Release Schedule
These changes are rolled out in batches. Each batch breaks a generic rule down into high-fidelity granular rules, each of which generally maps to a specific ATT&CK technique observed in attacks. The original generic rule is then no longer recommended: where it was assigned by a Recommendation Scan, it is un-assigned at the next scan. A rule that was manually assigned to a host or a policy is not removed. Review those manual assignments after each batch, since a generic rule kept alongside its granular replacements monitors the same locations twice.
- Batch 1: 2021-06-15
- Batch 2: 2021-06-29
- Batch 3: 2021-07-13
- Batch 4: 2021-07-27
- Batch 5: 2021-08-17
- Batch 6: 2021-08-24
- Batch 7: 2021-08-31
- Batch 8: 2021-09-07
- Batch 9: 2021-09-14
- Batch 10: 2021-09-21
Release Date: 2021-06-15
DSRU Version: 21-027
Changes: The first batch will un-recommend 1003513 - Unix - File attributes changed in /etc location. The following rules have been developed to monitor the most important contents of the /etc directory.
# | Identifier | Name | Assigned by Recommendation Scan |
---|---|---|---|
1 | 1010798 | Linux/Unix - Local user and group files modified (ATT&CK T1136.001, T1531) | Yes |
2 | 1010805 | Linux/Unix - runtime linker configuration files modified | No |
3 | 1010807 | Linux/Unix - System wide environment variables and startup scripts modified (ATT&CK T1546.004) | Yes |
4 | 1010808 | Linux/Unix - bash configuration files modified (ATT&CK T1059.004, T1546.004) | Yes |
5 | 1010809 | Linux/Unix - List of valid login shells modified (ATT&CK T1059.004) | Yes |
6 | 1010812 | Linux/Unix - Name resolver configuration files modified (ATT&CK T1071.004, T1583.002) | No |
7 | 1010813 | Linux/Unix - PAM configuration files modified (ATT&CK T1068) | Yes |
8 | 1010815 | Linux/Unix - Samba configuration files modified (ATT&CK T1135) | Yes |
9 | 1010817 | Linux/Unix - Run control (rc) scripts modified (ATT&CK T1037.004) | Yes |
10 | 1010819 | Linux/Unix - xinetd configuration files modified | Yes |
11 | 1010821 | Linux/Unix - Alternative commands modified (ATT&CK T1036) | Yes |
12 | 1010824 | Linux/Unix - Software repository modified (ATT&CK T1195.002) | Yes |
13 | 1010825 | Linux/Unix - adduser, useradd and deluser configuration files modified (ATT&CK T1136.001, T1531) | Yes |
14 | 1010826 | Linux/Unix - dhclient configuration files modified | Yes |
15 | 1010827 | Linux/Unix - csh/tcsh configuration files modified (ATT&CK T1059.004, T1546.004) | Yes |
16 | 1010828 | Linux/Unix - zsh configuration files modified (ATT&CK T1059.004, T1546.004) | Yes |
17 | 1010838 | Linux/Unix - Core system configuration files modified | Yes |
18 | 1010839 | Linux/Unix - Name of the local system modified (ATT&CK T1082) | Yes |
19 | 1010840 | Linux/Unix - Host access control files modified (ATT&CK T1584.004) | Yes |
20 | 1010841 | Linux/Unix - ftpd configuration files modified (ATT&CK T1048, T1071.002) | Yes |
21 | 1010842 | Linux/Unix - Boot loader configuration files modified (ATT&CK T1542) | Yes |
22 | 1010853 | Linux/Unix - Process initialization scripts and configuration files modified (ATT&CK T1037) | Yes |
23 | 1010950 | Linux/Unix - sudo files modified (ATT&CK T1548.003) | Yes |
24 | 1010962 | Linux/Unix - Network services configuration files modified | Yes |
25 | 1010963 | Linux/Unix - Kernel configuration files modified (ATT&CK T1547.006) | Yes |
26 | 1010964 | Linux/Unix - Internet routing information file modified | Yes |
27 | 1010979 | Linux/Unix - FTP client process initiated (ATT&CK T1048) | Yes |
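The assignment behaviour described in the introduction, worked through on the batch 1 data above. This is an added example and not Trend Micro code or the Deep Security API: the host records and the "recommendation"/"manual" assignment sources are an assumed, constructed representation, and the rule sets are copied from the batch 1 table (the "Yes" rows become recommended, the "No" rows do not). It shows what a host's rule set looks like after the next scan, flags a manually assigned generic rule that survives the scan (and so now overlaps the granular rules), and lists granular rules that exist but must be assigned by hand.

```python
"""Model of Recommendation Scan re-assignment for batch 1 (DSRU 21-027).

Added example, not product code. Hosts and assignment sources are constructed;
rule identifiers come from the batch 1 table on this page.
"""
from dataclasses import dataclass, field

# Generic rule that batch 1 stops recommending.
UNRECOMMENDED = {"1003513"}

# Granular replacements marked "Yes" (assigned by Recommendation Scan).
NEW_RECOMMENDED = {
    "1010798", "1010807", "1010808", "1010809", "1010813", "1010815", "1010817",
    "1010819", "1010821", "1010824", "1010825", "1010826", "1010827", "1010828",
    "1010838", "1010839", "1010840", "1010841", "1010842", "1010853", "1010950",
    "1010962", "1010963", "1010964", "1010979",
}

# Granular rules marked "No": created, but never auto-assigned.
NEW_MANUAL_ONLY = {"1010805", "1010812"}


@dataclass
class Host:
    """Constructed host record: rule id -> 'recommendation' or 'manual'."""
    name: str
    assignments: dict = field(default_factory=dict)


def run_recommendation_scan(host, unrecommended, new_recommended):
    """Return the host's assignments after the next scan.

    Encodes the policy stated on the page: a rule in `unrecommended` is dropped
    only if the scan assigned it; manual assignments are kept; newly recommended
    rules are added as recommendation-assigned unless already assigned by hand.
    """
    after = {}
    for rule, source in host.assignments.items():
        if rule in unrecommended and source == "recommendation":
            continue  # un-assigned by the scan
        after[rule] = source
    for rule in new_recommended:
        after.setdefault(rule, "recommendation")
    return Host(host.name, after)


def leftover_generic_rules(host, unrecommended):
    """Generic rules that survived the scan because they were assigned manually.

    These now overlap the granular rules and double the event volume for the
    same paths; they are the ones to review after each batch.
    """
    return sorted(r for r, src in host.assignments.items()
                  if r in unrecommended and src == "manual")


def missing_manual_only_rules(host, manual_only):
    """Granular rules the scan will never assign, so the host lacks them."""
    return sorted(manual_only - host.assignments.keys())


if __name__ == "__main__":
    auto = Host("web-01", {"1003513": "recommendation", "1002875": "recommendation"})
    manual = Host("db-01", {"1003513": "manual"})
    for h in (auto, manual):
        after = run_recommendation_scan(h, UNRECOMMENDED, NEW_RECOMMENDED)
        print(h.name, "rules after scan:", len(after.assignments))
        print("  leftover generic:", leftover_generic_rules(after, UNRECOMMENDED))
        print("  manual-only not assigned:", missing_manual_only_rules(after, NEW_MANUAL_ONLY))
```

The same functions apply to later batches by swapping in that batch's un-recommended and newly recommended identifiers (batch 6, for instance, drops 1003533 and recommends 1011063 through 1011092).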
Release Date: 2021-06-29
DSRU Version: 21-029
Changes: The second batch will un-recommend 1003514 - Unix - File attributes changed in /lib location. The following rules have been developed to monitor the most important contents of the /lib directory. Additionally, a new rule has been created to monitor the /boot directory: 1010856 - Linux/Unix - Static boot loader files modified (ATT&CK T1542)
# | Identifier | Name | Assigned by Recommendation Scan |
---|---|---|---|
1 | 1010793 | Linux/Unix - Shared object files modified | Yes |
2 | 1010843 | Linux/Unix - Boot files modified (ATT&CK T1542) | Yes |
3 | 1010844 | Linux/Unix - modprobe configuration files modified (ATT&CK T1547.006) | Yes |
4 | 1010845 | Linux/Unix - Default firewall rules modified (ATT&CK T1562.004) | Yes |
5 | 1010846 | Linux/Unix - Disk configuration files modified (ATT&CK T1561.002) | Yes |
6 | 1010847 | Linux/Unix - SSL configuration files modified (ATT&CK T1587.003) | Yes |
7 | 1010848 | Linux/Unix - User access control files modified (ATT&CK T1068) | Yes |
8 | 1010856 | Linux/Unix - Static boot loader files modified (ATT&CK T1542) | Yes |
Release Date: 2021-07-13
DSRU Version: 21-032
Changes: The third batch will modify several rules to ensure only the required attributes are monitored and that the Name/Description sections conform to the new standard. Additionally, the rule 1003104 - DNS Client will be recommended only on Windows platforms.
The IM rule 1003335 - Application - PAM is deleted in this batch because the entities it monitors are already covered by other rules, so no monitoring is lost. The rules listed below provide equivalent coverage with more granularity:
- 1003573 - Linux/Unix - File attributes in the /bin directory modified
- 1002875 - Linux/Unix - Software installed, updated or removed
- 1010813 - Linux/Unix - PAM configuration files modified (ATT&CK T1068)
# | Identifier | Name | Assigned by Recommendation Scan |
---|---|---|---|
1 | 1002875 | Linux/Unix - Software installed, updated or removed | Yes |
2 | 1010373 | Linux/Unix - Systemd service modified (ATT&CK T1543.002) | Yes |
3 | 1010791 | Linux/Unix - Task scheduler entries modified (ATT&CK T1053) | Yes |
4 | 1009643 | Linux/Unix - bash command history cleared (ATT&CK T1059.004) | Yes |
5 | 1009622 | Linux/Unix - bash non-root user configuration files modified (ATT&CK T1546.004) | No |
6 | 1011021 | Linux/Unix - bash root user configuration files modified (ATT&CK T1546.004) | Yes |
Release Date: 2021-07-27
DSRU Version: 21-034
Changes: The fourth batch modifies the remaining Linux/Unix rules to ensure that the Name/Description sections conform to the new standard. Additionally, rules that have configurable attribute monitoring gain the SHA256 attribute as a selectable option.
# | Identifier | Name | Assigned by Recommendation Scan |
---|---|---|---|
1 | 1002766 | Linux/Unix - Directory attributes of /sbin modified (ATT&CK T1222.002) | Yes |
2 | 1002770 | Linux/Unix - File attributes in the /usr/bin and /usr/sbin directories modified | Yes |
3 | 1002771 | Linux/Unix - File permissions in the /var/log directory modified (ATT&CK T1222.002) | No |
4 | 1003513 | Linux/Unix - File attributes in the /etc directory modified | No |
5 | 1003514 | Linux/Unix - File attributes in the /lib directory modified | No |
6 | 1003573 | Linux/Unix - File attributes in the /bin directory modified | Yes |
7 | 1003574 | Linux/Unix - File attributes in the /sbin directory modified | Yes |
8 | 1003587 | Linux/Unix - Directory attributes of /bin modified (ATT&CK T1222.002) | Yes |
9 | 1005193 | Linux/Unix - File attributes modified (ATT&CK T1070.002, T1222.002) | No |
10 | 1008464 | Linux/Unix - File attributes in the /usr/etc, /usr/lib, /usr/lib64, /usr/libexec And /usr/local directories modified | No |
11 | 1010389 | Linux/Unix - Process running from the /tmp and /var/tmp directories detected (ATT&CK T1543) | Yes |
Release Date: 2021-08-17
DSRU Version: 21-037
Changes: The fifth batch updates the nomenclature of the last remaining Linux/Unix rules. The Windows rule 1009704 - Microsoft Windows - Boot or Logon Autostart Execution: Port Monitors (ATT&CK T1547.010) has also had its name updated to make clear that its functionality is entirely different from that of the similarly named Linux/Unix rule.
# | Identifier | Name | Assigned by Recommendation Scan |
---|---|---|---|
1 | 1003168 | Linux/Unix - Process attributes modified | No |
2 | 1003169 | Linux/Unix - Listening ports modified | No |
3 | 1003354 | Linux/Unix - Configuration files of sendmail utility modified | Yes |
4 | 1009745 | Linux/Unix - Removable Device Detected (ATT&CK T1092) | No |
5 | 1010422 | Linux/Unix - SCP process detected (ATT&CK T1105, T1048.001) | Yes |
6 | 1009704 | Microsoft Windows - Boot or Logon Autostart Execution: Port Monitors (ATT&CK T1547.010) | No |
Release Date: 2021-08-24
DSRU Version: 21-038
Changes: Batch 6 removes the recommendation from Application - OpenSSH (ATT&CK T1021.004) and adds granular per-platform replacement rules so that security coverage is maintained.
# | Identifier | Name | Assigned by Recommendation Scan |
---|---|---|---|
1 | 1003533 | Application - OpenSSH (ATT&CK T1021.004) | No |
2 | 1011063 | Linux/Unix - SSH server configuration file modified (ATT&CK T1021.004) | Yes |
3 | 1011066 | Linux/Unix - SSH client configuration modified (ATT&CK T1021.004) | Yes |
4 | 1011067 | Linux/Unix - Permissions on ssh private host keys modified (ATT&CK T1021.004, T1222.002) | Yes |
5 | 1011068 | Linux/Unix - SSH authorized_keys file modified - root user (ATT&CK T1563.001, T1021.004) | Yes |
6 | 1011069 | Linux/Unix - SSH authorized_keys file modified - systemwide (ATT&CK T1563.001, T1021.004) | Yes |
7 | 1011070 | Linux/Unix - SSH authorized_keys file modified - non-root users (ATT&CK T1563.001, T1021.004) | Yes |
8 | 1011071 | Microsoft Windows - OpenSSH registry keys modified (ATT&CK T1021.004, T1112) | Yes |
9 | 1011092 | Microsoft Windows - OpenSSH server configuration file modified (ATT&CK T1021.004) | Yes |
In addition, the following rules have been removed because they monitor software that is obsolete or not relevant on servers:
# | Identifier | Name |
---|---|---|
1 | 1003151 | Instant Messenger - AOL Instant Messenger |
2 | 1003152 | Instant Messenger - MSN Messenger |
3 | 1003136 | Instant Messenger - Yahoo! Messenger |
4 | 1003728 | Mail Client - Evolution |
5 | 1004950 | Microsoft Visual Studio - New Add-In Created |
6 | 1003366 | Microsoft Windows - DHCP Client |
7 | 1003098 | Microsoft Windows - FTP Client |
8 | 1002784 | Microsoft Windows - IE ActiveX Kill bits modified |
9 | 1002790 | Microsoft Windows - Internet Explorer Browser Settings modified |
10 | 1003096 | PDF Viewer - Adobe Acrobat |
11 | 1003159 | Web Browser - Apple Safari |
12 | 1003160 | Web Browser - Google Chrome |
13 | 1003002 | Web Browser - Internet Explorer |
14 | 1003003 | Web Browser - Mozilla Firefox |
15 | 1003161 | Web Browser - Opera |
Release Date: 2021-08-31
DSRU Version: 21-039
Changes: Batch 7 involves only Name changes to rules so that they adhere to the new standard.
# | Identifier | Old Name | New Name |
---|---|---|---|
1 | 1002849 | FTP Server - WarFTPD | Application - WarFTPD |
2 | 1002851 | HTTP Server - Apache | Application - Apache HTTP Server |
3 | 1002853 | HTTP Server - Tomcat | Application - Apache Tomcat |
4 | 1002898 | FTP Server - WS_FTP | Application - WS_FTP |
5 | 1002900 | TFTP Server - 3CDaemon | Application - 3CDaemon |
6 | 1002910 | HTTP Server - IIS | Application - Microsoft IIS |
7 | 1002914 | FTP Server - NettermFTP | Application - NettermFTP |
8 | 1002998 | Backup Server - CA BrightStor ARCserve | Application - ARCserve Backup |
9 | 1002999 | Database Server - Microsoft SQL Server | Application - Microsoft SQL Server |
10 | 1003000 | Database Server - MySQL | Application - MySQL |
11 | 1003019 | Trend Micro Deep Security Agent / Relay | Application - Trend Micro Deep Security Agent / Relay |
12 | 1003020 | Trend Micro Deep Security Manager | Application - Trend Micro Deep Security Manager |
13 | 1003039 | Mail Server - MDaemon | Application - MDaemon Email Server |
14 | 1003040 | Mail Server - MailEnable | Application - MailEnable |
15 | 1003063 | Mail Server - Microsoft Exchange Server | Application - Microsoft Exchange |
16 | 1003077 | Mail Server - IBM Lotus Domino | Application - IBM Lotus Domino |
17 | 1003087 | AntiVirus - Trend Micro OfficeScan Client | Application - Trend Micro OfficeScan client |
18 | 1003090 | Database Server - Oracle | Application - Oracle Database Server |
19 | 1003092 | Mail Server - Merak | Application - Merak Mail Server |
20 | 1003102 | Directory Service - Novell eDirectory | Application - Novell eDirectory |
21 | 1003105 | Database Server - PostgreSQL | Application - PostgreSQL |
22 | 1003131 | Virtualization Software - VMware Server | Application - VMware Server |
23 | 1003139 | Application Server - Sun ONE | Application - Sun ONE Application Server |
24 | 1003142 | Directory Server - Sun ONE | Application - Sun ONE Directory Server |
25 | 1003200 | Database Server - IBM DB2 | Application - IBM DB2 |
26 | 1003241 | Database Server - Ingres | Application - Ingres Database Server |
27 | 1003263 | Directory Server - IBM Tivoli | Application - IBM Tivoli Directory Server |
28 | 1003363 | Mail Server - IPSwitch IMail | Application - IPSwitch iMail |
29 | 1003364 | Mail Server - Exim | Application - Exim |
30 | 1003380 | Web Server - Squid | Application - Squid Proxy |
31 | 1003391 | FTP Server - vsftpd | Application - vsftpd |
32 | 1003403 | FTP Server - WU-FTPD | Application - WU-FTPD |
33 | 1003744 | AntiVirus - Trend Micro OfficeScan Server | Application - Trend Micro OfficeScan server |
34 | 1009060 | Kubernetes Cluster Master | Application - Kubernetes Cluster master |
35 | 1009434 | Kubernetes Cluster Node | Application - Kubernetes Cluster node |
36 | 1010055 | AntiVirus - Trend Micro ApexOne Server | Application - Trend Micro ApexOne server |
Release Date: 2021-09-07
DSRU Version: 21-040
Changes: The eighth batch updates 1002781 - Microsoft Windows - Attributes of services modified (ATT&CK T1543.003, T1036.004) to further reduce noise. Additionally, 1008720 - Users and Groups - Create and Delete Activity (ATT&CK T1136) has been split into two rules, one for Microsoft Windows and one for Linux/Unix. The functionality of both rules is identical to the original; each is now specific to its platform.
# | Identifier | Name | Assigned by Recommendation Scan |
---|---|---|---|
1 | 1002781 | Microsoft Windows - Attributes of services modified (ATT&CK T1543.003, T1036.004) | No |
2 | 1008720 | Microsoft Windows - Users and Groups - Create and Delete Activity (ATT&CK T1136) | No |
3 | 1011111 | Linux/Unix - Users and Groups - Create and Delete Activity (ATT&CK T1136) | No |
The following rules have only had their Names and the contents of their Details tab updated; there are no changes in functionality:
# | Identifier | Old Name | New Name |
---|---|---|---|
1 | 1009618 | PowerShell (ATT&CK T1086) | Microsoft Windows - Powershell activity detected (ATT&CK T1059.001) |
2 | 1009628 | AppInit DLLs (ATT&CK T1103) | Microsoft Windows - AppInit DLL Registry values modified (ATT&CK T1546.010) |
3 | 1009629 | AppCert DLLs (ATT&CK T1182) | Microsoft Windows - AppCert DLL Registry values modified (ATT&CK T1546.009) |
4 | 1009638 | NetSh Helper DLL (ATT&CK T1128) | Microsoft Windows - NetSh Helper DLL Registry keys modified (ATT&CK T1546.007) |
5 | 1009639 | Application Shimming (ATT&CK T1138) | Microsoft Windows - Application shimming detected (ATT&CK T1546.011) |
6 | 1009670 | Service Registry Permissions Weakness (ATT&CK T1058) | Microsoft Windows - Service Registry keys modified (ATT&CK T1574.011) |
7 | 1009672 | Time Providers (ATT&CK T1209) | Microsoft Windows - Time Provider Registry keys modified (ATT&CK T1547.003) |
8 | 1009710 | Install Root Certificate (ATT&CK T1130) | Microsoft Windows - Root Certificate Registry keys modified (ATT&CK T1553.004) |
9 | 1009895 | Component Object Model Hijacking (ATT&CK T1122, T1112) | Microsoft Windows - Component Object Model Registry keys modified (ATT&CK T1546.015) |
10 | 1010382 | CommandLine (ATT&CK T1059) | Microsoft Windows - Windows Command Shell activity detected (ATT&CK T1059.003) |
11 | 1002859 | Local Security Authority (LSA) Authentication Packages modified (ATT&CK T1174) | Microsoft Windows - LSA Authentication Packages modified (ATT&CK T1547.002) |
12 | 1010353 | Local Security Authority (LSA) Notification Packages modified (ATT&CK T1131) | Microsoft Windows - LSA Notification Packages modified (ATT&CK T1556.002) |
Release Date: 2021-09-14
DSRU Version: 21-041
Changes: Batch 9 consists only of cosmetic changes. The following rules have had their Names and the contents of their Details tab updated; there are no changes in functionality.
# | Identifier | Old Name | New Name |
---|---|---|---|
1 | 1002767 | Microsoft Windows - System directory attributes changed | Microsoft Windows - Attributes of system32 directory modified |
2 | 1002778 | Microsoft Windows - System .dll or .exe files modified (ATT&CK T1013) | Microsoft Windows - System .dll or .exe files modified (ATT&CK T1036.003, T1222.001) |
3 | 1002780 | Microsoft Windows - Installed software attributes modified | Microsoft Windows - Installed software attributes modified (ATT&CK T1195.002, T1554) |
4 | 1002786 | Microsoft Windows - Microsoft hotfixes registry keys modified | Microsoft Windows - Microsoft hotfixes registry keys modified (ATT&CK T1112) |
5 | 1002787 | Microsoft Windows - Event Log settings changed | Microsoft Windows - Registry values of event log modified (ATT&CK T1562.002, T1070.001) |
6 | 1002788 | Microsoft Windows - 'ActiveX Compatibility' registry keys modified | Microsoft Windows - 'ActiveX Compatibility' registry keys modified (ATT&CK T1112) |
7 | 1002869 | Microsoft Windows - DNS Server | Microsoft Windows - DNS Server (ATT&CK T1584.002, T1554) |
8 | 1003367 | Microsoft Windows - DHCP Server | Microsoft Windows - DHCP server files directory and service modified (ATT&CK T1036.003, T1222.001) |
9 | 1005041 | Malware - Suspicious Microsoft Windows Files Detected | Threat - Suspicious Microsoft Windows Files Detected |
10 | 1005042 | Malware - Suspicious Microsoft Windows Registry Entries Detected | Threat - Suspicious Microsoft Windows Registry Entries Detected |
11 | 1005195 | Microsoft Windows - Log File Attributes Changes Detected | Microsoft Windows - Attributes of log file modified (ATT&CK T1222.001, T1070) |
12 | 1006076 | Task Scheduler Entries Modified (ATT&CK T1168) | Microsoft Windows - Task scheduler entries modified (ATT&CK T1053.005) |
13 | 1006544 | Adware - Suspicious Microsoft Windows Superfish Detected | Threat - Suspicious Microsoft Windows Superfish Detected |
14 | 1006658 | TMTR-0012: Suspicious Files Detected In Temporary Directories | TMTR-0012: Suspicious Files Detected In Temporary Directories (ATT&CK T1560.001) |
15 | 1006677 | TMTR-0013: Suspicious Files Detected In Windows Folder | TMTR-0013: Suspicious Files Detected In Windows Folder (ATT&CK T1560.001) |
16 | 1006683 | TMTR-0016: Suspicious Running Processes Detected | TMTR-0016: Suspicious Running Processes Detected (ATT&CK T1560.001) |
17 | 1006802 | TMTR-0003: Suspicious Files Detected In Operating System Directories | TMTR-0003: Suspicious Files Detected In Operating System Directories (ATT&CK T1560.001) |
18 | 1006803 | TMTR-0001: Suspicious Files Detected In Operating System Directories | TMTR-0001: Suspicious Files Detected In Operating System Directories (ATT&CK T1560.001) |
19 | 1006804 | TMTR-0010: Suspicious Files Detected In System Folder | TMTR-0010: Suspicious Files Detected In System Folder (ATT&CK T1560.001) |
20 | 1006805 | TMTR-0009: Suspicious Files Detected In System Folder | TMTR-0009: Suspicious Files Detected In System Folder (ATT&CK T1560.001) |
21 | 1007210 | TMTR-0018: Suspicious Files Detected In User Profile Directory | TMTR-0018: Suspicious Files Detected In User Profile Directory (ATT&CK T1560.001) |
22 | 1007216 | TMTR-0021: Suspicious Files Detected In System Drive | TMTR-0021: Suspicious Files Detected In System Drive (ATT&CK T1560.001) |
23 | 1007217 | TMTR-0022: Suspicious Files Detected In Recycle Bin | TMTR-0022: Suspicious Files Detected In Recycle Bin (ATT&CK T1560.001) |
24 | 1008257 | Microsoft Windows - USB Storage Device Detected (ATT&CK T1092) | Microsoft Windows - USB storage device detected (ATT&CK T1092, T1052.001) |
25 | 1008385 | Ransomware - WannaCry | Threat - WannaCry |
26 | 1008684 | Ransomware - BADRABBIT | Threat - BADRABBIT |
27 | 1009626 | Windows Accessibility Features - ImageFileExecution (ATT&CK T1015,T1183) | Microsoft Windows - Accessibility features registry keys or files modified (ATT&CK T1546.008, T1546.012) |
28 | 1010138 | Trend Micro Apex One And OfficeScan Directory Traversal Vulnerability (CVE-2019-9489) | Vulnerability - Trend Micro Apex One And OfficeScan Directory Traversal Vulnerability (CVE-2019-9489) |
29 | 1010266 | SaltStack Vulnerabilities Exploitation Detected | Vulnerability - SaltStack Vulnerabilities Exploitation Detected |
30 | 1010515 | Trend Micro ServerProtect For Linux Command Execution Vulnerability (CVE-2020-24561) | Vulnerability - Trend Micro ServerProtect For Linux Command Execution Vulnerability (CVE-2020-24561) |
31 | 1010855 | Microsoft Exchange - HAFNIUM Targeted Vulnerabilities | Vulnerability - Microsoft Exchange - HAFNIUM Targeted Vulnerabilities |
These rules keep the same name but may have their Description and/or Details tab modified:
# | Identifier | Name |
---|---|---|
1 | 1002773 | Microsoft Windows - 'Hosts' file modified |
2 | 1002775 | Microsoft Windows - Network configuration files modified |
3 | 1002777 | Microsoft Windows - System configuration file modified |
4 | 1002783 | Microsoft Windows - Default Debugger changed |
5 | 1003166 | Application - IBM WebSphere Application Server |
6 | 1003167 | Application - Oracle Bea WebLogic Server |
7 | 1003333 | Application - Kerberos |
8 | 1003334 | Application - Samba |
9 | 1003338 | Application - mountd |
10 | 1003339 | Application - NFS |
11 | 1003357 | Application - vixie-cron |
12 | 1003359 | Application - Portmapper |
13 | 1003360 | Application - Network Information Server |
14 | 1003361 | Application - rstatd |
15 | 1003370 | Application - OpenSSL |
16 | 1003372 | Application - telnetd |
17 | 1003374 | Application - PHP |
18 | 1003375 | Application - Postfix |
19 | 1003381 | Application - Mailman |
20 | 1003385 | Application - Xorg-x / XFree86 / Xfree86 / Xorg-x11 |
21 | 1003386 | Application - VNC Server |
22 | 1003517 | Microsoft Windows - System driver files modified |
23 | 1007295 | Application - chrony |
24 | 1008271 | Application - Docker |
Please note: The rule 1002774 - Microsoft Windows - Microsoft html viewer dll file modified has been deleted as its functionality is covered by other rules.
Release Date: 2021-09-21
DSRU Version: 21-042
Changes: Batch 10 is the final update in the revamp. Modified rules in this batch have only had Name changes, except that 1003138 - Microsoft Windows - Active Directory and 1002776 - Microsoft Windows - Startup Programs Modified (ATT&CK T1112, T1060) have had their recommendation removed; the newly issued rules below provide the same functionality.
# | Identifier | Name | Old Name | Assigned by Recommendation Scan |
---|---|---|---|---|
1 | 1002860 | Microsoft Windows - SAM registry keys modified (ATT&CK T1098, T1136) | Microsoft Windows - SAM Domain Account Users Modified | Yes |
2 | 1006684 | TMTR-0015: Suspicious Service Detected (ATT&CK T1543.003) | TMTR-0015: Suspicious Service Detected | No |
3 | 1006691 | TMTR-0017: Microsoft Windows - SAM Domain Account Users Modification Detected (ATT&CK T1098, T1136) | TMTR-0017: Microsoft Windows - SAM Domain Account Users Modification Detected | No |
4 | 1006796 | TMTR-0007: Suspicious Files Detected In Application Directories (ATT&CK T1574.002) | TMTR-0007: Suspicious Files Detected In Application Directories | No |
5 | 1006798 | TMTR-0005: Suspicious Files Detected In Application Directories (ATT&CK T1562.001) | TMTR-0005: Suspicious Files Detected In Application Directories | No |
6 | 1006799 | TMTR-0014: Suspicious Service Detected (ATT&CK T1543.003) | TMTR-0014: Suspicious Service Detected | No |
7 | 1006800 | TMTR-0002: Suspicious Files Detected In Operating System Directories (ATT&CK T1053.005) | TMTR-0002: Suspicious Files Detected In Operating System Directories | No |
8 | 1007214 | TMTR-0019: Suspicious Files Detected In System Drivers Directory (ATT&CK T1014) | TMTR-0019: Suspicious Files Detected In System Drivers Directory | No |
9 | 1007218 | TMTR-0023: Suspicious Changes In NTLM Settings (ATT&CK T1547.005) | TMTR-0023: Suspicious Changes In NTLM Settings | No |
10 | 1011141 | Microsoft Windows - Windows file protection registry modified (ATT&CK T1546.008, T1112) | New rule | Yes |
11 | 1011142 | Microsoft Windows - Network services registries modified (ATT&CK T1574.001, T1547.001) | New rule | Yes |
12 | 1011144 | Microsoft Windows - AutoRun registries modified (ATT&CK T1547.001) | New rule | Yes |
13 | 1011145 | Microsoft Windows - Boot or Logon Autostart Execution registries modified (ATT&CK T1547.014, T1547.004) | New rule | Yes |
14 | 1011146 | Microsoft Windows - Autostart execution registries modified (ATT&CK T1547.001) | New rule | Yes |
15 | 1011148 | Microsoft Windows - Files in appdata startup folder modified (ATT&CK T1547.001) | New rule | Yes |
16 | 1011149 | Microsoft Windows - Files in programdata startup folder modified (ATT&CK T1547.001) | New rule | Yes |
17 | 1011150 | Microsoft Windows - Files in start menu directory modified (ATT&CK T1547.001) | New rule | Yes |
18 | 1011151 | Microsoft Windows - Active directory registry keys modified (ATT&CK T1112) | New rule | Yes |
19 | 1011152 | Microsoft Windows - Active directory files modified (ATT&CK T1552.006) | New rule | Yes |