├── LICENSE
├── MITRE ATT&CK TTP HX OPENIOC RULES
│   ├── Collection
│   │   └── Archive Collected Data
│   │       └── SharpHound (Utility).ioc
│   ├── Command and Control
│   │   ├── Application Layer Protocol
│   │   │   └── ThunderShell (Utility).ioc
│   │   ├── Ingress Tool Transfer
│   │   │   ├── BITSAdmin downloading suspicious binaries (Methodology).ioc
│   │   │   └── CertUtil downloading suspicious binaries (Methodology).ioc
│   │   ├── Protocol Tunneling
│   │   │   └── Ligolo (Utility).ioc
│   │   ├── Proxy
│   │   │   └── PortProxy (Utility).ioc
│   │   └── Remote Access Software
│   │       ├── Ammyy Admin (Utility).ioc
│   │       ├── Anydesk (Utility).ioc
│   │       ├── Atera (Utility).ioc
│   │       ├── GoToAssist (Utility).ioc
│   │       ├── LogMeIn (Utility).ioc
│   │       ├── ScreenConnect (Utility).ioc
│   │       ├── Splashtop (Utility).ioc
│   │       ├── TeamViewer (Utility).ioc
│   │       ├── VNC (Utility).ioc
│   │       └── VNC module backdoor (Utility).ioc
│   ├── Credential Access
│   │   ├── Credentials From Password Stores
│   │   │   ├── LaZagne (Utility).ioc
│   │   │   └── azbelt (Utility).ioc
│   │   ├── OS Credential Dumping
│   │   │   ├── DSInternals (Utility).ioc
│   │   │   ├── ExtPassword (Utility).ioc
│   │   │   ├── Fgdump (Utility).ioc
│   │   │   ├── Potential Credential dumping from Password Stores (Methodology).ioc
│   │   │   ├── PowerSploit's Invoke-NinjaCopy (Utility).ioc
│   │   │   ├── Secretsdump.py (Utility).ioc
│   │   │   ├── SharpDPAPI (Utility).ioc
│   │   │   ├── SharpLAPS (Utility).ioc
│   │   │   ├── SharpSecDump (Utility).ioc
│   │   │   ├── Suspicious access to Ntds.dit Active Directory database (Methodology).ioc
│   │   │   └── Suspicious process dump using comsvcs.dll (Methodology).ioc
│   │   └── Steal or Forge Authentication Certificates
│   │       └── Certify (Utility).ioc
│   ├── Defense Evasion
│   │   ├── Command Obfuscation
│   │   │   ├── Suspicious Execution of mshta.exe.ioc
│   │   │   └── Suspicious Powershell Command Obfuscation (Methodology).ioc
│   │   ├── Impair Defenses
│   │   │   └── Disable or Modify Tools
│   │   │       ├── Backstab (Utility).ioc
│   │   │       ├── PCHunter (Utility).ioc
│   │   │       ├── PowerTool (Utility).ioc
│   │   │       └── TDSSKiller (Utility).ioc
│   │   ├── Indicator Removal
│   │   │   └── Indicator Removal (Methodology).ioc
│   │   ├── Obfuscated Files or Information
│   │   │   └── Obfuscated Powershell Command (Methodology).ioc
│   │   └── System Binary Proxy Execution
│   │       ├── Rundll32 execution load with DllRegisterServer (Methodology).ioc
│   │       └── Serpent Backdoor Payload Execution via Scheduled Task (Methodology).ioc
│   ├── Discovery
│   │   ├── Domain Trust Discovery
│   │   │   ├── AdFind (Utility).ioc
│   │   │   └── Domain Trust Discovery with nltest.exe (Methodology).ioc
│   │   ├── Group Policy Discovery
│   │   │   └── SharpView (Utility).ioc
│   │   ├── Network Service Discovery
│   │   │   └── Advanced IP Scanner (Utility).ioc
│   │   ├── Network Share Discovery
│   │   │   └── Network Share Discovery (Methodology).ioc
│   │   ├── System Information Discovery
│   │   │   └── Seatbelt (Utility).ioc
│   │   └── System Network Connections Discovery
│   │       └── Cl0p Ransomware Discovery Script (Utility).ioc
│   ├── Execution
│   │   ├── Command and Scripting Interpreter
│   │   │   ├── Powershell
│   │   │   │   ├── Powershell download cradle (Methodology).ioc
│   │   │   │   ├── Suspicious Download Cradle (Methodology).ioc
│   │   │   │   ├── Suspicious RC4 Decryption Function (Methodology).ioc
│   │   │   │   └── sharpsh (Utility).ioc
│   │   │   ├── Visual Basic
│   │   │   │   ├── VSDiagnostics used for proxying execution malicious binaries (Methodology).ioc
│   │   │   │   └── Windows Script Host launched by a Browser (Methodology).ioc
│   │   │   ├── WMI
│   │   │   │   ├── Execution of wmiexec script (Utility).ioc
│   │   │   │   ├── Impacket wmiexec script (Utility).ioc
│   │   │   │   ├── SharpWMI (Utility).ioc
│   │   │   │   ├── Suspicious WMI execution (Methodology).ioc
│   │   │   │   └── WMI suspicious process chain (Methodology).ioc
│   │   │   └── Windows Command Shell
│   │   │       ├── Service Control Manager spawning Command Shell with suspect strings (Methodology).ioc
│   │   │       ├── Suspicious .cmd execution from a non-system drive (Methodology).ioc
│   │   │       ├── Suspicious file transfer using xcopy (Methodology).ioc
│   │   │       ├── Windows Explorer spawning Command Shell with start and exit commands.ioc
│   │   │       ├── Windows scheduled task create shell (Methodology).ioc
│   │   │       └── cmd.exe executing a Windows shortcut (LNK) file (Methodology).ioc
│   │   ├── Malicious File
│   │   │   └── Office Application spawn suspicious process (Methodology).ioc
│   │   ├── Privilege Escalation
│   │   │   └── AdvancedRun (Utility).ioc
│   │   ├── Shared Modules
│   │   │   └── Suspicious DLL load from common malware directory (Methodology).ioc
│   │   └── Software Deployment Tools
│   │       └── Chocolatey (Utility).ioc
│   ├── Exfiltration
│   │   └── Exfiltration Over Web Service
│   │       └── FreeFileSync (Utility).ioc
│   ├── Inhibit System Recovery
│   │   └── Impact
│   │       └── WMI Shadow copy deletion (Methodology).ioc
│   ├── Lateral Movement
│   │   └── Remote Services
│   │       ├── File writes within Admin Shares (Methodology).ioc
│   │       ├── MoveScheduler (Utility).ioc
│   │       ├── Psexec script (Utility).ioc
│   │       ├── SCShell (Utility).ioc
│   │       ├── Sharp-SMBExec (Utility).ioc
│   │       ├── SharpRDP (Utility).ioc
│   │       ├── Smbexec script (Utility).ioc
│   │       └── atexec.py (Utility).ioc
│   ├── Persistence
│   │   ├── Boot or Logon Autostart Execution
│   │   │   └── Boot or Logon Autostart Execution Winlogon Helper DLL (Methodology).ioc
│   │   ├── Create or Modify System Service
│   │   │   └── Default Impacket service creation via registry keys (Utility).ioc
│   │   ├── Hijack Execution Flow
│   │   │   └── ServiceMove-BOF (Utility).ioc
│   │   └── Scheduled Task
│   │       ├── Scheduled Task creation using PowerShell cmdlets (Methodology).ioc
│   │       ├── Scheduled Task creation using Schedule.Service COM Object (Methodology).ioc
│   │       ├── Scheduled Task creation via Powershell (Methodology).ioc
│   │       ├── Scheduled tasks with suspicious network connections (Methodology).ioc
│   │       ├── Suspicious Windows Task Modification (Methodology).ioc
│   │       ├── Suspicious Windows Task Schedulers create command to execute other processes (Methodology).ioc
│   │       ├── Suspicious image load (taskschd.dll) by unusual process (Methodology).ioc
│   │       └── Suspicious image load of taskschd.dll by Office process (Methodology).ioc
│   ├── Privilege Escalation
│   │   └── SharpUp (Utility).ioc
│   ├── Reconnaissance
│   │   └── Gather Victim Network Information
│   │       └── Script files conducting reconnaissance (Methodology).ioc
│   ├── Remote System Discovery
│   │   └── WMI reconnaissance (Methodology).ioc
│   └── Resource Development
│       └── Obtain Capabilities
│           └── Tool
│               ├── SQLRecon (Utility).ioc
│               └── SharpMapExec (Utility).ioc
└── README.md

