From 2958a6fcc80e6ea42bf2eb5775c8d5544c68ce1e Mon Sep 17 00:00:00 2001 
From: dmitry
Date: Tue, 27 Feb 2024 11:58:52 +0300
Subject: [PATCH] =?UTF-8?q?=D0=A1=D0=BA=D0=BE=D1=80=D1=80=D0=B5=D0=BA?=
 =?UTF-8?q?=D1=82=D0=B8=D1=80=D0=BE=D0=B2=D0=B0=D0=BD=20=D0=BF=D1=80=D0=B5?=
 =?UTF-8?q?=D1=84=D0=B8=D0=BA=D1=81=20=D0=B2=D1=81=D0=B5=D1=85=20=D0=BF?=
 =?UTF-8?q?=D1=80=D0=B0=D0=B2=D0=B8=D0=BB,=20=D0=B4=D0=BB=D1=8F=20=D0=B2?=
 =?UTF-8?q?=D0=BE=D0=B7=D0=BC=D0=BE=D0=B6=D0=BD=D0=BE=D1=81=D1=82=D0=B8=20?=
 =?UTF-8?q?=D0=BF=D0=BE=D0=B4=D0=B3=D1=80=D1=83=D0=B7=D0=BA=D0=B8=20=D0=BF?=
 =?UTF-8?q?=D0=B0=D0=BA=D0=B5=D1=82=D0=BE=D0=B2=20=D0=BA=D0=B0=D0=BA=20?=
 =?UTF-8?q?=D1=81=D0=B8=D1=81=D1=82=D0=B5=D0=BC=D0=BD=D0=BE=D0=B3=D0=BE=20?=
 =?UTF-8?q?=D0=BA=D0=BE=D0=BD=D1=82=D0=B5=D0=BD=D1=82=D0=B0?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 common/rules_filters/examples/IsNormalizedEvent/metainfo.yaml | 2 +-
 common/rules_filters/examples/IsProcessStartEvent/metainfo.yaml | 2 +-
 .../correlation_rules/CVE_2023_38831_WinRar/metainfo.yaml | 2 +-
 .../CVE_2023_42793_Teamcity_Token_Manipulation/metainfo.yaml | 2 +-
 .../Teamcity_Get_TokenName_and_Username/metainfo.yaml | 2 +-
 .../metainfo.yaml | 2 +-
 .../1149_User_authentication_succeeded/metainfo.yaml | 2 +-
 packages/windows_open_package/_meta/metainfo.yaml | 2 +-
 .../IIS_RDP_or_SMB_Tunneling/metainfo.yaml | 2 +-
 .../mitre_attck_comm_and_ctrl/RDP_Tunneling/metainfo.yaml | 2 +-
 .../RDP_Tunneling_via_SSH_5156/metainfo.yaml | 2 +-
 .../An_attempt_was_made_to_lsass_process/metainfo.yaml | 2 +-
 .../Chrome_firefox_opera_cred_read/metainfo.yaml | 2 +-
 .../Credentials_MiniDumpWriteDump_Lsass/metainfo.yaml | 2 +-
 .../mitre_attck_cred_access/DCSync/metainfo.yaml | 2 +-
 .../Dump_lsass_via_process_access/metainfo.yaml | 2 +-
 .../mitre_attck_cred_access/KeePass_CredDump/metainfo.yaml | 2 +-
 .../Keepass_Key_Dump_Via_KeeThief/metainfo.yaml | 2 +-
 .../mitre_attck_cred_access/Kerberos_pwd_spraying/metainfo.yaml | 2 +-
 .../mitre_attck_cred_access/LSASS_ProcDump/metainfo.yaml | 2 +-
.../mitre_attck_cred_access/Mimikatz/metainfo.yaml | 2 +-
 .../Mimikatz_Memssp_Default_Log_Detected/metainfo.yaml | 2 +-
 .../PPL_Bypass_via_PPLDump_Tool/metainfo.yaml | 2 +-
 .../metainfo.yaml | 2 +-
 .../Remote_registry_access/metainfo.yaml | 2 +-
 .../Change_powershell_policy_registry/metainfo.yaml | 2 +-
 .../mitre_attck_defense_evasion/Clearing_eventlog/metainfo.yaml | 2 +-
 .../mitre_attck_defense_evasion/DCShadow_Attack/metainfo.yaml | 2 +-
 .../Detect_Fake_ComputerAccount/metainfo.yaml | 2 +-
 .../Detect_hiding_files_via_attrib_cmdlet/metainfo.yaml | 2 +-
 .../Detect_lolbin_pcalua_exec/metainfo.yaml | 2 +-
 .../ImageLoad_from_Network_Share_to_LSASS/metainfo.yaml | 2 +-
 .../ParentPid_Spoofing/metainfo.yaml | 2 +-
 .../mitre_attck_defense_evasion/Portproxy_netsh/metainfo.yaml | 2 +-
 .../RDP_settings_tampering/metainfo.yaml | 2 +-
 .../ReverseShell_created_via_PEInjection/metainfo.yaml | 2 +-
 .../Subrule_ParentPid_Spoofing/metainfo.yaml | 2 +-
 .../mitre_attck_defense_evasion/Suspend_Process/metainfo.yaml | 2 +-
 .../Suspicious_Explorer_Injection/metainfo.yaml | 2 +-
 .../mitre_attck_discovery/Bloodhound/metainfo.yaml | 2 +-
 .../Enumeration_Users_In_Groups/metainfo.yaml | 2 +-
 .../Local_Groups_Enumeration_Discovery/metainfo.yaml | 2 +-
 .../Detect_execution_imageload_wuauclt_lolbas/metainfo.yaml | 2 +-
 .../mitre_attck_execution/Schtasks_Commandline/metainfo.yaml | 2 +-
 .../mitre_attck_execution/SharpNoPSExec/metainfo.yaml | 2 +-
 .../Start_process_as_vshadow_child/metainfo.yaml | 2 +-
 .../VSSVC_service_state_changed/metainfo.yaml | 2 +-
 .../mitre_attck_execution/XP_Cmdshell_Usage/metainfo.yaml | 2 +-
 .../mitre_attck_initial_access/ProxyNotShell/metainfo.yaml | 2 +-
 .../mitre_attck_lat_move/Detect_MSHTA_LethalHTA/metainfo.yaml | 2 +-
 .../Impacket_WMIExec_Command_Executed/metainfo.yaml | 2 +-
 .../mitre_attck_lat_move/Smbexec_activity/metainfo.yaml | 2 +-
 .../mitre_attck_persist/Change_wmi_subscription/metainfo.yaml | 2 +-
 .../Create_hidden_local_account/metainfo.yaml | 2 +-
.../Create_persist_via_Hidden_Run_key_value/metainfo.yaml | 2 +-
 .../Create_persist_via_WinlogonShell/metainfo.yaml | 2 +-
 .../metainfo.yaml | 2 +-
 .../mitre_attck_persist/DSRM_Password_Changed/metainfo.yaml | 2 +-
 .../Use_persist_Start_process_via_WinlogonShell/metainfo.yaml | 2 +-
 .../mitre_attck_persist/XP_Cmdshell_Enable/metainfo.yaml | 2 +-
 .../CreateProcessAsUser_Impersonation/metainfo.yaml | 2 +-
 .../Detect_Pass_the_Hash_via_Mimikatz_local/metainfo.yaml | 2 +-
 .../Named_Pipe_Impersonation_PrivEsc/metainfo.yaml | 2 +-
 .../metainfo.yaml | 2 +-
 .../mitre_attck_priv_esc/SeDebugPrivilege_Enabled/metainfo.yaml | 2 +-
 .../UACME_23_DismCore_Hijacking/metainfo.yaml | 2 +-
 .../mitre_attck_priv_esc/UAC_Bypass_Via_Consent/metainfo.yaml | 2 +-
 .../Unquoted_Service_Path_Abuse/metainfo.yaml | 2 +-
 .../mitre_attck_priv_esc/sAMAccountName_Spoofing/metainfo.yaml | 2 +-
 .../tabular_lists/AD_Domain_Controllers/metainfo.yaml | 2 +-
 .../tabular_lists/Script_Extensions/metainfo.yaml | 2 +-
 71 files changed, 71 insertions(+), 71 deletions(-)
diff --git a/common/rules_filters/examples/IsNormalizedEvent/metainfo.yaml b/common/rules_filters/examples/IsNormalizedEvent/metainfo.yaml
index 3ae0dd15..c65c7ca3 100644
--- a/common/rules_filters/examples/IsNormalizedEvent/metainfo.yaml
+++ b/common/rules_filters/examples/IsNormalizedEvent/metainfo.yaml
@@ -8,4 +8,4 @@ Args: {}
 Tags:
 - event
 - normalized
-ObjectId: LOC-RF-35030
\ No newline at end of file
+ObjectId: SEC-RF-35030
\ No newline at end of file
diff --git a/common/rules_filters/examples/IsProcessStartEvent/metainfo.yaml b/common/rules_filters/examples/IsProcessStartEvent/metainfo.yaml
index bed673b8..d413920d 100644
--- a/common/rules_filters/examples/IsProcessStartEvent/metainfo.yaml
+++ b/common/rules_filters/examples/IsProcessStartEvent/metainfo.yaml
@@ -14,4 +14,4 @@ Args:
 Tags:
 - system
 - process
-ObjectId: LOC-RF-35031
\ No newline at end of file
+ObjectId: SEC-RF-35031
\ No newline at end of file
diff --git a/packages/open_vulnerabilities/correlation_rules/CVE_2023_38831_WinRar/metainfo.yaml b/packages/open_vulnerabilities/correlation_rules/CVE_2023_38831_WinRar/metainfo.yaml
index bbc1646c..d0cf31b2 100644
--- a/packages/open_vulnerabilities/correlation_rules/CVE_2023_38831_WinRar/metainfo.yaml
