headless_bee

t-contreras · t-contreras · commit 1f3fb62796b3 · 2025-02-24T12:08:52.000+01:00
diff --git a/detections/endpoint/any_powershell_downloadfile.yml b/detections/endpoint/any_powershell_downloadfile.yml
@@ -81,7 +81,6 @@ tags:
   - Phemedrone Stealer
   - Braodo Stealer
   - PXA Stealer
-  - Nexus APT Threat Activity
   - Data Destruction
   - Log4Shell CVE-2021-44228
   asset_type: Endpoint
diff --git a/detections/endpoint/detect_renamed_psexec.yml b/detections/endpoint/detect_renamed_psexec.yml
@@ -49,7 +49,6 @@ tags:
   - DarkGate Malware
   - Sandworm Tools
   - Rhysida Ransomware
-  - Nexus APT Threat Activity
   - Earth Estries
   - SamSam Ransomware
   asset_type: Endpoint
diff --git a/detections/endpoint/detect_renamed_winrar.yml b/detections/endpoint/detect_renamed_winrar.yml
@@ -41,7 +41,6 @@ tags:
   - China-Nexus Threat Activity
   - CISA AA22-277A
   - Collection and Staging
-  - Nexus APT Threat Activity
   - Earth Estries
   asset_type: Endpoint
   mitre_attack_id:
diff --git a/detections/endpoint/linux_auditd_file_permission_modification_via_chmod.yml b/detections/endpoint/linux_auditd_file_permission_modification_via_chmod.yml
@@ -64,7 +64,6 @@ tags:
   - Linux Privilege Escalation
   - Compromised Linux Host
   - Linux Living Off The Land
-  - Nexus APT Threat Activity
   - Earth Estries
   asset_type: Endpoint
   mitre_attack_id:
diff --git a/detections/endpoint/linux_auditd_nopasswd_entry_in_sudoers_file.yml b/detections/endpoint/linux_auditd_nopasswd_entry_in_sudoers_file.yml
@@ -61,7 +61,6 @@ tags:
   - Linux Persistence Techniques
   - Linux Privilege Escalation
   - Compromised Linux Host
-  - Nexus APT Threat Activity
   - Earth Estries
   asset_type: Endpoint
   mitre_attack_id:
diff --git a/detections/endpoint/linux_auditd_preload_hijack_library_calls.yml b/detections/endpoint/linux_auditd_preload_hijack_library_calls.yml
@@ -61,7 +61,6 @@ tags:
   - Linux Persistence Techniques
   - Linux Privilege Escalation
   - Compromised Linux Host
-  - Nexus APT Threat Activity
   - Earth Estries
   asset_type: Endpoint
   mitre_attack_id:
diff --git a/detections/endpoint/linux_common_process_for_elevation_control.yml b/detections/endpoint/linux_common_process_for_elevation_control.yml
@@ -48,7 +48,6 @@ tags:
   - Linux Persistence Techniques
   - Linux Privilege Escalation
   - Linux Living Off The Land
-  - Nexus APT Threat Activity
   - Earth Estries
   asset_type: Endpoint
   mitre_attack_id:
diff --git a/detections/endpoint/linux_file_creation_in_init_boot_directory.yml b/detections/endpoint/linux_file_creation_in_init_boot_directory.yml
@@ -54,7 +54,6 @@ tags:
   - Linux Persistence Techniques
   - XorDDos
   - Linux Privilege Escalation
-  - Nexus APT Threat Activity
   asset_type: Endpoint
   mitre_attack_id:
   - T1037.004
diff --git a/detections/endpoint/linux_iptables_firewall_modification.yml b/detections/endpoint/linux_iptables_firewall_modification.yml
@@ -70,7 +70,6 @@ tags:
   - Backdoor Pingpong
   - Cyclops Blink
   - Sandworm Tools
-  - Nexus APT Threat Activity
   asset_type: Endpoint
   mitre_attack_id:
   - T1562.004
diff --git a/detections/endpoint/linux_nopasswd_entry_in_sudoers_file.yml b/detections/endpoint/linux_nopasswd_entry_in_sudoers_file.yml
