Cleaned up signature descriptions and metadata.

2026-06-11 10:21:20 +00:00 · 2020-12-05 21:45:38 -06:00
parent 08e20670ee
commit 4d6ac236bc
59 changed files with 284 additions and 285 deletions
@@ -1,18 +1,17 @@
 title: Account Access Removal
 description: Detects the deletion of a local user account or removal of Active Directory
-  groups through powershell cmdlets. No detection for account password resets for
+  groups through powershell cmdlets.
  purpose of impact due to false detections.
 author: keyboardcrunch
 date: 10/10/2020
-modified: null
+modified: 05/12/2020
 mitre:
   tactic: Impact
   technique: T1531
-   subtechnique: null
+   subtechnique: 
 operating_system: windows
 query: SrcProcCmdline RegExp "net\s+user(?:(?!\s+/delete)(?:.|\n))*\s+/delete" OR
  TgtProcCmdLine  ContainsCIS "Remove-ADGroupMember" OR SrcProcCmdScript ContainsCIS
  "Remove-ADGroupMember"
-false_positives: null
+false_positives: 
-tags: null
+tags: 
-
+references:
@@ -1,22 +1,20 @@
 title: Account Manipulation
-description: Both Atomic tests for account manipulation rely on PowerShell AD module,
+description: Detect account manipulation with the PowerShell AD module, filtered by Parent Process, as some Logon Scripts and Configuration Items (SCOM, SCCM) may also cause noise.
  so we can catch both with one query. We have the query encapsulated so that we can
  filter it at the end by Parent Process, as some Logon Scripts and Configuration
  Items (SCOM, SCCM) may also cause noise. You may want to additionally filter out
  certain SrcProcUser to reduce noise. What cannot be helped, CommandScript detection
  on import of Powershell AD cmdlets.
 author: keyboardcrunch
 date: 10/10/2020
-modified: null
+modified: 05/12/2020
 mitre:
   tactic: Persistence
   technique: T1098
-   subtechnique: null
+   subtechnique: 
 operating_system: windows
 query: ( SrcProcCmdLine In Contains Anycase ("New-ADUser","Rename-LocalUser","Set-LocalUser")
  OR SrcProcCmdScript In Contains Anycase ("New-ADUser","Rename-LocalUser","Set-LocalUser")
  OR SrcProcCmdLine RegExp "\bAdd-ADGroupMember\b.*\bDomain Admins\b" OR SrcProcCmdScript
  RegExp "\bAdd-ADGroupMember\b.*\bDomain Admins\b" ) AND SrcProcParentName Not In
  ("WmiPrvSE.exe","AppVClient.exe","svchost.exe","CompatTelRunner.exe")
-false_positives: null
+false_positives: 
-tags: null
+   - logon scripts
   - Configuration Manager CI/BL Items
 tags:
 references:
@@ -1,8 +1,8 @@
 title: Allow Executable Through Defender Firewall
 author: keyboardcrunch
-description: Detect allowance of executables through Defender Firewall.
+description: Detect allowance of executables within Users or Temp folders through Defender Firewall.
 date: 10/10/2020
-modified: null
+modified: 05/12/2020
 mitre:
   tactic: Defense Evasion
   technique: T1562
@@ -10,6 +10,7 @@ mitre:
 operating_system: windows
 query: TgtProcName = "netsh.exe" AND TgtProcCmdLine ContainsCIS "add rule" AND TgtProcCmdLine
  ContainsCIS "program=" AND TgtProcCmdLine In Contains Anycase ("C:\Users","C:\Windows\Temp")
-false_positives: null
+false_positives: 
-tags: null
+tags: 
 references:
@@ -2,7 +2,7 @@ title: Allow SMB and RDP on Defender Firewall
 description: Detects addition of Defender firewall rules for SMB and RDP.
 author: keyboardcrunch
 date: 10/10/2020
-modified: null
+modified: 
 mitre:
   tactic: Defense Evasion
   technique: T1562
@@ -11,6 +11,6 @@ operating_system: windows
 query: (TgtProcName = "netsh.exe" AND TgtProcCmdLine ContainsCIS "remote desktop"
  AND TgtProcCmdLine ContainsCIS "enable=Yes") OR (TgtProcName = "netsh.exe" AND TgtProcCmdLine
  ContainsCIS "file and printer sharing" AND TgtProcCmdLine ContainsCIS "enable=Yes")
-false_positives: null
+false_positives: 
-tags: null
+tags: 
-
+references:
@@ -2,7 +2,7 @@ title: AMSI Bypass Through InitFailed
 description: Detects AMSI bypass through InitFailed.
 author: keyboardcrunch
 date: 10/10/2020
-modified: null
+modified: 
 mitre:
   tactic: Defense Evasion
   technique: T1562
@@ -10,6 +10,6 @@ mitre:
 operating_system: windows
 query: TgtProcCmdLine ContainsCIS "[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)"
  OR SrcProcCmdScript ContainsCIS "[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)"
-false_positives: null
+false_positives: 
-tags: null
+tags: 
-
+references:
@@ -2,15 +2,13 @@ title: Assoc Default File Change
 description: Detection of file association change through assoc command.
 author: keyboardcrunch
 date: 10/10/2020
-modified: null
+modified: 05/12/2020
 mitre:
   tactic: Privilege Escalation
   technique: T1546
   subtechnique: 008
 operating_system: windows
-query: '--- File assoc change by assoc command
+query: 'TgtProcCmdLine ContainsCIS "assoc" and TgtProcCmdLine RegExp ".*=.*"'
  TgtProcCmdLine ContainsCIS "assoc" and TgtProcCmdLine RegExp ".*=.*"'
 false_positives: null
 tags: null
@@ -1,4 +1,4 @@
-title: Windows Command Shell
+title: Batchfile Execution from Temp
 description: Query for bat files executed from temp directories where SrcProcParentName isn't an executable we want to filter.