/LICENSE:
https://raw.githubusercontent.com/dfir-ronin/APT-OpenIOC-Detection-Rules/HEAD/LICENSE

/MITRE ATT&CK TTP HX OPENIOC RULES/Collection/Archive Collected Data/SharpHound (Utility).ioc:
https://raw.githubusercontent.com/dfir-ronin/APT-OpenIOC-Detection-Rules/HEAD/MITRE ATT&CK TTP HX OPENIOC RULES/Collection/Archive Collected Data/SharpHound (Utility).ioc

/MITRE ATT&CK TTP HX OPENIOC RULES/Command and Control/Application Layer Protocol/ThunderShell (Utility).ioc:
https://raw.githubusercontent.com/dfir-ronin/APT-OpenIOC-Detection-Rules/HEAD/MITRE ATT&CK TTP HX OPENIOC RULES/Command and Control/Application Layer Protocol/ThunderShell (Utility).ioc

/MITRE ATT&CK TTP HX OPENIOC RULES/Command and Control/Ingress Tool Transfer/BITSAdmin downloading suspicious binaries (Methodology).ioc:
https://raw.githubusercontent.com/dfir-ronin/APT-OpenIOC-Detection-Rules/HEAD/MITRE ATT&CK TTP HX OPENIOC RULES/Command and Control/Ingress Tool Transfer/BITSAdmin downloading suspicious binaries (Methodology).ioc

/MITRE ATT&CK TTP HX OPENIOC RULES/Command and Control/Ingress Tool Transfer/CertUtil downloading suspicious binaries (Methodology).ioc:
https://raw.githubusercontent.com/dfir-ronin/APT-OpenIOC-Detection-Rules/HEAD/MITRE ATT&CK TTP HX OPENIOC RULES/Command and Control/Ingress Tool Transfer/CertUtil downloading suspicious binaries (Methodology).ioc

/MITRE ATT&CK TTP HX OPENIOC RULES/Command and Control/Protocol Tunneling/Ligolo (Utility).ioc:
https://raw.githubusercontent.com/dfir-ronin/APT-OpenIOC-Detection-Rules/HEAD/MITRE ATT&CK TTP HX OPENIOC RULES/Command and Control/Protocol Tunneling/Ligolo (Utility).ioc

/MITRE ATT&CK TTP HX OPENIOC RULES/Command and Control/Proxy/PortProxy (Utility).ioc:
https://raw.githubusercontent.com/dfir-ronin/APT-OpenIOC-Detection-Rules/HEAD/MITRE ATT&CK TTP HX OPENIOC RULES/Command and Control/Proxy/PortProxy (Utility).ioc

/MITRE ATT&CK TTP HX OPENIOC RULES/Command and Control/Remote Access Software/Ammyy Admin (Utility).ioc:
https://raw.githubusercontent.com/dfir-ronin/APT-OpenIOC-Detection-Rules/HEAD/MITRE ATT&CK TTP HX OPENIOC RULES/Command and Control/Remote Access Software/Ammyy Admin (Utility).ioc

/MITRE ATT&CK TTP HX OPENIOC RULES/Command and Control/Remote Access Software/Anydesk (Utility).ioc:
https://raw.githubusercontent.com/dfir-ronin/APT-OpenIOC-Detection-Rules/HEAD/MITRE ATT&CK TTP HX OPENIOC RULES/Command and Control/Remote Access Software/Anydesk (Utility).ioc

/MITRE ATT&CK TTP HX OPENIOC RULES/Command and Control/Remote Access Software/Atera (Utility).ioc:
https://raw.githubusercontent.com/dfir-ronin/APT-OpenIOC-Detection-Rules/HEAD/MITRE ATT&CK TTP HX OPENIOC RULES/Command and Control/Remote Access Software/Atera (Utility).ioc