+++ b/packages/open_vulnerabilities/correlation_rules/CVE_2023_38831_WinRar/metainfo.yaml
@@ -17,7 +17,7 @@ ExpertContext:
 - https://github.com/b1tg/CVE-2023-38831-winrar-exploit
 Usecases:
 - WinRAR до версии 6.23 позволяет злоумышленникам выполнять произвольный код, когда пользователь пытается просмотреть безопасный файл в ZIP-архиве.
-ObjectId: ESC-CR-204012915
+ObjectId: SEC-CR-204012915
 ContentRelations:
 Implements:
 ATTACK:
diff --git a/packages/open_vulnerabilities/correlation_rules/CVE_2023_42793_Teamcity_Token_Manipulation/metainfo.yaml b/packages/open_vulnerabilities/correlation_rules/CVE_2023_42793_Teamcity_Token_Manipulation/metainfo.yaml
index 0bcdaf8d..96d425ca 100644
--- a/packages/open_vulnerabilities/correlation_rules/CVE_2023_42793_Teamcity_Token_Manipulation/metainfo.yaml
+++ b/packages/open_vulnerabilities/correlation_rules/CVE_2023_42793_Teamcity_Token_Manipulation/metainfo.yaml
@@ -13,7 +13,7 @@ ExpertContext:
 - https://nvd.nist.gov/vuln/detail/CVE-2023-42793
 - https://github.com/H454NSec/CVE-2023-42793
 - https://exploit-notes.hdks.org/exploit/web/teamcity-pentesting/
-ObjectId: LOC-CR-723173698
+ObjectId: SEC-CR-723173698
 ContentRelations:
 Implements:
 ATTACK:
diff --git a/packages/open_vulnerabilities/enrichment_rules/Teamcity_Get_TokenName_and_Username/metainfo.yaml b/packages/open_vulnerabilities/enrichment_rules/Teamcity_Get_TokenName_and_Username/metainfo.yaml
index 0357a3e0..81fe694b 100644
--- a/packages/open_vulnerabilities/enrichment_rules/Teamcity_Get_TokenName_and_Username/metainfo.yaml
+++ b/packages/open_vulnerabilities/enrichment_rules/Teamcity_Get_TokenName_and_Username/metainfo.yaml
@@ -8,4 +8,4 @@ ExpertContext:
 - Sergey Scherbakov
 Usecases:
 - Раскладывает по полям имя/id УЗ и имя токена из запроса на токен к REST API TeamCity
-ObjectId: LOC-ER-892365548
+ObjectId: SEC-ER-892365548
diff --git a/packages/system/normalization_formulas/Microsoft/Windows/eventlog/Common/Security/4794_Attempt_was_made_to_set_DSRM_admin_password/metainfo.yaml b/packages/system/normalization_formulas/Microsoft/Windows/eventlog/Common/Security/4794_Attempt_was_made_to_set_DSRM_admin_password/metainfo.yaml
index f40d631e..cd12c996 100644
--- a/packages/system/normalization_formulas/Microsoft/Windows/eventlog/Common/Security/4794_Attempt_was_made_to_set_DSRM_admin_password/metainfo.yaml
+++ b/packages/system/normalization_formulas/Microsoft/Windows/eventlog/Common/Security/4794_Attempt_was_made_to_set_DSRM_admin_password/metainfo.yaml
@@ -1,7 +1,7 @@
 EventDescriptions:
 - Criteria: id = "4794_Attempt_was_made_to_set_DSRM_admin_password"
 LocalizationId: 4794_Attempt_was_made_to_set_DSRM_admin_password_1
-ObjectId: LOC-NF-115213330
+ObjectId: SEC-NF-115213330
 ExpertContext:
 Created: 11.06.2023
 Updated: 11.06.2023
diff --git a/packages/system/normalization_formulas/Microsoft/Windows/eventlog/Common/TerminalServices_RemoteConnectionManager/1149_User_authentication_succeeded/metainfo.yaml b/packages/system/normalization_formulas/Microsoft/Windows/eventlog/Common/TerminalServices_RemoteConnectionManager/1149_User_authentication_succeeded/metainfo.yaml
index c91426c8..f141706a 100644
--- a/packages/system/normalization_formulas/Microsoft/Windows/eventlog/Common/TerminalServices_RemoteConnectionManager/1149_User_authentication_succeeded/metainfo.yaml
+++ b/packages/system/normalization_formulas/Microsoft/Windows/eventlog/Common/TerminalServices_RemoteConnectionManager/1149_User_authentication_succeeded/metainfo.yaml
@@ -6,4 +6,4 @@ ExpertContext:
 Updated: 05.06.2023
 KnowledgeHolders:
 - "@artemcun"
-ObjectId: LOC-NF-186348571
+ObjectId: SEC-NF-186348571
diff --git a/packages/windows_open_package/_meta/metainfo.yaml b/packages/windows_open_package/_meta/metainfo.yaml
index 538cfa31..e2469f6a 100644
--- a/packages/windows_open_package/_meta/metainfo.yaml
+++ b/packages/windows_open_package/_meta/metainfo.yaml
@@ -1,2 +1,2 @@
-ObjectId: LOC-PKG-471366245
+ObjectId: SEC-PKG-471366245
 Version: 1.0.0
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_comm_and_ctrl/IIS_RDP_or_SMB_Tunneling/metainfo.yaml b/packages/windows_open_package/correlation_rules/mitre_attck_comm_and_ctrl/IIS_RDP_or_SMB_Tunneling/metainfo.yaml
index 56b4c206..6c9e3e5d 100644
--- a/packages/windows_open_package/correlation_rules/mitre_attck_comm_and_ctrl/IIS_RDP_or_SMB_Tunneling/metainfo.yaml
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_comm_and_ctrl/IIS_RDP_or_SMB_Tunneling/metainfo.yaml
@@ -1,4 +1,4 @@
-ObjectId: LOC-CR-887361710
+ObjectId: SEC-CR-887361710
 ContentAutoName: IIS_RDP_or_SMB_Tunneling
 ExpertContext:
 Created: 12.06.2023
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_comm_and_ctrl/RDP_Tunneling/metainfo.yaml b/packages/windows_open_package/correlation_rules/mitre_attck_comm_and_ctrl/RDP_Tunneling/metainfo.yaml
index f13eadf6..30565485 100644
--- a/packages/windows_open_package/correlation_rules/mitre_attck_comm_and_ctrl/RDP_Tunneling/metainfo.yaml
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_comm_and_ctrl/RDP_Tunneling/metainfo.yaml
@@ -1,4 +1,4 @@
-ObjectId: LOC-CR-143879217
+ObjectId: SEC-CR-143879217
 ContentAutoName: RDP_Tunneling
 ExpertContext:
 Created: 05.06.2023
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_comm_and_ctrl/RDP_Tunneling_via_SSH_5156/metainfo.yaml b/packages/windows_open_package/correlation_rules/mitre_attck_comm_and_ctrl/RDP_Tunneling_via_SSH_5156/metainfo.yaml
index 5188d260..9c2f3b9c 100644
--- a/packages/windows_open_package/correlation_rules/mitre_attck_comm_and_ctrl/RDP_Tunneling_via_SSH_5156/metainfo.yaml
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_comm_and_ctrl/RDP_Tunneling_via_SSH_5156/metainfo.yaml
@@ -1,5 +1,5 @@
 Updated: 26.12.2022
-ObjectId: LOC-CR-382727157
+ObjectId: SEC-CR-382727157
 ContentAutoName: RDP_Tunneling_via_SSH_5156
 ExpertContext:
 Created: 13.06.2023
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_cred_access/An_attempt_was_made_to_lsass_process/metainfo.yaml b/packages/windows_open_package/correlation_rules/mitre_attck_cred_access/An_attempt_was_made_to_lsass_process/metainfo.yaml
index 9d15381d..a832fd53 100644
--- a/packages/windows_open_package/correlation_rules/mitre_attck_cred_access/An_attempt_was_made_to_lsass_process/metainfo.yaml
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_cred_access/An_attempt_was_made_to_lsass_process/metainfo.yaml