@@ -61,7 +61,6 @@ tags:
   - China-Nexus Threat Activity
   - Linux Persistence Techniques
   - Linux Privilege Escalation
-  - Nexus APT Threat Activity
   - Earth Estries
   asset_type: Endpoint
   mitre_attack_id:
diff --git a/detections/endpoint/linux_possible_access_to_sudoers_file.yml b/detections/endpoint/linux_possible_access_to_sudoers_file.yml
@@ -60,7 +60,6 @@ tags:
   - China-Nexus Threat Activity
   - Linux Persistence Techniques
   - Linux Privilege Escalation
-  - Nexus APT Threat Activity
   - Earth Estries
   asset_type: Endpoint
   mitre_attack_id:
diff --git a/detections/endpoint/linux_preload_hijack_library_calls.yml b/detections/endpoint/linux_preload_hijack_library_calls.yml
@@ -60,7 +60,6 @@ tags:
   - China-Nexus Threat Activity
   - Linux Persistence Techniques
   - Linux Privilege Escalation
-  - Nexus APT Threat Activity
   - Earth Estries
   asset_type: Endpoint
   mitre_attack_id:
diff --git a/detections/endpoint/linux_sudoers_tmp_file_creation.yml b/detections/endpoint/linux_sudoers_tmp_file_creation.yml
@@ -54,7 +54,6 @@ tags:
   - China-Nexus Threat Activity
   - Linux Persistence Techniques
   - Linux Privilege Escalation
-  - Nexus APT Threat Activity
   - Earth Estries
   asset_type: Endpoint
   mitre_attack_id:
diff --git a/detections/endpoint/malicious_powershell_process___execution_policy_bypass.yml b/detections/endpoint/malicious_powershell_process___execution_policy_bypass.yml
@@ -64,7 +64,6 @@ tags:
   - HAFNIUM Group
   - DHS Report TA18-074A
   - DarkCrystal RAT
-  - Nexus APT Threat Activity
   - AsyncRAT
   - Earth Estries
   - Volt Typhoon
diff --git a/detections/endpoint/powershell_4104_hunting.yml b/detections/endpoint/powershell_4104_hunting.yml
@@ -61,7 +61,6 @@ tags:
   analytic_story:
   - China-Nexus Threat Activity
   - CISA AA24-241A
-  - Nexus APT Threat Activity
   - Malicious PowerShell
   - Flax Typhoon
   - CISA AA23-347A
diff --git a/detections/endpoint/remote_process_instantiation_via_wmi.yml b/detections/endpoint/remote_process_instantiation_via_wmi.yml
@@ -70,7 +70,6 @@ tags:
   - Active Directory Lateral Movement
   - CISA AA23-347A
   - Suspicious WMI Use
-  - Nexus APT Threat Activity
   - Earth Estries
   asset_type: Endpoint
   mitre_attack_id:
diff --git a/detections/endpoint/scheduled_task_deleted_or_created_via_cmd.yml b/detections/endpoint/scheduled_task_deleted_or_created_via_cmd.yml
@@ -77,7 +77,6 @@ tags:
   - DarkCrystal RAT
   - Sandworm Tools
   - Living Off The Land
-  - Nexus APT Threat Activity
   - AsyncRAT
   - Scheduled Tasks
   - AgentTesla
diff --git a/detections/endpoint/suspicious_regsvr32_register_suspicious_path.yml b/detections/endpoint/suspicious_regsvr32_register_suspicious_path.yml
@@ -78,7 +78,6 @@ tags:
   - Qakbot
   - Derusbi
   - Living Off The Land
-  - Nexus APT Threat Activity
   - Earth Estries
   - Suspicious Regsvr32 Activity
   asset_type: Endpoint
diff --git a/detections/endpoint/suspicious_scheduled_task_from_public_directory.yml b/detections/endpoint/suspicious_scheduled_task_from_public_directory.yml
@@ -74,7 +74,6 @@ tags:
   - CISA AA23-347A
   - Windows Persistence Techniques
   - Living Off The Land
-  - Nexus APT Threat Activity
   - Azorult
   - Ryuk Ransomware
   - Scheduled Tasks