/MITRE ATT&CK TTP HX OPENIOC RULES/Command and Control/Remote Access Software/GoToAssist (Utility).ioc:
https://raw.githubusercontent.com/dfir-ronin/APT-OpenIOC-Detection-Rules/HEAD/MITRE ATT&CK TTP HX OPENIOC RULES/Command and Control/Remote Access Software/GoToAssist (Utility).ioc

/MITRE ATT&CK TTP HX OPENIOC RULES/Command and Control/Remote Access Software/LogMeIn (Utility).ioc:
https://raw.githubusercontent.com/dfir-ronin/APT-OpenIOC-Detection-Rules/HEAD/MITRE ATT&CK TTP HX OPENIOC RULES/Command and Control/Remote Access Software/LogMeIn (Utility).ioc

/MITRE ATT&CK TTP HX OPENIOC RULES/Command and Control/Remote Access Software/ScreenConnect (Utility).ioc:
https://raw.githubusercontent.com/dfir-ronin/APT-OpenIOC-Detection-Rules/HEAD/MITRE ATT&CK TTP HX OPENIOC RULES/Command and Control/Remote Access Software/ScreenConnect (Utility).ioc

/MITRE ATT&CK TTP HX OPENIOC RULES/Command and Control/Remote Access Software/Splashtop (Utility).ioc:
https://raw.githubusercontent.com/dfir-ronin/APT-OpenIOC-Detection-Rules/HEAD/MITRE ATT&CK TTP HX OPENIOC RULES/Command and Control/Remote Access Software/Splashtop (Utility).ioc

/MITRE ATT&CK TTP HX OPENIOC RULES/Command and Control/Remote Access Software/TeamViewer (Utility).ioc:
https://raw.githubusercontent.com/dfir-ronin/APT-OpenIOC-Detection-Rules/HEAD/MITRE ATT&CK TTP HX OPENIOC RULES/Command and Control/Remote Access Software/TeamViewer (Utility).ioc

/MITRE ATT&CK TTP HX OPENIOC RULES/Command and Control/Remote Access Software/VNC (Utility).ioc:
https://raw.githubusercontent.com/dfir-ronin/APT-OpenIOC-Detection-Rules/HEAD/MITRE ATT&CK TTP HX OPENIOC RULES/Command and Control/Remote Access Software/VNC (Utility).ioc

/MITRE ATT&CK TTP HX OPENIOC RULES/Command and Control/Remote Access Software/VNC module backdoor (Utility).ioc:
https://raw.githubusercontent.com/dfir-ronin/APT-OpenIOC-Detection-Rules/HEAD/MITRE ATT&CK TTP HX OPENIOC RULES/Command and Control/Remote Access Software/VNC module backdoor (Utility).ioc

/MITRE ATT&CK TTP HX OPENIOC RULES/Credential Access/Credentials From Password Stores/LaZagne (Utility).ioc:
https://raw.githubusercontent.com/dfir-ronin/APT-OpenIOC-Detection-Rules/HEAD/MITRE ATT&CK TTP HX OPENIOC RULES/Credential Access/Credentials From Password Stores/LaZagne (Utility).ioc

/MITRE ATT&CK TTP HX OPENIOC RULES/Credential Access/Credentials From Password Stores/azbelt (Utility).ioc:
https://raw.githubusercontent.com/dfir-ronin/APT-OpenIOC-Detection-Rules/HEAD/MITRE ATT&CK TTP HX OPENIOC RULES/Credential Access/Credentials From Password Stores/azbelt (Utility).ioc

/MITRE ATT&CK TTP HX OPENIOC RULES/Credential Access/OS Credential Dumping/DSInternals (Utility).ioc:
https://raw.githubusercontent.com/dfir-ronin/APT-OpenIOC-Detection-Rules/HEAD/MITRE ATT&CK TTP HX OPENIOC RULES/Credential Access/OS Credential Dumping/DSInternals (Utility).ioc

/MITRE ATT&CK TTP HX OPENIOC RULES/Credential Access/OS Credential Dumping/ExtPassword (Utility).ioc:
https://raw.githubusercontent.com/dfir-ronin/APT-OpenIOC-Detection-Rules/HEAD/MITRE ATT&CK TTP HX OPENIOC RULES/Credential Access/OS Credential Dumping/ExtPassword (Utility).ioc

/MITRE ATT&CK TTP HX OPENIOC RULES/Credential Access/OS Credential Dumping/Fgdump (Utility).ioc:
https://raw.githubusercontent.com/dfir-ronin/APT-OpenIOC-Detection-Rules/HEAD/MITRE ATT&CK TTP HX OPENIOC RULES/Credential Access/OS Credential Dumping/Fgdump (Utility).ioc

/MITRE ATT&CK TTP HX OPENIOC RULES/Credential Access/OS Credential Dumping/Potential Credential dumping from Password Stores (Methodology).ioc:
https://raw.githubusercontent.com/dfir-ronin/APT-OpenIOC-Detection-Rules/HEAD/MITRE ATT&CK TTP HX OPENIOC RULES/Credential Access/OS Credential Dumping/Potential Credential dumping from Password Stores (Methodology).ioc

/MITRE ATT&CK TTP HX OPENIOC RULES/Credential Access/OS Credential Dumping/PowerSploit's Invoke-NinjaCopy (Utility).ioc:
https://raw.githubusercontent.com/dfir-ronin/APT-OpenIOC-Detection-Rules/HEAD/MITRE ATT&CK TTP HX OPENIOC RULES/Credential Access/OS Credential Dumping/PowerSploit's Invoke-NinjaCopy (Utility).ioc

/MITRE ATT&CK TTP HX OPENIOC RULES/Credential Access/OS Credential Dumping/Secretsdump.py (Utility).ioc:
https://raw.githubusercontent.com/dfir-ronin/APT-OpenIOC-Detection-Rules/HEAD/MITRE ATT&CK TTP HX OPENIOC RULES/Credential Access/OS Credential Dumping/Secretsdump.py (Utility).ioc

