", "created_at": "2023-10-06 15:17:26" }, "Dominic-Wagner/vaultwarden-bf_user-enum": { "name": "Dominic-Wagner/vaultwarden-bf_user-enum", "description": "Detect vaultwarden user enum bruteforce", "label": "Vaultwarden User Enumeration", "behaviors": [ "generic:bruteforce" ], "mitre_attacks": [ "TA0043:T1589", "TA0006:T1110" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "vaultwarden", "created_at": "2023-10-06 15:17:26" }, "LePresidente/adguardhome-bf": { "name": "LePresidente/adguardhome-bf", "description": "Detect AdGuardHome bruteforce attacks", "label": "AdGuardHome Bruteforce", "behaviors": [ "http:bruteforce" ], "mitre_attacks": [ "TA0006:T1110" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "adguardhome", "created_at": "2023-10-06 15:17:26" }, "LePresidente/authelia-bf": { "name": "LePresidente/authelia-bf", "description": "Detect authelia bruteforce", "label": "Authelia Bruteforce", "behaviors": [ "http:bruteforce" ], "mitre_attacks": [ "TA0006:T1110" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "authelia", "created_at": "2024-03-12 16:42:44" }, "LePresidente/authelia-bf_user-enum": { "name": "LePresidente/authelia-bf_user-enum", "description": "Detect authelia user enum bruteforce", "label": "Authelia User Enumeration", "behaviors": [ "http:bruteforce" ], "mitre_attacks": [ "TA0043:T1589", "TA0006:T1110" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "authelia", "created_at": "2024-03-12 16:42:44" }, "LePresidente/emby-bf": { "name": "LePresidente/emby-bf", "description": "Detect emby bruteforce", "label": "Emby Bruteforce", "behaviors": [ "http:bruteforce" ], "mitre_attacks": [ "TA0006:T1110" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "emby", "created_at": "2023-10-06 15:17:26" }, "LePresidente/gitea-bf": { "name": "LePresidente/gitea-bf", "description": "Detect gitea bruteforce", 
"label": "Gitea Bruteforce", "behaviors": [ "vcs:bruteforce" ], "mitre_attacks": [ "TA0006:T1110" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "gitea", "created_at": "2023-10-06 15:17:26" }, "LePresidente/gitea-bf_user-enum": { "name": "LePresidente/gitea-bf_user-enum", "description": "Detect gitea user enum bruteforce", "label": "Gitea User Enumeration", "behaviors": [ "vcs:bruteforce" ], "mitre_attacks": [ "TA0043:T1589", "TA0006:T1110" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "gitea", "created_at": "2023-10-06 15:17:26" }, "LePresidente/grafana-bf": { "name": "LePresidente/grafana-bf", "description": "Detect grafana bruteforce", "label": "Grafana Bruteforce", "behaviors": [ "http:bruteforce" ], "mitre_attacks": [ "TA0006:T1110" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "grafana", "created_at": "2024-03-14 11:06:51" }, "LePresidente/harbor-bf": { "name": "LePresidente/harbor-bf", "description": "Detect harbor bruteforce", "label": "Harbor Bruteforce", "behaviors": [ "http:bruteforce" ], "mitre_attacks": [ "TA0006:T1110" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "harbor", "created_at": "2023-10-06 15:17:26" }, "LePresidente/harbor-bf_user-enum": { "name": "LePresidente/harbor-bf_user-enum", "description": "Detect harbor user enum bruteforce", "label": "Harbor User Enumeration", "behaviors": [ "http:bruteforce" ], "mitre_attacks": [ "TA0043:T1589", "TA0006:T1110" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "harbor", "created_at": "2023-10-06 15:17:26" }, "LePresidente/jellyfin-bf": { "name": "LePresidente/jellyfin-bf", "description": "Detect jellyfin bruteforce", "label": "Jellyfin Bruteforce", "behaviors": [ "http:bruteforce" ], "mitre_attacks": [ "TA0006:T1110" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "jellyfin", "created_at": "2023-10-06 15:17:26" }, "LePresidente/jellyfin-bf_user-enum": { "name": "LePresidente/jellyfin-bf_user-enum", "description": "Detect 
jellyfin user enum bruteforce", "label": "Jellyfin User Enumeration", "behaviors": [ "http:bruteforce" ], "mitre_attacks": [ "TA0043:T1589", "TA0006:T1110" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "jellyfin", "created_at": "2023-10-06 15:17:26" }, "LePresidente/jellyseerr-bf": { "name": "LePresidente/jellyseerr-bf", "description": "Detect jellyseerr bruteforce", "label": "Jellyseerr Bruteforce", "behaviors": [ "http:bruteforce" ], "mitre_attacks": [ "TA0006:T1110" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "jellyseerr", "created_at": "2023-10-06 15:17:26" }, "LePresidente/jellyseerr-bf_user-enum": { "name": "LePresidente/jellyseerr-bf_user-enum", "description": "Detect jellyseerr user enum bruteforce", "label": "Jellyseerr User Enumeration", "behaviors": [ "http:bruteforce" ], "mitre_attacks": [ "TA0043:T1589", "TA0006:T1110" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "jellyseerr", "created_at": "2023-10-06 15:17:26" }, "LePresidente/ombi-bf": { "name": "LePresidente/ombi-bf", "description": "Detect Ombi bruteforce", "label": "Ombi Bruteforce", "behaviors": [ "http:bruteforce" ], "mitre_attacks": [ "TA0006:T1110" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "ombi", "created_at": "2023-10-06 15:17:26" }, "LePresidente/overseerr-bf": { "name": "LePresidente/overseerr-bf", "description": "Detect overseerr bruteforce", "label": "Overseerr Bruteforce", "behaviors": [ "http:bruteforce" ], "mitre_attacks": [ "TA0006:T1110" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "overseerr", "created_at": "2024-02-09 15:06:46" }, "LePresidente/overseerr-bf_user-enum": { "name": "LePresidente/overseerr-bf_user-enum", "description": "Detect overseerr user enum bruteforce", "label": "Overseerr User Enumeration", "behaviors": [ "http:bruteforce" ], "mitre_attacks": [ "TA0043:T1589", "TA0006:T1110" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "overseerr", "created_at": "2024-02-09 15:06:46" }, 
"LePresidente/redmine-bf": { "name": "LePresidente/redmine-bf", "description": "Detect Redmine bruteforce attacks", "label": "Redmine Bruteforce", "behaviors": [ "http:bruteforce" ], "mitre_attacks": [ "TA0006:T1110" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "redmine", "created_at": "2023-10-06 15:17:26" }, "LePresidente/redmine-bf_user-enum": { "name": "LePresidente/redmine-bf_user-enum", "description": "Detect Redmine user enum bruteforce", "label": "Redmine Enumeration", "behaviors": [ "http:bruteforce" ], "mitre_attacks": [ "TA0043:T1589", "TA0006:T1110" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "redmine", "created_at": "2023-10-06 15:17:26" }, "lepresidente/ssh-bad-keyexchange-bf": { "name": "lepresidente/ssh-bad-keyexchange-bf", "description": "Detect ssh bad key exchange", "label": "SSH Bad Key Bruteforce", "behaviors": [ "ssh:bruteforce" ], "mitre_attacks": [ "TA0006:T1110" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "ssh", "created_at": "2023-10-06 15:17:26" }, "LearningSpot/baserow-bf": { "name": "LearningSpot/baserow-bf", "description": "Detect failed login for Baserow", "label": "Baserow Bruteforce", "behaviors": [ "http:bruteforce" ], "mitre_attacks": [ "TA0006:T1110" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "baserow", "created_at": "2025-05-02 09:01:36" }, "LearningSpot/dockge-bf": { "name": "LearningSpot/dockge-bf", "description": "Detect Dockge Bruteforce", "label": "Dockge Bruteforce", "behaviors": [ "http:bruteforce" ], "mitre_attacks": [ "TA0006:T1110" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "dockge", "created_at": "2025-03-24 17:00:57" }, "LearningSpot/dockge_bf_user_enum": { "name": "LearningSpot/dockge_bf_user_enum", "description": "Detect Dockge User Enumeration Bruteforce", "label": "Dockge User Enumeration", "behaviors": [ "http:bruteforce" ], "mitre_attacks": [ "TA0043:T1589", "TA0006:T1110" ], "confidence": 3, "spoofable": 0, "cti": true, "service": 
"dockge", "created_at": "2025-03-24 17:00:57" }, "LearningSpot/hestiacp-bf": { "name": "LearningSpot/hestiacp-bf", "description": "Detect Hestiacp Bruteforce", "label": "hestiacp Bruteforce", "behaviors": [ "http:bruteforce" ], "mitre_attacks": [ "TA0006:T1110" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "hestiacp", "created_at": "2025-05-01 18:24:27" }, "LearningSpot/hestiacp-bf-user-enum": { "name": "LearningSpot/hestiacp-bf-user-enum", "description": "Detect Hestiacp User Enumeration Bruteforce", "label": "Hestiacp User Enumeration", "behaviors": [ "http:bruteforce" ], "mitre_attacks": [ "TA0043:T1589", "TA0006:T1110" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "hestiacp", "created_at": "2025-05-01 18:24:27" }, "LearningSpot/litellm-bf": { "name": "LearningSpot/litellm-bf", "description": "Detect bruteforce attempts to Litellm", "label": "Litellm Bruteforce", "behaviors": [ "http:bruteforce" ], "mitre_attacks": [ "TA0006:T1110" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "litellm", "created_at": "2025-05-01 19:03:17" }, "MariuszKociubinski/bitwarden-bf": { "name": "MariuszKociubinski/bitwarden-bf", "description": "Detect bitwarden bruteforce", "label": "Bitwarden User Enumeration", "behaviors": [ "generic:bruteforce" ], "mitre_attacks": [ "TA0006:T1110" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "bitwarden", "created_at": "2023-10-06 15:17:26" }, "MrShippeR/filebrowser-bf": { "name": "MrShippeR/filebrowser-bf", "description": "Detect FileBrowser bruteforce login attempts", "label": "Filebrowser bruteforce", "behaviors": [ "generic:bruteforce" ], "mitre_attacks": [ "TA0006:T1110" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "filebrowser", "created_at": "2025-05-01 12:29:44" }, "a1ad/meshcentral-bf": { "name": "a1ad/meshcentral-bf", "description": "Detect meshcentral bruteforce", "label": "MeshCentral Bruteforce", "behaviors": [ "http:bruteforce" ], "mitre_attacks": [ "TA0006:T1110" ], 
"confidence": 3, "spoofable": 0, "cti": true, "service": "meshcentral", "created_at": "2023-10-06 15:17:26" }, "a1ad/meshcentral-bf_user-enum": { "name": "a1ad/meshcentral-bf_user-enum", "description": "Detect meshcentral user enum bruteforce", "label": "MeshCentral User Enumeration", "behaviors": [ "http:bruteforce" ], "mitre_attacks": [ "TA0043:T1589", "TA0006:T1110" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "meshcentral", "created_at": "2023-10-06 15:17:26" }, "a1ad/mikrotik-bf": { "name": "a1ad/mikrotik-bf", "description": "Detect Mikrotik bruteforce", "label": "Mikrotik Bruteforce", "behaviors": [ "iot:bruteforce" ], "mitre_attacks": [ "TA0006:T1110" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "mikrotik", "created_at": "2023-10-06 15:17:26" }, "a1ad/mikrotik-bf_user-enum": { "name": "a1ad/mikrotik-bf_user-enum", "description": "Detect mikrotik user enum bruteforce", "label": "Mikrotik User Enumeration", "behaviors": [ "iot:bruteforce" ], "mitre_attacks": [ "TA0043:T1589", "TA0006:T1110" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "mikrotik", "created_at": "2023-10-06 15:17:26" }, "a1ad/mikrotik-scan-multi_ports": { "name": "a1ad/mikrotik-scan-multi_ports", "description": "Detect port scanning from a single IP on a MikroTik router", "label": "MikroTik Port Scanning", "behaviors": [ "tcp:scan" ], "mitre_attacks": [ "TA0043:T1595", "TA0007:T1018", "TA0007:T1046" ], "confidence": 1, "spoofable": 2, "cti": true, "service": "mikrotik", "created_at": "2024-02-09 15:06:46" }, "aidalinfo/couchdb-slow-bf": { "name": "aidalinfo/couchdb-slow-bf", "description": "Detect slow Couchdb bruteforce/enum", "label": "Couchdb Slow Bruteforce", "behaviors": [], "mitre_attacks": [ "TA0006:T1110" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "couchdb", "created_at": "2024-02-05 15:43:52" }, "aidalinfo/couchdb-bf": { "name": "aidalinfo/couchdb-bf", "description": "Detect Couchdb bruteforce/enum", "label": "Couchdb Bruteforce", 
"behaviors": [], "mitre_attacks": [ "TA0006:T1110" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "couchdb", "created_at": "2024-02-05 15:43:52" }, "aidalinfo/couchdb-crawl": { "name": "aidalinfo/couchdb-crawl", "description": "Detect aggressive crawl on CouchDB", "label": "CouchDB Crawl", "behaviors": [ "http:crawl" ], "mitre_attacks": [ "TA0043:T1595" ], "confidence": 1, "spoofable": 0, "cti": true, "service": "couchdb", "created_at": "2024-02-09 15:06:46" }, "aidalinfo/tcpudp-flood-traefik": { "name": "aidalinfo/tcpudp-flood-traefik", "description": "Detect TCP/UDP flood", "label": "UDP or TCP Flood Traefik", "behaviors": [], "mitre_attacks": [ "TA0040:T1498" ], "confidence": 2, "spoofable": 0, "cti": true, "service": null, "created_at": "2024-01-18 09:01:59" }, "andreasbrett/baikal-bf": { "name": "andreasbrett/baikal-bf", "description": "Detect Baikal bruteforce attacks", "label": "Baikal Bruteforce Attacks", "behaviors": [ "http:bruteforce" ], "mitre_attacks": [ "TA0006:T1110" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "baikal", "created_at": "2023-10-06 15:17:26" }, "andreasbrett/baikal-bf_user-enum": { "name": "andreasbrett/baikal-bf_user-enum", "description": "Detect Baikal user enum bruteforce", "label": "Baikal User Enum Bruteforce", "behaviors": [ "http:bruteforce" ], "mitre_attacks": [ "TA0006:T1110" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "baikal", "created_at": "2023-10-06 15:17:26" }, "andreasbrett/paperless-ngx-bf": { "name": "andreasbrett/paperless-ngx-bf", "description": "Detect Paperless-ngx bruteforce attacks", "label": "Paperless-ngx Bruteforce", "behaviors": [ "http:bruteforce" ], "mitre_attacks": [ "TA0006:T1110" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "paperless-ngx", "created_at": "2023-10-06 18:53:50" }, "andreasbrett/paperless-ngx-bf_user-enum": { "name": "andreasbrett/paperless-ngx-bf_user-enum", "description": "Detect Paperless-ngx user enum bruteforce", "label": 
"Paperless-ngx User Enumeration", "behaviors": [ "http:bruteforce" ], "mitre_attacks": [ "TA0043:T1589" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "paperless-ngx", "created_at": "2023-10-06 18:53:50" }, "andreasbrett/webmin-bf": { "name": "andreasbrett/webmin-bf", "description": "Detect Webmin bruteforce attacks", "label": "Webmin Bruteforce", "behaviors": [ "http:bruteforce" ], "mitre_attacks": [ "TA0006:T1110" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "webmin", "created_at": "2023-10-06 15:17:26" }, "andreasbrett/webmin-bf_user-enum": { "name": "andreasbrett/webmin-bf_user-enum", "description": "Detect Webmin user enum bruteforce", "label": "Webmin Bruteforce", "behaviors": [ "http:bruteforce" ], "mitre_attacks": [ "TA0043:T1589" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "webmin", "created_at": "2023-10-06 15:17:26" }, "barnoux/crs-anomaly-score": { "name": "barnoux/crs-anomaly-score", "description": "Web exploitation detected via Core Rule Set inbound anomaly scoring set by the user in crs-setup.conf", "label": "CRS Anomaly Alert", "behaviors": [ "http:exploit" ], "mitre_attacks": [ "TA0043:T1595", "TA0001:T1190" ], "confidence": 2, "spoofable": 0, "cti": true, "service": "http", "created_at": "2025-02-03 22:29:58" }, "baudneo/gotify-bf": { "name": "baudneo/gotify-bf", "description": "Detect bruteforce", "label": "Gotify Bruteforce", "behaviors": [ "http:bruteforce" ], "mitre_attacks": [ "TA0006:T1110" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "gotify", "created_at": "2023-12-28 09:51:49" }, "baudneo/zoneminder-bf": { "name": "baudneo/zoneminder-bf", "description": "Detect ZoneMinder user enumeration", "label": "Zoneminder user enumeration", "behaviors": [ "http:bruteforce" ], "mitre_attacks": [ "TA0043:T1589", "TA0006:T1110" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "zoneminder", "created_at": "2023-10-06 15:17:26" }, "baudneo/zoneminder_cve-2022-39285": { "name": 
"baudneo/zoneminder_cve-2022-39285", "description": "Detect cve-2022-39285 exploitation attempts", "label": "Zoneminder CVE-2022-39285", "behaviors": [ "http:exploit" ], "mitre_attacks": [ "TA0043:T1595", "TA0001:T1190" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "zoneminder", "created_at": "2023-10-06 15:17:26", "cves": [ "CVE-2022-39285" ] }, "baudneo/zoneminder_cve-2022-39290": { "name": "baudneo/zoneminder_cve-2022-39290", "description": "Detect cve-2022-39290 exploitation attempts", "label": "Zoneminder CVE-2022-39290", "behaviors": [ "http:exploit" ], "mitre_attacks": [ "TA0043:T1595", "TA0001:T1190" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "zoneminder", "created_at": "2023-10-06 15:17:26", "cves": [ "CVE-2022-39290" ] }, "baudneo/zoneminder_cve-2022-39291": { "name": "baudneo/zoneminder_cve-2022-39291", "description": "Detect cve-2022-39291 exploitation attempts", "label": "Zoneminder CVE-2022-39291", "behaviors": [ "http:exploit" ], "mitre_attacks": [ "TA0043:T1595", "TA0001:T1190" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "zoneminder", "created_at": "2023-10-06 15:17:26", "cves": [ "CVE-2022-39291" ] }, "bouddha-fr/opensearch-dashboard-bf": { "name": "bouddha-fr/opensearch-dashboard-bf", "description": "Detect bruteforce attempts on OpenSearch web interface", "label": "OpenSearch Bruteforce", "behaviors": [ "http:bruteforce" ], "mitre_attacks": [ "TA0006:T1110" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "opensearch", "created_at": "2025-03-19 18:14:43" }, "corvese/apache-guacamole_bf": { "name": "corvese/apache-guacamole_bf", "description": "Detect Apache Guacamole user bruteforce", "label": "Apache Guacamole Bruteforce", "behaviors": [ "http:bruteforce" ], "mitre_attacks": [ "TA0006:T1110" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "apache-guacamole", "created_at": "2023-10-06 15:17:26" }, "corvese/apache-guacamole_user_enum": { "name": 
"corvese/apache-guacamole_user_enum", "description": "Detect Apache Guacamole user enum bruteforce", "label": "Apache Guacamole User Enumeration", "behaviors": [ "http:bruteforce" ], "mitre_attacks": [ "TA0043:T1589", "TA0006:T1110" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "apache-guacamole", "created_at": "2023-10-06 15:17:26" }, "crowdsecurity/CVE-2017-9841": { "name": "crowdsecurity/CVE-2017-9841", "description": "Detect CVE-2017-9841 exploits", "label": "PHP Unit Test Framework CVE-2017-9841", "behaviors": [ "http:exploit" ], "mitre_attacks": [ "TA0043:T1595", "TA0001:T1190" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "PHP", "created_at": "2024-02-26 10:45:44", "cves": [ "CVE-2017-9841" ] }, "crowdsecurity/CVE-2019-18935": { "name": "crowdsecurity/CVE-2019-18935", "description": "Detect Telerik CVE-2019-18935 exploitation attempts", "label": "Telerik CVE-2019-18935", "behaviors": [ "http:exploit" ], "mitre_attacks": [ "TA0043:T1595", "TA0001:T1190" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "telerik", "created_at": "2023-10-06 15:17:26", "cves": [ "CVE-2019-18935" ] }, "crowdsecurity/CVE-2021-4034": { "name": "crowdsecurity/CVE-2021-4034", "description": "Detect CVE-2021-4034 exploits", "label": "`pkexec` CVE-2021-4034", "behaviors": [ "generic:exploit" ], "mitre_attacks": [ "TA0004:T1548" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "linux", "created_at": "2023-10-06 15:17:26", "cves": [ "CVE-2021-4034" ] }, "crowdsecurity/CVE-2022-26134": { "name": "crowdsecurity/CVE-2022-26134", "description": "Detect CVE-2022-26134 exploits", "label": "Confluence CVE-2022-26134", "behaviors": [ "http:exploit" ], "mitre_attacks": [ "TA0043:T1595", "TA0001:T1190" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "atlassian-confluence", "created_at": "2023-10-06 15:17:26", "cves": [ "CVE-2022-26134" ] }, "crowdsecurity/CVE-2022-35914": { "name": "crowdsecurity/CVE-2022-35914", "description": "Detect 
CVE-2022-35914 exploits", "label": "GLPI CVE-2022-35914", "behaviors": [ "http:exploit" ], "mitre_attacks": [ "TA0043:T1595", "TA0001:T1190" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "glpi", "created_at": "2023-10-06 15:17:26", "cves": [ "CVE-2022-35914" ] }, "crowdsecurity/CVE-2022-37042": { "name": "crowdsecurity/CVE-2022-37042", "description": "Detect CVE-2022-37042 exploits", "label": "ZCS CVE-2022-37042", "behaviors": [ "http:exploit" ], "mitre_attacks": [ "TA0043:T1595", "TA0001:T1190" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "zimbra", "created_at": "2023-10-06 15:17:26", "cves": [ "CVE-2022-37042" ] }, "crowdsecurity/fortinet-cve-2022-40684": { "name": "crowdsecurity/fortinet-cve-2022-40684", "description": "Detect cve-2022-40684 exploitation attempts", "label": "Fortinet CVE-2022-40684", "behaviors": [ "http:exploit" ], "mitre_attacks": [ "TA0004:T1548" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "fortinet", "created_at": "2023-10-06 15:17:26", "cves": [ "CVE-2022-40684" ] }, "crowdsecurity/CVE-2022-41082": { "name": "crowdsecurity/CVE-2022-41082", "description": "Detect CVE-2022-41082 exploits", "label": "Microsoft Exchange CVE-2022-41082", "behaviors": [ "http:exploit" ], "mitre_attacks": [ "TA0043:T1595", "TA0001:T1190" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "exchange", "created_at": "2023-10-06 15:17:26", "cves": [ "CVE-2022-41082" ] }, "crowdsecurity/CVE-2022-41697": { "name": "crowdsecurity/CVE-2022-41697", "description": "Detect CVE-2022-41697 enumeration", "label": "Ghost CVE-2022-41697", "behaviors": [ "http:exploit" ], "mitre_attacks": [ "TA0043:T1589" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "ghost", "created_at": "2023-10-06 15:17:26", "cves": [ "CVE-2022-41697" ] }, "crowdsecurity/CVE-2022-42889": { "name": "crowdsecurity/CVE-2022-42889", "description": "Detect CVE-2022-42889 exploits (Text4Shell)", "label": "Text4Shell CVE-2022-42889", "behaviors": [ 
"http:exploit" ], "mitre_attacks": [ "TA0043:T1595", "TA0001:T1190" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "apache", "created_at": "2023-10-06 15:17:26", "cves": [ "CVE-2022-42889" ] }, "crowdsecurity/CVE-2022-44877": { "name": "crowdsecurity/CVE-2022-44877", "description": "Detect CVE-2022-44877 exploits", "label": "Centos Webpanel CVE-2022-44877", "behaviors": [ "http:exploit" ], "mitre_attacks": [ "TA0043:T1595", "TA0001:T1190" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "centos", "created_at": "2023-10-06 15:17:26", "cves": [ "CVE-2022-44877" ] }, "crowdsecurity/CVE-2022-46169-bf": { "name": "crowdsecurity/CVE-2022-46169-bf", "description": "Detect CVE-2022-46169 brute forcing", "label": "Cacti CVE-2022-46169", "behaviors": [ "http:bruteforce" ], "mitre_attacks": [ "TA0043:T1592" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "cacti", "created_at": "2023-10-06 15:17:26", "cves": [ "CVE-2022-46169" ] }, "crowdsecurity/CVE-2022-46169-cmd": { "name": "crowdsecurity/CVE-2022-46169-cmd", "description": "Detect CVE-2022-46169 cmd injection", "label": "Cacti CVE-2022-46169", "behaviors": [ "http:exploit" ], "mitre_attacks": [ "TA0043:T1595", "TA0001:T1190" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "cacti", "created_at": "2023-10-06 15:17:26", "cves": [ "CVE-2022-46169" ] }, "crowdsecurity/CVE-2023-22515": { "name": "crowdsecurity/CVE-2023-22515", "description": "Detect CVE-2023-22515 exploitation", "label": "Confluence CVE-2023-22515", "behaviors": [ "http:exploit" ], "mitre_attacks": [ "TA0043:T1595", "TA0001:T1190" ], "confidence": 1, "spoofable": 0, "cti": true, "service": "confluence", "created_at": "2023-10-06 15:39:30", "cves": [ "CVE-2023-22515" ] }, "crowdsecurity/CVE-2023-22518": { "name": "crowdsecurity/CVE-2023-22518", "description": "Detect CVE-2023-22518 exploits", "label": "Atlassian Confluence Server CVE-2023-22518", "behaviors": [ "http:exploit" ], "mitre_attacks": [ "TA0043:T1595", 
"TA0001:T1190" ], "confidence": 1, "spoofable": 0, "cti": true, "service": "Atlassian Confluence", "created_at": "2023-11-06 10:42:38", "cves": [ "CVE-2023-22518" ] }, "crowdsecurity/CVE-2023-23397": { "name": "crowdsecurity/CVE-2023-23397", "description": "Detect CVE-2023-23397 from sysmon events", "label": "Microsoft Outlook CVE-2023-23397", "behaviors": [ "http:exploit" ], "mitre_attacks": [ "TA0004:T1068" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2023-10-06 15:17:26", "cves": [ "CVE-2023-23397" ] }, "crowdsecurity/CVE-2023-49103": { "name": "crowdsecurity/CVE-2023-49103", "description": "Detect owncloud CVE-2023-49103 exploitation attempts", "label": "ownCloud CVE-2023-49103", "behaviors": [ "http:exploit" ], "mitre_attacks": [ "TA0043:T1595", "TA0001:T1190" ], "confidence": 2, "spoofable": 1, "cti": true, "service": "owncloud", "created_at": "2024-02-09 15:06:46", "cves": [ "CVE-2023-49103" ] }, "crowdsecurity/CVE-2023-4911": { "name": "crowdsecurity/CVE-2023-4911", "description": "exploitation of CVE-2023-4911: segfaulting in dynamic loader", "label": "CVE-2023-4911", "behaviors": [ "linux:exploitation" ], "mitre_attacks": [ "TA0004:T1548" ], "confidence": 1, "spoofable": 0, "cti": true, "service": "linux", "created_at": "2023-10-06 18:53:50" }, "crowdsecurity/CVE-2024-0012": { "name": "crowdsecurity/CVE-2024-0012", "description": "Detect CVE-2024-0012 exploitation attempts", "label": "CVE-2024-0012", "behaviors": [ "http:exploit" ], "mitre_attacks": [ "TA0043:T1595", "TA0001:T1190" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "panos", "created_at": "2024-11-20 15:53:39", "cves": [ "CVE-2024-0012" ] }, "crowdsecurity/CVE-2024-38475": { "name": "crowdsecurity/CVE-2024-38475", "description": "Detect CVE-2024-38475 exploitation attempts", "label": "CVE-2024-38475", "behaviors": [ "http:exploit" ], "mitre_attacks": [ "TA0043:T1595", "TA0001:T1190" ], "confidence": 3, "spoofable": 0, "cti": true, 
