Cleaned up signature descriptions and metadata.

2026-06-10 01:47:15 +00:00 · 2020-12-05 21:45:38 -06:00
parent 08e20670ee
commit 4d6ac236bc
59 changed files with 284 additions and 285 deletions
@@ -1,18 +1,17 @@
 title: Account Access Removal
 description: Detects the deletion of a local user account or removal of Active Directory
-  groups through powershell cmdlets. No detection for account password resets for
-  purpose of impact due to false detections.
+  groups through powershell cmdlets.
 author: keyboardcrunch
 date: 10/10/2020
-modified: null
+modified: 05/12/2020
 mitre:
   tactic: Impact
   technique: T1531
-   subtechnique: null
+   subtechnique: 
 operating_system: windows
 query: SrcProcCmdline RegExp "net\s+user(?:(?!\s+/delete)(?:.|\n))*\s+/delete" OR
  TgtProcCmdLine  ContainsCIS "Remove-ADGroupMember" OR SrcProcCmdScript ContainsCIS
  "Remove-ADGroupMember"
-false_positives: null
-tags: null
-
+false_positives: 
+tags: 
+references:
@@ -1,22 +1,20 @@
 title: Account Manipulation
-description: Both Atomic tests for account manipulation rely on PowerShell AD module,
-  so we can catch both with one query. We have the query encapsulated so that we can
-  filter it at the end by Parent Process, as some Logon Scripts and Configuration
-  Items (SCOM, SCCM) may also cause noise. You may want to additionally filter out
-  certain SrcProcUser to reduce noise. What cannot be helped, CommandScript detection
-  on import of Powershell AD cmdlets.
+description: Detect account manipulation with the PowerShell AD module, filtered by Parent Process, as some Logon Scripts and Configuration Items (SCOM, SCCM) may also cause noise.
 author: keyboardcrunch
 date: 10/10/2020
-modified: null
+modified: 05/12/2020
 mitre:
   tactic: Persistence
   technique: T1098
-   subtechnique: null
+   subtechnique: 
 operating_system: windows
 query: ( SrcProcCmdLine In Contains Anycase ("New-ADUser","Rename-LocalUser","Set-LocalUser")
  OR SrcProcCmdScript In Contains Anycase ("New-ADUser","Rename-LocalUser","Set-LocalUser")
  OR SrcProcCmdLine RegExp "\bAdd-ADGroupMember\b.*\bDomain Admins\b" OR SrcProcCmdScript
  RegExp "\bAdd-ADGroupMember\b.*\bDomain Admins\b" ) AND SrcProcParentName Not In
  ("WmiPrvSE.exe","AppVClient.exe","svchost.exe","CompatTelRunner.exe")
-false_positives: null
-tags: null
+false_positives: 
+   - logon scripts
+   - Configuration Manager CI/BL Items
+tags:
+references:
@@ -1,8 +1,8 @@
 title: Allow Executable Through Defender Firewall
 author: keyboardcrunch
-description: Detect allowance of executables through Defender Firewall.
+description: Detect allowance of executables within Users or Temp folders through Defender Firewall.
 date: 10/10/2020
-modified: null
+modified: 05/12/2020
 mitre:
   tactic: Defense Evasion
   technique: T1562
@@ -10,6 +10,7 @@ mitre:
 operating_system: windows
 query: TgtProcName = "netsh.exe" AND TgtProcCmdLine ContainsCIS "add rule" AND TgtProcCmdLine
  ContainsCIS "program=" AND TgtProcCmdLine In Contains Anycase ("C:\Users","C:\Windows\Temp")
-false_positives: null
-tags: null
+false_positives: 
+tags: 
+references:

@@ -2,7 +2,7 @@ title: Allow SMB and RDP on Defender Firewall
 description: Detects addition of Defender firewall rules for SMB and RDP.
 author: keyboardcrunch
 date: 10/10/2020
-modified: null
+modified: 
 mitre:
   tactic: Defense Evasion
   technique: T1562
@@ -11,6 +11,6 @@ operating_system: windows
 query: (TgtProcName = "netsh.exe" AND TgtProcCmdLine ContainsCIS "remote desktop"
  AND TgtProcCmdLine ContainsCIS "enable=Yes") OR (TgtProcName = "netsh.exe" AND TgtProcCmdLine
  ContainsCIS "file and printer sharing" AND TgtProcCmdLine ContainsCIS "enable=Yes")
-false_positives: null
-tags: null
-
+false_positives: 
+tags: 
+references:
@@ -2,7 +2,7 @@ title: AMSI Bypass Through InitFailed
 description: Detects AMSI bypass through InitFailed.
 author: keyboardcrunch
 date: 10/10/2020
-modified: null
+modified: 
 mitre:
   tactic: Defense Evasion
   technique: T1562
@@ -10,6 +10,6 @@ mitre:
 operating_system: windows
 query: TgtProcCmdLine ContainsCIS "[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)"
  OR SrcProcCmdScript ContainsCIS "[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)"
-false_positives: null
-tags: null
-
+false_positives: 
+tags: 
+references:
@@ -2,15 +2,13 @@ title: Assoc Default File Change
 description: Detection of file association change through assoc command.
 author: keyboardcrunch
 date: 10/10/2020
-modified: null
+modified: 05/12/2020
 mitre:
   tactic: Privilege Escalation
   technique: T1546
   subtechnique: 008
 operating_system: windows
-query: '--- File assoc change by assoc command
-
-  TgtProcCmdLine ContainsCIS "assoc" and TgtProcCmdLine RegExp ".*=.*"'
+query: 'TgtProcCmdLine ContainsCIS "assoc" and TgtProcCmdLine RegExp ".*=.*"'
 false_positives: null
 tags: null