 author: keyboardcrunch
 date: 10/10/2020
@@ -1,10 +1,10 @@
 title: BITS Jobs
-description: The below query will find and remote content downloads from DesktopImgDownldr
+description: Detect remote content downloads from DesktopImgDownldr
  or BitsAdmin processes, Start-BitsTransfer cmdlet downloads, and excludes system
  processes and noise with SrcProcParentName Not In ().
 author: keyboardcrunch
 date: 10/10/2020
-modified: null
+modified: 05/12/2020
 mitre:
   tactic: Defense Evasion, Persistence
   technique: T1197
@@ -15,6 +15,7 @@ query: (( TgtProcName In Contains Anycase ("bitsadmin.exe","desktopimgdownldr.ex
  OR TgtProcCmdLine ContainsCIS "/setnotifycmdline " ) ) OR ( TgtProcName = "powershell.exe"
  AND TgtProcCmdLine ContainsCIS "Start-BitsTransfer" ) ) AND SrcProcParentName Not
  In ("services.exe","smss.exe","wininit.exe")
-false_positives: null
+false_positives: 
   - Powershell file downloads
 tags: null
@@ -1,17 +1,16 @@
 title: Browser Extension Installation
-description: This query takes a lazy approach to detecting the staging of xpi or crx
+description: Lazy quyer for detecting the staging of xpi or crx
-  extension packages for installation within Chrome and Firefox based browsers. Unsure
+  extension packages for installation within Chrome and Firefox based browsers.
  how to filter our extension updates without excluding too much.
 author: keyboardcrunch
 date: 10/10/2020
-modified: null
+modified: 05/12/2020
 mitre:
   tactic: Persistence
   technique: T1176
-   subtechnique: null
+   subtechnique: 
 operating_system: windows
 query: ( FileFullName RegExp "\bWebstore Downloads\b.*\.(crx)$" OR FileFullName RegExp
  "\bstaged\b.*\.(xpi)$" ) AND EventType = "File Creation"
-false_positives: null
+false_positives: 
-tags: null
+tags: 
@@ -1,12 +1,9 @@
 title: T1548.002 Bypass User Access Control
 description: Detection of UAC bypass through tampering with Shell Open for .ms-settings
-  or .msc file types. Beyond this Atomic test, and to further UAC bypass detection,
+  or .msc file types. Also includes detection for CMSTPLUA COM interface abuse by GUID.
  the below query includes detection for CMSTPLUA COM interface abuse by GUID. Noted
  issues with Sentinel Agent 4.3.2.86 detecting by registry key. All registry key
  paths were ControlSet001\Service\bam\State\UserSettings\GUID...
 author: keyboardcrunch
 date: 10/10/2020
-modified: null
+modified: 05/12/2020
 mitre:
   tactic: Defense Evasion, Privilege Escalation
   technique: T1548
@@ -15,6 +12,6 @@ operating_system: windows
 query: (SrcProcCmdLine ContainsCIS "ms-settings\shell\open\command" OR SrcProcCmdLine
  ContainsCIS "mscfile\shell\open\command") OR (TgtProcDisplayName = "COM Surrogate"
  AND TgtProcCmdLine ContainsCIS "{3E5FC7F9-9A51-4367-9063-A120244FBEC7}")
-false_positives: null
+false_positives: 
-tags: null
+tags: 
@@ -1,9 +1,8 @@
 title: Change Shell Open RegKeys
-description: Detection of file association changes. Detection by registry is noisy
+description: Detection of file association changes.
  due to problem filtering on registry root, so install/uninstall apps create noise.
 author: keyboardcrunch
 date: 10/10/2020
-modified: null
+modified: 05/12/2020
 mitre:
   tactic: Persistence
   technique: T1546
@@ -14,6 +13,7 @@ query: '--- File assoc change by registry
  RegistryKeyPath In Contains Anycase ( "\shell\open\command" , "\shell\print\command"
  , "\shell\printto\command" ) AND EventType In ( "Registry Value Create" , "Registry
  Value Modified" )'
-false_positives: null
+false_positives: 
-tags: null
+   - Un/install of some applications
 tags: 
@@ -1,11 +1,9 @@
 title: Clear Windows Event Logs
 description: Detects the clearing of EventLogs through wevtutil (concise) as well
-  as Clear-EventLog through CommandLine and CommandScript objects. Powershell cmdlet
+  as Clear-EventLog through CommandLine and CommandScript objects. 
  detection returns a lot of noise for the CommandScripts object, so filtering out
  SrcProcParentName may be required.
 author: keyboardcrunch
 date: 10/10/2020
-modified: null
+modified: 05/12/2020
 mitre:
   tactic: Defense Evasion
   technique: T1070
@@ -14,6 +12,7 @@ operating_system: windows
 query: (TgtProcName  = "wevtutil.exe" AND TgtProcCmdLine ContainsCIS "cl ") OR ((SrcProcCmdLine
  ContainsCIS "Clear-EventLog" OR SrcProcCmdScript ContainsCIS "Clear-EventLog") AND
  SrcProcParentName Not In ("WmiPrvSE.exe","PFERemediation.exe","svchost.exe"))
-false_positives: null
+false_positives: 
   - SCOM built-in scripts
 tags: null
@@ -1,16 +0,0 @@
 title: CMSTP
 description: CMSTP is rarely used within my environment, so the below detection has
  low false positives without filtering, though you may want to limit query to inf
  files located in personal/writeable directories.
 author: keyboardcrunch
 date: 10/10/2020
 modified: null
 mitre:
   tactic: Defense Evasion
   technique: T1218
   subtechnique: 003
 operating_system: windows
 query: SrcProcName = "cmstp.exe" AND SrcProcCmdLine RegExp "^.*\.(inf)"
 false_positives: null
 tags: null
@@ -0,0 +1,14 @@
 title: CMSTP Signed Binary Proxy Execution
 description: Detect execution through CMSTP installations with INF files.
 author: keyboardcrunch
 date: 10/10/2020
 modified: 05/12/2020
 mitre:
   tactic: Defense Evasion
   technique: T1218
   subtechnique: 003
 operating_system: windows
 query: SrcProcName = "cmstp.exe" AND SrcProcCmdLine RegExp "^.*\.(inf)"
 false_positives: 
 tags: 
@@ -1,10 +1,8 @@
 title: Compiled HTML File
-description: Breaking down the below query, the first section will detect Atomic Test
+description: Detect malicious chm file spawning a process or hh.exe loading a remote payloads.
