security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: more Aurora FP fixes

Browse Source
This commit is contained in:
Florian Roth
2022-02-16 17:16:50 +01:00
parent 2500c16aea
commit 51bbe21c70
3 changed files with 19 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/windows/network_connection/win_nc_susp_outbound_smtp_connections.yml
+6 -2
View File
@@ -9,6 +9,7 @@ references:
- https://www.ietf.org/rfc/rfc2821.txt
author: frack113
date: 2022/01/07
modified: 2022/02/16
logsource:
category: network_connection
product: windows
@@ -20,11 +21,14 @@ detection:
- 465
- 2525
Initiated: 'true'
filter:
filter_clients:
Image|endswith:
- \thunderbird.exe
- \outlook.exe
condition: selection and not filter
filter_mailserver:
Image|startswith:
- 'C:\Program Files\Microsoft\Exchange Server\'
condition: selection and not 1 of filter*
falsepositives:
- Other SMTP tools
level: medium
rules/windows/pipe_created/sysmon_alternate_powershell_hosts_pipe.yml
+9 -1
View File
@@ -6,7 +6,7 @@ author: Roberto Rodriguez @Cyb3rWard0g, Tim Shelton
references:
- https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190815181010.html
date: 2019/09/12
modified: 2022/01/19
modified: 2022/02/16
logsource:
product: windows
category: pipe_created
@@ -21,6 +21,8 @@ detection:
- '\WINDOWS\System32\wsmprovhost.exe'
- '\Windows\system32\dsac.exe'
- '\Windows\system32\wbem\wmiprvse.exe'
- '\ForefrontActiveDirectoryConnector.exe'
- 'c:\windows\system32\inetsrv\w3wp.exe' # this is sad :,( but it triggers FPs on Exchange servers
filter2:
Image: null
filter3: # Microsoft SQL Server\130\Tools\
@@ -28,6 +30,12 @@ detection:
- ':\Program Files'
- '\Microsoft SQL Server\'
Image|endswith: '\Tools\Binn\SQLPS.exe'
filter4:
Image|startswith:
- 'C:\Program Files\Citrix\'
- 'C:\Program Files\Microsoft\Exchange Server\'
filter_commandline:
CommandLine
condition: selection and not 1 of filter*
fields:
- ComputerName
rules/windows/powershell/powershell_module/posh_pm_alternate_powershell_hosts.yml
+4 -2
View File
@@ -3,7 +3,7 @@ id: 64e8e417-c19a-475a-8d19-98ea705394cc
description: Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe
status: test
date: 2019/08/11
modified: 2021/10/16
modified: 2022/02/16
author: Roberto Rodriguez @Cyb3rWard0g
references:
- https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190815181010.html
@@ -19,7 +19,9 @@ detection:
ContextInfo: '*'
filter:
ContextInfo|contains: 'powershell.exe' # Host Application=...powershell.exe or Application hote=...powershell.exe in French Win10 event
condition: selection and not filter
filter_citrix:
ContextInfo|contains: 'ConfigSyncRun.exe'
condition: selection and not 1 of filter*
falsepositives:
- Programs using PowerShell directly without invocation of a dedicated interpreter
- MSP Detection Searcher