@@ -1,4 +1,4 @@
-title: Windows Command Shell
+title: Batchfile Execution from Temp
 description: Query for bat files executed from temp directories where SrcProcParentName isn't an executable we want to filter.
 author: keyboardcrunch
 date: 10/10/2020
@@ -1,10 +1,10 @@
 title: BITS Jobs
-description: The below query will find and remote content downloads from DesktopImgDownldr
+description: Detect remote content downloads from DesktopImgDownldr
  or BitsAdmin processes, Start-BitsTransfer cmdlet downloads, and excludes system
  processes and noise with SrcProcParentName Not In ().
 author: keyboardcrunch
 date: 10/10/2020
-modified: null
+modified: 05/12/2020
 mitre:
   tactic: Defense Evasion, Persistence
   technique: T1197
@@ -15,6 +15,7 @@ query: (( TgtProcName In Contains Anycase ("bitsadmin.exe","desktopimgdownldr.ex
  OR TgtProcCmdLine ContainsCIS "/setnotifycmdline " ) ) OR ( TgtProcName = "powershell.exe"
  AND TgtProcCmdLine ContainsCIS "Start-BitsTransfer" ) ) AND SrcProcParentName Not
  In ("services.exe","smss.exe","wininit.exe")
-false_positives: null
+false_positives: 
+   - Powershell file downloads
 tags: null

@@ -1,17 +1,16 @@
 title: Browser Extension Installation
-description: This query takes a lazy approach to detecting the staging of xpi or crx
-  extension packages for installation within Chrome and Firefox based browsers. Unsure
-  how to filter our extension updates without excluding too much.
+description: Lazy quyer for detecting the staging of xpi or crx
+  extension packages for installation within Chrome and Firefox based browsers.
 author: keyboardcrunch
 date: 10/10/2020
-modified: null
+modified: 05/12/2020
 mitre:
   tactic: Persistence
   technique: T1176
-   subtechnique: null
+   subtechnique: 
 operating_system: windows
 query: ( FileFullName RegExp "\bWebstore Downloads\b.*\.(crx)$" OR FileFullName RegExp
  "\bstaged\b.*\.(xpi)$" ) AND EventType = "File Creation"
-false_positives: null
-tags: null
+false_positives: 
+tags: 

@@ -1,12 +1,9 @@
 title: T1548.002 Bypass User Access Control
 description: Detection of UAC bypass through tampering with Shell Open for .ms-settings
-  or .msc file types. Beyond this Atomic test, and to further UAC bypass detection,
-  the below query includes detection for CMSTPLUA COM interface abuse by GUID. Noted
-  issues with Sentinel Agent 4.3.2.86 detecting by registry key. All registry key
-  paths were ControlSet001\Service\bam\State\UserSettings\GUID...
+  or .msc file types. Also includes detection for CMSTPLUA COM interface abuse by GUID.
 author: keyboardcrunch
 date: 10/10/2020
-modified: null
+modified: 05/12/2020
 mitre:
   tactic: Defense Evasion, Privilege Escalation
   technique: T1548
@@ -15,6 +12,6 @@ operating_system: windows
 query: (SrcProcCmdLine ContainsCIS "ms-settings\shell\open\command" OR SrcProcCmdLine
  ContainsCIS "mscfile\shell\open\command") OR (TgtProcDisplayName = "COM Surrogate"
  AND TgtProcCmdLine ContainsCIS "{3E5FC7F9-9A51-4367-9063-A120244FBEC7}")
-false_positives: null
-tags: null
+false_positives: 
+tags: 

@@ -1,9 +1,8 @@
 title: Change Shell Open RegKeys
-description: Detection of file association changes. Detection by registry is noisy
-  due to problem filtering on registry root, so install/uninstall apps create noise.
+description: Detection of file association changes.
 author: keyboardcrunch
 date: 10/10/2020
-modified: null
+modified: 05/12/2020
 mitre:
   tactic: Persistence
   technique: T1546
@@ -14,6 +13,7 @@ query: '--- File assoc change by registry
  RegistryKeyPath In Contains Anycase ( "\shell\open\command" , "\shell\print\command"
  , "\shell\printto\command" ) AND EventType In ( "Registry Value Create" , "Registry
  Value Modified" )'
-false_positives: null
-tags: null
+false_positives: 
+   - Un/install of some applications
+tags: 

@@ -1,11 +1,9 @@
 title: Clear Windows Event Logs
 description: Detects the clearing of EventLogs through wevtutil (concise) as well
-  as Clear-EventLog through CommandLine and CommandScript objects. Powershell cmdlet
-  detection returns a lot of noise for the CommandScripts object, so filtering out
-  SrcProcParentName may be required.
+  as Clear-EventLog through CommandLine and CommandScript objects. 
 author: keyboardcrunch
 date: 10/10/2020
-modified: null
+modified: 05/12/2020
 mitre:
   tactic: Defense Evasion
   technique: T1070
@@ -14,6 +12,7 @@ operating_system: windows
 query: (TgtProcName  = "wevtutil.exe" AND TgtProcCmdLine ContainsCIS "cl ") OR ((SrcProcCmdLine
  ContainsCIS "Clear-EventLog" OR SrcProcCmdScript ContainsCIS "Clear-EventLog") AND
  SrcProcParentName Not In ("WmiPrvSE.exe","PFERemediation.exe","svchost.exe"))
-false_positives: null
+false_positives: 
+   - SCOM built-in scripts
 tags: null