/MITRE ATT&CK TTP HX OPENIOC RULES/Credential Access/OS Credential Dumping/SharpDPAPI (Utility).ioc:
https://raw.githubusercontent.com/dfir-ronin/APT-OpenIOC-Detection-Rules/HEAD/MITRE ATT&CK TTP HX OPENIOC RULES/Credential Access/OS Credential Dumping/SharpDPAPI (Utility).ioc

/MITRE ATT&CK TTP HX OPENIOC RULES/Credential Access/OS Credential Dumping/SharpLAPS (Utility).ioc:
https://raw.githubusercontent.com/dfir-ronin/APT-OpenIOC-Detection-Rules/HEAD/MITRE ATT&CK TTP HX OPENIOC RULES/Credential Access/OS Credential Dumping/SharpLAPS (Utility).ioc

/MITRE ATT&CK TTP HX OPENIOC RULES/Credential Access/OS Credential Dumping/SharpSecDump (Utility).ioc:
https://raw.githubusercontent.com/dfir-ronin/APT-OpenIOC-Detection-Rules/HEAD/MITRE ATT&CK TTP HX OPENIOC RULES/Credential Access/OS Credential Dumping/SharpSecDump (Utility).ioc

/MITRE ATT&CK TTP HX OPENIOC RULES/Credential Access/OS Credential Dumping/Suspicious access to Ntds.dit Active Directory database (Methodology).ioc:
https://raw.githubusercontent.com/dfir-ronin/APT-OpenIOC-Detection-Rules/HEAD/MITRE ATT&CK TTP HX OPENIOC RULES/Credential Access/OS Credential Dumping/Suspicious access to Ntds.dit Active Directory database (Methodology).ioc

/MITRE ATT&CK TTP HX OPENIOC RULES/Credential Access/OS Credential Dumping/Suspicious process dump using comsvcs.dll (Methodology).ioc:
https://raw.githubusercontent.com/dfir-ronin/APT-OpenIOC-Detection-Rules/HEAD/MITRE ATT&CK TTP HX OPENIOC RULES/Credential Access/OS Credential Dumping/Suspicious process dump using comsvcs.dll (Methodology).ioc

/MITRE ATT&CK TTP HX OPENIOC RULES/Credential Access/Steal or Forge Authentication Certificates/Certify (Utility).ioc:
https://raw.githubusercontent.com/dfir-ronin/APT-OpenIOC-Detection-Rules/HEAD/MITRE ATT&CK TTP HX OPENIOC RULES/Credential Access/Steal or Forge Authentication Certificates/Certify (Utility).ioc

/MITRE ATT&CK TTP HX OPENIOC RULES/Defense Evasion/Command Obfuscation/Suspicious Execution of mshta.exe.ioc:
https://raw.githubusercontent.com/dfir-ronin/APT-OpenIOC-Detection-Rules/HEAD/MITRE ATT&CK TTP HX OPENIOC RULES/Defense Evasion/Command Obfuscation/Suspicious Execution of mshta.exe.ioc

/MITRE ATT&CK TTP HX OPENIOC RULES/Defense Evasion/Command Obfuscation/Suspicious Powershell Command Obfuscation (Methodology).ioc:
https://raw.githubusercontent.com/dfir-ronin/APT-OpenIOC-Detection-Rules/HEAD/MITRE ATT&CK TTP HX OPENIOC RULES/Defense Evasion/Command Obfuscation/Suspicious Powershell Command Obfuscation (Methodology).ioc

/MITRE ATT&CK TTP HX OPENIOC RULES/Defense Evasion/Impair Defenses/Disable or Modify Tools/Backstab (Utility).ioc:
https://raw.githubusercontent.com/dfir-ronin/APT-OpenIOC-Detection-Rules/HEAD/MITRE ATT&CK TTP HX OPENIOC RULES/Defense Evasion/Impair Defenses/Disable or Modify Tools/Backstab (Utility).ioc

/MITRE ATT&CK TTP HX OPENIOC RULES/Defense Evasion/Impair Defenses/Disable or Modify Tools/PCHunter (Utility).ioc:
https://raw.githubusercontent.com/dfir-ronin/APT-OpenIOC-Detection-Rules/HEAD/MITRE ATT&CK TTP HX OPENIOC RULES/Defense Evasion/Impair Defenses/Disable or Modify Tools/PCHunter (Utility).ioc

/MITRE ATT&CK TTP HX OPENIOC RULES/Defense Evasion/Impair Defenses/Disable or Modify Tools/PowerTool (Utility).ioc:
https://raw.githubusercontent.com/dfir-ronin/APT-OpenIOC-Detection-Rules/HEAD/MITRE ATT&CK TTP HX OPENIOC RULES/Defense Evasion/Impair Defenses/Disable or Modify Tools/PowerTool (Utility).ioc

/MITRE ATT&CK TTP HX OPENIOC RULES/Defense Evasion/Impair Defenses/Disable or Modify Tools/TDSSKiller (Utility).ioc:
https://raw.githubusercontent.com/dfir-ronin/APT-OpenIOC-Detection-Rules/HEAD/MITRE ATT&CK TTP HX OPENIOC RULES/Defense Evasion/Impair Defenses/Disable or Modify Tools/TDSSKiller (Utility).ioc

/MITRE ATT&CK TTP HX OPENIOC RULES/Defense Evasion/Indicator Removal/Indicator Removal (Methodology).ioc:
https://raw.githubusercontent.com/dfir-ronin/APT-OpenIOC-Detection-Rules/HEAD/MITRE ATT&CK TTP HX OPENIOC RULES/Defense Evasion/Indicator Removal/Indicator Removal (Methodology).ioc

/MITRE ATT&CK TTP HX OPENIOC RULES/Defense Evasion/Obfuscated Files or Information/Obfuscated Powershell Command (Methodology).ioc:
https://raw.githubusercontent.com/dfir-ronin/APT-OpenIOC-Detection-Rules/HEAD/MITRE ATT&CK TTP HX OPENIOC RULES/Defense Evasion/Obfuscated Files or Information/Obfuscated Powershell Command (Methodology).ioc