  1 where a malicious chm file spawns a process, whereas the second half of the query
  detects hh.exe loading a remote payloads.
 author: keyboardcrunch
 date: 10/10/2020
-modified: null
+modified: 05/12/2020
 mitre:
   tactic: Defense Evasion
   technique: T1218
@@ -12,6 +10,6 @@ mitre:
 operating_system: windows
 query: (SrcProcName = "hh.exe" AND EventType = "Open Remote Process Handle") OR (SrcProcName
  = "hh.exe" AND SrcProcCmdLine RegExp "https?:\/\/(www\.)?[-a-zA-Z0-9@:%._\+~#=]{1,256}\.[a-zA-Z0-9()]{1,6}\b([-a-zA-Z0-9()@:%_\+.~#?&//=]*)")
-false_positives: null
+false_positives: 
-tags: null
+tags: 
@@ -1,11 +1,10 @@
-title: Compile After Delivery
+title: CSC Compile After Delivery
-description: Both Atomic tests for this technique leverage csc.exe for compilation
+description: Detect specific compilation of executables as well as dynamic
  of code. The below will detect specific compilation of executables as well as dynamic
  compilation through detection of csc.exe creating executable files (both dll and
-  exe). Filter noise from later portion of query using SrcProcParentName Not In ().
+  exe). 
 author: keyboardcrunch
 date: 10/10/2020
-modified: null
+modified: 05/12/2020
 mitre:
   tactic: Defense Evasion
   technique: T1027
@@ -13,6 +12,7 @@ mitre:
 operating_system: windows
 query: (TgtProcName = "csc.exe" AND SrcProcCmdLine Contains "/target:exe") OR (SrcProcName  =
  "csc.exe" AND TgtFileIsExecutable = "true" AND SrcProcParentName Not In ("svchost.exe"))
-false_positives: null
+false_positives: 
   - Absolute/Computrace software.
 tags: null
@@ -1,19 +1,17 @@
 title: Deobfuscate or Decode Files
-description: This Atomic tests detections of certutil encoding and decoding of executables,
+description: Detect certutil encoding and decoding of executables,
-  and the replication of certutil for bypassing detection of executable encoding.
+  or use of renamed certutil.exe for bypassing detections.
  Our query below will detected renamed certutil through matching of DisplayName,
  as well as encoding or decoding of exe files.
 author: keyboardcrunch
 date: 10/10/2020
-modified: null
+modified: 05/12/2020
 mitre:
   tactic: Defense Evasion
   technique: T1140
-   subtechnique: null
+   subtechnique: 
 operating_system: windows
 query: (TgtProcName != "certutil.exe" AND TgtProcDisplayName = "CertUtil.exe") OR
  ( TgtProcDisplayName = "CertUtil.exe" AND (TgtProcCmdLine RegExp "^.*(-decode).*\.(exe)"
  OR TgtProcCmdLine RegExp "^.*(-encode).*\.(exe)") )
-false_positives: null
+false_positives: 
-tags: null
+tags: 
@@ -1,14 +1,14 @@
 title: Disable Defender Firewall
-description: Detection on disabling Microsoft Defender Firewall.
+description: Detect disabling Microsoft Defender Firewall.
 author: keyboardcrunch
 date: 10/10/2020
-modified: null
+modified: 05/12/2020
 mitre:
   tactic: Defense Evasion
   technique: T1562
   subtechnique: 004
 operating_system: windows
 query: TgtProcName = "netsh.exe" AND TgtProcCmdLine ContainsCIS "state off"
-false_positives: null
+false_positives: 
-tags: null
+tags: 
@@ -1,8 +1,8 @@
 title: Disable Sysmon
-description: Detection of disabling the Sysmon driver or service.
+description: Detects disabling of the Sysmon driver or service.
 author: keyboardcrunch
 date: 10/10/2020
-modified: null
+modified: 05/12/2020
 mitre:
   tactic: Defense Evasion
   technique: T1562
@@ -10,6 +10,6 @@ mitre:
 operating_system: windows
 query: (TgtProcName = "fltmc.exe" AND TgtProcCmdLine ContainsCIS "unload SysmonDrv")
  OR (TgtProcName = "sysmon.exe" AND TgtProcCmdLine ContainsCIS "-u")
-false_positives: null
+false_positives: 
-tags: null
+tags: 
@@ -1,8 +1,8 @@
 title: DLL Search Order Hijacking
-description: Detection of common DLL search order hijacks.
+description: Detection of common DLL search order hijacks, currently only amsi.dll.
 author: keyboardcrunch
 date: 10/10/2020
-modified: null
+modified: 05/12/2020
 mitre:
   tactic: Defense Evasion, Persistence, Privilege Escalation
   technique: T1574
@@ -10,6 +10,6 @@ mitre:
 operating_system: windows
 query: (FileFullName ContainsCIS "amsi.dll" AND FileFullName Does Not ContainCIS "System32")
  AND EventType = "File Creation"
-false_positives: null
+false_positives: 
-tags: null
+tags: 
@@ -1,16 +0,0 @@
 title: DLL Side-Loading of Notepad++ GUP.exe
 description: Detection for GUP.exe side-loading a dll, where executable has a display
  name of "WinGup for Notepad++" and has non-standard source process. Keep an eye
  on Cross Process events.
 author: keyboardcrunch
 date: 10/10/2020
 modified: null
 mitre:
   tactic: Defense Evasion, Persistence, Privilege Escalation
   technique: T1574
   subtechnique: 002
 operating_system: windows
 query: TgtProcDisplayName ContainsCIS "WinGup" and SrcProcName Not In ("notepad++.exe","explorer.exe","lsass.exe","csrss.exe","svchost.exe","WerFault.exe")
 false_positives: null
 tags: null
@@ -0,0 +1,14 @@
 title: DLL Side-Loading of Notepad++ GUP.exe
 description: Detection of GUP.exe updater from Notepad++ being used for side-loading a dll.
