Release Schedule

These changes will be rolled out over time in groups. Each group takes a generic rule and breaks it down into high-fidelity granular rules that generally point to a specific ATT&CK technique observed in attacks. The original generic rule will then no longer be assigned by a Recommendation scan and will be un-assigned after the next scan. However, if the rule was manually assigned to a host or a policy, it will not be removed.

  1. Batch 1: 2021-06-15
  2. Batch 2: 2021-06-29
  3. Batch 3: 2021-07-13
  4. Batch 4: 2021-07-27
  5. Batch 5: 2021-08-17
  6. Batch 6: 2021-08-24
  7. Batch 7: 2021-08-31
  8. Batch 8: 2021-09-07
  9. Batch 9: 2021-09-14
  10. Batch 10: 2021-09-21

Release Date: 2021-06-15

DSRU Version: 21-027

Changes: The first batch will un-recommend 1003513 - Unix - File attributes changed in /etc location. The following rules have been developed to monitor the most important contents of the /etc directory.

# | Identifier | Name | Assigned by Recommendation Scan
1 | 1010798 | Linux/Unix - Local user and group files modified (ATT&CK T1136.001, T1531) | Yes
2 | 1010805 | Linux/Unix - runtime linker configuration files modified | No
3 | 1010807 | Linux/Unix - System wide environment variables and startup scripts modified (ATT&CK T1546.004) | Yes
4 | 1010808 | Linux/Unix - bash configuration files modified (ATT&CK T1059.004, T1546.004) | Yes
5 | 1010809 | Linux/Unix - List of valid login shells modified (ATT&CK T1059.004) | Yes
6 | 1010812 | Linux/Unix - Name resolver configuration files modified (ATT&CK T1071.004, T1583.002) | No
7 | 1010813 | Linux/Unix - PAM configuration files modified (ATT&CK T1068) | Yes
8 | 1010815 | Linux/Unix - Samba configuration files modified (ATT&CK T1135) | Yes
9 | 1010817 | Linux/Unix - Run control (rc) scripts modified (ATT&CK T1037.004) | Yes
10 | 1010819 | Linux/Unix - xinetd configuration files modified | Yes
11 | 1010821 | Linux/Unix - Alternative commands modified (ATT&CK T1036) | Yes
12 | 1010824 | Linux/Unix - Software repository modified (ATT&CK T1195.002) | Yes
13 | 1010825 | Linux/Unix - adduser, useradd and deluser configuration files modified (ATT&CK T1136.001, T1531) | Yes
14 | 1010826 | Linux/Unix - dhclient configuration files modified | Yes
15 | 1010827 | Linux/Unix - csh/tcsh configuration files modified (ATT&CK T1059.004, T1546.004) | Yes
16 | 1010828 | Linux/Unix - zsh configuration files modified (ATT&CK T1059.004, T1546.004) | Yes
17 | 1010838 | Linux/Unix - Core system configuration files modified | Yes
18 | 1010839 | Linux/Unix - Name of the local system modified (ATT&CK T1082) | Yes
19 | 1010840 | Linux/Unix - Host access control files modified (ATT&CK T1584.004) | Yes
20 | 1010841 | Linux/Unix - ftpd configuration files modified (ATT&CK T1048, T1071.002) | Yes
21 | 1010842 | Linux/Unix - Boot loader configuration files modified (ATT&CK T1542) | Yes
22 | 1010853 | Linux/Unix - Process initialization scripts and configuration files modified (ATT&CK T1037) | Yes
23 | 1010950 | Linux/Unix - sudo files modified (ATT&CK T1548.003) | Yes
24 | 1010962 | Linux/Unix - Network services configuration files modified | Yes
25 | 1010963 | Linux/Unix - Kernel configuration files modified (ATT&CK T1547.006) | Yes
26 | 1010964 | Linux/Unix - Internet routing information file modified | Yes
27 | 1010979 | Linux/Unix - FTP client process initiated (ATT&CK T1048) | Yes


Release Date: 2021-06-29

DSRU Version: 21-029

Changes: The second batch will un-recommend 1003514 - Unix - File attributes changed in /lib location. The following rules have been developed to monitor the most important contents of the /lib directory. Additionally, a new rule has been created to monitor the /boot directory: 1010856 - Linux/Unix - Static boot loader files modified (ATT&CK T1542).

