From 0dd089db47e4f7a86f3573a481a67eabb2a234de Mon Sep 17 00:00:00 2001
From: ecco
Date: Mon, 18 May 2020 20:29:53 -0400
Subject: [PATCH] various rules cleaning

---
 ...sysmon_susp_office_dotnet_assembly_dll_load.yml | 10 +++++-----
 .../sysmon_susp_office_dotnet_gac_dll_load.yml | 10 +++++-----
 .../sysmon_susp_office_kerberos_dll_load.yml | 10 +++++-----
 .../sysmon/sysmon_susp_winword_vbadll_load.yml | 14 +++++++-------
 .../sysmon_svchost_dll_search_order_hijack.yml | 5 +----
 5 files changed, 23 insertions(+), 26 deletions(-)

diff --git a/rules/windows/sysmon/sysmon_susp_office_dotnet_assembly_dll_load.yml b/rules/windows/sysmon/sysmon_susp_office_dotnet_assembly_dll_load.yml
index 6017a7162..1c63a4c5a 100644
--- a/rules/windows/sysmon/sysmon_susp_office_dotnet_assembly_dll_load.yml
+++ b/rules/windows/sysmon/sysmon_susp_office_dotnet_assembly_dll_load.yml
@@ -16,12 +16,12 @@ detection:
 selection:
 EventID: 7
 Image:
- - '*\winword.exe*'
- - '*\powerpnt.exe*'
- - '*\excel.exe*'
- - '*\outlook.exe*'
+ - '*\winword.exe'
+ - '*\powerpnt.exe'
+ - '*\excel.exe'
+ - '*\outlook.exe'
 ImageLoaded:
- - '*C:\Windows\assembly\*'
+ - 'C:\Windows\assembly\*'
 condition: selection
 falsepositives:
 - Alerts on legitimate macro usage as well, will need to filter as appropriate
diff --git a/rules/windows/sysmon/sysmon_susp_office_dotnet_gac_dll_load.yml b/rules/windows/sysmon/sysmon_susp_office_dotnet_gac_dll_load.yml
index a0f3ddae2..354d7e8a4 100644
--- a/rules/windows/sysmon/sysmon_susp_office_dotnet_gac_dll_load.yml
+++ b/rules/windows/sysmon/sysmon_susp_office_dotnet_gac_dll_load.yml
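Review bot: Removing the leading `*` from `'C:\Windows\assembly\*'` anchors the `ImageLoaded` match to the `C:` drive, so assembly loads from a Windows installation on any other drive letter no longer match; the same applies to `'C:\Windows\Microsoft.NET\assembly\GAC_MSIL*'` in the dotnet_gac hunk. If the aim is only to stop matching arbitrary text before the path, `'*\Windows\assembly\*'` keeps the directory anchored while staying drive-independent, consistent with the `'*\winword.exe'`-style patterns used for `Image` in the same selection. The `Image` tightening to the bare executable name is correct for a full-path field and is not affected by this point.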
@@ -16,12 +16,12 @@ detection:
 selection:
 EventID: 7
 Image:
- - '*\winword.exe*'
- - '*\powerpnt.exe*'
- - '*\excel.exe*'
- - '*\outlook.exe*'
+ - '*\winword.exe'
+ - '*\powerpnt.exe'
+ - '*\excel.exe'
+ - '*\outlook.exe'
 ImageLoaded:
- - '*C:\Windows\Microsoft.NET\assembly\GAC_MSIL*'
+ - 'C:\Windows\Microsoft.NET\assembly\GAC_MSIL*'
 condition: selection
 falsepositives:
 - Alerts on legitimate macro usage as well, will need to filter as appropriate
diff --git a/rules/windows/sysmon/sysmon_susp_office_kerberos_dll_load.yml b/rules/windows/sysmon/sysmon_susp_office_kerberos_dll_load.yml
index 86aedc7e2..77aaf3262 100644
--- a/rules/windows/sysmon/sysmon_susp_office_kerberos_dll_load.yml
+++ b/rules/windows/sysmon/sysmon_susp_office_kerberos_dll_load.yml
@@ -16,12 +16,12 @@ detection:
 selection:
 EventID: 7
 Image:
- - '*\winword.exe*'
- - '*\powerpnt.exe*'
- - '*\excel.exe*'
- - '*\outlook.exe*'
+ - '*\winword.exe'
+ - '*\powerpnt.exe'
+ - '*\excel.exe'
+ - '*\outlook.exe'
 ImageLoaded:
- - '*\kerberos.dll*'
+ - '*\kerberos.dll'
 condition: selection
 falsepositives:
 - Alerts on legitimate macro usage as well, will need to filter as appropriate
diff --git a/rules/windows/sysmon/sysmon_susp_winword_vbadll_load.yml b/rules/windows/sysmon/sysmon_susp_winword_vbadll_load.yml
index b371692e1..c792c8c21 100644
--- a/rules/windows/sysmon/sysmon_susp_winword_vbadll_load.yml
+++ b/rules/windows/sysmon/sysmon_susp_winword_vbadll_load.yml
@@ -16,14 +16,14 @@ detection:
 selection:
 EventID: 7
 Image:
- - '*\winword.exe*'
- - '*\powerpnt.exe*'
- - '*\excel.exe*'
- - '*\outlook.exe*'
+ - '*\winword.exe'
+ - '*\powerpnt.exe'
+ - '*\excel.exe'
+ - '*\outlook.exe'
 ImageLoaded:
- - '*\VBE7.DLL*'
- - '*\VBEUI.DLL*'
- - '*\VBE7INTL.DLL*'
+ - '*\VBE7.DLL'
+ - '*\VBEUI.DLL'
+ - '*\VBE7INTL.DLL'
 condition: selection
 falsepositives:
 - Alerts on legitimate macro usage as well, will need to filter as appropriate
diff --git a/rules/windows/sysmon/sysmon_svchost_dll_search_order_hijack.yml b/rules/windows/sysmon/sysmon_svchost_dll_search_order_hijack.yml
index ef3fc978e..9dbbf96a8 100644
--- a/rules/windows/sysmon/sysmon_svchost_dll_search_order_hijack.yml
+++ b/rules/windows/sysmon/sysmon_svchost_dll_search_order_hijack.yml
@@ -27,12 +27,9 @@ detection:
 - '*\tsvipsrv.dll'
 - '*\wlbsctrl.dll'
 filter:
- EventID: 7
- Image:
- - '*\svchost.exe'
 ImageLoaded:
 - 'C:\Windows\WinSxS\*'
 condition: selection and not filter
 falsepositives:
 - Pentest
-level: high
\ No newline at end of file
+level: high
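Review bot: With `EventID: 7` and `Image: '*\svchost.exe'` dropped from `filter`, the `selection and not filter` condition is equivalent to the previous one only if `selection` still pins both of those fields, and `selection` begins above this hunk so that cannot be confirmed from the visible lines. The remaining exclusion `'C:\Windows\WinSxS\*'` is anchored to `C:`, so on a host whose Windows directory sits on another drive letter the filter never applies and every legitimate side-by-side load from WinSxS would alert; whether to widen it is a trade-off, since a broader exclusion also broadens what the rule will not see. A one-line comment above `filter:` would make the dependency explicit, e.g. `# filter only narrows selection; process and event scoping come from selection`.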