 author: keyboardcrunch
 date: 10/10/2020
 modified: 05/12/2020
 mitre:
   tactic: Defense Evasion, Persistence, Privilege Escalation
   technique: T1574
   subtechnique: 002
 operating_system: windows
 query: TgtProcDisplayName = "WinGup for Notepad++" and SrcProcName Not In ("notepad++.exe","explorer.exe","lsass.exe","csrss.exe","svchost.exe","WerFault.exe")
 false_positives: null
 tags: null
@@ -2,7 +2,7 @@ title: Edge or IE Credential Extraction with PowerShell
 description: Detects the extraction of Edge or Internet Explorer PasswordVault credentials with PowerShell.
 author: keyboardcrunch
 date: 24/11/2020
-modified:
+modified: 05/12/2020
 mitre: 
   tactic: Credential Access
   technique: T1555
@@ -10,8 +10,6 @@ mitre:
 operating_system: windows
 query: SrcProcCmdScript ContainsCIS "Windows.Security.Credentials.PasswordVault" OR SrcProcCmdScript ContainsCIS "RetrievePassword"
 false_positives:
   - 
 tags:
   - 
 references:
   - https://github.com/HanseSecure/credgrap_ie_edge
@@ -1,9 +1,9 @@
 title: Group Policy Preference Cred Extraction
-description: Detection focuses on sysvol GP Policy xml file enumeration, with findstr
+description: Detection of sysvol GP Policy xml file enumeration, with findstr
  or Get-GPPPassword (Alias or CmdScript internal match).
 author: keyboardcrunch
 date: 10/10/2020
-modified: null
+modified: 05/12/2020
 mitre:
   tactic: Credential Access
   technique: T1552
@@ -12,6 +12,6 @@ operating_system: windows
 query: TgtProcCmdline RegExp "^.*\/S cpassword.*\\sysvol\\.*.xml" OR TgtProcCmdline
  ContainsCIS "Get-GPPPassword" OR SrcProcCmdScript ContainsCIS "Get-ChildItem -Path
  \"\\$Server\SYSVOL\" -Recurse -ErrorAction SilentlyContinue -Include 'Groups.xml','Services.xml','Scheduledtasks.xml','DataSources.xml','Printers.xml','Drives.xml'"
-false_positives: null
+false_positives: 
-tags: null
+tags: 
@@ -3,16 +3,17 @@ description: Detects the use of vssadmin, wbadmin, bcdedit and powershell deleti
  of shadowcopy content and disabling of system recovery.
 author: keyboardcrunch
 date: 10/10/2020
-modified: null
+modified: 05/12/2020
 mitre:
   tactic: Impact
   technique: T1490
-   subtechnique: null
+   subtechnique: 
 operating_system: windows
 query: TgtProcCmdLine In Contains Anycase ("delete shadows","shadowcopy delete","delete
  catalog","recoveryenabled no") OR (TgtProcCmdLine ContainsCIS "Win32_ShadowCopy"
  AND TgtProcCmdLine ContainsCIS "Delete()") OR (SrcProcCmdScript ContainsCIS "Win32_ShadowCopy"
  AND SrcProcCmdScript ContainsCIS "Delete()")
-false_positives: null
+false_positives: 
-tags: null
+   - Manual backup or recovery through shadowcopy
 tags: 
@@ -1,13 +1,9 @@
 title: Invoke-MalDoc
-description: This execution of macro code using Invoke-MalDoc triggers S1 T1027 Evasion
+description: Detection of Invoke-MalDoc.ps1, complementary to T1027 Evasion
-  Indicator, so we could RegEx on IndicatorMetadata but that'd have noise. The query
+  Indicator built into SentinelOne Agent.
  should only be used for threat hunting, but it will detect Macro security settings
  changes to the registry for Word and Excel as well as detecting COM objects within
  ComandLine and CommandScript indicator objects. There may be a lot of results, focus
  on Indicators and Command Scripts objects as they'll have less false positives.
 author: keyboardcrunch
 date: 10/10/2020
-modified: null
+modified: 05/12/2020
 mitre:
   tactic: Initial Access
   technique: T1566
@@ -17,6 +13,8 @@ query: (RegistryPath In Contains ("Word\Security\AccessVBOM","Excel\Security\Acc
  AND EventType In ("Registry Value Create","Registry Value Modified")) OR (SrcProcCmdLine
  In Contains Anycase ("ActiveVBProject.VBComponents","Word.Application","Excel.Application")
  OR SrcProcCmdScript In Contains Anycase ("ActiveVBProject.VBComponents","Word.Application","Excel.Application"))
-false_positives: null
+false_positives: 
-tags: null
+   - Macro security setting changes
   - Powershell automation of Office docs
 tags: 
@@ -1,10 +1,9 @@
 title: Kill Eventlog Service Threads
-description: Detection is specific to Invoke-Phant0m strings as the test uses it,
+description: Invoke-Phant0m specific detection (currently), catches renamed and obfuscated 
-  and we're hoping to catch renamed and obfuscated versions by catching the TerminateThread
+  versions by querying for the TerminateThread call.
  call.
 author: keyboardcrunch
 date: 10/10/2020
-modified: null
+modified: 05/12/2020
 mitre:
   tactic: Defense Evasion
   technique: T1562
@@ -12,6 +11,6 @@ mitre:
 operating_system: windows
 query: SrcProcCmdLine ContainsCIS "Invoke-Phant0m" OR SrcProcCmdScript ContainsCIS
  "$Kernel32::TerminateThread($getThread" OR SrcProcCmdScript ContainsCIS "Invoke-Phant0m"
-false_positives: null
+false_positives: 
-tags: null
+tags: 
@@ -5,13 +5,14 @@ description: LaZagne happens to spawn 3 cmd shells to save security, system and
  location.
 author: keyboardcrunch
 date: 10/10/2020
-modified: null
+modified: 05/12/2020
 mitre:
   tactic: Credential Access
   technique: T1552
   subtechnique: 001
 operating_system: windows
 query: TgtProcCmdline Contains "reg.exe save hklm\s" OR TgtFilePath Contains "lazagne.exe.manifest"
-false_positives: null
+false_positives: 
-tags: null
+   - Full registry exports
 tags: 
@@ -1,8 +1,8 @@
 title: Local Account Added Windows
-description: Query below we'll query all instances of local accounts being created.
