From 01c6e5f6e3d12640f00330986d3c627185c3f36d Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Sun, 9 Jan 2022 12:37:23 +0100 Subject: [PATCH 01/16] Windows Redcannary --- .../win_fe_csharp_compile_artefact.yml | 24 +++++++++++++++++ .../posh_ps_suspicious_iofilestream.yml | 25 ++++++++++++++++++ .../win_pc_iis_http_logging.yml | 26 +++++++++++++++++++ 3 files changed, 75 insertions(+) create mode 100644 rules/windows/file_event/win_fe_csharp_compile_artefact.yml create mode 100644 rules/windows/powershell/powershell_script/posh_ps_suspicious_iofilestream.yml create mode 100644 rules/windows/process_creation/win_pc_iis_http_logging.yml diff --git a/rules/windows/file_event/win_fe_csharp_compile_artefact.yml b/rules/windows/file_event/win_fe_csharp_compile_artefact.yml new file mode 100644 index 000000000..1123d72d7 --- /dev/null +++ b/rules/windows/file_event/win_fe_csharp_compile_artefact.yml @@ -0,0 +1,24 @@ +title: Dynamic C Sharp Compile Artefact +id: e4a74e34-ecde-4aab-b2fb-9112dd01aed0 +status: experimental +description: | + When C# is compiled dynamically, a .cmdline file will be created as a part of the process. + Certain processes are not typically observed compiling C# code, but can do so without touching disk. + This can be used to unpack a payload for execution +author: frack113 +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.004/T1027.004.md#atomic-test-2---dynamic-c-compile +date: 2022/01/09 +logsource: + product: windows + category: file_event +detection: + selection: + TargetFilename|endswith: '.cmdline' + condition: selection +falsepositives: + - Unknown +level: medium +tags: + - attack.defense_evasion + - attack.t1027.004 diff --git a/rules/windows/powershell/powershell_script/posh_ps_suspicious_iofilestream.yml b/rules/windows/powershell/powershell_script/posh_ps_suspicious_iofilestream.yml new file mode 100644 index 000000000..bbe35a286 --- /dev/null 
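Review bot: The selection `TargetFilename|endswith: '.cmdline'` fires on every dynamic C# compile, although the description says the interesting signal is which process does the compiling; the new rule carries no `Image` constraint and no filter for hosts that legitimately compile at runtime. Without telemetry on the expected compilers, at least make the false-positive entry honest: replace `- Unknown` with `- Legitimate applications compiling C# at runtime through CodeDOM/csc (presumably ASP.NET dynamic compilation among them)`. Alternatively add a `filter` selection on the hosting `Image` values observed in the environment and use `condition: selection and not filter`.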
+++ b/rules/windows/powershell/powershell_script/posh_ps_suspicious_iofilestream.yml @@ -0,0 +1,25 @@ +title: Suspicious IO.FileStream +id: 70ad982f-67c8-40e0-a955-b920c2fa05cb +status: experimental +description: open a handle on the drive volume via the \\.\ DOS device path specifier and perform direct access read of the first few bytes of the volume. +date: 2022/01/09 +author: frack113 +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1006/T1006.md +logsource: + product: windows + category: ps_script + definition: Script block logging must be enabled +detection: + selection: + ScriptBlockText|contains|all: + - New-Object + - IO.FileStream + - '"\\.\' + condition: selection +falsepositives: + - Legitimate PowerShell scripts +level: medium +tags: + - attack.defense_evasion + - attack.t1070.003 \ No newline at end of file diff --git a/rules/windows/process_creation/win_pc_iis_http_logging.yml b/rules/windows/process_creation/win_pc_iis_http_logging.yml new file mode 100644 index 000000000..e02dc92da --- /dev/null +++ b/rules/windows/process_creation/win_pc_iis_http_logging.yml @@ -0,0 +1,26 @@ +title: Disable Windows IIS HTTP Logging +id: e4ed6030-ffe5-4e6a-8a8a-ab3c1ab9d94e +status: experimental +description: Disables HTTP logging on a Windows IIS web server as seen by Threat Group 3390 (Bronze Union) +author: frack113 +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.002/T1562.002.md#atomic-test-1---disable-windows-iis-http-logging +date: 2022/01/09 +logsource: + category: process_creation + product: windows +detection: + selection: + Image|endswith: \appcmd.exe + CommandLine|contains|all: + - set + - config + - '/section:httplogging' + - '/dontLog:true' + condition: selection +falsepositives: + - Unknown +level: medium +tags: + - attack.defense_evasion + - attack.t1562.002 From da5c01507c711a2ad8ad575f86c71f199d319a8b Mon Sep 17 00:00:00 2001 
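Review bot: The tag `attack.t1070.003` (clear command history) does not match the technique the rule and its reference describe, direct volume access through the `\\.\` device path, which is T1006; change the last line to `- attack.t1006`. Separately, in the Sigma value syntax a double backslash stands for a single literal backslash, so `'"\\.\'` would match `"\.\` rather than the `\\.\` prefix named in the description; if that reading of the spec is right, the value needs four backslashes, `'"\\\\.\'`, and the same applies to the rewritten value `'\\.\'` in the `fix detection` patch (09/16).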
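Review bot: `Image|endswith: \appcmd.exe` is the only unquoted backslash value in the three new rules while every other path-like value is single-quoted; quote it for consistency, `Image|endswith: '\appcmd.exe'`, so a plain scalar starting with a backslash never needs a second look from a reader. The detection itself is specific enough because `/section:httplogging` and `/dontLog:true` are required together, so the style point is the only one here.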
From: Florian Roth Date: Sun, 9 Jan 2022 16:11:54 +0100 Subject: [PATCH 02/16] Update win_fe_csharp_compile_artefact.yml --- rules/windows/file_event/win_fe_csharp_compile_artefact.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/file_event/win_fe_csharp_compile_artefact.yml b/rules/windows/file_event/win_fe_csharp_compile_artefact.yml index 1123d72d7..8fdf2aa2d 100644 --- a/rules/windows/file_event/win_fe_csharp_compile_artefact.yml +++ b/rules/windows/file_event/win_fe_csharp_compile_artefact.yml @@ -18,7 +18,7 @@ detection: condition: selection falsepositives: - Unknown -level: medium +level: low tags: - attack.defense_evasion - attack.t1027.004 From 68fea9577257664b7935293a9ee460a635699d7a Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Sun, 9 Jan 2022 16:12:31 +0100 Subject: [PATCH 03/16] Update posh_ps_suspicious_iofilestream.yml --- .../powershell_script/posh_ps_suspicious_iofilestream.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/windows/powershell/powershell_script/posh_ps_suspicious_iofilestream.yml b/rules/windows/powershell/powershell_script/posh_ps_suspicious_iofilestream.yml index bbe35a286..0b9ef3b71 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_suspicious_iofilestream.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_suspicious_iofilestream.yml @@ -1,7 +1,7 @@ title: Suspicious IO.FileStream id: 70ad982f-67c8-40e0-a955-b920c2fa05cb status: experimental -description: open a handle on the drive volume via the \\.\ DOS device path specifier and perform direct access read of the first few bytes of the volume. +description: Open a handle on the drive volume via the \\.\ DOS device path specifier and perform direct access read of the first few bytes of the volume. date: 2022/01/09 author: frack113 references: @@ -22,4 +22,4 @@ falsepositives: level: medium tags: - attack.defense_evasion - - attack.t1070.003 \ No newline at end of file + - attack.t1070.003 
From ebb3f54d6716702b2a1359af9f9ded445df5ac5f Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Sun, 9 Jan 2022 16:13:00 +0100 Subject: [PATCH 04/16] Update win_pc_iis_http_logging.yml --- rules/windows/process_creation/win_pc_iis_http_logging.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/win_pc_iis_http_logging.yml b/rules/windows/process_creation/win_pc_iis_http_logging.yml index e02dc92da..4843a988b 100644 --- a/rules/windows/process_creation/win_pc_iis_http_logging.yml +++ b/rules/windows/process_creation/win_pc_iis_http_logging.yml @@ -20,7 +20,7 @@ detection: condition: selection falsepositives: - Unknown -level: medium +level: high tags: - attack.defense_evasion - attack.t1562.002 From f96a5ce9ff6f9d3a79724fb8cdcf3f67692ebb0c Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Sun, 9 Jan 2022 19:24:38 +0100 Subject: [PATCH 05/16] Fix detection --- .../win_susp_firewall_disable.yml | 23 ++++++++++++++----- 1 file changed, 17 insertions(+), 6 deletions(-) diff --git a/rules/windows/process_creation/win_susp_firewall_disable.yml b/rules/windows/process_creation/win_susp_firewall_disable.yml index 59eefccbb..fb6ac6868 100644 --- a/rules/windows/process_creation/win_susp_firewall_disable.yml +++ b/rules/windows/process_creation/win_susp_firewall_disable.yml 
@@ -6,17 +6,28 @@ author: Fatih Sirin references: - https://www.winhelponline.com/blog/enable-and-disable-windows-firewall-quickly-using-command-line/ - https://app.any.run/tasks/210244b9-0b6b-4a2c-83a3-04bd3175d017/ + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md#atomic-test-1---disable-microsoft-defender-firewall date: 2019/11/01 -modified: 2021/11/27 +modified: 2022/01/09 logsource: category: process_creation product: windows detection: - selection: - CommandLine: - - netsh firewall set opmode mode=disable - - netsh advfirewall set * state off - condition: selection + selection_1: + CommandLine|contains|all: + - netsh + - firewall + - set + - opmode + - 'mode=disable' + selection_2: + CommandLine|contains|all: + - netsh + - advfirewall + - set + - state + - off + condition: 1 of selection_* falsepositives: - Legitimate administration level: medium From ae0dc802267a01adb00749a78e4756b3c5bd74e4 Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Sun, 9 Jan 2022 19:48:22 +0100 Subject: [PATCH 06/16] Microsoft Defender Firewall --- .../win_pc_netsh_fw_enable_group_rule.yml | 30 +++++++++++++++++++ .../win_re_disable_defender_firewall.yml | 27 +++++++++++++++++ 2 files changed, 57 insertions(+) create mode 100644 rules/windows/process_creation/win_pc_netsh_fw_enable_group_rule.yml create mode 100644 rules/windows/registry_event/win_re_disable_defender_firewall.yml diff --git a/rules/windows/process_creation/win_pc_netsh_fw_enable_group_rule.yml b/rules/windows/process_creation/win_pc_netsh_fw_enable_group_rule.yml new file mode 100644 index 000000000..d42eda483 --- /dev/null +++ b/rules/windows/process_creation/win_pc_netsh_fw_enable_group_rule.yml 
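Review bot: `selection_1` only matches the `mode=disable` spelling, but in the legacy `netsh firewall set opmode` syntax the `mode=` prefix is optional as far as I recall, so `netsh firewall set opmode disable` slips through; matching `- disable` (or listing both spellings) instead of `- 'mode=disable'` closes that gap. Likewise `selection_2` would be more precise as `- 'state off'` than the separate `state` and `off` substrings, since the two words are adjacent in the actual command syntax and `off` alone is a very short substring (it is quoted in the `fix 'off' error` patch, 07/16, but remains a bare token). The enclosing `detection` block is shown in full, so both changes stay within this hunk.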
@@ -0,0 +1,30 @@ +title: Netsh Allow Group Policy on Microsoft Defender Firewall +id: 347906f3-e207-4d18-ae5b-a9403d6bcdef +status: experimental +description: Adversaries may modify system firewalls in order to bypass controls limiting network usage +author: frack113 +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md#atomic-test-3---allow-smb-and-rdp-on-microsoft-defender-firewall + - https://docs.microsoft.com/en-us/troubleshoot/windows-server/networking/netsh-advfirewall-firewall-control-firewall-behavior +date: 2022/01/09 +logsource: + category: process_creation + product: windows +detection: + selection: + Image|endswith: '\netsh.exe' + CommandLine|contains|all: + - advfirewall + - firewall + - set + - rule + - 'group=' + - new + - 'enable=Yes' + condition: selection +falsepositives: + - Legitimate administration +level: medium +tags: + - attack.defense_evasion + - attack.t1562.004 \ No newline at end of file diff --git a/rules/windows/registry_event/win_re_disable_defender_firewall.yml b/rules/windows/registry_event/win_re_disable_defender_firewall.yml new file mode 100644 index 000000000..522cd2799 --- /dev/null +++ b/rules/windows/registry_event/win_re_disable_defender_firewall.yml 
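Review bot: The title says "Allow Group Policy" but what the selection matches is `netsh advfirewall firewall set rule group=... new enable=Yes`, i.e. enabling a predefined firewall rule group (the referenced atomic test enables the SMB and RDP groups); the title and the copied ATT&CK sentence in `description` should say that, e.g. `title: Netsh Enable Firewall Rule Group on Microsoft Defender Firewall` and `description: Detects netsh enabling a predefined Microsoft Defender Firewall rule group by group name, as done in the referenced atomic test for SMB and RDP`. In `CommandLine|contains|all`, the `- firewall` entry is redundant because `advfirewall` already contains that substring; drop it. The file also ends without a trailing newline, unlike the sibling rule added in the same patch.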
@@ -0,0 +1,27 @@ +title: Disable Microsoft Defender Firewall via Registry +id: 974515da-6cc5-4c95-ae65-f97f9150ec7f +description: Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage +author: frack113 +date: 2022/01/09 +status: experimental +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md#atomic-test-2---disable-microsoft-defender-firewall-via-registry +logsource: + category: registry_event + product: windows +detection: + selection: + EventType: SetValue + #HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\EnableFirewall + #HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall + #HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall + TargetObject|startswith: HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\ + TargetObject|endswith: \EnableFirewall + Details: DWORD (0x00000000) + condition: selection +falsepositives: + - Unknown +level: medium +tags: + - attack.defense_evasion + - attack.t1562.004 From 7a164e61dd6a011fcb1ebf53def0d027808ea944 Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Sun, 9 Jan 2022 19:58:54 +0100 Subject: [PATCH 07/16] fix 'off' error --- rules/windows/process_creation/win_susp_firewall_disable.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/win_susp_firewall_disable.yml b/rules/windows/process_creation/win_susp_firewall_disable.yml index fb6ac6868..ebcb5e299 100644 --- a/rules/windows/process_creation/win_susp_firewall_disable.yml +++ b/rules/windows/process_creation/win_susp_firewall_disable.yml 
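Review bot: The selection covers only the profile keys under `...\SharedAccess\Parameters\FirewallPolicy\`, the locally configured setting; the same `EnableFirewall` DWORD can be set to 0 under the Group Policy path `HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\<Profile>\EnableFirewall`, which the `startswith` does not match. Consider a second selection for that prefix with `condition: 1 of selection*`, or document the gap under `falsepositives`/`description`. The three `#HKEY_LOCAL_MACHINE...` lines inside `selection` are useful but should be written as `# HKEY_...` (space after the hash) and would read better as one comment above the `TargetObject` keys stating that the `startswith`/`endswith` pair covers the Domain, Public and Standard profiles.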
@@ -26,7 +26,7 @@ detection: - advfirewall - set - state - - off + - 'off' condition: 1 of selection_* falsepositives: - Legitimate administration From 798c447317545a9b39bf96e4d424be7da9cd4e7b Mon Sep 17 00:00:00 2001 From: Bhabesh Date: Mon, 10 Jan 2022 12:02:01 +0545 Subject: [PATCH 08/16] Added new reference for Office Security Settings Changed --- rules/windows/registry_event/sysmon_reg_office_security.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/rules/windows/registry_event/sysmon_reg_office_security.yml b/rules/windows/registry_event/sysmon_reg_office_security.yml index eac91c79d..1ef9cf359 100644 --- a/rules/windows/registry_event/sysmon_reg_office_security.yml +++ b/rules/windows/registry_event/sysmon_reg_office_security.yml @@ -4,10 +4,11 @@ status: experimental description: Detects registry changes to Office macro settings author: Trent Liffick (@tliffick) date: 2020/05/22 -modified: 2021/07/12 +modified: 2022/01/10 references: - Internal Research - https://www.mcafee.com/blogs/other-blogs/mcafee-labs/zloader-with-a-new-infection-technique/ + - https://securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/ tags: - attack.defense_evasion - attack.t1112 From 16f3fdb9228ad3c6e431f8102c498a2c009ebe23 Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Mon, 10 Jan 2022 17:48:46 +0100 Subject: [PATCH 09/16] fix detection --- .../powershell_script/posh_ps_suspicious_iofilestream.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/rules/windows/powershell/powershell_script/posh_ps_suspicious_iofilestream.yml b/rules/windows/powershell/powershell_script/posh_ps_suspicious_iofilestream.yml index 0b9ef3b71..c9913e6b7 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_suspicious_iofilestream.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_suspicious_iofilestream.yml 
@@ -3,6 +3,7 @@ id: 70ad982f-67c8-40e0-a955-b920c2fa05cb status: experimental description: Open a handle on the drive volume via the \\.\ DOS device path specifier and perform direct access read of the first few bytes of the volume. date: 2022/01/09 +modified: 2022/01/10 author: frack113 references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1006/T1006.md @@ -15,7 +16,7 @@ detection: ScriptBlockText|contains|all: - New-Object - IO.FileStream - - '"\\.\' + - '\\.\' condition: selection falsepositives: - Legitimate PowerShell scripts From fa19eeb0f844ad7499bf30449b3c6afa168719c6 Mon Sep 17 00:00:00 2001 From: Tim Shelton Date: Mon, 10 Jan 2022 20:44:35 +0000 Subject: [PATCH 10/16] checks for join with space or quote or double quote in order to reduce fps --- .../process_creation/win_powershell_xor_commandline.yml | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/rules/windows/process_creation/win_powershell_xor_commandline.yml b/rules/windows/process_creation/win_powershell_xor_commandline.yml index c3eaa2599..62cd4da79 100644 --- a/rules/windows/process_creation/win_powershell_xor_commandline.yml +++ b/rules/windows/process_creation/win_powershell_xor_commandline.yml @@ -2,9 +2,9 @@ title: Suspicious XOR Encoded PowerShell Command Line id: bb780e0c-16cf-4383-8383-1e5471db6cf9 status: test description: Detects suspicious powershell process which includes bxor command, alternative obfuscation method to b64 encoded commands. -author: Sami Ruohonen, Harish Segar (improvement) +author: Sami Ruohonen, Harish Segar (improvement), Tim Shelton date: 2018/09/05 -modified: 2021/11/27 +modified: 2022/01/10 logsource: category: process_creation product: windows @@ -15,7 +15,8 @@ detection: filter: CommandLine|contains: - 'bxor' - - 'join' + - '-join ' + - '-join\'' - 'char' false_positives: ParentImage: From eaf49e36974952a9f8a311c475f39c332de5421a Mon Sep 17 00:00:00 2001 
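Review bot: Narrowing `join` to `-join ` plus a quote character reduces false positives but, if I recall the operator syntax correctly, also misses the unary form written as `-join(`, which needs no space or quote after the keyword; add `- '-join('` to the list, or replace the growing enumeration (this hunk, then `-join"` in patch 11/16 and the backtick in patch 13/16) with one regex selection such as `CommandLine|re: '-join[\s''"`(]'` (constructed, confirm against the backend's regex dialect). The value `'-join\''` on the new side is not valid YAML, an unterminated single-quoted scalar, which patch 12/16 already corrects. The `detection` block, including the `condition` that consumes `filter`, continues outside the hunk.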
From: Tim Shelton Date: Mon, 10 Jan 2022 20:44:59 +0000 Subject: [PATCH 11/16] adding double quote --- .../windows/process_creation/win_powershell_xor_commandline.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/rules/windows/process_creation/win_powershell_xor_commandline.yml b/rules/windows/process_creation/win_powershell_xor_commandline.yml index 62cd4da79..d0c2fc453 100644 --- a/rules/windows/process_creation/win_powershell_xor_commandline.yml +++ b/rules/windows/process_creation/win_powershell_xor_commandline.yml @@ -17,6 +17,7 @@ detection: - 'bxor' - '-join ' - '-join\'' + - '-join"' - 'char' false_positives: ParentImage: From 4a110e369cef3b0f4625492e3f985447a98771a3 Mon Sep 17 00:00:00 2001 From: Tim Shelton Date: Mon, 10 Jan 2022 20:45:55 +0000 Subject: [PATCH 12/16] fixing yaml --- .../windows/process_creation/win_powershell_xor_commandline.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/win_powershell_xor_commandline.yml b/rules/windows/process_creation/win_powershell_xor_commandline.yml index d0c2fc453..4a31990d8 100644 --- a/rules/windows/process_creation/win_powershell_xor_commandline.yml +++ b/rules/windows/process_creation/win_powershell_xor_commandline.yml @@ -16,7 +16,7 @@ detection: CommandLine|contains: - 'bxor' - '-join ' - - '-join\'' + - "-join'" - '-join"' - 'char' false_positives: From 4d0f62aff786a8cfc1b8c7f3316fdcbc47af3a32 Mon Sep 17 00:00:00 2001 From: Tim Shelton Date: Mon, 10 Jan 2022 20:51:28 +0000 Subject: [PATCH 13/16] adding back tick per https://docs.microsoft.com/en-us/powershell/scripting/lang-spec/chapter-02?view=powershell-7.2 --- .../windows/process_creation/win_powershell_xor_commandline.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/rules/windows/process_creation/win_powershell_xor_commandline.yml b/rules/windows/process_creation/win_powershell_xor_commandline.yml index 4a31990d8..55ed270f2 100644 
--- a/rules/windows/process_creation/win_powershell_xor_commandline.yml +++ b/rules/windows/process_creation/win_powershell_xor_commandline.yml @@ -18,6 +18,7 @@ detection: - '-join ' - "-join'" - '-join"' + - '-join`' - 'char' false_positives: ParentImage: From 90929580190025dcc0c0e82c15bb0bb1ff1916b5 Mon Sep 17 00:00:00 2001 From: frack113 Date: Mon, 10 Jan 2022 22:25:47 +0100 Subject: [PATCH 14/16] fix quote --- rules/linux/builtin/lnx_susp_dev_tcp.yml | 21 +++++++++++---------- 1 file changed, 11 insertions(+), 10 deletions(-) diff --git a/rules/linux/builtin/lnx_susp_dev_tcp.yml b/rules/linux/builtin/lnx_susp_dev_tcp.yml index 53880d80c..3c9b00d8c 100644 --- a/rules/linux/builtin/lnx_susp_dev_tcp.yml +++ b/rules/linux/builtin/lnx_susp_dev_tcp.yml @@ -8,20 +8,21 @@ references: - https://book.hacktricks.xyz/shells/shells/linux - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1046/T1046.md#atomic-test-1---port-scan date: 2021/12/10 +modified: 2022/01/10 logsource: product: linux detection: keyword: - - "cat /dev/tcp/" - - "echo >/dev/tcp/" - - "bash -i >& /dev/tcp/" - - "sh -i >& /dev/udp/" - - "0<&196;exec 196<>/dev/tcp/" - - "exec 5<>/dev/tcp/" - - "(sh)0>/dev/tcp/" - - "bash -c 'bash -i >& /dev/tcp/" - - "echo -e '#!/bin/bash\nbash -i >& /dev/tcp/" + - 'cat /dev/tcp/' + - 'echo >/dev/tcp/' + - 'bash -i >& /dev/tcp/' + - 'sh -i >& /dev/udp/' + - '0<&196;exec 196<>/dev/tcp/' + - 'exec 5<>/dev/tcp/' + - '(sh)0>/dev/tcp/' + - 'bash -c ''bash -i >& /dev/tcp/' + - 'echo -e ''#!/bin/bash\nbash -i >& /dev/tcp/' condition: 1 of keyword falsepositives: - Unknown From ff41473423659090890777b96cc795107105d9e0 Mon Sep 17 00:00:00 2001 From: Tim Shelton Date: Mon, 10 Jan 2022 22:57:14 +0000 Subject: [PATCH 15/16] filtering fp where symantec apparently performs this behavior --- rules/windows/file_event/win_fe_creation_scr_binary_file.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) 
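Review bot: Switching the last keyword to single quotes changes its value, not only its quoting: in the old double-quoted form YAML turned `\n` into a real newline, so the keyword could never match a single-line log record, whereas the new `'echo -e ''#!/bin/bash\nbash -i >& /dev/tcp/'` keeps the two literal characters `\n` as they appear in the command text. That is presumably the intended fix and is worth recording, since the commit message `fix quote` does not say so; add above the entry `# literal backslash-n, as typed on the command line; keep single quotes`. The remaining entries are unchanged in meaning by the requoting, as none of them contains an escape sequence.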
diff --git a/rules/windows/file_event/win_fe_creation_scr_binary_file.yml b/rules/windows/file_event/win_fe_creation_scr_binary_file.yml index 30dbc30b7..39444325e 100644 --- a/rules/windows/file_event/win_fe_creation_scr_binary_file.yml +++ b/rules/windows/file_event/win_fe_creation_scr_binary_file.yml @@ -8,7 +8,7 @@ author: frack113 references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.002/T1546.002.md date: 2021/12/29 -modified: 2022/01/08 +modified: 2022/01/10 logsource: product: windows category: file_event @@ -17,10 +17,11 @@ detection: TargetFilename|endswith: '.scr' filter: Image|endswith: '\Kindle.exe' + Image|endswith: '\Bin\ccSvcHst.exe' # Symantec Endpoint Protection condition: selection and not 1 of filter* falsepositives: - Unkown level: medium tags: - attack.persistence - - attack.t1546.002 \ No newline at end of file + - attack.t1546.002 From 194519eadb8ae8b45a184efc070594c64f67e682 Mon Sep 17 00:00:00 2001 From: Tim Shelton Date: Mon, 10 Jan 2022 23:00:24 +0000 Subject: [PATCH 16/16] oops, duh... --- rules/windows/file_event/win_fe_creation_scr_binary_file.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/rules/windows/file_event/win_fe_creation_scr_binary_file.yml b/rules/windows/file_event/win_fe_creation_scr_binary_file.yml index 39444325e..bc300a247 100644 --- a/rules/windows/file_event/win_fe_creation_scr_binary_file.yml +++ b/rules/windows/file_event/win_fe_creation_scr_binary_file.yml @@ -16,8 +16,9 @@ detection: selection: TargetFilename|endswith: '.scr' filter: - Image|endswith: '\Kindle.exe' - Image|endswith: '\Bin\ccSvcHst.exe' # Symantec Endpoint Protection + Image|endswith: + - '\Kindle.exe' + - '\Bin\ccSvcHst.exe' # Symantec Endpoint Protection condition: selection and not 1 of filter* falsepositives: - Unkown
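Review bot: The new `filter` list excludes on file name only, `'\Kindle.exe'` and `'\Bin\ccSvcHst.exe'`, so this persistence detection is suppressed for any image ending in those names regardless of its directory; exclusions for known products are more robust when also anchored to the product's install location, e.g. a dedicated `filter_symantec` selection combining the `endswith` with `Image|startswith: '<install path, confirm on a reference host>'`, which `condition: selection and not 1 of filter*` already accommodates. Minor: the context line `- Unkown` under `falsepositives` is a typo for `Unknown` and could be fixed while this file is being touched.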