From 585c1c4669f9438cc97113efb175d7ac2d555066 Mon Sep 17 00:00:00 2001
From: Korving-F
Date: Wed, 23 Feb 2022 13:02:41 +0200
Subject: [PATCH] Updates 4 more scheduled alert rule techniques.

---
 .../ASimFileEvent/imFileESolarWindsSunburstSupernova.yaml | 5 ++++-
 .../ASimProcess/imProcess_malware_in_recyclebin.yaml | 6 ++++--
 .../DeviceEvents/SolarWinds_TEARDROP_Process-IOCs.yaml | 8 +++++---
 .../SolarWinds_SUNBURST_&_SUPERNOVA_File-IOCs.yaml | 5 ++++-
 4 files changed, 17 insertions(+), 7 deletions(-)

diff --git a/Detections/ASimFileEvent/imFileESolarWindsSunburstSupernova.yaml b/Detections/ASimFileEvent/imFileESolarWindsSunburstSupernova.yaml
index fd28a546d7..bb50aceaea 100644
--- a/Detections/ASimFileEvent/imFileESolarWindsSunburstSupernova.yaml
+++ b/Detections/ASimFileEvent/imFileESolarWindsSunburstSupernova.yaml
@@ -15,6 +15,9 @@ triggerThreshold: 0
 tactics:
   - Execution
   - Persistence
+  - InitialAccess
+relevantTechniques:
+  - T1195
 tags:
   - Id: a3c144f9-8051-47d4-ac29-ffb0c312c910
     version: 1.0.0
@@ -44,5 +47,5 @@ entityMappings:
         columnName: AlgorithmCustomEntity
       - identifier: Value
         columnName: FileHashCustomEntity
-version: 1.0.2
+version: 1.0.3
 kind: Scheduled
diff --git a/Detections/ASimProcess/imProcess_malware_in_recyclebin.yaml b/Detections/ASimProcess/imProcess_malware_in_recyclebin.yaml
index 50331b185f..29b932b00a 100644
--- a/Detections/ASimProcess/imProcess_malware_in_recyclebin.yaml
+++ b/Detections/ASimProcess/imProcess_malware_in_recyclebin.yaml
@@ -11,6 +11,8 @@ triggerOperator: gt
 triggerThreshold: 0
 tactics:
   - DefenseEvasion
+relevantTechniques:
+  - T1564
 tags:
   - Id: b8266f81-2715-41a6-9062-42486cbc9c73
     version: 1.0.0
@@ -35,5 +37,5 @@ entityMappings:
     fieldMappings:
       - identifier: FullName
         columnName: HostCustomEntity
-version: 1.2.1
-kind: Scheduled
\ No newline at end of file
+version: 1.2.2
+kind: Scheduled
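Review bot: In the first hunk of imFileESolarWindsSunburstSupernova.yaml the new `relevantTechniques` list holds only `T1195`, while `tactics` now lists Execution and Persistence alongside the added InitialAccess, so two of the three declared tactics have no technique backing them; the same mismatch appears in the first hunk of SolarWinds_SUNBURST_&_SUPERNOVA_File-IOCs.yaml. Tactic and technique lists on a scheduled rule are what ATT&CK coverage views key on, so either add the technique IDs that justify Execution and Persistence for this file-IOC rule, or trim `tactics:` to `  - InitialAccess` so the two lists agree. If Execution and Persistence are kept deliberately without a mapped technique, record that above the list, e.g. `# Execution/Persistence kept for the implant stage; only the supply-chain entry point is mapped to a technique`. The imProcess_malware_in_recyclebin.yaml hunk (DefenseEvasion with T1564) is internally consistent and needs no change.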
diff --git a/Detections/DeviceEvents/SolarWinds_TEARDROP_Process-IOCs.yaml b/Detections/DeviceEvents/SolarWinds_TEARDROP_Process-IOCs.yaml
index 6d86f3db23..93f7f50275 100644
--- a/Detections/DeviceEvents/SolarWinds_TEARDROP_Process-IOCs.yaml
+++ b/Detections/DeviceEvents/SolarWinds_TEARDROP_Process-IOCs.yaml
@@ -17,8 +17,10 @@ triggerThreshold: 0
 tactics:
   - Execution
   - Persistence
+  - InitialAccess
 relevantTechniques:
-  - T1543.003
+  - T1543
+  - T1195
 tags:
   - Sunburst
   - Solorigate
@@ -46,5 +48,5 @@ entityMappings:
         columnName: FileHashType
       - identifier: Value
         columnName: FileHashCustomEntity
-version: 1.0.0
-kind: Scheduled
\ No newline at end of file
+version: 1.0.1
+kind: Scheduled
diff --git a/Detections/DeviceFileEvents/SolarWinds_SUNBURST_&_SUPERNOVA_File-IOCs.yaml b/Detections/DeviceFileEvents/SolarWinds_SUNBURST_&_SUPERNOVA_File-IOCs.yaml
index 963e742f94..0b78d3eba1 100644
--- a/Detections/DeviceFileEvents/SolarWinds_SUNBURST_&_SUPERNOVA_File-IOCs.yaml
+++ b/Detections/DeviceFileEvents/SolarWinds_SUNBURST_&_SUPERNOVA_File-IOCs.yaml
@@ -17,6 +17,9 @@ triggerThreshold: 0
 tactics:
   - Execution
   - Persistence
+  - InitialAccess
+relevantTechniques:
+  - T1195
 query: |
   let SunburstMD5=dynamic(["b91ce2fa41029f6955bff20079468448","02af7cec58b9a5da1c542b5a32151ba1","2c4a910a1299cdae2a4e55988a2f102e","846e27a652a5e1bfbd0ddd38a16dc865","4f2eb62fa529c0283b28d05ddd311fae"]);
@@ -44,5 +47,5 @@ entityMappings:
         columnName: AlgorithmCustomEntity
       - identifier: Value
         columnName: FileHashCustomEntity
-version: 1.0.1
+version: 1.0.2
 kind: Scheduled
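Review bot: Replacing `- T1543.003` with `- T1543` in the first hunk of SolarWinds_TEARDROP_Process-IOCs.yaml discards the Windows-service sub-technique precision the rule previously carried, and nothing in the patch says why. If this is driven by a template validator that only accepts parent technique IDs (every other file in this patch adds parent IDs only, which suggests so), a comment next to the entry would stop the next maintainer from re-adding the sub-technique, e.g. `# parent ID only: sub-technique T1543.003 (Windows Service) not accepted by the rule schema — confirm`; if the validator does accept sub-techniques, keep `T1543.003` and consider `T1195.002` rather than `T1195` for the trojanized-update entry point. As in the two SUNBURST/SUPERNOVA file-IOC hunks, Execution remains in `tactics` with no technique mapped to it. The version bump to 1.0.1 and the added trailing newline are fine.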