+description: Detect all instances of local accounts being created.
 author: keyboardcrunch
 date: 10/10/2020
-modified: null
+modified: 05/12/2020
 mitre:
   tactic: Persistence
   technique: T1136
@@ -11,6 +11,7 @@ operating_system: windows
 query: SrcProcCmdLine In Contains Anycase ("net user /add","New-LocalUser")
  OR SrcProcCmdLine RegExp "\bdscl\b.*\b/\create\b" OR SrcProcCmdLine RegExp "\bnet
  localgroup administrators\b.*\b\/add\b"
-false_positives: General account maintenance.
+false_positives: 
-tags: null
+   - General account maintenance.
 tags: 
@@ -1,15 +1,14 @@
 title: T1003.004 LSA Secrets
-description: For simplicity, we're detecting a Cmdline used for both psexec (the test)
+description: Detect direct LSA extraction with reg.exe.
  as well as direct reg.exe LSA extraction.
 author: keyboardcrunch
 date: 10/10/2020
-modified: null
+modified: 05/12/2020
 mitre:
   tactic: Credential Access
   technique: T1003
   subtechnique: 004
 operating_system: windows
 query: TgtProcCmdLine ContainsCIS "save HKLM\security\policy\secrets"
-false_positives: null
+false_positives: 
-tags: null
+tags: 
@@ -1,5 +1,5 @@
 title: LSASS Memory Dumping
-description: Detection of wce by hash, procdump, comsvc, dumpert, mimikatz, pypykatz, and werfault all in one query.
+description: Detection of wce (by hash), procdump, comsvc, dumpert, mimikatz, pypykatz, and werfault for LSASS dumping all in one query.
 author: keyboardcrunch
 date: 10/10/2020
 modified: null
@@ -1,10 +1,9 @@
 title: Malicious Documents
-description: The tests for this technique overlap heavily with T1566.001 Spearphishing
+description: Detect high risk processes spawned from Office applications. Complementary to T1566.001 Spearphishing
-  Attachment due to similar download and macro detections, so here we're focusing
+  Attachment due to similar download and macro detections.
  on detecting Office applications launching processes.
 author: keyboardcrunch
 date: 10/10/2020
-modified: null
+modified: 05/12/2020
 mitre:
   tactic: Execution
   technique: T1204
@@ -13,6 +12,9 @@ operating_system: windows
 query: (SrcProcParentName In Contains ("WINWORD.EXE","EXCEL.EXE") AND SrcProcName
  In Contains Anycase ("cmd.exe","cscript.exe","wscript.exe","certutil.exe","powershell.exe","msbuild.exe","csc.exe"))
  OR IndicatorName = "SuspiciousDocument"
-false_positives: Legit docs with macros.
+false_positives: 
-tags: null
+   - Legit docs with macros.
   - McAfee DLP hits on links opened from docs.
   - Office plugins opening sites within browsers.
 tags: 
@@ -0,0 +1,16 @@
 title: Modified SysInternals AccessChk
 description: Detection of renamed AccessChk.exe, can be used for retrieval of the Chrome password db
  as well as other privileged files.
 author: keyboardcrunch
 date: 10/10/2020
 modified: 05/12/2020
 mitre:
   tactic: Credential Access
   technique: T1555
   subtechnique: 003
 operating_system: windows
 query: TgtProcName = "accesschk.exe" AND TgtProcDisplayName != "Reports effective
  permissions for securable objects"
 false_positives: 
 tags: 
@@ -1,17 +0,0 @@
 title: Modified SysInternals AccessChk Chrome password collector
 description: To focus on detection, we're looking for AccessChk.exe where the DisplayName
  does not match that of the original. There's 4X as many Cross_Process objects with
  this query but none detect the collection of the Chrome password db.
 author: keyboardcrunch
 date: 10/10/2020
 modified: null
 mitre:
   tactic: Credential Access
   technique: T1555
   subtechnique: 003
 operating_system: windows
 query: TgtProcName = "accesschk.exe" AND TgtProcDisplayName != "Reports effective
  permissions for securable objects"
 false_positives: null
 tags: null
@@ -1,12 +1,11 @@
 title: Msiexec Remote MSI
-description: The below query will accurately detect execution of remote msi files
+description: Detect execution of remote msi files by msiexec.exe. The second 
-  by msiexec.exe. The second half of the query aims to detect processes spawned by
+  half of the query aims to detect processes spawned by msi files instead of dll files
-  msi files instead of dll files in the CommandLine (as that is very noisy) and may
+  in the CommandLine (as that is very noisy) and may return a bit of noise within
-  return a bit of noise within for the CrossProcess Object as some auto-update processes
+  for the CrossProcess Object as some auto-update processes may be collected by this query.
  may be collected by this query.
 author: keyboardcrunch
 date: 10/10/2020
-modified: null
+modified: 05/12/2020
 mitre:
   tactic: Defense Evasion
   technique: T1218
@@ -15,6 +14,7 @@ operating_system: windows
 query: ( SrcProcName = "msiexec.exe" AND SrcProcCmdLine RegExp "https?:\/\/(www\.)?[-a-zA-Z0-9@:%._\+~#=]{1,256}\.[a-zA-Z0-9()]{1,6}\b([-a-zA-Z0-9()@:%_\+.~#?&//=]*)"
  ) OR (SrcProcName RegExp "^.*\.(tmp)" AND EventType = "Open Remote Process Handle"
  AND SrcProcParentName = "msiexec.exe")
-false_positives: null
+false_positives: 
-tags: null
+   - Auto-update processes
 tags: 
@@ -1,10 +1,9 @@
 title: Non-Windows Control Panel Item
-description: The below query will find all cpl files outside standard directories
+description: Detect cpl files outside standard Windows directories. First portion
-  and all cpl files executed outside of Windows directories. First portion of query
+  of query may need to be dropped if there is too much noise in your environment.