/MITRE ATT&CK TTP HX OPENIOC RULES/Defense Evasion/System Binary Proxy Execution/Rundll32 execution load with DllRegisterServer (Methodology).ioc:
https://raw.githubusercontent.com/dfir-ronin/APT-OpenIOC-Detection-Rules/HEAD/MITRE ATT&CK TTP HX OPENIOC RULES/Defense Evasion/System Binary Proxy Execution/Rundll32 execution load with DllRegisterServer (Methodology).ioc

/MITRE ATT&CK TTP HX OPENIOC RULES/Defense Evasion/System Binary Proxy Execution/Serpent Backdoor Payload Execution via Scheduled Task (Methodology).ioc:
https://raw.githubusercontent.com/dfir-ronin/APT-OpenIOC-Detection-Rules/HEAD/MITRE ATT&CK TTP HX OPENIOC RULES/Defense Evasion/System Binary Proxy Execution/Serpent Backdoor Payload Execution via Scheduled Task (Methodology).ioc

/MITRE ATT&CK TTP HX OPENIOC RULES/Discovery/Domain Trust Discovery/AdFind (Utility).ioc:
https://raw.githubusercontent.com/dfir-ronin/APT-OpenIOC-Detection-Rules/HEAD/MITRE ATT&CK TTP HX OPENIOC RULES/Discovery/Domain Trust Discovery/AdFind (Utility).ioc

/MITRE ATT&CK TTP HX OPENIOC RULES/Discovery/Domain Trust Discovery/Domain Trust Discovery with nltest.exe (Methodology).ioc:
https://raw.githubusercontent.com/dfir-ronin/APT-OpenIOC-Detection-Rules/HEAD/MITRE ATT&CK TTP HX OPENIOC RULES/Discovery/Domain Trust Discovery/Domain Trust Discovery with nltest.exe (Methodology).ioc

/MITRE ATT&CK TTP HX OPENIOC RULES/Discovery/Group Policy Discovery/SharpView (Utility).ioc:
https://raw.githubusercontent.com/dfir-ronin/APT-OpenIOC-Detection-Rules/HEAD/MITRE ATT&CK TTP HX OPENIOC RULES/Discovery/Group Policy Discovery/SharpView (Utility).ioc

/MITRE ATT&CK TTP HX OPENIOC RULES/Discovery/Network Service Discovery/Advanced IP Scanner (Utility).ioc:
https://raw.githubusercontent.com/dfir-ronin/APT-OpenIOC-Detection-Rules/HEAD/MITRE ATT&CK TTP HX OPENIOC RULES/Discovery/Network Service Discovery/Advanced IP Scanner (Utility).ioc

/MITRE ATT&CK TTP HX OPENIOC RULES/Discovery/Network Share Discovery/Network Share Discovery (Methodology).ioc:
https://raw.githubusercontent.com/dfir-ronin/APT-OpenIOC-Detection-Rules/HEAD/MITRE ATT&CK TTP HX OPENIOC RULES/Discovery/Network Share Discovery/Network Share Discovery (Methodology).ioc

/MITRE ATT&CK TTP HX OPENIOC RULES/Discovery/System Information Discovery/Seatbelt (Utility).ioc:
https://raw.githubusercontent.com/dfir-ronin/APT-OpenIOC-Detection-Rules/HEAD/MITRE ATT&CK TTP HX OPENIOC RULES/Discovery/System Information Discovery/Seatbelt (Utility).ioc

/MITRE ATT&CK TTP HX OPENIOC RULES/Discovery/System Network Connections Discovery/Cl0p Ransomware Discovery Script (Utility).ioc:
https://raw.githubusercontent.com/dfir-ronin/APT-OpenIOC-Detection-Rules/HEAD/MITRE ATT&CK TTP HX OPENIOC RULES/Discovery/System Network Connections Discovery/Cl0p Ransomware Discovery Script (Utility).ioc

/MITRE ATT&CK TTP HX OPENIOC RULES/Execution/Command and Scripting Interpreter/Powershell/Powershell download cradle (Methodology).ioc:
https://raw.githubusercontent.com/dfir-ronin/APT-OpenIOC-Detection-Rules/HEAD/MITRE ATT&CK TTP HX OPENIOC RULES/Execution/Command and Scripting Interpreter/Powershell/Powershell download cradle (Methodology).ioc

/MITRE ATT&CK TTP HX OPENIOC RULES/Execution/Command and Scripting Interpreter/Powershell/Suspicious Download Cradle (Methodology).ioc:
https://raw.githubusercontent.com/dfir-ronin/APT-OpenIOC-Detection-Rules/HEAD/MITRE ATT&CK TTP HX OPENIOC RULES/Execution/Command and Scripting Interpreter/Powershell/Suspicious Download Cradle (Methodology).ioc

/MITRE ATT&CK TTP HX OPENIOC RULES/Execution/Command and Scripting Interpreter/Powershell/Suspicious RC4 Decryption Function (Methodology).ioc:
https://raw.githubusercontent.com/dfir-ronin/APT-OpenIOC-Detection-Rules/HEAD/MITRE ATT&CK TTP HX OPENIOC RULES/Execution/Command and Scripting Interpreter/Powershell/Suspicious RC4 Decryption Function (Methodology).ioc

/MITRE ATT&CK TTP HX OPENIOC RULES/Execution/Command and Scripting Interpreter/Powershell/sharpsh (Utility).ioc:
https://raw.githubusercontent.com/dfir-ronin/APT-OpenIOC-Detection-Rules/HEAD/MITRE ATT&CK TTP HX OPENIOC RULES/Execution/Command and Scripting Interpreter/Powershell/sharpsh (Utility).ioc

/MITRE ATT&CK TTP HX OPENIOC RULES/Execution/Command and Scripting Interpreter/Visual Basic/VSDiagnostics used for proxying execution malicious binaries (Methodology).ioc:
https://raw.githubusercontent.com/dfir-ronin/APT-OpenIOC-Detection-Rules/HEAD/MITRE ATT&CK TTP HX OPENIOC RULES/Execution/Command and Scripting Interpreter/Visual Basic/VSDiagnostics used for proxying execution malicious binaries (Methodology).ioc