@@ -1,16 +0,0 @@
-title: CMSTP
-description: CMSTP is rarely used within my environment, so the below detection has
-  low false positives without filtering, though you may want to limit query to inf
-  files located in personal/writeable directories.
-author: keyboardcrunch
-date: 10/10/2020
-modified: null
-mitre:
-   tactic: Defense Evasion
-   technique: T1218
-   subtechnique: 003
-operating_system: windows
-query: SrcProcName = "cmstp.exe" AND SrcProcCmdLine RegExp "^.*\.(inf)"
-false_positives: null
-tags: null
-
@@ -0,0 +1,14 @@
+title: CMSTP Signed Binary Proxy Execution
+description: Detect execution through CMSTP installations with INF files.
+author: keyboardcrunch
+date: 10/10/2020
+modified: 05/12/2020
+mitre:
+   tactic: Defense Evasion
+   technique: T1218
+   subtechnique: 003
+operating_system: windows
+query: SrcProcName = "cmstp.exe" AND SrcProcCmdLine RegExp "^.*\.(inf)"
+false_positives: 
+tags: 
+
@@ -1,10 +1,8 @@
 title: Compiled HTML File
-description: Breaking down the below query, the first section will detect Atomic Test
-  1 where a malicious chm file spawns a process, whereas the second half of the query
-  detects hh.exe loading a remote payloads.
+description: Detect malicious chm file spawning a process or hh.exe loading a remote payloads.
 author: keyboardcrunch
 date: 10/10/2020
-modified: null
+modified: 05/12/2020
 mitre:
   tactic: Defense Evasion
   technique: T1218
@@ -12,6 +10,6 @@ mitre:
 operating_system: windows
 query: (SrcProcName = "hh.exe" AND EventType = "Open Remote Process Handle") OR (SrcProcName
  = "hh.exe" AND SrcProcCmdLine RegExp "https?:\/\/(www\.)?[-a-zA-Z0-9@:%._\+~#=]{1,256}\.[a-zA-Z0-9()]{1,6}\b([-a-zA-Z0-9()@:%_\+.~#?&//=]*)")
-false_positives: null
-tags: null
+false_positives: 
+tags: 

@@ -1,11 +1,10 @@
-title: Compile After Delivery
-description: Both Atomic tests for this technique leverage csc.exe for compilation
-  of code. The below will detect specific compilation of executables as well as dynamic
+title: CSC Compile After Delivery
+description: Detect specific compilation of executables as well as dynamic
  compilation through detection of csc.exe creating executable files (both dll and
-  exe). Filter noise from later portion of query using SrcProcParentName Not In ().
+  exe). 
 author: keyboardcrunch
 date: 10/10/2020
-modified: null
+modified: 05/12/2020
 mitre:
   tactic: Defense Evasion
   technique: T1027
@@ -13,6 +12,7 @@ mitre:
 operating_system: windows
 query: (TgtProcName = "csc.exe" AND SrcProcCmdLine Contains "/target:exe") OR (SrcProcName  =
  "csc.exe" AND TgtFileIsExecutable = "true" AND SrcProcParentName Not In ("svchost.exe"))
-false_positives: null
+false_positives: 
+   - Absolute/Computrace software.
 tags: null

@@ -1,19 +1,17 @@
 title: Deobfuscate or Decode Files
-description: This Atomic tests detections of certutil encoding and decoding of executables,
-  and the replication of certutil for bypassing detection of executable encoding.
-  Our query below will detected renamed certutil through matching of DisplayName,
-  as well as encoding or decoding of exe files.
+description: Detect certutil encoding and decoding of executables,
+  or use of renamed certutil.exe for bypassing detections.
 author: keyboardcrunch
 date: 10/10/2020
-modified: null
+modified: 05/12/2020
 mitre:
   tactic: Defense Evasion
   technique: T1140
-   subtechnique: null
+   subtechnique: 
 operating_system: windows
 query: (TgtProcName != "certutil.exe" AND TgtProcDisplayName = "CertUtil.exe") OR
  ( TgtProcDisplayName = "CertUtil.exe" AND (TgtProcCmdLine RegExp "^.*(-decode).*\.(exe)"
  OR TgtProcCmdLine RegExp "^.*(-encode).*\.(exe)") )
-false_positives: null
-tags: null
+false_positives: 
+tags: 

@@ -1,14 +1,14 @@
 title: Disable Defender Firewall
-description: Detection on disabling Microsoft Defender Firewall.
+description: Detect disabling Microsoft Defender Firewall.
 author: keyboardcrunch
 date: 10/10/2020
-modified: null
+modified: 05/12/2020
 mitre:
   tactic: Defense Evasion
   technique: T1562
   subtechnique: 004
 operating_system: windows
 query: TgtProcName = "netsh.exe" AND TgtProcCmdLine ContainsCIS "state off"
-false_positives: null
-tags: null
+false_positives: 
+tags: 

@@ -1,8 +1,8 @@
 title: Disable Sysmon
-description: Detection of disabling the Sysmon driver or service.
+description: Detects disabling of the Sysmon driver or service.
 author: keyboardcrunch
 date: 10/10/2020
-modified: null
+modified: 05/12/2020
 mitre:
   tactic: Defense Evasion
   technique: T1562
@@ -10,6 +10,6 @@ mitre:
 operating_system: windows
 query: (TgtProcName = "fltmc.exe" AND TgtProcCmdLine ContainsCIS "unload SysmonDrv")
  OR (TgtProcName = "sysmon.exe" AND TgtProcCmdLine ContainsCIS "-u")
-false_positives: null
-tags: null
+false_positives: 
+tags: 

@@ -1,8 +1,8 @@
 title: DLL Search Order Hijacking
-description: Detection of common DLL search order hijacks.
+description: Detection of common DLL search order hijacks, currently only amsi.dll.
 author: keyboardcrunch
 date: 10/10/2020
-modified: null
+modified: 05/12/2020
 mitre:
   tactic: Defense Evasion, Persistence, Privilege Escalation
   technique: T1574
@@ -10,6 +10,6 @@ mitre:
 operating_system: windows
 query: (FileFullName ContainsCIS "amsi.dll" AND FileFullName Does Not ContainCIS "System32")
  AND EventType = "File Creation"
-false_positives: null
-tags: null
+false_positives: 
+tags: 