"service": "apache", "created_at": "2024-08-22 15:15:02", "cves": [ "CVE-2024-38475" ] }, "crowdsecurity/CVE-2024-9474": { "name": "crowdsecurity/CVE-2024-9474", "description": "Detect CVE-2024-9474 exploitation attempts", "label": "CVE-2024-9474", "behaviors": [ "http:exploit" ], "mitre_attacks": [ "TA0043:T1595", "TA0001:T1190" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "panos", "created_at": "2024-11-20 15:53:39", "cves": [ "CVE-2024-9474" ] }, "crowdsecurity/amavis-blocked": { "name": "crowdsecurity/amavis-blocked", "description": "Ban IPs that are blocked by amavis", "label": "Infected Email", "behaviors": [], "mitre_attacks": [ "TA0002:T1203", "TA0002:T1204" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "amavis", "created_at": "2024-03-26 09:37:46" }, "crowdsecurity/apache_log4j2_cve-2021-44228": { "name": "crowdsecurity/apache_log4j2_cve-2021-44228", "description": "Detect cve-2021-44228 exploitation attempts", "label": "Log4j CVE-2021-44228", "behaviors": [ "http:exploit" ], "mitre_attacks": [ "TA0043:T1595", "TA0001:T1190" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "apache", "created_at": "2024-03-18 10:53:46", "cves": [ "CVE-2021-44228" ] }, "crowdsecurity/appsec-native": { "name": "crowdsecurity/appsec-native", "description": "Identify attacks flagged by CrowdSec AppSec via native rules", "label": "Blocked by CrowdSec AppSec", "behaviors": [ "http:exploit" ], "mitre_attacks": [ "TA0006:T1110" ], "confidence": 1, "spoofable": 0, "cti": true, "service": "http", "created_at": "2025-02-28 09:34:04" }, "crowdsecurity/appsec-vpatch": { "name": "crowdsecurity/appsec-vpatch", "description": "Identify attacks flagged by CrowdSec AppSec", "label": "Blocked by CrowdSec AppSec", "behaviors": [ "http:exploit" ], "mitre_attacks": [ "TA0006:T1110" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "http", "created_at": "2025-02-28 09:34:04" }, "crowdsecurity/asterisk_bf": { "name": "crowdsecurity/asterisk_bf", 
"description": "Detect Asterisk user bruteforce", "label": "Asterisk Bruteforce", "behaviors": [ "sip:bruteforce" ], "mitre_attacks": [ "TA0006:T1110" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "asterisk", "created_at": "2024-02-09 15:06:46" }, "crowdsecurity/asterisk_user_enum": { "name": "crowdsecurity/asterisk_user_enum", "description": "Detect Asterisk user enumeration bruteforce", "label": "Asterisk User Enumeration", "behaviors": [ "sip:bruteforce" ], "mitre_attacks": [ "TA0007:T1087", "TA0043:T1589", "TA0006:T1110" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "asterisk", "created_at": "2024-02-09 15:06:46" }, "crowdsecurity/auditd-base64-exec-behavior": { "name": "crowdsecurity/auditd-base64-exec-behavior", "description": "Detect post-exploitation behaviour : base64 + interpreter (perl/bash/python)", "label": "Post Exploitation command execution from base64 encoded payload", "behaviors": [ "linux:post-exploitation" ], "mitre_attacks": [ "TA0002:T1059" ], "confidence": 2, "spoofable": 0, "cti": true, "service": "linux", "created_at": "2023-10-06 15:17:26" }, "crowdsecurity/auditd-postexploit-exec-from-net": { "name": "crowdsecurity/auditd-postexploit-exec-from-net", "description": "Detect post-exploitation behaviour : curl/wget and exec", "label": "Post Exploitation command execution from Internet", "behaviors": [ "linux:post-exploitation" ], "mitre_attacks": [ "TA0002:T1059" ], "confidence": 2, "spoofable": 0, "cti": true, "service": "linux", "created_at": "2023-10-06 15:17:26" }, "crowdsecurity/auditd-postexploit-pkill": { "name": "crowdsecurity/auditd-postexploit-pkill", "description": "Detect post-exploitation behaviour : pkill execve bursts", "label": "Post Exploitation command execution", "behaviors": [ "linux:post-exploitation" ], "mitre_attacks": [ "TA0002:T1059" ], "confidence": 2, "spoofable": 0, "cti": true, "service": "linux", "created_at": "2023-10-06 15:17:26" }, "crowdsecurity/auditd-postexploit-rm": { "name": 
"crowdsecurity/auditd-postexploit-rm", "description": "Detect post-exploitation behaviour : rm execve bursts", "label": "Post Exploitation command execution", "behaviors": [ "linux:post-exploitation" ], "mitre_attacks": [ "TA0002:T1059" ], "confidence": 1, "spoofable": 0, "cti": true, "service": "linux", "created_at": "2023-10-06 15:17:26" }, "crowdsecurity/auditd-suid-crash": { "name": "crowdsecurity/auditd-suid-crash", "description": "Detect root suid process crashing", "label": "Suspicious suid process crash", "behaviors": [ "linux:exploitation" ], "mitre_attacks": [ "TA0004:T1548" ], "confidence": 1, "spoofable": 0, "cti": true, "service": "linux", "created_at": "2023-10-06 18:53:50" }, "crowdsecurity/auditd-sus-exec": { "name": "crowdsecurity/auditd-sus-exec", "description": "Detect post-exploitation behaviour : exec from suspicious locations", "label": "Post Exploitation command execution", "behaviors": [ "linux:post-exploitation" ], "mitre_attacks": [ "TA0002:T1059" ], "confidence": 2, "spoofable": 0, "cti": true, "service": "linux", "created_at": "2023-10-06 15:17:26" }, "crowdsecurity/aws-cloudtrail-bf-console-login": { "name": "crowdsecurity/aws-cloudtrail-bf-console-login", "description": "Detect console login bruteforce", "label": "AWS bruteforce", "behaviors": [ "cloud:bruteforce" ], "mitre_attacks": [ "TA0006:T1110" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "aws", "created_at": "2023-10-06 15:17:26" }, "crowdsecurity/aws-cis-benchmark-cloudtrail-config-change": { "name": "crowdsecurity/aws-cis-benchmark-cloudtrail-config-change", "description": "Detect AWS CloudTrail configuration change", "label": "AWS CloudTrail indicator removal", "behaviors": [ "cloud:audit" ], "mitre_attacks": [ "TA0005:T1070" ], "confidence": 3, "spoofable": 0, "cti": false, "service": "aws", "created_at": "2023-10-06 15:17:26" }, "crowdsecurity/aws-cis-benchmark-config-config-change": { "name": "crowdsecurity/aws-cis-benchmark-config-config-change", 
"description": "Detect AWS Config configuration change", "label": "AWS Config indicator removal", "behaviors": [ "cloud:audit" ], "mitre_attacks": [ "TA0005:T1070" ], "confidence": 3, "spoofable": 0, "cti": false, "service": "aws", "created_at": "2023-10-06 15:17:26" }, "crowdsecurity/aws-cis-benchmark-console-auth-fail": { "name": "crowdsecurity/aws-cis-benchmark-console-auth-fail", "description": "Detect AWS console authentication failure", "label": "AWS bruteforce", "behaviors": [ "cloud:bruteforce" ], "mitre_attacks": [ "TA0006:T1110" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "aws", "created_at": "2023-10-06 15:17:26" }, "crowdsecurity/aws-cis-benchmark-iam-policy-change": { "name": "crowdsecurity/aws-cis-benchmark-iam-policy-change", "description": "Detect AWS IAM policy change", "label": "AWS IAM persistent access", "behaviors": [ "cloud:audit" ], "mitre_attacks": [ "TA0003:T1098" ], "confidence": 3, "spoofable": 0, "cti": false, "service": "aws", "created_at": "2023-10-06 15:17:26" }, "crowdsecurity/aws-cis-benchmark-kms-deletion": { "name": "crowdsecurity/aws-cis-benchmark-kms-deletion", "description": "Detect AWS KMS key deletion", "label": "AWS KMS indicator removal", "behaviors": [ "cloud:audit" ], "mitre_attacks": [ "TA0040:T1485" ], "confidence": 3, "spoofable": 0, "cti": false, "service": "aws", "created_at": "2023-10-06 15:17:26" }, "crowdsecurity/aws-cis-benchmark-login-no-mfa": { "name": "crowdsecurity/aws-cis-benchmark-login-no-mfa", "description": "Detect login without MFA to the AWS console", "label": "AWS Credential misuse", "behaviors": [ "cloud:unusual-activity" ], "mitre_attacks": [ "TA0006:T1552", "TA0003:T1078" ], "confidence": 3, "spoofable": 0, "cti": false, "service": "aws", "created_at": "2023-10-06 15:17:26" }, "crowdsecurity/aws-cis-benchmark-nacl-change": { "name": "crowdsecurity/aws-cis-benchmark-nacl-change", "description": "Detect AWS NACL change", "label": "AWS NACL change", "behaviors": [ "cloud:audit" ], 
"mitre_attacks": [ "TA0005:T1578" ], "confidence": 3, "spoofable": 0, "cti": false, "service": "aws", "created_at": "2023-10-06 15:17:26" }, "crowdsecurity/aws-cis-benchmark-ngw-change": { "name": "crowdsecurity/aws-cis-benchmark-ngw-change", "description": "Detect AWS Network Gateway change", "label": "AWS Network Gateway change", "behaviors": [ "cloud:audit" ], "mitre_attacks": [ "TA0005:T1578" ], "confidence": 3, "spoofable": 0, "cti": false, "service": "aws", "created_at": "2023-10-06 15:17:26" }, "crowdsecurity/aws-cis-benchmark-root-usage": { "name": "crowdsecurity/aws-cis-benchmark-root-usage", "description": "Detect AWS root account usage", "label": "AWS root account usage", "behaviors": [ "cloud:unusual-activity" ], "mitre_attacks": [ "TA0003:T1078", "TA0003:T1098" ], "confidence": 3, "spoofable": 0, "cti": false, "service": "aws", "created_at": "2023-10-06 15:17:26" }, "crowdsecurity/aws-cis-benchmark-route-table-change": { "name": "crowdsecurity/aws-cis-benchmark-route-table-change", "description": "Detect AWS route table change", "label": "AWS route table change", "behaviors": [ "cloud:audit" ], "mitre_attacks": [ "TA0005:T1578" ], "confidence": 3, "spoofable": 0, "cti": false, "service": "aws", "created_at": "2023-10-06 15:17:26" }, "crowdsecurity/aws-cis-benchmark-s3-policy-change": { "name": "crowdsecurity/aws-cis-benchmark-s3-policy-change", "description": "Detect AWS S3 bucket policy change", "label": "AWS S3 bucket policy change", "behaviors": [ "cloud:audit" ], "mitre_attacks": [ "TA0005:T1578" ], "confidence": 3, "spoofable": 0, "cti": false, "service": "aws", "created_at": "2023-10-06 15:17:26" }, "crowdsecurity/aws-cis-benchmark-security-group-change": { "name": "crowdsecurity/aws-cis-benchmark-security-group-change", "description": "Detect AWS Security Group change", "label": "AWS Security Group change", "behaviors": [ "cloud:audit" ], "mitre_attacks": [ "TA0005:T1578" ], "confidence": 3, "spoofable": 0, "cti": false, "service": "aws", 
"created_at": "2023-10-06 15:17:26" }, "crowdsecurity/aws-cis-benchmark-unauthorized-call": { "name": "crowdsecurity/aws-cis-benchmark-unauthorized-call", "description": "Detect AWS API unauthorized calls", "label": "AWS API unauthorized calls", "behaviors": [ "cloud:audit" ], "mitre_attacks": [ "TA0006:T1212" ], "confidence": 3, "spoofable": 0, "cti": false, "service": "aws", "created_at": "2023-10-06 15:17:26" }, "crowdsecurity/aws-cis-benchmark-vpc-change": { "name": "crowdsecurity/aws-cis-benchmark-vpc-change", "description": "Detect AWS VPC change", "label": "AWS VPC change", "behaviors": [ "cloud:audit" ], "mitre_attacks": [ "TA0005:T1578" ], "confidence": 3, "spoofable": 0, "cti": false, "service": "aws", "created_at": "2023-10-06 15:17:26" }, "crowdsecurity/aws-cloudtrail-postexploit": { "name": "crowdsecurity/aws-cloudtrail-postexploit", "description": "postexploitation detection (noisy)", "label": "AWS post-exploitation detection", "behaviors": [ "cloud:audit" ], "mitre_attacks": [ "TA0007:T1087", "TA0007:T1526" ], "confidence": 3, "spoofable": 0, "cti": false, "service": "aws", "created_at": "2023-10-06 15:17:26" }, "crowdsecurity/aws-cloudtrail-nwo-nwd-console-login": { "name": "crowdsecurity/aws-cloudtrail-nwo-nwd-console-login", "description": "Detect console login outside of office hours", "label": "AWS bruteforce", "behaviors": [ "cloud:unusual-activity" ], "mitre_attacks": [ "TA0003:T1078" ], "confidence": 3, "spoofable": 0, "cti": false, "service": "aws", "created_at": "2023-10-06 15:17:26" }, "crowdsecurity/configserver-lfd-bf": { "name": "crowdsecurity/configserver-lfd-bf", "description": "Detects SSH bruteforce attempts blocked by ConfigServer.", "label": "SSH Bruteforce", "behaviors": [ "ssh:bruteforce" ], "mitre_attacks": [ "TA0006:T1110" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "ssh", "created_at": "2024-01-05 10:54:29" }, "crowdsecurity/cpanel-bf-attempt": { "name": "crowdsecurity/cpanel-bf-attempt", "description": 
"Detect bruteforce attempt on cpanel login", "label": "cPanel Bruteforce", "behaviors": [ "http:bruteforce" ], "mitre_attacks": [ "TA0006:T1110" ], "confidence": 1, "spoofable": 0, "cti": true, "service": "cpanel", "created_at": "2024-02-09 15:06:46" }, "crowdsecurity/cpanel-bf": { "name": "crowdsecurity/cpanel-bf", "description": "Detect bruteforce on cpanel login", "label": "cPanel Bruteforce", "behaviors": [ "http:bruteforce" ], "mitre_attacks": [ "TA0006:T1110" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "cpanel", "created_at": "2024-02-09 15:06:46" }, "crowdsecurity/crowdsec-appsec-inband": { "name": "crowdsecurity/crowdsec-appsec-inband", "description": "IP has triggered multiple InBand CrowdSec appsec rules", "label": "Triggered multiple InBand CrowdSec AppSec rules", "behaviors": [ "http:exploit" ], "mitre_attacks": [ "TA0001:T1190" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "http", "created_at": "2024-02-09 15:06:46" }, "crowdsecurity/crowdsec-appsec-outofband": { "name": "crowdsecurity/crowdsec-appsec-outofband", "description": "IP has made more than 5 requests that triggered out-of-band appsec rules", "label": "Triggered multiple OutOfBand CrowdSec AppSec rules", "behaviors": [ "http:exploit" ], "mitre_attacks": [ "TA0001:T1190" ], "confidence": 1, "spoofable": 0, "cti": true, "service": "http", "created_at": "2025-02-13 12:00:35" }, "crowdsecurity/dovecot-spam": { "name": "crowdsecurity/dovecot-spam", "description": "detect errors on dovecot", "label": "Dovecot Bruteforce", "behaviors": [ "pop3/imap:bruteforce" ], "mitre_attacks": [ "TA0006:T1110" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "dovecot", "created_at": "2024-02-09 15:06:46" }, "crowdsecurity/endlessh-bf": { "name": "crowdsecurity/endlessh-bf", "description": "Detect SSH bruteforce caught by Endlessh", "label": "Endlessh Bruteforce", "behaviors": [ "ssh:bruteforce" ], "mitre_attacks": [ "TA0006:T1110" ], "confidence": 3, "spoofable": 0, 
"cti": true, "service": "endlessh", "created_at": "2024-02-09 15:06:46" }, "crowdsecurity/exchange-bf": { "name": "crowdsecurity/exchange-bf", "description": "Detect Exchange bruteforce (SMTP,IMAP,POP3)", "label": "Microsoft Exchange Bruteforce", "behaviors": [ "pop3/imap:bruteforce" ], "mitre_attacks": [ "TA0006:T1110" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "exchange", "created_at": "2024-02-09 15:06:46" }, "crowdsecurity/exim-bf": { "name": "crowdsecurity/exim-bf", "description": "Detect Exim brute force", "label": "Exim Bruteforce", "behaviors": [ "pop3/imap:bruteforce" ], "mitre_attacks": [ "TA0006:T1110" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "smtp", "created_at": "2024-02-09 15:06:46" }, "crowdsecurity/exim-user-bf": { "name": "crowdsecurity/exim-user-bf", "description": "Detect Exim user email brute force", "label": "Exim Bruteforce", "behaviors": [ "pop3/imap:bruteforce" ], "mitre_attacks": [ "TA0006:T1110" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "smtp", "created_at": "2024-02-09 15:06:46" }, "crowdsecurity/f5-big-ip-cve-2020-5902": { "name": "crowdsecurity/f5-big-ip-cve-2020-5902", "description": "Detect cve-2020-5902 exploitation attempts", "label": "CVE-2020-5902", "behaviors": [ "http:exploit" ], "mitre_attacks": [ "TA0001:T1190", "TA0043:T1595" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "f5", "created_at": "2023-10-06 15:17:26", "cves": [ "CVE-2020-5902" ] }, "crowdsecurity/fortinet-cve-2018-13379": { "name": "crowdsecurity/fortinet-cve-2018-13379", "description": "Detect cve-2018-13379 exploitation attempts", "label": "CVE-2018-13379", "behaviors": [ "http:exploit" ], "mitre_attacks": [ "TA0001:T1190", "TA0043:T1595" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "fortinet", "created_at": "2023-10-06 15:17:26", "cves": [ "CVE-2018-13379" ] }, "crowdsecurity/fortinet-vpn-bruteforce": { "name": "crowdsecurity/fortinet-vpn-bruteforce", "description": "Detect 
fortinet VPN bruteforce", "label": "Fortinet VPN Bruteforce", "behaviors": [ "http:bruteforce" ], "mitre_attacks": [ "TA0006:T1110" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "fortinet", "created_at": "2024-10-23 16:07:50" }, "crowdsecurity/freeswitch-acl-reject": { "name": "crowdsecurity/freeswitch-acl-reject", "description": "Detect freeswitch acl rejects", "label": "CVE-2018-13379", "behaviors": [ "http:exploit" ], "mitre_attacks": [ "TA0001:T1190" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "freeswitch", "created_at": "2023-10-06 15:17:26" }, "crowdsecurity/freeswitch-bf": { "name": "crowdsecurity/freeswitch-bf", "description": "Detect freeswitch auth bruteforce", "label": "Freeswitch Bruteforce", "behaviors": [ "generic:bruteforce" ], "mitre_attacks": [ "TA0006:T1110" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "freeswitch", "created_at": "2024-02-09 15:06:46" }, "crowdsecurity/freeswitch-slow-bf": { "name": "crowdsecurity/freeswitch-slow-bf", "description": "Detect freeswitch auth bruteforce", "label": "Freeswitch Bruteforce", "behaviors": [ "generic:bruteforce" ], "mitre_attacks": [ "TA0006:T1110" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "freeswitch", "created_at": "2024-02-09 15:06:46" }, "crowdsecurity/freeswitch-user-enumeration": { "name": "crowdsecurity/freeswitch-user-enumeration", "description": "Detect freeswitch user enumeration", "label": "Freeswitch User Enumeration", "behaviors": [ "generic:bruteforce" ], "mitre_attacks": [ "TA0043:T1589" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "freeswitch", "created_at": "2024-02-09 15:06:46" }, "crowdsecurity/grafana-cve-2021-43798": { "name": "crowdsecurity/grafana-cve-2021-43798", "description": "Detect cve-2021-43798 exploitation attempts", "label": "CVE-2021-43798", "behaviors": [ "http:exploit" ], "mitre_attacks": [ "TA0001:T1190", "TA0043:T1595" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "grafana", 
"created_at": "2023-10-06 15:17:26", "cves": [ "CVE-2021-43798" ] }, "crowdsecurity/home-assistant-bf": { "name": "crowdsecurity/home-assistant-bf", "description": "Detect Home Assistant bruteforce", "label": "Home Assistant Bruteforce", "behaviors": [ "iot:bruteforce" ], "mitre_attacks": [ "TA0006:T1110" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "home-assistant", "created_at": "2024-02-09 15:06:46" }, "crowdsecurity/http-admin-interface-probing": { "name": "crowdsecurity/http-admin-interface-probing", "description": "Detect generic HTTP admin interface probing", "label": "HTTP Admin Interface Probing", "behaviors": [ "http:scan" ], "mitre_attacks": [ "TA0043:T1595" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "http", "created_at": "2024-03-18 10:53:46" }, "crowdsecurity/http-apiscp-bf": { "name": "crowdsecurity/http-apiscp-bf", "description": "detect apisCP dashboard bruteforce", "label": "apisCP bruteforce", "behaviors": [ "http:bruteforce" ], "mitre_attacks": [ "TA0006:T1110" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "apisCP", "created_at": "2023-10-06 15:17:26" }, "crowdsecurity/http-backdoors-attempts": { "name": "crowdsecurity/http-backdoors-attempts", "description": "Detect attempts to access common backdoors", "label": "Scanning for backdoors", "behaviors": [ "http:exploit" ], "mitre_attacks": [ "TA0043:T1595" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "http", "created_at": "2024-03-18 10:53:46" }, "crowdsecurity/http-bad-user-agent": { "name": "crowdsecurity/http-bad-user-agent", "description": "Detect usage of bad User Agent", "label": "Bad User Agent", "behaviors": [ "http:scan" ], "mitre_attacks": [ "TA0043:T1595" ], "confidence": 1, "spoofable": 0, "cti": true, "service": "http", "created_at": "2024-03-18 10:53:46" }, "crowdsecurity/http-bf-wordpress_bf": { "name": "crowdsecurity/http-bf-wordpress_bf", "description": "Detect WordPress bruteforce on admin interface", "label": "WordPress 
Bruteforce", "behaviors": [ "http:bruteforce" ], "mitre_attacks": [ "TA0006:T1110" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "wordpress", "created_at": "2024-02-09 15:06:46" }, "crowdsecurity/http-bf-wordpress_bf_xmlrpc": { "name": "crowdsecurity/http-bf-wordpress_bf_xmlrpc", "description": "Detect WordPress bruteforce on XML-RPC endpoint", "label": "WP XMLRPC bruteforce", "behaviors": [ "http:bruteforce" ], "mitre_attacks": [ "TA0006:T1110" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "wordpress", "created_at": "2024-11-13 16:49:31" }, "crowdsecurity/http-crawl-non_statics": { "name": "crowdsecurity/http-crawl-non_statics", "description": "Detect aggressive crawl on non static resources", "label": "Aggressive Crawl", "behaviors": [ "http:crawl" ], "mitre_attacks": [ "TA0043:T1595" ], "confidence": 1, "spoofable": 0, "cti": true, "service": "http", "created_at": "2024-02-09 15:06:46" }, "crowdsecurity/http-cve-2021-41773": { "name": "crowdsecurity/http-cve-2021-41773", "description": "Apache - Path Traversal (CVE-2021-41773)", "label": "CVE-2021-41773", "behaviors": [ "http:exploit" ], "mitre_attacks": [ "TA0001:T1190", "TA0043:T1595" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "apache", "created_at": "2024-12-03 16:08:15", "cves": [ "CVE-2021-41773" ] }, "crowdsecurity/http-cve-2021-42013": { "name": "crowdsecurity/http-cve-2021-42013", "description": "Apache - Path Traversal (CVE-2021-42013)", "label": "CVE-2021-42013", "behaviors": [ "http:exploit" ], "mitre_attacks": [ "TA0001:T1190", "TA0043:T1595" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "apache", "created_at": "2024-12-03 16:08:15", "cves": [ "CVE-2021-42013" ] }, "crowdsecurity/http-cve-probing": { "name": "crowdsecurity/http-cve-probing", "description": "Detect generic HTTP cve probing", "label": "HTTP CVE Probing", "behaviors": [ "http:scan" ], "mitre_attacks": [ "TA0043:T1595" ], "confidence": 3, "spoofable": 0, "cti": true, "service": 
"http", "created_at": "2025-03-05 09:21:45" }, "crowdsecurity/http-dos-bypass-cache": { "name": "crowdsecurity/http-dos-bypass-cache", "description": "Detect DoS tools bypassing cache every request", "label": "HTTP DOS with cache bypass", "behaviors": [ "http:dos" ], "mitre_attacks": [ "TA0040:T1498" ], "confidence": 2, "spoofable": 0, "cti": true, "service": "http", "created_at": "2024-02-09 15:06:46" }, "crowdsecurity/http-dos-invalid-http-versions": { "name": "crowdsecurity/http-dos-invalid-http-versions", "description": "Detect DoS tools using invalid HTTP versions", "label": "HTTP DOS with invalid HTTP version", "behaviors": [ "http:dos" ], "mitre_attacks": [ "TA0040:T1498" ], "confidence": 2, "spoofable": 0, "cti": true, "service": "http", "created_at": "2024-02-09 15:06:46" }, "crowdsecurity/http-dos-random-uri": { "name": "crowdsecurity/http-dos-random-uri", "description": "Detect DoS tools using random uri", "label": "HTTP DOS via random URI", "behaviors": [ "http:dos" ], "mitre_attacks": [ "TA0040:T1498" ], "confidence": 2, "spoofable": 0, "cti": true, "service": "http", "created_at": "2024-02-09 15:06:46" }, "crowdsecurity/http-dos-swithcing-ua": { "name": "crowdsecurity/http-dos-swithcing-ua", "description": "Detect DoS tools switching user-agent too fast", "label": "HTTP DOS with varying UA", "behaviors": [ "http:dos" ], "mitre_attacks": [ "TA0040:T1498" ], "confidence": 2, "spoofable": 0, "cti": true, "service": "http", "created_at": "2024-02-09 15:06:46" }, "crowdsecurity/http-generic-bf": { "name": "crowdsecurity/http-generic-bf", "description": "Detect generic http brute force", "label": "HTTP Bruteforce", "behaviors": [ "http:bruteforce" ], "mitre_attacks": [ "TA0006:T1110" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "http", "created_at": "2025-01-22 18:56:16" }, "LePresidente/http-generic-401-bf": { "name": "LePresidente/http-generic-401-bf", "description": "Detect generic 401 Authorization error brute force", "label": "HTTP 
Bruteforce", "behaviors": [ "http:bruteforce" ], "mitre_attacks": [ "TA0006:T1110" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "http", "created_at": "2025-01-22 18:56:16" }, "LePresidente/http-generic-403-bf": { "name": "LePresidente/http-generic-403-bf", "description": "Detect generic 403 Forbidden (Authorization) error brute force", "label": "HTTP Bruteforce", "behaviors": [ "http:bruteforce" ], "mitre_attacks": [ "TA0006:T1110" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "http", "created_at": "2025-01-22 18:56:16" }, "crowdsecurity/http-magento-bf": { "name": "crowdsecurity/http-magento-bf", "description": "Detect bruteforce on Magento admin interface", "label": "Magento Bruteforce", "behaviors": [ "http:bruteforce" ], "mitre_attacks": [ "TA0006:T1110" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "magento", "created_at": "2024-02-09 15:06:46" }, "crowdsecurity/http-magento-ccs-by-as": { "name": "crowdsecurity/http-magento-ccs-by-as", "description": "Detect distributed credit card stuffing from same AS", "label": "Magento Credit Card Stuffing By AS", "behaviors": [ "ecommerce:fraud" ], "mitre_attacks": [ "TA0006:T1110" ], "confidence": 1, "spoofable": 3, "cti": true, "service": "magento", "created_at": "2023-10-06 15:17:26" }, "crowdsecurity/http-magento-ccs-by-country": { "name": "crowdsecurity/http-magento-ccs-by-country", "description": "Detect distributed credit card stuffing from same country", "label": "Magento Credit Card Stuffing By Country", "behaviors": [ "ecommerce:fraud" ], "mitre_attacks": [ "TA0006:T1110" ], "confidence": 1, "spoofable": 3, "cti": true, "service": "magento", "created_at": "2023-10-06 15:17:26" }, "crowdsecurity/http-magento-ccs": { "name": "crowdsecurity/http-magento-ccs", "description": "Detect credit card stuffing from a single IP", "label": "Magento Credit Card Stuffing", "behaviors": [ "ecommerce:fraud" ], "mitre_attacks": [ "TA0006:T1110" ], "confidence": 2, "spoofable": 0, "cti": 
true, "service": "magento", "created_at": "2023-10-06 15:17:26" }, "crowdsecurity/http-open-proxy": { "name": "crowdsecurity/http-open-proxy", "description": "Detect scan for open proxy", "label": "HTTP Open Proxy Probing", "behaviors": [ "http:scan" ], "mitre_attacks": [ "TA0043:T1595" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "http", "created_at": "2024-02-01 12:40:11" }, "crowdsecurity/http-path-traversal-probing": { "name": "crowdsecurity/http-path-traversal-probing", "description": "Detect path traversal attempt", "label": "HTTP Path Traversal Exploit", "behaviors": [ "http:exploit" ], "mitre_attacks": [ "TA0043:T1595" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "http", "created_at": "2024-03-18 10:53:46" }, "crowdsecurity/http-probing": { "name": "crowdsecurity/http-probing", "description": "Detect site scanning/probing from a single ip", "label": "HTTP Probing", "behaviors": [ "http:scan" ], "mitre_attacks": [ "TA0043:T1595" ], "confidence": 1, "spoofable": 0, "cti": true, "service": "http", "created_at": "2024-04-22 09:58:44" }, "crowdsecurity/http-sensitive-files": { "name": "crowdsecurity/http-sensitive-files", "description": "Detect attempts to access sensitive files (.log, .db ..) 