/MITRE ATT&CK TTP HX OPENIOC RULES/Execution/Command and Scripting Interpreter/Visual Basic/Windows Script Host launched by a Browser (Methodology).ioc:
https://raw.githubusercontent.com/dfir-ronin/APT-OpenIOC-Detection-Rules/HEAD/MITRE ATT&CK TTP HX OPENIOC RULES/Execution/Command and Scripting Interpreter/Visual Basic/Windows Script Host launched by a Browser (Methodology).ioc

/MITRE ATT&CK TTP HX OPENIOC RULES/Execution/Command and Scripting Interpreter/WMI/Execution of wmiexec script (Utility).ioc:
https://raw.githubusercontent.com/dfir-ronin/APT-OpenIOC-Detection-Rules/HEAD/MITRE ATT&CK TTP HX OPENIOC RULES/Execution/Command and Scripting Interpreter/WMI/Execution of wmiexec script (Utility).ioc

/MITRE ATT&CK TTP HX OPENIOC RULES/Execution/Command and Scripting Interpreter/WMI/Impacket wmiexec script (Utility).ioc:
https://raw.githubusercontent.com/dfir-ronin/APT-OpenIOC-Detection-Rules/HEAD/MITRE ATT&CK TTP HX OPENIOC RULES/Execution/Command and Scripting Interpreter/WMI/Impacket wmiexec script (Utility).ioc

/MITRE ATT&CK TTP HX OPENIOC RULES/Execution/Command and Scripting Interpreter/WMI/SharpWMI (Utility).ioc:
https://raw.githubusercontent.com/dfir-ronin/APT-OpenIOC-Detection-Rules/HEAD/MITRE ATT&CK TTP HX OPENIOC RULES/Execution/Command and Scripting Interpreter/WMI/SharpWMI (Utility).ioc

/MITRE ATT&CK TTP HX OPENIOC RULES/Execution/Command and Scripting Interpreter/WMI/Suspicious WMI execution (Methodology).ioc:
https://raw.githubusercontent.com/dfir-ronin/APT-OpenIOC-Detection-Rules/HEAD/MITRE ATT&CK TTP HX OPENIOC RULES/Execution/Command and Scripting Interpreter/WMI/Suspicious WMI execution (Methodology).ioc

/MITRE ATT&CK TTP HX OPENIOC RULES/Execution/Command and Scripting Interpreter/WMI/WMI suspicious process chain (Methodology).ioc:
https://raw.githubusercontent.com/dfir-ronin/APT-OpenIOC-Detection-Rules/HEAD/MITRE ATT&CK TTP HX OPENIOC RULES/Execution/Command and Scripting Interpreter/WMI/WMI suspicious process chain (Methodology).ioc

/MITRE ATT&CK TTP HX OPENIOC RULES/Execution/Command and Scripting Interpreter/Windows Command Shell/Service Control Manager spawning Command Shell with suspect strings (Methodology).ioc:
https://raw.githubusercontent.com/dfir-ronin/APT-OpenIOC-Detection-Rules/HEAD/MITRE ATT&CK TTP HX OPENIOC RULES/Execution/Command and Scripting Interpreter/Windows Command Shell/Service Control Manager spawning Command Shell with suspect strings (Methodology).ioc

/MITRE ATT&CK TTP HX OPENIOC RULES/Execution/Command and Scripting Interpreter/Windows Command Shell/Suspicious .cmd execution from a non-system drive (Methodology).ioc:
https://raw.githubusercontent.com/dfir-ronin/APT-OpenIOC-Detection-Rules/HEAD/MITRE ATT&CK TTP HX OPENIOC RULES/Execution/Command and Scripting Interpreter/Windows Command Shell/Suspicious .cmd execution from a non-system drive (Methodology).ioc

/MITRE ATT&CK TTP HX OPENIOC RULES/Execution/Command and Scripting Interpreter/Windows Command Shell/Suspicious file transfer using xcopy (Methodology).ioc:
https://raw.githubusercontent.com/dfir-ronin/APT-OpenIOC-Detection-Rules/HEAD/MITRE ATT&CK TTP HX OPENIOC RULES/Execution/Command and Scripting Interpreter/Windows Command Shell/Suspicious file transfer using xcopy (Methodology).ioc