@@ -1,16 +0,0 @@
-title: DLL Side-Loading of Notepad++ GUP.exe
-description: Detection for GUP.exe side-loading a dll, where executable has a display
-  name of "WinGup for Notepad++" and has non-standard source process. Keep an eye
-  on Cross Process events.
-author: keyboardcrunch
-date: 10/10/2020
-modified: null
-mitre:
-   tactic: Defense Evasion, Persistence, Privilege Escalation
-   technique: T1574
-   subtechnique: 002
-operating_system: windows
-query: TgtProcDisplayName ContainsCIS "WinGup" and SrcProcName Not In ("notepad++.exe","explorer.exe","lsass.exe","csrss.exe","svchost.exe","WerFault.exe")
-false_positives: null
-tags: null
-
@@ -0,0 +1,14 @@
+title: DLL Side-Loading of Notepad++ GUP.exe
+description: Detection of GUP.exe updater from Notepad++ being used for side-loading a dll.
+author: keyboardcrunch
+date: 10/10/2020
+modified: 05/12/2020
+mitre:
+   tactic: Defense Evasion, Persistence, Privilege Escalation
+   technique: T1574
+   subtechnique: 002
+operating_system: windows
+query: TgtProcDisplayName = "WinGup for Notepad++" and SrcProcName Not In ("notepad++.exe","explorer.exe","lsass.exe","csrss.exe","svchost.exe","WerFault.exe")
+false_positives: null
+tags: null
+
@@ -2,7 +2,7 @@ title: Edge or IE Credential Extraction with PowerShell
 description: Detects the extraction of Edge or Internet Explorer PasswordVault credentials with PowerShell.
 author: keyboardcrunch
 date: 24/11/2020
-modified:
+modified: 05/12/2020
 mitre: 
   tactic: Credential Access
   technique: T1555
@@ -10,8 +10,6 @@ mitre:
 operating_system: windows
 query: SrcProcCmdScript ContainsCIS "Windows.Security.Credentials.PasswordVault" OR SrcProcCmdScript ContainsCIS "RetrievePassword"
 false_positives:
-   - 
 tags:
-   - 
 references:
   - https://github.com/HanseSecure/credgrap_ie_edge
@@ -1,9 +1,9 @@
 title: Group Policy Preference Cred Extraction
-description: Detection focuses on sysvol GP Policy xml file enumeration, with findstr
+description: Detection of sysvol GP Policy xml file enumeration, with findstr
  or Get-GPPPassword (Alias or CmdScript internal match).
 author: keyboardcrunch
 date: 10/10/2020
-modified: null
+modified: 05/12/2020
 mitre:
   tactic: Credential Access
   technique: T1552
@@ -12,6 +12,6 @@ operating_system: windows
 query: TgtProcCmdline RegExp "^.*\/S cpassword.*\\sysvol\\.*.xml" OR TgtProcCmdline
  ContainsCIS "Get-GPPPassword" OR SrcProcCmdScript ContainsCIS "Get-ChildItem -Path
  \"\\$Server\SYSVOL\" -Recurse -ErrorAction SilentlyContinue -Include 'Groups.xml','Services.xml','Scheduledtasks.xml','DataSources.xml','Printers.xml','Drives.xml'"
-false_positives: null
-tags: null
+false_positives: 
+tags: 

@@ -3,16 +3,17 @@ description: Detects the use of vssadmin, wbadmin, bcdedit and powershell deleti
  of shadowcopy content and disabling of system recovery.
 author: keyboardcrunch
 date: 10/10/2020
-modified: null
+modified: 05/12/2020
 mitre:
   tactic: Impact
   technique: T1490
-   subtechnique: null
+   subtechnique: 
 operating_system: windows
 query: TgtProcCmdLine In Contains Anycase ("delete shadows","shadowcopy delete","delete
  catalog","recoveryenabled no") OR (TgtProcCmdLine ContainsCIS "Win32_ShadowCopy"
  AND TgtProcCmdLine ContainsCIS "Delete()") OR (SrcProcCmdScript ContainsCIS "Win32_ShadowCopy"
  AND SrcProcCmdScript ContainsCIS "Delete()")
-false_positives: null
-tags: null
+false_positives: 
+   - Manual backup or recovery through shadowcopy
+tags: 

@@ -1,13 +1,9 @@
 title: Invoke-MalDoc
-description: This execution of macro code using Invoke-MalDoc triggers S1 T1027 Evasion
-  Indicator, so we could RegEx on IndicatorMetadata but that'd have noise. The query
-  should only be used for threat hunting, but it will detect Macro security settings
-  changes to the registry for Word and Excel as well as detecting COM objects within
-  ComandLine and CommandScript indicator objects. There may be a lot of results, focus
-  on Indicators and Command Scripts objects as they'll have less false positives.
+description: Detection of Invoke-MalDoc.ps1, complementary to T1027 Evasion
+  Indicator built into SentinelOne Agent.
 author: keyboardcrunch
 date: 10/10/2020
-modified: null
+modified: 05/12/2020
 mitre:
   tactic: Initial Access
   technique: T1566
@@ -17,6 +13,8 @@ query: (RegistryPath In Contains ("Word\Security\AccessVBOM","Excel\Security\Acc
  AND EventType In ("Registry Value Create","Registry Value Modified")) OR (SrcProcCmdLine
  In Contains Anycase ("ActiveVBProject.VBComponents","Word.Application","Excel.Application")
  OR SrcProcCmdScript In Contains Anycase ("ActiveVBProject.VBComponents","Word.Application","Excel.Application"))
-false_positives: null
-tags: null
+false_positives: 
+   - Macro security setting changes
+   - Powershell automation of Office docs
+tags: 

@@ -1,10 +1,9 @@
 title: Kill Eventlog Service Threads
-description: Detection is specific to Invoke-Phant0m strings as the test uses it,
-  and we're hoping to catch renamed and obfuscated versions by catching the TerminateThread
-  call.
+description: Invoke-Phant0m specific detection (currently), catches renamed and obfuscated 
+  versions by querying for the TerminateThread call.
 author: keyboardcrunch
 date: 10/10/2020
-modified: null
+modified: 05/12/2020
 mitre:
   tactic: Defense Evasion
   technique: T1562
@@ -12,6 +11,6 @@ mitre:
 operating_system: windows
 query: SrcProcCmdLine ContainsCIS "Invoke-Phant0m" OR SrcProcCmdScript ContainsCIS
  "$Kernel32::TerminateThread($getThread" OR SrcProcCmdScript ContainsCIS "Invoke-Phant0m"
-false_positives: null
-tags: null
+false_positives: 
+tags: 

