From 307ecf56940220193ef97e46137ee54ef8f2f93e Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Thu, 2 Feb 2023 19:40:01 +0100
Subject: [PATCH] fix: typos in titles and descriptions of rules

Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
---
 .../win_security_susp_outbound_kerberos_connection.yml | 2 ++
 .../proc_creation_win_net_groups_and_accounts_recon.yml | 2 +-
 .../proc_creation_win_net_share_and_sessions_enum.yml | 4 ++--
 .../process_creation/proc_creation_win_net_start_service.yml | 2 +-
 rules/windows/process_creation/proc_creation_win_nimgrab.yml | 2 +-
 .../registry_set/registry_set_terminal_server_suspicious.yml | 4 ++--
 .../registry_set/registry_set_terminal_server_tampering.yml | 2 +-
 7 files changed, 10 insertions(+), 8 deletions(-)

diff --git a/rules/windows/builtin/security/win_security_susp_outbound_kerberos_connection.yml b/rules/windows/builtin/security/win_security_susp_outbound_kerberos_connection.yml
index 400077e7e..d5d019a1c 100644
--- a/rules/windows/builtin/security/win_security_susp_outbound_kerberos_connection.yml
+++ b/rules/windows/builtin/security/win_security_susp_outbound_kerberos_connection.yml
@@ -24,7 +24,9 @@ detection:
 Application:
 - 'C:\Windows\System32\lsass.exe'
 - 'C:\Program Files\Google\Chrome\Application\chrome.exe'
+ - 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe'
 - 'C:\Program Files\Mozilla Firefox\firefox.exe'
+ - 'C:\Program Files (x86)\Mozilla Firefox\firefox.exe'
 #filter_browsers:
 #Application|endswith:
 # - '\opera.exe'
diff --git a/rules/windows/process_creation/proc_creation_win_net_groups_and_accounts_recon.yml b/rules/windows/process_creation/proc_creation_win_net_groups_and_accounts_recon.yml
index f76664b5c..f370c1458 100644
--- a/rules/windows/process_creation/proc_creation_win_net_groups_and_accounts_recon.yml
+++ b/rules/windows/process_creation/proc_creation_win_net_groups_and_accounts_recon.yml
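Review bot: The added `C:\Program Files (x86)\...` entries, like the existing ones in this filter, are exact `C:\`-rooted paths, but the `Application` field of Security event 5156 is commonly logged as an NT device path (`\device\harddiskvolumeN\...`); unless the ingestion pipeline normalizes it to a drive letter, none of these entries will match and the filter is effectively dead. Worth confirming against a sample 5156 event from the target pipeline before relying on the new entries, and recording the assumption in the rule, e.g. `# Note: assumes Application has been normalized to a drive-letter path; raw 5156 events use \device\harddiskvolumeN\...`. Keeping full paths rather than the commented-out `Application|endswith` variant is the right call, since an `endswith` filter would let any binary renamed to chrome.exe suppress the alert. The list still omits per-user Chrome installs under `%LOCALAPPDATA%`, which will continue to alert; whether that is acceptable noise is a tuning decision rather than a defect. The enclosing `detection:` block starts and ends outside the hunk.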
@@ -1,4 +1,4 @@
-title: Suspicious Groups And Accounts Reconnaissance Activity Using Net.EXE
+title: Suspicious Group And Account Reconnaissance Activity Using Net.EXE
 id: d95de845-b83c-4a9a-8a6a-4fc802ebf6c0
 status: experimental
 description: Detects suspicious reconnaissance command line activity on Windows systems using Net.EXE
diff --git a/rules/windows/process_creation/proc_creation_win_net_share_and_sessions_enum.yml b/rules/windows/process_creation/proc_creation_win_net_share_and_sessions_enum.yml
index 79cee598f..7935e83cb 100644
--- a/rules/windows/process_creation/proc_creation_win_net_share_and_sessions_enum.yml
+++ b/rules/windows/process_creation/proc_creation_win_net_share_and_sessions_enum.yml
@@ -1,7 +1,7 @@
-title: Shares And Sessions Enumeration Using Net.EXE
+title: Share And Session Enumeration Using Net.EXE
 id: 62510e69-616b-4078-b371-847da438cc03
 status: stable
-description: Detects attempts to enumerate file Shares, printer shares and sessions using "net.exe" with the "view" flag.
+description: Detects attempts to enumerate file shares, printer shares and sessions using "net.exe" with the "view" flag.
 references:
 - https://eqllib.readthedocs.io/en/latest/analytics/b8a94d2f-dc75-4630-9d73-1edc6bd26fff.html
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md
diff --git a/rules/windows/process_creation/proc_creation_win_net_start_service.yml b/rules/windows/process_creation/proc_creation_win_net_start_service.yml
index 272d215ed..1b53f8c2c 100644
--- a/rules/windows/process_creation/proc_creation_win_net_start_service.yml
+++ b/rules/windows/process_creation/proc_creation_win_net_start_service.yml
@@ -1,7 +1,7 @@
 title: Services Started Via Net.EXE
 id: 2a072a96-a086-49fa-bcb5-15cc5a619093
 status: test
-description: Detects usage of the "net.exe" command to start a service using the "start" flag
+description: Detects the usage of the "net.exe" command to start a service using the "start" flag
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1569.002/T1569.002.md
 author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community
diff --git a/rules/windows/process_creation/proc_creation_win_nimgrab.yml b/rules/windows/process_creation/proc_creation_win_nimgrab.yml
index e67d52d42..13eb68842 100644
--- a/rules/windows/process_creation/proc_creation_win_nimgrab.yml
+++ b/rules/windows/process_creation/proc_creation_win_nimgrab.yml
@@ -1,7 +1,7 @@
 title: File Downloaded Using Nimgrab
 id: 74a12f18-505c-4114-8d0b-8448dd5485c6
 status: experimental
-description: Detects usage of nimgrab, a tool bundled with the Nim programming framework, used for downloading files.
+description: Detects the usage of nimgrab, a tool bundled with the Nim programming framework and used for downloading files.
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/28d190330fe44de6ff4767fc400cc10fa7cd6540/atomics/T1105/T1105.md
 author: frack113
diff --git a/rules/windows/registry/registry_set/registry_set_terminal_server_suspicious.yml b/rules/windows/registry/registry_set/registry_set_terminal_server_suspicious.yml
index ab96b5eb0..451e5b37c 100644
--- a/rules/windows/registry/registry_set/registry_set_terminal_server_suspicious.yml
+++ b/rules/windows/registry/registry_set/registry_set_terminal_server_suspicious.yml
@@ -5,8 +5,8 @@ related:
 type: similar
 status: test
 description: |
- Detects tampering to RDP Terminal Service/Server sensitive settings.
- Such as allowing unauthorized users access to a system via the 'fAllowUnsolicited' or enabling RDP via 'fDenyTSConnections'...etc
+ Detects tampering of RDP Terminal Service/Server sensitive settings.
+ Such as allowing unauthorized users access to a system via the 'fAllowUnsolicited' or enabling RDP via 'fDenyTSConnections', etc.
 references:
 - https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html # Related to RDP hijacking via the "ServiceDll" key
 - http://woshub.com/rds-shadow-how-to-connect-to-a-user-session-in-windows-server-2012-r2/ # Related to the Shadow RPD technique
diff --git a/rules/windows/registry/registry_set/registry_set_terminal_server_tampering.yml b/rules/windows/registry/registry_set/registry_set_terminal_server_tampering.yml
index f8684a393..879f2ff58 100644
--- a/rules/windows/registry/registry_set/registry_set_terminal_server_tampering.yml
+++ b/rules/windows/registry/registry_set/registry_set_terminal_server_tampering.yml
@@ -9,7 +9,7 @@ related:
 type: similar
 status: test
 description: |
- Detects tampering to RDP Terminal Service/Server sensitive settings.
+ Detects tampering of RDP Terminal Service/Server sensitive settings.
 Such as allowing unauthorized users access to a system via the 'fAllowUnsolicited' or enabling RDP via 'fDenyTSConnections'...etc
 references:
 - https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html # Related to RDP hijacking via the "ServiceDll" key
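Review bot: The context line `Such as allowing unauthorized users access to a system via the 'fAllowUnsolicited' or enabling RDP via 'fDenyTSConnections'...etc` in registry_set_terminal_server_tampering.yml keeps the `...etc` that this same commit rewrites to `, etc.` in the sibling registry_set_terminal_server_suspicious.yml, so the two `related: similar` rules now carry slightly different wording for the same description text. Suggest changing it to `Such as allowing unauthorized users access to a system via the 'fAllowUnsolicited' or enabling RDP via 'fDenyTSConnections', etc.` so both descriptions stay identical. The `description: |` block scalar is complete within the hunk; the rest of the rule lies outside it.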