/MITRE ATT&CK TTP HX OPENIOC RULES/Execution/Command and Scripting Interpreter/Windows Command Shell/Windows Explorer spawning Command Shell with start and exit commands.ioc:
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/dfir-ronin/APT-OpenIOC-Detection-Rules/HEAD/MITRE ATT&CK TTP HX OPENIOC RULES/Execution/Command and Scripting Interpreter/Windows Command Shell/Windows Explorer spawning Command Shell with start and exit commands.ioc -------------------------------------------------------------------------------- /MITRE ATT&CK TTP HX OPENIOC RULES/Execution/Command and Scripting Interpreter/Windows Command Shell/Windows scheduled task create shell (Methodology).ioc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/dfir-ronin/APT-OpenIOC-Detection-Rules/HEAD/MITRE ATT&CK TTP HX OPENIOC RULES/Execution/Command and Scripting Interpreter/Windows Command Shell/Windows scheduled task create shell (Methodology).ioc -------------------------------------------------------------------------------- /MITRE ATT&CK TTP HX OPENIOC RULES/Execution/Command and Scripting Interpreter/Windows Command Shell/cmd.exe executing a Windows shortcut (LNK) file (Methodology).ioc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/dfir-ronin/APT-OpenIOC-Detection-Rules/HEAD/MITRE ATT&CK TTP HX OPENIOC RULES/Execution/Command and Scripting Interpreter/Windows Command Shell/cmd.exe executing a Windows shortcut (LNK) file (Methodology).ioc -------------------------------------------------------------------------------- /MITRE ATT&CK TTP HX OPENIOC RULES/Execution/Malicious File/Office Application spawn suspicious process (Methodology).ioc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/dfir-ronin/APT-OpenIOC-Detection-Rules/HEAD/MITRE ATT&CK TTP HX OPENIOC RULES/Execution/Malicious File/Office Application spawn suspicious process (Methodology).ioc 
-------------------------------------------------------------------------------- /MITRE ATT&CK TTP HX OPENIOC RULES/Execution/Privilege Escalation/AdvancedRun (Utility).ioc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/dfir-ronin/APT-OpenIOC-Detection-Rules/HEAD/MITRE ATT&CK TTP HX OPENIOC RULES/Execution/Privilege Escalation/AdvancedRun (Utility).ioc -------------------------------------------------------------------------------- /MITRE ATT&CK TTP HX OPENIOC RULES/Execution/Shared Modules/Suspicious DLL load from common malware directory (Methodology).ioc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/dfir-ronin/APT-OpenIOC-Detection-Rules/HEAD/MITRE ATT&CK TTP HX OPENIOC RULES/Execution/Shared Modules/Suspicious DLL load from common malware directory (Methodology).ioc -------------------------------------------------------------------------------- /MITRE ATT&CK TTP HX OPENIOC RULES/Execution/Software Deployment Tools/Chocolatey (Utility).ioc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/dfir-ronin/APT-OpenIOC-Detection-Rules/HEAD/MITRE ATT&CK TTP HX OPENIOC RULES/Execution/Software Deployment Tools/Chocolatey (Utility).ioc -------------------------------------------------------------------------------- /MITRE ATT&CK TTP HX OPENIOC RULES/Exfiltration/Exfiltration Over Web Service/FreeFileSync (Utility).ioc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/dfir-ronin/APT-OpenIOC-Detection-Rules/HEAD/MITRE ATT&CK TTP HX OPENIOC RULES/Exfiltration/Exfiltration Over Web Service/FreeFileSync (Utility).ioc -------------------------------------------------------------------------------- /MITRE ATT&CK TTP HX OPENIOC RULES/Inhibit System Recovery/Impact/WMI Shadow copy deletion (Methodology).ioc: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/dfir-ronin/APT-OpenIOC-Detection-Rules/HEAD/MITRE ATT&CK TTP HX OPENIOC RULES/Inhibit System Recovery/Impact/WMI Shadow copy deletion (Methodology).ioc -------------------------------------------------------------------------------- /MITRE ATT&CK TTP HX OPENIOC RULES/Lateral Movement/Remote Services/File writes within Admin Shares (Methodology).ioc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/dfir-ronin/APT-OpenIOC-Detection-Rules/HEAD/MITRE ATT&CK TTP HX OPENIOC RULES/Lateral Movement/Remote Services/File writes within Admin Shares (Methodology).ioc -------------------------------------------------------------------------------- /MITRE ATT&CK TTP HX OPENIOC RULES/Lateral Movement/Remote Services/MoveScheduler (Utility).ioc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/dfir-ronin/APT-OpenIOC-Detection-Rules/HEAD/MITRE ATT&CK TTP HX OPENIOC RULES/Lateral Movement/Remote Services/MoveScheduler (Utility).ioc -------------------------------------------------------------------------------- /MITRE ATT&CK TTP HX OPENIOC RULES/Lateral Movement/Remote Services/Psexec script (Utility).ioc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/dfir-ronin/APT-OpenIOC-Detection-Rules/HEAD/MITRE ATT&CK TTP HX OPENIOC RULES/Lateral Movement/Remote Services/Psexec script (Utility).ioc -------------------------------------------------------------------------------- /MITRE ATT&CK TTP HX OPENIOC RULES/Lateral Movement/Remote Services/SCShell (Utility).ioc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/dfir-ronin/APT-OpenIOC-Detection-Rules/HEAD/MITRE ATT&CK TTP HX OPENIOC RULES/Lateral Movement/Remote 
Services/SCShell (Utility).ioc -------------------------------------------------------------------------------- /MITRE ATT&CK TTP HX OPENIOC RULES/Lateral Movement/Remote Services/Sharp-SMBExec (Utility).ioc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/dfir-ronin/APT-OpenIOC-Detection-Rules/HEAD/MITRE ATT&CK TTP HX OPENIOC RULES/Lateral Movement/Remote Services/Sharp-SMBExec (Utility).ioc -------------------------------------------------------------------------------- /MITRE ATT&CK TTP HX OPENIOC RULES/Lateral Movement/Remote Services/SharpRDP (Utility).ioc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/dfir-ronin/APT-OpenIOC-Detection-Rules/HEAD/MITRE ATT&CK TTP HX OPENIOC RULES/Lateral Movement/Remote Services/SharpRDP (Utility).ioc -------------------------------------------------------------------------------- /MITRE ATT&CK TTP HX OPENIOC RULES/Lateral Movement/Remote Services/Smbexec script (Utility).ioc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/dfir-ronin/APT-OpenIOC-Detection-Rules/HEAD/MITRE ATT&CK TTP HX OPENIOC RULES/Lateral Movement/Remote Services/Smbexec script (Utility).ioc -------------------------------------------------------------------------------- /MITRE ATT&CK TTP HX OPENIOC RULES/Lateral Movement/Remote Services/atexec.py (Utility).ioc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/dfir-ronin/APT-OpenIOC-Detection-Rules/HEAD/MITRE ATT&CK TTP HX OPENIOC RULES/Lateral Movement/Remote Services/atexec.py (Utility).ioc -------------------------------------------------------------------------------- /MITRE ATT&CK TTP HX OPENIOC