@@ -1,4 +1,4 @@
-ObjectId: LOC-CR-31343766
+ObjectId: SEC-CR-31343766
 ContentAutoName: An_attempt_was_made_to_lsass_process
 ExpertContext:
 Created: 12.06.2023
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_cred_access/Chrome_firefox_opera_cred_read/metainfo.yaml b/packages/windows_open_package/correlation_rules/mitre_attck_cred_access/Chrome_firefox_opera_cred_read/metainfo.yaml
index 9bd6275a..3ad49615 100644
--- a/packages/windows_open_package/correlation_rules/mitre_attck_cred_access/Chrome_firefox_opera_cred_read/metainfo.yaml
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_cred_access/Chrome_firefox_opera_cred_read/metainfo.yaml
@@ -1,5 +1,5 @@
 Updated: 26.12.2022
-ObjectId: LOC-CR-105581934
+ObjectId: SEC-CR-105581934
 ContentAutoName: Chrome_firefox_opera_cred_read
 ExpertContext:
 Created: 04.06.2023
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_cred_access/Credentials_MiniDumpWriteDump_Lsass/metainfo.yaml b/packages/windows_open_package/correlation_rules/mitre_attck_cred_access/Credentials_MiniDumpWriteDump_Lsass/metainfo.yaml
index ac7e623c..282b0a21 100644
--- a/packages/windows_open_package/correlation_rules/mitre_attck_cred_access/Credentials_MiniDumpWriteDump_Lsass/metainfo.yaml
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_cred_access/Credentials_MiniDumpWriteDump_Lsass/metainfo.yaml
@@ -1,4 +1,4 @@
-ObjectId: LOC-CR-179311440
+ObjectId: SEC-CR-179311440
 ContentAutoName: Credentials_MiniDumpWriteDump_Lsass
 ExpertContext:
 Created: 07.06.2023
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_cred_access/DCSync/metainfo.yaml b/packages/windows_open_package/correlation_rules/mitre_attck_cred_access/DCSync/metainfo.yaml
index 4a7ed094..33d779a4 100644
--- a/packages/windows_open_package/correlation_rules/mitre_attck_cred_access/DCSync/metainfo.yaml
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_cred_access/DCSync/metainfo.yaml
@@ -1,4 +1,4 @@
-ObjectId: LOC-CR-176126000
+ObjectId: SEC-CR-176126000
 ContentAutoName: DCSync
 EventDescriptions:
 - Criteria: correlation_name = "DCSync"
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_cred_access/Dump_lsass_via_process_access/metainfo.yaml b/packages/windows_open_package/correlation_rules/mitre_attck_cred_access/Dump_lsass_via_process_access/metainfo.yaml
index 156795d1..aca8070e 100644
--- a/packages/windows_open_package/correlation_rules/mitre_attck_cred_access/Dump_lsass_via_process_access/metainfo.yaml
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_cred_access/Dump_lsass_via_process_access/metainfo.yaml
@@ -1,4 +1,4 @@
-ObjectId: LOC-CR-128949563
+ObjectId: SEC-CR-128949563
 ContentAutoName: Dump_lsass_via_process_access
 ExpertContext:
 Created: 09.06.2023
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_cred_access/KeePass_CredDump/metainfo.yaml b/packages/windows_open_package/correlation_rules/mitre_attck_cred_access/KeePass_CredDump/metainfo.yaml
index 423cc567..b64be30f 100644
--- a/packages/windows_open_package/correlation_rules/mitre_attck_cred_access/KeePass_CredDump/metainfo.yaml
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_cred_access/KeePass_CredDump/metainfo.yaml
@@ -1,4 +1,4 @@
-ObjectId: ESC-CR-156832011
+ObjectId: SEC-CR-156832011
 ContentAutoName: KeePass_CredDump
 ExpertContext:
 Created: 05.06.2023
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_cred_access/Keepass_Key_Dump_Via_KeeThief/metainfo.yaml b/packages/windows_open_package/correlation_rules/mitre_attck_cred_access/Keepass_Key_Dump_Via_KeeThief/metainfo.yaml
index b732d239..2c76dc40 100644
--- a/packages/windows_open_package/correlation_rules/mitre_attck_cred_access/Keepass_Key_Dump_Via_KeeThief/metainfo.yaml
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_cred_access/Keepass_Key_Dump_Via_KeeThief/metainfo.yaml
@@ -1,5 +1,5 @@
 Updated: 26.12.2022
-ObjectId: LOC-CR-198578044
+ObjectId: SEC-CR-198578044
 ContentAutoName: Keepass_Key_Dump_Via_KeeThief
 ExpertContext:
 Created: 06.06.2023
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_cred_access/Kerberos_pwd_spraying/metainfo.yaml b/packages/windows_open_package/correlation_rules/mitre_attck_cred_access/Kerberos_pwd_spraying/metainfo.yaml
index b0ae33ed..9eb3227c 100644
--- a/packages/windows_open_package/correlation_rules/mitre_attck_cred_access/Kerberos_pwd_spraying/metainfo.yaml
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_cred_access/Kerberos_pwd_spraying/metainfo.yaml
@@ -14,7 +14,7 @@ ExpertContext:
 - Vulnerability scanners, misconfigured systems, remote administration tools, VPN terminators, multiuser systems like Citrix server farms
 Improvements:
 - Add events a lot of failure 4668 before correlation rule kerberos_pwd_spraying_4771 and add events success event 4688
-ObjectId: LOC-CR-155929458
+ObjectId: SEC-CR-155929458
 EventDescriptions:
 - Criteria: correlation_name = "Kerberos_pwd_spraying"
 LocalizationId: corrname_kerberos_pwd_spraying
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_cred_access/LSASS_ProcDump/metainfo.yaml b/packages/windows_open_package/correlation_rules/mitre_attck_cred_access/LSASS_ProcDump/metainfo.yaml
index 351c8aa8..cb9e875f 100644
--- a/packages/windows_open_package/correlation_rules/mitre_attck_cred_access/LSASS_ProcDump/metainfo.yaml
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_cred_access/LSASS_ProcDump/metainfo.yaml
@@ -1,4 +1,4 @@
-ObjectId: LOC-CR-194813648
+ObjectId: SEC-CR-194813648
 ContentAutoName: LSASS_ProcDump
 ExpertContext:
 Created: 03.06.2023
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_cred_access/Mimikatz/metainfo.yaml b/packages/windows_open_package/correlation_rules/mitre_attck_cred_access/Mimikatz/metainfo.yaml
index 9886aa3e..614d482d 100644
--- a/packages/windows_open_package/correlation_rules/mitre_attck_cred_access/Mimikatz/metainfo.yaml
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_cred_access/Mimikatz/metainfo.yaml
@@ -15,7 +15,7 @@ ExpertContext:
 - Provider: Microsoft-Windows-Sysmon
 EventID:
 - 1
-ObjectId: LOC-CR-121752854
+ObjectId: SEC-CR-121752854
 EventDescriptions:
 - Criteria: correlation_name = "Mimikatz"
 LocalizationId: corrname_Mimikatz
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_cred_access/Mimikatz_Memssp_Default_Log_Detected/metainfo.yaml b/packages/windows_open_package/correlation_rules/mitre_attck_cred_access/Mimikatz_Memssp_Default_Log_Detected/metainfo.yaml