or folders (.git)", "label": "Access to sensitive files over HTTP", "behaviors": [ "http:scan" ], "mitre_attacks": [ "TA0043:T1595" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "http", "created_at": "2024-03-18 10:53:46" }, "crowdsecurity/http-sqli-probbing-detection": { "name": "crowdsecurity/http-sqli-probbing-detection", "description": "A scenario that detects SQL injection probing with minimal false positives", "label": "SQL Injection Attempt", "behaviors": [ "http:exploit" ], "mitre_attacks": [ "TA0043:T1595" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "http", "created_at": "2024-03-18 10:53:46" }, "crowdsecurity/http-wordpress-scan": { "name": "crowdsecurity/http-wordpress-scan", "description": "Detect WordPress scan: vuln hunting", "label": "WordPress Vuln Hunting", "behaviors": [ "http:scan" ], "mitre_attacks": [ "TA0043:T1595" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "wordpress", "created_at": "2024-04-24 12:40:07" }, "crowdsecurity/http-wordpress_user-enum": { "name": "crowdsecurity/http-wordpress_user-enum", "description": "Detect WordPress probing: authors enumeration", "label": "WordPress User Enumeration", "behaviors": [ "http:scan" ], "mitre_attacks": [ "TA0043:T1589", "TA0006:T1110", "TA0043:T1595" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "wordpress", "created_at": "2024-02-09 15:06:46" }, "crowdsecurity/http-wordpress_wpconfig": { "name": "crowdsecurity/http-wordpress_wpconfig", "description": "Detect WordPress probing: variations around wp-config.php by wpscan", "label": "Access to WordPress wp-config.php", "behaviors": [ "http:scan" ], "mitre_attacks": [ "TA0043:T1595" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "wordpress", "created_at": "2024-02-09 15:06:46" }, "crowdsecurity/http-xss-probbing": { "name": "crowdsecurity/http-xss-probbing", "description": "A scenario that detects XSS probing with minimal false positives", "label": "XSS Attempt", "behaviors": [ 
"http:exploit" ], "mitre_attacks": [ "TA0043:T1595" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "http", "created_at": "2024-03-18 10:53:46" }, "crowdsecurity/impossible-travel-user": { "name": "crowdsecurity/impossible-travel-user", "description": "impossible travel user", "label": "Impossible travel", "behaviors": [], "mitre_attacks": [ "TA0003:T1078" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "authentication", "created_at": "2023-12-12 09:27:38" }, "crowdsecurity/impossible-travel": { "name": "crowdsecurity/impossible-travel", "description": "Detect Impossible Travel", "label": "Impossible travel", "behaviors": [], "mitre_attacks": [ "TA0003:T1078" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "authentication", "created_at": "2024-11-13 16:49:31" }, "crowdsecurity/iptables-scan-multi_ports": { "name": "crowdsecurity/iptables-scan-multi_ports", "description": "Detect aggressive portscans", "label": "TCP Port Scan", "behaviors": [ "tcp:scan" ], "mitre_attacks": [ "TA0043:T1595", "TA0007:T1018", "TA0007:T1046" ], "confidence": 1, "spoofable": 3, "cti": true, "service": null, "created_at": "2024-11-13 16:49:31" }, "crowdsecurity/jira_cve-2021-26086": { "name": "crowdsecurity/jira_cve-2021-26086", "description": "Detect Atlassian Jira CVE-2021-26086 exploitation attempts", "label": "Jira CVE-2021-26086 exploitation", "behaviors": [ "http:exploit" ], "mitre_attacks": [ "TA0043:T1595", "TA0001:T1190" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "jira", "created_at": "2024-03-18 10:53:46", "cves": [ "CVE-2021-26086" ] }, "crowdsecurity/k8s-audit-anonymous-access": { "name": "crowdsecurity/k8s-audit-anonymous-access", "description": "Detect allowed anonymous access to the K8S API", "label": "Kubernetes API anonymous access", "behaviors": [ "k8s:scan" ], "mitre_attacks": [ "TA0043:T1595" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "k8s", "created_at": "2023-10-06 15:17:26" }, 
"crowdsecurity/k8s-audit-api-server-bruteforce": { "name": "crowdsecurity/k8s-audit-api-server-bruteforce", "description": "Detect bruteforce attempts against K8S API server", "label": "Kubernetes API Bruteforce", "behaviors": [ "k8s:bruteforce" ], "mitre_attacks": [ "TA0006:T1110" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "k8s", "created_at": "2023-10-06 15:17:26" }, "crowdsecurity/k8s-audit-pod-exec": { "name": "crowdsecurity/k8s-audit-pod-exec", "description": "Detect execution (via kubectl exec) in pods", "label": "Kubernetes Exec Into Pod", "behaviors": [ "k8s:audit" ], "mitre_attacks": [ "TA0002:T1609" ], "confidence": 3, "spoofable": 0, "cti": false, "service": "k8s", "created_at": "2023-10-06 15:17:26" }, "crowdsecurity/k8s-audit-pod-host-network": { "name": "crowdsecurity/k8s-audit-pod-host-network", "description": "Detect pods started with host networking", "label": "Kubernetes Pod Start With Host Networking", "behaviors": [ "k8s:audit" ], "mitre_attacks": [ "TA0002:T1610" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "k8s", "created_at": "2023-10-06 15:17:26" }, "crowdsecurity/k8s-audit-pod-host-path-volume": { "name": "crowdsecurity/k8s-audit-pod-host-path-volume", "description": "Detect pods mounting a sensitive host folder", "label": "Kubernetes Pod Start With Host Path", "behaviors": [ "k8s:audit" ], "mitre_attacks": [ "TA0002:T1610" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "k8s", "created_at": "2023-10-06 15:17:26" }, "crowdsecurity/k8s-audit-privileged-pod-creation": { "name": "crowdsecurity/k8s-audit-privileged-pod-creation", "description": "Detect privileged pod creation", "label": "Kubernetes Privileged Pod Creation", "behaviors": [ "k8s:audit" ], "mitre_attacks": [ "TA0002:T1610" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "k8s", "created_at": "2023-10-06 15:17:26" }, "crowdsecurity/k8s-audit-service-account-access-denied": { "name": 
"crowdsecurity/k8s-audit-service-account-access-denied", "description": "Detect unauthorized requests from service accounts", "label": "Kubernetes Service Account Denied Request", "behaviors": [ "k8s:scan" ], "mitre_attacks": [ "TA0003:T1078", "TA0007:T1069" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "k8s", "created_at": "2023-10-06 15:17:26" }, "crowdsecurity/kasm-bruteforce": { "name": "crowdsecurity/kasm-bruteforce", "description": "Detect kasm login bruteforce", "label": "KASM Bruteforce", "behaviors": [ "generic:bruteforce" ], "mitre_attacks": [ "TA0006:T1110" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "kasm", "created_at": "2023-10-06 15:17:26" }, "crowdsecurity/litespeed-admin-bf": { "name": "crowdsecurity/litespeed-admin-bf", "description": "Detect bruteforce against litespeed admin UI", "label": "LiteSpeed Admin Bruteforce", "behaviors": [ "http:bruteforce" ], "mitre_attacks": [ "TA0006:T1110" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "litespeed", "created_at": "2023-10-06 15:17:26" }, "crowdsecurity/mariadb-bf": { "name": "crowdsecurity/mariadb-bf", "description": "Detect mariadb bruteforce", "label": "MariaDB Bruteforce", "behaviors": [ "database:bruteforce" ], "mitre_attacks": [ "TA0006:T1110" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "mariadb", "created_at": "2023-10-06 15:17:26" }, "crowdsecurity/modsecurity": { "name": "crowdsecurity/modsecurity", "description": "Web exploitation via modsecurity", "label": "Modsecurity Alert", "behaviors": [ "http:exploit" ], "mitre_attacks": [ "TA0043:T1595", "TA0001:T1190" ], "confidence": 2, "spoofable": 0, "cti": true, "service": "http", "created_at": "2024-02-01 12:40:11" }, "crowdsecurity/mssql-bf": { "name": "crowdsecurity/mssql-bf", "description": "Detect mssql bruteforce", "label": "MSSQL Bruteforce", "behaviors": [ "database:bruteforce" ], "mitre_attacks": [ "TA0006:T1110" ], "confidence": 3, "spoofable": 0, "cti": true, "service": 
"mssql", "created_at": "2023-10-06 15:17:26" }, "crowdsecurity/mysql-bf": { "name": "crowdsecurity/mysql-bf", "description": "Detect mysql bruteforce", "label": "MySQL Bruteforce", "behaviors": [ "database:bruteforce" ], "mitre_attacks": [ "TA0006:T1110" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "mysql", "created_at": "2023-10-06 15:17:26" }, "crowdsecurity/naxsi-exploit-vpatch": { "name": "crowdsecurity/naxsi-exploit-vpatch", "description": "Detect custom blacklist triggered in naxsi", "label": "Custom Blacklist Triggered IN Naxsi", "behaviors": [ "http:exploit" ], "mitre_attacks": [ "TA0043:T1595", "TA0001:T1190" ], "confidence": 2, "spoofable": 0, "cti": true, "service": "http", "created_at": "2023-10-06 15:17:26" }, "crowdsecurity/netgear_rce": { "name": "crowdsecurity/netgear_rce", "description": "Detect Netgear RCE DGN1000/DGN220 exploitation attempts", "label": "Netgear RCE", "behaviors": [ "http:exploit" ], "mitre_attacks": [ "TA0043:T1595", "TA0001:T1190" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "netgear", "created_at": "2025-01-17 15:28:11", "cves": [ "CVE-2024-12847" ] }, "crowdsecurity/nextcloud-bf": { "name": "crowdsecurity/nextcloud-bf", "description": "Detect Nextcloud bruteforce", "label": "NextCloud Bruteforce", "behaviors": [ "http:bruteforce" ], "mitre_attacks": [ "TA0006:T1110" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "nextcloud", "created_at": "2023-10-06 15:17:26" }, "crowdsecurity/nextcloud-bf_user_enum": { "name": "crowdsecurity/nextcloud-bf_user_enum", "description": "Detect Nextcloud user enum bruteforce", "label": "NextCloud Bruteforce", "behaviors": [ "http:bruteforce" ], "mitre_attacks": [ "TA0006:T1110" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "nextcloud", "created_at": "2023-10-06 15:17:26" }, "crowdsecurity/nextcloud-bf_domain_error": { "name": "crowdsecurity/nextcloud-bf_domain_error", "description": "Detect Nextcloud domain error", "label": "NextCloud 
Bruteforce", "behaviors": [ "http:bruteforce" ], "mitre_attacks": [ "TA0006:T1110" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "nextcloud", "created_at": "2023-10-06 15:17:26" }, "crowdsecurity/nginx-req-limit-exceeded": { "name": "crowdsecurity/nginx-req-limit-exceeded", "description": "Detects IPs which violate nginx's user set request limit.", "label": "Nginx request limit exceeded", "behaviors": [ "http:dos" ], "mitre_attacks": [ "TA0040:T1498" ], "confidence": 2, "spoofable": 2, "cti": true, "service": "http", "created_at": "2023-10-10 16:55:33" }, "crowdsecurity/odoo-bf": { "name": "crowdsecurity/odoo-bf", "description": "Detect bruteforce on odoo web interface", "label": "Odoo Bruteforce", "behaviors": [ "http:bruteforce" ], "mitre_attacks": [ "TA0006:T1110" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "odoo", "created_at": "2023-10-06 15:17:26" }, "crowdsecurity/odoo_user-enum": { "name": "crowdsecurity/odoo_user-enum", "description": "Detect odoo user enum", "label": "Odoo Bruteforce", "behaviors": [ "http:bruteforce" ], "mitre_attacks": [ "TA0006:T1110" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "odoo", "created_at": "2023-10-06 15:17:26" }, "crowdsecurity/opnsense-gui-bf": { "name": "crowdsecurity/opnsense-gui-bf", "description": "Detect bruteforce on opnsense web interface", "label": "OPNsense GUI Bruteforce", "behaviors": [ "http:bruteforce" ], "mitre_attacks": [ "TA0006:T1110" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "opnsense", "created_at": "2023-10-31 12:54:38" }, "crowdsecurity/pfsense-gui-bf": { "name": "crowdsecurity/pfsense-gui-bf", "description": "Detect bruteforce on pfsense web interface", "label": "pfSense GUI Bruteforce", "behaviors": [ "http:bruteforce" ], "mitre_attacks": [ "TA0006:T1110" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "pfsense", "created_at": "2023-10-31 12:54:38" }, "crowdsecurity/pgsql-bf": { "name": "crowdsecurity/pgsql-bf", "description": 
"Detect PgSQL bruteforce", "label": "Postgres Bruteforce", "behaviors": [ "database:bruteforce" ], "mitre_attacks": [ "TA0006:T1110" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "pgsql", "created_at": "2023-10-06 15:17:26" }, "crowdsecurity/pgsql-user-enum": { "name": "crowdsecurity/pgsql-user-enum", "description": "Detect postgresql user enumeration", "label": "Postgres Bruteforce", "behaviors": [ "database:bruteforce" ], "mitre_attacks": [ "TA0006:T1110", "TA0043:T1589" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "pgsql", "created_at": "2023-10-06 15:17:26" }, "crowdsecurity/postfix-helo-rejected": { "name": "crowdsecurity/postfix-helo-rejected", "description": "Detect HELO rejections", "label": "Postfix Helo Rejected", "behaviors": [ "smtp:spam" ], "mitre_attacks": [ "TA0043:T1595", "TA0043:T1592" ], "confidence": 2, "spoofable": 0, "cti": true, "service": "postfix", "created_at": "2024-09-02 10:43:16" }, "crowdsecurity/postfix-non-smtp-command": { "name": "crowdsecurity/postfix-non-smtp-command", "description": "Detect scanning of postfix service through non-SMTP commands", "label": "Postfix Non-SMTP Command", "behaviors": [ "generic:scan" ], "mitre_attacks": [], "confidence": 3, "spoofable": 0, "cti": true, "service": "postfix", "created_at": "2024-10-31 13:38:47" }, "crowdsecurity/postfix-relay-denied": { "name": "crowdsecurity/postfix-relay-denied", "description": "Detect multiple open relay attempts", "label": "Postfix Relay Denied", "behaviors": [ "smtp:spam" ], "mitre_attacks": [ "TA0043:T1595", "TA0001:T1190" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "postfix", "created_at": "2024-09-02 10:43:16" }, "crowdsecurity/proftpd-bf": { "name": "crowdsecurity/proftpd-bf", "description": "Detect proftpd bruteforce", "label": "Proftpd Bruteforce", "behaviors": [ "ftp:bruteforce" ], "mitre_attacks": [ "TA0006:T1110" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "proftpd", "created_at": "2023-10-06 
15:17:26" }, "crowdsecurity/proftpd-bf_user-enum": { "name": "crowdsecurity/proftpd-bf_user-enum", "description": "Detect proftpd user enum bruteforce", "label": "Proftpd Bruteforce", "behaviors": [ "ftp:bruteforce" ], "mitre_attacks": [ "TA0006:T1110", "TA0001:T1190" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "proftpd", "created_at": "2023-10-06 15:17:26" }, "crowdsecurity/pulse-secure-sslvpn-cve-2019-11510": { "name": "crowdsecurity/pulse-secure-sslvpn-cve-2019-11510", "description": "Detect CVE-2019-11510 exploitation attempts", "label": "Pulse Secure CVE-2019-11510", "behaviors": [ "http:exploit" ], "mitre_attacks": [ "TA0001:T1190" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "pulse-secure", "created_at": "2023-10-06 15:17:26", "cves": [ "CVE-2019-11510" ] }, "crowdsecurity/sabnzbd-bf": { "name": "crowdsecurity/sabnzbd-bf", "description": "Detect sabnzbd bruteforce", "label": "Sabnzbd Bruteforce", "behaviors": [ "generic:bruteforce" ], "mitre_attacks": [ "TA0006:T1110" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "sabnzbd", "created_at": "2024-07-22 12:40:20" }, "crowdsecurity/sabnzbd-slow-bf": { "name": "crowdsecurity/sabnzbd-slow-bf", "description": "Detect sabnzbd slow bruteforce", "label": "Sabnzbd Bruteforce", "behaviors": [ "generic:bruteforce" ], "mitre_attacks": [ "TA0006:T1110" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "sabnzbd", "created_at": "2024-07-22 12:40:20" }, "crowdsecurity/smb-bf": { "name": "crowdsecurity/smb-bf", "description": "Detect smb bruteforce", "label": "SMB Bruteforce", "behaviors": [ "smb:bruteforce" ], "mitre_attacks": [ "TA0006:T1110" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "smb", "created_at": "2023-10-06 15:17:26" }, "crowdsecurity/spring4shell_cve-2022-22965": { "name": "crowdsecurity/spring4shell_cve-2022-22965", "description": "Detect CVE-2022-22965 probing", "label": "Spring4shell CVE-2022-22965", "behaviors": [ "http:exploit" ], 
"mitre_attacks": [ "TA0001:T1190" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "spring", "created_at": "2023-10-06 15:17:26", "cves": [ "CVE-2022-22965" ] }, "crowdsecurity/ssh-bf": { "name": "crowdsecurity/ssh-bf", "description": "Detect ssh bruteforce", "label": "SSH Bruteforce", "behaviors": [ "ssh:bruteforce" ], "mitre_attacks": [ "TA0006:T1110" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "ssh", "created_at": "2023-10-30 17:02:26" }, "crowdsecurity/ssh-bf_user-enum": { "name": "crowdsecurity/ssh-bf_user-enum", "description": "Detect ssh user enum bruteforce", "label": "SSH User Enumeration", "behaviors": [ "ssh:bruteforce" ], "mitre_attacks": [ "TA0043:T1589" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "ssh", "created_at": "2023-10-30 17:02:26" }, "crowdsecurity/ssh-cve-2024-6387": { "name": "crowdsecurity/ssh-cve-2024-6387", "description": "Detect exploitation attempt of CVE-2024-6387", "label": "SSH CVE-2024-6387", "behaviors": [ "ssh:exploit" ], "mitre_attacks": [ "TA0001:T1190" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "ssh", "created_at": "2024-07-05 13:47:08", "cves": [ "CVE-2024-6387" ] }, "crowdsecurity/ssh-slow-bf": { "name": "crowdsecurity/ssh-slow-bf", "description": "Detect slow ssh bruteforce", "label": "SSH Slow Bruteforce", "behaviors": [ "ssh:bruteforce" ], "mitre_attacks": [ "TA0006:T1110" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "ssh", "created_at": "2023-10-30 17:02:26" }, "crowdsecurity/ssh-slow-bf_user-enum": { "name": "crowdsecurity/ssh-slow-bf_user-enum", "description": "Detect slow ssh user enum bruteforce", "label": "SSH Slow User Enumeration", "behaviors": [ "ssh:bruteforce" ], "mitre_attacks": [ "TA0006:T1110" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "ssh", "created_at": "2023-10-30 17:02:26" }, "crowdsecurity/stirling-pdf-bf": { "name": "crowdsecurity/stirling-pdf-bf", "description": "Detect stirling pdf bruteforce", "label": 
"Stirling PDF Bruteforce", "behaviors": [ "generic:bruteforce" ], "mitre_attacks": [ "TA0006:T1110" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "stirling-pdf", "created_at": "2024-10-23 14:40:37" }, "crowdsecurity/suricata-major-severity": { "name": "crowdsecurity/suricata-major-severity", "description": "Detect exploit attempts via emerging threat rules", "label": "Suricata Severity 1 Event", "behaviors": [ "generic:exploit" ], "mitre_attacks": [ "TA0001:T1190", "TA0043:T1595" ], "confidence": 1, "spoofable": 3, "cti": true, "service": "suricata", "created_at": "2024-12-30 15:38:35" }, "crowdsecurity/suricata-high-medium-severity": { "name": "crowdsecurity/suricata-high-medium-severity", "description": "Detect exploit attempts via emerging threat rules", "label": "Suricata Severity 2 Event", "behaviors": [ "generic:exploit" ], "mitre_attacks": [ "TA0001:T1190", "TA0043:T1595" ], "confidence": 1, "spoofable": 3, "cti": true, "service": "suricata", "created_at": "2024-12-30 15:38:35" }, "crowdsecurity/synology-dsm-bf": { "name": "crowdsecurity/synology-dsm-bf", "description": "Detect Synology DSM web auth bruteforce", "label": "Synology DSM Bruteforce", "behaviors": [ "http:bruteforce" ], "mitre_attacks": [ "TA0006:T1110" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "synology_dsm", "created_at": "2023-10-06 15:17:26" }, "crowdsecurity/teamspeak3-bf": { "name": "crowdsecurity/teamspeak3-bf", "description": "detect teamspeak3 server bruteforce", "label": "TeamSpeak3 Bruteforce", "behaviors": [ "generic:bruteforce" ], "mitre_attacks": [ "TA0006:T1110" ], "confidence": 2, "spoofable": 0, "cti": true, "service": "teamspeak3", "created_at": "2023-10-06 15:17:26" }, "crowdsecurity/teleport-bf": { "name": "crowdsecurity/teleport-bf", "description": "detect teleport bruteforce", "label": "Teleport Bruteforce", "behaviors": [], "mitre_attacks": [ "TA0006:T1110" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "teleport", "created_at": 
"2024-01-29 13:40:10" }, "crowdsecurity/teleport-slow-bf": { "name": "crowdsecurity/teleport-slow-bf", "description": "detect slow teleport bruteforce", "label": "Teleport Bruteforce", "behaviors": [], "mitre_attacks": [ "TA0006:T1110" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "teleport", "created_at": "2024-01-29 13:40:10" }, "crowdsecurity/telnet-bf": { "name": "crowdsecurity/telnet-bf", "description": "detect telnet bruteforce", "label": "Telnet Bruteforce", "behaviors": [ "telnet:bruteforce" ], "mitre_attacks": [ "TA0006:T1110" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "telnet", "created_at": "2023-10-06 15:17:26" }, "crowdsecurity/thehive-bf": { "name": "crowdsecurity/thehive-bf", "description": "Detect bruteforce on Thehive web interface", "label": "The Hive Bruteforce", "behaviors": [ "http:bruteforce" ], "mitre_attacks": [ "TA0006:T1110" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "http", "created_at": "2023-10-06 15:17:26" }, "crowdsecurity/thinkphp-cve-2018-20062": { "name": "crowdsecurity/thinkphp-cve-2018-20062", "description": "Detect ThinkPHP CVE-2018-20062 exploitation attempts", "label": "ThinkPHP CVE-2018-20062", "behaviors": [ "http:exploit" ], "mitre_attacks": [ "TA0001:T1190", "TA0043:T1595" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "thinkphp", "created_at": "2024-03-18 10:53:46", "cves": [ "CVE-2018-20062" ] }, "crowdsecurity/vmware-cve-2022-22954": { "name": "crowdsecurity/vmware-cve-2022-22954", "description": "Detect Vmware CVE-2022-22954 exploitation attempts", "label": "VMWARE CVE-2022-22954", "behaviors": [ "vm-management:exploit" ], "mitre_attacks": [ "TA0001:T1190", "TA0043:T1595" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "vmware", "created_at": "2023-10-06 15:17:26", "cves": [ "CVE-2022-22954" ] }, "crowdsecurity/vmware-vcenter-vmsa-2021-0027": { "name": "crowdsecurity/vmware-vcenter-vmsa-2021-0027", "description": "Detect VMSA-2021-0027 exploitation 
attempts", "label": "VMWARE VCenter VMSA CVE-2021-0027", "behaviors": [ "vm-management:exploit" ], "mitre_attacks": [ "TA0001:T1190", "TA0043:T1595" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "vmware", "created_at": "2023-10-06 15:17:26", "cves": [ "CVE-2021-0027" ] }, "crowdsecurity/vsftpd-bf": { "name": "crowdsecurity/vsftpd-bf", "description": "Detect FTP bruteforce (vsftpd)", "label": "VSFTPD Bruteforce", "behaviors": [ "ftp:bruteforce" ], "mitre_attacks": [ "TA0006:T1110" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "vsftpd", "created_at": "2023-10-06 15:17:26" }, "crowdsecurity/CVE-2022-30190-msdt": { "name": "crowdsecurity/CVE-2022-30190-msdt", "description": "Detect CVE-2022-30190 from sysmon events", "label": "CVE-2022-30190", "behaviors": [ "windows:rce" ], "mitre_attacks": [ "TA0002:T1059", "TA0002:T1203" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2023-10-06 15:17:26", "cves": [ "CVE-2022-30190" ] }, "crowdsecurity/windows-bf": { "name": "crowdsecurity/windows-bf", "description": "Detect windows auth bruteforce", "label": "Windows Bruteforce", "behaviors": [ "windows:bruteforce" ], "mitre_attacks": [ "TA0006:T1110" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2023-10-06 15:17:26" }, "crowdsecurity/wireguard-auth": { "name": "crowdsecurity/wireguard-auth", "description": "Detects rejected connection attempts and unauthorized packets through wireguard tunnels", "label": "Wireguard Bruteforce", "behaviors": [ "generic:bruteforce" ], "mitre_attacks": [ "TA0006:T1110" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "wireguard", "created_at": "2023-10-06 15:17:26" }, "darkclip/charon-ipsec-bf": { "name": "darkclip/charon-ipsec-bf", "description": "Detect Charon IPsec slow bruteforce", "label": "Charon IPsec Slow Bruteforce", "behaviors": [ "generic:bruteforce" ], "mitre_attacks": [ "TA0006:T1110" ], "confidence": 3, "spoofable": 0, 
"cti": true, "service": "charon_ipsec", "created_at": "2024-02-26 22:13:43" }, "firewallservices/lemonldap-ng-bf": { "name": "firewallservices/lemonldap-ng-bf", "description": "Detect Lemonldap::NG bruteforce", "label": "LemonLDAP Bruteforce", "behaviors": [ "ldap:bruteforce" ], "mitre_attacks": [ "TA0006:T1110" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "ldap", "created_at": "2023-10-06 15:17:26" }, "firewallservices/lemonldap-ng-user-enum": { "name": "firewallservices/lemonldap-ng-user-enum", "description": "Detect Lemonldap::NG user enum bruteforce", "label": "LemonLDAP User Enum Bruteforce", "behaviors": [ "ldap:bruteforce" ], "mitre_attacks": [ "TA0006:T1110", "TA0043:T1595" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "ldap", "created_at": "2023-10-06 15:17:26" }, "firewallservices/pf-scan-multi_ports": { "name": "firewallservices/pf-scan-multi_ports", "description": "Detect aggressive portscans (pf)", "label": "PF Scan Multi Ports", "behaviors": [ "tcp:scan" ], "mitre_attacks": [ "TA0043:T1595", "TA0007:T1018", "TA0007:T1046" ], "confidence": 1, "spoofable": 3, "cti": true, "service": "tcp", "created_at": "2024-11-13 16:49:31" }, "firewallservices/zimbra-bf": { "name": "firewallservices/zimbra-bf", "description": "Detect Zimbra bruteforce", "label": "Zimbra Bruteforce", "behaviors": [ "pop3/imap:bruteforce" ], "mitre_attacks": [ "TA0006:T1110" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "zimbra", "created_at": "2023-10-06 15:17:26" }, "firewallservices/zimbra-user-enum": { "name": "firewallservices/zimbra-user-enum", "description": "Detect Zimbra user enum bruteforce", "label": "Zimbra Bruteforce", "behaviors": [ "pop3/imap:bruteforce" ], "mitre_attacks": [ "TA0043:T1589", "TA0006:T1110" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "zimbra", "created_at": "2023-10-06 15:17:26" }, "firix/authentik-bf": { "name": "firix/authentik-bf", "description": "Detect authentik bruteforce", "label": 
"Authentik Bruteforce", "behaviors": [ "http:bruteforce" ], "mitre_attacks": [ "TA0006:T1110" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "authentik", "created_at": "2023-10-20 01:05:42" }, "firix/authentik-bf_user-enum": { "name": "firix/authentik-bf_user-enum", "description": "Detect authentik user enum bruteforce", "label": "Authentik User Enumeration", "behaviors": [ "http:bruteforce" ], "mitre_attacks": [ "TA0043:T1589", "TA0006:T1110" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "authentik", "created_at": "2023-10-20 01:05:42" }, "fulljackz/proxmox-bf": { "name": "fulljackz/proxmox-bf", "description": "Detect proxmox bruteforce", "label": "PveDaemon Bruteforce", "behaviors": [ "vm-management:bruteforce" ], "mitre_attacks": [ "TA0006:T1110" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "vm-management", "created_at": "2023-10-06 15:17:26" }, "fulljackz/proxmox-bf-user-enum": { "name": "fulljackz/proxmox-bf-user-enum", "description": "Detect proxmox wrong username", "label": "PveDaemon User Enum Bruteforce", "behaviors": [ "vm-management:bruteforce" ], "mitre_attacks": [ "TA0043:T1589", "TA0006:T1110" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "vm-management", "created_at": "2023-10-06 15:17:26" }, "fulljackz/pureftpd-bf": { "name": "fulljackz/pureftpd-bf", "description": "Detect pureftpd bruteforce", "label": "PureFTPD Bruteforce", "behaviors": [ "ftp:bruteforce" ], "mitre_attacks": [ "TA0006:T1110" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "ftp", "created_at": "2023-10-06 15:17:26" }, "gauth-fr/immich-bf": { "name": "gauth-fr/immich-bf", "description": "Detect immich bruteforce", "label": "Immich Bruteforce", "behaviors": [ "http:bruteforce" ], "mitre_attacks": [ "TA0006:T1110" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "immich", "created_at": "2023-10-06 15:17:26" }, "gauth-fr/immich-bf_user-enum": { "name": "gauth-fr/immich-bf_user-enum", "description": "Detect 
immich user enum bruteforce", "label": "Immich Bruteforce", "behaviors": [ "http:bruteforce" ], "mitre_attacks": [ "TA0043:T1589" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "immich", "created_at": "2023-10-06 15:17:26" }, "hitech95/email-generic-bf": { "name": "hitech95/email-generic-bf", "description": "Detect generic email brute force", "label": "POP3/IMAP Bruteforce", "behaviors": [ "pop3/imap:bruteforce" ], "mitre_attacks": [ "TA0006:T1110" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "pop3/imap", "created_at": "2023-10-06 15:17:26" }, "hitech95/email-user-bf": { "name": "hitech95/email-user-bf", "description": "Detect specific user email brute force", "label": "Mail User Enum Bruteforce", "behaviors": [ "pop3/imap:bruteforce" ], "mitre_attacks": [ "TA0043:T1589", "TA0006:T1110" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "pop3/imap", "created_at": "2023-10-06 15:17:26" }, "inherent-io/keycloak-bf": { "name": "inherent-io/keycloak-bf", "description": "Detect keycloak bruteforce", "label": "Keycloak Bruteforce", "behaviors": [ "http:bruteforce" ], "mitre_attacks": [ "TA0006:T1110" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "keycloak", "created_at": "2024-05-10 13:58:25" }, "inherent-io/keycloak-user-enum-bf": { "name": "inherent-io/keycloak-user-enum-bf", "description": "Detect keycloak user enum bruteforce", "label": "Keycloak Bruteforce", "behaviors": [ "http:bruteforce" ], "mitre_attacks": [ "TA0043:T1589" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "keycloak", "created_at": "2024-05-10 13:58:25" }, "inherent-io/keycloak-slow-bf": { "name": "inherent-io/keycloak-slow-bf", "description": "Detect keycloak bruteforce", "label": "Keycloak Bruteforce", "behaviors": [ "http:bruteforce" ], "mitre_attacks": [ "TA0006:T1110" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "keycloak", "created_at": "2024-05-10 13:58:25" }, "inherent-io/keycloak-user-enum-slow-bf": { "name": 
"inherent-io/keycloak-user-enum-slow-bf", "description": "Detect keycloak user enum bruteforce", "label": "Keycloak Bruteforce", "behaviors": [ "http:bruteforce" ], "mitre_attacks": [ "TA0043:T1589" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "keycloak", "created_at": "2024-05-10 13:58:25" }, "jbowdre/miniflux-bf": { "name": "jbowdre/miniflux-bf", "description": "Detect miniflux bruteforce", "label": "Miniflux Bruteforce", "behaviors": [ "http:bruteforce" ], "mitre_attacks": [ "TA0006:T1110" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "miniflux", "created_at": "2024-01-16 04:54:20" }, "jbowdre/miniflux-bf_user-enum": { "name": "jbowdre/miniflux-bf_user-enum", "description": "Detect miniflux user enum bruteforce", "label": "Miniflux Bruteforce", "behaviors": [ "http:bruteforce" ], "mitre_attacks": [ "TA0043:T1589" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "miniflux", "created_at": "2024-01-16 04:54:20" }, "jusabatier/apereo-cas-bf": { "name": "jusabatier/apereo-cas-bf", "description": "Detect CAS bruteforce", "label": "CAS Bruteforce", "behaviors": [ "http:bruteforce" ], "mitre_attacks": [ "TA0006:T1110" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "http", "created_at": "2023-10-06 15:17:26" }, "jusabatier/apereo-cas-bf_user-enum": { "name": "jusabatier/apereo-cas-bf_user-enum", "description": "Detect CAS user enum bruteforce", "label": "CAS User Enum Bruteforce", "behaviors": [ "http:bruteforce" ], "mitre_attacks": [ "TA0043:T1589", "TA0006:T1110" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "http", "created_at": "2023-10-06 15:17:26" }, "jusabatier/cas-slow-bf": { "name": "jusabatier/cas-slow-bf", "description": "Detect slow CAS bruteforce", "label": "CAS Slow Bruteforce", "behaviors": [ "http:bruteforce" ], "mitre_attacks": [ "TA0006:T1110" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "http", "created_at": "2023-10-06 15:17:26" }, "jusabatier/cas-slow-bf_user-enum": { 
"name": "jusabatier/cas-slow-bf_user-enum", "description": "Detect slow CAS user enum bruteforce", "label": "CAS Slow User Enum Bruteforce", "behaviors": [ "http:bruteforce" ], "mitre_attacks": [ "TA0043:T1589", "TA0006:T1110" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "http", "created_at": "2023-10-06 15:17:26" }, "jusabatier/apereo-cas-slow-bf": { "name": "jusabatier/apereo-cas-slow-bf", "description": "Detect slow CAS bruteforce", "label": "Apereo CAS Bruteforce", "behaviors": [ "http:bruteforce" ], "mitre_attacks": [ "TA0006:T1110", "TA0043:T1595" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "http", "created_at": "2023-10-06 15:17:26" }, "jusabatier/apereo-cas-slow-bf_user-enum": { "name": "jusabatier/apereo-cas-slow-bf_user-enum", "description": "Detect slow CAS user enum bruteforce", "label": "Apereo CAS Slow User Enum Bruteforce", "behaviors": [ "http:bruteforce" ], "mitre_attacks": [ "TA0006:T1110", "TA0043:T1595" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "http", "created_at": "2023-10-06 15:17:26" }, "lourys/pterodactyl-wings-bf": { "name": "lourys/pterodactyl-wings-bf", "description": "Detect invalid_username_or_password ssh bruteforce", "label": "Pterodactyl Wing Bruteforce", "behaviors": [ "ssh:bruteforce" ], "mitre_attacks": [ "TA0006:T1110" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "pterodactyl", "created_at": "2024-08-23 14:31:08" }, "ltsich/http-w00tw00t": { "name": "ltsich/http-w00tw00t", "description": "detect w00tw00t", "label": "w00t w00t Scanner", "behaviors": [ "http:scan" ], "mitre_attacks": [ "TA0043:T1595" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "http", "created_at": "2023-10-06 15:17:26" }, "mstilkerich/bind9-refused": { "name": "mstilkerich/bind9-refused", "description": "Act on queries / zone transfers denied by bind9 policy", "label": "Domain transfer attempt", "behaviors": [ "generic:scan" ], "mitre_attacks": [ "TA0043:T1590" ], "confidence": 3, 
"spoofable": 0, "cti": true, "service": "domain", "created_at": "2023-10-06 15:17:26" }, "mwinters-stuff/mailu-admin-bf": { "name": "mwinters-stuff/mailu-admin-bf", "description": "Detect mailu admin bruteforce", "label": "Mailu web admin authentication attempt", "behaviors": [ "http:bruteforce" ], "mitre_attacks": [ "TA0006:T1110" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "http", "created_at": "2023-10-06 15:17:26" }, "openappsec/openappsec-bot-protection": { "name": "openappsec/openappsec-bot-protection", "description": "Detect openappsec 'prevent' securityActions on 'Bot Protection' events (when waf blocks malicious request)", "label": "Openappsec 'Bot Protection' detection", "behaviors": [ "http:spam" ], "mitre_attacks": [ "TA0043:T1595", "TA0001:T1190" ], "confidence": 2, "spoofable": 0, "cti": true, "service": "http", "created_at": "2023-10-06 15:17:26" }, "openappsec/openappsec-cross-site-redirect": { "name": "openappsec/openappsec-cross-site-redirect", "description": "Detect openappsec 'prevent' securityActions on 'Cross Site Redirect' events (when waf blocks malicious request)", "label": "Openappsec 'cross site redirect' detection", "behaviors": [ "http:exploit" ], "mitre_attacks": [ "TA0001:T1566" ], "confidence": 2, "spoofable": 0, "cti": true, "service": "http", "created_at": "2023-10-06 15:17:26" }, "openappsec/openappsec-csrf": { "name": "openappsec/openappsec-csrf", "description": "Detect openappsec 'prevent' securityActions on 'Cross Site Request Forgery' events (when waf blocks malicious request)", "label": "Openappsec 'cross site request forgery' detection", "behaviors": [ "http:exploit" ], "mitre_attacks": [ "TA0001:T1189" ], "confidence": 2, "spoofable": 0, "cti": true, "service": "http", "created_at": "2023-10-06 15:17:26" }, "openappsec/openappsec-error-disclosure": { "name": "openappsec/openappsec-error-disclosure", "description": "Detect openappsec 'prevent' securityActions on 'Error Disclosure' events (when waf blocks 
malicious request)", "label": "Openappsec 'error disclosure' detection", "behaviors": [ "http:scan" ], "mitre_attacks": [ "TA0043:T1595", "TA0001:T1190" ], "confidence": 1, "spoofable": 1, "cti": true, "service": "http", "created_at": "2023-10-06 15:17:26" }, "openappsec/openappsec-error-limit": { "name": "openappsec/openappsec-error-limit", "description": "Detect openappsec 'prevent' securityActions on 'Error Limit' events (when waf blocks malicious request)", "label": "Openappsec 'error limit' detection", "behaviors": [ "http:bruteforce" ], "mitre_attacks": [ "TA0043:T1595", "TA0001:T1190" ], "confidence": 1, "spoofable": 1, "cti": true, "service": "http", "created_at": "2023-10-06 15:17:26" }, "openappsec/openappsec-evasion-techniques": { "name": "openappsec/openappsec-evasion-techniques", "description": "Detect openappsec 'prevent' securityActions on 'Evasion Techniques' events (when waf blocks malicious request)", "label": "Openappsec 'Evasion Techniques' detection", "behaviors": [ "http:exploit" ], "mitre_attacks": [ "TA0043:T1595", "TA0001:T1190" ], "confidence": 1, "spoofable": 0, "cti": true, "service": "http", "created_at": "2023-10-06 15:17:26" }, "openappsec/openappsec-general": { "name": "openappsec/openappsec-general", "description": "Detect openappsec 'prevent' securityActions on 'General' events (when waf blocks malicious request)", "label": "Openappsec 'general' detection", "behaviors": [ "http:exploit" ], "mitre_attacks": [ "TA0043:T1595", "TA0001:T1190" ], "confidence": 1, "spoofable": 0, "cti": true, "service": "http", "created_at": "2023-10-06 15:17:26" }, "openappsec/openappsec-http-limit-violation": { "name": "openappsec/openappsec-http-limit-violation", "description": "Detect openappsec 'prevent' securityActions on 'Http limit violation' events (when waf blocks malicious request)", "label": "Openappsec 'http limit violation' detection", "behaviors": [ "http:spam" ], "mitre_attacks": [ "TA0043:T1595", "TA0001:T1190" ], "confidence": 1, 
"spoofable": 0, "cti": true, "service": "http", "created_at": "2023-10-06 15:17:26" }, "openappsec/openappsec-http-method-violation": { "name": "openappsec/openappsec-http-method-violation", "description": "Detect openappsec 'prevent' securityActions on 'Illegal http method violation' events (when waf blocks malicious request)", "label": "Openappsec 'illegal http method violation' detection", "behaviors": [ "http:exploit" ], "mitre_attacks": [ "TA0043:T1595", "TA0001:T1190" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "http", "created_at": "2023-10-06 15:17:26" }, "openappsec/openappsec-ldap-injection": { "name": "openappsec/openappsec-ldap-injection", "description": "Detect openappsec 'prevent' securityActions on 'LDAP Injection' events (when waf blocks malicious request)", "label": "Openappsec 'ldap injection' detection", "behaviors": [ "http:exploit" ], "mitre_attacks": [ "TA0043:T1595", "TA0001:T1190" ], "confidence": 2, "spoofable": 0, "cti": true, "service": "http", "created_at": "2023-10-06 15:17:26" }, "openappsec/openappsec-open-redirect": { "name": "openappsec/openappsec-open-redirect", "description": "Detect openappsec 'prevent' securityActions on 'Open Redirect' events (when waf blocks malicious request)", "label": "Openappsec 'open redirect' detection", "behaviors": [ "http:exploit" ], "mitre_attacks": [ "TA0001:T1189", "TA0001:T1566" ], "confidence": 2, "spoofable": 0, "cti": true, "service": "http", "created_at": "2023-10-06 15:17:26" }, "openappsec/openappsec-path-traversal": { "name": "openappsec/openappsec-path-traversal", "description": "Detect openappsec 'prevent' securityActions on 'Path Traversal' events (when waf blocks malicious request)", "label": "Openappsec 'path traversal' detection", "behaviors": [ "http:exploit" ], "mitre_attacks": [ "TA0043:T1595", "TA0001:T1190" ], "confidence": 2, "spoofable": 0, "cti": true, "service": "http", "created_at": "2023-10-06 15:17:26" }, "openappsec/openappsec-probing": { "name": 
"openappsec/openappsec-probing", "description": "Detect openappsec 'prevent' securityActions on 'Vulnerability Scanning' events (when waf blocks malicious request)", "label": "Openappsec 'probing' detection", "behaviors": [ "http:scan" ], "mitre_attacks": [ "TA0043:T1595", "TA0001:T1190" ], "confidence": 2, "spoofable": 0, "cti": true, "service": "http", "created_at": "2023-10-06 15:17:26" }, "openappsec/openappsec-rce": { "name": "openappsec/openappsec-rce", "description": "Detect openappsec 'prevent' securityActions on 'Remote Code Execution' events (when waf blocks malicious request)", "label": "Openappsec 'rce' detection", "behaviors": [ "http:exploit" ], "mitre_attacks": [ "TA0043:T1595", "TA0001:T1190" ], "confidence": 2, "spoofable": 0, "cti": true, "service": "http", "created_at": "2023-10-06 15:17:26" }, "openappsec/openappsec-request-rate-limit": { "name": "openappsec/openappsec-request-rate-limit", "description": "Detect openappsec 'prevent' securityActions on 'Request Rate Limit' events (when waf blocks malicious request)", "label": "Openappsec 'request rate limit' detection", "behaviors": [ "http:bruteforce" ], "mitre_attacks": [ "TA0040:T1498" ], "confidence": 2, "spoofable": 0, "cti": true, "service": "http", "created_at": "2023-10-06 15:17:26" }, "openappsec/openappsec-schema-validation": { "name": "openappsec/openappsec-schema-validation", "description": "Detect openappsec 'prevent' securityActions on 'Schema Validation' events (when waf blocks malicious request)", "label": "Openappsec 'schema validations' detection", "behaviors": [ "http:exploit" ], "mitre_attacks": [ "TA0001:T1190" ], "confidence": 1, "spoofable": 0, "cti": true, "service": "http", "created_at": "2023-10-06 15:17:26" }, "openappsec/openappsec-sql-injection": { "name": "openappsec/openappsec-sql-injection", "description": "Detect openappsec 'prevent' securityActions on 'SQL Injection' events (when waf blocks malicious request)", "label": "Openappsec 'SQL Injection' detection", 
"behaviors": [ "http:exploit" ], "mitre_attacks": [ "TA0043:T1595", "TA0001:T1190" ], "confidence": 2, "spoofable": 0, "cti": true, "service": "http", "created_at": "2023-10-06 15:17:26" }, "openappsec/openappsec-url-instead-of-file": { "name": "openappsec/openappsec-url-instead-of-file", "description": "Detect openappsec 'prevent' securityActions on 'URL instead of file' events (when waf blocks malicious request)", "label": "Openappsec 'url instead of file' detection", "behaviors": [ "http:exploit" ], "mitre_attacks": [ "TA0043:T1595", "TA0001:T1190" ], "confidence": 2, "spoofable": 0, "cti": true, "service": "http", "created_at": "2023-10-06 15:17:26" }, "openappsec/openappsec-xss": { "name": "openappsec/openappsec-xss", "description": "Detect openappsec 'prevent' securityActions on 'Cross Site Scripting' events (when waf blocks malicious request)", "label": "Openappsec 'XSS' detection", "behaviors": [ "http:exploit" ], "mitre_attacks": [ "TA0001:T1189", "TA0043:T1595", "TA0001:T1190" ], "confidence": 2, "spoofable": 0, "cti": true, "service": "http", "created_at": "2023-10-06 15:17:26" }, "openappsec/openappsec-xxe": { "name": "openappsec/openappsec-xxe", "description": "Detect openappsec 'prevent' securityActions on 'XML External Entity' events (when waf blocks malicious request)", "label": "Openappsec 'XML External Entity' detection", "behaviors": [ "http:exploit" ], "mitre_attacks": [ "TA0043:T1595", "TA0001:T1190" ], "confidence": 2, "spoofable": 0, "cti": true, "service": "http", "created_at": "2023-10-06 15:17:26" }, "plague-doctor/audiobookshelf-bf": { "name": "plague-doctor/audiobookshelf-bf", "description": "Detect Audiobookshelf bruteforce attacks", "label": "Audiobookshelf Bruteforce Attacks", "behaviors": [ "http:bruteforce" ], "mitre_attacks": [ "TA0006:T1110" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "audiobookshelf", "created_at": "2024-11-15 09:28:37" }, "pserranoa/openvpn-bf": { "name": "pserranoa/openvpn-bf", "description": 
"Detect openvpn bruteforce", "label": "OpenVPN Bruteforce", "behaviors": [], "mitre_attacks": [ "TA0006:T1110" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "openvpn", "created_at": "2024-12-18 14:09:30" }, "schiz0phr3ne/prowlarr-bf": { "name": "schiz0phr3ne/prowlarr-bf", "description": "Detect Prowlarr bruteforce", "label": "Prowlarr Bruteforce", "behaviors": [ "http:bruteforce" ], "mitre_attacks": [ "TA0006:T1110" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "prowlarr", "created_at": "2023-10-06 15:17:26" }, "schiz0phr3ne/prowlarr-bf_user-enum": { "name": "schiz0phr3ne/prowlarr-bf_user-enum", "description": "Detect Prowlarr user enum bruteforce", "label": "Prowlarr User Enumeration", "behaviors": [ "http:bruteforce" ], "mitre_attacks": [ "TA0043:T1589", "TA0006:T1110" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "prowlarr", "created_at": "2023-10-06 15:17:26" }, "schiz0phr3ne/radarr-bf": { "name": "schiz0phr3ne/radarr-bf", "description": "Detect Radarr bruteforce", "label": "Radarr Bruteforce", "behaviors": [ "http:bruteforce" ], "mitre_attacks": [ "TA0006:T1110" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "radarr", "created_at": "2023-10-06 15:17:26" }, "schiz0phr3ne/radarr-bf_user-enum": { "name": "schiz0phr3ne/radarr-bf_user-enum", "description": "Detect Radarr user enum bruteforce", "label": "Radarr User Enumeration", "behaviors": [ "http:bruteforce" ], "mitre_attacks": [ "TA0043:T1589", "TA0006:T1110" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "radarr", "created_at": "2023-10-06 15:17:26" }, "schiz0phr3ne/sonarr-bf": { "name": "schiz0phr3ne/sonarr-bf", "description": "Detect Sonarr bruteforce", "label": "Sonarr Bruteforce", "behaviors": [ "http:bruteforce" ], "mitre_attacks": [ "TA0006:T1110" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "sonarr", "created_at": "2023-10-06 15:17:26" }, "schiz0phr3ne/sonarr-bf_user-enum": { "name": "schiz0phr3ne/sonarr-bf_user-enum", 
"description": "Detect Sonarr user enum bruteforce", "label": "Sonarr User Enumeration", "behaviors": [ "http:bruteforce" ], "mitre_attacks": [ "TA0043:T1589", "TA0006:T1110" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "sonarr", "created_at": "2023-10-06 15:17:26" }, "sdwilsh/navidrome-bf": { "name": "sdwilsh/navidrome-bf", "description": "A scenario that detects excessive login attempts per unique IP", "label": "Navidrome Login Bruteforce", "behaviors": [ "generic:bruteforce" ], "mitre_attacks": [ "TA0006:T1110" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "navidrome", "created_at": "2025-03-13 03:01:55" }, "sigmahq/proc_creation_win_addinutil_suspicious_cmdline": { "name": "sigmahq/proc_creation_win_addinutil_suspicious_cmdline", "description": "Detects execution of the Add-In deployment cache updating utility (AddInutil.exe) with suspicious Addinroot or Pipelineroot paths. An adversary may execute AddinUtil.exe with uncommon Addinroot/Pipelineroot paths that point to the adversary's Addins.Store payload. \n", "label": "Suspicious AddinUtil.EXE CommandLine Execution", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_adplus_memory_dump": { "name": "sigmahq/proc_creation_win_adplus_memory_dump", "description": "Detects execution of \"AdPlus.exe\", a binary that is part of the Windows SDK that can be used as a LOLBIN in order to dump process memory and execute arbitrary commands.\n", "label": "Potential Adplus.EXE Abuse", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_agentexecutor_susp_usage": { "name": "sigmahq/proc_creation_win_agentexecutor_susp_usage", "description": "Detects execution of the AgentExecutor.exe binary. 