# | Identifier | Name | Assigned by Recommendation Scan
1 | 1010793 | Linux/Unix - Shared object files modified | Yes
2 | 1010843 | Linux/Unix - Boot files modified (ATT&CK T1542) | Yes
3 | 1010844 | Linux/Unix - modprobe configuration files modified (ATT&CK T1547.006) | Yes
4 | 1010845 | Linux/Unix - Default firewall rules modified (ATT&CK T1562.004) | Yes
5 | 1010846 | Linux/Unix - Disk configuration files modified (ATT&CK T1561.002) | Yes
6 | 1010847 | Linux/Unix - SSL configuration files modified (ATT&CK T1587.003) | Yes
7 | 1010848 | Linux/Unix - User access control files modified (ATT&CK T1068) | Yes
8 | 1010856 | Linux/Unix - Static boot loader files modified (ATT&CK T1542) | Yes

Release Date: 2021-07-13

DSRU Version: 21-032

Changes: The third batch will modify several rules to ensure only the required attributes are monitored and that the Name/Description sections conform to the new standard. Additionally, the rule 1003104 - DNS Client will be recommended only on Windows platforms.

The IM rule "1003335 - Application - PAM" will be deleted in this batch because the entities it monitors are already covered by other rules, so deleting this redundant rule causes no loss of monitoring. The rules listed below provide equivalent coverage with more granularity.

  1. 1003573 - Linux/Unix - File attributes in the /bin directory modified
  2. 1002875 - Linux/Unix - Software installed, updated or removed
  3. 1010813 - Linux/Unix - PAM configuration files modified (ATT&CK T1068)

# | Identifier | Name | Assigned by Recommendation Scan
1 | 1002875 | Linux/Unix - Software installed, updated or removed | Yes
2 | 1010373 | Linux/Unix - Systemd service modified (ATT&CK T1543.002) | Yes
3 | 1010791 | Linux/Unix - Task scheduler entries modified (ATT&CK T1053) | Yes
4 | 1009643 | Linux/Unix - bash command history cleared (ATT&CK T1059.004) | Yes
5 | 1009622 | Linux/Unix - bash non-root user configuration files modified (ATT&CK T1546.004) | No
6 | 1011021 | Linux/Unix - bash root user configuration files modified (ATT&CK T1546.004) | Yes

Release Date: 2021-07-27

DSRU Version: 21-034

Changes: The fourth batch modifies the remaining Linux/Unix rules to ensure that the Name/Description sections conform to the new standard. Additionally, rules that have configurable attribute monitoring gain the SHA256 attribute as a selectable option.

# | Identifier | Name | Assigned by Recommendation Scan
1 | 1002766 | Linux/Unix - Directory attributes of /sbin modified (ATT&CK T1222.002) | Yes
2 | 1002770 | Linux/Unix - File attributes in the /usr/bin and /usr/sbin directories modified | Yes
3 | 1002771 | Linux/Unix - File permissions in the /var/log directory modified (ATT&CK T1222.002) | No
4 | 1003513 | Linux/Unix - File attributes in the /etc directory modified | No
5 | 1003514 | Linux/Unix - File attributes in the /lib directory modified | No
6 | 1003573 | Linux/Unix - File attributes in the /bin directory modified | Yes
7 | 1003574 | Linux/Unix - File attributes in the /sbin directory modified | Yes
8 | 1003587 | Linux/Unix - Directory attributes of /bin modified (ATT&CK T1222.002) | Yes
9 | 1005193 | Linux/Unix - File attributes modified (ATT&CK T1070.002, T1222.002) | No
10 | 1008464 | Linux/Unix - File attributes in the /usr/etc, /usr/lib, /usr/lib64, /usr/libexec and /usr/local directories modified | No
11 | 1010389 | Linux/Unix - Process running from the /tmp and /var/tmp directories detected (ATT&CK T1543) | Yes

Release Date: 2021-08-17

DSRU Version: 21-037

Changes: The fifth batch updates the nomenclature of the last remaining Linux/Unix rules. A Windows rule, 1009704 - Microsoft Windows - Boot or Logon Autostart Execution: Port Monitors (ATT&CK T1547.010), has had its name updated to clarify that its functionality is entirely different from that of the similarly named Linux/Unix rule.