index f804120f..f3592c04 100644
--- a/packages/windows_open_package/correlation_rules/mitre_attck_cred_access/Mimikatz_Memssp_Default_Log_Detected/metainfo.yaml
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_cred_access/Mimikatz_Memssp_Default_Log_Detected/metainfo.yaml
@@ -1,5 +1,5 @@
 Updated: 26.12.2022
-ObjectId: LOC-CR-420314424
+ObjectId: SEC-CR-420314424
 ContentAutoName: Mimikatz_Memssp_Default_Log_Detected
 ExpertContext:
 Created: 05.06.2023
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_cred_access/PPL_Bypass_via_PPLDump_Tool/metainfo.yaml b/packages/windows_open_package/correlation_rules/mitre_attck_cred_access/PPL_Bypass_via_PPLDump_Tool/metainfo.yaml
index 5166dcbe..44c88b77 100644
--- a/packages/windows_open_package/correlation_rules/mitre_attck_cred_access/PPL_Bypass_via_PPLDump_Tool/metainfo.yaml
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_cred_access/PPL_Bypass_via_PPLDump_Tool/metainfo.yaml
@@ -1,5 +1,5 @@
 Updated: 26.12.2022
-ObjectId: LOC-CR-726341693
+ObjectId: SEC-CR-726341693
 ContentAutoName: PPL_Bypass_via_PPLDump_Tool
 ExpertContext:
 Created: 14.06.2023
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_cred_access/Phishing_windows_credentials_powershell_scriptblock/metainfo.yaml b/packages/windows_open_package/correlation_rules/mitre_attck_cred_access/Phishing_windows_credentials_powershell_scriptblock/metainfo.yaml
index 823ee629..df1ea24e 100644
--- a/packages/windows_open_package/correlation_rules/mitre_attck_cred_access/Phishing_windows_credentials_powershell_scriptblock/metainfo.yaml
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_cred_access/Phishing_windows_credentials_powershell_scriptblock/metainfo.yaml
@@ -1,4 +1,4 @@
-ObjectId: LOC-CR-133323320
+ObjectId: SEC-CR-133323320
 ContentAutoName: Phishing_windows_credentials_powershell_scriptblock
 ExpertContext:
 Created: 17.06.2023
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_cred_access/Remote_registry_access/metainfo.yaml b/packages/windows_open_package/correlation_rules/mitre_attck_cred_access/Remote_registry_access/metainfo.yaml
index deaa93b3..cb5f9b87 100644
--- a/packages/windows_open_package/correlation_rules/mitre_attck_cred_access/Remote_registry_access/metainfo.yaml
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_cred_access/Remote_registry_access/metainfo.yaml
@@ -1,4 +1,4 @@
-ObjectId: LOC-CR-131630298
+ObjectId: SEC-CR-131630298
 ContentAutoName: Remote_registry_access
 ExpertContext:
 Created: 13.06.2023
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_defense_evasion/Change_powershell_policy_registry/metainfo.yaml b/packages/windows_open_package/correlation_rules/mitre_attck_defense_evasion/Change_powershell_policy_registry/metainfo.yaml
index 23a8a2dc..68b598b0 100644
--- a/packages/windows_open_package/correlation_rules/mitre_attck_defense_evasion/Change_powershell_policy_registry/metainfo.yaml
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_defense_evasion/Change_powershell_policy_registry/metainfo.yaml
@@ -1,4 +1,4 @@
-ObjectId: LOC-CR-469916719
+ObjectId: SEC-CR-469916719
 ContentAutoName: Change_powershell_policy_registry
 ExpertContext:
 Created: 10.06.2023
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_defense_evasion/Clearing_eventlog/metainfo.yaml b/packages/windows_open_package/correlation_rules/mitre_attck_defense_evasion/Clearing_eventlog/metainfo.yaml
index 3ace799b..21bb8775 100644
--- a/packages/windows_open_package/correlation_rules/mitre_attck_defense_evasion/Clearing_eventlog/metainfo.yaml
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_defense_evasion/Clearing_eventlog/metainfo.yaml
@@ -1,5 +1,5 @@
 Name: Tasks_actions
-ObjectId: LOC-CR-284318162
+ObjectId: SEC-CR-284318162
 ContentAutoName: Tasks_actions
 ExpertContext:
 Created: 01.06.2023
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_defense_evasion/DCShadow_Attack/metainfo.yaml b/packages/windows_open_package/correlation_rules/mitre_attck_defense_evasion/DCShadow_Attack/metainfo.yaml
index e71508bb..7070981b 100644
--- a/packages/windows_open_package/correlation_rules/mitre_attck_defense_evasion/DCShadow_Attack/metainfo.yaml
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_defense_evasion/DCShadow_Attack/metainfo.yaml
@@ -1,4 +1,4 @@
-ObjectId: LOC-CR-202536688
+ObjectId: SEC-CR-202536688
 ContentAutoName: DCShadow_Attack
 ExpertContext:
 Created: 01.06.2023
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_defense_evasion/Detect_Fake_ComputerAccount/metainfo.yaml b/packages/windows_open_package/correlation_rules/mitre_attck_defense_evasion/Detect_Fake_ComputerAccount/metainfo.yaml
index 4ebd38ab..22482648 100644
--- a/packages/windows_open_package/correlation_rules/mitre_attck_defense_evasion/Detect_Fake_ComputerAccount/metainfo.yaml
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_defense_evasion/Detect_Fake_ComputerAccount/metainfo.yaml
@@ -1,4 +1,4 @@
-ObjectId: LOC-CR-277281147
+ObjectId: SEC-CR-277281147
 ContentAutoName: Detect_Fake_ComputerAccount
 ExpertContext:
 Created: 04.06.2023
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_defense_evasion/Detect_hiding_files_via_attrib_cmdlet/metainfo.yaml b/packages/windows_open_package/correlation_rules/mitre_attck_defense_evasion/Detect_hiding_files_via_attrib_cmdlet/metainfo.yaml
index d40efa3f..ad770ed4 100644
--- a/packages/windows_open_package/correlation_rules/mitre_attck_defense_evasion/Detect_hiding_files_via_attrib_cmdlet/metainfo.yaml
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_defense_evasion/Detect_hiding_files_via_attrib_cmdlet/metainfo.yaml
@@ -1,5 +1,5 @@
 Updated: 26.12.2022
-ObjectId: LOC-CR-100869373
+ObjectId: SEC-CR-100869373
 ContentAutoName: Detect_hiding_files_via_attrib_cmdlet
 ExpertContext:
 Created: 16.06.2023
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_defense_evasion/Detect_lolbin_pcalua_exec/metainfo.yaml b/packages/windows_open_package/correlation_rules/mitre_attck_defense_evasion/Detect_lolbin_pcalua_exec/metainfo.yaml
index 66cd859f..de96c300 100644
--- a/packages/windows_open_package/correlation_rules/mitre_attck_defense_evasion/Detect_lolbin_pcalua_exec/metainfo.yaml
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_defense_evasion/Detect_lolbin_pcalua_exec/metainfo.yaml
@@ -1,5 +1,5 @@
 Updated: 26.12.2022