  may need to be dropped if there's too much noise in your environment.
 author: keyboardcrunch
 date: 10/10/2020
-modified: null
+modified: 05/12/2020
 mitre:
   tactic: Defense Evasion
   technique: T1218
@@ -14,6 +13,7 @@ query: (TgtFileExtension = "cpl" AND TgtFilePath Does Not ContainCIS "C:\Windows
  AND TgtFilePath Does Not ContainCIS "C:\Program Files" AND TgtFilePath Does Not
  ContainCIS "C:\$WINDOWS.~BT") OR (SrcProcName = "control.exe" AND SrcProcCmdLine
  ContainsCIS ".cpl" AND SrcProcCmdLine Does Not ContainCIS "C:\Windows")
-false_positives: null
+false_positives: 
-tags: null
+   - Applications bringing their own cpl files
 tags: 
@@ -1,6 +1,5 @@
 title: NTDS Copy
-description: We won't bother detecting VSS copies being created, rather detecting
+description: Detection of credential file copies, either NTDS.dit or SYSTEM whether a VSS copy or not.
  credential file copies. NTDS.dit or SYSTEM whether a VSS copy or not.
 author: keyboardcrunch
 date: 10/10/2020
 modified: null
@@ -1,8 +1,8 @@
 title: Open Local Port on Defender Firewall
-description: Detection of opening of local ports within Defender Firewall.
+description: Detect opening of local ports within Defender Firewall.
 author: keyboardcrunch
 date: 10/10/2020
-modified: null
+modified: 05/12/2020
 mitre:
   tactic: Defense Evasion
   technique: T1562
@@ -10,6 +10,7 @@ mitre:
 operating_system: windows
 query: TgtProcName = "netsh.exe" AND TgtProcCmdLine ContainsCIS "add rule" AND TgtProcCmdLine
  ContainsCIS "dir=in" AND TgtProcCmdLine ContainsCIS "localport="
-false_positives: null
+false_positives: 
-tags: null
+   - Application installs requiring listening ports.
 tags: 
@@ -10,8 +10,7 @@ mitre:
 operating_system: windows
 query: ( EventType In("File Creation", "File Modification") AND TgtFilePath Contains Anycase "\Roaming\Microsoft\Outlook" AND TgtFilePath EndsWith Anycase ".otm" ) OR ( EventType In ("Registry Value Create","Registry Value Modified") AND RegistryKeyPath ContainsCIS "Outlook\Security\Level" )
 false_positives:
-   - Possible legit uses of macros for sorting/saving emails.
+   - Possible legit uses of macros for sorting or saving emails.
 tags: 
   - 
 references:
   - https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/
@@ -4,7 +4,7 @@ description: Detects parent PID spoofing through Cross Process indicators (SrcPr
  through Command Scripts indicators. Update the TgtProcName list to filter noise.
 author: keyboardcrunch
 date: 10/10/2020
-modified: null
+modified: 05/12/2020
 mitre:
   tactic: Defense Evasion, Privilege Escalation
   technique: T1134
@@ -15,6 +15,7 @@ query: (TgtProcRelation = "not_in_storyline" AND EventType = "Open Remote Proces
  AND TgtProcName != "sihost.exe" And TgtProcIntegrityLevel  != "LOW" AND TgtProcName
  Not In ("SystemSettings.exe")) OR (SrcProcCmdScript ContainsCIS "PPID-Spoof" AND
  SrcProcCmdScript ContainsCIS "hSpoofParent = [Kernel32]::OpenProcess")
-false_positives: null
+false_positives: 
-tags: null
+   - Cross Process indicators are noisy
 tags: 
@@ -1,12 +1,11 @@
-title: Powershell MalDoc
+title: Powershell Download Cradles
-description: This test merely uses Powershell to download a maldoc, the below query
+description: Detects usage of Powershell to download a malicious files. The below query
  will find CommandLine or CommandScript downloads using multiple cradle methods as
-  documented here by HarmJ0y https://gist.github.com/HarmJ0y/bb48307ffa663256e239.
+  documented here HarmJ0y. This query should only be used for hunting purposes 
-  The below query should only be used for hunting purposes and covers most unobfuscated
+  and covers most unobfuscated powershell cradles.
  powershell cradles.
 author: keyboardcrunch
 date: 10/10/2020
-modified: null
+modified: 05/12/2020
 mitre:
   tactic: Initial Access
   technique: T1566
@@ -16,6 +15,7 @@ query: (SrcProcCmdLine In Contains Anycase ("Net.WebClient","(iwr","DownloadStri
  (","InternetExplorer.Application","Msxml2.XMLHTTP","MSXML2.ServerXMLHTTP") OR SrcProcCmdScript
  In Contains Anycase ("Net.WebClient","(iwr","DownloadString(","WinHttp.WinHttpRequest","IEX
  (","InternetExplorer.Application","Msxml2.XMLHTTP","MSXML2.ServerXMLHTTP"))
-false_positives: null
+false_positives: 
-tags: null
+tags: 
-
+references:
   - https://gist.github.com/HarmJ0y/bb48307ffa663256e239
@@ -1,5 +1,5 @@
 title: PowerShell GUI Input Capture
-description: Focusing here on detecting the Powershell UI.PromptForCredential and
+description: Detect usage of Powershell UI.PromptForCredential and
  GetNetworkCredential().Password in CmdScript or CmdLine.
 author: keyboardcrunch
 date: 10/10/2020
@@ -2,14 +2,15 @@ title: PowerShell HTTP Form Submission
 description: Detection of powershell data POST and PUT with Invoke-WebRequest.
 author: keyboardcrunch
 date: 10/10/2020
-modified: null
+modified: 
 mitre:
   tactic: Exfiltration
   technique: T1020
-   subtechnique: null
+   subtechnique: 
 operating_system: windows
 query: SrcProcCmdLine ContainsCIS "Invoke-WebRequest" AND (SrcProcCmdLine ContainsCIS
  "-Method Put" OR SrcProcCmdLine ContainsCIS "-Method Post")
-false_positives: PowerShell HTTP form submissions.