@@ -5,13 +5,14 @@ description: LaZagne happens to spawn 3 cmd shells to save security, system and
  location.
 author: keyboardcrunch
 date: 10/10/2020
-modified: null
+modified: 05/12/2020
 mitre:
   tactic: Credential Access
   technique: T1552
   subtechnique: 001
 operating_system: windows
 query: TgtProcCmdline Contains "reg.exe save hklm\s" OR TgtFilePath Contains "lazagne.exe.manifest"
-false_positives: null
-tags: null
+false_positives: 
+   - Full registry exports
+tags: 

@@ -1,8 +1,8 @@
 title: Local Account Added Windows
-description: Query below we'll query all instances of local accounts being created.
+description: Detect all instances of local accounts being created.
 author: keyboardcrunch
 date: 10/10/2020
-modified: null
+modified: 05/12/2020
 mitre:
   tactic: Persistence
   technique: T1136
@@ -11,6 +11,7 @@ operating_system: windows
 query: SrcProcCmdLine In Contains Anycase ("net user /add","New-LocalUser")
  OR SrcProcCmdLine RegExp "\bdscl\b.*\b/\create\b" OR SrcProcCmdLine RegExp "\bnet
  localgroup administrators\b.*\b\/add\b"
-false_positives: General account maintenance.
-tags: null
+false_positives: 
+   - General account maintenance.
+tags: 

@@ -1,15 +1,14 @@
 title: T1003.004 LSA Secrets
-description: For simplicity, we're detecting a Cmdline used for both psexec (the test)
-  as well as direct reg.exe LSA extraction.
+description: Detect direct LSA extraction with reg.exe.
 author: keyboardcrunch
 date: 10/10/2020
-modified: null
+modified: 05/12/2020
 mitre:
   tactic: Credential Access
   technique: T1003
   subtechnique: 004
 operating_system: windows
 query: TgtProcCmdLine ContainsCIS "save HKLM\security\policy\secrets"
-false_positives: null
-tags: null
+false_positives: 
+tags: 

@@ -1,5 +1,5 @@
 title: LSASS Memory Dumping
-description: Detection of wce by hash, procdump, comsvc, dumpert, mimikatz, pypykatz, and werfault all in one query.
+description: Detection of wce (by hash), procdump, comsvc, dumpert, mimikatz, pypykatz, and werfault for LSASS dumping all in one query.
 author: keyboardcrunch
 date: 10/10/2020
 modified: null
@@ -1,10 +1,9 @@
 title: Malicious Documents
-description: The tests for this technique overlap heavily with T1566.001 Spearphishing
-  Attachment due to similar download and macro detections, so here we're focusing
-  on detecting Office applications launching processes.
+description: Detect high risk processes spawned from Office applications. Complementary to T1566.001 Spearphishing
+  Attachment due to similar download and macro detections.
 author: keyboardcrunch
 date: 10/10/2020
-modified: null
+modified: 05/12/2020
 mitre:
   tactic: Execution
   technique: T1204
@@ -13,6 +12,9 @@ operating_system: windows
 query: (SrcProcParentName In Contains ("WINWORD.EXE","EXCEL.EXE") AND SrcProcName
  In Contains Anycase ("cmd.exe","cscript.exe","wscript.exe","certutil.exe","powershell.exe","msbuild.exe","csc.exe"))
  OR IndicatorName = "SuspiciousDocument"
-false_positives: Legit docs with macros.
-tags: null
+false_positives: 
+   - Legit docs with macros.
+   - McAfee DLP hits on links opened from docs.
+   - Office plugins opening sites within browsers.
+tags: 

@@ -0,0 +1,16 @@
+title: Modified SysInternals AccessChk
+description: Detection of renamed AccessChk.exe, can be used for retrieval of the Chrome password db
+  as well as other privileged files.
+author: keyboardcrunch
+date: 10/10/2020
+modified: 05/12/2020
+mitre:
+   tactic: Credential Access
+   technique: T1555
+   subtechnique: 003
+operating_system: windows
+query: TgtProcName = "accesschk.exe" AND TgtProcDisplayName != "Reports effective
+  permissions for securable objects"
+false_positives: 
+tags: 
+
@@ -1,17 +0,0 @@
-title: Modified SysInternals AccessChk Chrome password collector
-description: To focus on detection, we're looking for AccessChk.exe where the DisplayName
-  does not match that of the original. There's 4X as many Cross_Process objects with
-  this query but none detect the collection of the Chrome password db.
-author: keyboardcrunch
-date: 10/10/2020
-modified: null
-mitre:
-   tactic: Credential Access
-   technique: T1555
-   subtechnique: 003
-operating_system: windows
-query: TgtProcName = "accesschk.exe" AND TgtProcDisplayName != "Reports effective
-  permissions for securable objects"
-false_positives: null
-tags: null
-
@@ -1,12 +1,11 @@
 title: Msiexec Remote MSI
-description: The below query will accurately detect execution of remote msi files
-  by msiexec.exe. The second half of the query aims to detect processes spawned by
-  msi files instead of dll files in the CommandLine (as that is very noisy) and may
-  return a bit of noise within for the CrossProcess Object as some auto-update processes
-  may be collected by this query.
+description: Detect execution of remote msi files by msiexec.exe. The second 
+  half of the query aims to detect processes spawned by msi files instead of dll files
+  in the CommandLine (as that is very noisy) and may return a bit of noise within
+  for the CrossProcess Object as some auto-update processes may be collected by this query.
 author: keyboardcrunch
 date: 10/10/2020
-modified: null
+modified: 05/12/2020
 mitre:
   tactic: Defense Evasion
   technique: T1218
@@ -15,6 +14,7 @@ operating_system: windows
 query: ( SrcProcName = "msiexec.exe" AND SrcProcCmdLine RegExp "https?:\/\/(www\.)?[-a-zA-Z0-9@:%._\+~#=]{1,256}\.[a-zA-Z0-9()]{1,6}\b([-a-zA-Z0-9()@:%_\+.~#?&//=]*)"
  ) OR (SrcProcName RegExp "^.*\.(tmp)" AND EventType = "Open Remote Process Handle"
  AND SrcProcParentName = "msiexec.exe")
-false_positives: null
-tags: null
+false_positives: 
+   - Auto-update processes
+tags: 