-ObjectId: LOC-CR-450661205
+ObjectId: SEC-CR-450661205
 ContentAutoName: Detect_lolbin_pcalua_exec
 ExpertContext:
 Created: 18.06.2023
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_defense_evasion/ImageLoad_from_Network_Share_to_LSASS/metainfo.yaml b/packages/windows_open_package/correlation_rules/mitre_attck_defense_evasion/ImageLoad_from_Network_Share_to_LSASS/metainfo.yaml
index cdcbc3fd..23a427a2 100644
--- a/packages/windows_open_package/correlation_rules/mitre_attck_defense_evasion/ImageLoad_from_Network_Share_to_LSASS/metainfo.yaml
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_defense_evasion/ImageLoad_from_Network_Share_to_LSASS/metainfo.yaml
@@ -1,5 +1,5 @@
 Updated: 26.12.2022
-ObjectId: LOC-CR-120990365
+ObjectId: SEC-CR-120990365
 ContentAutoName: ImageLoad_from_Network_Share_to_LSASS
 ExpertContext:
 Created: 12.06.2023
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_defense_evasion/ParentPid_Spoofing/metainfo.yaml b/packages/windows_open_package/correlation_rules/mitre_attck_defense_evasion/ParentPid_Spoofing/metainfo.yaml
index a119eb01..22da31d4 100644
--- a/packages/windows_open_package/correlation_rules/mitre_attck_defense_evasion/ParentPid_Spoofing/metainfo.yaml
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_defense_evasion/ParentPid_Spoofing/metainfo.yaml
@@ -1,4 +1,4 @@
-ObjectId: ESC-CR-706374286
+ObjectId: SEC-CR-706374286
 ContentAutoName: ParentPid_Spoofing
 ExpertContext:
 Created: 05.06.2023
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_defense_evasion/Portproxy_netsh/metainfo.yaml b/packages/windows_open_package/correlation_rules/mitre_attck_defense_evasion/Portproxy_netsh/metainfo.yaml
index 88be6ae3..2d06b88d 100644
--- a/packages/windows_open_package/correlation_rules/mitre_attck_defense_evasion/Portproxy_netsh/metainfo.yaml
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_defense_evasion/Portproxy_netsh/metainfo.yaml
@@ -1,4 +1,4 @@
-ObjectId: LOC-CR-913584083
+ObjectId: SEC-CR-913584083
 ContentAutoName: Portforward_netsh
 ExpertContext:
 Created: 03.06.2023
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_defense_evasion/RDP_settings_tampering/metainfo.yaml b/packages/windows_open_package/correlation_rules/mitre_attck_defense_evasion/RDP_settings_tampering/metainfo.yaml
index f289ea99..8f502e43 100644
--- a/packages/windows_open_package/correlation_rules/mitre_attck_defense_evasion/RDP_settings_tampering/metainfo.yaml
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_defense_evasion/RDP_settings_tampering/metainfo.yaml
@@ -1,4 +1,4 @@
-ObjectId: LOC-CR-496129294
+ObjectId: SEC-CR-496129294
 ContentAutoName: RDP_settings_tampering
 ExpertContext:
 Created: 09.06.2023
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_defense_evasion/ReverseShell_created_via_PEInjection/metainfo.yaml b/packages/windows_open_package/correlation_rules/mitre_attck_defense_evasion/ReverseShell_created_via_PEInjection/metainfo.yaml
index 3da7e2a7..b8f20491 100644
--- a/packages/windows_open_package/correlation_rules/mitre_attck_defense_evasion/ReverseShell_created_via_PEInjection/metainfo.yaml
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_defense_evasion/ReverseShell_created_via_PEInjection/metainfo.yaml
@@ -1,4 +1,4 @@
-ObjectId: LOC-CR-420817287
+ObjectId: SEC-CR-420817287
 ContentAutoName: ReverseShell_created_via_PEInjection
 ExpertContext:
 Created: 06.06.2023
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_defense_evasion/Subrule_ParentPid_Spoofing/metainfo.yaml b/packages/windows_open_package/correlation_rules/mitre_attck_defense_evasion/Subrule_ParentPid_Spoofing/metainfo.yaml
index 6118e5f0..cd9acaaf 100644
--- a/packages/windows_open_package/correlation_rules/mitre_attck_defense_evasion/Subrule_ParentPid_Spoofing/metainfo.yaml
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_defense_evasion/Subrule_ParentPid_Spoofing/metainfo.yaml
@@ -1,4 +1,4 @@
-ObjectId: ESC-CR-195011447
+ObjectId: SEC-CR-195011447
 ContentAutoName: Subrule_ParentPid_Spoofing
 ExpertContext:
 Created: 05.06.2023
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_defense_evasion/Suspend_Process/metainfo.yaml b/packages/windows_open_package/correlation_rules/mitre_attck_defense_evasion/Suspend_Process/metainfo.yaml
index 06e2b531..92d79db5 100644
--- a/packages/windows_open_package/correlation_rules/mitre_attck_defense_evasion/Suspend_Process/metainfo.yaml
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_defense_evasion/Suspend_Process/metainfo.yaml
@@ -1,4 +1,4 @@
-ObjectId: LOC-CR-162042829
+ObjectId: SEC-CR-162042829
 ContentAutoName: Suspend_prpcess
 ExpertContext:
 Created: 09.06.2023
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_defense_evasion/Suspicious_Explorer_Injection/metainfo.yaml b/packages/windows_open_package/correlation_rules/mitre_attck_defense_evasion/Suspicious_Explorer_Injection/metainfo.yaml
index 033c1bc9..48f14150 100644
--- a/packages/windows_open_package/correlation_rules/mitre_attck_defense_evasion/Suspicious_Explorer_Injection/metainfo.yaml
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_defense_evasion/Suspicious_Explorer_Injection/metainfo.yaml
@@ -1,4 +1,4 @@
-ObjectId: ESC-CR-205336157
+ObjectId: SEC-CR-205336157
 ContentAutoName: Suspicious_Explorer_Injection
 ExpertContext:
 Created: 05.06.2023
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_discovery/Bloodhound/metainfo.yaml b/packages/windows_open_package/correlation_rules/mitre_attck_discovery/Bloodhound/metainfo.yaml
index 55d87e11..83804715 100644
--- a/packages/windows_open_package/correlation_rules/mitre_attck_discovery/Bloodhound/metainfo.yaml
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_discovery/Bloodhound/metainfo.yaml
@@ -1,4 +1,4 @@
-ObjectId: LOC-CR-224304134
+ObjectId: SEC-CR-224304134
 ContentAutoName: Bloodhound
 ExpertContext:
 Created: 02.06.2023
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_discovery/Enumeration_Users_In_Groups/metainfo.yaml b/packages/windows_open_package/correlation_rules/mitre_attck_discovery/Enumeration_Users_In_Groups/metainfo.yaml
index af726c03..36590bd4 100644
--- a/packages/windows_open_package/correlation_rules/mitre_attck_discovery/Enumeration_Users_In_Groups/metainfo.yaml
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_discovery/Enumeration_Users_In_Groups/metainfo.yaml
@@ -1,4 +1,4 @@
-ObjectId: LOC-CR-125559457
