Merge pull request #1418 from SigmaHQ/rule-devel

Fixing false positives with newest OSCD rules
Florian Roth
2021-04-09 17:26:02 +02:00
committed by GitHub
7 changed files with 11 additions and 11 deletions
+3 -2
@@ -4,9 +4,10 @@ status: experimental
description: Detects suspicious DNS queries known from Cobalt Strike beacons
author: Florian Roth
date: 2018/05/10
modified: 2020/08/27
modified: 2021/03/24
references:
- https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns
- https://www.sekoia.io/en/hunting-and-detecting-cobalt-strike/
logsource:
category: dns
detection:
@@ -17,7 +18,7 @@ detection:
condition: selection
falsepositives:
- Unknown
level: high
level: critical
tags:
- attack.command_and_control
- attack.t1071 # an old one
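Review bot: The level is raised to `critical` on the new side while `falsepositives` two lines above still reads `Unknown`; at this level an alert is typically acted on automatically, so the rule should say which benign sources of these DNS queries, if any, are expected. Either list the known benign sources under `falsepositives` or state that none are known, e.g. `- None known`, so the severity bump is backed by a documented FP assessment. The `tags` list continues past the end of the hunk.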
@@ -17,7 +17,7 @@ falsepositives:
level: high
detection:
selection_1:
- ImagePath|re: '(?i).*&&set.*(\{\d\}){2,}\\\"\s+?\-f.*&&.*cmd.*\/c|\/r'
- ImagePath|re: '(?i).*&&set.*(\{\d\}){2,}\\\"\s+?\-f.*&&.*cmd.*\/c' # FPs with |\/r
condition: selection and selection_1
---
logsource:
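Review bot: Dropping `|\/r` from the `ImagePath|re` pattern removes the `cmd /r` variant from coverage instead of fixing what caused the false positives: the `|` sat at the top level of the regex, so the second alternative was the bare `\/r`, which matches any value containing `/r`. Grouping the alternation keeps both switches without that side effect, `ImagePath|re: '(?i).*&&set.*(\{\d\}){2,}\\\"\s+?\-f.*&&.*cmd.*\/(c|r)'`, and the trailing comment could then state the cause, `# alternation grouped: an unparenthesized |\/r matched any value containing /r`. The same change is made to `ScriptBlockText|re` and `Payload|re` in the `@@ -17,10 +17,10 @@ logsource:` hunk and to `CommandLine|re` in the `@@ -16,7 +16,7 @@ logsource:` hunk. The `---` at the end of this hunk opens a second YAML document whose remainder lies outside the hunk.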
@@ -26,7 +26,7 @@ detection:
CommandLine|re: '.*{.*{.*{.*{.*{.*'
selection4:
Image|endswith: '\powershell.exe'
CommandLine|re: '.*^.*^.*^.*^.*^.*'
CommandLine|re: '.*\^.*\^.*\^.*\^.*\^.*'
selection5:
Image|endswith: '\powershell.exe'
CommandLine|re: '.*`.*`.*`.*`.*`.*'
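Review bot: Escaping `^` in selection4 fixes the caret being read as a position assertion, but the sibling selection two lines above the change, `'.*{.*{.*{.*{.*{.*'`, leaves `{` unescaped; whether a `{` that does not open a valid quantifier is a literal or a syntax error depends on the regex engine the Sigma backend targets, so that pattern is not portable. Writing it as `CommandLine|re: '.*\{.*\{.*\{.*\{.*\{.*'` mirrors the `\^` fix and removes the ambiguity; the backtick pattern in selection5 needs no change. The `detection` block starts before the hunk and continues after it.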
@@ -17,10 +17,10 @@ logsource:
detection:
selection_1:
EventID: 4104
ScriptBlockText|re: '(?i).*&&set.*(\{\d\}){2,}\\\"\s+?\-f.*&&.*cmd.*\/c|\/r'
ScriptBlockText|re: '(?i).*&&set.*(\{\d\}){2,}\\\"\s+?\-f.*&&.*cmd.*\/c/c' # FPs with |\/r
selection_2:
EventID: 4103
Payload|re: '(?i).*&&set.*(\{\d\}){2,}\\\"\s+?\-f.*&&.*cmd.*\/c|\/r'
Payload|re: '(?i).*&&set.*(\{\d\}){2,}\\\"\s+?\-f.*&&.*cmd.*\/c' # FPs with |\/r
condition: selection_1 or selection_2
falsepositives:
- Unknown
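Review bot: The new `ScriptBlockText|re` pattern ends in `\/c/c`, as printed in this hunk, so selection_1 now requires the literal text `/c/c` after `cmd` and will not fire on an ordinary `cmd /c` invocation; the parallel `Payload|re` line in selection_2 ends in `\/c`, which is clearly what was intended. The line should read `ScriptBlockText|re: '(?i).*&&set.*(\{\d\}){2,}\\\"\s+?\-f.*&&.*cmd.*\/c' # FPs with |\/r`. A rule test with an EventID 4104 sample containing `cmd /c` would have caught this regression and is worth adding alongside the fix.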
@@ -33,5 +33,5 @@ fields:
- Image
falsepositives:
- System administrator Usage
- Penetration test
level: high
- Penetration test
level: medium
@@ -16,7 +16,7 @@ logsource:
product: windows
detection:
selection:
CommandLine|re: '(?i).*&&set.*(\{\d\}){2,}\\\"\s+?\-f.*&&.*cmd.*\/c|\/r'
CommandLine|re: '(?i).*&&set.*(\{\d\}){2,}\\\"\s+?\-f.*&&.*cmd.*\/c' # FPs with |\/r
condition: selection
falsepositives:
- Unknown
@@ -11,8 +11,7 @@ tags:
- attack.collection
- attack.t1560.001
- attack.exfiltration # an old one
- attack.t1002 # an old one
- attack.t1002 # an old one
logsource:
category: process_creation
product: windows