Merge pull request #1474 from frack113/Check_category

Check category
This commit is contained in:
Florian Roth
2021-05-14 08:58:46 +02:00
committed by GitHub
7 changed files with 14 additions and 8 deletions
+2 -1
@@ -5,6 +5,7 @@ description: Detects the use of Moriya rootkit as described in the securelist's
status: experimental
author: Bhabesh Raj
date: 2021/05/06
modified: 2021/05/12
level: critical
falsepositives:
- None
@@ -26,7 +27,7 @@ detection:
---
logsource:
product: windows
service: file_event
category: file_event
detection:
selection:
TargetFilename: 'C:\Windows\System32\drivers\MoriyaStreamWatchmen.sys'
@@ -3,6 +3,7 @@ id: fe6e002f-f244-4278-9263-20e4b593827f
description: Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe
status: experimental
date: 2019/09/12
modified: 2021/05/12
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
tags:
- attack.execution
@@ -11,7 +12,7 @@ references:
- https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190815181010.html
logsource:
product: windows
service: image_load
category: image_load
detection:
selection:
Description: 'system.management.automation'
@@ -3,6 +3,7 @@ id: cbb56d62-4060-40f7-9466-d8aaf3123f83
description: Detects the image load of Python Core indicative of a Python script bundled with Py2Exe.
status: experimental
date: 2020/05/03
modified: 2021/05/12
author: Patrick St. John, OTR (Open Threat Research)
tags:
- attack.defense_evasion
@@ -12,7 +13,7 @@ references:
- https://unit42.paloaltonetworks.com/unit-42-technical-analysis-seaduke/
logsource:
product: windows
service: image_load
category: image_load
detection:
selection:
Description: 'Python Core'
@@ -8,7 +8,7 @@ references:
- https://thedfirreport.com/2020/05/08/adfind-recon/
author: FPT.EagleEye Team, omkar72, oscd.community
date: 2020/09/26
modified: 2020/10/11
modified: 2021/05/12
tags:
- attack.discovery
- attack.t1018
@@ -17,7 +17,7 @@ tags:
- attack.t1069.002
logsource:
product: windows
service: process_creation
category: process_creation
detection:
selection:
CommandLine|contains:
@@ -6,6 +6,7 @@ references:
- https://dtm.uk/wuauclt/
author: FPT.EagleEye Team
date: 2020/10/17
modified: 2021/05/12
tags:
- attack.command_and_control
- attack.execution
@@ -13,7 +14,7 @@ tags:
- attack.t1218
logsource:
product: windows
service: process_creation
category: process_creation
detection:
selection:
ProcessCommandLine|contains|all:
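Review bot: With the logsource now declared as `category: process_creation`, the selection at the end of this hunk still keys on `ProcessCommandLine|contains|all:`, whereas the other process_creation rule in this change uses the standard `CommandLine|contains:`. If the backend field mapping is resolved per category, `ProcessCommandLine` is likely to be left unmapped and this rule would silently stop matching; consider changing it to `CommandLine|contains|all:`. The selection body continues outside the hunk, so any further fields it uses should get the same check.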
@@ -3,6 +3,7 @@ id: 460479f3-80b7-42da-9c43-2cc1d54dbccd
description: Sysmon registry detection of a local hidden user account.
status: experimental
date: 2021/05/03
modified: 2021/05/12
author: Christian Burkard
tags:
- attack.persistence
@@ -11,7 +12,7 @@ references:
- https://twitter.com/SBousseaden/status/1387530414185664538
logsource:
product: windows
service: registry_event
category: registry_event
detection:
selection:
TargetObject|startswith: 'HKLM\SAM\SAM\Domains\Account\Users\Names\'
@@ -3,6 +3,7 @@ id: 9841b233-8df8-4ad7-9133-b0b4402a9014
description: A General detection to trigger for the creation or modification of .*\Software\Sysinternals\SDelete registry keys. Indicators of the use of Sysinternals SDelete tool.
status: experimental
date: 2020/05/02
modified: 2021/05/12
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
tags:
- attack.defense_evasion
@@ -12,7 +13,7 @@ references:
- https://threathunterplaybook.com/evals/apt29/detections/4.B.2_59A9AC92-124D-4C4B-A6BF-3121C98677C3.html
logsource:
product: windows
service: registry_event
category: registry_event
detection:
selection:
TargetObject|contains: '\Software\Sysinternals\SDelete'