# | Identifier | Name | Assigned by Recommendation Scan
1 | 1003168 | Linux/Unix - Process attributes modified | No
2 | 1003169 | Linux/Unix - Listening ports modified | No
3 | 1003354 | Linux/Unix - Configuration files of sendmail utility modified | Yes
4 | 1009745 | Linux/Unix - Removable Device Detected (ATT&CK T1092) | No
5 | 1010422 | Linux/Unix - SCP process detected (ATT&CK T1105, T1048.001) | Yes
6 | 1009704 | Microsoft Windows - Boot or Logon Autostart Execution: Port Monitors (ATT&CK T1547.010) | No

Release Date: 2021-08-24

DSRU Version: 21-038

Changes: Batch 6 removes the recommendation from Application - OpenSSH (ATT&CK T1021.004) and adds granular per-platform rules as its replacement, ensuring that security coverage is maintained.

# | Identifier | Name | Assigned by Recommendation Scan
1 | 1003533 | Application - OpenSSH (ATT&CK T1021.004) | No
2 | 1011063 | Linux/Unix - SSH server configuration file modified (ATT&CK T1021.004) | Yes
3 | 1011066 | Linux/Unix - SSH client configuration modified (ATT&CK T1021.004) | Yes
4 | 1011067 | Linux/Unix - Permissions on ssh private host keys modified (ATT&CK T1021.004, T1222.002) | Yes
5 | 1011068 | Linux/Unix - SSH authorized_keys file modified - root user (ATT&CK T1563.001, T1021.004) | Yes
6 | 1011069 | Linux/Unix - SSH authorized_keys file modified - systemwide (ATT&CK T1563.001, T1021.004) | Yes
7 | 1011070 | Linux/Unix - SSH authorized_keys file modified - non-root users (ATT&CK T1563.001, T1021.004) | Yes
8 | 1011071 | Microsoft Windows - OpenSSH registry keys modified (ATT&CK T1021.004, T1112) | Yes
9 | 1011092 | Microsoft Windows - OpenSSH server configuration file modified (ATT&CK T1021.004) | Yes

In addition, the following rules have been removed as they either monitor obsolete software or are not relevant on servers:

# | Identifier | Name
1 | 1003151 | Instant Messenger - AOL Instant Messenger
2 | 1003152 | Instant Messenger - MSN Messenger
3 | 1003136 | Instant Messenger - Yahoo! Messenger
4 | 1003728 | Mail Client - Evolution
5 | 1004950 | Microsoft Visual Studio - New Add-In Created
6 | 1003366 | Microsoft Windows - DHCP Client
7 | 1003098 | Microsoft Windows - FTP Client
8 | 1002784 | Microsoft Windows - IE ActiveX Kill bits modified
9 | 1002790 | Microsoft Windows - Internet Explorer Browser Settings modified
10 | 1003096 | PDF Viewer - Adobe Acrobat
11 | 1003159 | Web Browser - Apple Safari
12 | 1003160 | Web Browser - Google Chrome
13 | 1003002 | Web Browser - Internet Explorer
14 | 1003003 | Web Browser - Mozilla Firefox
15 | 1003161 | Web Browser - Opera

Release Date: 2021-08-31

DSRU Version: 21-039

Changes: Batch 7 involves only name changes to rules so that they adhere to the new naming standard.