@@ -1,10 +1,9 @@
 title: Non-Windows Control Panel Item
-description: The below query will find all cpl files outside standard directories
-  and all cpl files executed outside of Windows directories. First portion of query
-  may need to be dropped if there's too much noise in your environment.
+description: Detect cpl files outside standard Windows directories. First portion
+  of query may need to be dropped if there is too much noise in your environment.
 author: keyboardcrunch
 date: 10/10/2020
-modified: null
+modified: 05/12/2020
 mitre:
   tactic: Defense Evasion
   technique: T1218
@@ -14,6 +13,7 @@ query: (TgtFileExtension = "cpl" AND TgtFilePath Does Not ContainCIS "C:\Windows
  AND TgtFilePath Does Not ContainCIS "C:\Program Files" AND TgtFilePath Does Not
  ContainCIS "C:\$WINDOWS.~BT") OR (SrcProcName = "control.exe" AND SrcProcCmdLine
  ContainsCIS ".cpl" AND SrcProcCmdLine Does Not ContainCIS "C:\Windows")
-false_positives: null
-tags: null
+false_positives: 
+   - Applications bringing their own cpl files
+tags: 

@@ -1,6 +1,5 @@
 title: NTDS Copy
-description: We won't bother detecting VSS copies being created, rather detecting
-  credential file copies. NTDS.dit or SYSTEM whether a VSS copy or not.
+description: Detection of credential file copies, either NTDS.dit or SYSTEM whether a VSS copy or not.
 author: keyboardcrunch
 date: 10/10/2020
 modified: null
@@ -1,8 +1,8 @@
 title: Open Local Port on Defender Firewall
-description: Detection of opening of local ports within Defender Firewall.
+description: Detect opening of local ports within Defender Firewall.
 author: keyboardcrunch
 date: 10/10/2020
-modified: null
+modified: 05/12/2020
 mitre:
   tactic: Defense Evasion
   technique: T1562
@@ -10,6 +10,7 @@ mitre:
 operating_system: windows
 query: TgtProcName = "netsh.exe" AND TgtProcCmdLine ContainsCIS "add rule" AND TgtProcCmdLine
  ContainsCIS "dir=in" AND TgtProcCmdLine ContainsCIS "localport="
-false_positives: null
-tags: null
+false_positives: 
+   - Application installs requiring listening ports.
+tags: 

@@ -10,8 +10,7 @@ mitre:
 operating_system: windows
 query: ( EventType In("File Creation", "File Modification") AND TgtFilePath Contains Anycase "\Roaming\Microsoft\Outlook" AND TgtFilePath EndsWith Anycase ".otm" ) OR ( EventType In ("Registry Value Create","Registry Value Modified") AND RegistryKeyPath ContainsCIS "Outlook\Security\Level" )
 false_positives:
-   - Possible legit uses of macros for sorting/saving emails.
-tags:
-   - 
+   - Possible legit uses of macros for sorting or saving emails.
+tags: 
 references:
   - https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/
@@ -4,7 +4,7 @@ description: Detects parent PID spoofing through Cross Process indicators (SrcPr
  through Command Scripts indicators. Update the TgtProcName list to filter noise.
 author: keyboardcrunch
 date: 10/10/2020
-modified: null
+modified: 05/12/2020
 mitre:
   tactic: Defense Evasion, Privilege Escalation
   technique: T1134
@@ -15,6 +15,7 @@ query: (TgtProcRelation = "not_in_storyline" AND EventType = "Open Remote Proces
  AND TgtProcName != "sihost.exe" And TgtProcIntegrityLevel  != "LOW" AND TgtProcName
  Not In ("SystemSettings.exe")) OR (SrcProcCmdScript ContainsCIS "PPID-Spoof" AND
  SrcProcCmdScript ContainsCIS "hSpoofParent = [Kernel32]::OpenProcess")
-false_positives: null
-tags: null
+false_positives: 
+   - Cross Process indicators are noisy
+tags: 

@@ -1,12 +1,11 @@
-title: Powershell MalDoc
-description: This test merely uses Powershell to download a maldoc, the below query
+title: Powershell Download Cradles
+description: Detects usage of Powershell to download a malicious files. The below query
  will find CommandLine or CommandScript downloads using multiple cradle methods as
-  documented here by HarmJ0y https://gist.github.com/HarmJ0y/bb48307ffa663256e239.
-  The below query should only be used for hunting purposes and covers most unobfuscated
-  powershell cradles.
+  documented here HarmJ0y. This query should only be used for hunting purposes 
+  and covers most unobfuscated powershell cradles.
 author: keyboardcrunch
 date: 10/10/2020
-modified: null
+modified: 05/12/2020
 mitre:
   tactic: Initial Access
   technique: T1566
@@ -16,6 +15,7 @@ query: (SrcProcCmdLine In Contains Anycase ("Net.WebClient","(iwr","DownloadStri
  (","InternetExplorer.Application","Msxml2.XMLHTTP","MSXML2.ServerXMLHTTP") OR SrcProcCmdScript
  In Contains Anycase ("Net.WebClient","(iwr","DownloadString(","WinHttp.WinHttpRequest","IEX
  (","InternetExplorer.Application","Msxml2.XMLHTTP","MSXML2.ServerXMLHTTP"))
-false_positives: null
-tags: null
-
+false_positives: 
+tags: 
+references:
+   - https://gist.github.com/HarmJ0y/bb48307ffa663256e239
@@ -1,5 +1,5 @@
 title: PowerShell GUI Input Capture
-description: Focusing here on detecting the Powershell UI.PromptForCredential and
+description: Detect usage of Powershell UI.PromptForCredential and
  GetNetworkCredential().Password in CmdScript or CmdLine.
 author: keyboardcrunch
 date: 10/10/2020
@@ -2,14 +2,15 @@ title: PowerShell HTTP Form Submission
 description: Detection of powershell data POST and PUT with Invoke-WebRequest.
 author: keyboardcrunch
 date: 10/10/2020
-modified: null
+modified: 
 mitre:
   tactic: Exfiltration
   technique: T1020
-   subtechnique: null
+   subtechnique: 
 operating_system: windows
 query: SrcProcCmdLine ContainsCIS "Invoke-WebRequest" AND (SrcProcCmdLine ContainsCIS
  "-Method Put" OR SrcProcCmdLine ContainsCIS "-Method Post")
-false_positives: PowerShell HTTP form submissions.
-tags: null
+false_positives: 
+   - PowerShell HTTP form submissions.
+tags: 