+false_positives: 
-tags: null
+   - PowerShell HTTP form submissions.
 tags: 
@@ -2,7 +2,7 @@ title: PowerShell TimeStomping
 description: Detection of time stomping with PowerShell.
 author: keyboardcrunch
 date: 24/11/2020
-modified:
+modified: 05/12/2020
 mitre: 
   tactic: Defense Evasion
   technique: T1070
@@ -10,8 +10,6 @@ mitre:
 operating_system: windows
 query: SrcProcCmdScript In Contains Anycase ("[IO.File]::SetCreationTime","[IO.File]::SetLastAccessTime","[IO.File]::SetLastWriteTime")
 false_positives:
   - 
 tags:
   - 
 references:
   - https://attack.mitre.org/techniques/T1070/006/
@@ -1,17 +1,18 @@
 title: T1055 Process Injection
 description: Detects Process Injection through execution of MavInject, filtering out
  noisy/expected activity. SrcProcParentName filter narrows Cross Process items to
-  HQ results.
+  refine results.
 author: keyboardcrunch
 date: 10/10/2020
-modified: null
+modified: 05/12/2020
 mitre:
   tactic: Defense Evasion, Privilege Escalation
   technique: T1055
-   subtechnique: null
+   subtechnique: 
 operating_system: windows
 query: (TgtProcName = "mavinject.exe" AND TgtProcCmdLine ContainsCIS "/injectrunning")
  AND (SrcProcName Not In ("AppVClient.exe") AND SrcProcParentName Not In ("smss.exe"))
-false_positives: null
+false_positives: 
-tags: null
+   - Legitimate usage of MavInject
 tags: 
@@ -1,6 +1,5 @@
 title: Registry Credential Enumeration
-description: This query detects enumeration and discovery of credentials within the
+description: Detect enumeration and discovery of credentials within the Registry, including Putty sessions.
  Registry, including Putty sessions.
 author: keyboardcrunch
 date: 10/10/2020
 modified: null
@@ -2,7 +2,7 @@ title: Rundll32 Possible Cobalt Strike
 description: Loose detection of lateral movement through SMB, commonly used with Cobalt Strike.
 author: keyboardcrunch
 date: 02/12/2020
-modified:
+modified: 05/12/2020
 mitre: 
   tactic: Defense Evasion
   technique: T1218
@@ -11,6 +11,7 @@ operating_system:
 query: ( SrcProcName In AnyCase  ( "rundll32.exe" ) AND SrcProcCmdLine IS EMPTY ) OR ( SrcProcName In AnyCase  ( "rundll32.exe" ) AND NetConnOutCount > "0" AND SrcProcParentName Not In  ( "splwow64.exe" ) AND SrcProcParentName Not In  ( "msiexec.exe" ) AND SrcProcCmdLine RegExp ".*((?!C:\\windows\\system32\\spool\\DRIVERS\\.*,MonitorPrintJobStatus))$/gmi" )
 false_positives:
   - Printer drivers
   - High number of outbound SMB connections
 tags:
   - Cobalt Strike
 references:
@@ -1,11 +1,9 @@
 title: Scheduled Tasks Creation
-description: Our goal with this query is to detect any schtasks /create command as
+description: Detection of schtasks /create command as well as any use of the New-ScheduledTask* 
-  well as any use of the New-ScheduledTask* cmdlets from powershell, and to prevent
+  cmdlets from powershell.
  noise from services and updates we'll exclude a list of system "trusted" SrcProcParentName
  executables.
 author: keyboardcrunch
 date: 10/10/2020
-modified: null
+modified: 05/12/2020
 mitre:
   tactic: Execution, Persistence
   technique: T1053
@@ -14,6 +12,8 @@ operating_system: windows
 query: (( TgtProcName = "schtasks.exe" AND TgtProcCmdLine ContainsCIS "/create" )
  OR ( SrcProcCmdLine ContainsCIS "New-ScheduledTask" OR SrcProcCmdScript  ContainsCIS
  "New-ScheduledTask" )) AND SrcProcParentName Not In ("services.exe","OfficeClickToRun.exe")
-false_positives: null
+false_positives: 
-tags: null
+   - NPCAP driver task
   - Legitimate task creation
 tags: 
@@ -1,6 +1,6 @@
 title: ScheduledTaskRegister
 description: Leveraging the ScheduleTaskRegister Indicator object for detection of
-  registered tasks.
+  registered tasks, but filtering for better quality results.
 author: keyboardcrunch
 date: 10/10/2020
 modified: null
@@ -1,14 +1,15 @@
 title: Secure Delete Data Destruction
-description: Detection of SDelete (by display name) and execution of DD command on *nix operating systems. Alternatively, DV 3.0 with 4.4 Agents will support TgtFileDeletionCount > "100" query for detection of over 100 files deleted, which can be combined with *FileType* for filtering.
+description: Detection of SDelete (by display name). Alternatively, DV 3.0 with 4.4 Agents will support TgtFileDeletionCount > "100" query for detection of over 100 files deleted, which can be combined with *FileType* for filtering.
 author: keyboardcrunch
 date: 10/10/2020
-modified: null
+modified: 05/12/2020
 mitre:
   tactic: Impact
   technique: T1485
-   subtechnique: null
+   subtechnique: 
 operating_system: windows
 query: TgtProcDisplayName = "Secure file delete"
-false_positives: null
+false_positives: 
-tags: null
+   - Legitimate usage of SDelete
 tags: 
@@ -1,10 +1,9 @@
 title: Security Support Provider
-description: Detection of changes to Security Support Provider through Registry modification.
+description: Detect changes to Security Support Provider through Registry modification.
