Updated Rule

Completed the following updates on the rule: - Modified the title - incremented 4 spaces for references and tags - updated false positives - updated author - updated description in detection section.
2021-08-31 22:28:34 -06:00
parent e0e1396dff
commit 470d64e66c
1 changed files with 12 additions and 12 deletions
@@ -1,15 +1,15 @@
-title: monitor executable and script files creation by Office applications, using file extensions and Magic Bytes (EDR).
+title: Executable and Files creation by Office Applications
 description: This rule will monitor executable and script file creation by office applications. Please add more file extentions or magic bytes to the logic of your choice.  
 references:
- https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/
- https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/main/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml
-author: "Idea by: Vadim Khrykov"
+    - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/
+    - https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/main/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml
+author: "Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule)"
 tags:
- attack.t1204.002
- attack.t1047
- attack.t1218.010
- attack.execution
- attack.defence_evasion
+    - attack.t1204.002
+    - attack.t1047
+    - attack.t1218.010
+    - attack.execution
+    - attack.defence_evasion
 status: experimental
 Date: 2021/23/8
 logsource:
@@ -17,7 +17,7 @@ logsource:
  service: Sysmon
  category: process_creation
 detection:
-  description: Please add more file extentions and magic bytes to the logic of your choice. 
+  #useful_information: Please add more file extentions and magic bytes to the logic of your choice. 
  selection1:
    EventType:
      - FileCreate
@@ -45,5 +45,5 @@ detection:
    - "4D5A"
  condition: selection1 AND selection2 AND (selection3 OR selection4)
 falsepositives:
- ""
-level: high
+- Unknown
+level: high