@@ -2,7 +2,7 @@ title: PowerShell TimeStomping
 description: Detection of time stomping with PowerShell.
 author: keyboardcrunch
 date: 24/11/2020
-modified:
+modified: 05/12/2020
 mitre: 
   tactic: Defense Evasion
   technique: T1070
@@ -10,8 +10,6 @@ mitre:
 operating_system: windows
 query: SrcProcCmdScript In Contains Anycase ("[IO.File]::SetCreationTime","[IO.File]::SetLastAccessTime","[IO.File]::SetLastWriteTime")
 false_positives:
-   - 
 tags:
-   - 
 references:
   - https://attack.mitre.org/techniques/T1070/006/
@@ -1,17 +1,18 @@
 title: T1055 Process Injection
 description: Detects Process Injection through execution of MavInject, filtering out
  noisy/expected activity. SrcProcParentName filter narrows Cross Process items to
-  HQ results.
+  refine results.
 author: keyboardcrunch
 date: 10/10/2020
-modified: null
+modified: 05/12/2020
 mitre:
   tactic: Defense Evasion, Privilege Escalation
   technique: T1055
-   subtechnique: null
+   subtechnique: 
 operating_system: windows
 query: (TgtProcName = "mavinject.exe" AND TgtProcCmdLine ContainsCIS "/injectrunning")
  AND (SrcProcName Not In ("AppVClient.exe") AND SrcProcParentName Not In ("smss.exe"))
-false_positives: null
-tags: null
+false_positives: 
+   - Legitimate usage of MavInject
+tags: 

@@ -1,6 +1,5 @@
 title: Registry Credential Enumeration
-description: This query detects enumeration and discovery of credentials within the
-  Registry, including Putty sessions.
+description: Detect enumeration and discovery of credentials within the Registry, including Putty sessions.
 author: keyboardcrunch
 date: 10/10/2020
 modified: null
@@ -2,7 +2,7 @@ title: Rundll32 Possible Cobalt Strike
 description: Loose detection of lateral movement through SMB, commonly used with Cobalt Strike.
 author: keyboardcrunch
 date: 02/12/2020
-modified:
+modified: 05/12/2020
 mitre: 
   tactic: Defense Evasion
   technique: T1218
@@ -11,6 +11,7 @@ operating_system:
 query: ( SrcProcName In AnyCase  ( "rundll32.exe" ) AND SrcProcCmdLine IS EMPTY ) OR ( SrcProcName In AnyCase  ( "rundll32.exe" ) AND NetConnOutCount > "0" AND SrcProcParentName Not In  ( "splwow64.exe" ) AND SrcProcParentName Not In  ( "msiexec.exe" ) AND SrcProcCmdLine RegExp ".*((?!C:\\windows\\system32\\spool\\DRIVERS\\.*,MonitorPrintJobStatus))$/gmi" )
 false_positives:
   - Printer drivers
+   - High number of outbound SMB connections
 tags:
   - Cobalt Strike
 references:
@@ -1,11 +1,9 @@
 title: Scheduled Tasks Creation
-description: Our goal with this query is to detect any schtasks /create command as
-  well as any use of the New-ScheduledTask* cmdlets from powershell, and to prevent
-  noise from services and updates we'll exclude a list of system "trusted" SrcProcParentName
-  executables.
+description: Detection of schtasks /create command as well as any use of the New-ScheduledTask* 
+  cmdlets from powershell.
 author: keyboardcrunch
 date: 10/10/2020
-modified: null
+modified: 05/12/2020
 mitre:
   tactic: Execution, Persistence
   technique: T1053
@@ -14,6 +12,8 @@ operating_system: windows
 query: (( TgtProcName = "schtasks.exe" AND TgtProcCmdLine ContainsCIS "/create" )
  OR ( SrcProcCmdLine ContainsCIS "New-ScheduledTask" OR SrcProcCmdScript  ContainsCIS
  "New-ScheduledTask" )) AND SrcProcParentName Not In ("services.exe","OfficeClickToRun.exe")
-false_positives: null
-tags: null
+false_positives: 
+   - NPCAP driver task
+   - Legitimate task creation
+tags: 

@@ -1,6 +1,6 @@
 title: ScheduledTaskRegister
 description: Leveraging the ScheduleTaskRegister Indicator object for detection of
-  registered tasks.
+  registered tasks, but filtering for better quality results.
 author: keyboardcrunch
 date: 10/10/2020
 modified: null
@@ -1,14 +1,15 @@
 title: Secure Delete Data Destruction
-description: Detection of SDelete (by display name) and execution of DD command on *nix operating systems. Alternatively, DV 3.0 with 4.4 Agents will support TgtFileDeletionCount > "100" query for detection of over 100 files deleted, which can be combined with *FileType* for filtering.
+description: Detection of SDelete (by display name). Alternatively, DV 3.0 with 4.4 Agents will support TgtFileDeletionCount > "100" query for detection of over 100 files deleted, which can be combined with *FileType* for filtering.
 author: keyboardcrunch
 date: 10/10/2020
-modified: null
+modified: 05/12/2020
 mitre:
   tactic: Impact
   technique: T1485
-   subtechnique: null
+   subtechnique: 
 operating_system: windows
 query: TgtProcDisplayName = "Secure file delete"
-false_positives: null
-tags: null
+false_positives: 
+   - Legitimate usage of SDelete
+tags: 