# | Identifier | Old Name | New Name
1 | 1002849 | FTP Server - WarFTPD | Application - WarFTPD
2 | 1002851 | HTTP Server - Apache | Application - Apache HTTP Server
3 | 1002853 | HTTP Server - Tomcat | Application - Apache Tomcat
4 | 1002898 | FTP Server - WS_FTP | Application - WS_FTP
5 | 1002900 | TFTP Server - 3CDaemon | Application - 3CDaemon
6 | 1002910 | HTTP Server - IIS | Application - Microsoft IIS
7 | 1002914 | FTP Server - NettermFTP | Application - NettermFTP
8 | 1002998 | Backup Server - CA BrightStor ARCserve | Application - ARCserve Backup
9 | 1002999 | Database Server - Microsoft SQL Server | Application - Microsoft SQL Server
10 | 1003000 | Database Server - MySQL | Application - MySQL
11 | 1003019 | Trend Micro Deep Security Agent / Relay | Application - Trend Micro Deep Security Agent / Relay
12 | 1003020 | Trend Micro Deep Security Manager | Application - Trend Micro Deep Security Manager
13 | 1003039 | Mail Server - MDaemon | Application - MDaemon Email Server
14 | 1003040 | Mail Server - MailEnable | Application - MailEnable
15 | 1003063 | Mail Server - Microsoft Exchange Server | Application - Microsoft Exchange
16 | 1003077 | Mail Server - IBM Lotus Domino | Application - IBM Lotus Domino
17 | 1003087 | AntiVirus - Trend Micro OfficeScan Client | Application - Trend Micro OfficeScan client
18 | 1003090 | Database Server - Oracle | Application - Oracle Database Server
19 | 1003092 | Mail Server - Merak | Application - Merak Mail Server
20 | 1003102 | Directory Service - Novell eDirectory | Application - Novell eDirectory
21 | 1003105 | Database Server - PostgreSQL | Application - PostgreSQL
22 | 1003131 | Virtualization Software - VMware Server | Application - VMware Server
23 | 1003139 | Application Server - Sun ONE | Application - Sun ONE Application Server
24 | 1003142 | Directory Server - Sun ONE | Application - Sun ONE Directory Server
25 | 1003200 | Database Server - IBM DB2 | Application - IBM DB2
26 | 1003241 | Database Server - Ingres | Application - Ingres Database Server
27 | 1003263 | Directory Server - IBM Tivoli | Application - IBM Tivoli Directory Server
28 | 1003363 | Mail Server - IPSwitch IMail | Application - IPSwitch iMail
29 | 1003364 | Mail Server - Exim | Application - Exim
30 | 1003380 | Web Server - Squid | Application - Squid Proxy
31 | 1003391 | FTP Server - vsftpd | Application - vsftpd
32 | 1003403 | FTP Server - WU-FTPD | Application - WU-FTPD
33 | 1003744 | AntiVirus - Trend Micro OfficeScan Server | Application - Trend Micro OfficeScan server
34 | 1009060 | Kubernetes Cluster Master | Application - Kubernetes Cluster master
35 | 1009434 | Kubernetes Cluster Node | Application - Kubernetes Cluster node
36 | 1010055 | AntiVirus - Trend Micro ApexOne Server | Application - Trend Micro ApexOne server

Release Date: 2021-09-07

DSRU Version: 21-040

Changes: The eighth batch updates 1002781 - Microsoft Windows - Attributes of services modified (ATT&CK T1543.003, T1036.004) to further reduce noise. Additionally, 1008720 - Users and Groups - Create and Delete Activity (ATT&CK T1136) has been split into two rules, one for the Microsoft Windows platform and one for Linux/Unix. The functionality of both new rules is identical to the original; they are now just specific to their respective platforms.

# | Identifier | Name | Assigned by Recommendation Scan
1 | 1002781 | Microsoft Windows - Attributes of services modified (ATT&CK T1543.003, T1036.004) | No
2 | 1008720 | Microsoft Windows - Users and Groups - Create and Delete Activity (ATT&CK T1136) | No
3 | 1011111 | Linux/Unix - Users and Groups - Create and Delete Activity (ATT&CK T1136) | No

The following rules have only had their Names and the contents of their respective Details tab updated, with no change in functionality:

# | Identifier | Old Name | New Name
1 | 1009618 | PowerShell (ATT&CK T1086) | Microsoft Windows - Powershell activity detected (ATT&CK T1059.001)
2 | 1009628 | AppInit DLLs (ATT&CK T1103) | Microsoft Windows - AppInit DLL Registry values modified (ATT&CK T1546.010)
3 | 1009629 | AppCert DLLs (ATT&CK T1182) | Microsoft Windows - AppCert DLL Registry values modified (ATT&CK T1546.009)
4 | 1009638 | NetSh Helper DLL (ATT&CK T1128) | Microsoft Windows - NetSh Helper DLL Registry keys modified (ATT&CK T1546.007)
5 | 1009639 | Application Shimming (ATT&CK T1138) | Microsoft Windows - Application shimming detected (ATT&CK T1546.011)
6 | 1009670 | Service Registry Permissions Weakness (ATT&CK T1058) | Microsoft Windows - Service Registry keys modified (ATT&CK T1574.011)
7 | 1009672 | Time Providers (ATT&CK T1209) | Microsoft Windows - Time Provider Registry keys modified (ATT&CK T1547.003)
8 | 1009710 | Install Root Certificate (ATT&CK T1130) | Microsoft Windows - Root Certificate Registry keys modified (ATT&CK T1553.004)
9 | 1009895 | Component Object Model Hijacking (ATT&CK T1122, T1112) | Microsoft Windows - Component Object Model Registry keys modified (ATT&CK T1546.015)
10 | 1010382 | CommandLine (ATT&CK T1059) | Microsoft Windows - Windows Command Shell activity detected (ATT&CK T1059.003)
11 | 1002859 | Local Security Authority (LSA) Authentication Packages modified (ATT&CK T1174) | Microsoft Windows - LSA Authentication Packages modified (ATT&CK T1547.002)
12 | 1010353 | Local Security Authority (LSA) Notification Packages modified (ATT&CK T1131) | Microsoft Windows - LSA Notification Packages modified (ATT&CK T1556.002)

Release Date: 2021-09-14

DSRU Version: 21-041

Changes: Batch 9 consists only of cosmetic changes. The following rules have only had their Names and the contents of their respective Details tab updated, with no change in functionality.

