security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
2c0e89ccc8584b59bee3ae4c8aabd2a9df87f8af
blue-team-tools/rules/windows/process_creation/win_shell_spawn_susp_program.yml
T

46 lines
1.2 KiB
YAML
Raw Normal View History

Converted Sysmon/1 and Security/4688 to generic process creation rules
2019-01-16 23:36:31 +01:00
title: Windows Shell Spawning Suspicious Program
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
id: 3a6586ad-127a-4d3b-a677-1e6eacdf8fde
Converted Sysmon/1 and Security/4688 to generic process creation rules
2019-01-16 23:36:31 +01:00
status: experimental
description: Detects a suspicious child process of a Windows shell
references:
Increased indentation to 4
2019-03-02 00:14:20 +01:00
- https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html
Converted Sysmon/1 and Security/4688 to generic process creation rules
2019-01-16 23:36:31 +01:00
author: Florian Roth
date: 2018/04/06
att&ck tags review: windows/process_creation part 5
2020-09-07 02:00:41 +04:00
modified: 2020/09/06
Added missing tags and some minor improvements
2019-03-05 23:25:49 +01:00
tags:
- attack.execution
- attack.defense_evasion
att&ck tags review: windows/process_creation part 5
2020-09-07 02:00:41 +04:00
- attack.t1064 # an old one
Initial round of subtechnique updates
2020-06-16 14:46:08 -06:00
- attack.t1059.005
- attack.t1059.001
att&ck tags review: windows/process_creation part 5
2020-09-07 02:00:41 +04:00
- attack.t1218
Converted Sysmon/1 and Security/4688 to generic process creation rules
2019-01-16 23:36:31 +01:00
logsource:
Increased indentation to 4
2019-03-02 00:14:20 +01:00
category: process_creation
product: windows
Converted Sysmon/1 and Security/4688 to generic process creation rules
2019-01-16 23:36:31 +01:00
detection:
Increased indentation to 4
2019-03-02 00:14:20 +01:00
selection:
Update win_shell_spawn_susp_program.yml
2020-10-15 18:25:59 -03:00
ParentImage|endswith:
- '\mshta.exe'
- '\powershell.exe'
fix: fixed false positive in suspicious shell spawn rule
2019-11-09 10:45:46 +01:00
# - '*\cmd.exe' # too many false positives
Update win_shell_spawn_susp_program.yml
2020-10-15 18:25:59 -03:00
- '\rundll32.exe'
- '\cscript.exe'
- '\wscript.exe'
- '\wmiprvse.exe'
Image|endswith:
- '\schtasks.exe'
- '\nslookup.exe'
- '\certutil.exe'
- '\bitsadmin.exe'
- '\mshta.exe'
Increased indentation to 4
2019-03-02 00:14:20 +01:00
falsepositives:
Remove additional backlash
2020-11-20 02:16:51 -03:00
CurrentDirectory|contains: '\ccmcache\'
Increased indentation to 4
2019-03-02 00:14:20 +01:00
condition: selection and not falsepositives
Converted Sysmon/1 and Security/4688 to generic process creation rules
2019-01-16 23:36:31 +01:00
fields:
Increased indentation to 4
2019-03-02 00:14:20 +01:00
- CommandLine
- ParentCommandLine
Converted Sysmon/1 and Security/4688 to generic process creation rules
2019-01-16 23:36:31 +01:00
falsepositives:
Increased indentation to 4
2019-03-02 00:14:20 +01:00
- Administrative scripts
- Microsoft SCCM
Converted Sysmon/1 and Security/4688 to generic process creation rules
2019-01-16 23:36:31 +01:00
level: high
Reference in New Issue Copy Permalink