security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: apply suggestions from code review

Browse Source 
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
This commit is contained in:
Nasreddine Bencherchali
2023-03-15 19:27:57 +01:00
committed by GitHub
parent 3ca27207be
commit 77cd0bf6c0
4 changed files with 4 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/windows/process_creation/proc_creation_win_csvde_export.yml
+1 -1
View File
@@ -1,7 +1,7 @@
title: Active Directory Structure Export Via Csvde.EXE
id: e5d36acd-acb4-4c6f-a13f-9eb203d50099
status: experimental
description: Detects execution of "csvde.exe" in order to export organizational Active Directory structure.
description: Detects the execution of "csvde.exe" in order to export organizational Active Directory structure.
references:
- https://www.cybereason.com/blog/research/operation-ghostshell-novel-rat-targets-global-aerospace-and-telecoms-firms
- https://web.archive.org/web/20180725233601/https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
rules/windows/process_creation/proc_creation_win_ldifde_export.yml
+1 -1
View File
@@ -1,7 +1,7 @@
title: Active Directory Structure Export Via Ldifde.EXE
id: 4f7a6757-ff79-46db-9687-66501a02d9ec
status: experimental
description: Detects execution of "ldifde.exe" in order to export organizational Active Directory structure.
description: Detects the execution of "ldifde.exe" in order to export organizational Active Directory structure.
references:
- https://businessinsights.bitdefender.com/deep-dive-into-a-backdoordiplomacy-attack-a-study-of-an-attackers-toolkit
- https://www.documentcloud.org/documents/5743766-Global-Threat-Report-2019.html
rules/windows/process_creation/proc_creation_win_ldifde_file_load.yml
+1 -1
View File
@@ -28,5 +28,5 @@ detection:
- '-f'
condition: all of selection_*
falsepositives:
- Since the content of the files are Unknown, false positives are expected
- Since the content of the files are unknown, false positives are expected
level: medium
rules/windows/process_creation/proc_creation_win_sysinternals_adexplorer_susp_execution.yml
+1 -1
View File
@@ -4,7 +4,7 @@ related:
- id: 9212f354-7775-4e28-9c9f-8f0a4544e664
type: derived
status: experimental
description: Detects the execution of Sysinternals ADExplorer with the "-snapshot" flag in order to save a local copy of the active directory database.
description: Detects the execution of Sysinternals ADExplorer with the "-snapshot" flag in order to save a local copy of the active directory database to a suspicious directory.
references:
- https://www.documentcloud.org/documents/5743766-Global-Threat-Report-2019.html
author: Nasreddine Bencherchali (Nextron Systems)