security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge pull request #2005 from frack113/tags_end

Browse Source 
Add  missing tags to rule
This commit is contained in:
frack113
2021-09-09 15:04:26 +02:00
committed by GitHub
parent e8b633f54f 8eb527d042
commit 217be6cd8a
12 changed files with 37 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/windows/process_creation/process_mailboxexport_share.yml
+3
View File
@@ -24,3 +24,6 @@ level: critical
fields:
- CommandLine
- ParentCommandLine
tags:
- attack.collection
- attack.t1114
rules/windows/process_creation/win_apt_hafnium.yml
+4
View File
@@ -70,3 +70,7 @@ detection:
falsepositives:
- Unknown
level: high
tags:
- attack.persistence
- attack.t1546
- attack.t1053
rules/windows/process_creation/win_malware_conti_7zip.yml
+3
View File
@@ -19,3 +19,6 @@ detection:
falsepositives:
- Unknown
level: high
tags:
- attack.collection
- attack.t1560
rules/windows/process_creation/win_malware_formbook.yml
+3
View File
@@ -49,3 +49,6 @@ fields:
falsepositives:
- Unknown
level: critical
tags:
- attack.develop_capabilities
- attack.t1587.001
rules/windows/process_creation/win_reg_add_run_key.yml
+3
View File
@@ -20,3 +20,6 @@ detection:
falsepositives:
- Unknown
level: medium
tags:
- attack.persistence
- attack.t1547.001
rules/windows/process_creation/win_susp_psexex_paexec_flags.yml
+3
View File
@@ -32,3 +32,6 @@ falsepositives:
- Weird admins that rename their tools
- Software companies that bundle PsExec/PAExec with their software and rename it, so that it is less embarrassing
level: high
tags:
- attack.develop_capabilities
- attack.t1587.001
rules/windows/process_creation/win_susp_renamed_debugview.yml
+3
View File
@@ -21,3 +21,6 @@ detection:
falsepositives:
- Unknown
level: high
tags:
- attack.lateral_movement
- attack.discovery
rules/windows/process_creation/win_susp_renamed_paexec.yml
+3
View File
@@ -24,3 +24,6 @@ falsepositives:
- Weird admins that rename their tools
- Software companies that bundle PAExec with their software and rename it, so that it is less embarrassing
level: high
tags:
- attack.defense_evasion
- attack.t1202
rules/windows/process_creation/win_susp_rundll32_no_params.yml
+3
View File
@@ -25,3 +25,6 @@ fields:
falsepositives:
- Possible but rare
level: high
tags:
- attack.defense_evasion
- attack.t1202
rules/windows/process_creation/win_susp_service_dir.yml
+3
View File
@@ -30,3 +30,6 @@ detection:
falsepositives:
- Unknown
level: high
tags:
- attack.defense_evasion
- attack.t1202
rules/windows/process_creation/win_susp_splwow64.yml
+3
View File
@@ -18,3 +18,6 @@ detection:
falsepositives:
- Unknown
level: high
tags:
- attack.defense_evasion
- attack.t1202
rules/windows/process_creation/win_susp_vbscript_unc2452.yml
+3
View File
@@ -24,3 +24,6 @@ detection:
falsepositives:
- Unknown
level: high
tags:
- attack.persistence
- attack.t1547.001