Merge PR #4512 from @frack113 - Add Missing Emerging Threats Tag

chore: add missing tag `detection.emerging_threats` for emerging threats rules
SigmaHQ · Oct 26, 2023 · 1584787 · 1584787
1 parent 86d5b64
commit 1584787
Show file tree

Hide file tree

Showing 31 changed files with 32 additions and 0 deletions.
diff --git a/rules-emerging-threats/2017/Malware/StoneDrill/win_system_apt_stonedrill.yml b/rules-emerging-threats/2017/Malware/StoneDrill/win_system_apt_stonedrill.yml
@@ -11,6 +11,7 @@ tags:
     - attack.persistence
     - attack.g0064
     - attack.t1543.003
+    - detection.emerging_threats
 logsource:
     product: windows
     service: system

diff --git a/rules-emerging-threats/2017/TA/Turla/pipe_created_apt_turla_named_pipes.yml b/rules-emerging-threats/2017/TA/Turla/pipe_created_apt_turla_named_pipes.yml
@@ -12,6 +12,7 @@ tags:
     - attack.g0010
     - attack.execution
     - attack.t1106
+    - detection.emerging_threats
 logsource:
     product: windows
     category: pipe_created

diff --git a/rules-emerging-threats/2017/TA/Turla/win_system_apt_carbonpaper_turla.yml b/rules-emerging-threats/2017/TA/Turla/win_system_apt_carbonpaper_turla.yml
@@ -11,6 +11,7 @@ tags:
     - attack.persistence
     - attack.g0010
     - attack.t1543.003
+    - detection.emerging_threats
 logsource:
     product: windows
     service: system

diff --git a/rules-emerging-threats/2017/TA/Turla/win_system_apt_turla_service_png.yml b/rules-emerging-threats/2017/TA/Turla/win_system_apt_turla_service_png.yml
@@ -11,6 +11,7 @@ tags:
     - attack.persistence
     - attack.g0010
     - attack.t1543.003
+    - detection.emerging_threats
 logsource:
     product: windows
     service: system

diff --git a/...s/2020/Exploits/win_vul_cve_2020_0688.yml → ...s/CVE-2020-0688/win_vul_cve_2020_0688.yml b/...s/2020/Exploits/win_vul_cve_2020_0688.yml → ...s/CVE-2020-0688/win_vul_cve_2020_0688.yml
@@ -11,6 +11,8 @@ modified: 2022/12/25
 tags:
     - attack.initial_access
     - attack.t1190
+    - cve.2020.0688
+    - detection.emerging_threats
 logsource:
     product: windows
     service: application

diff --git a/rules-emerging-threats/2020/TA/GALLIUM/win_dns_analytic_apt_gallium.yml b/rules-emerging-threats/2020/TA/GALLIUM/win_dns_analytic_apt_gallium.yml
@@ -15,6 +15,7 @@ tags:
     - attack.credential_access
     - attack.command_and_control
     - attack.t1071
+    - detection.emerging_threats
 logsource:
     product: windows
     service: dns-server-analytic

diff --git a/...merging-threats/2021/Exploits/CVE-2021-1675/file_event_win_cve_2021_1675_printspooler.yml b/...merging-threats/2021/Exploits/CVE-2021-1675/file_event_win_cve_2021_1675_printspooler.yml
@@ -15,6 +15,7 @@ tags:
     - attack.resource_development
     - attack.t1587
     - cve.2021.1675
+    - detection.emerging_threats
 logsource:
     category: file_event
     product: windows

diff --git a/...merging-threats/2021/Exploits/CVE-2021-26858/file_event_win_cve_2021_26858_msexchange.yml b/...merging-threats/2021/Exploits/CVE-2021-26858/file_event_win_cve_2021_26858_msexchange.yml
@@ -14,6 +14,7 @@ tags:
     - attack.t1203
     - attack.execution
     - cve.2021.26858
+    - detection.emerging_threats
 logsource:
     category: file_event
     product: windows

diff --git a/...s-emerging-threats/2021/Exploits/CVE-2021-40444/file_event_win_exploit_cve_2021_40444.yml b/...s-emerging-threats/2021/Exploits/CVE-2021-40444/file_event_win_exploit_cve_2021_40444.yml
@@ -11,6 +11,7 @@ modified: 2023/06/22
 tags:
     - attack.resource_development
     - attack.t1587
+    - detection.emerging_threats
 logsource:
     product: windows
     category: file_event

diff --git a/...s-emerging-threats/2021/Exploits/CVE-2021-41379/file_event_win_cve_2021_41379_msi_lpe.yml b/...s-emerging-threats/2021/Exploits/CVE-2021-41379/file_event_win_cve_2021_41379_msi_lpe.yml
@@ -11,6 +11,7 @@ modified: 2022/12/25
 tags:
     - attack.privilege_escalation
     - attack.t1068
+    - detection.emerging_threats
 logsource:
     category: file_event
     product: windows