# | Identifier | Old Name | New Name
1 | 1002767 | Microsoft Windows - System directory attributes changed | Microsoft Windows - Attributes of system32 directory modified
2 | 1002778 | Microsoft Windows - System .dll or .exe files modified (ATT&CK T1013) | Microsoft Windows - System .dll or .exe files modified (ATT&CK T1036.003, T1222.001)
3 | 1002780 | Microsoft Windows - Installed software attributes modified | Microsoft Windows - Installed software attributes modified (ATT&CK T1195.002, T1554)
4 | 1002786 | Microsoft Windows - Microsoft hotfixes registry keys modified | Microsoft Windows - Microsoft hotfixes registry keys modified (ATT&CK T1112)
5 | 1002787 | Microsoft Windows - Event Log settings changed | Microsoft Windows - Registry values of event log modified (ATT&CK T1562.002, T1070.001)
6 | 1002788 | Microsoft Windows - 'ActiveX Compatibility' registry keys modified | Microsoft Windows - 'ActiveX Compatibility' registry keys modified (ATT&CK T1112)
7 | 1002869 | Microsoft Windows - DNS Server | Microsoft Windows - DNS Server (ATT&CK T1584.002, T1554)
8 | 1003367 | Microsoft Windows - DHCP Server | Microsoft Windows - DHCP server files directory and service modified (ATT&CK T1036.003, T1222.001)
9 | 1005041 | Malware - Suspicious Microsoft Windows Files Detected | Threat - Suspicious Microsoft Windows Files Detected
10 | 1005042 | Malware - Suspicious Microsoft Windows Registry Entries Detected | Threat - Suspicious Microsoft Windows Registry Entries Detected
11 | 1005195 | Microsoft Windows - Log File Attributes Changes Detected | Microsoft Windows - Attributes of log file modified (ATT&CK T1222.001, T1070)
12 | 1006076 | Task Scheduler Entries Modified (ATT&CK T1168) | Microsoft Windows - Task scheduler entries modified (ATT&CK T1053.005)
13 | 1006544 | Adware - Suspicious Microsoft Windows Superfish Detected | Threat - Suspicious Microsoft Windows Superfish Detected
14 | 1006658 | TMTR-0012: Suspicious Files Detected In Temporary Directories | TMTR-0012: Suspicious Files Detected In Temporary Directories (ATT&CK T1560.001)
15 | 1006677 | TMTR-0013: Suspicious Files Detected In Windows Folder | TMTR-0013: Suspicious Files Detected In Windows Folder (ATT&CK T1560.001)
16 | 1006683 | TMTR-0016: Suspicious Running Processes Detected | TMTR-0016: Suspicious Running Processes Detected (ATT&CK T1560.001)
17 | 1006802 | TMTR-0003: Suspicious Files Detected In Operating System Directories | TMTR-0003: Suspicious Files Detected In Operating System Directories (ATT&CK T1560.001)
18 | 1006803 | TMTR-0001: Suspicious Files Detected In Operating System Directories | TMTR-0001: Suspicious Files Detected In Operating System Directories (ATT&CK T1560.001)
19 | 1006804 | TMTR-0010: Suspicious Files Detected In System Folder | TMTR-0010: Suspicious Files Detected In System Folder (ATT&CK T1560.001)
20 | 1006805 | TMTR-0009: Suspicious Files Detected In System Folder | TMTR-0009: Suspicious Files Detected In System Folder (ATT&CK T1560.001)
21 | 1007210 | TMTR-0018: Suspicious Files Detected In User Profile Directory | TMTR-0018: Suspicious Files Detected In User Profile Directory (ATT&CK T1560.001)
22 | 1007216 | TMTR-0021: Suspicious Files Detected In System Drive | TMTR-0021: Suspicious Files Detected In System Drive (ATT&CK T1560.001)
23 | 1007217 | TMTR-0022: Suspicious Files Detected In Recycle Bin | TMTR-0022: Suspicious Files Detected In Recycle Bin (ATT&CK T1560.001)
24 | 1008257 | Microsoft Windows - USB Storage Device Detected (ATT&CK T1092) | Microsoft Windows - USB storage device detected (ATT&CK T1092, T1052.001)
25 | 1008385 | Ransomware - WannaCry | Threat - WannaCry
26 | 1008684 | Ransomware - BADRABBIT | Threat - BADRABBIT
27 | 1009626 | Windows Accessibility Features - ImageFileExecution (ATT&CK T1015, T1183) | Microsoft Windows - Accessibility features registry keys or files modified (ATT&CK T1546.008, T1546.012)
28 | 1010138 | Trend Micro Apex One And OfficeScan Directory Traversal Vulnerability (CVE-2019-9489) | Vulnerability - Trend Micro Apex One And OfficeScan Directory Traversal Vulnerability (CVE-2019-9489)
29 | 1010266 | SaltStack Vulnerabilities Exploitation Detected | Vulnerability - SaltStack Vulnerabilities Exploitation Detected
30 | 1010515 | Trend Micro ServerProtect For Linux Command Execution Vulnerability (CVE-2020-24561) | Vulnerability - Trend Micro ServerProtect For Linux Command Execution Vulnerability (CVE-2020-24561)
31 | 1010855 | Microsoft Exchange - HAFNIUM Targeted Vulnerabilities | Vulnerability - Microsoft Exchange - HAFNIUM Targeted Vulnerabilities

These rules keep the same name but may have had their Description and/or Details tab modified:

# | Identifier | Name
1 | 1002773 | Microsoft Windows - 'Hosts' file modified
2 | 1002775 | Microsoft Windows - Network configuration files modified
3 | 1002777 | Microsoft Windows - System configuration file modified
4 | 1002783 | Microsoft Windows - Default Debugger changed
5 | 1003166 | Application - IBM WebSphere Application Server
6 | 1003167 | Application - Oracle Bea WebLogic Server
7 | 1003333 | Application - Kerberos
8 | 1003334 | Application - Samba
9 | 1003338 | Application - mountd
10 | 1003339 | Application - NFS
11 | 1003357 | Application - vixie-cron
12 | 1003359 | Application - Portmapper
13 | 1003360 | Application - Network Information Server
14 | 1003361 | Application - rstatd
15 | 1003370 | Application - OpenSSL
16 | 1003372 | Application - telnetd
17 | 1003374 | Application - PHP
18 | 1003375 | Application - Postfix
19 | 1003381 | Application - Mailman
20 | 1003385 | Application - Xorg-x / XFree86 / Xfree86 / Xorg-x11
21 | 1003386 | Application - VNC Server
22 | 1003517 | Microsoft Windows - System driver files modified
23 | 1007295 | Application - chrony
24 | 1008271 | Application - Docker

Please note: the rule 1002774 - Microsoft Windows - Microsoft html viewer dll file modified has been deleted, as its functionality is covered by other rules.

Release Date: 2021-09-21

DSRU Version: 21-042

Changes: Batch 10 is the final update in the revamp. Modified rules in this batch have only had name changes, except that 1003138 - Microsoft Windows - Active Directory and 1002776 - Microsoft Windows - Startup Programs Modified (ATT&CK T1112, T1060) have had their recommendation removed, with newly issued rules providing the same functionality.

# | Identifier | Name | Old Name | Assigned by Recommendation Scan
1 | 1002860 | Microsoft Windows - SAM registry keys modified (ATT&CK T1098, T1136) | Microsoft Windows - SAM Domain Account Users Modified | Yes
2 | 1006684 | TMTR-0015: Suspicious Service Detected (ATT&CK T1543.003) | TMTR-0015: Suspicious Service Detected | No
3 | 1006691 | TMTR-0017: Microsoft Windows - SAM Domain Account Users Modification Detected (ATT&CK T1098, T1136) | TMTR-0017: Microsoft Windows - SAM Domain Account Users Modification Detected | No
4 | 1006796 | TMTR-0007: Suspicious Files Detected In Application Directories (ATT&CK T1574.002) | TMTR-0007: Suspicious Files Detected In Application Directories | No
5 | 1006798 | TMTR-0005: Suspicious Files Detected In Application Directories (ATT&CK T1562.001) | TMTR-0005: Suspicious Files Detected In Application Directories | No
6 | 1006799 | TMTR-0014: Suspicious Service Detected (ATT&CK T1543.003) | TMTR-0014: Suspicious Service Detected | No
7 | 1006800 | TMTR-0002: Suspicious Files Detected In Operating System Directories (ATT&CK T1053.005) | TMTR-0002: Suspicious Files Detected In Operating System Directories | No
8 | 1007214 | TMTR-0019: Suspicious Files Detected In System Drivers Directory (ATT&CK T1014) | TMTR-0019: Suspicious Files Detected In System Drivers Directory | No
9 | 1007218 | TMTR-0023: Suspicious Changes In NTLM Settings (ATT&CK T1547.005) | TMTR-0023: Suspicious Changes In NTLM Settings | No
10 | 1011141 | Microsoft Windows - Windows file protection registry modified (ATT&CK T1546.008, T1112) | New rule | Yes
11 | 1011142 | Microsoft Windows - Network services registries modified (ATT&CK T1574.001, T1547.001) | New rule | Yes
12 | 1011144 | Microsoft Windows - AutoRun registries modified (ATT&CK T1547.001) | New rule | Yes
13 | 1011145 | Microsoft Windows - Boot or Logon Autostart Execution registries modified (ATT&CK T1547.014, T1547.004) | New rule | Yes
14 | 1011146 | Microsoft Windows - Autostart execution registries modified (ATT&CK T1547.001) | New rule | Yes
15 | 1011148 | Microsoft Windows - Files in appdata startup folder modified (ATT&CK T1547.001) | New rule | Yes
16 | 1011149 | Microsoft Windows - Files in programdata startup folder modified (ATT&CK T1547.001) | New rule | Yes
17 | 1011150 | Microsoft Windows - Files in start menu directory modified (ATT&CK T1547.001) | New rule | Yes
18 | 1011151 | Microsoft Windows - Active directory registry keys modified (ATT&CK T1112) | New rule | Yes
19 | 1011152 | Microsoft Windows - Active directory files modified (ATT&CK T1552.006) | New rule | Yes