Merge pull request #3282 from phantinuss/master

fix FPs
2022-07-27 14:39:50 +02:00
parent e7a4a71e33 b40d9951c4
commit 4ed94a2ee2
2 changed files with 9 additions and 5 deletions
@@ -4,7 +4,7 @@ status: test
 description: Detects SQL Injection attempts via GET requests in access logs
 author: Saw Win Naung, Nasreddine Bencherchali
 date: 2020/02/22
-modified: 2022/06/27
+modified: 2022/07/25
 references:
    - https://www.acunetix.com/blog/articles/exploiting-sql-injection-example/
    - https://www.acunetix.com/blog/articles/using-logs-to-investigate-a-web-application-attack/
@@ -16,7 +16,9 @@ detection:
    select_method:
        cs-method: 'GET'
    keywords:
-        - '=select'
+        - '=select '
+        - '=select%20'
+        - '=select('
        - 'UNION SELECT'
        - 'UNION%20SELECT'
        - 'UNION ALL SELECT'
@@ -38,8 +40,6 @@ detection:
        - 'or%201=1#'
    filter:
        sc-status: 404
-    filter_fps:
-        - '=select2'
    condition: select_method and keywords and not 1 of filter*
 fields:
    - client_ip
@@ -3,7 +3,7 @@ id: 4720b7df-40c3-48fd-bbdf-fd4b3c464f0d
 description: Monitor the creation of a new key under 'TaskCache' when a new scheduled task is registered by a process that is not svchost.exe, which is suspicious
 status: experimental
 date: 2021/06/18
-modified: 2022/05/23
+modified: 2022/07/27
 references:
  - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/
  - https://labs.f-secure.com/blog/scheduled-task-tampering/
@@ -26,6 +26,10 @@ detection:
    TargetObject|contains: '\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\PLAIN\{1A552422-F571-4376-A7F1-5941E63D7B40}'
  filter_svchost:
    Image: 'C:\WINDOWS\system32\svchost.exe'
+  filter_ngen:
+    Image|startswith: 'C:\Windows\Microsoft.NET\Framework\'
+    Image|endswith: '\ngen.exe'
+    TargetObject|contains: '\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{B66B135D-DA06-4FC4-95F8-7458E1D10129}'
  condition: selection and not 1 of filter*
 falsepositives:
  - Unknown