Merge pull request #811 from svnscha/fix/field-TargetFileName-to-TargetFilename

All Rules use 'TargetFilename' instead of 'TargetFileName'.
Florian Roth
2020-06-03 10:48:05 +02:00
committed by GitHub
5 changed files with 6 additions and 6 deletions
+1 -1
@@ -104,7 +104,7 @@ logsource:
detection:
selection_file_creation:
EventID: 11
TargetFileName|contains:
TargetFilename|contains:
- '.dmp' # dump process memory
- 'Desktop\how' # Ransomware
- 'Desktop\decrypt' # Ransomware
@@ -5,7 +5,7 @@ description: Detects process reimaging defense evasion technique
# where
# selection1: ImageFileName != selection1: OriginalFileName
# selection1: ParentProcessGuid = selection2: ProcessGuid
# selection1: Image = selection2: TargetFileName
# selection1: Image = selection2: TargetFilename
# and new field ImageFileName is coming from enrichment
# selection1: Image = ^.+\\<ImageFileName>$
# Rule must trigger if selection1 and selection2 both occurs in timeframe of 120 sec.
@@ -45,4 +45,4 @@ detection:
EventID: 11
fields:
- ProcessGuid
- TargetFileName
- TargetFilename
@@ -29,5 +29,5 @@ logsource:
detection:
selection:
EventID: 11
TargetFileName|contains: '*\lsass.dmp'
TargetFilename|contains: '*\lsass.dmp'
condition: 1 of them
@@ -20,7 +20,7 @@ detection:
condition: selection
fields:
- ComputerName
- TargetFileName
- TargetFilename
falsepositives:
- Dumping lsass memory for forensic investigation purposes by legitimate incident responder or forensic invetigator
level: medium
@@ -11,7 +11,7 @@ detection:
selection:
EventID: 11
Image: '*\mstsc.exe'
TargetFileName: '*\Microsoft\Windows\Start Menu\Programs\Startup\\*'
TargetFilename: '*\Microsoft\Windows\Start Menu\Programs\Startup\\*'
condition: selection
falsepositives:
- unknown