This binary can be abused as a LOLBIN to execute powershell scripts with the ExecutionPolicy \"Bypass\" or any binary named \"powershell.exe\" located in the path provided by the 6th positional argument\n", "label": "Suspicious AgentExecutor PowerShell Execution", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_aspnet_compiler_susp_child_process": { "name": "sigmahq/proc_creation_win_aspnet_compiler_susp_child_process", "description": "Detects potentially suspicious child processes of \"aspnet_compiler.exe\".\n", "label": "Suspicious Child Process of AspNetCompiler", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_aspnet_compiler_susp_paths": { "name": "sigmahq/proc_creation_win_aspnet_compiler_susp_paths", "description": "Detects execution of \"aspnet_compiler.exe\" with potentially suspicious paths for compilation.\n", "label": "Potentially Suspicious ASP.NET Compilation Via AspNetCompiler", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_at_interactive_execution": { "name": "sigmahq/proc_creation_win_at_interactive_execution", "description": "Detects an interactive AT job, which may be used as a form of privilege escalation.\n", "label": "Interactive AT Job", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_attrib_system_susp_paths": { "name": "sigmahq/proc_creation_win_attrib_system_susp_paths", "description": "Detects the usage of attrib with the \"+s\" option to set scripts or executables located in suspicious locations as system files to hide them from users and make them unable to 
be deleted with simple rights. The rule limits the search to specific extensions and directories to avoid FPs \n", "label": "Set Suspicious Files as System Files Using Attrib.EXE", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_auditpol_nt_resource_kit_usage": { "name": "sigmahq/proc_creation_win_auditpol_nt_resource_kit_usage", "description": "Threat actors can use an older version of the auditpol binary available inside the NT resource kit to change audit policy configuration to impair detection capability. This can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor. \n", "label": "Audit Policy Tampering Via NT Resource Kit Auditpol", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_auditpol_susp_execution": { "name": "sigmahq/proc_creation_win_auditpol_susp_execution", "description": "Threat actors can use auditpol binary to change audit policy configuration to impair detection capability. This can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor. \n", "label": "Audit Policy Tampering Via Auditpol", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_bcdedit_boot_conf_tamper": { "name": "sigmahq/proc_creation_win_bcdedit_boot_conf_tamper", "description": "Detects the use of the bcdedit command to tamper with the boot configuration data. 
This technique is often times used by malware or attackers as a destructive way before launching ransomware.\n", "label": "Boot Configuration Tampering Via Bcdedit.EXE", "behaviors": [], "mitre_attacks": [], "confidence": 2, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_bginfo_suspicious_child_process": { "name": "sigmahq/proc_creation_win_bginfo_suspicious_child_process", "description": "Detects suspicious child processes of \"BgInfo.exe\" which could be a sign of potential abuse of the binary to proxy execution via external VBScript\n", "label": "Suspicious Child Process Of BgInfo.EXE", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_bitsadmin_download_direct_ip": { "name": "sigmahq/proc_creation_win_bitsadmin_download_direct_ip", "description": "Detects usage of bitsadmin downloading a file using an URL that contains an IP\n", "label": "Suspicious Download From Direct IP Via Bitsadmin", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_bitsadmin_download_susp_extensions": { "name": "sigmahq/proc_creation_win_bitsadmin_download_susp_extensions", "description": "Detects usage of bitsadmin downloading a file with a suspicious extension\n", "label": "File With Suspicious Extension Downloaded Via Bitsadmin", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_bitsadmin_download_susp_targetfolder": { "name": "sigmahq/proc_creation_win_bitsadmin_download_susp_targetfolder", "description": "Detects usage of bitsadmin downloading a file to a suspicious target folder\n", "label": "File Download Via Bitsadmin To A Suspicious Target Folder", 
"behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_browsers_chromium_headless_debugging": { "name": "sigmahq/proc_creation_win_browsers_chromium_headless_debugging", "description": "Detects chromium based browsers starting in headless and debugging mode and pointing to a user profile. This could be a sign of data stealing or remote control\n", "label": "Potential Data Stealing Via Chromium Headless Debugging", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_browsers_chromium_headless_file_download": { "name": "sigmahq/proc_creation_win_browsers_chromium_headless_file_download", "description": "Detects execution of chromium based browser in headless mode using the \"dump-dom\" command line to download files\n", "label": "File Download with Headless Browser", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_browsers_chromium_mockbin_abuse": { "name": "sigmahq/proc_creation_win_browsers_chromium_mockbin_abuse", "description": "Detects the execution of a Chromium based browser process with the \"headless\" flag and a URL pointing to the mockbin.org service (which can be used to exfiltrate data).\n", "label": "Chromium Browser Headless Execution To Mockbin Like Site", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_browsers_chromium_susp_load_extension": { "name": "sigmahq/proc_creation_win_browsers_chromium_susp_load_extension", "description": "Detects a suspicious process spawning a Chromium based browser process with the 'load-extension' flag to start an instance with a custom 
extension\n", "label": "Suspicious Chromium Browser Instance Executed With Custom Extension", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_browsers_tor_execution": { "name": "sigmahq/proc_creation_win_browsers_tor_execution", "description": "Detects the use of Tor or Tor-Browser to connect to onion routing networks\n", "label": "Tor Client/Browser Execution", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_calc_uncommon_exec": { "name": "sigmahq/proc_creation_win_calc_uncommon_exec", "description": "Detects suspicious use of 'calc.exe' with command line parameters or in a suspicious directory, which is likely caused by some PoC or detection evasion. \n", "label": "Suspicious Calculator Usage", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_certoc_download_direct_ip": { "name": "sigmahq/proc_creation_win_certoc_download_direct_ip", "description": "Detects when a user downloads a file from an IP based URL using CertOC.exe\n", "label": "File Download From IP Based URL Via CertOC.EXE", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_certoc_load_dll_susp_locations": { "name": "sigmahq/proc_creation_win_certoc_load_dll_susp_locations", "description": "Detects when a user installs certificates by using CertOC.exe to load the target DLL file.\n", "label": "Suspicious DLL Loaded via CertOC.EXE", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, 
"sigmahq/proc_creation_win_certutil_download_direct_ip": { "name": "sigmahq/proc_creation_win_certutil_download_direct_ip", "description": "Detects the execution of certutil with certain flags that allow the utility to download files from direct IPs.\n", "label": "Suspicious File Downloaded From Direct IP Via Certutil.EXE", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_certutil_ntlm_coercion": { "name": "sigmahq/proc_creation_win_certutil_ntlm_coercion", "description": "Detects possible NTLM coercion via certutil using the 'syncwithWU' flag\n", "label": "Potential NTLM Coercion Via Certutil.EXE", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_citrix_trolleyexpress_procdump": { "name": "sigmahq/proc_creation_win_citrix_trolleyexpress_procdump", "description": "Detects a possible process memory dump that uses the white-listed Citrix TrolleyExpress.exe filename as a way to dump the lsass process memory\n", "label": "Process Access via TrolleyExpress Exclusion", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_cmd_assoc_tamper_exe_file_association": { "name": "sigmahq/proc_creation_win_cmd_assoc_tamper_exe_file_association", "description": "Detects when a program changes the default file association of any extension to an executable. When a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access or by administrators using the built-in assoc utility. 
Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened. \n", "label": "Change Default File Association To Executable Via Assoc", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_cmd_copy_dmp_from_share": { "name": "sigmahq/proc_creation_win_cmd_copy_dmp_from_share", "description": "Detects usage of the copy builtin cmd command to copy files with the \".dmp\"/\".dump\" extension from a remote share\n", "label": "Copy .DMP/.DUMP Files From Remote Share Via Cmd.EXE", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_cmd_curl_download_exec_combo": { "name": "sigmahq/proc_creation_win_cmd_curl_download_exec_combo", "description": "Adversaries can use curl to download payloads remotely and execute them. Curl is included by default in Windows 10 build 17063 and later.\n", "label": "Curl Download And Execute Combination", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_cmd_mklink_osk_cmd": { "name": "sigmahq/proc_creation_win_cmd_mklink_osk_cmd", "description": "Detects the creation of a symbolic link between \"cmd.exe\" and the accessibility on-screen keyboard binary (osk.exe) using \"mklink\". 
This technique provides an elevated command prompt to the user from the login screen without the need to log in.\n", "label": "Potential Privilege Escalation Using Symlink Between Osk and Cmd", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_cmd_mklink_shadow_copies_access_symlink": { "name": "sigmahq/proc_creation_win_cmd_mklink_shadow_copies_access_symlink", "description": "Shadow Copies storage symbolic link creation using operating system utilities\n", "label": "VolumeShadowCopy Symlink Creation Via Mklink", "behaviors": [], "mitre_attacks": [], "confidence": 2, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_cmd_net_use_and_exec_combo": { "name": "sigmahq/proc_creation_win_cmd_net_use_and_exec_combo", "description": "Detects the execution of the \"net use\" command to mount a WebDAV server and then immediately execute some content in it. As seen being used in malicious LNK files\n", "label": "Suspicious File Execution From Internet Hosted WebDav Share", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_cmd_no_space_execution": { "name": "sigmahq/proc_creation_win_cmd_no_space_execution", "description": "Detects Windows command lines that miss a space before or after the /c flag when running a command using the cmd.exe. This could be a sign of obfuscation or a fat-finger problem (typo by the developer). 
\n", "label": "Cmd.EXE Missing Space Characters Execution Anomaly", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_cmd_ntdllpipe_redirect": { "name": "sigmahq/proc_creation_win_cmd_ntdllpipe_redirect", "description": "Detects command that type the content of ntdll.dll to a different file or a pipe in order to evade AV / EDR detection. As seen being used in the POC NtdllPipe\n", "label": "NtdllPipe Like Activity Execution", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_cmd_path_traversal": { "name": "sigmahq/proc_creation_win_cmd_path_traversal", "description": "Detects potential path traversal attempt via cmd.exe. Could indicate possible command/argument confusion/hijacking\n", "label": "Potential CommandLine Path Traversal Via Cmd.EXE", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_cmd_ping_del_combined_execution": { "name": "sigmahq/proc_creation_win_cmd_ping_del_combined_execution", "description": "Detects a method often used by ransomware. Which combines the \"ping\" to wait a couple of seconds and then \"del\" to delete the file in question. 
It is used, for example, to hide the file responsible for the initial infection\n", "label": "Suspicious Ping/Del Command Combination", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_cmd_shadowcopy_access": { "name": "sigmahq/proc_creation_win_cmd_shadowcopy_access", "description": "Detects the execution of the builtin \"copy\" command that targets a shadow copy (sometimes used to copy registry hives that are in use)\n", "label": "Copy From VolumeShadowCopy Via Cmd.EXE", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_cmd_sticky_key_like_backdoor_execution": { "name": "sigmahq/proc_creation_win_cmd_sticky_key_like_backdoor_execution", "description": "Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login screen\n", "label": "Sticky Key Like Backdoor Execution", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_cmd_sticky_keys_replace": { "name": "sigmahq/proc_creation_win_cmd_sticky_keys_replace", "description": "By replacing the sticky keys executable with the local admin's CMD executable, an attacker is able to access a privileged windows console session without authenticating to the system. When the sticky keys are \"activated\" the privileged shell is launched. 
\n", "label": "Persistence Via Sticky Key Backdoor", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_cmdkey_recon": { "name": "sigmahq/proc_creation_win_cmdkey_recon", "description": "Detects usage of cmdkey to look for cached credentials on the system\n", "label": "Potential Reconnaissance For Cached Credentials Via Cmdkey.EXE", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_cmstp_execution_by_creation": { "name": "sigmahq/proc_creation_win_cmstp_execution_by_creation", "description": "Detects various indicators of Microsoft Connection Manager Profile Installer execution\n", "label": "CMSTP Execution Process Creation", "behaviors": [], "mitre_attacks": [], "confidence": 2, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_conhost_path_traversal": { "name": "sigmahq/proc_creation_win_conhost_path_traversal", "description": "Detects the usage of path traversal in conhost.exe indicating possible command/argument confusion/hijacking\n", "label": "Conhost.exe CommandLine Path Traversal", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_control_panel_item": { "name": "sigmahq/proc_creation_win_control_panel_item", "description": "Detects the malicious use of a control panel item\n", "label": "Control Panel Items", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_createdump_lolbin_execution": { "name": "sigmahq/proc_creation_win_createdump_lolbin_execution", "description": "Detects uses of the createdump.exe LOLBIN 
utility to dump process memory\n", "label": "CreateDump Process Dump", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_csc_susp_parent": { "name": "sigmahq/proc_creation_win_csc_susp_parent", "description": "Detects a potentially suspicious parent of \"csc.exe\", which could be a sign of payload delivery.\n", "label": "Csc.EXE Execution From Potentially Suspicious Parent", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_csi_use_of_csharp_console": { "name": "sigmahq/proc_creation_win_csi_use_of_csharp_console", "description": "Detects the execution of CSharp interactive console by PowerShell\n", "label": "Suspicious Use of CSharp Interactive Console", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_curl_download_direct_ip_susp_extensions": { "name": "sigmahq/proc_creation_win_curl_download_direct_ip_susp_extensions", "description": "Detects potentially suspicious file downloads directly from IP addresses using curl.exe\n", "label": "Suspicious File Download From IP Via Curl.EXE", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_curl_susp_download": { "name": "sigmahq/proc_creation_win_curl_susp_download", "description": "Detects a suspicious curl process start on Windows that outputs the requested document to a local file\n", "label": "Suspicious Curl.EXE Download", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_dctask64_arbitrary_command_and_dll_execution": 
{ "name": "sigmahq/proc_creation_win_dctask64_arbitrary_command_and_dll_execution", "description": "Detects the execution of \"dctask64.exe\", a signed binary by ZOHO Corporation part of ManageEngine Endpoint Central. This binary can be abused for DLL injection, arbitrary command and process execution. \n", "label": "ManageEngine Endpoint Central Dctask64.EXE Potential Abuse", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_desktopimgdownldr_susp_execution": { "name": "sigmahq/proc_creation_win_desktopimgdownldr_susp_execution", "description": "Detects a suspicious Microsoft desktopimgdownldr execution with parameters used to download files from the Internet\n", "label": "Suspicious Desktopimgdownldr Command", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_dism_enable_powershell_web_access_feature": { "name": "sigmahq/proc_creation_win_dism_enable_powershell_web_access_feature", "description": "Detects the use of DISM to enable the PowerShell Web Access feature, which could be used for remote access and potential abuse\n", "label": "PowerShell Web Access Feature Enabled Via DISM", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_dll_sideload_vmware_xfer": { "name": "sigmahq/proc_creation_win_dll_sideload_vmware_xfer", "description": "Detects execution of VMware Xfer utility (VMwareXferlogs.exe) from the non-default directory which may be an attempt to sideload arbitrary DLL\n", "label": "DLL Sideloading by VMware Xfer Utility", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, 
"sigmahq/proc_creation_win_dllhost_no_cli_execution": { "name": "sigmahq/proc_creation_win_dllhost_no_cli_execution", "description": "Detects a \"dllhost\" process spawning with no commandline arguments which is very rare to happen and could indicate process injection activity or malware mimicking similar system processes.\n", "label": "Dllhost.EXE Execution Anomaly", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_dns_exfiltration_tools_execution": { "name": "sigmahq/proc_creation_win_dns_exfiltration_tools_execution", "description": "Well-known DNS Exfiltration tools execution\n", "label": "DNS Exfiltration and Tunneling Tools Execution", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_dns_susp_child_process": { "name": "sigmahq/proc_creation_win_dns_susp_child_process", "description": "Detects an unexpected process spawning from dns.exe which may indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)\n", "label": "Unusual Child Process of dns.exe", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_dnscmd_install_new_server_level_plugin_dll": { "name": "sigmahq/proc_creation_win_dnscmd_install_new_server_level_plugin_dll", "description": "Detects the installation of a DNS plugin DLL via ServerLevelPluginDll parameter in registry, which can be used to execute code in context of the DNS server (restart required)\n", "label": "New DNS ServerLevelPluginDll Installed Via Dnscmd.EXE", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, 
"sigmahq/proc_creation_win_driverquery_recon": { "name": "sigmahq/proc_creation_win_driverquery_recon", "description": "Detect usage of the \"driverquery\" utility to perform reconnaissance on installed drivers\n", "label": "Potential Recon Activity Using DriverQuery.EXE", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_dtrace_kernel_dump": { "name": "sigmahq/proc_creation_win_dtrace_kernel_dump", "description": "Detects suspicious way to dump the kernel on Windows systems using dtrace.exe, which is available on Windows systems since Windows 10 19H1\n", "label": "Suspicious Kernel Dump Using Dtrace", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_dump64_defender_av_bypass_rename": { "name": "sigmahq/proc_creation_win_dump64_defender_av_bypass_rename", "description": "Detects when a user is potentially trying to bypass the Windows Defender AV by renaming a tool to dump64.exe and placing it in the Visual Studio folder. Currently the rule is covering only usage of procdump but other utilities can be added in order to increase coverage. 
\n", "label": "Potential Windows Defender AV Bypass Via Dump64.EXE Rename", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_dumpminitool_susp_execution": { "name": "sigmahq/proc_creation_win_dumpminitool_susp_execution", "description": "Detects suspicious ways to use the \"DumpMinitool.exe\" binary\n", "label": "Suspicious DumpMinitool Execution", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_esentutl_sensitive_file_copy": { "name": "sigmahq/proc_creation_win_esentutl_sensitive_file_copy", "description": "Files with well-known filenames (sensitive files with credential data) copying\n", "label": "Copying Sensitive Files with Credential Data", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_eventvwr_susp_child_process": { "name": "sigmahq/proc_creation_win_eventvwr_susp_child_process", "description": "Detects uncommon or suspicious child processes of \"eventvwr.exe\" which might indicate a UAC bypass attempt\n", "label": "Potentially Suspicious Event Viewer Child Process", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_explorer_nouaccheck": { "name": "sigmahq/proc_creation_win_explorer_nouaccheck", "description": "Detects suspicious starts of explorer.exe that use the /NOUACCHECK flag that allows to run all sub processes of that newly started explorer.exe without any UAC checks\n", "label": "Explorer NOUACCHECK Flag", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, 
"sigmahq/proc_creation_win_findstr_gpp_passwords": { "name": "sigmahq/proc_creation_win_findstr_gpp_passwords", "description": "Look for the encrypted cpassword value within Group Policy Preference files on the Domain Controller. This value can be decrypted with gpp-decrypt.\n", "label": "Findstr GPP Passwords", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_findstr_sysmon_discovery_via_default_altitude": { "name": "sigmahq/proc_creation_win_findstr_sysmon_discovery_via_default_altitude", "description": "Detects usage of \"findstr\" with the argument \"385201\". Which could indicate potential discovery of an installed Sysinternals Sysmon service using the default driver altitude (even if the name is changed).\n", "label": "Sysmon Discovery Via Default Driver Altitude Using Findstr.EXE", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_finger_execution": { "name": "sigmahq/proc_creation_win_finger_execution", "description": "Detects execution of the \"finger.exe\" utility. Finger.EXE or \"TCPIP Finger Command\" is an old utility that is still present on modern Windows installation. It Displays information about users on a specified remote computer (typically a UNIX computer) that is running the finger service or daemon. Due to the old nature of this utility and the rareness of machines having the finger service. Any execution of \"finger.exe\" can be considered \"suspicious\" and worth investigating. 
\n", "label": "Finger.EXE Execution", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_fltmc_unload_driver_sysmon": { "name": "sigmahq/proc_creation_win_fltmc_unload_driver_sysmon", "description": "Detects possible Sysmon filter driver unloaded via fltmc.exe\n", "label": "Sysmon Driver Unloaded Via Fltmc.EXE", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_forfiles_child_process_masquerading": { "name": "sigmahq/proc_creation_win_forfiles_child_process_masquerading", "description": "Detects the execution of \"forfiles\" from a non-default location, in order to potentially spawn a custom \"cmd.exe\" from the current working directory. \n", "label": "Forfiles.EXE Child Process Masquerading", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_format_uncommon_filesystem_load": { "name": "sigmahq/proc_creation_win_format_uncommon_filesystem_load", "description": "Detects the execution of format.com with an uncommon filesystem selection that could indicate a defense evasion activity in which \"format.com\" is used to load malicious DLL files or other programs. \n", "label": "Uncommon FileSystem Load Attempt By Format.com", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_fsutil_usage": { "name": "sigmahq/proc_creation_win_fsutil_usage", "description": "Detects suspicious parameters of fsutil (deleting USN journal, configuring it with small size, etc). Might be used by ransomwares during the attack (seen by NotPetya and others). 
