diff --git a/rules/windows/file/file_event/file_event_win_creation_system_file.yml b/rules/windows/file/file_event/file_event_win_creation_system_file.yml
index f3915298f..bbbc5cf51 100755
--- a/rules/windows/file/file_event/file_event_win_creation_system_file.yml
+++ b/rules/windows/file/file_event/file_event_win_creation_system_file.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects the creation of an executable with a system process name in folders other than the system ones (System32, SysWOW64...etc).
 author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali
 date: 2020/05/26
-modified: 2022/10/28
+modified: 2022/11/07
 tags:
 - attack.defense_evasion
 - attack.t1036.005
@@ -14,78 +14,78 @@ logsource:
 detection:
 selection:
 TargetFilename|endswith:
- - '\svchost.exe'
- - '\rundll32.exe'
- - '\services.exe'
- - '\powershell.exe'
- - '\pwsh.exe'
- - '\regsvr32.exe'
- - '\spoolsv.exe'
- - '\lsass.exe'
- - '\smss.exe'
- - '\csrss.exe'
- - '\conhost.exe'
- - '\wininit.exe'
- - '\lsm.exe'
- - '\winlogon.exe'
- - '\explorer.exe'
- - '\taskhost.exe'
- - '\Taskmgr.exe'
- - '\sihost.exe'
- - '\RuntimeBroker.exe'
- - '\smartscreen.exe'
- - '\dllhost.exe'
- - '\audiodg.exe'
- - '\wlanext.exe'
 - '\AtBroker.exe'
+ - '\audiodg.exe'
+ - '\backgroundTaskHost.exe'
 - '\bcdedit.exe'
 - '\bitsadmin.exe'
+ - '\cmdl32.exe'
+ - '\cmstp.exe'
+ - '\conhost.exe'
+ - '\csrss.exe'
+ - '\dasHost.exe'
+ - '\dfrgui.exe'
+ - '\dllhost.exe'
+ - '\dwm.exe'
+ - '\eventcreate.exe'
+ - '\eventvwr.exe'
+ - '\explorer.exe'
+ - '\extrac32.exe'
+ - '\fontdrvhost.exe'
 - '\ipconfig.exe'
- - '\LsaIso.exe'
- - '\LogonUI.exe'
+ - '\iscsicli.exe'
+ - '\iscsicpl.exe'
 - '\logman.exe'
+ - '\LogonUI.exe'
+ - '\LsaIso.exe'
+ - '\lsass.exe'
+ - '\lsm.exe'
+ - '\msiexec.exe'
 - '\msinfo32.exe'
 - '\mstsc.exe'
- - '\msiexec.exe'
 - '\nbtstat.exe'
- - '\regini.exe'
- - '\TiWorker.exe'
- - '\WmiPrvSE.exe'
- - '\WUDFHost.exe'
- - '\taskhostw.exe'
- - '\dasHost.exe'
- - '\wslhost.exe'
- - '\fontdrvhost.exe'
- - '\dwm.exe'
- - '\backgroundTaskHost.exe'
- - '\SystemSettingsBroker.exe'
 - '\odbcconf.exe'
+ - '\powershell.exe'
+ - '\pwsh.exe'
+ - '\regini.exe'
+ - '\regsvr32.exe'
+ - '\rundll32.exe'
+ - '\RuntimeBroker.exe'
 - '\schtasks.exe'
- - '\SearchProtocolHost.exe'
- - '\SearchIndexer.exe'
 - '\SearchFilterHost.exe'
- - '\SecurityHealthSystray.exe'
+ - '\SearchIndexer.exe'
+ - '\SearchProtocolHost.exe'
 - '\SecurityHealthService.exe'
+ - '\SecurityHealthSystray.exe'
+ - '\services.exe'
 - '\ShellAppRuntime.exe'
+ - '\sihost.exe'
+ - '\smartscreen.exe'
+ - '\smss.exe'
+ - '\spoolsv.exe'
+ - '\svchost.exe'
+ - '\SystemSettingsBroker.exe'
+ - '\taskhost.exe'
+ - '\taskhostw.exe'
+ - '\Taskmgr.exe'
+ - '\TiWorker.exe'
 - '\vssadmin.exe'
 - '\w32tm.exe'
 - '\WerFault.exe'
 - '\WerFaultSecure.exe'
 - '\wermgr.exe'
 - '\wevtutil.exe'
+ - '\wininit.exe'
+ - '\winlogon.exe'
 - '\winrshost.exe'
- - '\wlrmdr.exe'
 - '\WinRTNetMUAHostServer.exe'
+ - '\wlanext.exe'
+ - '\wlrmdr.exe'
+ - '\WmiPrvSE.exe'
+ - '\wslhost.exe'
 - '\WSReset.exe'
+ - '\WUDFHost.exe'
 - '\WWAHost.exe'
- - '\iscsicpl.exe'
- - '\iscsicli.exe'
- - '\extrac32.exe'
- - '\eventvwr.exe'
- - '\eventcreate.exe'
- - '\dfrgui.exe'
- - '\cmdl32.exe'
- - '\cmstp.exe'
 filter1:
 TargetFilename|startswith:
 - 'C:\Windows\System32\'
@@ -95,6 +95,7 @@ detection:
 Image|endswith:
 - '\Windows\System32\dism.exe'
 - '\TiWorker.exe'
+ - '\bcdedit.exe'
 filter2:
 TargetFilename|startswith: 'C:\$WINDOWS.~BT\'
 Image: 'C:\$WINDOWS.~BT\Sources\SetupHost.exe'
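Review bot: The added `- '\bcdedit.exe'` exclusion matches on the image basename only, so any process whose path ends in `\bcdedit.exe` — including a renamed dropper under a user-writable directory, which is exactly the masquerading (T1036.005) this rule exists to catch, and `bcdedit.exe` is itself in the selection's `TargetFilename|endswith` list — satisfies the filter, whereas the sibling `dism.exe` entry is anchored to `\Windows\System32\`. Anchor the new entry the same way: `- '\Windows\System32\bcdedit.exe'` and, if 32-bit invocations need covering, `- '\Windows\SysWOW64\bcdedit.exe'`. How much this entry suppresses depends on whether the `Image|endswith` list is ANDed with the system-path `TargetFilename|startswith` list or is a filter of its own; the key that owns it and the `condition` that combines the filters are outside the hunk, so that should be confirmed against the full rule. A short comment on the entry stating which legitimate bcdedit activity it was added for would also help the next person tuning this filter.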