diff --git a/detections/endpoint/windows_archive_collected_data_via_rar.yml b/detections/endpoint/windows_archive_collected_data_via_rar.yml
@@ -64,7 +64,6 @@ tags:
   - DarkGate Malware
   - China-Nexus Threat Activity
   - Earth Estries
-  - Nexus APT Threat Activity
   asset_type: Endpoint
   mitre_attack_id:
   - T1560.001
diff --git a/detections/endpoint/windows_credential_access_from_browser_password_store.yml b/detections/endpoint/windows_credential_access_from_browser_password_store.yml
@@ -1,7 +1,7 @@
 name: Windows Credential Access From Browser Password Store
 id: 72013a8e-5cea-408a-9d51-5585386b4d69
-version: '7'
-date: '2025-02-07'
+version: '8'
+date: '2025-02-24'
 author: Teoderick Contreras, Bhavin Patel Splunk
 data_source:
 - Windows Event Log Security 4663
@@ -66,7 +66,7 @@ tags:
   - Snake Keylogger
   - Meduza Stealer
   - PXA Stealer
-  - Nexus APT Threat Activity
+  - China-Nexus Threat Activity
   - Earth Estries
   asset_type: Endpoint
   mitre_attack_id:
diff --git a/detections/endpoint/windows_curl_download_to_suspicious_path.yml b/detections/endpoint/windows_curl_download_to_suspicious_path.yml
@@ -73,7 +73,6 @@ tags:
   - Ingress Tool Transfer
   - China-Nexus Threat Activity
   - IcedID
-  - Nexus APT Threat Activity
   - Forest Blizzard
   - Earth Estries
   - Compromised Windows Host
diff --git a/detections/endpoint/windows_replication_through_removable_media.yml b/detections/endpoint/windows_replication_through_removable_media.yml
@@ -65,7 +65,6 @@ tags:
   - Chaos Ransomware
   - Derusbi
   - PlugX
-  - Nexus APT Threat Activity
   - Earth Estries
   asset_type: Endpoint
   mitre_attack_id:
diff --git a/detections/endpoint/windows_service_created_with_suspicious_service_path.yml b/detections/endpoint/windows_service_created_with_suspicious_service_path.yml
@@ -1,7 +1,7 @@
 name: Windows Service Created with Suspicious Service Path
 id: 429141be-8311-11eb-adb6-acde48001122
-version: 12
-date: '2025-02-10'
+version: 13
+date: '2025-02-24'
 author: Teoderick Contreras, Mauricio Velazco, Splunk
 status: production
 type: TTP
@@ -62,7 +62,7 @@ tags:
   - Crypto Stealer
   - Active Directory Lateral Movement
   - Derusbi
-  - Nexus APT Threat Activity
+  - China-Nexus Threat Activity
   - Snake Malware
   - Clop Ransomware
   - Earth Estries
diff --git a/detections/endpoint/windows_unsigned_dll_side_loading.yml b/detections/endpoint/windows_unsigned_dll_side_loading.yml
@@ -55,7 +55,6 @@ tags:
   - NjRAT
   - China-Nexus Threat Activity
   - Derusbi
-  - Nexus APT Threat Activity
   - Earth Estries
   asset_type: Endpoint
   mitre_attack_id:
diff --git a/detections/endpoint/winevent_scheduled_task_created_to_spawn_shell.yml b/detections/endpoint/winevent_scheduled_task_created_to_spawn_shell.yml
@@ -60,7 +60,6 @@ tags:
   - Compromised Windows Host
   - Ransomware
   - Windows Persistence Techniques
-  - Nexus APT Threat Activity
   - Ryuk Ransomware
   - Scheduled Tasks
   - Earth Estries
diff --git a/detections/network/detect_large_outbound_icmp_packets.yml b/detections/network/detect_large_outbound_icmp_packets.yml
@@ -69,7 +69,6 @@ tags:
   - Command And Control
   - China-Nexus Threat Activity
   - Backdoor Pingpong
-  - Nexus APT Threat Activity
   asset_type: Endpoint
   mitre_attack_id:
   - T1095