\n", "label": "Fsutil Suspicious Invocation", "behaviors": [], "mitre_attacks": [], "confidence": 2, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_googleupdate_susp_child_process": { "name": "sigmahq/proc_creation_win_googleupdate_susp_child_process", "description": "Detects potentially suspicious child processes of \"GoogleUpdate.exe\"\n", "label": "Potentially Suspicious GoogleUpdate Child Process", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_gpg4win_susp_location": { "name": "sigmahq/proc_creation_win_gpg4win_susp_location", "description": "Detects usage of Gpg4win to encrypt/decrypt files located in potentially suspicious locations.\n", "label": "File Encryption/Decryption Via Gpg4win From Suspicious Locations", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_gup_download": { "name": "sigmahq/proc_creation_win_gup_download", "description": "Detects execution of the Notepad++ updater (gup) from a process other than Notepad++ to download files.\n", "label": "File Download Using Notepad++ GUP Utility", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_gup_suspicious_execution": { "name": "sigmahq/proc_creation_win_gup_suspicious_execution", "description": "Detects execution of the Notepad++ updater in a suspicious directory, which is often used in DLL side-loading attacks\n", "label": "Suspicious GUP Usage", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_hh_html_help_susp_child_process": { "name": 
"sigmahq/proc_creation_win_hh_html_help_susp_child_process", "description": "Detects a suspicious child process of a Microsoft HTML Help (HH.exe)\n", "label": "HTML Help HH.EXE Suspicious Child Process", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_hh_susp_execution": { "name": "sigmahq/proc_creation_win_hh_susp_execution", "description": "Detects a suspicious execution of a Microsoft HTML Help (HH.exe)\n", "label": "Suspicious HH.EXE Execution", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_hktl_adcspwn": { "name": "sigmahq/proc_creation_win_hktl_adcspwn", "description": "Detects command line parameters used by ADCSPwn, a tool to escalate privileges in an active directory network by coercing authenticate from machine accounts and relaying to the certificate service\n", "label": "HackTool - ADCSPwn Execution", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_hktl_bloodhound_sharphound": { "name": "sigmahq/proc_creation_win_hktl_bloodhound_sharphound", "description": "Detects command line parameters used by Bloodhound and Sharphound hack tools\n", "label": "HackTool - Bloodhound/Sharphound Execution", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_hktl_c3_rundll32_pattern": { "name": "sigmahq/proc_creation_win_hktl_c3_rundll32_pattern", "description": "F-Secure C3 produces DLLs with a default exported StartNodeRelay function.\n", "label": "HackTool - F-Secure C3 Load by Rundll32", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": 
"windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_hktl_certify": { "name": "sigmahq/proc_creation_win_hktl_certify", "description": "Detects Certify a tool for Active Directory certificate abuse based on PE metadata characteristics and common command line arguments.\n", "label": "HackTool - Certify Execution", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_hktl_certipy": { "name": "sigmahq/proc_creation_win_hktl_certipy", "description": "Detects Certipy execution, a tool for Active Directory Certificate Services enumeration and abuse based on PE metadata characteristics and common command line arguments. \n", "label": "HackTool - Certipy Execution", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_hktl_cobaltstrike_bloopers_cmd": { "name": "sigmahq/proc_creation_win_hktl_cobaltstrike_bloopers_cmd", "description": "Detects use of Cobalt Strike commands accidentally entered in the CMD shell\n", "label": "Operator Bloopers Cobalt Strike Commands", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_hktl_cobaltstrike_bloopers_modules": { "name": "sigmahq/proc_creation_win_hktl_cobaltstrike_bloopers_modules", "description": "Detects Cobalt Strike module/commands accidentally entered in CMD shell\n", "label": "Operator Bloopers Cobalt Strike Modules", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_hktl_cobaltstrike_load_by_rundll32": { "name": "sigmahq/proc_creation_win_hktl_cobaltstrike_load_by_rundll32", "description": "Rundll32 can be use by Cobalt Strike 
with StartW function to load DLLs from the command line.\n", "label": "CobaltStrike Load by Rundll32", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_hktl_cobaltstrike_process_patterns": { "name": "sigmahq/proc_creation_win_hktl_cobaltstrike_process_patterns", "description": "Detects potential process patterns related to Cobalt Strike beacon activity\n", "label": "Potential CobaltStrike Process Patterns", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_hktl_covenant": { "name": "sigmahq/proc_creation_win_hktl_covenant", "description": "Detects suspicious command lines used in Covenant launchers\n", "label": "HackTool - Covenant PowerShell Launcher", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_hktl_crackmapexec_execution": { "name": "sigmahq/proc_creation_win_hktl_crackmapexec_execution", "description": "This rule detects common flag combinations used by CrackMapExec in order to detect its use even if the binary has been replaced.\n", "label": "HackTool - CrackMapExec Execution", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_hktl_crackmapexec_execution_patterns": { "name": "sigmahq/proc_creation_win_hktl_crackmapexec_execution_patterns", "description": "Detects various execution patterns of the CrackMapExec pentesting framework\n", "label": "HackTool - CrackMapExec Execution Patterns", "behaviors": [], "mitre_attacks": [], "confidence": 2, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, 
"sigmahq/proc_creation_win_hktl_crackmapexec_patterns": { "name": "sigmahq/proc_creation_win_hktl_crackmapexec_patterns", "description": "Detects suspicious process patterns found in logs when CrackMapExec is used\n", "label": "HackTool - CrackMapExec Process Patterns", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_hktl_crackmapexec_powershell_obfuscation": { "name": "sigmahq/proc_creation_win_hktl_crackmapexec_powershell_obfuscation", "description": "The CrachMapExec pentesting framework implements a PowerShell obfuscation with some static strings detected by this rule.\n", "label": "HackTool - CrackMapExec PowerShell Obfuscation", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_hktl_createminidump": { "name": "sigmahq/proc_creation_win_hktl_createminidump", "description": "Detects the use of CreateMiniDump hack tool used to dump the LSASS process memory for credential extraction on the attacker's machine\n", "label": "HackTool - CreateMiniDump Execution", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_hktl_dinjector": { "name": "sigmahq/proc_creation_win_hktl_dinjector", "description": "Detects the use of the Dinject PowerShell cradle based on the specific flags\n", "label": "HackTool - DInjector PowerShell Cradle Execution", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_hktl_dumpert": { "name": "sigmahq/proc_creation_win_hktl_dumpert", "description": "Detects the use of Dumpert process dumper, which dumps the lsass.exe process memory\n", "label": "HackTool - Dumpert 
Process Dumper Execution", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_hktl_edrsilencer": { "name": "sigmahq/proc_creation_win_hktl_edrsilencer", "description": "Detects the execution of EDRSilencer, a tool that leverages Windows Filtering Platform (WFP) to block Endpoint Detection and Response (EDR) agents from reporting security events to the server based on PE metadata information. \n", "label": "HackTool - EDRSilencer Execution", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_hktl_empire_powershell_launch": { "name": "sigmahq/proc_creation_win_hktl_empire_powershell_launch", "description": "Detects suspicious powershell command line parameters used in Empire\n", "label": "HackTool - Empire PowerShell Launch Parameters", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_hktl_empire_powershell_uac_bypass": { "name": "sigmahq/proc_creation_win_hktl_empire_powershell_uac_bypass", "description": "Detects some Empire PowerShell UAC bypass methods\n", "label": "HackTool - Empire PowerShell UAC Bypass", "behaviors": [], "mitre_attacks": [], "confidence": 2, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_hktl_execution_via_imphashes": { "name": "sigmahq/proc_creation_win_hktl_execution_via_imphashes", "description": "Detects the execution of different Windows based hacktools via their import hash (imphash) even if the files have been renamed\n", "label": "Hacktool Execution - Imphash", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, 
"sigmahq/proc_creation_win_hktl_execution_via_pe_metadata": { "name": "sigmahq/proc_creation_win_hktl_execution_via_pe_metadata", "description": "Detects the execution of different Windows based hacktools via PE metadata (company, product, etc.) even if the files have been renamed\n", "label": "Hacktool Execution - PE Metadata", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_hktl_gmer": { "name": "sigmahq/proc_creation_win_hktl_gmer", "description": "Detects the execution GMER tool based on image and hash fields.\n", "label": "HackTool - GMER Rootkit Detector and Remover Execution", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_hktl_handlekatz": { "name": "sigmahq/proc_creation_win_hktl_handlekatz", "description": "Detects the use of HandleKatz, a tool that demonstrates the usage of cloned handles to Lsass in order to create an obfuscated memory dump of the same\n", "label": "HackTool - HandleKatz LSASS Dumper Execution", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_hktl_hashcat": { "name": "sigmahq/proc_creation_win_hktl_hashcat", "description": "Execute Hashcat.exe with provided SAM file from registry of Windows and Password list to crack against\n", "label": "HackTool - Hashcat Password Cracker Execution", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_hktl_htran_or_natbypass": { "name": "sigmahq/proc_creation_win_hktl_htran_or_natbypass", "description": "Detects executable names or flags used by Htran or Htran-like tools (e.g. 
NATBypass)\n", "label": "HackTool - Htran/NATBypass Execution", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_hktl_hydra": { "name": "sigmahq/proc_creation_win_hktl_hydra", "description": "Detects command line parameters used by Hydra password guessing hack tool\n", "label": "HackTool - Hydra Password Bruteforce Execution", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_hktl_impacket_lateral_movement": { "name": "sigmahq/proc_creation_win_hktl_impacket_lateral_movement", "description": "Detects wmiexec/dcomexec/atexec/smbexec from Impacket framework\n", "label": "HackTool - Potential Impacket Lateral Movement Activity", "behaviors": [], "mitre_attacks": [], "confidence": 2, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_hktl_impacket_tools": { "name": "sigmahq/proc_creation_win_hktl_impacket_tools", "description": "Detects the execution of different compiled Windows binaries of the impacket toolset (based on names or part of their names - could lead to false positives)\n", "label": "HackTool - Impacket Tools Execution", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_hktl_inveigh": { "name": "sigmahq/proc_creation_win_hktl_inveigh", "description": "Detects the use of Inveigh a cross-platform .NET IPv4/IPv6 machine-in-the-middle tool\n", "label": "HackTool - Inveigh Execution", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_hktl_invoke_obfuscation_clip": { "name": 
"sigmahq/proc_creation_win_hktl_invoke_obfuscation_clip", "description": "Detects Obfuscated use of Clip.exe to execute PowerShell\n", "label": "Invoke-Obfuscation CLIP+ Launcher", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_hktl_invoke_obfuscation_obfuscated_iex_commandline": { "name": "sigmahq/proc_creation_win_hktl_invoke_obfuscation_obfuscated_iex_commandline", "description": "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block\n", "label": "Invoke-Obfuscation Obfuscated IEX Invocation", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_hktl_invoke_obfuscation_stdin": { "name": "sigmahq/proc_creation_win_hktl_invoke_obfuscation_stdin", "description": "Detects Obfuscated use of stdin to execute PowerShell\n", "label": "Invoke-Obfuscation STDIN+ Launcher", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_hktl_invoke_obfuscation_var": { "name": "sigmahq/proc_creation_win_hktl_invoke_obfuscation_var", "description": "Detects Obfuscated use of Environment Variables to execute PowerShell\n", "label": "Invoke-Obfuscation VAR+ Launcher", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_hktl_invoke_obfuscation_via_stdin": { "name": "sigmahq/proc_creation_win_hktl_invoke_obfuscation_via_stdin", "description": "Detects Obfuscated Powershell via Stdin in Scripts\n", "label": "Invoke-Obfuscation Via Stdin", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": 
"windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_hktl_invoke_obfuscation_via_use_clip": { "name": "sigmahq/proc_creation_win_hktl_invoke_obfuscation_via_use_clip", "description": "Detects Obfuscated Powershell via use Clip.exe in Scripts\n", "label": "Invoke-Obfuscation Via Use Clip", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_hktl_invoke_obfuscation_via_use_mhsta": { "name": "sigmahq/proc_creation_win_hktl_invoke_obfuscation_via_use_mhsta", "description": "Detects Obfuscated Powershell via use MSHTA in Scripts\n", "label": "Invoke-Obfuscation Via Use MSHTA", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_hktl_invoke_obfuscation_via_var": { "name": "sigmahq/proc_creation_win_hktl_invoke_obfuscation_via_var", "description": "Detects Obfuscated Powershell via VAR++ LAUNCHER\n", "label": "Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_hktl_koadic": { "name": "sigmahq/proc_creation_win_hktl_koadic", "description": "Detects command line parameters used by Koadic hack tool\n", "label": "HackTool - Koadic Execution", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_hktl_krbrelay": { "name": "sigmahq/proc_creation_win_hktl_krbrelay", "description": "Detects the use of KrbRelay, a Kerberos relaying tool\n", "label": "HackTool - KrbRelay Execution", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, 
"sigmahq/proc_creation_win_hktl_krbrelayup": { "name": "sigmahq/proc_creation_win_hktl_krbrelayup", "description": "Detects KrbRelayUp used to perform a universal no-fix local privilege escalation in Windows domain environments where LDAP signing is not enforced\n", "label": "HackTool - KrbRelayUp Execution", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_hktl_localpotato": { "name": "sigmahq/proc_creation_win_hktl_localpotato", "description": "Detects the execution of the LocalPotato POC based on basic PE metadata information and default CLI examples\n", "label": "HackTool - LocalPotato Execution", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_hktl_meterpreter_getsystem": { "name": "sigmahq/proc_creation_win_hktl_meterpreter_getsystem", "description": "Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service starting\n", "label": "Potential Meterpreter/CobaltStrike Activity", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_hktl_mimikatz_command_line": { "name": "sigmahq/proc_creation_win_hktl_mimikatz_command_line", "description": "Detection well-known mimikatz command line arguments\n", "label": "HackTool - Mimikatz Execution", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_hktl_pchunter": { "name": "sigmahq/proc_creation_win_hktl_pchunter", "description": "Detects suspicious use of PCHunter, a tool like Process Hacker to view and manipulate processes, kernel options and other low level stuff\n", "label": "HackTool - PCHunter 
Execution", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_hktl_powersploit_empire_default_schtasks": { "name": "sigmahq/proc_creation_win_hktl_powersploit_empire_default_schtasks", "description": "Detects the creation of a schtask via PowerSploit or Empire Default Configuration.\n", "label": "HackTool - Default PowerSploit/Empire Scheduled Task Creation", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_hktl_powertool": { "name": "sigmahq/proc_creation_win_hktl_powertool", "description": "Detects the execution of the tool PowerTool which has the ability to kill a process, delete its process file, unload drivers, and delete the driver files\n", "label": "HackTool - PowerTool Execution", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_hktl_purplesharp_indicators": { "name": "sigmahq/proc_creation_win_hktl_purplesharp_indicators", "description": "Detects the execution of the PurpleSharp adversary simulation tool\n", "label": "HackTool - PurpleSharp Execution", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_hktl_pypykatz": { "name": "sigmahq/proc_creation_win_hktl_pypykatz", "description": "Detects the usage of \"pypykatz\" to obtain stored credentials. 
Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database through Windows registry where the SAM database is stored\n", "label": "HackTool - Pypykatz Credentials Dumping Activity", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_hktl_quarks_pwdump": { "name": "sigmahq/proc_creation_win_hktl_quarks_pwdump", "description": "Detects usage of the Quarks PwDump tool via commandline arguments\n", "label": "HackTool - Quarks PwDump Execution", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_hktl_redmimicry_winnti_playbook": { "name": "sigmahq/proc_creation_win_hktl_redmimicry_winnti_playbook", "description": "Detects actions caused by the RedMimicry Winnti playbook, an automated breach emulation utility\n", "label": "HackTool - RedMimicry Winnti Playbook Execution", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_hktl_relay_attacks_tools": { "name": "sigmahq/proc_creation_win_hktl_relay_attacks_tools", "description": "Detects different hacktools used for relay attacks on Windows for privilege escalation\n", "label": "Potential SMB Relay Attack Tool Execution", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_hktl_rubeus": { "name": "sigmahq/proc_creation_win_hktl_rubeus", "description": "Detects the execution of the hacktool Rubeus via PE information of command line parameters\n", "label": "HackTool - Rubeus Execution", "behaviors": [], "mitre_attacks": [], "confidence": 2, "spoofable": 0, "cti": true, "service": "windows", "created_at": 
"2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_hktl_safetykatz": { "name": "sigmahq/proc_creation_win_hktl_safetykatz", "description": "Detects the execution of the hacktool SafetyKatz via PE information and default Image name\n", "label": "HackTool - SafetyKatz Execution", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_hktl_secutyxploded": { "name": "sigmahq/proc_creation_win_hktl_secutyxploded", "description": "Detects the execution of SecurityXploded Tools\n", "label": "HackTool - SecurityXploded Execution", "behaviors": [], "mitre_attacks": [], "confidence": 2, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_hktl_selectmyparent": { "name": "sigmahq/proc_creation_win_hktl_selectmyparent", "description": "Detects the use of parent process ID spoofing tools like Didier Stevens tool SelectMyParent\n", "label": "HackTool - PPID Spoofing SelectMyParent Tool Execution", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_hktl_sharp_chisel": { "name": "sigmahq/proc_creation_win_hktl_sharp_chisel", "description": "Detects usage of the Sharp Chisel via the commandline arguments\n", "label": "HackTool - SharpChisel Execution", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_hktl_sharp_impersonation": { "name": "sigmahq/proc_creation_win_hktl_sharp_impersonation", "description": "Detects execution of the SharpImpersonation tool. 
It can be used to manipulate tokens on a Windows computer remotely (PsExec/WmiExec) or interactively\n", "label": "HackTool - SharpImpersonation Execution", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_hktl_sharpersist": { "name": "sigmahq/proc_creation_win_hktl_sharpersist", "description": "Detects the execution of the hacktool SharPersist - used to deploy various different kinds of persistence mechanisms\n", "label": "HackTool - SharPersist Execution", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_hktl_sharpevtmute": { "name": "sigmahq/proc_creation_win_hktl_sharpevtmute", "description": "Detects the use of SharpEvtHook, a tool that tampers with the Windows event logs\n", "label": "HackTool - SharpEvtMute Execution", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_hktl_sharpldapwhoami": { "name": "sigmahq/proc_creation_win_hktl_sharpldapwhoami", "description": "Detects SharpLdapWhoami, a whoami alternative that queries the LDAP service on a domain controller\n", "label": "HackTool - SharpLdapWhoami Execution", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_hktl_sharpup": { "name": "sigmahq/proc_creation_win_hktl_sharpup", "description": "Detects the use of SharpUp, a tool for local privilege escalation\n", "label": "HackTool - SharpUp PrivEsc Tool Execution", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_hktl_sharpview": { "name": 
"sigmahq/proc_creation_win_hktl_sharpview", "description": "Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems\n", "label": "HackTool - SharpView Execution", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_hktl_silenttrinity_stager": { "name": "sigmahq/proc_creation_win_hktl_silenttrinity_stager", "description": "Detects SILENTTRINITY stager use via PE metadata\n", "label": "HackTool - SILENTTRINITY Stager Execution", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_hktl_sliver_c2_execution_pattern": { "name": "sigmahq/proc_creation_win_hktl_sliver_c2_execution_pattern", "description": "Detects process activity patterns as seen being used by Sliver C2 framework implants\n", "label": "HackTool - Sliver C2 Implant Activity Pattern", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_hktl_stracciatella_execution": { "name": "sigmahq/proc_creation_win_hktl_stracciatella_execution", "description": "Detects Stracciatella which executes a Powershell runspace from within C# (aka SharpPick technique) with AMSI, ETW and Script Block Logging disabled based on PE metadata characteristics.\n", "label": "HackTool - Stracciatella Execution", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_hktl_sysmoneop": { "name": "sigmahq/proc_creation_win_hktl_sysmoneop", "description": "Detects the execution of the PoC that can be used to exploit Sysmon CVE-2022-41120\n", "label": "HackTool - SysmonEOP 
Execution", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_hktl_trufflesnout": { "name": "sigmahq/proc_creation_win_hktl_trufflesnout", "description": "Detects the use of TruffleSnout.exe an iterative AD discovery toolkit for offensive operators, situational awareness and targeted low noise enumeration.\n", "label": "HackTool - TruffleSnout Execution", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_hktl_uacme": { "name": "sigmahq/proc_creation_win_hktl_uacme", "description": "Detects the execution of UACMe, a tool used for UAC bypasses, via default PE metadata\n", "label": "HackTool - UACMe Akagi Execution", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_hktl_wce": { "name": "sigmahq/proc_creation_win_hktl_wce", "description": "Detects the use of Windows Credential Editor (WCE)\n", "label": "HackTool - Windows Credential Editor (WCE) Execution", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_hktl_winpeas": { "name": "sigmahq/proc_creation_win_hktl_winpeas", "description": "WinPEAS is a script that search for possible paths to escalate privileges on Windows hosts. 
The checks are explained on book.hacktricks.xyz\n", "label": "HackTool - winPEAS Execution", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_hktl_winpwn": { "name": "sigmahq/proc_creation_win_hktl_winpwn", "description": "Detects commandline keywords indicative of potential usage of the tool WinPwn, a tool for Windows and Active Directory reconnaissance and exploitation.\n", "label": "HackTool - WinPwn Execution", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_hktl_wmiexec_default_powershell": { "name": "sigmahq/proc_creation_win_hktl_wmiexec_default_powershell", "description": "Detects the execution of PowerShell with a specific flag sequence that is used by the Wmiexec script\n", "label": "HackTool - Wmiexec Default Powershell Command", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_hktl_xordump": { "name": "sigmahq/proc_creation_win_hktl_xordump", "description": "Detects suspicious use of XORDump process memory dumping utility\n", "label": "HackTool - XORDump Execution", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_hwp_exploits": { "name": "sigmahq/proc_creation_win_hwp_exploits", "description": "Detects suspicious Hangul Word Processor (Hanword) sub processes that could indicate an exploitation\n", "label": "Suspicious HWP Sub Processes", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_ieexec_download": { "name": 
"sigmahq/proc_creation_win_ieexec_download", "description": "Detects execution of the IEExec utility to download and execute files\n", "label": "File Download And Execution Via IEExec.EXE", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_iis_appcmd_http_logging": { "name": "sigmahq/proc_creation_win_iis_appcmd_http_logging", "description": "Disables HTTP logging on a Windows IIS web server as seen by Threat Group 3390 (Bronze Union)\n", "label": "Disable Windows IIS HTTP Logging", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_iis_appcmd_service_account_password_dumped": { "name": "sigmahq/proc_creation_win_iis_appcmd_service_account_password_dumped", "description": "Detects the Internet Information Services (IIS) command-line tool, AppCmd, being used to list passwords\n", "label": "Microsoft IIS Service Account Password Dumped", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_iis_connection_strings_decryption": { "name": "sigmahq/proc_creation_win_iis_connection_strings_decryption", "description": "Detects use of aspnet_regiis to decrypt Microsoft IIS connection strings. 
An attacker with Microsoft IIS web server access via a webshell or alike can decrypt and dump any hardcoded connection strings, such as the MSSQL service account password using aspnet_regiis command.\n", "label": "Microsoft IIS Connection Strings Decryption", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_iis_susp_module_registration": { "name": "sigmahq/proc_creation_win_iis_susp_module_registration", "description": "Detects a suspicious IIS module registration as described in Microsoft threat report on IIS backdoors\n", "label": "Suspicious IIS Module Registration", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_imagingdevices_unusual_parents": { "name": "sigmahq/proc_creation_win_imagingdevices_unusual_parents", "description": "Detects unusual parent or children of the ImagingDevices.exe (Windows Contacts) process as seen being used with Bumblebee activity\n", "label": "ImagingDevices Unusual Parent/Child Processes", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_imewbdld_download": { "name": "sigmahq/proc_creation_win_imewbdld_download", "description": "Detects usage of \"IMEWDBLD.exe\" to download arbitrary files\n", "label": "Arbitrary File Download Via IMEWDBLD.EXE", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_java_keytool_susp_child_process": { "name": "sigmahq/proc_creation_win_java_keytool_susp_child_process", "description": "Detects suspicious shell spawn from Java utility keytool process (e.g. 
adselfservice plus exploitation)\n", "label": "Suspicious Shells Spawn by Java Utility Keytool", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_java_manageengine_susp_child_process": { "name": "sigmahq/proc_creation_win_java_manageengine_susp_child_process", "description": "Detects suspicious child processes of the \"Manage Engine ServiceDesk Plus\" Java web service\n", "label": "Suspicious Child Process Of Manage Engine ServiceDesk", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_kavremover_uncommon_execution": { "name": "sigmahq/proc_creation_win_kavremover_uncommon_execution", "description": "Detects the execution of a signed binary dropped by Kaspersky Lab Products Remover (kavremover) which can be abused as a LOLBIN to execute arbitrary commands and binaries.\n", "label": "Kavremover Dropped Binary LOLBIN Usage", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_logman_disable_eventlog": { "name": "sigmahq/proc_creation_win_logman_disable_eventlog", "description": "Detects the execution of \"logman\" utility in order to disable or delete Windows trace sessions\n", "label": "Suspicious Windows Trace ETW Session Tamper Via Logman.EXE", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_lolbin_devtoolslauncher": { "name": "sigmahq/proc_creation_win_lolbin_devtoolslauncher", "description": "The Devtoolslauncher.exe executes other binary\n", "label": "Devtoolslauncher.exe Executes Specified Binary", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, 
"service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_lolbin_manage_bde": { "name": "sigmahq/proc_creation_win_lolbin_manage_bde", "description": "Detects potential abuse of the \"manage-bde.wsf\" script as a LOLBIN to proxy execution\n", "label": "Potential Manage-bde.wsf Abuse To Proxy Execution", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_lolbin_mavinject_process_injection": { "name": "sigmahq/proc_creation_win_lolbin_mavinject_process_injection", "description": "Detects process injection using the signed Windows tool \"Mavinject\" via the \"INJECTRUNNING\" flag\n", "label": "Mavinject Inject DLL Into Running Process", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_lolbin_mpiexec": { "name": "sigmahq/proc_creation_win_lolbin_mpiexec", "description": "Detects a certain command line flag combination used by mpiexec.exe LOLBIN from HPC pack that can be used to execute any other binary\n", "label": "MpiExec Lolbin", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_lolbin_msdt_answer_file": { "name": "sigmahq/proc_creation_win_lolbin_msdt_answer_file", "description": "Detects execution of \"msdt.exe\" using an answer file which is simulating the legitimate way of calling msdt via \"pcwrun.exe\" (For example from the compatibility tab)\n", "label": "Execute MSDT Via Answer File", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_lolbin_openwith": { "name": "sigmahq/proc_creation_win_lolbin_openwith", "description": "The OpenWith.exe executes 
other binary\n", "label": "OpenWith.exe Executes Specified Binary", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_lolbin_pcwrun_follina": { "name": "sigmahq/proc_creation_win_lolbin_pcwrun_follina", "description": "Detects indirect command execution via Program Compatibility Assistant \"pcwrun.exe\" leveraging the follina (CVE-2022-30190) vulnerability\n", "label": "Execute Pcwrun.EXE To Leverage Follina", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_lolbin_printbrm": { "name": "sigmahq/proc_creation_win_lolbin_printbrm", "description": "Detects the execution of the LOLBIN PrintBrm.exe, which can be used to create or extract ZIP files. PrintBrm.exe should not be run on a normal workstation.\n", "label": "PrintBrm ZIP Creation or Extraction", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_lolbin_settingsynchost": { "name": "sigmahq/proc_creation_win_lolbin_settingsynchost", "description": "Detects using SettingSyncHost.exe to run a hijacked binary\n", "label": "Using SettingSyncHost.exe as LOLBin", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_lolbin_susp_certreq_download": { "name": "sigmahq/proc_creation_win_lolbin_susp_certreq_download", "description": "Detects a suspicious certreq execution taken from the LOLBAS examples, which can be abused to download (small) files\n", "label": "Suspicious Certreq Command to Download", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, 
"sigmahq/proc_creation_win_lolbin_susp_grpconv": { "name": "sigmahq/proc_creation_win_lolbin_susp_grpconv", "description": "Detects the suspicious execution of a utility to convert Windows 3.x .grp files or for persistence purposes by malicious software or actors\n", "label": "Suspicious GrpConv Execution", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_lolbin_tttracer_mod_load": { "name": "sigmahq/proc_creation_win_lolbin_tttracer_mod_load", "description": "Detects usage of Time Travel Debugging Utility. Adversaries can execute malicious processes and dump processes, such as lsass.exe, via tttracer.exe.\n", "label": "Time Travel Debugging Utility Usage", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_lolbin_visual_basic_compiler": { "name": "sigmahq/proc_creation_win_lolbin_visual_basic_compiler", "description": "Detects successful code compilation via Visual Basic Command Line Compiler that utilizes Windows Resource to Object Converter.\n", "label": "Visual Basic Command Line Compiler Usage", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_lsass_process_clone": { "name": "sigmahq/proc_creation_win_lsass_process_clone", "description": "Detects a suspicious LSASS process process clone that could be a sign of credential dumping activity\n", "label": "Potential Credential Dumping Via LSASS Process Clone", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_mmc_mmc20_lateral_movement": { "name": "sigmahq/proc_creation_win_mmc_mmc20_lateral_movement", "description": "Detects 
MMC20.Application Lateral Movement; specifically looks for the spawning of the parent MMC.exe with a command line of \"-Embedding\" as a child of svchost.exe\n", "label": "MMC20 Lateral Movement", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_mmc_susp_child_process": { "name": "sigmahq/proc_creation_win_mmc_susp_child_process", "description": "Detects a Windows command line executable started from MMC\n", "label": "MMC Spawning Windows Shell", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_mofcomp_execution": { "name": "sigmahq/proc_creation_win_mofcomp_execution", "description": "Detects execution of the \"mofcomp\" utility as a child of a suspicious shell or script running utility or by having a suspicious path in the commandline. The \"mofcomp\" utility parses a file containing MOF statements and adds the classes and class instances defined in the file to the WMI repository. 
Attackers abuse this utility to install malicious MOF scripts \n", "label": "Potential Suspicious Mofcomp Execution", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_mpcmdrun_dll_sideload_defender": { "name": "sigmahq/proc_creation_win_mpcmdrun_dll_sideload_defender", "description": "Detects potential sideloading of \"mpclient.dll\" by Windows Defender processes (\"MpCmdRun\" and \"NisSrv\") from their non-default directory.\n", "label": "Potential Mpclient.DLL Sideloading Via Defender Binaries", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_mpcmdrun_download_arbitrary_file": { "name": "sigmahq/proc_creation_win_mpcmdrun_download_arbitrary_file", "description": "Detects the use of Windows Defender MpCmdRun.EXE to download files\n", "label": "File Download Via Windows Defender MpCmpRun.EXE", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_mpcmdrun_remove_windows_defender_definition": { "name": "sigmahq/proc_creation_win_mpcmdrun_remove_windows_defender_definition", "description": "Adversaries may disable security tools to avoid possible detection of their tools and activities by removing Windows Defender Definition Files\n", "label": "Windows Defender Definition Files Removed", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_msdt_arbitrary_command_execution": { "name": "sigmahq/proc_creation_win_msdt_arbitrary_command_execution", "description": "Detects processes leveraging the \"ms-msdt\" handler or the \"msdt.exe\" binary to execute arbitrary commands as seen in the follina 
(CVE-2022-30190) vulnerability\n", "label": "Potential Arbitrary Command Execution Using Msdt.EXE", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_msdt_susp_parent": { "name": "sigmahq/proc_creation_win_msdt_susp_parent", "description": "Detects msdt.exe executed by a suspicious parent as seen in CVE-2022-30190 / Follina exploitation\n", "label": "Suspicious MSDT Parent Process", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_mshta_http": { "name": "sigmahq/proc_creation_win_mshta_http", "description": "Detects execution of the \"mshta\" utility with an argument containing the \"http\" keyword, which could indicate that an attacker is executing a remotely hosted malicious hta file\n", "label": "Remotely Hosted HTA File Executed Via Mshta.EXE", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_mshta_javascript": { "name": "sigmahq/proc_creation_win_mshta_javascript", "description": "Detects execution of javascript code using \"mshta.exe\".\n", "label": "Suspicious JavaScript Execution Via Mshta.EXE", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_mshta_lethalhta_technique": { "name": "sigmahq/proc_creation_win_mshta_lethalhta_technique", "description": "Detects potential LethalHTA technique where the \"mshta.exe\" is spawned by an \"svchost.exe\" process\n", "label": "Potential LethalHTA Technique Execution", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, 
"sigmahq/proc_creation_win_mshta_susp_child_processes": { "name": "sigmahq/proc_creation_win_mshta_susp_child_processes", "description": "Detects a suspicious process spawning from an \"mshta.exe\" process, which could be indicative of a malicious HTA script execution\n", "label": "Suspicious MSHTA Child Process", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_mshta_susp_execution": { "name": "sigmahq/proc_creation_win_mshta_susp_execution", "description": "Detection for mshta.exe suspicious execution patterns sometimes involving file polyglotism\n", "label": "MSHTA Suspicious Execution 01", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_mshta_susp_pattern": { "name": "sigmahq/proc_creation_win_mshta_susp_pattern", "description": "Detects suspicious mshta process execution patterns\n", "label": "Suspicious Mshta.EXE Execution Patterns", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_msiexec_masquerading": { "name": "sigmahq/proc_creation_win_msiexec_masquerading", "description": "Detects the execution of msiexec.exe from an uncommon directory\n", "label": "Potential MsiExec Masquerading", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_msra_process_injection": { "name": "sigmahq/proc_creation_win_msra_process_injection", "description": "Detects potential process injection via Microsoft Remote Asssistance (Msra.exe) by looking at suspicious child processes spawned from the aforementioned process. 
It has been a target used by many threat actors and used for discovery and persistence tactics\n", "label": "Potential Process Injection Via Msra.EXE", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_mssql_susp_child_process": { "name": "sigmahq/proc_creation_win_mssql_susp_child_process", "description": "Detects suspicious child processes of the SQLServer process. This could indicate potential RCE or SQL Injection.\n", "label": "Suspicious Child Process Of SQL Server", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_mssql_veaam_susp_child_processes": { "name": "sigmahq/proc_creation_win_mssql_veaam_susp_child_processes", "description": "Detects suspicious child processes of the Veeam service process. This could indicate potential RCE or SQL Injection.\n", "label": "Suspicious Child Process Of Veeam Database", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_mstsc_rdp_hijack_shadowing": { "name": "sigmahq/proc_creation_win_mstsc_rdp_hijack_shadowing", "description": "Detects RDP session hijacking by using MSTSC shadowing\n", "label": "Potential MSTSC Shadowing Activity", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_mstsc_run_local_rdp_file_susp_location": { "name": "sigmahq/proc_creation_win_mstsc_run_local_rdp_file_susp_location", "description": "Detects potential RDP connection via Mstsc using a local \".rdp\" file located in suspicious locations.\n", "label": "Suspicious Mstsc.EXE Execution With Local RDP File", "behaviors": [], "mitre_attacks": [], "confidence": 1, 
"spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_mstsc_run_local_rpd_file_susp_parent": { "name": "sigmahq/proc_creation_win_mstsc_run_local_rpd_file_susp_parent", "description": "Detects potential RDP connection via Mstsc using a local \".rdp\" file located in suspicious locations.\n", "label": "Mstsc.EXE Execution From Uncommon Parent", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_msxsl_remote_execution": { "name": "sigmahq/proc_creation_win_msxsl_remote_execution", "description": "Detects the execution of the \"msxsl\" binary with an \"http\" keyword in the command line. This might indicate a potential remote execution of XSL files.\n", "label": "Remote XSL Execution Via Msxsl.EXE", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_net_use_mount_internet_share": { "name": "sigmahq/proc_creation_win_net_use_mount_internet_share", "description": "Detects when an internet hosted webdav share is mounted using the \"net.exe\" utility\n", "label": "Windows Internet Hosted WebDav Share Mount Via Net.EXE", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_net_user_add_never_expire": { "name": "sigmahq/proc_creation_win_net_user_add_never_expire", "description": "Detects creation of local users via the net.exe command with the option \"never expire\"\n", "label": "New User Created Via Net.EXE With Never Expire Option", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_net_user_default_accounts_manipulation": { "name": 
"sigmahq/proc_creation_win_net_user_default_accounts_manipulation", "description": "Detects suspicious manipulations of default accounts such as 'administrator' and 'guest'. For example 'enable' or 'disable' accounts or change the password...etc\n", "label": "Suspicious Manipulation Of Default Accounts Via Net.EXE", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_netsh_fw_allow_program_in_susp_location": { "name": "sigmahq/proc_creation_win_netsh_fw_allow_program_in_susp_location", "description": "Detects Netsh command execution that whitelists a program located in a suspicious location in the Windows Firewall\n", "label": "Suspicious Program Location Whitelisted In Firewall Via Netsh.EXE", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_netsh_fw_allow_rdp": { "name": "sigmahq/proc_creation_win_netsh_fw_allow_rdp", "description": "Detects usage of the netsh command to open and allow connections to port 3389 (RDP). 
