While reading the playbook page for Remote SCM handle failures, I noticed that while every SQL query on the page is filtering out SubjectLogonID 0x3e4, the Sigma rules appear to be inverted to only show results where SubjectLogonID=0x3e4, which from my understanding of the article seems to be backwards.

Both referenced Sigma rules are written this way: https://github.com/OTRF/ThreatHunter-Playbook/blob/master/signatures/sigma/win_scm_database_privileged_operation.yml
and https://github.com/OTRF/ThreatHunter-Playbook/blob/master/signatures/sigma/win_scm_database_handle_failure.yml

Relevant snippet:

detection:
    selection: 
        EventID: 4674
        ObjectType: 'SC_MANAGER OBJECT'
        ObjectName: 'servicesactive'
        PrivilegeList: 'SeTakeOwnershipPrivilege'
        SubjectLogonId: "0x3e4"
    condition: selection

Possible change:

detection:
    selection: 
        EventID: 4674
        ObjectType: 'SC_MANAGER OBJECT'
        ObjectName: 'servicesactive'
        PrivilegeList: 'SeTakeOwnershipPrivilege'
    filter:
        SubjectLogonId: "0x3e4"
    condition: selection and not filter

T0000_wmimplant.xml has the following rule which is not supported:
<Details condition="is">Win32_OSRecoveryConfiguration</Details>

Due to a design flaw in the Sysmon 3.40 schema, the Details element is not supported. A viable replacement for this rule would be the following:
<TargetObject condition="contains">SYSTEM\CurrentControlSet\Control\CrashControl</TargetObject>

Hey Roberto,

thanks for all the references!
The page mentioned above references this file, but the link is dead.

The sentence in question is "Translate useful fields to a YAML file as shown here."

Furthermore, in the section References, there is an ) too much.

Thanks again!
Matthias

executablebooks/MyST-Parser#430

It would be good to have an idea of what fields and events are used the most for all analytics in the project.

Modification of query to exclude Azure sync via Azure AD Connect in hybrid environment.

Current: GPLv3
Proposed: MIT

Collaboration of the project is expanding and GPLv3 is not compatible with other ones that make it easier to collaborate.

Badge:

Man in the Browser technique is missing from the Windows Collection Tactic column in the map. See link form ore details.

https://attack.mitre.org/wiki/Technique/T1185

So I've been examining this hunt/detection and I have attempted to recreate the conditions for this hunt and while doing so I have encountered a possible incorrect logic presented in this hunt.
I may be wrong and if so I'd be happy to learn how to get the desired result.

TL: DR;
1.ParentImage OR ParentProcessName are not the Accessibility program (as suggested in the hunt), but rather the process "winlogon.exe"
2.ParentProcessName is not a field that exists in the event 4688 - "Creator Process Name" is, and only exists since Win10 according to this:
https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4688

What I used:

• Windows Server 2012 R2
• Advanced Event log auditing policy (where every category and subcategory are configured to be logged)
• Sysmon-modular configs - https://github.com/olafhartong/sysmon-modular

The scenario is this:
I used IFEO to set cmd.exe as a debugger to sethc.exe, then, I used the Sticky-Keys, and other methods to invoke sethc.exe and while reviewing the logs (both Evt and Sysmon) none of them contains the had sethc.exe as a parent of cmd.exe

In addition, if those accessibility features do have a debugger set to them, The analytic proposed shouldn't work since it won't execute the accessibility program.

Am I missing something?
If you need additional details I'd be happy to provide,
looking forward to your answer,
Sahar.

Hi, just want to say I am not familiar with jupyter noebook so this is more of a question than an issue at this point. Dockerfile build was successful without errors, looks like the default is to 8888. Able to connect fine, but it just looks like a blank jupyter instance. Am I missing something, I was expecting notebooks etc to all be populated, not sure what to expect. Is there more getting started documentation?

Mordor -> Security Datasets mapping

• Mordor project was re-branded as Security Datasets
• We point from THP to SD in the "test_data" section
• We need to update all the links with the right paths.

In the Local private data objects paragraph, there are some mismatched double quotes that have put everything in italic and attached together.

Cyb3rWard0g, how can I contact you directly regarding this project?

The URL for Decompress Dataset is incorrect, had to use the following instead.
https://github.com/OTRF/Security-Datasets/raw/master/datasets/compound/apt29/day1/apt29_evals_day1_manual.zip

Btw, great work to you and the team. Standby for heavy use of OTRF tools in upcoming revision of Gray Hat Hacking book, in Jan.

In the Documentation there is a link for the standardize event fields and combine them with data dictionaries.

Here the original text:
We could easily standardize its event fields and combine them with data dictionaries as shown in here by the OSSEM project.

The Link behind "here" doesn't work anymore:
https://github.com/hunters-forge/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-1.md#data-dictionary

I believe there could be an additional item which might be easier (with potentially less noise) for bypass_whitelisting_msbuild.md.

I am thinking of Sysmon Event ID =3 with Image=msbuild.exe. My environment contains a significant amount of Event ID =1 since we work in a development environment.

Link for T1075_mimikatz_inmem_pth.xml is not working.

Python is a type infer language, which means we don't have to specify the type of variable in Python. Let's see how to assign a variable in python.

For more

https://techwithpie.blogspot.com/2021/08/Pythonvariables.html

You may add this link in your article. This will increase user experience.

Hi CyberWard0g,

I found a typo in the T1117_regsvr32.xml rule

Line 7 C:\Windows\System\32\regsvr32.exe

should read

C:\Windows\System32\regsvr32.exe

Superb resources, HELK and ThreatHunter-Playbook, many thanks for sharing

Dave

This resource URL is returning 404 not found: https://sqrrl.com/media/Common-Techniques-for-Hunting.pdf

Several rules were created here and contributed to the Sigma project. Initially the idea was to keep the rules in this repo and at the same time contribute them to Sigma. However, we never got around to update the links to the sigma project.

Example:

• Playbook: https://threathunterplaybook.com/notebooks/windows/04_privilege_escalation/WIN-200902020333.html
• Local Sigma rule: https://github.com/OTRF/ThreatHunter-Playbook/blob/master/signatures/sigma/win_scrcons_remote_wmi_scripteventconsumer.yml
• Sigma Rule: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/security/win_scrcons_remote_wmi_scripteventconsumer.yml

MordorUtils function 'registerMordorSQLTableis still not updated toregisterSDSQLTable`

sd_file = "https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/credential_access/host/empire_dcsync_dcerpc_drsuapi_DsGetNCChanges.zip"
registerSDSQLTable(spark, sd_file, "sdTable")

Docs link: https://threathunterplaybook.com/introduction.html

Needs to be moved to the top of the README so that it is accessible right away without scrolling through the README.

There are many ProcessCreate closing tags that have a "]" in them - e.g. T0000_bitsadmin.xml

SwiftOnSecurity/sysmon-config#27

OSSEM is not organized by:

• OSSEM Data Dictionaries (DD)
• OSSEM Common Data Model (CDM)
• OSSEM Detection Model (DM)

The Threat Hunter Playbook is pointing to the OSSEM project only. We need to update the links to the respective GitHub sub-modules.

#29

Can you still upload the file > https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/blob/master/metrics/HuntTeam_HeatMap.xlsx

I still prefer this precious gem over the convoluted current Mitre ATT&CK version. Thanks.

The TargetFileName element should be TargetFilename. Changing it will allow sysmon.exe to consume the config.