+ObjectId: SEC-CR-125559457
 ContentAutoName: Enumeration_Users_In_Groups
 ExpertContext:
 Created: 12.06.2023
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_discovery/Local_Groups_Enumeration_Discovery/metainfo.yaml b/packages/windows_open_package/correlation_rules/mitre_attck_discovery/Local_Groups_Enumeration_Discovery/metainfo.yaml
index f62f3fe1..95bc73e3 100644
--- a/packages/windows_open_package/correlation_rules/mitre_attck_discovery/Local_Groups_Enumeration_Discovery/metainfo.yaml
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_discovery/Local_Groups_Enumeration_Discovery/metainfo.yaml
@@ -1,4 +1,4 @@
-ObjectId: LOC-CR-949509640
+ObjectId: SEC-CR-949509640
 ContentAutoName: Local_Groups_Enumeration_Discovery
 ExpertContext:
 Created: 03.06.2023
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_execution/Detect_execution_imageload_wuauclt_lolbas/metainfo.yaml b/packages/windows_open_package/correlation_rules/mitre_attck_execution/Detect_execution_imageload_wuauclt_lolbas/metainfo.yaml
index 3b3f3815..55180d8a 100644
--- a/packages/windows_open_package/correlation_rules/mitre_attck_execution/Detect_execution_imageload_wuauclt_lolbas/metainfo.yaml
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_execution/Detect_execution_imageload_wuauclt_lolbas/metainfo.yaml
@@ -1,4 +1,4 @@
-ObjectId: LOC-CR-192895047
+ObjectId: SEC-CR-192895047
 ContentAutoName: Detect_execution_imageload_wuauclt_lolbas
 ExpertContext:
 Created: 07.06.2023
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_execution/Schtasks_Commandline/metainfo.yaml b/packages/windows_open_package/correlation_rules/mitre_attck_execution/Schtasks_Commandline/metainfo.yaml
index d5ae0a93..86c02bd4 100644
--- a/packages/windows_open_package/correlation_rules/mitre_attck_execution/Schtasks_Commandline/metainfo.yaml
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_execution/Schtasks_Commandline/metainfo.yaml
@@ -18,7 +18,7 @@ ExpertContext:
 EventID:
 - 4103
 - 4104
-ObjectId: LOC-CR-152436010
+ObjectId: SEC-CR-152436010
 EventDescriptions:
 - Criteria: correlation_name = "Schtasks_Commandline"
 LocalizationId: corrname_Schtasks_Commandline
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_execution/SharpNoPSExec/metainfo.yaml b/packages/windows_open_package/correlation_rules/mitre_attck_execution/SharpNoPSExec/metainfo.yaml
index b0bb33ae..31ec7e7f 100644
--- a/packages/windows_open_package/correlation_rules/mitre_attck_execution/SharpNoPSExec/metainfo.yaml
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_execution/SharpNoPSExec/metainfo.yaml
@@ -16,7 +16,7 @@ ExpertContext:
 - 4657
 Usecases:
 - Атакующие могут модифицировать путь к исполняемому файлу существующей службы Windows для запуска ВПО (например с помощью SharpNoPSExec)
-ObjectId: LOC-CR-249739163
+ObjectId: SEC-CR-249739163
 ContentRelations:
 Implements:
 ATTACK:
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_execution/Start_process_as_vshadow_child/metainfo.yaml b/packages/windows_open_package/correlation_rules/mitre_attck_execution/Start_process_as_vshadow_child/metainfo.yaml
index 0fe3f25d..5f12983e 100644
--- a/packages/windows_open_package/correlation_rules/mitre_attck_execution/Start_process_as_vshadow_child/metainfo.yaml
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_execution/Start_process_as_vshadow_child/metainfo.yaml
@@ -1,4 +1,4 @@
-ObjectId: LOC-CR-109694263
+ObjectId: SEC-CR-109694263
 ContentAutoName: Start_process_as_vshadow_child
 ExpertContext:
 Created: 05.06.2023
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_execution/VSSVC_service_state_changed/metainfo.yaml b/packages/windows_open_package/correlation_rules/mitre_attck_execution/VSSVC_service_state_changed/metainfo.yaml
index 28e6d435..bf355a3d 100644
--- a/packages/windows_open_package/correlation_rules/mitre_attck_execution/VSSVC_service_state_changed/metainfo.yaml
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_execution/VSSVC_service_state_changed/metainfo.yaml
@@ -1,4 +1,4 @@
-ObjectId: LOC-CR-109592014
+ObjectId: SEC-CR-109592014
 ContentAutoName: VSSVC_service_state_changed
 ExpertContext:
 Created: 05.06.2023
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_execution/XP_Cmdshell_Usage/metainfo.yaml b/packages/windows_open_package/correlation_rules/mitre_attck_execution/XP_Cmdshell_Usage/metainfo.yaml
index d339d960..d907cf68 100644
--- a/packages/windows_open_package/correlation_rules/mitre_attck_execution/XP_Cmdshell_Usage/metainfo.yaml
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_execution/XP_Cmdshell_Usage/metainfo.yaml
@@ -1,4 +1,4 @@
-ObjectId: ESC-CR-205452331
+ObjectId: SEC-CR-205452331
 ContentAutoName: XP_Cmdshell_Usage
 ExpertContext:
 Created: 05.06.2023
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_initial_access/ProxyNotShell/metainfo.yaml b/packages/windows_open_package/correlation_rules/mitre_attck_initial_access/ProxyNotShell/metainfo.yaml
index 188649b5..e3a125cf 100644
--- a/packages/windows_open_package/correlation_rules/mitre_attck_initial_access/ProxyNotShell/metainfo.yaml
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_initial_access/ProxyNotShell/metainfo.yaml
@@ -12,7 +12,7 @@ ExpertContext:
 - Provider: Microsoft-Windows-Sysmon
 EventID:
 - 1
-ObjectId: LOC-CR-655783268
+ObjectId: SEC-CR-655783268
 EventDescriptions:
 - Criteria: correlation_name = "ProxyNotShell" and src.ip = src.host
 LocalizationId: corrname_ProxyNotShell
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_lat_move/Detect_MSHTA_LethalHTA/metainfo.yaml b/packages/windows_open_package/correlation_rules/mitre_attck_lat_move/Detect_MSHTA_LethalHTA/metainfo.yaml
index 48bbda28..b65af40a 100644
--- a/packages/windows_open_package/correlation_rules/mitre_attck_lat_move/Detect_MSHTA_LethalHTA/metainfo.yaml
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_lat_move/Detect_MSHTA_LethalHTA/metainfo.yaml
@@ -1,5 +1,5 @@
 Updated: 26.12.2022
-ObjectId: LOC-CR-485903980
+ObjectId: SEC-CR-485903980
 ContentAutoName: Detect_MSHTA_LethalHTA
 ExpertContext:
 Created: 10.06.2023
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_lat_move/Impacket_WMIExec_Command_Executed/metainfo.yaml b/packages/windows_open_package/correlation_rules/mitre_attck_lat_move/Impacket_WMIExec_Command_Executed/metainfo.yaml
index 59a0d00d..ab1ad31a 100644