As seen used by Sarwent Malware\n", "label": "RDP Connection Allowed Via Netsh.EXE", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_netsh_port_forwarding_3389": { "name": "sigmahq/proc_creation_win_netsh_port_forwarding_3389", "description": "Detects the execution of netsh to configure a port forwarding of port 3389 (RDP) rule\n", "label": "RDP Port Forwarding Rule Added Via Netsh.EXE", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_node_abuse": { "name": "sigmahq/proc_creation_win_node_abuse", "description": "Detects the execution node.exe which is shipped with multiple software such as VMware, Adobe...etc. In order to execute arbitrary code. For example to establish reverse shell as seen in Log4j attacks...etc\n", "label": "Potential Arbitrary Code Execution Via Node.EXE", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_nslookup_domain_discovery": { "name": "sigmahq/proc_creation_win_nslookup_domain_discovery", "description": "Detects a set of suspicious network related commands often used in recon stages\n", "label": "Network Reconnaissance Activity", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_odbcconf_driver_install_susp": { "name": "sigmahq/proc_creation_win_odbcconf_driver_install_susp", "description": "Detects execution of \"odbcconf\" with the \"INSTALLDRIVER\" action where the driver doesn't contain a \".dll\" extension. 
This is often used as a defense evasion method.\n", "label": "Suspicious Driver/DLL Installation Via Odbcconf.EXE", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_odbcconf_exec_susp_locations": { "name": "sigmahq/proc_creation_win_odbcconf_exec_susp_locations", "description": "Detects execution of \"odbcconf\" where the path of the DLL being registered is located in a potentially suspicious location.\n", "label": "Odbcconf.EXE Suspicious DLL Location", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_odbcconf_register_dll_regsvr_susp": { "name": "sigmahq/proc_creation_win_odbcconf_register_dll_regsvr_susp", "description": "Detects execution of \"odbcconf\" with the \"REGSVR\" action where the DLL in question doesn't contain a \".dll\" extension. 
Which is often used as a method to evade defenses.\n", "label": "Potentially Suspicious DLL Registered Via Odbcconf.EXE", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_office_arbitrary_cli_download": { "name": "sigmahq/proc_creation_win_office_arbitrary_cli_download", "description": "Detects potential arbitrary file download using a Microsoft Office application\n", "label": "Potential Arbitrary File Download Using Office Application", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_office_excel_dcom_lateral_movement": { "name": "sigmahq/proc_creation_win_office_excel_dcom_lateral_movement", "description": "Detects suspicious child processes of Excel which could be an indicator of lateral movement leveraging the \"ActivateMicrosoftApp\" Excel DCOM object. \n", "label": "Potential Excel.EXE DCOM Lateral Movement Via ActivateMicrosoftApp", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_office_exec_from_trusted_locations": { "name": "sigmahq/proc_creation_win_office_exec_from_trusted_locations", "description": "Detects the execution of an Office application that points to a document that is located in a trusted location. 
Attackers often used this to avoid macro security and execute their malicious code.\n", "label": "Potentially Suspicious Office Document Executed From Trusted Location", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_office_onenote_embedded_script_execution": { "name": "sigmahq/proc_creation_win_office_onenote_embedded_script_execution", "description": "Detects the execution of malicious OneNote documents that contain embedded scripts. When a user clicks on a OneNote attachment and then on the malicious link inside the \".one\" file, it exports and executes the malicious embedded script from specific directories. \n", "label": "OneNote.EXE Execution of Malicious Embedded Scripts", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_office_onenote_susp_child_processes": { "name": "sigmahq/proc_creation_win_office_onenote_susp_child_processes", "description": "Detects suspicious child processes of the Microsoft OneNote application. 
This may indicate an attempt to execute malicious embedded objects from a .one file.\n", "label": "Suspicious Microsoft OneNote Child Process", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_office_outlook_enable_unsafe_client_mail_rules": { "name": "sigmahq/proc_creation_win_office_outlook_enable_unsafe_client_mail_rules", "description": "Detects an attacker trying to enable the outlook security setting \"EnableUnsafeClientMailRules\" which allows outlook to run applications or execute macros\n", "label": "Outlook EnableUnsafeClientMailRules Setting Enabled", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_office_outlook_execution_from_temp": { "name": "sigmahq/proc_creation_win_office_outlook_execution_from_temp", "description": "Detects a suspicious program execution in Outlook temp folder\n", "label": "Suspicious Execution From Outlook Temporary Folder", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_office_outlook_susp_child_processes": { "name": "sigmahq/proc_creation_win_office_outlook_susp_child_processes", "description": "Detects a suspicious process spawning from an Outlook process.\n", "label": "Suspicious Outlook Child Process", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_office_outlook_susp_child_processes_remote": { "name": "sigmahq/proc_creation_win_office_outlook_susp_child_processes_remote", "description": "Detects a suspicious child process spawning from Outlook where the image is located in a remote location (SMB/WebDav shares).\n", "label": "Suspicious 
Remote Child Process From Outlook", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_office_spawn_exe_from_users_directory": { "name": "sigmahq/proc_creation_win_office_spawn_exe_from_users_directory", "description": "Detects an executable in the users directory started from one of the Microsoft Office suite applications (Word, Excel, PowerPoint, Publisher, Visio)\n", "label": "Suspicious Binary In User Directory Spawned From Office Application", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_office_susp_child_processes": { "name": "sigmahq/proc_creation_win_office_susp_child_processes", "description": "Detects a suspicious process spawning from one of the Microsoft Office suite products (Word, Excel, PowerPoint, Publisher, Visio, etc.)\n", "label": "Suspicious Microsoft Office Child Process", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_ping_hex_ip": { "name": "sigmahq/proc_creation_win_ping_hex_ip", "description": "Detects a ping command that uses a hex encoded IP address\n", "label": "Ping Hex IP", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_plink_port_forwarding": { "name": "sigmahq/proc_creation_win_plink_port_forwarding", "description": "Detects suspicious Plink tunnel port forwarding to a local port\n", "label": "Suspicious Plink Port Forwarding", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_plink_susp_tunneling": { "name": 
"sigmahq/proc_creation_win_plink_susp_tunneling", "description": "Execution of plink to perform data exfiltration and tunneling\n", "label": "Potential RDP Tunneling Via Plink", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_powershell_aadinternals_cmdlets_execution": { "name": "sigmahq/proc_creation_win_powershell_aadinternals_cmdlets_execution", "description": "Detects AADInternals Cmdlet execution. A tool for administering Azure AD and Office 365, which can be abused by threat actors to attack Azure AD or Office 365.\n", "label": "AADInternals PowerShell Cmdlets Execution - ProcessCreation", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_powershell_amsi_init_failed_bypass": { "name": "sigmahq/proc_creation_win_powershell_amsi_init_failed_bypass", "description": "Detects Request to \"amsiInitFailed\" that can be used to disable AMSI Scanning\n", "label": "Potential AMSI Bypass Via .NET Reflection", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_powershell_base64_encoded_cmd": { "name": "sigmahq/proc_creation_win_powershell_base64_encoded_cmd", "description": "Detects suspicious powershell process starts with base64 encoded commands (e.g. 
Emotet)\n", "label": "Suspicious Encoded PowerShell Command Line", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_powershell_base64_encoded_cmd_patterns": { "name": "sigmahq/proc_creation_win_powershell_base64_encoded_cmd_patterns", "description": "Detects PowerShell command line patterns in combination with encoded commands that often appear in malware infection chains\n", "label": "Suspicious PowerShell Encoded Command Patterns", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_powershell_base64_encoded_obfusc": { "name": "sigmahq/proc_creation_win_powershell_base64_encoded_obfusc", "description": "Detects suspicious UTF16 and base64 encoded and often obfuscated PowerShell code often used in command lines\n", "label": "Suspicious Obfuscated PowerShell Code", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_powershell_base64_frombase64string": { "name": "sigmahq/proc_creation_win_powershell_base64_frombase64string", "description": "Detects usage of a base64 encoded \"FromBase64String\" cmdlet in a process command line\n", "label": "PowerShell Base64 Encoded FromBase64String Cmdlet", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_powershell_base64_hidden_flag": { "name": "sigmahq/proc_creation_win_powershell_base64_hidden_flag", "description": "Detects base64 encoded strings used in hidden malicious PowerShell command lines\n", "label": "Malicious Base64 Encoded PowerShell Keywords in Command Lines", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": 
true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_powershell_base64_iex": { "name": "sigmahq/proc_creation_win_powershell_base64_iex", "description": "Detects usage of a base64 encoded \"IEX\" cmdlet in a process command line\n", "label": "PowerShell Base64 Encoded IEX Cmdlet", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_powershell_base64_invoke": { "name": "sigmahq/proc_creation_win_powershell_base64_invoke", "description": "Detects UTF-8 and UTF-16 Base64 encoded powershell 'Invoke-' calls\n", "label": "PowerShell Base64 Encoded Invoke Keyword", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_powershell_base64_mppreference": { "name": "sigmahq/proc_creation_win_powershell_base64_mppreference", "description": "Detects base64 encoded \"MpPreference\" PowerShell cmdlet code that tries to modify or tamper with Windows Defender AV\n", "label": "Powershell Base64 Encoded MpPreference Cmdlet", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_powershell_base64_reflection_assembly_load": { "name": "sigmahq/proc_creation_win_powershell_base64_reflection_assembly_load", "description": "Detects base64 encoded .NET reflective loading of Assembly\n", "label": "PowerShell Base64 Encoded Reflective Assembly Load", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_powershell_base64_reflection_assembly_load_obfusc": { "name": "sigmahq/proc_creation_win_powershell_base64_reflection_assembly_load_obfusc", "description": "Detects suspicious base64 
encoded and obfuscated \"LOAD\" keyword used in .NET \"reflection.assembly\"\n", "label": "Suspicious Encoded And Obfuscated Reflection Assembly Load Function Call", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_powershell_base64_wmi_classes": { "name": "sigmahq/proc_creation_win_powershell_base64_wmi_classes", "description": "Detects calls to base64 encoded WMI class such as \"Win32_ShadowCopy\", \"Win32_ScheduledJob\", etc.\n", "label": "PowerShell Base64 Encoded WMI Classes", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_powershell_cmdline_reversed_strings": { "name": "sigmahq/proc_creation_win_powershell_cmdline_reversed_strings", "description": "Detects the presence of reversed PowerShell commands in the CommandLine. This is often used as a method of obfuscation by attackers\n", "label": "Potential PowerShell Obfuscation Via Reversed Commands", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_powershell_cmdline_special_characters": { "name": "sigmahq/proc_creation_win_powershell_cmdline_special_characters", "description": "Detects the PowerShell command lines with special characters\n", "label": "Potential PowerShell Command Line Obfuscation", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_powershell_decrypt_pattern": { "name": "sigmahq/proc_creation_win_powershell_decrypt_pattern", "description": "Detects PowerShell commands that decrypt an \".LNK\" file to drop the next stage of the malware.\n", "label": "PowerShell Execution With Potential Decryption Capabilities", 
"behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_powershell_defender_disable_feature": { "name": "sigmahq/proc_creation_win_powershell_defender_disable_feature", "description": "Detects requests to disable Microsoft Defender features using PowerShell commands\n", "label": "Powershell Defender Disable Scan Feature", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_powershell_disable_defender_av_security_monitoring": { "name": "sigmahq/proc_creation_win_powershell_disable_defender_av_security_monitoring", "description": "Detects attackers attempting to disable Windows Defender using Powershell\n", "label": "Disable Windows Defender AV Security Monitoring", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_powershell_disable_ie_features": { "name": "sigmahq/proc_creation_win_powershell_disable_ie_features", "description": "Detects command lines that indicate unwanted modifications to registry keys that disable important Internet Explorer security features\n", "label": "Disabled IE Security Features", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_powershell_download_cradle_obfuscated": { "name": "sigmahq/proc_creation_win_powershell_download_cradle_obfuscated", "description": "Detects the execution of a specific OneLiner to download and execute powershell modules in memory.\n", "label": "Obfuscated PowerShell OneLiner Execution", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, 
"sigmahq/proc_creation_win_powershell_download_iex": { "name": "sigmahq/proc_creation_win_powershell_download_iex", "description": "Detects PowerShell download and execution cradles.\n", "label": "PowerShell Download and Execution Cradles", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_powershell_email_exfil": { "name": "sigmahq/proc_creation_win_powershell_email_exfil", "description": "Detects email exfiltration via powershell cmdlets\n", "label": "Email Exfiltration Via Powershell", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_powershell_frombase64string": { "name": "sigmahq/proc_creation_win_powershell_frombase64string", "description": "Detects usage of the \"FromBase64String\" function in the commandline which is used to decode a base64 encoded string\n", "label": "Base64 Encoded PowerShell Command Detected", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_powershell_getprocess_lsass": { "name": "sigmahq/proc_creation_win_powershell_getprocess_lsass", "description": "Detects a \"Get-Process\" cmdlet and its aliases on lsass process, which is in almost all cases a sign of malicious activity\n", "label": "PowerShell Get-Process LSASS", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_powershell_hide_services_via_set_service": { "name": "sigmahq/proc_creation_win_powershell_hide_services_via_set_service", "description": "Detects usage of the \"Set-Service\" powershell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such 
as \"sc.exe\", \"Get-Service\"...etc. (Works only in powershell 7)\n", "label": "Abuse of Service Permissions to Hide Services Via Set-Service", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_powershell_iex_patterns": { "name": "sigmahq/proc_creation_win_powershell_iex_patterns", "description": "Detects suspicious ways to run Invoke-Expression using the IEX alias\n", "label": "Suspicious PowerShell IEX Execution Patterns", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_powershell_import_cert_susp_locations": { "name": "sigmahq/proc_creation_win_powershell_import_cert_susp_locations", "description": "Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.\n", "label": "Root Certificate Installed From Susp Locations", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_powershell_mailboxexport_share": { "name": "sigmahq/proc_creation_win_powershell_mailboxexport_share", "description": "Detects usage of the powerShell New-MailboxExportRequest Cmdlet to export a mailbox to a remote or local share, as used in ProxyShell exploitations\n", "label": "Suspicious PowerShell Mailbox Export to Share", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_powershell_obfuscation_via_utf8": { "name": "sigmahq/proc_creation_win_powershell_obfuscation_via_utf8", "description": "Detects suspicious encoded character syntax often used for defense evasion\n", "label": "Potential PowerShell Obfuscation Via WCHAR", "behaviors": [], 
"mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_powershell_public_folder": { "name": "sigmahq/proc_creation_win_powershell_public_folder", "description": "This rule detects execution of PowerShell scripts located in the \"C:\\Users\\Public\" folder\n", "label": "Execution of Powershell Script in Public Folder", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_powershell_remotefxvgpudisablement_abuse": { "name": "sigmahq/proc_creation_win_powershell_remotefxvgpudisablement_abuse", "description": "Detects calls to the AtomicTestHarnesses \"Invoke-ATHRemoteFXvGPUDisablementCommand\" which is designed to abuse the \"RemoteFXvGPUDisablement.exe\" binary to run custom PowerShell code via module load-order hijacking.\n", "label": "RemoteFXvGPUDisablement Abuse Via AtomicTestHarnesses", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_powershell_remove_mppreference": { "name": "sigmahq/proc_creation_win_powershell_remove_mppreference", "description": "Detects attempts to remove Windows Defender configurations using the 'MpPreference' cmdlet\n", "label": "Tamper Windows Defender Remove-MpPreference", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_powershell_reverse_shell_connection": { "name": "sigmahq/proc_creation_win_powershell_reverse_shell_connection", "description": "Detects usage of the \"TcpClient\" class. Which can be abused to establish remote connections and reverse-shells. 
As seen used by the Nishang \"Invoke-PowerShellTcpOneLine\" reverse shell and others.\n", "label": "Potential Powershell ReverseShell Connection", "behaviors": [], "mitre_attacks": [], "confidence": 2, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_powershell_run_script_from_ads": { "name": "sigmahq/proc_creation_win_powershell_run_script_from_ads", "description": "Detects PowerShell script execution from Alternate Data Stream (ADS)\n", "label": "Run PowerShell Script from ADS", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_powershell_run_script_from_input_stream": { "name": "sigmahq/proc_creation_win_powershell_run_script_from_input_stream", "description": "Detects PowerShell script execution via input stream redirect\n", "label": "Run PowerShell Script from Redirected Input Stream", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_powershell_sam_access": { "name": "sigmahq/proc_creation_win_powershell_sam_access", "description": "Detects suspicious PowerShell scripts accessing SAM hives\n", "label": "PowerShell SAM Copy", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_powershell_service_dacl_modification_set_service": { "name": "sigmahq/proc_creation_win_powershell_service_dacl_modification_set_service", "description": "Detects suspicious DACL modifications via the \"Set-Service\" cmdlet using the \"SecurityDescriptorSddl\" flag (Only available with PowerShell 7) that can be used to hide services or make them unstoppable\n", "label": "Suspicious Service DACL Modification Via Set-Service Cmdlet", "behaviors": [], "mitre_attacks": 
[], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_powershell_set_acl": { "name": "sigmahq/proc_creation_win_powershell_set_acl", "description": "Detects PowerShell execution to set the ACL of a file or a folder\n", "label": "PowerShell Script Change Permission Via Set-Acl", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_powershell_set_acl_susp_location": { "name": "sigmahq/proc_creation_win_powershell_set_acl_susp_location", "description": "Detects PowerShell scripts to set the ACL to a file in the Windows folder\n", "label": "PowerShell Set-Acl On Windows Folder", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_powershell_shadowcopy_deletion": { "name": "sigmahq/proc_creation_win_powershell_shadowcopy_deletion", "description": "Detects deletion of Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. This technique is used by numerous ransomware families such as Sodinokibi/REvil\n", "label": "Deletion of Volume Shadow Copies via WMI with PowerShell", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_powershell_snapins_hafnium": { "name": "sigmahq/proc_creation_win_powershell_snapins_hafnium", "description": "Detects adding and using Exchange PowerShell snap-ins to export mailbox data. 
As seen used by HAFNIUM and APT27\n", "label": "Exchange PowerShell Snap-Ins Usage", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_powershell_susp_download_patterns": { "name": "sigmahq/proc_creation_win_powershell_susp_download_patterns", "description": "Detects suspicious PowerShell download patterns that are often used in malicious scripts, stagers or downloaders (make sure that your backend applies the strings case-insensitive)\n", "label": "Suspicious PowerShell Download and Execute Pattern", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_powershell_susp_parameter_variation": { "name": "sigmahq/proc_creation_win_powershell_susp_parameter_variation", "description": "Detects suspicious PowerShell invocation with a parameter substring\n", "label": "Suspicious PowerShell Parameter Substring", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_powershell_susp_parent_process": { "name": "sigmahq/proc_creation_win_powershell_susp_parent_process", "description": "Detects a suspicious or uncommon parent processes of PowerShell\n", "label": "Suspicious PowerShell Parent Process", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_powershell_susp_ps_downloadfile": { "name": "sigmahq/proc_creation_win_powershell_susp_ps_downloadfile", "description": "Detects the execution of powershell, a WebClient object creation and the invocation of DownloadFile in a single command line\n", "label": "PowerShell DownloadFile", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": 
true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_powershell_token_obfuscation": { "name": "sigmahq/proc_creation_win_powershell_token_obfuscation", "description": "Detects TOKEN OBFUSCATION technique from Invoke-Obfuscation\n", "label": "Powershell Token Obfuscation - Process Creation", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_powershell_webclient_casing": { "name": "sigmahq/proc_creation_win_powershell_webclient_casing", "description": "Detects PowerShell command line contents that include a suspicious abnormal casing in the Net.Webclient (e.g. nEt.WEbCliEnT) string as used in obfuscation techniques\n", "label": "Net WebClient Casing Anomalies", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_provlaunch_susp_child_process": { "name": "sigmahq/proc_creation_win_provlaunch_susp_child_process", "description": "Detects suspicious child processes of \"provlaunch.exe\" which might indicate potential abuse to proxy execution.\n", "label": "Suspicious Provlaunch.EXE Child Process", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_pua_3proxy_execution": { "name": "sigmahq/proc_creation_win_pua_3proxy_execution", "description": "Detects the use of 3proxy, a tiny free proxy server\n", "label": "PUA - 3Proxy Execution", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_pua_adfind_enumeration": { "name": "sigmahq/proc_creation_win_pua_adfind_enumeration", "description": "Detects active directory enumeration activity using known AdFind CLI 
flags\n", "label": "PUA - Suspicious ActiveDirectory Enumeration Via AdFind.EXE", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_pua_adfind_susp_usage": { "name": "sigmahq/proc_creation_win_pua_adfind_susp_usage", "description": "Detects AdFind execution with common flags seen used during attacks\n", "label": "PUA - AdFind Suspicious Execution", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_pua_advancedrun_priv_user": { "name": "sigmahq/proc_creation_win_pua_advancedrun_priv_user", "description": "Detects the execution of AdvancedRun utility in the context of the TrustedInstaller, SYSTEM, Local Service or Network Service accounts\n", "label": "PUA - AdvancedRun Suspicious Execution", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_pua_chisel": { "name": "sigmahq/proc_creation_win_pua_chisel", "description": "Detects usage of the Chisel tunneling tool via the commandline arguments\n", "label": "PUA - Chisel Tunneling Tool Execution", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_pua_cleanwipe": { "name": "sigmahq/proc_creation_win_pua_cleanwipe", "description": "Detects the use of CleanWipe a tool usually used to delete Symantec antivirus.\n", "label": "PUA - CleanWipe Execution", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_pua_crassus": { "name": "sigmahq/proc_creation_win_pua_crassus", "description": "Detects Crassus, a Windows privilege 
escalation discovery tool, based on PE metadata characteristics.\n", "label": "PUA - Crassus Execution", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_pua_csexec": { "name": "sigmahq/proc_creation_win_pua_csexec", "description": "Detects the use of the lesser known remote execution tool named CsExec a PsExec alternative\n", "label": "PUA - CsExec Execution", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_pua_defendercheck": { "name": "sigmahq/proc_creation_win_pua_defendercheck", "description": "Detects the use of DefenderCheck, a tool to evaluate the signatures used in Microsoft Defender. It can be used to figure out the strings / byte chains used in Microsoft Defender to detect a tool and thus used for AV evasion.\n", "label": "PUA - DefenderCheck Execution", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_pua_ditsnap": { "name": "sigmahq/proc_creation_win_pua_ditsnap", "description": "Detects the use of Ditsnap tool, an inspection tool for Active Directory database, ntds.dit.\n", "label": "PUA - DIT Snapshot Viewer", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_pua_frp": { "name": "sigmahq/proc_creation_win_pua_frp", "description": "Detects the use of Fast Reverse Proxy. 
frp is a fast reverse proxy to help you expose a local server behind a NAT or firewall to the Internet.\n", "label": "PUA - Fast Reverse Proxy (FRP) Execution", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_pua_iox": { "name": "sigmahq/proc_creation_win_pua_iox", "description": "Detects the use of IOX - a tool for port forwarding and intranet proxy purposes\n", "label": "PUA- IOX Tunneling Tool Execution", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_pua_netcat": { "name": "sigmahq/proc_creation_win_pua_netcat", "description": "Detects execution of Netcat. Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network\n", "label": "PUA - Netcat Suspicious Execution", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_pua_ngrok": { "name": "sigmahq/proc_creation_win_pua_ngrok", "description": "Detects the use of Ngrok, a utility used for port forwarding and tunneling, often used by threat actors to make local protected services publicly available. Involved domains are bin.equinox.io for download and *.ngrok.io for connections. 
\n", "label": "PUA - Ngrok Execution", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_pua_nimgrab": { "name": "sigmahq/proc_creation_win_pua_nimgrab", "description": "Detects the usage of nimgrab, a tool bundled with the Nim programming framework and used for downloading files.\n", "label": "PUA - Nimgrab Execution", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_pua_nircmd_as_system": { "name": "sigmahq/proc_creation_win_pua_nircmd_as_system", "description": "Detects the use of NirCmd tool for command execution as SYSTEM user\n", "label": "PUA - NirCmd Execution As LOCAL SYSTEM", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_pua_nps": { "name": "sigmahq/proc_creation_win_pua_nps", "description": "Detects the use of NPS, a port forwarding and intranet penetration proxy server\n", "label": "PUA - NPS Tunneling Tool Execution", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_pua_nsudo": { "name": "sigmahq/proc_creation_win_pua_nsudo", "description": "Detects the use of NSudo tool for command execution\n", "label": "PUA - NSudo Execution", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_pua_rclone_execution": { "name": "sigmahq/proc_creation_win_pua_rclone_execution", "description": "Detects execution of RClone utility for exfiltration as used by various ransomwares strains like REvil, Conti, FiveHands, etc\n", "label": "PUA - Rclone Execution", 
"behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_pua_runxcmd": { "name": "sigmahq/proc_creation_win_pua_runxcmd", "description": "Detects the use of the RunXCmd tool to execute commands with System or TrustedInstaller accounts\n", "label": "PUA - RunXCmd Execution", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_pua_seatbelt": { "name": "sigmahq/proc_creation_win_pua_seatbelt", "description": "Detects the execution of the PUA/Recon tool Seatbelt via PE information of command line parameters\n", "label": "PUA - Seatbelt Execution", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_pua_wsudo_susp_execution": { "name": "sigmahq/proc_creation_win_pua_wsudo_susp_execution", "description": "Detects usage of wsudo (Windows Sudo Utility). 
It is a tool that lets the user execute programs with different permissions (System, Trusted Installer, Administrator...etc)\n", "label": "PUA - Wsudo Suspicious Execution", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_python_pty_spawn": { "name": "sigmahq/proc_creation_win_python_pty_spawn", "description": "Detects python spawning a pretty tty\n", "label": "Python Spawning Pretty TTY on Windows", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_rar_compression_with_password": { "name": "sigmahq/proc_creation_win_rar_compression_with_password", "description": "Detects the use of rar.exe, on the command line, to create an archive with password protection or with a specific compression level. This is pretty indicative of malicious actions.\n", "label": "Rar Usage with Password and Compression Level", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_rar_susp_greedy_compression": { "name": "sigmahq/proc_creation_win_rar_susp_greedy_compression", "description": "Detects RAR usage that creates an archive from a suspicious folder, either a system folder or one of the folders often used by attackers for staging purposes\n", "label": "Suspicious Greedy Compression Using Rar.EXE", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_rdrleakdiag_process_dumping": { "name": "sigmahq/proc_creation_win_rdrleakdiag_process_dumping", "description": "Detects the use of the Microsoft Windows Resource Leak Diagnostic tool \"rdrleakdiag.exe\" to dump process memory\n", "label": "Process Memory Dump 
via RdrLeakDiag.EXE", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_reg_add_safeboot": { "name": "sigmahq/proc_creation_win_reg_add_safeboot", "description": "Detects execution of \"reg.exe\" commands with the \"add\" or \"copy\" flags on safe boot registry keys. Often used by attacker to allow the ransomware to work in safe mode as some security products do not\n", "label": "Add SafeBoot Keys Via Reg Utility", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_reg_bitlocker": { "name": "sigmahq/proc_creation_win_reg_bitlocker", "description": "Detects suspicious addition to BitLocker related registry keys via the reg.exe utility\n", "label": "Suspicious Reg Add BitLocker", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_reg_delete_safeboot": { "name": "sigmahq/proc_creation_win_reg_delete_safeboot", "description": "Detects execution of \"reg.exe\" commands with the \"delete\" flag on safe boot registry keys. Often used by attacker to prevent safeboot execution of security products\n", "label": "SafeBoot Registry Key Deleted Via Reg.EXE", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_reg_delete_services": { "name": "sigmahq/proc_creation_win_reg_delete_services", "description": "Detects execution of \"reg.exe\" commands with the \"delete\" flag on services registry key. 
Often used by attacker to remove AV software services\n", "label": "Service Registry Key Deleted Via Reg.EXE", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_reg_disable_sec_services": { "name": "sigmahq/proc_creation_win_reg_disable_sec_services", "description": "Detects execution of \"reg.exe\" to disable security services such as Windows Defender.\n", "label": "Security Service Disabled Via Reg.EXE", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_reg_dumping_sensitive_hives": { "name": "sigmahq/proc_creation_win_reg_dumping_sensitive_hives", "description": "Detects the usage of \"reg.exe\" in order to dump sensitive registry hives. This includes SAM, SYSTEM and SECURITY hives.\n", "label": "Dumping of Sensitive Hives Via Reg.EXE", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_reg_lsa_disable_restricted_admin": { "name": "sigmahq/proc_creation_win_reg_lsa_disable_restricted_admin", "description": "Detects changes to the \"DisableRestrictedAdmin\" registry value in order to disable or enable RestrictedAdmin mode. RestrictedAdmin mode prevents the transmission of reusable credentials to the remote system to which you connect using Remote Desktop. 
This prevents your credentials from being harvested during the initial connection process if the remote server has been compromised.\n", "label": "RestrictedAdminMode Registry Value Tampering - ProcCreation", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_reg_lsa_ppl_protection_disabled": { "name": "sigmahq/proc_creation_win_reg_lsa_ppl_protection_disabled", "description": "Detects the usage of the \"reg.exe\" utility to disable PPL protection on the LSA process\n", "label": "LSA PPL Protection Disabled Via Reg.EXE", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_reg_nolmhash": { "name": "sigmahq/proc_creation_win_reg_nolmhash", "description": "Detects changes to the \"NoLMHash\" registry value in order to allow Windows to store LM Hashes. By setting this registry value to \"0\" (DWORD), Windows will be allowed to store a LAN manager hash of your password in Active Directory and local SAM databases. 
