From 007a24f5695e2a1e7b9bdec8c90db779b48e9713 Mon Sep 17 00:00:00 2001
From: mlp1515
Date: Wed, 8 Dec 2021 08:49:16 +0000
Subject: [PATCH 1/2] Replace sysmon_volume_shadow_copy_service_keys.yml rule by sysmon_esentutl_volume_shadow_copy_service_keys.yml because of too many false positives

---
 ...smon_esentutl_volume_shadow_copy_service_keys.yml} | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)
 rename rules/windows/registry_event/{sysmon_volume_shadow_copy_service_keys.yml => sysmon_esentutl_volume_shadow_copy_service_keys.yml} (71%)

diff --git a/rules/windows/registry_event/sysmon_volume_shadow_copy_service_keys.yml b/rules/windows/registry_event/sysmon_esentutl_volume_shadow_copy_service_keys.yml
similarity index 71%
rename from rules/windows/registry_event/sysmon_volume_shadow_copy_service_keys.yml
rename to rules/windows/registry_event/sysmon_esentutl_volume_shadow_copy_service_keys.yml
index eb48e9352..691748fe8 100644
--- a/rules/windows/registry_event/sysmon_volume_shadow_copy_service_keys.yml
+++ b/rules/windows/registry_event/sysmon_esentutl_volume_shadow_copy_service_keys.yml
@@ -1,9 +1,9 @@
-title: Volume Shadow Copy Service Keys
+title: Esentutl Volume Shadow Copy Service Keys
 id: 5aad0995-46ab-41bd-a9ff-724f41114971
-description: Detects the volume shadow copy service initialization and processing. Registry keys such as HKLM\\System\\CurrentControlSet\\Services\\VSS\\Diag\\VolSnap\\Volume are captured.
+description: Detects the volume shadow copy service initialization and processing via esentutl. Registry keys such as HKLM\\System\\CurrentControlSet\\Services\\VSS\\Diag\\VolSnap\\Volume are captured.
 status: experimental
 date: 2020/10/20
-modified: 2021/06/02
+modified: 2021/12/08
 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
 tags:
     - attack.credential_access
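Review bot: The new `+description:` line keeps the doubled backslashes in `HKLM\\System\\CurrentControlSet\\Services\\VSS\\Diag\\VolSnap\\Volume`; in a plain (unquoted) YAML scalar a backslash is literal, so the rendered description shows two separators between every path component. Single backslashes read correctly and match the form already used in the `TargetObject|contains` values of the detection block: `description: Detects the volume shadow copy service initialization and processing via esentutl. Registry keys such as HKLM\System\CurrentControlSet\Services\VSS\Diag\VolSnap\Volume are captured.` The `tags` list this hunk opens continues past the end of the hunk.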
@@ -16,9 +16,10 @@ logsource:
 detection:
     selection:
         TargetObject|contains: 'System\CurrentControlSet\Services\VSS'
+        Image|endswith: 'esentutl.exe'
     filter:
-        TargetObject|contains: 'System\CurrentControlSet\Services\VSS\Start'
+        TargetObject|contains: 'System\CurrentControlSet\Services\VSS\Start'
     condition: selection and not filter
 falsepositives:
-    - Other services accessing that key or sub keys
+    - Unknown
 level: high

From 2e92bdb43b4f659f5961a9c60392f32ed983138b Mon Sep 17 00:00:00 2001
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Wed, 8 Dec 2021 17:25:03 +0100
Subject: [PATCH 2/2] Update sysmon_esentutl_volume_shadow_copy_service_keys.yml

---
 .../sysmon_esentutl_volume_shadow_copy_service_keys.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/windows/registry_event/sysmon_esentutl_volume_shadow_copy_service_keys.yml b/rules/windows/registry_event/sysmon_esentutl_volume_shadow_copy_service_keys.yml
index 691748fe8..0be34ed13 100644
--- a/rules/windows/registry_event/sysmon_esentutl_volume_shadow_copy_service_keys.yml
+++ b/rules/windows/registry_event/sysmon_esentutl_volume_shadow_copy_service_keys.yml
@@ -16,7 +16,7 @@ logsource:
 detection:
     selection:
         TargetObject|contains: 'System\CurrentControlSet\Services\VSS'
-        Image|endswith: 'esentutl.exe'
+        Image|endswith: 'esentutl.exe' # limit esentutl as in references, too many FP to filter
     filter:
         TargetObject|contains: 'System\CurrentControlSet\Services\VSS\Start'
     condition: selection and not filter
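Review bot: The added `Image|endswith: 'esentutl.exe'` has no path separator, so any image whose name merely ends in those characters also satisfies the selection; the usual Sigma form anchors on the file name with `Image|endswith: '\esentutl.exe'`. The same pattern is carried into the second patch's hunk (`@@ -16,7 +16,7 @@`), so the fix applies there as well. Narrowing the selection to esentutl also means other processes touching the `Services\VSS` keys no longer fire this rule while its id `5aad0995-46ab-41bd-a9ff-724f41114971` is kept, so any consumer tracking the old, broader behaviour by id silently loses that coverage; if it is still wanted at a lower level it belongs in a separate rule. The `-`/`+` pair for the `VSS\Start` filter line is textually identical here, which suggests a whitespace-only change that the collapsed hunk cannot show.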
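Review bot: The tuning rationale `# limit esentutl as in references, too many FP to filter` is placed in a YAML comment on the `Image|endswith` line, where every rule conversion drops it and analysts reading the generated query never see it; Sigma has fields for this, so the reason for restricting to esentutl belongs in `description` and the sources of noise belong under `falsepositives` instead of `- Unknown`. If the comment stays, give it two spaces before `#` and clearer wording: `Image|endswith: 'esentutl.exe'  # limited to esentutl (see references); other processes produce too many false positives to filter`. The `references` the comment points to are outside the hunk, so I cannot confirm they describe this narrowing.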