--- a/packages/windows_open_package/correlation_rules/mitre_attck_lat_move/Impacket_WMIExec_Command_Executed/metainfo.yaml
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_lat_move/Impacket_WMIExec_Command_Executed/metainfo.yaml
@@ -1,5 +1,5 @@
 Updated: 26.12.2022
-ObjectId: LOC-CR-173716752
+ObjectId: SEC-CR-173716752
 ContentAutoName: Impacket_WMIExec_Command_Executed
 ExpertContext:
 Created: 14.06.2023
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_lat_move/Smbexec_activity/metainfo.yaml b/packages/windows_open_package/correlation_rules/mitre_attck_lat_move/Smbexec_activity/metainfo.yaml
index 59c97cdd..b57e4714 100644
--- a/packages/windows_open_package/correlation_rules/mitre_attck_lat_move/Smbexec_activity/metainfo.yaml
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_lat_move/Smbexec_activity/metainfo.yaml
@@ -28,7 +28,7 @@ ExpertContext:
 - 5145
 Usecases:
 - Атакующие могут использовать инструменты удаленного администрирования для выполнения горизонтального перемещения по сети жертвы
-ObjectId: LOC-CR-186456257
+ObjectId: SEC-CR-186456257
 ContentRelations:
 Implements:
 ATTACK:
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_persist/Change_wmi_subscription/metainfo.yaml b/packages/windows_open_package/correlation_rules/mitre_attck_persist/Change_wmi_subscription/metainfo.yaml
index 04f7d9ac..1448fef9 100644
--- a/packages/windows_open_package/correlation_rules/mitre_attck_persist/Change_wmi_subscription/metainfo.yaml
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_persist/Change_wmi_subscription/metainfo.yaml
@@ -1,5 +1,5 @@
 Updated: 26.12.2022
-ObjectId: LOC-CR-128702970
+ObjectId: SEC-CR-128702970
 ContentAutoName: Change_wmi_subscription
 ExpertContext:
 Created: 03.06.2023
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_persist/Create_hidden_local_account/metainfo.yaml b/packages/windows_open_package/correlation_rules/mitre_attck_persist/Create_hidden_local_account/metainfo.yaml
index 0fafe6d2..11e5dadc 100644
--- a/packages/windows_open_package/correlation_rules/mitre_attck_persist/Create_hidden_local_account/metainfo.yaml
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_persist/Create_hidden_local_account/metainfo.yaml
@@ -1,4 +1,4 @@
-ObjectId: LOC-CR-176508511
+ObjectId: SEC-CR-176508511
 ContentAutoName: Create_hidden_local_account
 ExpertContext:
 Created: 08.06.2023
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_persist/Create_persist_via_Hidden_Run_key_value/metainfo.yaml b/packages/windows_open_package/correlation_rules/mitre_attck_persist/Create_persist_via_Hidden_Run_key_value/metainfo.yaml
index 8c20fa22..01c898a5 100644
--- a/packages/windows_open_package/correlation_rules/mitre_attck_persist/Create_persist_via_Hidden_Run_key_value/metainfo.yaml
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_persist/Create_persist_via_Hidden_Run_key_value/metainfo.yaml
@@ -1,4 +1,4 @@
-ObjectId: LOC-CR-157328435
+ObjectId: SEC-CR-157328435
 ContentAutoName: Create_persist_via_Hidden_Run_key_value
 ExpertContext:
 Created: 12.06.2023
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_persist/Create_persist_via_WinlogonShell/metainfo.yaml b/packages/windows_open_package/correlation_rules/mitre_attck_persist/Create_persist_via_WinlogonShell/metainfo.yaml
index 19b4f6dc..a1ef6359 100644
--- a/packages/windows_open_package/correlation_rules/mitre_attck_persist/Create_persist_via_WinlogonShell/metainfo.yaml
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_persist/Create_persist_via_WinlogonShell/metainfo.yaml
@@ -1,4 +1,4 @@
-ObjectId: LOC-CR-58748064
+ObjectId: SEC-CR-58748064
 ContentAutoName: Create_persist_via_WinlogonShell
 ExpertContext:
 Created: 02.06.2023
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_persist/DCSync_prepare_Add_replicatation_rights_to_Account/metainfo.yaml b/packages/windows_open_package/correlation_rules/mitre_attck_persist/DCSync_prepare_Add_replicatation_rights_to_Account/metainfo.yaml
index b389eda2..c6f90885 100644
--- a/packages/windows_open_package/correlation_rules/mitre_attck_persist/DCSync_prepare_Add_replicatation_rights_to_Account/metainfo.yaml
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_persist/DCSync_prepare_Add_replicatation_rights_to_Account/metainfo.yaml
@@ -1,4 +1,4 @@
-ObjectId: LOC-CR-384735839
+ObjectId: SEC-CR-384735839
 ContentAutoName: DCSync_prepare_Add_replicatation_rights_to_Account
 ExpertContext:
 Created: 08.06.2023
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_persist/DSRM_Password_Changed/metainfo.yaml b/packages/windows_open_package/correlation_rules/mitre_attck_persist/DSRM_Password_Changed/metainfo.yaml
index b7f42f79..ff8ef248 100644
--- a/packages/windows_open_package/correlation_rules/mitre_attck_persist/DSRM_Password_Changed/metainfo.yaml
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_persist/DSRM_Password_Changed/metainfo.yaml
@@ -1,5 +1,5 @@
 Updated: 26.12.2022
-ObjectId: LOC-CR-142614850
+ObjectId: SEC-CR-142614850
 ContentAutoName: DSRM_Password_Changed
 ExpertContext:
 Created: 11.06.2023
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_persist/Use_persist_Start_process_via_WinlogonShell/metainfo.yaml b/packages/windows_open_package/correlation_rules/mitre_attck_persist/Use_persist_Start_process_via_WinlogonShell/metainfo.yaml
index 7649de80..6cadc4d1 100644
--- a/packages/windows_open_package/correlation_rules/mitre_attck_persist/Use_persist_Start_process_via_WinlogonShell/metainfo.yaml
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_persist/Use_persist_Start_process_via_WinlogonShell/metainfo.yaml
@@ -1,4 +1,4 @@
-ObjectId: LOC-CR-823326244
+ObjectId: SEC-CR-823326244
 ContentAutoName: Use_persist_Start_process_via_WinlogonShell
 ExpertContext:
 Created: 02.06.2023
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_persist/XP_Cmdshell_Enable/metainfo.yaml b/packages/windows_open_package/correlation_rules/mitre_attck_persist/XP_Cmdshell_Enable/metainfo.yaml
index 8438b59e..52680764 100644
--- a/packages/windows_open_package/correlation_rules/mitre_attck_persist/XP_Cmdshell_Enable/metainfo.yaml
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_persist/XP_Cmdshell_Enable/metainfo.yaml
@@ -1,4 +1,4 @@
-ObjectId: ESC-CR-446260832
+ObjectId: SEC-CR-446260832
 ContentAutoName: XP_Cmdshell_Enable
 ExpertContext:
 Created: 05.06.2023