\n", "label": "Enable LM Hash Storage - ProcCreation", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_reg_rdp_keys_tamper": { "name": "sigmahq/proc_creation_win_reg_rdp_keys_tamper", "description": "Detects the execution of \"reg.exe\" for enabling/disabling the RDP service on the host by tampering with the 'CurrentControlSet\\Control\\Terminal Server' values\n", "label": "Potential Tampering With RDP Related Registry Keys Via Reg.EXE", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_reg_susp_paths": { "name": "sigmahq/proc_creation_win_reg_susp_paths", "description": "Detects when an adversary uses the reg.exe utility to add or modify new keys or subkeys\n", "label": "Reg Add Suspicious Paths", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_reg_volsnap_disable": { "name": "sigmahq/proc_creation_win_reg_volsnap_disable", "description": "Detects commands that temporarily turn off Volume Snapshots\n", "label": "Disabled Volume Snapshots", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_reg_windows_defender_tamper": { "name": "sigmahq/proc_creation_win_reg_windows_defender_tamper", "description": "Detects the usage of \"reg.exe\" to tamper with different Windows Defender registry keys in order to disable some important features related to protection and detection\n", "label": "Suspicious Windows Defender Registry Key Tampering Via Reg.EXE", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" 
}, "sigmahq/proc_creation_win_regedit_export_critical_keys": { "name": "sigmahq/proc_creation_win_regedit_export_critical_keys", "description": "Detects the export of a critical Registry key to a file.\n", "label": "Exports Critical Registry Keys To a File", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_regedit_import_keys_ads": { "name": "sigmahq/proc_creation_win_regedit_import_keys_ads", "description": "Detects the import of an alternate data stream to the registry with regedit.exe.\n", "label": "Imports Registry Key From an ADS", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_regedit_trustedinstaller": { "name": "sigmahq/proc_creation_win_regedit_trustedinstaller", "description": "Detects a regedit started with TrustedInstaller privileges or by ProcessHacker.exe\n", "label": "Regedit as Trusted Installer", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_regini_ads": { "name": "sigmahq/proc_creation_win_regini_ads", "description": "Detects the import of an alternate data stream with regini.exe; regini.exe can be used to modify registry keys.\n", "label": "Suspicious Registry Modification From ADS Via Regini.EXE", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_registry_ie_security_zone_protocol_defaults_downgrade": { "name": "sigmahq/proc_creation_win_registry_ie_security_zone_protocol_defaults_downgrade", "description": "Detects changes to Internet Explorer's (IE / Windows Internet properties) ZoneMap configuration of the \"HTTP\" and \"HTTPS\" protocols to point to the \"My 
Computer\" zone. This allows downloaded files from the Internet to be granted the same level of trust as files stored locally. \n", "label": "IE ZoneMap Setting Downgraded To MyComputer Zone For HTTP Protocols Via CLI", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_registry_install_reg_debugger_backdoor": { "name": "sigmahq/proc_creation_win_registry_install_reg_debugger_backdoor", "description": "Detects the registration of a debugger for a program that is available in the logon screen (sticky key backdoor).\n", "label": "Suspicious Debugger Registration Cmdline", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_registry_logon_script": { "name": "sigmahq/proc_creation_win_registry_logon_script", "description": "Detects the addition of a new LogonScript to the registry value \"UserInitMprLogonScript\" for potential persistence\n", "label": "Potential Persistence Via Logon Scripts - CommandLine", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_registry_new_network_provider": { "name": "sigmahq/proc_creation_win_registry_new_network_provider", "description": "Detects when an attacker tries to add a new network provider in order to dump clear text credentials, similar to how the NPPSpy tool does it\n", "label": "Potential Credential Dumping Attempt Using New NetworkProvider - CLI", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_registry_office_disable_python_security_warnings": { "name": "sigmahq/proc_creation_win_registry_office_disable_python_security_warnings", "description": 
"Detects changes to the registry value \"PythonFunctionWarnings\" that would prevent any warnings or alerts from showing when Python functions are about to be executed. Threat actors could run malicious code through the new Microsoft Excel feature that allows Python to run within the spreadsheet. \n", "label": "Python Function Execution Security Warning Disabled In Excel", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_registry_privilege_escalation_via_service_key": { "name": "sigmahq/proc_creation_win_registry_privilege_escalation_via_service_key", "description": "Detect modification of services configuration (ImagePath, FailureCommand and ServiceDLL) in registry by processes with Medium integrity level\n", "label": "Potential Privilege Escalation via Service Permissions Weakness", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_registry_provlaunch_provisioning_command": { "name": "sigmahq/proc_creation_win_registry_provlaunch_provisioning_command", "description": "Detects potential abuse of the provisioning registry key for indirect command execution through \"Provlaunch.exe\".\n", "label": "Potential Provisioning Registry Key Abuse For Binary Proxy Execution", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_registry_set_unsecure_powershell_policy": { "name": "sigmahq/proc_creation_win_registry_set_unsecure_powershell_policy", "description": "Detects changes to the PowerShell execution policy registry key in order to bypass signing requirements for script execution from the CommandLine\n", "label": "Potential PowerShell Execution Policy Tampering - ProcCreation", "behaviors": [], "mitre_attacks": 
[], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_regsvr32_http_ip_pattern": { "name": "sigmahq/proc_creation_win_regsvr32_http_ip_pattern", "description": "Detects regsvr32 execution to download and install DLLs located remotely where the address is an IP address.\n", "label": "Potentially Suspicious Regsvr32 HTTP IP Pattern", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_regsvr32_remote_share": { "name": "sigmahq/proc_creation_win_regsvr32_remote_share", "description": "Detects REGSVR32.exe to execute DLL hosted on remote shares\n", "label": "Suspicious Regsvr32 Execution From Remote Share", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_regsvr32_susp_child_process": { "name": "sigmahq/proc_creation_win_regsvr32_susp_child_process", "description": "Detects potentially suspicious child processes of \"regsvr32.exe\".\n", "label": "Potentially Suspicious Child Process Of Regsvr32", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_regsvr32_susp_exec_path_2": { "name": "sigmahq/proc_creation_win_regsvr32_susp_exec_path_2", "description": "Detects execution of regsvr32 where the DLL is located in a highly suspicious locations\n", "label": "Regsvr32 Execution From Highly Suspicious Location", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_regsvr32_susp_extensions": { "name": "sigmahq/proc_creation_win_regsvr32_susp_extensions", "description": "Detects the execution of REGSVR32.exe with DLL 
files masquerading as other files\n", "label": "Regsvr32 DLL Execution With Suspicious File Extension", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_remote_access_tools_anydesk_silent_install": { "name": "sigmahq/proc_creation_win_remote_access_tools_anydesk_silent_install", "description": "Detects AnyDesk Remote Desktop silent installation. Which can be used by attackers to gain remote access.\n", "label": "Remote Access Tool - AnyDesk Silent Installation", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_remote_access_tools_anydesk_susp_exec": { "name": "sigmahq/proc_creation_win_remote_access_tools_anydesk_susp_exec", "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land) \n", "label": "Remote Access Tool - Anydesk Execution From Suspicious Folder", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_renamed_adfind": { "name": "sigmahq/proc_creation_win_renamed_adfind", "description": "Detects the use of a renamed Adfind.exe. AdFind continues to be seen across majority of breaches. 
It is used for domain trust discovery to plan out subsequent steps in the attack chain.\n", "label": "Renamed AdFind Execution", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_renamed_autoit": { "name": "sigmahq/proc_creation_win_renamed_autoit", "description": "Detects the execution of a renamed AutoIt2.exe or AutoIt3.exe. AutoIt is a scripting language and automation tool for Windows systems. While primarily used for legitimate automation tasks, it can be misused in cyber attacks. Attackers can leverage AutoIt to create and distribute malware, including keyloggers, spyware, and botnets. A renamed AutoIt executable is particularly suspicious. \n", "label": "Renamed AutoIt Execution", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_renamed_binary_highly_relevant": { "name": "sigmahq/proc_creation_win_renamed_binary_highly_relevant", "description": "Detects the execution of a renamed binary often used by attackers or malware, leveraging the new Sysmon OriginalFileName datapoint.\n", "label": "Potential Defense Evasion Via Rename Of Highly Relevant Binaries", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_renamed_browsercore": { "name": "sigmahq/proc_creation_win_renamed_browsercore", "description": "Detects process creation with a renamed BrowserCore.exe (used to extract Azure tokens)\n", "label": "Renamed BrowserCore.EXE Execution", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_renamed_cloudflared": { "name": "sigmahq/proc_creation_win_renamed_cloudflared", "description": "Detects 
the execution of a renamed \"cloudflared\" binary.\n", "label": "Renamed Cloudflared.EXE Execution", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_renamed_createdump": { "name": "sigmahq/proc_creation_win_renamed_createdump", "description": "Detects uses of a renamed legitimate createdump.exe LOLBIN utility to dump process memory\n", "label": "Renamed CreateDump Utility Execution", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_renamed_dctask64": { "name": "sigmahq/proc_creation_win_renamed_dctask64", "description": "Detects execution of a renamed \"dctask64.exe\", a binary signed by ZOHO Corporation and part of ManageEngine Endpoint Central. This binary can be abused for DLL injection, arbitrary command and process execution. \n", "label": "Renamed ZOHO Dctask64 Execution", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_renamed_gpg4win": { "name": "sigmahq/proc_creation_win_renamed_gpg4win", "description": "Detects the execution of a renamed \"gpg.exe\". 
Often used by ransomware and loaders to decrypt/encrypt data.\n", "label": "Renamed Gpg.EXE Execution", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_renamed_jusched": { "name": "sigmahq/proc_creation_win_renamed_jusched", "description": "Detects the execution of a renamed \"jusched.exe\" as seen used by the cobalt group\n", "label": "Renamed Jusched.EXE Execution", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_renamed_mavinject": { "name": "sigmahq/proc_creation_win_renamed_mavinject", "description": "Detects the execution of a renamed version of the \"Mavinject\" process. Which can be abused to perform process injection using the \"/INJECTRUNNING\" flag\n", "label": "Renamed Mavinject.EXE Execution", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_renamed_megasync": { "name": "sigmahq/proc_creation_win_renamed_megasync", "description": "Detects the execution of a renamed MegaSync.exe as seen used by ransomware families like Nefilim, Sodinokibi, Pysa, and Conti.\n", "label": "Renamed MegaSync Execution", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_renamed_msdt": { "name": "sigmahq/proc_creation_win_renamed_msdt", "description": "Detects the execution of a renamed \"Msdt.exe\" binary\n", "label": "Renamed Msdt.EXE Execution", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_renamed_netsupport_rat": { "name": 
"sigmahq/proc_creation_win_renamed_netsupport_rat", "description": "Detects the execution of a renamed \"client32.exe\" (NetSupport RAT) via Imphash, Product and OriginalFileName strings\n", "label": "Renamed NetSupport RAT Execution", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_renamed_office_processes": { "name": "sigmahq/proc_creation_win_renamed_office_processes", "description": "Detects the execution of a renamed office binary\n", "label": "Renamed Office Binary Execution", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_renamed_paexec": { "name": "sigmahq/proc_creation_win_renamed_paexec", "description": "Detects execution of renamed version of PAExec. Often used by attackers\n", "label": "Renamed PAExec Execution", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_renamed_plink": { "name": "sigmahq/proc_creation_win_renamed_plink", "description": "Detects the execution of a renamed version of the Plink binary\n", "label": "Renamed Plink Execution", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_renamed_rundll32_dllregisterserver": { "name": "sigmahq/proc_creation_win_renamed_rundll32_dllregisterserver", "description": "Detects when 'DllRegisterServer' is called in the commandline and the image is not rundll32. 
This could mean that the 'rundll32' utility has been renamed in order to avoid detection\n", "label": "Potential Renamed Rundll32 Execution", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_renamed_sysinternals_debugview": { "name": "sigmahq/proc_creation_win_renamed_sysinternals_debugview", "description": "Detects suspicious renamed SysInternals DebugView execution\n", "label": "Renamed SysInternals DebugView Execution", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_renamed_sysinternals_procdump": { "name": "sigmahq/proc_creation_win_renamed_sysinternals_procdump", "description": "Detects the execution of a renamed ProcDump executable. This is often done by attackers or malware in order to evade defensive mechanisms. \n", "label": "Renamed ProcDump Execution", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_renamed_sysinternals_psexec_service": { "name": "sigmahq/proc_creation_win_renamed_sysinternals_psexec_service", "description": "Detects suspicious launch of a renamed version of the PSEXESVC service, which is not often used by legitimate administrators\n", "label": "Renamed PsExec Service Execution", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_renamed_sysinternals_sdelete": { "name": "sigmahq/proc_creation_win_renamed_sysinternals_sdelete", "description": "Detects the use of a renamed SysInternals Sdelete, which is something an administrator shouldn't do (the renaming)\n", "label": "Renamed Sysinternals Sdelete Execution", "behaviors": [], "mitre_attacks": [], 
"confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_renamed_vmnat": { "name": "sigmahq/proc_creation_win_renamed_vmnat", "description": "Detects renamed vmnat.exe or portable version that can be used for DLL side-loading\n", "label": "Renamed Vmnat.exe Execution", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_renamed_whoami": { "name": "sigmahq/proc_creation_win_renamed_whoami", "description": "Detects the execution of whoami that has been renamed to a different name to avoid detection\n", "label": "Renamed Whoami Execution", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_rundll32_ads_stored_dll_execution": { "name": "sigmahq/proc_creation_win_rundll32_ads_stored_dll_execution", "description": "Detects execution of rundll32 where the DLL being called is stored in an Alternate Data Stream (ADS).\n", "label": "Potential Rundll32 Execution With DLL Stored In ADS", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_rundll32_advpack_obfuscated_ordinal_call": { "name": "sigmahq/proc_creation_win_rundll32_advpack_obfuscated_ordinal_call", "description": "Detects execution of \"rundll32\" calling \"advpack.dll\" with potential obfuscated ordinal calls in order to leverage the \"RegisterOCX\" function\n", "label": "Suspicious Advpack Call Via Rundll32.EXE", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_rundll32_inline_vbs": { "name": "sigmahq/proc_creation_win_rundll32_inline_vbs", "description": "Detects 
suspicious process related to rundll32 based on command line that invokes inline VBScript as seen being used by UNC2452\n", "label": "Suspicious Rundll32 Invoking Inline VBScript", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_rundll32_keymgr": { "name": "sigmahq/proc_creation_win_rundll32_keymgr", "description": "Detects the invocation of the Stored User Names and Passwords dialogue (Key Manager)\n", "label": "Suspicious Key Manager Access", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_rundll32_mshtml_runhtmlapplication": { "name": "sigmahq/proc_creation_win_rundll32_mshtml_runhtmlapplication", "description": "Detects execution of commands that leverage the \"mshtml.dll\" RunHTMLApplication export to run arbitrary code via different protocol handlers (vbscript, javascript, file, http...) 
\n", "label": "Mshtml.DLL RunHTMLApplication Suspicious Usage", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_rundll32_no_params": { "name": "sigmahq/proc_creation_win_rundll32_no_params", "description": "Detects suspicious start of rundll32.exe without any parameters as found in CobaltStrike beacon activity\n", "label": "Rundll32 Execution Without CommandLine Parameters", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_rundll32_ntlmrelay": { "name": "sigmahq/proc_creation_win_rundll32_ntlmrelay", "description": "Detects a privilege elevation attempt by coercing NTLM authentication on the Printer Spooler service\n", "label": "Suspicious NTLM Authentication on the Printer Spooler Service", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_rundll32_process_dump_via_comsvcs": { "name": "sigmahq/proc_creation_win_rundll32_process_dump_via_comsvcs", "description": "Detects a process memory dump via \"comsvcs.dll\" using rundll32, covering multiple different techniques (ordinal, minidump function, etc.)\n", "label": "Process Memory Dump Via Comsvcs.DLL", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_rundll32_registered_com_objects": { "name": "sigmahq/proc_creation_win_rundll32_registered_com_objects", "description": "load malicious registered COM objects\n", "label": "Rundll32 Registered COM Objects", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, 
"sigmahq/proc_creation_win_rundll32_shell32_susp_execution": { "name": "sigmahq/proc_creation_win_rundll32_shell32_susp_execution", "description": "Detects shell32.dll executing a DLL in a suspicious directory\n", "label": "Shell32 DLL Execution in Suspicious Directory", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_rundll32_spawn_explorer": { "name": "sigmahq/proc_creation_win_rundll32_spawn_explorer", "description": "Detects RunDLL32.exe spawning explorer.exe as child, which is very uncommon, often observes Gamarue spawning the explorer.exe process in an unusual way\n", "label": "RunDLL32 Spawning Explorer", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_rundll32_susp_control_dll_load": { "name": "sigmahq/proc_creation_win_rundll32_susp_control_dll_load", "description": "Detects suspicious Rundll32 execution from control.exe as used by Equation Group and Exploit Kits\n", "label": "Suspicious Control Panel DLL Load", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_rundll32_susp_execution_with_image_extension": { "name": "sigmahq/proc_creation_win_rundll32_susp_execution_with_image_extension", "description": "Detects the execution of Rundll32.exe with DLL files masquerading as image files\n", "label": "Suspicious Rundll32 Execution With Image Extension", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_rundll32_susp_shellexec_execution": { "name": "sigmahq/proc_creation_win_rundll32_susp_shellexec_execution", "description": "Detects suspicious usage of the ShellExec_RunDLL 
function to launch other commands as seen in the raspberry-robin attack\n", "label": "Suspicious Usage Of ShellExec_RunDLL", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_rundll32_susp_shimcache_flush": { "name": "sigmahq/proc_creation_win_rundll32_susp_shimcache_flush", "description": "Detects actions that clear the local ShimCache and remove forensic evidence\n", "label": "ShimCache Flush", "behaviors": [], "mitre_attacks": [], "confidence": 2, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_rundll32_sys": { "name": "sigmahq/proc_creation_win_rundll32_sys", "description": "Detects suspicious process related to rundll32 based on command line that includes a *.sys file as seen being used by UNC2452\n", "label": "Suspicious Rundll32 Activity Invoking Sys File", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_rundll32_unc_path": { "name": "sigmahq/proc_creation_win_rundll32_unc_path", "description": "Detects rundll32 execution where the DLL is located on a remote location (share)\n", "label": "Rundll32 UNC Path Execution", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_rundll32_webdav_client_susp_execution": { "name": "sigmahq/proc_creation_win_rundll32_webdav_client_susp_execution", "description": "Detects \"svchost.exe\" spawning \"rundll32.exe\" with command arguments like C:\\windows\\system32\\davclnt.dll,DavSetCookie. 
This could be an indicator of exfiltration or use of WebDav to launch code (hosted on WebDav Server) or potentially a sign of exploitation of CVE-2023-23397 \n", "label": "Suspicious WebDav Client Execution Via Rundll32.EXE", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_rundll32_without_parameters": { "name": "sigmahq/proc_creation_win_rundll32_without_parameters", "description": "Detects rundll32 execution without parameters as observed when running Metasploit windows/smb/psexec exploit module\n", "label": "Rundll32 Execution Without Parameters", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_sc_change_sevice_image_path_by_non_admin": { "name": "sigmahq/proc_creation_win_sc_change_sevice_image_path_by_non_admin", "description": "Detection of sc.exe utility spawning by user with Medium integrity level to change service ImagePath or FailureCommand\n", "label": "Possible Privilege Escalation via Weak Service Permissions", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_sc_sdset_allow_service_changes": { "name": "sigmahq/proc_creation_win_sc_sdset_allow_service_changes", "description": "Detects suspicious DACL modifications to allow access to a service from a suspicious trustee. 
This can be used to override access restrictions set by previous ACLs.\n", "label": "Allow Service Access Using Security Descriptor Tampering Via Sc.EXE", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_sc_sdset_deny_service_access": { "name": "sigmahq/proc_creation_win_sc_sdset_deny_service_access", "description": "Detects suspicious DACL modifications to deny access to a service that affects critical trustees. This can be used to hide services or make them unstoppable.\n", "label": "Deny Service Access Using Security Descriptor Tampering Via Sc.EXE", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_sc_sdset_hide_sevices": { "name": "sigmahq/proc_creation_win_sc_sdset_hide_sevices", "description": "Detects usage of the \"sc.exe\" utility adding a new service with special permission seen used by threat actors which makes the service hidden and unremovable.\n", "label": "Service DACL Abuse To Hide Services Via Sc.EXE", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_sc_service_path_modification": { "name": "sigmahq/proc_creation_win_sc_service_path_modification", "description": "Detects service path modification via the \"sc\" binary to a suspicious command or path\n", "label": "Suspicious Service Path Modification", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_schtasks_appdata_local_system": { "name": "sigmahq/proc_creation_win_schtasks_appdata_local_system", "description": "Detects the creation of a schtask that executes a file from C:\\Users\\\\AppData\\Local\n", "label": 
"Suspicious Schtasks Execution AppData Folder", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_schtasks_change": { "name": "sigmahq/proc_creation_win_schtasks_change", "description": "Detects when an attacker tries to modify an already existing scheduled tasks to run from a suspicious location Attackers can create a simple looking task in order to avoid detection on creation as it's often the most focused on Instead they modify the task after creation to include their malicious payload \n", "label": "Suspicious Modification Of Scheduled Tasks", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_schtasks_creation_temp_folder": { "name": "sigmahq/proc_creation_win_schtasks_creation_temp_folder", "description": "Detects the creation of scheduled tasks that involves a temporary folder and runs only once\n", "label": "Suspicious Scheduled Task Creation Involving Temp Folder", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_schtasks_delete": { "name": "sigmahq/proc_creation_win_schtasks_delete", "description": "Detects when adversaries stop services or processes by deleting their respective scheduled tasks in order to conduct data destructive activities\n", "label": "Delete Important Scheduled Task", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_schtasks_delete_all": { "name": "sigmahq/proc_creation_win_schtasks_delete_all", "description": "Detects the usage of schtasks with the delete flag and the asterisk symbol to delete all tasks from the schedule of the local computer, including 
tasks scheduled by other users.\n", "label": "Delete All Scheduled Tasks", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_schtasks_disable": { "name": "sigmahq/proc_creation_win_schtasks_disable", "description": "Detects when adversaries stop services or processes by disabling their respective scheduled tasks in order to conduct data destructive activities\n", "label": "Disable Important Scheduled Task", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_schtasks_folder_combos": { "name": "sigmahq/proc_creation_win_schtasks_folder_combos", "description": "Detects scheduled task creations that have suspicious action command and folder combinations\n", "label": "Schtasks From Suspicious Folders", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_schtasks_one_time_only_midnight_task": { "name": "sigmahq/proc_creation_win_schtasks_one_time_only_midnight_task", "description": "Detects scheduled task creation events that include suspicious actions and are run once at 00:00\n", "label": "Uncommon One Time Only Scheduled Task At 00:00", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_schtasks_powershell_persistence": { "name": "sigmahq/proc_creation_win_schtasks_powershell_persistence", "description": "Detects suspicious powershell execution via a scheduled task where the command ends with suspicious flags to hide the powershell instance instead of executing scripts or commands. 
This could be a sign of persistence via PowerShell \"Get-Variable\" technique as seen being used in Colibri Loader\n", "label": "Potential Persistence Via Powershell Search Order Hijacking - Task", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_schtasks_reg_loader_encoded": { "name": "sigmahq/proc_creation_win_schtasks_reg_loader_encoded", "description": "Detects the creation of a schtask that potentially executes a base64 encoded payload stored in the Windows Registry using PowerShell.\n", "label": "Scheduled Task Executing Encoded Payload from Registry", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_schtasks_schedule_type": { "name": "sigmahq/proc_creation_win_schtasks_schedule_type", "description": "Detects scheduled task creations or modification on a suspicious schedule type\n", "label": "Suspicious Schtasks Schedule Types", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_schtasks_system": { "name": "sigmahq/proc_creation_win_schtasks_system", "description": "Detects the creation or update of a scheduled task to run with \"NT AUTHORITY\\SYSTEM\" privileges\n", "label": "Schtasks Creation Or Modification With SYSTEM Privileges", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_scrcons_susp_child_process": { "name": "sigmahq/proc_creation_win_scrcons_susp_child_process", "description": "Detects a suspicious child process of Script Event Consumer (scrcons.exe).\n", "label": "Script Event Consumer Spawning Process", "behaviors": [], "mitre_attacks": [], "confidence": 1, 
"spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_sdiagnhost_susp_child": { "name": "sigmahq/proc_creation_win_sdiagnhost_susp_child", "description": "Detects sdiagnhost.exe calling a suspicious child process (e.g. used in exploits for Follina / CVE-2022-30190)\n", "label": "Sdiagnhost Calling Suspicious Child Process", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_servu_susp_child_process": { "name": "sigmahq/proc_creation_win_servu_susp_child_process", "description": "Detects a suspicious process pattern which could be a sign of an exploited Serv-U service\n", "label": "Suspicious Serv-U Process Pattern", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_setres_uncommon_child_process": { "name": "sigmahq/proc_creation_win_setres_uncommon_child_process", "description": "Detects uncommon child process of Setres.EXE. Setres.EXE is a Windows server only process and tool that can be used to set the screen resolution. It can potentially be abused in order to launch any arbitrary file with a name containing the word \"choice\" from the current execution path. 
\n", "label": "Uncommon Child Process Of Setres.EXE", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_splwow64_cli_anomaly": { "name": "sigmahq/proc_creation_win_splwow64_cli_anomaly", "description": "Detects suspicious Splwow64.exe process without any command line parameters\n", "label": "Suspicious Splwow64 Without Params", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_spoolsv_susp_child_processes": { "name": "sigmahq/proc_creation_win_spoolsv_susp_child_processes", "description": "Detects suspicious print spool service (spoolsv.exe) child processes.\n", "label": "Suspicious Spool Service Child Process", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_sqlcmd_veeam_dump": { "name": "sigmahq/proc_creation_win_sqlcmd_veeam_dump", "description": "Detects dump of credentials in VeeamBackup dbo\n", "label": "VeeamBackup Database Credentials Dump Via Sqlcmd.EXE", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_sqlite_chromium_profile_data": { "name": "sigmahq/proc_creation_win_sqlite_chromium_profile_data", "description": "Detect usage of the \"sqlite\" binary to query databases in Chromium-based browsers for potential data stealing.\n", "label": "SQLite Chromium Profile Data DB Access", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_sqlite_firefox_gecko_profile_data": { "name": "sigmahq/proc_creation_win_sqlite_firefox_gecko_profile_data", "description": 
"Detect usage of the \"sqlite\" binary to query databases in Firefox and other Gecko-based browsers for potential data stealing.\n", "label": "SQLite Firefox Profile Data DB Access", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_ssh_rdp_tunneling": { "name": "sigmahq/proc_creation_win_ssh_rdp_tunneling", "description": "Execution of ssh.exe to perform data exfiltration and tunneling through RDP\n", "label": "Potential RDP Tunneling Via SSH", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_stordiag_susp_child_process": { "name": "sigmahq/proc_creation_win_stordiag_susp_child_process", "description": "Detects the use of stordiag.exe to execute schtasks.exe systeminfo.exe and fltmc.exe\n", "label": "Execution via stordiag.exe", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_susp_abusing_debug_privilege": { "name": "sigmahq/proc_creation_win_susp_abusing_debug_privilege", "description": "Detection of unusual child processes by different system processes\n", "label": "Abused Debug Privilege by Arbitrary Parent Processes", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_susp_add_user_privileged_group": { "name": "sigmahq/proc_creation_win_susp_add_user_privileged_group", "description": "Detects addition of users to highly privileged groups via \"Net\" or \"Add-LocalGroupMember\".\n", "label": "User Added To Highly Privileged Group", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, 
"sigmahq/proc_creation_win_susp_add_user_remote_desktop_group": { "name": "sigmahq/proc_creation_win_susp_add_user_remote_desktop_group", "description": "Detects addition of users to the local Remote Desktop Users group via \"Net\" or \"Add-LocalGroupMember\".\n", "label": "User Added to Remote Desktop Users Group", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_susp_archiver_iso_phishing": { "name": "sigmahq/proc_creation_win_susp_archiver_iso_phishing", "description": "Detects cases in which an ISO file is opened within an archiver like 7Zip or WinRAR, which is a sign of phishing, as threat actors put small ISO files in archives as email attachments to bypass certain filters and protective measures (Mark of the Web)\n", "label": "Phishing Pattern ISO in Archive", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_susp_child_process_as_system_": { "name": "sigmahq/proc_creation_win_susp_child_process_as_system_", "description": "Detection of child processes spawned with SYSTEM privileges by parents running under the LOCAL SERVICE or NETWORK SERVICE accounts\n", "label": "Suspicious Child Process Created as System", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_susp_cli_obfuscation_unicode_img": { "name": "sigmahq/proc_creation_win_susp_cli_obfuscation_unicode_img", "description": "Detects potential commandline obfuscation using unicode characters. Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. 
\n", "label": "Potential CommandLine Obfuscation Using Unicode Characters From Suspicious Image", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_susp_copy_system_dir_lolbin": { "name": "sigmahq/proc_creation_win_susp_copy_system_dir_lolbin", "description": "Detects a suspicious copy operation that tries to copy a known LOLBIN from system (System32, SysWOW64, WinSxS) directories to another on disk in order to bypass detections based on locations. \n", "label": "LOL-Binary Copied From System Directory", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_susp_crypto_mining_monero": { "name": "sigmahq/proc_creation_win_susp_crypto_mining_monero", "description": "Detects command line parameters or strings often used by crypto miners\n", "label": "Potential Crypto Mining Activity", "behaviors": [], "mitre_attacks": [], "confidence": 2, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_susp_data_exfiltration_via_cli": { "name": "sigmahq/proc_creation_win_susp_data_exfiltration_via_cli", "description": "Detects the use of various CLI utilities exfiltrating data via web requests\n", "label": "Potential Data Exfiltration Activity Via CommandLine Tools", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_susp_disable_raccine": { "name": "sigmahq/proc_creation_win_susp_disable_raccine", "description": "Detects commands that indicate a Raccine removal from an end system. 
Raccine is a free ransomware protection tool.\n", "label": "Raccine Uninstall", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_susp_double_extension": { "name": "sigmahq/proc_creation_win_susp_double_extension", "description": "Detects suspicious use of an .exe extension after a non-executable file extension like .pdf.exe, a set of spaces or underlines to cloak the executable file in spear phishing campaigns\n", "label": "Suspicious Double Extension File Execution", "behaviors": [], "mitre_attacks": [], "confidence": 2, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_susp_double_extension_parent": { "name": "sigmahq/proc_creation_win_susp_double_extension_parent", "description": "Detect execution of suspicious double extension files in ParentCommandLine\n", "label": "Suspicious Parent Double Extension File Execution", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_susp_download_office_domain": { "name": "sigmahq/proc_creation_win_susp_download_office_domain", "description": "Detects suspicious ways to download files from Microsoft domains that are used to store attachments in Emails or OneNote documents\n", "label": "Suspicious Download from Office Domain", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_susp_dumpstack_log_evasion": { "name": "sigmahq/proc_creation_win_susp_dumpstack_log_evasion", "description": "Detects the use of the filename DumpStack.log to evade Microsoft Defender\n", "label": "DumpStack.log Defender Evasion", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": 
"windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_susp_emoji_usage_in_cli_1": { "name": "sigmahq/proc_creation_win_susp_emoji_usage_in_cli_1", "description": "Detects the usage of emojis in the command line, this could be a sign of potential defense evasion activity.\n", "label": "Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 1", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_susp_emoji_usage_in_cli_2": { "name": "sigmahq/proc_creation_win_susp_emoji_usage_in_cli_2", "description": "Detects the usage of emojis in the command line, this could be a sign of potential defense evasion activity.\n", "label": "Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 2", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_susp_emoji_usage_in_cli_3": { "name": "sigmahq/proc_creation_win_susp_emoji_usage_in_cli_3", "description": "Detects the usage of emojis in the command line, this could be a sign of potential defense evasion activity.\n", "label": "Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 3", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_susp_emoji_usage_in_cli_4": { "name": "sigmahq/proc_creation_win_susp_emoji_usage_in_cli_4", "description": "Detects the usage of emojis in the command line, this could be a sign of potential defense evasion activity.\n", "label": "Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 4", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, 
"sigmahq/proc_creation_win_susp_etw_modification_cmdline": { "name": "sigmahq/proc_creation_win_susp_etw_modification_cmdline", "description": "Detects changes to environment variables related to ETW logging via the CommandLine. This could indicate adversaries stopping the ETW providers that record loaded .NET assemblies. \n", "label": "ETW Logging Tamper In .NET Processes Via CommandLine", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_susp_etw_trace_evasion": { "name": "sigmahq/proc_creation_win_susp_etw_trace_evasion", "description": "Detects command line activity that tries to clear or disable any ETW trace log, which could be a sign of logging evasion. \n", "label": "ETW Trace Evasion Activity", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_susp_eventlog_clear": { "name": "sigmahq/proc_creation_win_susp_eventlog_clear", "description": "Detects the clearing or configuration tampering of EventLog using utilities such as \"wevtutil\", \"powershell\" and \"wmic\". This technique was seen used by threat actors and ransomware strains in order to evade defenses. \n", "label": "Suspicious Eventlog Clearing or Configuration Change Activity", "behaviors": [], "mitre_attacks": [], "confidence": 2, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_susp_execution_from_public_folder_as_parent": { "name": "sigmahq/proc_creation_win_susp_execution_from_public_folder_as_parent", "description": "Detects a potentially suspicious execution of a parent process located in the \"\\Users\\Public\" folder executing a child process containing references to shell or scripting binaries and commandlines. 
\n", "label": "Potentially Suspicious Execution From Parent Process In Public Folder", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_susp_execution_path": { "name": "sigmahq/proc_creation_win_susp_execution_path", "description": "Detects a potentially suspicious execution from an uncommon folder.\n", "label": "Process Execution From A Potentially Suspicious Folder", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_susp_gather_network_info_execution": { "name": "sigmahq/proc_creation_win_susp_gather_network_info_execution", "description": "Detects execution of the built-in script located in \"C:\\Windows\\System32\\gatherNetworkInfo.vbs\". Which can be used to gather information about the target machine\n", "label": "Suspicious Reconnaissance Activity Via GatherNetworkInfo.VBS", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_susp_image_missing": { "name": "sigmahq/proc_creation_win_susp_image_missing", "description": "Checks whether the image specified in a process creation event is not a full, absolute path (caused by process ghosting or other unorthodox methods to start a process)\n", "label": "Execution Of Non-Existing File", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_susp_inline_base64_mz_header": { "name": "sigmahq/proc_creation_win_susp_inline_base64_mz_header", "description": "Detects encoded base64 MZ header in the commandline\n", "label": "Base64 MZ Header In CommandLine", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, 
"service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_susp_inline_win_api_access": { "name": "sigmahq/proc_creation_win_susp_inline_win_api_access", "description": "Detects the use of WinAPI Functions via the commandline. As seen used by threat actors via the tool winapiexec\n", "label": "Potential WinAPI Calls Via CommandLine", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_susp_lsass_dmp_cli_keywords": { "name": "sigmahq/proc_creation_win_susp_lsass_dmp_cli_keywords", "description": "Detects the presence of the keywords \"lsass\" and \".dmp\" in the commandline, which could indicate a potential attempt to dump or create a dump of the lsass process. \n", "label": "LSASS Dump Keyword In CommandLine", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_susp_non_priv_reg_or_ps": { "name": "sigmahq/proc_creation_win_susp_non_priv_reg_or_ps", "description": "Search for usage of reg or Powershell by non-privileged users to modify service configuration in registry\n", "label": "Non-privileged Usage of Reg or Powershell", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_susp_ntds": { "name": "sigmahq/proc_creation_win_susp_ntds", "description": "Detects suspicious process patterns used in NTDS.DIT exfiltration\n", "label": "Suspicious Process Patterns NTDS.DIT Exfil", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_susp_nteventlogfile_usage": { "name": "sigmahq/proc_creation_win_susp_nteventlogfile_usage", "description": "Detects usage of the WMI class 
\"Win32_NTEventlogFile\" in a potentially suspicious way (delete, backup, change permissions, etc.) from a PowerShell script\n", "label": "Potentially Suspicious Call To Win32_NTEventlogFile Class", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_susp_parents": { "name": "sigmahq/proc_creation_win_susp_parents", "description": "Detects suspicious parent processes that should not have any children or should only have a single possible child program\n", "label": "Suspicious Process Parents", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_susp_powershell_execution_via_dll": { "name": "sigmahq/proc_creation_win_susp_powershell_execution_via_dll", "description": "Detects potential PowerShell execution from a DLL instead of the usual PowerShell process as seen used in PowerShdll. This detection assumes that PowerShell commands are passed via the CommandLine. \n", "label": "Potential PowerShell Execution Via DLL", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_susp_priv_escalation_via_named_pipe": { "name": "sigmahq/proc_creation_win_susp_priv_escalation_via_named_pipe", "description": "Detects a remote file copy attempt to a hidden network share. 