@@ -1,10 +1,9 @@
 title: Security Support Provider
-description: Detection of changes to Security Support Provider through Registry modification.
-  Filters most standard system changes with SrcProcName Not In (list) but there will
-  be some noise from installers.
+description: Detect changes to Security Support Provider through Registry modification.
+  Filters most standard system changes with SrcProcName Not In (list).
 author: keyboardcrunch
 date: 10/10/2020
-modified: null
+modified: 05/12/2020
 mitre:
   tactic: Privilege Escalation, Persistence
   technique: T1547
@@ -13,6 +12,7 @@ operating_system: windows
 query: RegistryKeyPath ContainsCIS "\Control\Lsa\Security Packages" AND (SrcProcName
  Not In ("services.exe","SetupHost.exe","svchost.exe") AND SrcProcCmdLine Does Not
  ContainCIS "system32\wsauth.dll")
-false_positives: null
-tags: null
+false_positives: 
+   - Some application installs
+tags: 

@@ -0,0 +1,15 @@
+title: Service Created
+description: Detects creation and modification of windows services through binPath
+  argument to sc.exe.
+author: keyboardcrunch
+date: 10/10/2020
+modified: null
+mitre:
+   tactic: Privilege Escalation
+   technique: T1543
+   subtechnique: 003
+operating_system: windows
+query: TgtProcName = "sc.exe" AND TgtProcCmdLine Contains "binPath="
+false_positives: null
+tags: null
+
@@ -1,17 +1,18 @@
-title: Service Disable
-description: Detecting the disabling of services through sc.exe, wmic, and powershell Set-Service cmdlet.
+title: Service Disabled
+description: Detect disabling of services through sc.exe, wmic, and powershell Set-Service cmdlet.
 author: keyboardcrunch
 date: 10/10/2020
-modified: null
+modified: 05/12/2020
 mitre:
   tactic: Impact
   technique: T1489
-   subtechnique: null
+   subtechnique: 
 operating_system: windows
 query: (TgtProcName = "WMIC.exe" AND TgtProcCmdLine ContainsCIS "call ChangeStartmode
  Disabled") OR (TgtProcName = "sc.exe" AND TgtProcCmdLine ContainsCIS "disabled")
  OR (TgtProcCmdLine ContainsCIS "Set-Service" AND TgtProcCmdLine ContainsCIS "-StartupType
  Disabled")
-false_positives: Manual service toggling.
-tags: null
+false_positives: 
+   - Manual service toggling.
+tags: 

@@ -1,8 +1,8 @@
-title: Service Starting
+title: Service Started
 description: Detection of sc.exe start or start-service.
 author: keyboardcrunch
 date: 10/10/2020
-modified: null
+modified: 05/12/2020
 mitre:
   tactic: Execution
   technique: T1569
@@ -10,6 +10,7 @@ mitre:
 operating_system: windows
 query: (( SrcProcName = "sc.exe" AND SrcProcCmdLine ContainsCIS "create" ) OR SrcProcCmdLine
  ContainsCIS "Start-Service" ) AND SrcProcParentName != "services.exe"
-false_positives: Manual service actions.
-tags: null
+false_positives: 
+   - Manual service actions.
+tags: 

@@ -1,4 +1,4 @@
-title: Startup Folder
+title: Startup Folder Persistence
 description: Detect any vbs, jse or bat files being written to any Programs\StartUp folder, be that ProgramData or AppData locations.
 author: keyboardcrunch
 date: 10/10/2020
@@ -11,6 +11,7 @@ operating_system: windows
 query: (FileFullName ContainsCIS "Microsoft\Windows\Start Menu\Programs\Startup" AND
  TgtFileExtension In Contains ("lnk","url") AND EventType = "File Creation") AND
  SrcProcName Not In ("ONENOTE.EXE","msiexec.exe")
-false_positives: Some application installs.
+false_positives: 
+   - Some application installs.
 tags: null

@@ -1,12 +1,8 @@
-title: Windows Remote Management
-description: The below query (in order) remote process executions through MMC, WMIC,
-  and PsExec (by name or display name). Also of note, there are only 3 tests documented
-  for this Atomic, yet there are 6 tests, so the below query focuses on detectability.
-  PsExec detection may have a lot of noise depending on your environment, and may
-  require additional filtering.
+title: Windows Remote Management Execution
+description: Detect remote process executions through MMC, WMIC, and PsExec (by name or display name). 
 author: keyboardcrunch
 date: 10/10/2020
-modified: null
+modified: 05/12/2020
 mitre:
   tactic: Lateral Movement
   technique: T1021
@@ -17,6 +13,7 @@ query: (TgtProcCmdLine ContainsCIS "GetTypeFromProgID(" AND TgtProcCmdLine Conta
  OR (TgtProcName = "wmic.exe" AND TgtProcCmdLine ContainsCIS "/node:" AND TgtProcCmdLine
  ContainsCIS "process call create") OR ((SrcProcName ContainsCIS "psexec.exe" OR
  SrcProcDisplayName = "Execute processes remotely") AND DstIp Is Not Empty)
-false_positives: null
-tags: null
+false_positives: 
+   - Legitimate usage of PSExec
+tags: 

@@ -1,15 +1,15 @@
-title: Windows Service Creation
+title: Service Created
 description: Detects creation and modification of windows services through binPath
  argument to sc.exe.
 author: keyboardcrunch
 date: 10/10/2020
-modified: null
+modified: 05/12/2020
 mitre:
   tactic: Privilege Escalation
   technique: T1543
   subtechnique: 003
 operating_system: windows
 query: TgtProcName = "sc.exe" AND TgtProcCmdLine Contains "binPath="
-false_positives: null
-tags: null
+false_positives: 
+tags: 

@@ -2,7 +2,7 @@ title: Windows Share Creation
 description: Detecting the creation and use of Windows shares, may catch a lot of legitimate activity.
 author: keyboardcrunch
 date: 10/10/2020
-modified: null
+modified: 
 mitre:
   tactic: Lateral Movement
   technique: T1021
@@ -10,6 +10,7 @@ mitre:
 operating_system: windows
 query: TgtProcCmdLine ContainsCIS "New-PSDrive" OR (TgtProcName = "net.exe" AND TgtProcCmdLine
  ContainsCIS "use ")
-false_positives: Share creations.
-tags: null
+false_positives: 
+   - Share creation
+tags: