From 470d64e66cb1114341eded853155ceed2bc17835 Mon Sep 17 00:00:00 2001
From: Cyb3rEng <88643791+Cyb3rEng@users.noreply.github.com>
Date: Tue, 31 Aug 2021 22:28:34 -0600
Subject: [PATCH] Updated Rule
Completed the following updates on the rule:
- Modified the title
- incremented 4 spaces for references and tags
- updated false positives
- updated author
- updated description in detection section.
---
 ...ice_applications_using_file_extentions.yml | 24 +++++++++----------
 1 file changed, 12 insertions(+), 12 deletions(-)
diff --git a/rules/windows/process_creation/Monitor_executable_and_script_files_creation_by_Office_applications_using_file_extentions.yml b/rules/windows/process_creation/Monitor_executable_and_script_files_creation_by_Office_applications_using_file_extentions.yml
index c4293b6ab..e2411d65f 100644
--- a/rules/windows/process_creation/Monitor_executable_and_script_files_creation_by_Office_applications_using_file_extentions.yml
+++ b/rules/windows/process_creation/Monitor_executable_and_script_files_creation_by_Office_applications_using_file_extentions.yml
@@ -1,15 +1,15 @@
-title: monitor executable and script files creation by Office applications, using file extensions and Magic Bytes (EDR).
+title: Executable and Files creation by Office Applications
 description: This rule will monitor executable and script file creation by office applications. Please add more file extentions or magic bytes to the logic of your choice.
 references:
-- https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/
-- https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/main/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml
-author: "Idea by: Vadim Khrykov"
+ - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/
+ - https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/main/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml
+author: "Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule)"
 tags:
-- attack.t1204.002
-- attack.t1047
-- attack.t1218.010
-- attack.execution
-- attack.defence_evasion
+ - attack.t1204.002
+ - attack.t1047
+ - attack.t1218.010
+ - attack.execution
+ - attack.defence_evasion
 status: experimental
 Date: 2021/23/8
 logsource:
@@ -17,7 +17,7 @@ logsource:
 service: Sysmon
 category: process_creation
 detection:
- description: Please add more file extentions and magic bytes to the logic of your choice.
+ #useful_information: Please add more file extentions and magic bytes to the logic of your choice.
 selection1:
 EventType:
 - FileCreate
@@ -45,5 +45,5 @@ detection:
 - "4D5A"
 condition: selection1 AND selection2 AND (selection3 OR selection4)
 falsepositives:
-- ""
-level: high
\ No newline at end of file
+- Unknown
+level: high
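Review bot: The `attack.defence_evasion` tag that this hunk re-indents but keeps does not match the Sigma ATT&CK taxonomy, which spells the tactic `attack.defense_evasion`; with the British spelling the tag will not resolve to a tactic in tooling that maps Sigma tags to ATT&CK, so it should read `  - attack.defense_evasion`. The same hunk carries `Date: 2021/23/8` as context and the commit does not touch it: Sigma expects a lowercase `date` key in `YYYY/MM/DD` form, and a month of 23 is not a valid date, so presumably `date: 2021/08/23` was intended. The new title also drops the mention of magic bytes that the unchanged description still relies on; a title such as `title: Executable or Script File Creation by Office Applications` would describe what the detection actually checks.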
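Review bot: The new side still pairs `category: process_creation` in the logsource with `EventType: - FileCreate` in selection1, and the commit does not address that mismatch: in Sysmon, FileCreate is Event ID 11, which Sigma backends map to `category: file_event`, so a process-creation log source will never contain this event type and the rule cannot fire as written. Changing the logsource to `category: file_event` (and moving the rule out of the `process_creation` directory) looks like the intended fix, but confirm against the backend the repository targets. Turning the stray `description` key into a comment is the right call, since it is not a valid key inside `detection`; as a minor style point yamllint expects a space after the hash, `# useful_information: ...`. The `detection` block continues past the end of this hunk.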
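Review bot: The new `- Unknown` entry under `falsepositives` is written flush with its parent key while this same commit re-indents the `references` and `tags` sequences, so the file now mixes both sequence-indentation styles; keep one style file-wide, e.g. `  - Unknown` here. The `condition` line carried as context uses uppercase `AND`/`OR`, whereas the Sigma specification documents the condition operators in lowercase (`condition: selection1 and selection2 and (selection3 or selection4)`); whether the uppercase form converts depends on the compiler in use, so check it with the project's rule tests before merging. Restoring the trailing newline at end of file is fine.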