diff --git a/detections/cloud/azure_ad_privileged_role_assigned_to_service_principal.yml b/detections/cloud/azure_ad_privileged_role_assigned_to_service_principal.yml index 528440d3b6..81216e2344 100644 --- a/detections/cloud/azure_ad_privileged_role_assigned_to_service_principal.yml +++ b/detections/cloud/azure_ad_privileged_role_assigned_to_service_principal.yml @@ -5,7 +5,7 @@ date: '2023-04-28' author: Mauricio Velazco, Splunk status: production type: TTP -description: The following analytic +description: The following analytic is geared towards detecting potential privilege escalation threats in Azure Active Directory (AD). It identifies instances where privileged roles, which hold elevated permissions, are assigned to Service Principals. These non-human entities that can access Azure resources could be exploited in an attack scenario, leading to unauthorized access or malicious activities. The analytic runs a specific search within the ingested Azure AD events, specifically leveraging the AuditLogs log category. Keep in mind, however, that there could be false positives, as administrators may legitimately assign privileged roles to Service Principals. data_source: [] search: ' `azuread` operationName="Add member to role" | rename properties.* as * diff --git a/detections/endpoint/access_lsass_memory_for_dump_creation.yml b/detections/endpoint/access_lsass_memory_for_dump_creation.yml index de729a784c..e78f2ab86d 100644 --- a/detections/endpoint/access_lsass_memory_for_dump_creation.yml +++ b/detections/endpoint/access_lsass_memory_for_dump_creation.yml 
@@ -5,7 +5,7 @@ date: '2019-12-06' author: Patrick Bareiss, Splunk status: production type: TTP -description: Detect memory dumping of the LSASS process. +description: The following analytic is designed to detect potentially malicious activities involving the Local Security Authority Subsystem Service (LSASS) process. Specifically, it identifies when the LSASS process memory is being dumped, an action often associated with credential dumping attacks. This analytic leverages Sysmon logs, particularly those with EventCode 10 related to lsass.exe. It searches for indicators of LSASS memory dumping, such as specific call traces to dbgcore.dll and dbghelp.dll. While memory dumps can be legitimate administrative tasks, LSASS memory dumps are typically unusual and warrant investigation. To implement this analytic, ensure your Sysmon setup includes EventCode 10 logging for lsass.exe and customize the provided macros (sysmon and post-filter macro) to match your specific Splunk environment configuration. data_source: - Sysmon Event ID 1 search: '`sysmon` EventCode=10 TargetImage=*lsass.exe CallTrace=*dbgcore.dll* OR CallTrace=*dbghelp.dll* diff --git a/detections/endpoint/attacker_tools_on_endpoint.yml b/detections/endpoint/attacker_tools_on_endpoint.yml index 81a51a9d34..16b6f81910 100644 --- a/detections/endpoint/attacker_tools_on_endpoint.yml +++ b/detections/endpoint/attacker_tools_on_endpoint.yml 
@@ -5,8 +5,7 @@ date: '2021-11-04' author: Bhavin Patel, Splunk status: production type: TTP -description: This search looks for execution of commonly used attacker tools on an - endpoint. +description: The following analytic aims to identify the use of tools commonly exploited by cybercriminals. The use of these tools often signals nefarious activities like unauthorized access, network scanning, or data exfiltration, representing a significant threat to an organization's security infrastructure. By examining process activity on the host, particularly those processes corresponding to known attacker tool names, this analytic serves as an early warning system for potential security incidents. However, its precision must be balanced with the understanding that some administrative activities might also trigger alerts, resulting in false positives. This underlines the importance of cyber analysts having a clear understanding of typical endpoint activities and behaviors within their organization, enabling them to accurately interpret and respond to these alerts. data_source: - Sysmon Event ID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) diff --git a/detections/endpoint/attempt_to_add_certificate_to_untrusted_store.yml b/detections/endpoint/attempt_to_add_certificate_to_untrusted_store.yml index a5aef514e1..d80819ce90 100644 --- a/detections/endpoint/attempt_to_add_certificate_to_untrusted_store.yml +++ b/detections/endpoint/attempt_to_add_certificate_to_untrusted_store.yml 
@@ -5,7 +5,7 @@ date: '2021-09-16' author: Patrick Bareiss, Rico Valdez, Splunk status: production type: TTP -description: Attempt To Add Certificate To Untrusted Store +description: The following analytic is designed to detect potential security threats involving the misuse of system trust. It works by detecting events where a process attempts to add a certificate to the untrusted certificate store, an action often associated with disabling security tools. The analytic uses Sysmon Event ID 1 data source, particularly focusing on process activities and command-line arguments related to 'certutil -addstore'. It's essential to ingest data that records process activity and logs containing process names and command lines for its effective operation. Be aware, sometimes administrators might legitimately perform this action. The analytic's value lies in detecting isolated or unexpected instances, indicative of potential malicious activities. Cybersecurity analysts should understand the importance of trust mechanisms and their subversion in system security. data_source: - Sysmon Event ID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime values(Processes.process) diff --git a/detections/endpoint/create_remote_thread_into_lsass.yml b/detections/endpoint/create_remote_thread_into_lsass.yml index 6f55b32160..2e74c5ef1d 100644 --- a/detections/endpoint/create_remote_thread_into_lsass.yml +++ b/detections/endpoint/create_remote_thread_into_lsass.yml 
@@ -5,7 +5,7 @@ date: '2019-12-06' author: Patrick Bareiss, Splunk status: production type: TTP -description: Detect remote thread creation into LSASS consistent with credential dumping. +description: The following analytic developed to detect potential credential dumping attacks where a remote thread is created in the Local Security Authority Subsystem Service (LSASS). Credential dumping, a common tactic used by adversaries to steal user authentication credentials, is a significant threat to network security. The analytic leverages Sysmon Event ID 8 logs and looks for processes creating remote threads in lsass.exe, an unusual activity generally linked to credential theft. The confidence level in this alert is high, but it's worth noting that there might be cases where legitimate tools can access LSASS, generating similar logs. As an analyst, it is critical to understand the broader context of such events and differentiate between legitimate activities and possible threats. data_source: - Sysmon Event ID 8 search: '`sysmon` EventID=8 TargetImage=*lsass.exe | stats count min(_time) as firstTime diff --git a/detections/endpoint/detect_exchange_web_shell.yml b/detections/endpoint/detect_exchange_web_shell.yml index 2501fd8c4a..62ca63a1c3 100644 --- a/detections/endpoint/detect_exchange_web_shell.yml +++ b/detections/endpoint/detect_exchange_web_shell.yml @@ -66,6 +66,7 @@ tags: - T1505 - T1505.003 - T1190 + - T1133 observable: - name: user type: User diff --git a/detections/endpoint/dump_lsass_via_comsvcs_dll.yml b/detections/endpoint/dump_lsass_via_comsvcs_dll.yml index 54086f1e85..385ac36c5b 100644 --- a/detections/endpoint/dump_lsass_via_comsvcs_dll.yml +++ b/detections/endpoint/dump_lsass_via_comsvcs_dll.yml 
@@ -5,7 +5,7 @@ date: '2023-04-14' author: Patrick Bareiss, Splunk status: production type: TTP -description: Detect the usage of comsvcs.dll for dumping the lsass process. +description: 'The following analytic detects the behavior of dumping credentials from memory, a tactic commonly used by adversaries. Specifically, it targets the exploitation of the Local Security Authority Subsystem Service (LSASS) in Windows, which manages system-level authentication. Threat actors can use the comsvcs.dll to exploit this process and obtain valuable credentials. The analytic identifies instances where the rundll32 process is used in conjunction with the comsvcs.dll and MiniDump, indicating potential LSASS dumping attempts. This tactic is often part of more extensive attack campaigns and is associated with numerous threat groups. Identifying this behavior is crucial for security operations center (SOC) analysts, as credential theft can lead to broader system compromise, persistence, lateral movement, and escalated privileges. It is important to note that no legitimate use of this technique has been identified so far. The impact of the attack, if a true positive is found, can be severe. Attackers can use the stolen credentials to access sensitive information or systems, leading to data theft, ransomware attacks, or other damaging outcomes. To implement this analytic, ensure that logs with process information are ingested from your endpoints. However, be aware of potential false positives, as legitimate uses of the LSASS process may cause benign activities to be flagged. Upon triage, review the processes involved in the LSASS dumping attempt, capture and inspect any relevant on-disk artifacts, and look for concurrent processes to identify the attack source. By identifying and mitigating LSASS exploitation attempts early on, SOC analysts can better protect their organization''s assets and prevent potential breaches.' 
data_source: - Sysmon Event ID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) diff --git a/detections/endpoint/exchange_powershell_abuse_via_ssrf.yml b/detections/endpoint/exchange_powershell_abuse_via_ssrf.yml index efad0f8a63..3d78b9ece7 100644 --- a/detections/endpoint/exchange_powershell_abuse_via_ssrf.yml +++ b/detections/endpoint/exchange_powershell_abuse_via_ssrf.yml @@ -45,6 +45,7 @@ tags: and take action accordingly. mitre_attack_id: - T1190 + - T1133 observable: - name: dest type: Hostname diff --git a/detections/endpoint/java_writing_jsp_file.yml b/detections/endpoint/java_writing_jsp_file.yml index f44590988f..578422eaab 100644 --- a/detections/endpoint/java_writing_jsp_file.yml +++ b/detections/endpoint/java_writing_jsp_file.yml @@ -46,6 +46,7 @@ tags: a jsp file to disk, potentially indicative of exploitation. mitre_attack_id: - T1190 + - T1133 observable: - name: dest type: Hostname diff --git a/detections/endpoint/linux_java_spawning_shell.yml b/detections/endpoint/linux_java_spawning_shell.yml index 5919541409..607f672ed5 100644 --- a/detections/endpoint/linux_java_spawning_shell.yml +++ b/detections/endpoint/linux_java_spawning_shell.yml @@ -44,6 +44,7 @@ tags: on endpoint $dest$ spawning a Linux shell, potentially indicative of exploitation. mitre_attack_id: - T1190 + - T1133 observable: - name: dest type: Hostname diff --git a/detections/endpoint/living_off_the_land.yml b/detections/endpoint/living_off_the_land.yml index 4ad1ddb41b..8a69f0ffd0 100644 --- a/detections/endpoint/living_off_the_land.yml +++ b/detections/endpoint/living_off_the_land.yml @@ -44,6 +44,7 @@ tags: - T1105 - T1190 - T1059 + - T1133 observable: - name: affected_systems type: Hostname diff --git a/detections/endpoint/log4shell_cve_2021_44228_exploitation.yml b/detections/endpoint/log4shell_cve_2021_44228_exploitation.yml index 8b951012e4..3ac5164965 100644 --- a/detections/endpoint/log4shell_cve_2021_44228_exploitation.yml 
+++ b/detections/endpoint/log4shell_cve_2021_44228_exploitation.yml @@ -53,6 +53,7 @@ tags: - T1105 - T1190 - T1059 + - T1133 observable: - name: risk_object type: Hostname diff --git a/detections/endpoint/ms_exchange_mailbox_replication_service_writing_active_server_pages.yml b/detections/endpoint/ms_exchange_mailbox_replication_service_writing_active_server_pages.yml index 666ce9cd04..fd80d104f1 100644 --- a/detections/endpoint/ms_exchange_mailbox_replication_service_writing_active_server_pages.yml +++ b/detections/endpoint/ms_exchange_mailbox_replication_service_writing_active_server_pages.yml @@ -62,6 +62,7 @@ tags: - T1505 - T1505.003 - T1190 + - T1133 observable: - name: user type: User diff --git a/detections/endpoint/outbound_network_connection_from_java_using_default_ports.yml b/detections/endpoint/outbound_network_connection_from_java_using_default_ports.yml index 7c86398f93..a574a32798 100644 --- a/detections/endpoint/outbound_network_connection_from_java_using_default_ports.yml +++ b/detections/endpoint/outbound_network_connection_from_java_using_default_ports.yml @@ -45,6 +45,7 @@ tags: $dest$ mitre_attack_id: - T1190 + - T1133 observable: - name: dest type: Hostname diff --git a/detections/endpoint/papercut_ng_suspicious_behavior_debug_log.yml b/detections/endpoint/papercut_ng_suspicious_behavior_debug_log.yml index cce66a6674..22119cc1aa 100644 --- a/detections/endpoint/papercut_ng_suspicious_behavior_debug_log.yml +++ b/detections/endpoint/papercut_ng_suspicious_behavior_debug_log.yml @@ -33,6 +33,7 @@ tags: message: Behavior related to exploitation of PaperCut NG has been identified on $host$. mitre_attack_id: - T1190 + - T1133 observable: - name: host type: Hostname diff --git a/detections/endpoint/script_execution_via_wmi.yml b/detections/endpoint/script_execution_via_wmi.yml index d926b1fc82..bb8c2cda02 100644 --- a/detections/endpoint/script_execution_via_wmi.yml +++ b/detections/endpoint/script_execution_via_wmi.yml 
@@ -5,7 +5,7 @@ date: '2020-03-16' author: Rico Valdez, Michael Haag, Splunk status: production type: TTP -description: This search looks for scripts launched via WMI. +description: The following analytic is designed to detect the potential misuse of Windows Management Instrumentation (WMI) for malicious purposes. WMI can be utilized by adversaries to execute scripts, a method often employed for maintaining stealth while carrying out malicious activities. The process 'scrcons.exe', integral to executing WMI scripts, is primarily monitored by this analytic. The underlying threat lies in the fact that successful execution of a malicious script can lead to numerous negative outcomes, including system compromise, data exfiltration, or the establishment of persistence. It's essential for cybersecurity analysts to remain vigilant towards unexpected or isolated script executions via WMI, as such instances often signal suspicious activities or potential security breaches. Although uncommon, administrators may occasionally use WMI to launch scripts for legitimate purposes. Therefore, discerning malicious activities from benign ones is crucial in this context. data_source: - Sysmon Event ID 1 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) @@ -27,7 +27,7 @@ tags: asset_type: Endpoint confidence: 60 impact: 60 - message: A wmic.exe process $process_name$ taht execute script in host $dest$ + message: A wmic.exe process $process_name$ that execute script in host $dest$ mitre_attack_id: - T1047 observable: diff --git a/detections/endpoint/windows_java_spawning_shells.yml b/detections/endpoint/windows_java_spawning_shells.yml index edef829b15..df9b53f3e5 100644 --- a/detections/endpoint/windows_java_spawning_shells.yml +++ b/detections/endpoint/windows_java_spawning_shells.yml 
@@ -46,6 +46,7 @@ tags: on endpoint $dest$ spawning a Windows shell, potentially indicative of exploitation. mitre_attack_id: - T1190 + - T1133 observable: - name: dest type: Hostname diff --git a/detections/endpoint/windows_papercut_ng_spawn_shell.yml b/detections/endpoint/windows_papercut_ng_spawn_shell.yml index 3687655fd0..1a1aa16705 100644 --- a/detections/endpoint/windows_papercut_ng_spawn_shell.yml +++ b/detections/endpoint/windows_papercut_ng_spawn_shell.yml @@ -29,6 +29,7 @@ tags: mitre_attack_id: - T1059 - T1190 + - T1133 observable: - name: user type: User diff --git a/detections/endpoint/wmi_permanent_event_subscription.yml b/detections/endpoint/wmi_permanent_event_subscription.yml index cb429c4146..0a58c1323b 100644 --- a/detections/endpoint/wmi_permanent_event_subscription.yml +++ b/detections/endpoint/wmi_permanent_event_subscription.yml 
@@ -5,7 +5,7 @@ date: '2018-10-23' author: Rico Valdez, Splunk status: experimental type: TTP -description: This search looks for the creation of WMI permanent event subscriptions. +description: The following analytic seeks to detect the creation of Windows Management Instrumentation (WMI) permanent event subscriptions, a technique often used by adversaries for persistence. Such a subscription allows for the execution of specified scripts or binaries in response to defined system events, potentially enabling malicious activities to persist unnoticed. The analytic uses Sysmon Event ID 5 data, specifically focusing on instances where consumers of these events are not the expected "NTEventLogEventConsumer." Although WMI event subscriptions can be used legitimately by administrators, unusual or unexpected subscription creation should be treated as suspicious. Analysts need to be cognizant of the potential for false positives in legitimate administrative activities and should understand WMI activity within the context of the monitored environment. data_source: - Sysmon Event ID 5 search: '`wmi` EventCode=5861 Binding | rex field=Message "Consumer =\s+(?[^;|^$]+)" diff --git a/detections/network/detect_windows_dns_sigred_via_splunk_stream.yml b/detections/network/detect_windows_dns_sigred_via_splunk_stream.yml index 630038f42e..196d75eaf9 100644 --- a/detections/network/detect_windows_dns_sigred_via_splunk_stream.yml +++ b/detections/network/detect_windows_dns_sigred_via_splunk_stream.yml 
@@ -5,7 +5,7 @@ date: '2020-07-28' author: Shannon Davis, Splunk status: experimental type: TTP -description: This search detects SIGRed via Splunk Stream. +description: The following analytic is an experimental search designed to identify SIGRed exploitation attempts. SIGRed is a severe, wormable, remote code execution vulnerability in Windows DNS servers, identified as CVE-2020-1350. This analytic specifically looks for DNS SIG and KEY records, and TCP payloads larger than 65KB - potential indicators of the SIGRed exploit. It requires ingestion of both Splunk Stream DNS and TCP data. The search does rely on macro definitions for 'stream:dns' and 'stream:tcp', which should be replaced with appropriate configurations tailored to your Splunk environment. data_source: [] search: '`stream_dns` | spath "query_type{}" | search "query_type{}" IN (SIG,KEY) | spath protocol_stack | search protocol_stack="ip:tcp:dns" | append [search `stream_tcp` diff --git a/detections/network/f5_big_ip_icontrol_rest_vulnerability_cve_2022_1388.yml b/detections/network/f5_big_ip_icontrol_rest_vulnerability_cve_2022_1388.yml index 2622f3777d..6edeb0adb8 100644 --- a/detections/network/f5_big_ip_icontrol_rest_vulnerability_cve_2022_1388.yml +++ b/detections/network/f5_big_ip_icontrol_rest_vulnerability_cve_2022_1388.yml @@ -39,6 +39,7 @@ tags: occurred. mitre_attack_id: - T1190 + - T1133 observable: - name: dest type: Hostname diff --git a/detections/web/confluence_unauthenticated_remote_code_execution_cve_2022_26134.yml b/detections/web/confluence_unauthenticated_remote_code_execution_cve_2022_26134.yml index c3eeb1ac00..da1d450324 100644 --- a/detections/web/confluence_unauthenticated_remote_code_execution_cve_2022_26134.yml +++ b/detections/web/confluence_unauthenticated_remote_code_execution_cve_2022_26134.yml @@ -44,6 +44,7 @@ tags: mitre_attack_id: - T1505 - T1190 + - T1133 observable: - name: dest type: IP Address 
diff --git a/detections/web/detect_attackers_scanning_for_vulnerable_jboss_servers.yml b/detections/web/detect_attackers_scanning_for_vulnerable_jboss_servers.yml index 0fb149cee4..1c737dda9a 100644 --- a/detections/web/detect_attackers_scanning_for_vulnerable_jboss_servers.yml +++ b/detections/web/detect_attackers_scanning_for_vulnerable_jboss_servers.yml @@ -29,6 +29,7 @@ tags: message: tbd mitre_attack_id: - T1082 + - T1133 observable: - name: dest type: Hostname diff --git a/detections/web/exploit_public_facing_application_via_apache_commons_text.yml b/detections/web/exploit_public_facing_application_via_apache_commons_text.yml index 26d143a359..b875a38e22 100644 --- a/detections/web/exploit_public_facing_application_via_apache_commons_text.yml +++ b/detections/web/exploit_public_facing_application_via_apache_commons_text.yml @@ -58,6 +58,7 @@ tags: - T1505.003 - T1505 - T1190 + - T1133 observable: - name: dest type: IP Address diff --git a/detections/web/exploit_public_facing_fortinet_fortinac_cve_2022_39952.yml b/detections/web/exploit_public_facing_fortinet_fortinac_cve_2022_39952.yml index 11604b641f..c346ffbb44 100644 --- a/detections/web/exploit_public_facing_fortinet_fortinac_cve_2022_39952.yml +++ b/detections/web/exploit_public_facing_fortinet_fortinac_cve_2022_39952.yml @@ -35,6 +35,7 @@ tags: $dest$. mitre_attack_id: - T1190 + - T1133 observable: - name: dest type: Hostname diff --git a/detections/web/fortinet_appliance_auth_bypass.yml b/detections/web/fortinet_appliance_auth_bypass.yml index 6c60700fa2..194d47ded9 100644 --- a/detections/web/fortinet_appliance_auth_bypass.yml +++ b/detections/web/fortinet_appliance_auth_bypass.yml @@ -58,6 +58,7 @@ tags: against $dest$. mitre_attack_id: - T1190 + - T1133 observable: - name: dest type: Hostname diff --git a/detections/web/hunting_for_log4shell.yml b/detections/web/hunting_for_log4shell.yml index 7ce1936798..16d6e8aadc 100644 --- a/detections/web/hunting_for_log4shell.yml 
+++ b/detections/web/hunting_for_log4shell.yml @@ -82,6 +82,7 @@ tags: message: Hunting for Log4Shell exploitation has occurred. mitre_attack_id: - T1190 + - T1133 observable: - name: dest type: Hostname diff --git a/detections/web/log4shell_jndi_payload_injection_attempt.yml b/detections/web/log4shell_jndi_payload_injection_attempt.yml index b69b9150fd..7fae8c4a15 100644 --- a/detections/web/log4shell_jndi_payload_injection_attempt.yml +++ b/detections/web/log4shell_jndi_payload_injection_attempt.yml @@ -46,6 +46,7 @@ tags: message: CVE-2021-44228 Log4Shell triggered for host $dest$ mitre_attack_id: - T1190 + - T1133 observable: - name: user type: User diff --git a/detections/web/log4shell_jndi_payload_injection_with_outbound_connection.yml b/detections/web/log4shell_jndi_payload_injection_with_outbound_connection.yml index 47d58889ed..214bc83cf4 100644 --- a/detections/web/log4shell_jndi_payload_injection_with_outbound_connection.yml +++ b/detections/web/log4shell_jndi_payload_injection_with_outbound_connection.yml @@ -41,6 +41,7 @@ tags: message: CVE-2021-44228 Log4Shell triggered for host $dest$ mitre_attack_id: - T1190 + - T1133 observable: - name: user type: User diff --git a/detections/web/papercut_ng_remote_web_access_attempt.yml b/detections/web/papercut_ng_remote_web_access_attempt.yml index 5f46d9b535..33a22473bf 100644 --- a/detections/web/papercut_ng_remote_web_access_attempt.yml +++ b/detections/web/papercut_ng_remote_web_access_attempt.yml @@ -29,6 +29,7 @@ tags: message: URIs specific to PaperCut NG have been access by a public IP against $dest$. mitre_attack_id: - T1190 + - T1133 observable: - name: dest type: Hostname diff --git a/detections/web/proxyshell_proxynotshell_behavior_detected.yml b/detections/web/proxyshell_proxynotshell_behavior_detected.yml index 091db37e65..9670242bc1 100644 --- a/detections/web/proxyshell_proxynotshell_behavior_detected.yml +++ b/detections/web/proxyshell_proxynotshell_behavior_detected.yml 
@@ -49,6 +49,7 @@ tags: message: ProxyShell or ProxyNotShell activity has been identified on $risk_object$. mitre_attack_id: - T1190 + - T1133 observable: - name: risk_object type: Hostname diff --git a/detections/web/spring4shell_payload_url_request.yml b/detections/web/spring4shell_payload_url_request.yml index c89f17b073..394d91b61a 100644 --- a/detections/web/spring4shell_payload_url_request.yml +++ b/detections/web/spring4shell_payload_url_request.yml @@ -36,6 +36,7 @@ tags: - T1505.003 - T1505 - T1190 + - T1133 observable: - name: dest type: IP Address diff --git a/detections/web/supernova_webshell.yml b/detections/web/supernova_webshell.yml index 127f261a68..cf7af755e1 100644 --- a/detections/web/supernova_webshell.yml +++ b/detections/web/supernova_webshell.yml @@ -30,6 +30,7 @@ tags: message: tbd mitre_attack_id: - T1505.003 + - T1133 observable: - name: user type: User diff --git a/detections/web/vmware_server_side_template_injection_hunt.yml b/detections/web/vmware_server_side_template_injection_hunt.yml index f488d5bdc2..3b1b1176b9 100644 --- a/detections/web/vmware_server_side_template_injection_hunt.yml +++ b/detections/web/vmware_server_side_template_injection_hunt.yml @@ -39,6 +39,7 @@ tags: $dest$ has occurred. mitre_attack_id: - T1190 + - T1133 observable: - name: dest type: Hostname diff --git a/detections/web/vmware_workspace_one_freemarker_server_side_template_injection.yml b/detections/web/vmware_workspace_one_freemarker_server_side_template_injection.yml index 6d1e94245e..ab7446c4df 100644 --- a/detections/web/vmware_workspace_one_freemarker_server_side_template_injection.yml +++ b/detections/web/vmware_workspace_one_freemarker_server_side_template_injection.yml @@ -40,6 +40,7 @@ tags: $dest$ has occurred. mitre_attack_id: - T1190 + - T1133 observable: - name: dest type: Hostname diff --git a/detections/web/web_jsp_request_via_url.yml b/detections/web/web_jsp_request_via_url.yml index 261aaee31d..e87267fde9 100644 
--- a/detections/web/web_jsp_request_via_url.yml +++ b/detections/web/web_jsp_request_via_url.yml @@ -37,6 +37,7 @@ tags: - T1505.003 - T1505 - T1190 + - T1133 observable: - name: dest type: Hostname diff --git a/detections/web/web_spring4shell_http_request_class_module.yml b/detections/web/web_spring4shell_http_request_class_module.yml index 1d4421e43b..992b5aef3d 100644 --- a/detections/web/web_spring4shell_http_request_class_module.yml +++ b/detections/web/web_spring4shell_http_request_class_module.yml @@ -34,6 +34,7 @@ tags: $src$. mitre_attack_id: - T1190 + - T1133 observable: - name: dest type: Hostname diff --git a/detections/web/web_spring_cloud_function_functionrouter.yml b/detections/web/web_spring_cloud_function_functionrouter.yml index 030e60448a..063f117bb9 100644 --- a/detections/web/web_spring_cloud_function_functionrouter.yml +++ b/detections/web/web_spring_cloud_function_functionrouter.yml @@ -36,6 +36,7 @@ tags: a vulnerability in Spring Cloud. mitre_attack_id: - T1190 + - T1133 observable: - name: dest type: Hostname diff --git a/detections/web/windows_exchange_autodiscover_ssrf_abuse.yml b/detections/web/windows_exchange_autodiscover_ssrf_abuse.yml index 13e2f51696..7c2ac80407 100644 --- a/detections/web/windows_exchange_autodiscover_ssrf_abuse.yml +++ b/detections/web/windows_exchange_autodiscover_ssrf_abuse.yml @@ -54,6 +54,7 @@ tags: $dest$. Review events and take action accordingly. mitre_attack_id: - T1190 + - T1133 observable: - name: dest type: Hostname diff --git a/dev/endpoint/java_writing_jsp_file.yml b/dev/endpoint/java_writing_jsp_file.yml index ccc98aa30b..af88f483a2 100644 --- a/dev/endpoint/java_writing_jsp_file.yml +++ b/dev/endpoint/java_writing_jsp_file.yml @@ -42,6 +42,7 @@ tags: a jsp file to disk, potentially indicative of exploitation. mitre_attack_id: - T1190 + - T1133 observable: - name: dest type: Hostname 
diff --git a/dev/endpoint/linux_java_spawning_shell.yml b/dev/endpoint/linux_java_spawning_shell.yml index c243f2a070..4206667114 100644 --- a/dev/endpoint/linux_java_spawning_shell.yml +++ b/dev/endpoint/linux_java_spawning_shell.yml @@ -44,6 +44,7 @@ tags: on endpoint $dest$ spawning a Linux shell, potentially indicative of exploitation. mitre_attack_id: - T1190 + - T1133 observable: - name: dest type: Hostname diff --git a/dev/endpoint/outbound_network_connection_from_java_using_default_ports.yml b/dev/endpoint/outbound_network_connection_from_java_using_default_ports.yml index 0f266edf51..c55fd5c445 100644 --- a/dev/endpoint/outbound_network_connection_from_java_using_default_ports.yml +++ b/dev/endpoint/outbound_network_connection_from_java_using_default_ports.yml @@ -41,6 +41,7 @@ tags: $dest$ mitre_attack_id: - T1190 + - T1133 observable: - name: dest type: Hostname diff --git a/dev/endpoint/windows_java_spawning_shells.yml b/dev/endpoint/windows_java_spawning_shells.yml index 1f96fa61d3..7ed05c1314 100644 --- a/dev/endpoint/windows_java_spawning_shells.yml +++ b/dev/endpoint/windows_java_spawning_shells.yml @@ -41,6 +41,7 @@ tags: on endpoint $dest$ spawning a Windows shell, potentially indicative of exploitation. mitre_attack_id: - T1190 + - T1133 observable: - name: dest type: Hostname
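Review bot: In azure_ad_privileged_role_assigned_to_service_principal.yml the new description says the analytic "leverages the AuditLogs log category", yet the `data_source: []` context line directly beneath it is still empty; populate it with the Azure AD audit log source so the metadata and the prose agree.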
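Review bot: The new description in access_lsass_memory_for_dump_creation.yml says the analytic uses Sysmon EventCode 10, and the search is `EventCode=10 TargetImage=*lsass.exe`, but the unchanged `data_source:` entry just below it still lists `- Sysmon Event ID 1`; change it to `- Sysmon Event ID 10` so the metadata matches both the search and the description.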
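Review bot: In the attacker_tools_on_endpoint.yml description, "tools commonly exploited by cybercriminals" reads as if the tools were the vulnerable target; the search matches process names against a list of known attacker tool names, so "tools commonly used by attackers" (the wording of the replaced one-liner) is what the analytic actually detects.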
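Review bot: The first sentence of the create_remote_thread_into_lsass.yml description is missing its verb: "The following analytic developed to detect" should read "The following analytic is designed to detect" (or simply "detects"). Separately, this search filters on `EventID=8` while the other Sysmon searches in this patch filter on `EventCode`; worth confirming the field name is the one the `sysmon` macro's sourcetype emits.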
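Review bot: The `- T1133` added to the mitre_attack_id list of detect_exchange_web_shell.yml (and repeated in every web, Java, Exchange and PaperCut exploitation detection in this patch) arrives without a rationale in the diff. T1133 is External Remote Services (VPN, RDP, Citrix and similar externally reachable services), while exploitation of an internet-facing application is T1190, which these files already carry. Either document why the second mapping applies or limit it to detections where an external remote service is genuinely in scope, otherwise ATT&CK coverage reports derived from these tags will overstate T1133 coverage.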
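Review bot: The dump_lsass_via_comsvcs_dll.yml description contradicts itself: it states "no legitimate use of this technique has been identified so far" and then warns of "potential false positives, as legitimate uses of the LSASS process may cause benign activities to be flagged". Keep one position; if the false-positive sentence is intended, say what benign activity would run rundll32 with comsvcs.dll and MiniDump, which is what the search keys on. The description is also several times longer than every other one in this patch; the triage and impact material would read better split out of the one-paragraph description.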
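Review bot: The message fix in the second hunk of script_execution_via_wmi.yml corrects "taht" but leaves the rest of the sentence broken ("that execute script in host"), and it still names wmic.exe even though the new description says the analytic primarily monitors scrcons.exe. Suggest "A WMI script host process $process_name$ executed a script on host $dest$", or name whichever binary the search actually matches.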
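Review bot: The wmi_permanent_event_subscription.yml description says the analytic "uses Sysmon Event ID 5 data", but the search is `` `wmi` EventCode=5861 ``, which is the Microsoft-Windows-WMI-Activity operational event written when a permanent event subscription binding is created; Sysmon Event ID 5 is process termination and carries no consumer information. Correct the description (and the `data_source: - Sysmon Event ID 5` context line) to reference the WMI-Activity log, EventCode 5861.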
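Review bot: The description in detect_windows_dns_sigred_via_splunk_stream.yml tells users to replace macro definitions for 'stream:dns' and 'stream:tcp', but the search invokes `` `stream_dns` `` and `` `stream_tcp` ``; name the macros as they appear in the search so readers know what to customize. The "TCP payloads larger than 65KB" claim should also quote the same byte threshold the appended `stream_tcp` search applies, since that cutoff is not visible in the hunk and is the part a reader would tune.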
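Review bot: detect_attackers_scanning_for_vulnerable_jboss_servers.yml and supernova_webshell.yml both still carry `message: tbd` in the context lines directly above the added `- T1133`; since this patch already touches their tags blocks, fill in the risk message while here rather than shipping a placeholder alongside the new mapping.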