RULES/Persistence/Boot or Logon Autostart Execution/Boot or Logon Autostart Execution Winlogon Helper DLL (Methodology).ioc: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/dfir-ronin/APT-OpenIOC-Detection-Rules/HEAD/MITRE ATT&CK TTP HX OPENIOC RULES/Persistence/Boot or Logon Autostart Execution/Boot or Logon Autostart Execution Winlogon Helper DLL (Methodology).ioc -------------------------------------------------------------------------------- /MITRE ATT&CK TTP HX OPENIOC RULES/Persistence/Create or Modify System Service/Default Impacket service creation via registry keys (Utility).ioc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/dfir-ronin/APT-OpenIOC-Detection-Rules/HEAD/MITRE ATT&CK TTP HX OPENIOC RULES/Persistence/Create or Modify System Service/Default Impacket service creation via registry keys (Utility).ioc -------------------------------------------------------------------------------- /MITRE ATT&CK TTP HX OPENIOC RULES/Persistence/Hijack Execution Flow/ServiceMove-BOF (Utility).ioc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/dfir-ronin/APT-OpenIOC-Detection-Rules/HEAD/MITRE ATT&CK TTP HX OPENIOC RULES/Persistence/Hijack Execution Flow/ServiceMove-BOF (Utility).ioc -------------------------------------------------------------------------------- /MITRE ATT&CK TTP HX OPENIOC RULES/Persistence/Scheduled Task/Scheduled Task creation using PowerShell cmdlets (Methodology).ioc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/dfir-ronin/APT-OpenIOC-Detection-Rules/HEAD/MITRE ATT&CK TTP HX OPENIOC RULES/Persistence/Scheduled Task/Scheduled Task creation using PowerShell cmdlets (Methodology).ioc -------------------------------------------------------------------------------- /MITRE ATT&CK TTP HX OPENIOC RULES/Persistence/Scheduled Task/Scheduled Task creation using Schedule.Service COM Object (Methodology).ioc: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/dfir-ronin/APT-OpenIOC-Detection-Rules/HEAD/MITRE ATT&CK TTP HX OPENIOC RULES/Persistence/Scheduled Task/Scheduled Task creation using Schedule.Service COM Object (Methodology).ioc -------------------------------------------------------------------------------- /MITRE ATT&CK TTP HX OPENIOC RULES/Persistence/Scheduled Task/Scheduled Task creation via Powershell (Methodology).ioc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/dfir-ronin/APT-OpenIOC-Detection-Rules/HEAD/MITRE ATT&CK TTP HX OPENIOC RULES/Persistence/Scheduled Task/Scheduled Task creation via Powershell (Methodology).ioc -------------------------------------------------------------------------------- /MITRE ATT&CK TTP HX OPENIOC RULES/Persistence/Scheduled Task/Scheduled tasks with suspicious network connections (Methodology).ioc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/dfir-ronin/APT-OpenIOC-Detection-Rules/HEAD/MITRE ATT&CK TTP HX OPENIOC RULES/Persistence/Scheduled Task/Scheduled tasks with suspicious network connections (Methodology).ioc -------------------------------------------------------------------------------- /MITRE ATT&CK TTP HX OPENIOC RULES/Persistence/Scheduled Task/Suspicious Windows Task Modification (Methodology).ioc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/dfir-ronin/APT-OpenIOC-Detection-Rules/HEAD/MITRE ATT&CK TTP HX OPENIOC RULES/Persistence/Scheduled Task/Suspicious Windows Task Modification (Methodology).ioc -------------------------------------------------------------------------------- /MITRE ATT&CK TTP HX OPENIOC RULES/Persistence/Scheduled Task/Suspicious Windows Task Schedulers create command to execute other processes (Methodology).ioc: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/dfir-ronin/APT-OpenIOC-Detection-Rules/HEAD/MITRE ATT&CK TTP HX OPENIOC RULES/Persistence/Scheduled Task/Suspicious Windows Task Schedulers create command to execute other processes (Methodology).ioc -------------------------------------------------------------------------------- /MITRE ATT&CK TTP HX OPENIOC RULES/Persistence/Scheduled Task/Suspicious image load (taskschd.dll) by unusual process (Methodology).ioc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/dfir-ronin/APT-OpenIOC-Detection-Rules/HEAD/MITRE ATT&CK TTP HX OPENIOC RULES/Persistence/Scheduled Task/Suspicious image load (taskschd.dll) by unusual process (Methodology).ioc -------------------------------------------------------------------------------- /MITRE ATT&CK TTP HX OPENIOC RULES/Persistence/Scheduled Task/Suspicious image load of taskschd.dll by Office process (Methodology).ioc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/dfir-ronin/APT-OpenIOC-Detection-Rules/HEAD/MITRE ATT&CK TTP HX OPENIOC RULES/Persistence/Scheduled Task/Suspicious image load of taskschd.dll by Office process (Methodology).ioc -------------------------------------------------------------------------------- /MITRE ATT&CK TTP HX OPENIOC RULES/Privilege Escalation/SharpUp (Utility).ioc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/dfir-ronin/APT-OpenIOC-Detection-Rules/HEAD/MITRE ATT&CK TTP HX OPENIOC RULES/Privilege Escalation/SharpUp (Utility).ioc -------------------------------------------------------------------------------- /MITRE ATT&CK TTP HX OPENIOC RULES/Reconnaissance/Gather Victim Network Information/Script files conducting reconnaissance (Methodology).ioc: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/dfir-ronin/APT-OpenIOC-Detection-Rules/HEAD/MITRE ATT&CK TTP HX OPENIOC RULES/Reconnaissance/Gather Victim Network Information/Script files conducting reconnaissance (Methodology).ioc -------------------------------------------------------------------------------- /MITRE ATT&CK TTP HX OPENIOC RULES/Remote System Discovery/WMI reconnaissance (Methodology).ioc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/dfir-ronin/APT-OpenIOC-Detection-Rules/HEAD/MITRE ATT&CK TTP HX OPENIOC RULES/Remote System Discovery/WMI reconnaissance (Methodology).ioc -------------------------------------------------------------------------------- /MITRE ATT&CK TTP HX OPENIOC RULES/Resource Development/Obtain Capabilities/Tool/SQLRecon (Utility).ioc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/dfir-ronin/APT-OpenIOC-Detection-Rules/HEAD/MITRE ATT&CK TTP HX OPENIOC RULES/Resource Development/Obtain Capabilities/Tool/SQLRecon (Utility).ioc -------------------------------------------------------------------------------- /MITRE ATT&CK TTP HX OPENIOC RULES/Resource Development/Obtain Capabilities/Tool/SharpMapExec (Utility).ioc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/dfir-ronin/APT-OpenIOC-Detection-Rules/HEAD/MITRE ATT&CK TTP HX OPENIOC RULES/Resource Development/Obtain Capabilities/Tool/SharpMapExec (Utility).ioc -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/dfir-ronin/APT-OpenIOC-Detection-Rules/HEAD/README.md --------------------------------------------------------------------------------