security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge pull request #2405 from mlp1515/sysmon_volume_shadow_copy_service_keys-false-positif

Browse Source 
False positives on sysmon_volume_shadow_copy_service_keys.yml
This commit is contained in:
frack113
2021-12-08 18:28:49 +01:00
committed by GitHub
parent f59124e0ad 2e92bdb43b
commit 61a0f1a706
1 changed files with 6 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/windows/registry_event/sysmon_volume_shadow_copy_service_keys.yml → rules/windows/registry_event/sysmon_esentutl_volume_shadow_copy_service_keys.yml
+6 -5
View File
@@ -1,9 +1,9 @@
title: Volume Shadow Copy Service Keys
title: Esentutl Volume Shadow Copy Service Keys
id: 5aad0995-46ab-41bd-a9ff-724f41114971
description: Detects the volume shadow copy service initialization and processing. Registry keys such as HKLM\\System\\CurrentControlSet\\Services\\VSS\\Diag\\VolSnap\\Volume are captured.
description: Detects the volume shadow copy service initialization and processing via esentutl. Registry keys such as HKLM\\System\\CurrentControlSet\\Services\\VSS\\Diag\\VolSnap\\Volume are captured.
status: experimental
date: 2020/10/20
modified: 2021/06/02
modified: 2021/12/08
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
tags:
- attack.credential_access
@@ -16,9 +16,10 @@ logsource:
detection:
selection:
TargetObject|contains: 'System\CurrentControlSet\Services\VSS'
Image|endswith: 'esentutl.exe' # limit esentutl as in references, too many FP to filter
filter:
TargetObject|contains: 'System\CurrentControlSet\Services\VSS\Start'
TargetObject|contains: 'System\CurrentControlSet\Services\VSS\Start'
condition: selection and not filter
falsepositives:
- Other services accessing that key or sub keys
- Unknown
level: high