-  Filters most standard system changes with SrcProcName Not In (list) but there will
+  Filters most standard system changes with SrcProcName Not In (list).
  be some noise from installers.
 author: keyboardcrunch
 date: 10/10/2020
-modified: null
+modified: 05/12/2020
 mitre:
   tactic: Privilege Escalation, Persistence
   technique: T1547
@@ -13,6 +12,7 @@ operating_system: windows
 query: RegistryKeyPath ContainsCIS "\Control\Lsa\Security Packages" AND (SrcProcName
  Not In ("services.exe","SetupHost.exe","svchost.exe") AND SrcProcCmdLine Does Not
  ContainCIS "system32\wsauth.dll")
-false_positives: null
+false_positives: 
-tags: null
+   - Some application installs
 tags: 
@@ -0,0 +1,15 @@
 title: Service Created
 description: Detects creation and modification of windows services through binPath
  argument to sc.exe.
 author: keyboardcrunch
 date: 10/10/2020
 modified: null
 mitre:
   tactic: Privilege Escalation
   technique: T1543
   subtechnique: 003
 operating_system: windows
 query: TgtProcName = "sc.exe" AND TgtProcCmdLine Contains "binPath="
 false_positives: null
 tags: null
@@ -1,17 +1,18 @@
-title: Service Disable
+title: Service Disabled
-description: Detecting the disabling of services through sc.exe, wmic, and powershell Set-Service cmdlet.
+description: Detect disabling of services through sc.exe, wmic, and powershell Set-Service cmdlet.
 author: keyboardcrunch
 date: 10/10/2020
-modified: null
+modified: 05/12/2020
 mitre:
   tactic: Impact
   technique: T1489
-   subtechnique: null
+   subtechnique: 
 operating_system: windows
 query: (TgtProcName = "WMIC.exe" AND TgtProcCmdLine ContainsCIS "call ChangeStartmode
  Disabled") OR (TgtProcName = "sc.exe" AND TgtProcCmdLine ContainsCIS "disabled")
  OR (TgtProcCmdLine ContainsCIS "Set-Service" AND TgtProcCmdLine ContainsCIS "-StartupType
  Disabled")
-false_positives: Manual service toggling.
+false_positives: 
-tags: null
+   - Manual service toggling.
 tags: 
@@ -1,8 +1,8 @@
-title: Service Starting
+title: Service Started
 description: Detection of sc.exe start or start-service.
 author: keyboardcrunch
 date: 10/10/2020
-modified: null
+modified: 05/12/2020
 mitre:
   tactic: Execution
   technique: T1569
@@ -10,6 +10,7 @@ mitre:
 operating_system: windows
 query: (( SrcProcName = "sc.exe" AND SrcProcCmdLine ContainsCIS "create" ) OR SrcProcCmdLine
  ContainsCIS "Start-Service" ) AND SrcProcParentName != "services.exe"
-false_positives: Manual service actions.
+false_positives: 
-tags: null
+   - Manual service actions.
 tags: 
@@ -1,4 +1,4 @@
-title: Startup Folder
+title: Startup Folder Persistence
 description: Detect any vbs, jse or bat files being written to any Programs\StartUp folder, be that ProgramData or AppData locations.
 author: keyboardcrunch
 date: 10/10/2020
@@ -11,6 +11,7 @@ operating_system: windows
 query: (FileFullName ContainsCIS "Microsoft\Windows\Start Menu\Programs\Startup" AND
  TgtFileExtension In Contains ("lnk","url") AND EventType = "File Creation") AND
  SrcProcName Not In ("ONENOTE.EXE","msiexec.exe")
-false_positives: Some application installs.
+false_positives: 
   - Some application installs.
 tags: null
@@ -1,12 +1,8 @@
-title: Windows Remote Management
+title: Windows Remote Management Execution
-description: The below query (in order) remote process executions through MMC, WMIC,
+description: Detect remote process executions through MMC, WMIC, and PsExec (by name or display name). 
  and PsExec (by name or display name). Also of note, there are only 3 tests documented
  for this Atomic, yet there are 6 tests, so the below query focuses on detectability.
  PsExec detection may have a lot of noise depending on your environment, and may
  require additional filtering.
 author: keyboardcrunch
 date: 10/10/2020
-modified: null
+modified: 05/12/2020
 mitre:
   tactic: Lateral Movement
   technique: T1021
@@ -17,6 +13,7 @@ query: (TgtProcCmdLine ContainsCIS "GetTypeFromProgID(" AND TgtProcCmdLine Conta
  OR (TgtProcName = "wmic.exe" AND TgtProcCmdLine ContainsCIS "/node:" AND TgtProcCmdLine
  ContainsCIS "process call create") OR ((SrcProcName ContainsCIS "psexec.exe" OR
  SrcProcDisplayName = "Execute processes remotely") AND DstIp Is Not Empty)
-false_positives: null
+false_positives: 
-tags: null
+   - Legitimate usage of PSExec
 tags: 
@@ -1,15 +1,15 @@
-title: Windows Service Creation
+title: Service Created
 description: Detects creation and modification of windows services through binPath
  argument to sc.exe.
 author: keyboardcrunch
 date: 10/10/2020
-modified: null
+modified: 05/12/2020
 mitre:
   tactic: Privilege Escalation
   technique: T1543
   subtechnique: 003
 operating_system: windows
 query: TgtProcName = "sc.exe" AND TgtProcCmdLine Contains "binPath="
-false_positives: null
+false_positives: 
-tags: null
+tags: 
@@ -2,7 +2,7 @@ title: Windows Share Creation
 description: Detecting the creation and use of Windows shares, may catch a lot of legitimate activity.
 author: keyboardcrunch
 date: 10/10/2020
-modified: null
+modified: 
 mitre:
   tactic: Lateral Movement
   technique: T1021
@@ -10,6 +10,7 @@ mitre:
 operating_system: windows
 query: TgtProcCmdLine ContainsCIS "New-PSDrive" OR (TgtProcName = "net.exe" AND TgtProcCmdLine
  ContainsCIS "use ")
-false_positives: Share creations.
+false_positives: 
-tags: null
+   - Share creation
 tags: