Rule Document 1:64537

Rule Groups

MITRE::ATT&CK Framework::Enterprise::Execution::User Execution::Malicious File

An adversary may rely upon a user opening a malicious file in order to gain execution. Users may be subjected to social engineering to get them to open a file that will lead to code execution. This user action will typically be observed as follow-on behavior from Spearphishing Attachment. Adversaries may use several types of files that require a user to execute them, including .doc, .pdf, .xls, .rtf, .scr, .exe, .lnk, .pif, and .cpl.

T1204.002

Rule Categories::Operating Systems::Windows

Rules for detecting attacks against the Windows operating system

Rule Categories::Server::Web Applications

Rules for detecting attacks against miscellaneous Web applications

MITRE::ATT&CK Framework::Enterprise::Initial Access::Exploit Public-Facing Application

Adversaries may attempt to take advantage of a weakness in an Internet-facing computer or program using software, data, or commands in order to cause unintended or unanticipated behavior. The weakness in the system can be a bug, a glitch, or a design vulnerability. These applications are often websites, but can include databases (like SQL), standard services (like SMB or SSH), network device administration and management protocols (like SNMP and Smart Install), and any other applications with Internet accessible open sockets, such as web servers and related services.

T1190

Vulnerability::Severity::High

Rules that cover vulnerabilities that have CVSS scores of 7.0-9.9 (CVSS V2.0) or 7.0-8.9 (CVSS V3.0 ).

Vulnerability::Severity::Critical

Rules that cover vulnerabilities that have CVSS scores of 10 (CVSS V2.0) or 9.0-10.0 (CVSS V3.0 ).