fix: add bcedit filter and sort selection
@@ -4,7 +4,7 @@ status: test
|
||||
description: Detects the creation of an executable with a system process name in folders other than the system ones (System32, SysWOW64...etc).
|
||||
author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali
|
||||
date: 2020/05/26
|
||||
modified: 2022/10/28
|
||||
modified: 2022/11/07
|
||||
tags:
|
||||
- attack.defense_evasion
|
||||
- attack.t1036.005
|
||||
@@ -14,78 +14,78 @@ logsource:
|
||||
detection:
|
||||
selection:
|
||||
TargetFilename|endswith:
|
||||
- '\svchost.exe'
|
||||
- '\rundll32.exe'
|
||||
- '\services.exe'
|
||||
- '\powershell.exe'
|
||||
- '\pwsh.exe'
|
||||
- '\regsvr32.exe'
|
||||
- '\spoolsv.exe'
|
||||
- '\lsass.exe'
|
||||
- '\smss.exe'
|
||||
- '\csrss.exe'
|
||||
- '\conhost.exe'
|
||||
- '\wininit.exe'
|
||||
- '\lsm.exe'
|
||||
- '\winlogon.exe'
|
||||
- '\explorer.exe'
|
||||
- '\taskhost.exe'
|
||||
- '\Taskmgr.exe'
|
||||
- '\sihost.exe'
|
||||
- '\RuntimeBroker.exe'
|
||||
- '\smartscreen.exe'
|
||||
- '\dllhost.exe'
|
||||
- '\audiodg.exe'
|
||||
- '\wlanext.exe'
|
||||
- '\AtBroker.exe'
|
||||
- '\audiodg.exe'
|
||||
- '\backgroundTaskHost.exe'
|
||||
- '\bcdedit.exe'
|
||||
- '\bitsadmin.exe'
|
||||
- '\cmdl32.exe'
|
||||
- '\cmstp.exe'
|
||||
- '\conhost.exe'
|
||||
- '\csrss.exe'
|
||||
- '\dasHost.exe'
|
||||
- '\dfrgui.exe'
|
||||
- '\dllhost.exe'
|
||||
- '\dwm.exe'
|
||||
- '\eventcreate.exe'
|
||||
- '\eventvwr.exe'
|
||||
- '\explorer.exe'
|
||||
- '\extrac32.exe'
|
||||
- '\fontdrvhost.exe'
|
||||
- '\ipconfig.exe'
|
||||
- '\LsaIso.exe'
|
||||
- '\LogonUI.exe'
|
||||
- '\iscsicli.exe'
|
||||
- '\iscsicpl.exe'
|
||||
- '\logman.exe'
|
||||
- '\LogonUI.exe'
|
||||
- '\LsaIso.exe'
|
||||
- '\lsass.exe'
|
||||
- '\lsm.exe'
|
||||
- '\msiexec.exe'
|
||||
- '\msinfo32.exe'
|
||||
- '\mstsc.exe'
|
||||
- '\msiexec.exe'
|
||||
- '\nbtstat.exe'
|
||||
- '\regini.exe'
|
||||
- '\TiWorker.exe'
|
||||
- '\WmiPrvSE.exe'
|
||||
- '\WUDFHost.exe'
|
||||
- '\taskhostw.exe'
|
||||
- '\dasHost.exe'
|
||||
- '\wslhost.exe'
|
||||
- '\fontdrvhost.exe'
|
||||
- '\dwm.exe'
|
||||
- '\backgroundTaskHost.exe'
|
||||
- '\SystemSettingsBroker.exe'
|
||||
- '\odbcconf.exe'
|
||||
- '\powershell.exe'
|
||||
- '\pwsh.exe'
|
||||
- '\regini.exe'
|
||||
- '\regsvr32.exe'
|
||||
- '\rundll32.exe'
|
||||
- '\RuntimeBroker.exe'
|
||||
- '\schtasks.exe'
|
||||
- '\SearchProtocolHost.exe'
|
||||
- '\SearchIndexer.exe'
|
||||
- '\SearchFilterHost.exe'
|
||||
- '\SecurityHealthSystray.exe'
|
||||
- '\SearchIndexer.exe'
|
||||
- '\SearchProtocolHost.exe'
|
||||
- '\SecurityHealthService.exe'
|
||||
- '\SecurityHealthSystray.exe'
|
||||
- '\services.exe'
|
||||
- '\ShellAppRuntime.exe'
|
||||
- '\sihost.exe'
|
||||
- '\smartscreen.exe'
|
||||
- '\smss.exe'
|
||||
- '\spoolsv.exe'
|
||||
- '\svchost.exe'
|
||||
- '\SystemSettingsBroker.exe'
|
||||
- '\taskhost.exe'
|
||||
- '\taskhostw.exe'
|
||||
- '\Taskmgr.exe'
|
||||
- '\TiWorker.exe'
|
||||
- '\vssadmin.exe'
|
||||
- '\w32tm.exe'
|
||||
- '\WerFault.exe'
|
||||
- '\WerFaultSecure.exe'
|
||||
- '\wermgr.exe'
|
||||
- '\wevtutil.exe'
|
||||
- '\wininit.exe'
|
||||
- '\winlogon.exe'
|
||||
- '\winrshost.exe'
|
||||
- '\wlrmdr.exe'
|
||||
- '\WinRTNetMUAHostServer.exe'
|
||||
- '\wlanext.exe'
|
||||
- '\wlrmdr.exe'
|
||||
- '\WmiPrvSE.exe'
|
||||
- '\wslhost.exe'
|
||||
- '\WSReset.exe'
|
||||
- '\WUDFHost.exe'
|
||||
- '\WWAHost.exe'
|
||||
- '\iscsicpl.exe'
|
||||
- '\iscsicli.exe'
|
||||
- '\extrac32.exe'
|
||||
- '\eventvwr.exe'
|
||||
- '\eventcreate.exe'
|
||||
- '\dfrgui.exe'
|
||||
- '\cmdl32.exe'
|
||||
- '\cmstp.exe'
|
||||
filter1:
|
||||
TargetFilename|startswith:
|
||||
- 'C:\Windows\System32\'
|
||||
@@ -95,6 +95,7 @@ detection:
|
||||
Image|endswith:
|
||||
- '\Windows\System32\dism.exe'
|
||||
- '\TiWorker.exe'
|
||||
- '\bcdedit.exe'
|
||||
filter2:
|
||||
TargetFilename|startswith: 'C:\$WINDOWS.~BT\'
|
||||
Image: 'C:\$WINDOWS.~BT\Sources\SetupHost.exe'
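Review bot: The added `- '\bcdedit.exe'` entry in the filter's `Image|endswith` list matches on file name only, whereas the neighbouring `dism.exe` entry is pinned to `'\Windows\System32\dism.exe'`; as written, any creating process whose image path ends in `\bcdedit.exe`, in any directory, is excluded from the rule, which scopes the exclusion to a name rather than to the system binary. Anchoring it the same way, `- '\Windows\System32\bcdedit.exe'` (plus any other location the tool is legitimately run from, if one exists), keeps the filter tied to the expected path; the pre-existing `'\TiWorker.exe'` entry has the same shape and could be tightened in the same pass. The condition line and the start of the `filter1` block are outside this hunk, so whether this `Image` list is combined with the `TargetFilename|startswith` clause above cannot be confirmed from here.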
|
||||