docs: 📚 Update from RedCannary
frack113 committed Nov 24, 2023
1 parent 59576e5 commit 38db81d
Showing 440 changed files with 4,436 additions and 1,607 deletions.
789 changes: 473 additions & 316 deletions Full_tests.csv

2 changes: 1 addition & 1 deletion md/tests/0be2230c-9ab3-4ac2-8826-3199b9a0ebf8.md
@@ -74,7 +74,7 @@ command_prompt

- win_susp_proc_access_lsass.yml (id: a18dd26b-6450-46de-8c91-9659150cf088)

- sysmon_lsass_memory_dump_file_creation.yml (id: 5e3d3601-0662-4af0-b1d2-36a05e90c40a)
- sysmon_lsass_memory_dump_file_creation.yml (id: a5a2d357-1ab8-4675-a967-ef9990a59391)

- sysmon_lsass_memdump.yml (id: 5ef9853e-4d0e-4a70-846f-a9ca37d876da)

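Review bot: the id for `sysmon_lsass_memory_dump_file_creation.yml` is swapped from 5e3d3601-0662-4af0-b1d2-36a05e90c40a to a5a2d357-1ab8-4675-a967-ef9990a59391 while the filename is kept, so the entry now carries an id that belongs to a different file: the same id appears in this commit under `file_event_lsass_dump.yml` (md/tests/dea6c349-... hunk). Sigma ids are the stable key and are meant to survive renames, so following a rule rename should change the filename and keep the id, not the reverse. Either update the name to `file_event_lsass_dump.yml` or drop the entry; re-pointing the id makes the list claim a rule that does not exist under that name. The same one-line edit is repeated in 2536dee2-..., 6502c8f0-..., 7cede33f-... and 86fc3f40-... and should be handled the same way.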
2 changes: 1 addition & 1 deletion md/tests/2536dee2-12fb-459a-8c37-971844fa73be.md
@@ -69,7 +69,7 @@ powershell

- sysmon_cred_dump_lsass_access.yml (id: 32d0d3e2-e58d-4d41-926b-18b520b2b32d)

- sysmon_lsass_memory_dump_file_creation.yml (id: 5e3d3601-0662-4af0-b1d2-36a05e90c40a)
- sysmon_lsass_memory_dump_file_creation.yml (id: a5a2d357-1ab8-4675-a967-ef9990a59391)

- sysmon_suspicious_dbghelp_dbgcore_load.yml (id: 0e277796-5f23-4e49-a490-483131d4f6e1)

2 changes: 1 addition & 1 deletion md/tests/6502c8f0-b775-4dbd-9193-1298f56b6781.md
@@ -75,7 +75,7 @@ powershell

- sysmon_accessing_winapi_in_powershell_credentials_dumping.yml (id: 3f07b9d1-2082-4c56-9277-613a621983cc)

- sysmon_lsass_memory_dump_file_creation.yml (id: 5e3d3601-0662-4af0-b1d2-36a05e90c40a)
- sysmon_lsass_memory_dump_file_creation.yml (id: a5a2d357-1ab8-4675-a967-ef9990a59391)

- sysmon_suspicious_dbghelp_dbgcore_load.yml (id: 0e277796-5f23-4e49-a490-483131d4f6e1)

2 changes: 1 addition & 1 deletion md/tests/7cede33f-0acd-44ef-9774-15511300b24b.md
@@ -68,7 +68,7 @@ command_prompt

- win_susp_proc_access_lsass.yml (id: a18dd26b-6450-46de-8c91-9659150cf088)

- sysmon_lsass_memory_dump_file_creation.yml (id: 5e3d3601-0662-4af0-b1d2-36a05e90c40a)
- sysmon_lsass_memory_dump_file_creation.yml (id: a5a2d357-1ab8-4675-a967-ef9990a59391)

- sysmon_lsass_memdump.yml (id: 5ef9853e-4d0e-4a70-846f-a9ca37d876da)

2 changes: 1 addition & 1 deletion md/tests/86fc3f40-237f-4701-b155-81c01c48d697.md
@@ -63,7 +63,7 @@ powershell

- sysmon_lsass_memdump.yml (id: 5ef9853e-4d0e-4a70-846f-a9ca37d876da)

- sysmon_lsass_memory_dump_file_creation.yml (id: 5e3d3601-0662-4af0-b1d2-36a05e90c40a)
- sysmon_lsass_memory_dump_file_creation.yml (id: a5a2d357-1ab8-4675-a967-ef9990a59391)



2 changes: 1 addition & 1 deletion md/tests/dea6c349-f1c6-44f3-87a1-1ed33a59a607.md
@@ -54,7 +54,7 @@ manual
# Sigma Rule
- sysmon_in_memory_assembly_execution.yml (id: 5f113a8f-8b61-41ca-b90f-d374fa7e4a39)

- sysmon_lsass_memory_dump_file_creation.yml (id: 5e3d3601-0662-4af0-b1d2-36a05e90c40a)
- sysmon_lsass_memory_dump_file_creation.yml (id: a5a2d357-1ab8-4675-a967-ef9990a59391)

- file_event_lsass_dump.yml (id: a5a2d357-1ab8-4675-a967-ef9990a59391)

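Review bot: after this edit the list holds two entries with the same id a5a2d357-1ab8-4675-a967-ef9990a59391 under different filenames (`sysmon_lsass_memory_dump_file_creation.yml` and `file_event_lsass_dump.yml`). Since the id is the stable key, that is one rule listed twice; keep the entry whose filename matches the current rule file and drop the other, rather than leaving a duplicate that any id-based lookup will count as two rules.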
63 changes: 31 additions & 32 deletions missing_tests.csv

3 changes: 2 additions & 1 deletion requirements.txt
@@ -1,2 +1,3 @@
pathlib
ruamel.yaml
ruamel.yaml
requests
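Review bot: `pathlib` should not be in requirements.txt. It has been part of the Python standard library since 3.4, and the PyPI package of that name is an unmaintained backport that shadows the stdlib module on old interpreters; drop it. `requests` is added with no version pin, and none of the entries is pinned, so the environment is not reproducible and silently picks up whatever is newest at install time; pin (`requests==<version>`) or commit a lock file. The repeated `ruamel.yaml` line is the delete/add pair from adding a trailing newline (1 deletion, 2 additions in the header), not a duplicate entry.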
466 changes: 307 additions & 159 deletions sigma_rule.csv

4 changes: 2 additions & 2 deletions yml/001a042b-859f-44d9-bf81-fd1c4e2200b0.yml
@@ -4,7 +4,7 @@ Attack_description: |-
Some archival libraries are preinstalled on systems, such as bzip2 on macOS and Linux, and zip on Windows. Note that the libraries are different from the utilities. The libraries can be linked against when compiling, while the utilities require spawning a subshell, or a similar execution mechanism.
guid: 001a042b-859f-44d9-bf81-fd1c4e2200b0
name: Compressing data using zipfile in Python (Linux)
name: Compressing data using zipfile in Python (FreeBSD/Linux)
tactic:
- collection
technique:
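Review bot: the name now says "FreeBSD/Linux", but this hunk does not show `- freebsd` being added under `os:` (the `os:` block sits in the next hunk, which changes only the executor). If the os list was not updated, the name claims a platform the metadata does not, and consumers that filter on `os:` will never see the FreeBSD variant; add the entry or keep the name Linux-only.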
@@ -14,6 +14,6 @@ os:
description: 'Uses zipfile from Python to compress files
'
executor: bash
executor: sh
sigma: false
sigma_rule: []
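Review bot: switching the executor from `bash` to `sh` means the command now runs under the platform's POSIX shell (`/bin/sh` on FreeBSD is not bash), so any bashism in it (arrays, `[[ ]]`, `$'...'`, `source`, `&>`) will break. The command itself is not in this file, so it cannot be checked here; confirm it was run under `sh` on both platforms before the executor is changed. The same remark applies to the identical `bash` → `sh` change in 0139dba1-... below.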
21 changes: 21 additions & 0 deletions yml/00682c9f-7df4-4df8-950b-6dcaaa3ad9af.yml
@@ -0,0 +1,21 @@
Attack_name: 'Command and Scripting Interpreter: Windows Command Shell'
Attack_description: |-
Adversaries may abuse the Windows command shell for execution. The Windows command shell ([cmd](https://attack.mitre.org/software/S0106)) is the primary command prompt on Windows systems. The Windows command prompt can be used to control almost any aspect of a system, with various permission levels required for different subsets of commands. The command prompt can be invoked remotely via [Remote Services](https://attack.mitre.org/techniques/T1021) such as [SSH](https://attack.mitre.org/techniques/T1021/004).(Citation: SSH in Windows)
Batch files (ex: .bat or .cmd) also provide the shell with a list of sequential commands to run, as well as normal scripting operations such as conditionals and loops. Common uses of batch files include long or repetitive tasks, or the need to run the same set of commands on multiple systems.
Adversaries may leverage [cmd](https://attack.mitre.org/software/S0106) to execute various commands and payloads. Common uses include [cmd](https://attack.mitre.org/software/S0106) to execute a single command, or abusing [cmd](https://attack.mitre.org/software/S0106) interactively with input and output forwarded over a command and control channel.
guid: '00682c9f-7df4-4df8-950b-6dcaaa3ad9af'
name: Command prompt writing script to file then executes it
tactic:
- execution
technique:
- T1059.003
os:
- windows
description: |--
Simulate DarkGate malware's second stage by writing a VBscript to disk directly from the command prompt then executing it.
The script will execute 'whoami' then exit.
executor: command_prompt
sigma: false
sigma_rule: []
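Review bot: `description: |--` in the new file is not a valid YAML block scalar header. The header takes at most one chomping indicator (`|-` or `|+`) and an optional single digit, so the second `-` is a syntax error, and PyYAML-derived parsers (ruamel.yaml, which this repo lists in requirements.txt, included) reject it with "expected chomping or indentation indicators". Change it to `|-`. Separately, `sigma: false` / `sigma_rule: []` ships a test that writes a .vbs from cmd.exe and executes it with no detection mapping at all; check the existing Sigma process-creation rules for script hosts before merging it as uncovered.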
2 changes: 1 addition & 1 deletion yml/00738d2a-4651-4d76-adf2-c43a41dfb243.yml
@@ -14,7 +14,7 @@ os:
description: 'This test uses wmic.exe to execute a DLL function using rundll32. Specify a valid value for remote IP using the node parameter.
'
executor: powershell
executor: command_prompt
sigma: true
sigma_rule:
- id: 526be59f-a573-4eea-b5f7-f0973207634d
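Review bot: changing `executor` from powershell to command_prompt also changes the process ancestry telemetry records (wmic.exe now has cmd.exe rather than powershell.exe as its parent, and no script-block log is produced). The mapping to 526be59f-a573-4eea-b5f7-f0973207634d is left untouched; if that rule keys on the parent image or the command-line shape, re-run the test and confirm it still matches, otherwise `sigma: true` overstates coverage.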
20 changes: 20 additions & 0 deletions yml/00cbb875-7ae4-4cf1-b638-e543fd825300.yml
@@ -0,0 +1,20 @@
Attack_name: Data from Local System
Attack_description: |
Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Adversaries may do this using a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), such as [cmd](https://attack.mitre.org/software/S0106) as well as a [Network Device CLI](https://attack.mitre.org/techniques/T1059/008), which have functionality to interact with the file system to gather information.(Citation: show_run_config_cmd_cisco) Adversaries may also use [Automated Collection](https://attack.mitre.org/techniques/T1119) on the local system.
guid: 00cbb875-7ae4-4cf1-b638-e543fd825300
name: Find and dump sqlite databases (Linux)
tactic:
- collection
technique:
- T1005
os:
- linux
description: 'An adversary may know/assume that the user of a system uses sqlite databases which contain interest and sensitive data. In this test we download two databases and a sqlite dump script, then
run a find command to find & dump the database content.
'
executor: bash
sigma: false
sigma_rule: []
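Review bot: wording in the description: "contain interest and sensitive data" should read "contain interesting and sensitive data", and "find & dump" → "find and dump". More substantively, the test downloads two databases and a dump script before the collection step, so a run will also generate ingress-tool-transfer telemetry (the download) that is not part of T1005; either say so in the description or stage the fixtures locally so the only behaviour exercised is the find-and-dump.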
4 changes: 2 additions & 2 deletions yml/00e3e3c7-6c3c-455e-bd4b-461c7f0e7797.yml
@@ -78,12 +78,12 @@ sigma_rule:
- id: e0f8ab85-0ac9-423b-a73a-81b3c7b1aa97
name: net_connection_win_binary_susp_com.yml
- id: 297afac9-5d02-4138-8c58-b977bac60556
name: file_event_win_susp_dropper.yml
name: file_event_win_susp_binary_dropper.yml
- id: a6a39bdb-935c-4f0a-ab77-35f4bbf44d33
name: proc_creation_win_susp_script_exec_from_temp.yml
- id: 64e8e417-c19a-475a-8d19-98ea705394cc
name: posh_pm_alternate_powershell_hosts.yml
- id: cbb56d62-4060-40f7-9466-d8aaf3123f83
name: image_load_susp_python_image_load.yml
- id: 91cb43db-302a-47e3-b3c8-7ede481e27bf
name: file_access_win_browser_credential_stealing.yml
name: file_access_win_browser_credential_access.yml
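Review bot: these two renames keep the id and change the filename (`file_event_win_susp_dropper.yml` → `file_event_win_susp_binary_dropper.yml`, `file_access_win_browser_credential_stealing.yml` → `file_access_win_browser_credential_access.yml`), which is the right way to follow a Sigma rule rename. The md/tests hunks earlier in this commit do the opposite for the lsass rule (keep the filename, swap the id); make them consistent with this hunk.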
23 changes: 23 additions & 0 deletions yml/0128e48e-8c1a-433a-a11a-a5387384f1e1.yml
@@ -0,0 +1,23 @@
Attack_name: Process Injection
Attack_description: "Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code
in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution
via process injection may also evade detection from security products since the execution is masked under a legitimate process. \n\nThere are many different ways to inject code into a process, many of
which abuse legitimate functionalities. These implementations exist for every major OS but are typically platform specific. \n\nMore sophisticated samples may perform multiple process injections to segment
modules and further evade detection, utilizing named pipes or other inter-process communication (IPC) mechanisms as a communication channel. "
guid: '0128e48e-8c1a-433a-a11a-a5387384f1e1'
name: Read-Write-Execute process Injection
tactic:
- defense-evasion
- privilege-escalation
technique:
- T1055
os:
- windows
description: "This test exploited the vulnerability in legitimate PE formats where sections have RWX permission and enough space for shellcode.\nThe RWX injection avoided the use of VirtualAlloc, WriteVirtualMemory,
and ProtectVirtualMemory, thus evading detection mechanisms \nthat relied on API call sequences and heuristics. The RWX injection utilises API call sequences: LoadLibrary --> GetModuleInformation -->
GetModuleHandleA --> RtlCopyMemory --> CreateThread.\nThe injected shellcode will open a message box and a notepad.\nRWX Process Injection, also known as MockingJay, was introduced to the security community
by SecurityJoes.\nMore details can be found at https://www.securityjoes.com/post/process-mockingjay-echoing-rwx-in-userland-to-achieve-code-execution.\nThe original injector and idea were developed for
game cheats, as visible at https://github.com/M-r-J-o-h-n/SWH-Injector.\n"
executor: powershell
sigma: false
sigma_rule: []
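Review bot: several API names in the description are not real ones. `WriteVirtualMemory` and `ProtectVirtualMemory` mix the Win32 and native forms; the functions are WriteProcessMemory / NtWriteVirtualMemory and VirtualProtect / NtProtectVirtualMemory. `RtlCopyMemory` is defined as a memcpy macro in winnt.h for user-mode code, so it is not an observable API call, and the chain ends in `CreateThread`, i.e. execution inside the injector's own process rather than a remote-thread injection; the description should say so, because it determines whether Sysmon CreateRemoteThread events are expected and is the real reason `sigma: false` is plausible. "exploited the vulnerability in legitimate PE formats" is also overstated: an RWX section in a legitimately signed DLL is a property the technique abuses, not a vulnerability. Tense: "This test exploits", not "exploited".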
13 changes: 8 additions & 5 deletions yml/0139dba1-f391-405e-a4f5-f3989f2c88ef.yml
@@ -1,10 +1,13 @@
Attack_name: Ingress Tool Transfer
Attack_description: "Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the
victim network through the command and control channel or through alternate protocols such as [ftp](https://attack.mitre.org/software/S0095). Once present, adversaries may also transfer/spread tools between
victim devices within a compromised environment (i.e. [Lateral Tool Transfer](https://attack.mitre.org/techniques/T1570)). \n\nFiles can also be transferred using various [Web Service](https://attack.mitre.org/techniques/T1102)s
as well as native or otherwise present tools on the victim system.(Citation: PTSecurity Cobalt Dec 2016)\n\nOn Windows, adversaries may use various utilities to download tools, such as `copy`, `finger`,
[certutil](https://attack.mitre.org/software/S0160), and [PowerShell](https://attack.mitre.org/techniques/T1059/001) commands such as <code>IEX(New-Object Net.WebClient).downloadString()</code> and <code>Invoke-WebRequest</code>.
On Linux and macOS systems, a variety of utilities also exist, such as `curl`, `scp`, `sftp`, `tftp`, `rsync`, `finger`, and `wget`.(Citation: t1105_lolbas)"
victim devices within a compromised environment (i.e. [Lateral Tool Transfer](https://attack.mitre.org/techniques/T1570)). \n\nOn Windows, adversaries may use various utilities to download tools, such
as `copy`, `finger`, [certutil](https://attack.mitre.org/software/S0160), and [PowerShell](https://attack.mitre.org/techniques/T1059/001) commands such as <code>IEX(New-Object Net.WebClient).downloadString()</code>
and <code>Invoke-WebRequest</code>. On Linux and macOS systems, a variety of utilities also exist, such as `curl`, `scp`, `sftp`, `tftp`, `rsync`, `finger`, and `wget`.(Citation: t1105_lolbas)\n\nAdversaries
may also abuse installers and package managers, such as `yum` or `winget`, to download tools to victim hosts.\n\nFiles can also be transferred using various [Web Service](https://attack.mitre.org/techniques/T1102)s
as well as native or otherwise present tools on the victim system.(Citation: PTSecurity Cobalt Dec 2016) In some cases, adversaries may be able to leverage services that sync between a web-based and an
on-premises client, such as Dropbox or OneDrive, to transfer files onto victim systems. For example, by compromising a cloud account and logging into the service's web portal, an adversary may be able
to trigger an automatic syncing process that transfers the file onto the victim's machine.(Citation: Dropbox Malware Sync)"
guid: '0139dba1-f391-405e-a4f5-f3989f2c88ef'
name: sftp remote file copy (pull)
tactic:
@@ -17,6 +20,6 @@ os:
description: 'Utilize sftp to perform a remote file copy (pull)
'
executor: bash
executor: sh
sigma: false
sigma_rule: []
22 changes: 22 additions & 0 deletions yml/015cd268-996e-4c32-8347-94c80c6286ee.yml
@@ -0,0 +1,22 @@
Attack_name: 'Software Discovery: Security Software Discovery'
Attack_description: |-
Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from [Security Software Discovery](https://attack.mitre.org/techniques/T1518/001) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Example commands that can be used to obtain security software information are [netsh](https://attack.mitre.org/software/S0108), <code>reg query</code> with [Reg](https://attack.mitre.org/software/S0075), <code>dir</code> with [cmd](https://attack.mitre.org/software/S0106), and [Tasklist](https://attack.mitre.org/software/S0057), but other indicators of discovery behavior may be more specific to the type of software or security system the adversary is looking for. It is becoming more common to see macOS malware perform checks for LittleSnitch and KnockKnock software.
Adversaries may also utilize cloud APIs to discover the configurations of firewall rules within an environment.(Citation: Expel IO Evil in AWS) For example, the permitted IP ranges, ports or user accounts for the inbound/outbound rules of security groups, virtual firewalls established within AWS for EC2 and/or VPC instances, can be revealed by the <code>DescribeSecurityGroups</code> action with various request parameters. (Citation: DescribeSecurityGroups - Amazon Elastic Compute Cloud)
guid: 015cd268-996e-4c32-8347-94c80c6286ee
name: Security Software Discovery - AV Discovery via Get-CimInstance and Get-WmiObject cmdlets
tactic:
- discovery
technique:
- T1518.001
os:
- windows
description: |
Discovery of installed antivirus products via Get-CimInstance and Get-WmiObject cmdlets of powershell.
when sucessfully executed, information about installed AV software is displayed..
executor: command_prompt
sigma: false
sigma_rule: []
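Review bot: the executor is `command_prompt`, but Get-CimInstance and Get-WmiObject are PowerShell cmdlets, so the command has to spawn powershell.exe from cmd.exe. That produces a different process tree (and script-block logging on the child) from a test declared with `executor: powershell`; either switch the executor or state in the description that the cmd-to-PowerShell hop is intended. Also, `Get-WmiObject` does not exist in PowerShell 7, so that half of the test only works under Windows PowerShell 5.1. Typos: "when sucessfully executed" → "When successfully executed", and the trailing ".." should be a single period.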
9 changes: 5 additions & 4 deletions yml/01993ba5-1da3-4e15-a719-b690d4f0f0b2.yml
@@ -1,8 +1,9 @@
Attack_name: 'Create Account: Local Account'
Attack_description: |-
Adversaries may create a local account to maintain access to victim systems. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service. With a sufficient level of access, the <code>net user /add</code> command can be used to create a local account. On macOS systems the <code>dscl -create</code> command can be used to create a local account. Local accounts may also be added to network devices, often via common [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands such as <code>username</code>.(Citation: cisco_username_cmd)
Such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.
Attack_description: "Adversaries may create a local account to maintain access to victim systems. Local accounts are those configured by an organization for use by users, remote support, services, or for
administration on a single system or service. \n\nFor example, with a sufficient level of access, the Windows <code>net user /add</code> command can be used to create a local account. On macOS systems
the <code>dscl -create</code> command can be used to create a local account. Local accounts may also be added to network devices, often via common [Network Device CLI](https://attack.mitre.org/techniques/T1059/008)
commands such as <code>username</code>, or to Kubernetes clusters using the `kubectl` utility.(Citation: cisco_username_cmd)(Citation: Kubernetes Service Accounts Security)\n\nSuch accounts may be used
to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system."
guid: '01993ba5-1da3-4e15-a719-b690d4f0f0b2'
name: Create a user account on a MacOS system
tactic:
2 changes: 1 addition & 1 deletion yml/0208ea60-98f1-4e8c-8052-930dce8f742c.yml
@@ -1,4 +1,4 @@
Attack_name: 'Indicator Removal on Host: Clear Linux or Mac System Logs'
Attack_name: 'Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs'
Attack_description: |
Adversaries may clear system logs to hide evidence of an intrusion. macOS and Linux both keep track of system or user-initiated actions via system logs. The majority of native system logging is stored under the <code>/var/log/</code> directory. Subfolders in this directory categorize logs by their related functions, such as:(Citation: Linux Logs)
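Review bot: Attack_name now adds FreeBSD, but the Attack_description context line still reads "macOS and Linux both keep track of system or user-initiated actions via system logs", so the name and body disagree. If the description is regenerated from ATT&CK, pull the updated text in the same commit; the same applies to 03013b4b-... below.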
2 changes: 1 addition & 1 deletion yml/0286eb44-e7ce-41a0-b109-3da516e05a5f.yml
@@ -13,8 +13,8 @@ tactic:
technique:
- T1560.001
os:
- macos
- linux
- macos
description: 'Encrypt data for exiltration
'
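Review bot: this hunk only reorders the `os:` list (linux before macos), which is harmless, but the context line "Encrypt data for exiltration" has a typo ("exfiltration") that could be fixed in the same pass.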
2 changes: 1 addition & 1 deletion yml/03013b4b-01db-437d-909b-1fdaa5010ee8.yml
@@ -1,4 +1,4 @@
Attack_name: 'Indicator Removal on Host: Clear Linux or Mac System Logs'
Attack_name: 'Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs'
Attack_description: |
Adversaries may clear system logs to hide evidence of an intrusion. macOS and Linux both keep track of system or user-initiated actions via system logs. The majority of native system logging is stored under the <code>/var/log/</code> directory. Subfolders in this directory categorize logs by their related functions, such as:(Citation: Linux Logs)
4 changes: 2 additions & 2 deletions yml/0451125c-b5f6-488f-993b-5a32b09f7d8f.yml
@@ -1,4 +1,4 @@
Attack_name: 'File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification'
Attack_name: 'File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification'
Attack_description: "Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.(Citation: Hybrid Analysis Icacls1 June 2018)(Citation:
Hybrid Analysis Icacls2 May 2018) File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL
implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.).\n\nMost Linux and Linux-based platforms provide a standard
@@ -14,8 +14,8 @@ tactic:
technique:
- T1222.002
os:
- macos
- linux
- macos
description: 'Changes a file or folder''s permissions recursively using chmod and a specified symbolic mode.
'
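Review bot: the name now includes FreeBSD, but the `os:` list in this same file (second hunk) still carries only `linux` and `macos`, merely reordered. Either `- freebsd` is missing or the name should not claim it; the os list is what consumers filter on, so the two must agree.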
21 changes: 21 additions & 0 deletions yml/078e69eb-d9fb-450e-b9d0-2e118217c846.yml
@@ -0,0 +1,21 @@
Attack_name: 'Scheduled Task/Job: Cron'
Attack_description: "Adversaries may abuse the <code>cron</code> utility to perform task scheduling for initial or recurring execution of malicious code.(Citation: 20 macOS Common Tools and Techniques)
The <code>cron</code> utility is a time-based job scheduler for Unix-like operating systems. The <code> crontab</code> file contains the schedule of cron entries to be run and the specified times for
execution. Any <code>crontab</code> files are stored in operating system-specific file paths.\n\nAn adversary may use <code>cron</code> in Linux or Unix environments to execute programs at system startup
or on a scheduled basis for [Persistence](https://attack.mitre.org/tactics/TA0003). "
guid: '078e69eb-d9fb-450e-b9d0-2e118217c846'
name: Cron - Add script to /etc/cron.d folder
tactic:
- execution
- persistence
- privilege-escalation
technique:
- T1053.003
os:
- linux
description: 'This test adds a script to /etc/cron.d folder configured to execute on a schedule.
'
executor: sh
sigma: false
sigma_rule: []
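Review bot: writing to /etc/cron.d requires root, yet nothing in this record says the test needs elevation; the description should state that it must run as root, otherwise the write fails and the test reports nothing useful. Confirm a cleanup step removes the dropped file, since a leftover /etc/cron.d entry keeps executing on schedule after the test. `sigma: false` also deserves a second look: a file creation under /etc/cron.d is exactly what Sigma's Linux file_event rules for cron persistence target, so check for an existing rule before marking the test uncovered.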