diff --git a/.../2021/Exploits/win_vul_cve_2021_41379.yml → ...CVE-2021-41379/win_vul_cve_2021_41379.yml b/.../2021/Exploits/win_vul_cve_2021_41379.yml → ...CVE-2021-41379/win_vul_cve_2021_41379.yml
@@ -10,6 +10,7 @@ modified: 2022/07/12
 tags:
     - attack.initial_access
     - attack.t1190
+    - detection.emerging_threats
 logsource:
     product: windows
     service: application

diff --git a/...-threats/2021/Exploits/CVE-2021-44077/file_event_win_cve_2021_44077_poc_default_files.yml b/...-threats/2021/Exploits/CVE-2021-44077/file_event_win_cve_2021_44077_poc_default_files.yml
@@ -10,6 +10,7 @@ date: 2022/06/06
 tags:
     - attack.execution
     - cve.2021.44077
+    - detection.emerging_threats
 logsource:
     category: file_event
     product: windows

diff --git a/...-emerging-threats/2021/Exploits/file_event_win_cve_2021_31979_cve_2021_33771_exploits.yml b/...-emerging-threats/2021/Exploits/file_event_win_cve_2021_31979_cve_2021_33771_exploits.yml
@@ -14,6 +14,7 @@ tags:
     - attack.t1203
     - cve.2021.33771
     - cve.2021.31979
+    - detection.emerging_threats
     # - threat_group.Sourgum
 logsource:
     product: windows

diff --git a/rules-emerging-threats/2021/Exploits/win_exchange_cve_2021_42321.yml b/rules-emerging-threats/2021/Exploits/win_exchange_cve_2021_42321.yml
@@ -10,6 +10,7 @@ modified: 2022/07/12
 tags:
     - attack.lateral_movement
     - attack.t1210
+    - detection.emerging_threats
 logsource:
     product: windows
     service: msexchange-management

diff --git a/rules-emerging-threats/2022/Exploits/CVE-2022-24527/file_event_win_cve_2022_24527_lpe.yml b/rules-emerging-threats/2022/Exploits/CVE-2022-24527/file_event_win_cve_2022_24527_lpe.yml
@@ -10,6 +10,7 @@ tags:
     - attack.privilege_escalation
     - attack.t1059.001
     - cve.2022.24527
+    - detection.emerging_threats
 logsource:
     category: file_event
     product: windows

diff --git a/...2/Malware/BlueSky-Ransomware/win_security_malware_bluesky_ransomware_files_indicators.yml b/...2/Malware/BlueSky-Ransomware/win_security_malware_bluesky_ransomware_files_indicators.yml
@@ -9,6 +9,7 @@ date: 2023/05/23
 tags:
     - attack.impact
     - attack.t1486
+    - detection.emerging_threats
 logsource:
     product: windows
     service: security

diff --git a/rules-emerging-threats/2022/Malware/win_mssql_sp_maggie.yml b/rules-emerging-threats/2022/Malware/win_mssql_sp_maggie.yml
@@ -10,6 +10,7 @@ modified: 2022/10/09
 tags:
     - attack.persistence
     - attack.t1546
+    - detection.emerging_threats
 logsource:
     product: windows
     service: application

diff --git a/...erging-threats/2023/Exploits/CVE-2023-20198/cisco_syslog_cve_2023_20198_ios_xe_web_ui.yml b/...erging-threats/2023/Exploits/CVE-2023-20198/cisco_syslog_cve_2023_20198_ios_xe_web_ui.yml
@@ -10,6 +10,7 @@ date: 2023/10/20
 tags:
     - attack.privilege_escalation
     - attack.initial_access
+    - detection.emerging_threats
 logsource:
     product: cisco
     service: syslog

diff --git a/...emerging-threats/2023/Exploits/CVE-2023-27363/file_event_win_cve_2023_27363_foxit_rce.yml b/...emerging-threats/2023/Exploits/CVE-2023-27363/file_event_win_cve_2023_27363_foxit_rce.yml
@@ -12,6 +12,7 @@ tags:
     - attack.persistence
     - attack.t1505.001
     - cve.2023.27363
+    - detection.emerging_threats
 logsource:
     product: windows
     category: file_event

diff --git a/...erging-threats/2023/Exploits/CVE-2023-27997/web_cve_2023_27997_pre_authentication_rce.yml b/...erging-threats/2023/Exploits/CVE-2023-27997/web_cve_2023_27997_pre_authentication_rce.yml
@@ -15,6 +15,7 @@ tags:
     - cve.2023.27997
     - attack.initial_access
     - attack.t1190
+    - detection.emerging_threats
 logsource:
     category: webserver
 detection:

diff --git a/...023-36884/file_event_win_exploit_cve_2023_36884_office_windows_html_rce_file_patterns.yml b/...023-36884/file_event_win_exploit_cve_2023_36884_office_windows_html_rce_file_patterns.yml
@@ -12,6 +12,7 @@ tags:
     - attack.persistence
     - attack.defense_evasion
     - cve.2023.36884
+    - detection.emerging_threats
 logsource:
     category: file_event
     product: windows

diff --git a/...ats/2023/Exploits/CVE-2023-36884/proxy_exploit_cve_2023_36884_office_windows_html_rce.yml b/...ats/2023/Exploits/CVE-2023-36884/proxy_exploit_cve_2023_36884_office_windows_html_rce.yml
@@ -9,6 +9,7 @@ date: 2023/07/12
 tags:
     - attack.command_and_control
     - cve.2023.36884
+    - detection.emerging_threats
 logsource:
     category: proxy
 detection:

diff --git a/...84/proxy_exploit_cve_2023_36884_office_windows_html_rce_extenstion_ip_pattern_traffic.yml b/...84/proxy_exploit_cve_2023_36884_office_windows_html_rce_extenstion_ip_pattern_traffic.yml
@@ -9,6 +9,7 @@ date: 2023/07/12
 tags:
     - attack.command_and_control
     - cve.2023.36884
+    - detection.emerging_threats
 logsource:
     category: proxy
 detection:

diff --git a/.../Exploits/CVE-2023-36884/proxy_exploit_cve_2023_36884_office_windows_html_rce_traffic.yml b/.../Exploits/CVE-2023-36884/proxy_exploit_cve_2023_36884_office_windows_html_rce_traffic.yml
@@ -9,6 +9,7 @@ date: 2023/07/12
 tags:
     - attack.command_and_control
     - cve.2023.36884
+    - detection.emerging_threats
 logsource:
     category: proxy
 detection:

diff --git a/...VE-2023-36884/proxy_exploit_cve_2023_36884_office_windows_html_rce_url_marker_traffic.yml b/...VE-2023-36884/proxy_exploit_cve_2023_36884_office_windows_html_rce_url_marker_traffic.yml
@@ -9,6 +9,7 @@ date: 2023/07/12
 tags:
     - attack.command_and_control
     - cve.2023.36884
+    - detection.emerging_threats
 logsource:
     category: proxy
 detection:

diff --git a/...6884/win_security_exploit_cve_2023_36884_office_windows_html_rce_share_access_pattern.yml b/...6884/win_security_exploit_cve_2023_36884_office_windows_html_rce_share_access_pattern.yml
@@ -9,6 +9,7 @@ date: 2023/07/13
 tags:
     - attack.command_and_control
     - cve.2023.36884
+    - detection.emerging_threats
 logsource:
     product: windows
     service: security

diff --git a/rules-emerging-threats/2023/Exploits/win_msmq_corrupted_packet.yml b/rules-emerging-threats/2023/Exploits/win_msmq_corrupted_packet.yml
@@ -8,6 +8,7 @@ author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023/04/21
 tags:
     - attack.execution
+    - detection.emerging_threats
 logsource:
     product: windows
     service: application

diff --git a/...threats/2023/Malware/DarkGate/file_event_win_malware_darkgate_autoit3_binary_creation.yml b/...threats/2023/Malware/DarkGate/file_event_win_malware_darkgate_autoit3_binary_creation.yml
@@ -17,6 +17,7 @@ tags:
     - attack.execution
     - attack.t1105
     - attack.t1059
+    - detection.emerging_threats
 logsource:
     category: file_event
     product: windows

diff --git a/...are/DarkGate/proc_creation_win_malware_darkgate_autoit3_from_susp_parent_and_location.yml b/...are/DarkGate/proc_creation_win_malware_darkgate_autoit3_from_susp_parent_and_location.yml
@@ -14,6 +14,7 @@ date: 2023/10/15
 tags:
     - attack.execution
     - attack.t1059
+    - detection.emerging_threats
 logsource:
     category: process_creation
     product: windows

diff --git a/...ng-threats/2023/Malware/DarkGate/proc_creation_win_malware_darkgate_net_user_creation.yml b/...ng-threats/2023/Malware/DarkGate/proc_creation_win_malware_darkgate_net_user_creation.yml
@@ -10,6 +10,7 @@ modified: 2023/10/15
 tags:
     - attack.persistence
     - attack.t1136.001
+    - detection.emerging_threats
 logsource:
     category: process_creation
     product: windows

diff --git a/rules-emerging-threats/2023/Malware/dns_query_win_malware_socgholish_second_stage_c2.yml b/rules-emerging-threats/2023/Malware/dns_query_win_malware_socgholish_second_stage_c2.yml
@@ -11,6 +11,7 @@ date: 2023/02/23
 tags:
     - attack.command_and_control
     - attack.t1219
+    - detection.emerging_threats
 logsource:
     product: windows
     category: dns_query