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/CreateProcessAsUser_Impersonation/metainfo.yaml b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/CreateProcessAsUser_Impersonation/metainfo.yaml
index e4ca4ad9..949c877a 100644
--- a/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/CreateProcessAsUser_Impersonation/metainfo.yaml
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/CreateProcessAsUser_Impersonation/metainfo.yaml
@@ -1,4 +1,4 @@
-ObjectId: LOC-CR-630568812
+ObjectId: SEC-CR-630568812
 ContentAutoName: CreateProcessAsUser_Impersonation
 ExpertContext:
 Created: 07.06.2023
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Detect_Pass_the_Hash_via_Mimikatz_local/metainfo.yaml b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Detect_Pass_the_Hash_via_Mimikatz_local/metainfo.yaml
index f0ccd76e..b24c991b 100644
--- a/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Detect_Pass_the_Hash_via_Mimikatz_local/metainfo.yaml
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Detect_Pass_the_Hash_via_Mimikatz_local/metainfo.yaml
@@ -1,4 +1,4 @@
-ObjectId: LOC-CR-193927723
+ObjectId: SEC-CR-193927723
 ContentAutoName: Detect_Pass_the_Hash_via_Mimikatz_local
 ExpertContext:
 Created: 08.06.2023
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Named_Pipe_Impersonation_PrivEsc/metainfo.yaml b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Named_Pipe_Impersonation_PrivEsc/metainfo.yaml
index 8e64bc7a..3228348c 100644
--- a/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Named_Pipe_Impersonation_PrivEsc/metainfo.yaml
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Named_Pipe_Impersonation_PrivEsc/metainfo.yaml
@@ -23,7 +23,7 @@ ExpertContext:
 EventID:
 - 7045
 - 5145
-ObjectId: LOC-CR-180323302
+ObjectId: SEC-CR-180323302
 EventDescriptions:
 - Criteria: correlation_name = "Named_Pipe_Impersonation_PrivEsc"
 LocalizationId: corrname_Named_Pipe_Impersonation_PrivEsc
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Potential_Privileged_Escalation_via_KrbRelayUp/metainfo.yaml b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Potential_Privileged_Escalation_via_KrbRelayUp/metainfo.yaml
index 19215bdf..891a59c7 100644
--- a/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Potential_Privileged_Escalation_via_KrbRelayUp/metainfo.yaml
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Potential_Privileged_Escalation_via_KrbRelayUp/metainfo.yaml
@@ -1,4 +1,4 @@
-ObjectId: LOC-CR-191110408
+ObjectId: SEC-CR-191110408
 ContentAutoName: Potential_Privileged_Escalation_via_KrbRelayUp
 ExpertContext:
 Created: 14.06.2023
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/SeDebugPrivilege_Enabled/metainfo.yaml b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/SeDebugPrivilege_Enabled/metainfo.yaml
index 3991bf90..96a848b1 100644
--- a/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/SeDebugPrivilege_Enabled/metainfo.yaml
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/SeDebugPrivilege_Enabled/metainfo.yaml
@@ -1,5 +1,5 @@
 Updated: 26.12.2022
-ObjectId: LOC-CR-909630006
+ObjectId: SEC-CR-909630006
 ContentAutoName: SeDebugPrivilege_Enabled
 ExpertContext:
 Created: 01.06.2023
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/UACME_23_DismCore_Hijacking/metainfo.yaml b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/UACME_23_DismCore_Hijacking/metainfo.yaml
index a886af12..2e007af4 100644
--- a/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/UACME_23_DismCore_Hijacking/metainfo.yaml
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/UACME_23_DismCore_Hijacking/metainfo.yaml
@@ -1,5 +1,5 @@
 Updated: 26.12.2022
-ObjectId: LOC-CR-127877797
+ObjectId: SEC-CR-127877797
 ContentAutoName: UACME_23_DismCore_Hijacking
 ExpertContext:
 Created: 13.06.2023
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/UAC_Bypass_Via_Consent/metainfo.yaml b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/UAC_Bypass_Via_Consent/metainfo.yaml
index 2ef081fb..115fe34c 100644
--- a/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/UAC_Bypass_Via_Consent/metainfo.yaml
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/UAC_Bypass_Via_Consent/metainfo.yaml
@@ -14,7 +14,7 @@ ExpertContext:
 EventID:
 - 1
 - 7
-ObjectId: LOC-CR-133155613
+ObjectId: SEC-CR-133155613
 ContentRelations:
 Implements:
 ATTACK:
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Unquoted_Service_Path_Abuse/metainfo.yaml b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Unquoted_Service_Path_Abuse/metainfo.yaml
index 37c26436..8d837371 100644
--- a/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Unquoted_Service_Path_Abuse/metainfo.yaml
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Unquoted_Service_Path_Abuse/metainfo.yaml
@@ -1,4 +1,4 @@
-ObjectId: LOC-CR-178721525
+ObjectId: SEC-CR-178721525
 ContentAutoName: Unquoted_Service_Path_Abuse
 ExpertContext:
 Created: 07.06.2023
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/sAMAccountName_Spoofing/metainfo.yaml b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/sAMAccountName_Spoofing/metainfo.yaml
index 2168b9f6..06c7cd7c 100644
--- a/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/sAMAccountName_Spoofing/metainfo.yaml
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/sAMAccountName_Spoofing/metainfo.yaml
@@ -1,4 +1,4 @@
-ObjectId: LOC-CR-193677244
+ObjectId: SEC-CR-193677244
 ContentAutoName: sAMAccountName_Spoofing
 ExpertContext:
 Created: 04.06.2023
diff --git a/packages/windows_open_package/tabular_lists/AD_Domain_Controllers/metainfo.yaml b/packages/windows_open_package/tabular_lists/AD_Domain_Controllers/metainfo.yaml
index 5ceaf356..2c1c7a4f 100644
--- a/packages/windows_open_package/tabular_lists/AD_Domain_Controllers/metainfo.yaml
+++ b/packages/windows_open_package/tabular_lists/AD_Domain_Controllers/metainfo.yaml
@@ -1,2 +1,2 @@
-ObjectId: LOC-TL-41842215
+ObjectId: SEC-TL-41842215
 ContentAutoName: AD_Domain_Controllers
diff --git a/packages/windows_open_package/tabular_lists/Script_Extensions/metainfo.yaml b/packages/windows_open_package/tabular_lists/Script_Extensions/metainfo.yaml
index 33cb3304..509fb89e 100644
--- a/packages/windows_open_package/tabular_lists/Script_Extensions/metainfo.yaml
+++ b/packages/windows_open_package/tabular_lists/Script_Extensions/metainfo.yaml
@@ -1,2 +1,2 @@
-ObjectId: LOC-TL-204
+ObjectId: SEC-TL-204
 ContentAutoName: Script_Extensions