This may indicate lateral movement or data staging activity.\n", "label": "Privilege Escalation via Named Pipe Impersonation", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_susp_progname": { "name": "sigmahq/proc_creation_win_susp_progname", "description": "Detects suspicious patterns in program names or folders that are often found in malicious samples or hacktools\n", "label": "Suspicious Program Names", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_susp_recycle_bin_fake_execution": { "name": "sigmahq/proc_creation_win_susp_recycle_bin_fake_execution", "description": "Detects process execution from a fake recycle bin folder, often used to evade security solutions.\n", "label": "Suspicious Process Execution From Fake Recycle.Bin Folder", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_susp_redirect_local_admin_share": { "name": "sigmahq/proc_creation_win_susp_redirect_local_admin_share", "description": "Detects a suspicious output redirection to the local admin share; this technique is often found in malicious scripts or hacktool stagers\n", "label": "Suspicious Redirection to Local Admin Share", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_susp_right_to_left_override": { "name": "sigmahq/proc_creation_win_susp_right_to_left_override", "description": "Detects the presence of the \"U+202E\" (Right-to-Left Override) character, which causes a terminal, browser, or operating system to render the following text in a right-to-left sequence. This is used as an obfuscation and masquerading technique (e.g. to disguise a file's real extension). 
\n", "label": "Potential Defense Evasion Via Right-to-Left Override", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_susp_script_exec_from_env_folder": { "name": "sigmahq/proc_creation_win_susp_script_exec_from_env_folder", "description": "Detects a suspicious script execution in temporary folders or folders accessible by environment variables\n", "label": "Script Interpreter Execution From Suspicious Folder", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_susp_script_exec_from_temp": { "name": "sigmahq/proc_creation_win_susp_script_exec_from_temp", "description": "Detects a suspicious script executions from temporary folder\n", "label": "Suspicious Script Execution From Temp Folder", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_susp_sensitive_file_access_shadowcopy": { "name": "sigmahq/proc_creation_win_susp_sensitive_file_access_shadowcopy", "description": "Detects a command that accesses the VolumeShadowCopy in order to extract sensitive files such as the Security or SAM registry hives or the AD database (ntds.dit) \n", "label": "Sensitive File Access Via Volume Shadow Copy Backup", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_susp_service_creation": { "name": "sigmahq/proc_creation_win_susp_service_creation", "description": "Detects creation of a new service via \"sc\" command or the powershell \"new-service\" cmdlet with suspicious binary paths\n", "label": "Suspicious New Service Creation", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, 
"cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_susp_service_dir": { "name": "sigmahq/proc_creation_win_susp_service_dir", "description": "Detects a service binary running in a suspicious directory\n", "label": "Suspicious Service Binary Directory", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_susp_service_tamper": { "name": "sigmahq/proc_creation_win_susp_service_tamper", "description": "Detects the usage of binaries such as 'net', 'sc' or 'powershell' in order to stop, pause, disable or delete critical or important Windows services such as AV, Backup, etc. As seen being used in some ransomware scripts \n", "label": "Suspicious Windows Service Tampering", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_susp_shadow_copies_deletion": { "name": "sigmahq/proc_creation_win_susp_shadow_copies_deletion", "description": "Shadow Copies deletion using operating systems utilities\n", "label": "Shadow Copies Deletion Using Operating Systems Utilities", "behaviors": [], "mitre_attacks": [], "confidence": 2, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_susp_shell_spawn_susp_program": { "name": "sigmahq/proc_creation_win_susp_shell_spawn_susp_program", "description": "Detects suspicious child processes of a Windows shell and scripting processes such as wscript, rundll32, powershell, mshta...etc.\n", "label": "Windows Shell/Scripting Processes Spawning Suspicious Programs", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_susp_system_user_anomaly": { "name": 
"sigmahq/proc_creation_win_susp_system_user_anomaly", "description": "Detects a suspicious process creation as SYSTEM user (suspicious program or command line parameter)\n", "label": "Suspicious SYSTEM User Process Creation", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_susp_task_folder_evasion": { "name": "sigmahq/proc_creation_win_susp_task_folder_evasion", "description": "The Tasks folder in system32 and syswow64 are globally writable paths. Adversaries can take advantage of this and load or influence any script hosts or ANY .NET Application in Tasks to load and execute a custom assembly into cscript, wscript, regsvr32, mshta, eventvwr \n", "label": "Tasks Folder Evasion", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_susp_whoami_as_param": { "name": "sigmahq/proc_creation_win_susp_whoami_as_param", "description": "Detects a suspicious process command line that uses whoami as first parameter (as e.g. 
used by EfsPotato)\n", "label": "WhoAmI as Parameter", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_susp_workfolders": { "name": "sigmahq/proc_creation_win_susp_workfolders", "description": "Detects using WorkFolders.exe to execute an arbitrary control.exe\n", "label": "Execution via WorkFolders.exe", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_svchost_execution_with_no_cli_flags": { "name": "sigmahq/proc_creation_win_svchost_execution_with_no_cli_flags", "description": "It is extremely abnormal for svchost.exe to spawn without any CLI arguments and is normally observed when a malicious process spawns the process and injects code into the process memory space.\n", "label": "Suspect Svchost Activity", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_svchost_termserv_proc_spawn": { "name": "sigmahq/proc_creation_win_svchost_termserv_proc_spawn", "description": "Detects a process spawned by the terminal service server process (this could be an indicator for an exploitation of CVE-2019-0708)\n", "label": "Terminal Service Process Spawn", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_sysinternals_adexplorer_susp_execution": { "name": "sigmahq/proc_creation_win_sysinternals_adexplorer_susp_execution", "description": "Detects the execution of Sysinternals ADExplorer with the \"-snapshot\" flag in order to save a local copy of the active directory database to a suspicious directory.\n", "label": "Suspicious Active Directory Database Snapshot Via ADExplorer", "behaviors": [], 
"mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_sysinternals_procdump_evasion": { "name": "sigmahq/proc_creation_win_sysinternals_procdump_evasion", "description": "Detects uses of the SysInternals ProcDump utility in which ProcDump or its output get renamed, or a dump file is moved or copied to a different name\n", "label": "Potential SysInternals ProcDump Evasion", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_sysinternals_procdump_lsass": { "name": "sigmahq/proc_creation_win_sysinternals_procdump_lsass", "description": "Detects suspicious uses of the SysInternals Procdump utility by using a special command line parameter in combination with the lsass.exe process. This way we are also able to catch cases in which the attacker has renamed the procdump executable. 
\n", "label": "Potential LSASS Process Dump Via Procdump", "behaviors": [], "mitre_attacks": [], "confidence": 2, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_sysinternals_psexec_paexec_escalate_system": { "name": "sigmahq/proc_creation_win_sysinternals_psexec_paexec_escalate_system", "description": "Detects suspicious commandline flags used by PsExec and PAExec to escalate a command line to LOCAL_SYSTEM rights\n", "label": "PsExec/PAExec Escalation to LOCAL SYSTEM", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_sysinternals_psexec_remote_execution": { "name": "sigmahq/proc_creation_win_sysinternals_psexec_remote_execution", "description": "Detects potential PsExec commands that initiate execution on remote systems via common commandline flags used by the utility\n", "label": "Potential PsExec Remote Execution", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_sysinternals_psexesvc_as_system": { "name": "sigmahq/proc_creation_win_sysinternals_psexesvc_as_system", "description": "Detects suspicious launch of the PSEXESVC service on this system and a sub process run as LOCAL_SYSTEM (-s), which means that someone remotely started a command on this system, running it with the highest privileges and not only the privileges of the login user account (e.g. 
the administrator account)\n", "label": "PsExec Service Child Process Execution as LOCAL SYSTEM", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_sysinternals_pssuspend_susp_execution": { "name": "sigmahq/proc_creation_win_sysinternals_pssuspend_susp_execution", "description": "Detects suspicious execution of Sysinternals PsSuspend, where the utility is used to suspend critical processes such as AV or EDR to bypass defenses\n", "label": "Sysinternals PsSuspend Suspicious Execution", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_sysinternals_sdelete": { "name": "sigmahq/proc_creation_win_sysinternals_sdelete", "description": "Detects the use of SDelete to erase a file not the free space\n", "label": "Potential File Overwrite Via Sysinternals SDelete", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_sysinternals_susp_psexec_paexec_flags": { "name": "sigmahq/proc_creation_win_sysinternals_susp_psexec_paexec_flags", "description": "Detects unknown program using commandline flags usually used by tools such as PsExec and PAExec to start programs with SYSTEM Privileges\n", "label": "Potential Privilege Escalation To LOCAL SYSTEM", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_sysinternals_sysmon_uninstall": { "name": "sigmahq/proc_creation_win_sysinternals_sysmon_uninstall", "description": "Detects the removal of Sysmon, which could be a potential attempt at defense evasion\n", "label": "Uninstall Sysinternals Sysmon", "behaviors": [], "mitre_attacks": [], "confidence": 1, 
"spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_systemsettingsadminflows_turn_on_dev_features": { "name": "sigmahq/proc_creation_win_systemsettingsadminflows_turn_on_dev_features", "description": "Detects when a user enables developer features such as \"Developer Mode\" or \"Application Sideloading\", which allow the user to install untrusted packages.\n", "label": "Potential Signing Bypass Via Windows Developer Features", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_taskkill_sep": { "name": "sigmahq/proc_creation_win_taskkill_sep", "description": "Detects one of the possible scenarios for disabling Symantec Endpoint Protection. Symantec Endpoint Protection antivirus software services incorrectly implement the protected service mechanism. As a result, the NT AUTHORITY\\SYSTEM user can execute the command \"taskkill /im ccSvcHst.exe /f\" several times, thereby killing the process belonging to the service and thus shutting down the service. 
\n", "label": "Taskkill Symantec Endpoint Protection", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_taskmgr_localsystem": { "name": "sigmahq/proc_creation_win_taskmgr_localsystem", "description": "Detects the creation of taskmgr.exe process in context of LOCAL_SYSTEM\n", "label": "Taskmgr as LOCAL_SYSTEM", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_tscon_localsystem": { "name": "sigmahq/proc_creation_win_tscon_localsystem", "description": "Detects a tscon.exe start as LOCAL SYSTEM\n", "label": "Suspicious TSCON Start as SYSTEM", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_tscon_rdp_redirect": { "name": "sigmahq/proc_creation_win_tscon_rdp_redirect", "description": "Detects a suspicious RDP session redirect using tscon.exe\n", "label": "Suspicious RDP Redirect Using TSCON", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_uac_bypass_changepk_slui": { "name": "sigmahq/proc_creation_win_uac_bypass_changepk_slui", "description": "Detects an UAC bypass that uses changepk.exe and slui.exe (UACMe 61)\n", "label": "UAC Bypass Using ChangePK and SLUI", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_uac_bypass_cleanmgr": { "name": "sigmahq/proc_creation_win_uac_bypass_cleanmgr", "description": "Detects the pattern of UAC Bypass using scheduled tasks and variable expansion of cleanmgr.exe (UACMe 34)\n", "label": "UAC Bypass Using Disk Cleanup", 
"behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_uac_bypass_cmstp": { "name": "sigmahq/proc_creation_win_uac_bypass_cmstp", "description": "Detect commandline usage of Microsoft Connection Manager Profile Installer (cmstp.exe) to install specially formatted local .INF files\n", "label": "Bypass UAC via CMSTP", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_uac_bypass_cmstp_com_object_access": { "name": "sigmahq/proc_creation_win_uac_bypass_cmstp_com_object_access", "description": "Detects UAC Bypass Attempt Using Microsoft Connection Manager Profile Installer Autoelevate-capable COM Objects (e.g. UACMe ID of 41, 43, 58 or 65)\n", "label": "CMSTP UAC Bypass via COM Object Access", "behaviors": [], "mitre_attacks": [], "confidence": 2, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_uac_bypass_computerdefaults": { "name": "sigmahq/proc_creation_win_uac_bypass_computerdefaults", "description": "Detects tools such as UACMe used to bypass UAC with computerdefaults.exe (UACMe 59)\n", "label": "UAC Bypass Tools Using ComputerDefaults", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_uac_bypass_consent_comctl32": { "name": "sigmahq/proc_creation_win_uac_bypass_consent_comctl32", "description": "Detects the pattern of UAC Bypass using consent.exe and comctl32.dll (UACMe 22)\n", "label": "UAC Bypass Using Consent and Comctl32 - Process", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_uac_bypass_dismhost": { "name": 
"sigmahq/proc_creation_win_uac_bypass_dismhost", "description": "Detects the pattern of UAC Bypass using DismHost DLL hijacking (UACMe 63)\n", "label": "UAC Bypass Using DismHost", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_uac_bypass_eventvwr_recentviews": { "name": "sigmahq/proc_creation_win_uac_bypass_eventvwr_recentviews", "description": "Detects the pattern of UAC Bypass using Event Viewer RecentViews\n", "label": "UAC Bypass Using Event Viewer RecentViews", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_uac_bypass_fodhelper": { "name": "sigmahq/proc_creation_win_uac_bypass_fodhelper", "description": "Identifies use of Fodhelper.exe to bypass User Account Control. Adversaries use this technique to execute privileged processes.\n", "label": "Bypass UAC via Fodhelper.exe", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_uac_bypass_icmluautil": { "name": "sigmahq/proc_creation_win_uac_bypass_icmluautil", "description": "Detects the pattern of UAC Bypass using ICMLuaUtil Elevated COM interface\n", "label": "UAC Bypass via ICMLuaUtil", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_uac_bypass_idiagnostic_profile": { "name": "sigmahq/proc_creation_win_uac_bypass_idiagnostic_profile", "description": "Detects the \"IDiagnosticProfileUAC\" UAC bypass technique\n", "label": "UAC Bypass Using IDiagnostic Profile", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, 
"sigmahq/proc_creation_win_uac_bypass_ieinstal": { "name": "sigmahq/proc_creation_win_uac_bypass_ieinstal", "description": "Detects the pattern of UAC Bypass using IEInstal.exe (UACMe 64)\n", "label": "UAC Bypass Using IEInstal - Process", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_uac_bypass_msconfig_gui": { "name": "sigmahq/proc_creation_win_uac_bypass_msconfig_gui", "description": "Detects the pattern of UAC Bypass using a msconfig GUI hack (UACMe 55)\n", "label": "UAC Bypass Using MSConfig Token Modification - Process", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_uac_bypass_ntfs_reparse_point": { "name": "sigmahq/proc_creation_win_uac_bypass_ntfs_reparse_point", "description": "Detects the pattern of UAC Bypass using NTFS reparse point and wusa.exe DLL hijacking (UACMe 36)\n", "label": "UAC Bypass Using NTFS Reparse Point - Process", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_uac_bypass_pkgmgr_dism": { "name": "sigmahq/proc_creation_win_uac_bypass_pkgmgr_dism", "description": "Detects the pattern of UAC Bypass using pkgmgr.exe and dism.exe (UACMe 23)\n", "label": "UAC Bypass Using PkgMgr and DISM", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_uac_bypass_trustedpath": { "name": "sigmahq/proc_creation_win_uac_bypass_trustedpath", "description": "Detects indicators of a UAC bypass method by mocking directories\n", "label": "TrustedPath UAC Bypass Pattern", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", 
"created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_uac_bypass_winsat": { "name": "sigmahq/proc_creation_win_uac_bypass_winsat", "description": "Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)\n", "label": "UAC Bypass Abusing Winsat Path Parsing - Process", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_uac_bypass_wmp": { "name": "sigmahq/proc_creation_win_uac_bypass_wmp", "description": "Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)\n", "label": "UAC Bypass Using Windows Media Player - Process", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_uac_bypass_wsreset": { "name": "sigmahq/proc_creation_win_uac_bypass_wsreset", "description": "Detects use of WSReset.exe to bypass User Account Control (UAC). Adversaries use this technique to execute privileged processes.\n", "label": "Bypass UAC via WSReset.exe", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_uac_bypass_wsreset_integrity_level": { "name": "sigmahq/proc_creation_win_uac_bypass_wsreset_integrity_level", "description": "Detects the pattern of UAC Bypass via WSReset usable by default sysmon-config\n", "label": "UAC Bypass WSReset", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_ultravnc_susp_execution": { "name": "sigmahq/proc_creation_win_ultravnc_susp_execution", "description": "Detects a suspicious UltraVNC command line flag combination that indicates an auto reconnect upon execution, e.g. 
startup (as seen being used by Gamaredon threat group)\n", "label": "Suspicious UltraVNC Execution", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_uninstall_crowdstrike_falcon": { "name": "sigmahq/proc_creation_win_uninstall_crowdstrike_falcon", "description": "Adversaries may disable security tools to avoid possible detection of their tools and activities by uninstalling Crowdstrike Falcon\n", "label": "Uninstall Crowdstrike Falcon Sensor", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_userinit_uncommon_child_processes": { "name": "sigmahq/proc_creation_win_userinit_uncommon_child_processes", "description": "Detects uncommon \"userinit.exe\" child processes, which could be a sign of uncommon shells or login scripts used for persistence.\n", "label": "Uncommon Userinit Child Process", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_vmware_toolbox_cmd_persistence_susp": { "name": "sigmahq/proc_creation_win_vmware_toolbox_cmd_persistence_susp", "description": "Detects execution of the \"VMwareToolBoxCmd.exe\" with the \"script\" and \"set\" flag to setup a specific script that's located in a potentially suspicious location to run for a specific VM state\n", "label": "Suspicious Persistence Via VMwareToolBoxCmd.EXE VM State Change Script", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_vmware_vmtoolsd_susp_child_process": { "name": "sigmahq/proc_creation_win_vmware_vmtoolsd_susp_child_process", "description": "Detects suspicious child process creations of VMware Tools process 
which may indicate persistence setup\n", "label": "VMToolsd Suspicious Child Process", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_vscode_tunnel_renamed_execution": { "name": "sigmahq/proc_creation_win_vscode_tunnel_renamed_execution", "description": "Detects renamed Visual Studio Code tunnel execution. Attackers can abuse this functionality to establish a C2 channel\n", "label": "Renamed Visual Studio Code Tunnel Execution", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_w32tm": { "name": "sigmahq/proc_creation_win_w32tm", "description": "When configured with suitable command line arguments, w32tm can act as a delay mechanism\n", "label": "Use of W32tm as Timer", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_wab_execution_from_non_default_location": { "name": "sigmahq/proc_creation_win_wab_execution_from_non_default_location", "description": "Detects execution of wab.exe (Windows Contacts) and Wabmig.exe (Microsoft Address Book Import Tool) from non default locations as seen with bumblebee activity\n", "label": "Wab Execution From Non Default Location", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_wab_unusual_parents": { "name": "sigmahq/proc_creation_win_wab_unusual_parents", "description": "Detects unusual parent or children of the wab.exe (Windows Contacts) and Wabmig.exe (Microsoft Address Book Import Tool) processes as seen being used with bumblebee activity\n", "label": "Wab/Wabmig Unusual Parent Or Child Processes", "behaviors": [], "mitre_attacks": [], 
"confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_wbadmin_delete_all_backups": { "name": "sigmahq/proc_creation_win_wbadmin_delete_all_backups", "description": "Detects the deletion of all backups or system state backups via \"wbadmin.exe\". This technique is used by numerous ransomware families and actors. This may only be successful on server platforms that have Windows Backup enabled. \n", "label": "All Backups Deleted Via Wbadmin.EXE", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_webshell_chopper": { "name": "sigmahq/proc_creation_win_webshell_chopper", "description": "Detects patterns found in process executions caused by China Chopper like tiny (ASPX) webshells\n", "label": "Chopper Webshell Process Pattern", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_webshell_hacking": { "name": "sigmahq/proc_creation_win_webshell_hacking", "description": "Detects certain parent child patterns found in cases in which a web shell is used to perform certain credential dumping or exfiltration activities on a compromised system \n", "label": "Webshell Hacking Activity Patterns", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_webshell_recon_commands_and_processes": { "name": "sigmahq/proc_creation_win_webshell_recon_commands_and_processes", "description": "Detects certain command line parameters often used during reconnaissance activity via web shells\n", "label": "Webshell Detection With Command Line Keywords", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", 
"created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_webshell_susp_process_spawned_from_webserver": { "name": "sigmahq/proc_creation_win_webshell_susp_process_spawned_from_webserver", "description": "Detects potentially suspicious processes being spawned by a web server process which could be the result of a successfully placed web shell or exploitation \n", "label": "Suspicious Process By Web Server Process", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_webshell_tool_recon": { "name": "sigmahq/proc_creation_win_webshell_tool_recon", "description": "Detects processes spawned from web servers (PHP, Tomcat, IIS, etc.) that perform reconnaissance looking for the existence of popular scripting tools (perl, python, wget) on the system via the help commands \n", "label": "Webshell Tool Reconnaissance Activity", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_werfault_lsass_shtinkering": { "name": "sigmahq/proc_creation_win_werfault_lsass_shtinkering", "description": "Detects potential credential dumping via Windows Error Reporting LSASS Shtinkering technique which uses the Windows Error Reporting to dump lsass\n", "label": "Potential Credential Dumping Via WER", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_wermgr_susp_exec_location": { "name": "sigmahq/proc_creation_win_wermgr_susp_exec_location", "description": "Detects suspicious Windows Error Reporting manager (wermgr.exe) execution location.\n", "label": "Suspicious Execution Location Of Wermgr.EXE", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 
14:55:42" }, "sigmahq/proc_creation_win_wget_download_direct_ip": { "name": "sigmahq/proc_creation_win_wget_download_direct_ip", "description": "Detects potentially suspicious file downloads directly from IP addresses using Wget.exe\n", "label": "Suspicious File Download From IP Via Wget.EXE", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_whoami_execution_from_high_priv_process": { "name": "sigmahq/proc_creation_win_whoami_execution_from_high_priv_process", "description": "Detects the execution of \"whoami.exe\" by privileged accounts that are often abused by threat actors\n", "label": "Whoami.EXE Execution From Privileged Process", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_whoami_priv_discovery": { "name": "sigmahq/proc_creation_win_whoami_priv_discovery", "description": "Detects a whoami.exe executed with the /priv command line flag instructing the tool to show all current user privileges. This is often used after a privilege escalation attempt.\n", "label": "Security Privileges Enumeration Via Whoami.EXE", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_winget_add_insecure_custom_source": { "name": "sigmahq/proc_creation_win_winget_add_insecure_custom_source", "description": "Detects usage of winget to add a new insecure (http) download source. 
Winget will not allow the addition of insecure sources, hence this could indicate potential suspicious activity (or typos) \n", "label": "Add Insecure Download Source To Winget", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_winrm_susp_child_process": { "name": "sigmahq/proc_creation_win_winrm_susp_child_process", "description": "Detects suspicious processes including shells spawned from WinRM host process\n", "label": "Suspicious Processes Spawned by WinRM", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_wmi_backdoor_exchange_transport_agent": { "name": "sigmahq/proc_creation_win_wmi_backdoor_exchange_transport_agent", "description": "Detects a WMI backdoor in Exchange Transport Agents via WMI event filters\n", "label": "WMI Backdoor Exchange Transport Agent", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_wmic_eventconsumer_creation": { "name": "sigmahq/proc_creation_win_wmic_eventconsumer_creation", "description": "Detects WMIC executions in which an event consumer gets created. 
This could be used to establish persistence\n", "label": "New ActiveScriptEventConsumer Created Via Wmic.EXE", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_wmic_namespace_defender": { "name": "sigmahq/proc_creation_win_wmic_namespace_defender", "description": "Detects potential tampering with Windows Defender settings such as adding exclusion using wmic\n", "label": "Potential Windows Defender Tampering Via Wmic.EXE", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_wmic_susp_execution_via_office_process": { "name": "sigmahq/proc_creation_win_wmic_susp_execution_via_office_process", "description": "Office application called wmic to proxy execution through a LOLBIN process. This is often used to break the suspicious parent-child chain (Office app spawns LOLBin).\n", "label": "Suspicious WMIC Execution Via Office Process", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_wmic_susp_process_creation": { "name": "sigmahq/proc_creation_win_wmic_susp_process_creation", "description": "Detects WMIC executing \"process call create\" with suspicious calls to processes such as \"rundll32\", \"regsrv32\", etc.\n", "label": "Suspicious Process Created Via Wmic.EXE", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_wmic_uninstall_security_products": { "name": "sigmahq/proc_creation_win_wmic_uninstall_security_products", "description": "Detects uninstallation or termination of security products using the WMIC utility\n", "label": "Potential Tampering With Security Products Via WMIC", "behaviors": 
[], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_wmiprvse_susp_child_processes": { "name": "sigmahq/proc_creation_win_wmiprvse_susp_child_processes", "description": "Detects suspicious and uncommon child processes of WmiPrvSE\n", "label": "Suspicious WmiPrvSE Child Process", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_wpbbin_potential_persistence": { "name": "sigmahq/proc_creation_win_wpbbin_potential_persistence", "description": "Detects execution of the binary \"wpbbin\" which is used as part of the UEFI based persistence method described in the reference section\n", "label": "UEFI Persistence Via Wpbbin - ProcessCreation", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_wscript_cscript_uncommon_extension_exec": { "name": "sigmahq/proc_creation_win_wscript_cscript_uncommon_extension_exec", "description": "Detects Wscript/Cscript executing a file with an uncommon (i.e. 
non-script) extension\n", "label": "Cscript/Wscript Uncommon Script Extension Execution", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_wuauclt_dll_loading": { "name": "sigmahq/proc_creation_win_wuauclt_dll_loading", "description": "Detects the use of the Windows Update Client binary (wuauclt.exe) for proxy execution.\n", "label": "Proxy Execution Via Wuauclt.EXE", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_wuauclt_no_cli_flags_execution": { "name": "sigmahq/proc_creation_win_wuauclt_no_cli_flags_execution", "description": "Detects suspicious Windows Update Agent activity in which a wuauclt.exe process command line doesn't contain any command line flags \n", "label": "Suspicious Windows Update Agent Empty Cmdline", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_wusa_cab_files_extraction_from_susp_paths": { "name": "sigmahq/proc_creation_win_wusa_cab_files_extraction_from_susp_paths", "description": "Detects the execution of the \"wusa.exe\" (Windows Update Standalone Installer) utility to extract \".cab\" files using the \"/extract\" argument from potentially suspicious paths. \n", "label": "Cab File Extraction Via Wusa.EXE From Potentially Suspicious Paths", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "sigmahq/proc_creation_win_xwizard_execution_non_default_location": { "name": "sigmahq/proc_creation_win_xwizard_execution_non_default_location", "description": "Detects the execution of Xwizard tool from a non-default directory. 
When executed from a non-default directory, this utility can be abused in order to side load a custom version of \"xwizards.dll\". \n", "label": "Xwizard.EXE Execution From Non-Default Location", "behaviors": [], "mitre_attacks": [], "confidence": 1, "spoofable": 0, "cti": true, "service": "windows", "created_at": "2024-12-05 14:55:42" }, "thespad/sshesame-bf": { "name": "thespad/sshesame-bf", "description": "Detect sshesame bruteforce", "label": "SSHesame Bruteforce", "behaviors": [ "ssh:bruteforce" ], "mitre_attacks": [ "TA0006:T1110" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "sshesame", "created_at": "2023-10-06 15:17:26" }, "thespad/sshesame-cmd": { "name": "thespad/sshesame-cmd", "description": "Detect sshesame commands", "label": "Sshesame Commands", "behaviors": [ "ssh:bruteforce" ], "mitre_attacks": [ "TA0002:T1059" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "sshesame", "created_at": "2023-10-06 15:17:26" }, "thespad/sshesame-input": { "name": "thespad/sshesame-input", "description": "Detect sshesame input spam", "label": "Sshesame Input Spam", "behaviors": [ "ssh:bruteforce" ], "mitre_attacks": [ "TA0002:T1059" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "sshesame", "created_at": "2023-10-06 15:17:26" }, "timokoessler/gitlab-bf": { "name": "timokoessler/gitlab-bf", "description": "Detect gitlab bruteforce", "label": "Gitlab Bruteforce", "behaviors": [ "vcs:bruteforce" ], "mitre_attacks": [ "TA0006:T1110" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "gitlab", "created_at": "2023-10-06 15:17:26" }, "timokoessler/gitlab-bf_user-enum": { "name": "timokoessler/gitlab-bf_user-enum", "description": "Detect gitlab user enum bruteforce", "label": "Gitlab User Enumeration", "behaviors": [ "vcs:bruteforce" ], "mitre_attacks": [ "TA0043:T1589", "TA0006:T1110" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "gitlab", "created_at": "2023-10-06 15:17:26" }, "timokoessler/mongodb-bf": { "name": 
"timokoessler/mongodb-bf", "description": "Detect mongodb bruteforce", "label": "MongoDB Bruteforce", "behaviors": [ "database:bruteforce" ], "mitre_attacks": [ "TA0006:T1110" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "mongodb", "created_at": "2023-10-06 15:17:26" }, "timokoessler/mongodb-bf_user-enum": { "name": "timokoessler/mongodb-bf_user-enum", "description": "Detect mongodb user enum bruteforce", "label": "MongoDB User Enumeration", "behaviors": [ "database:bruteforce" ], "mitre_attacks": [ "TA0043:T1589", "TA0006:T1110" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "mongodb", "created_at": "2023-10-06 15:17:26" }, "timokoessler/mongodb-bf_auth-db-enum": { "name": "timokoessler/mongodb-bf_auth-db-enum", "description": "Detect mongodb authentication database enum bruteforce", "label": "MongoDB Authentication Enumeration", "behaviors": [ "database:bruteforce" ], "mitre_attacks": [ "TA0043:T1589", "TA0006:T1110" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "mongodb", "created_at": "2023-10-06 15:17:26" }, "timokoessler/uptime-kuma-bf": { "name": "timokoessler/uptime-kuma-bf", "description": "Detect Uptime Kuma bruteforce", "label": "Uptime Kuma Bruteforce", "behaviors": [ "http:bruteforce" ], "mitre_attacks": [ "TA0006:T1110" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "uptime-kuma", "created_at": "2023-10-06 15:17:26" }, "timokoessler/uptime-kuma-bf_user-enum": { "name": "timokoessler/uptime-kuma-bf_user-enum", "description": "Detect Uptime Kuma user enum bruteforce", "label": "Uptime Kuma User Enumeration", "behaviors": [ "http:bruteforce" ], "mitre_attacks": [ "TA0043:T1589", "TA0006:T1110" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "uptime-kuma", "created_at": "2023-10-06 15:17:26" }, "xs539/bookstack-bf": { "name": "xs539/bookstack-bf", "description": "Detect bookstack bruteforce", "label": "Bookstack Bruteforce", "behaviors": [ "http:bruteforce" ], "mitre_attacks": [ 
"TA0006:T1110" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "bookstack", "created_at": "2023-10-06 18:53:50" }, "xs539/bookstack-bf_user-enum": { "name": "xs539/bookstack-bf_user-enum", "description": "Detect bookstack bruteforce", "label": "Bookstack User Enumeration", "behaviors": [ "http:bruteforce" ], "mitre_attacks": [ "TA0043:T1589" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "bookstack", "created_at": "2023-10-06 18:53:50" }, "xs539/joplin-server-bf": { "name": "xs539/joplin-server-bf", "description": "Detect Joplin Server bruteforce", "label": "Joplin Bruteforce", "behaviors": [ "http:bruteforce" ], "mitre_attacks": [ "TA0006:T1110" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "joplin", "created_at": "2023-10-06 18:53:50" }, "xs539/joplin-server-bf_user-enum": { "name": "xs539/joplin-server-bf_user-enum", "description": "Detect Joplin Server bruteforce", "label": "Joplin User Enumeration", "behaviors": [ "http:bruteforce" ], "mitre_attacks": [ "TA0043:T1589" ], "confidence": 3, "spoofable": 0, "cti": true, "service": "joplin", "created_at": "2023-10-06 18:53:50" } }