diff --git a/rules/windows/process_creation/proc_creation_win_csvde_export.yml b/rules/windows/process_creation/proc_creation_win_csvde_export.yml
index 79a17aa52..7502db2be 100644
--- a/rules/windows/process_creation/proc_creation_win_csvde_export.yml
+++ b/rules/windows/process_creation/proc_creation_win_csvde_export.yml
@@ -1,7 +1,7 @@
 title: Active Directory Structure Export Via Csvde.EXE
 id: e5d36acd-acb4-4c6f-a13f-9eb203d50099
 status: experimental
-description: Detects execution of "csvde.exe" in order to export organizational Active Directory structure.
+description: Detects the execution of "csvde.exe" in order to export organizational Active Directory structure.
 references:
 - https://www.cybereason.com/blog/research/operation-ghostshell-novel-rat-targets-global-aerospace-and-telecoms-firms
 - https://web.archive.org/web/20180725233601/https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
diff --git a/rules/windows/process_creation/proc_creation_win_ldifde_export.yml b/rules/windows/process_creation/proc_creation_win_ldifde_export.yml
index 8bec0216e..258c699c3 100644
--- a/rules/windows/process_creation/proc_creation_win_ldifde_export.yml
+++ b/rules/windows/process_creation/proc_creation_win_ldifde_export.yml
@@ -1,7 +1,7 @@
 title: Active Directory Structure Export Via Ldifde.EXE
 id: 4f7a6757-ff79-46db-9687-66501a02d9ec
 status: experimental
-description: Detects execution of "ldifde.exe" in order to export organizational Active Directory structure.
+description: Detects the execution of "ldifde.exe" in order to export organizational Active Directory structure.
 references:
 - https://businessinsights.bitdefender.com/deep-dive-into-a-backdoordiplomacy-attack-a-study-of-an-attackers-toolkit
 - https://www.documentcloud.org/documents/5743766-Global-Threat-Report-2019.html
diff --git a/rules/windows/process_creation/proc_creation_win_ldifde_file_load.yml b/rules/windows/process_creation/proc_creation_win_ldifde_file_load.yml
index dde1563c2..b4692b468 100644
--- a/rules/windows/process_creation/proc_creation_win_ldifde_file_load.yml
+++ b/rules/windows/process_creation/proc_creation_win_ldifde_file_load.yml
@@ -28,5 +28,5 @@ detection:
 - '-f'
 condition: all of selection_*
 falsepositives:
- - Since the content of the files are Unknown, false positives are expected
+ - Since the content of the files are unknown, false positives are expected
 level: medium
diff --git a/rules/windows/process_creation/proc_creation_win_sysinternals_adexplorer_susp_execution.yml b/rules/windows/process_creation/proc_creation_win_sysinternals_adexplorer_susp_execution.yml
index 14f243210..569ab46d8 100644
--- a/rules/windows/process_creation/proc_creation_win_sysinternals_adexplorer_susp_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_sysinternals_adexplorer_susp_execution.yml
@@ -4,7 +4,7 @@ related:
 - id: 9212f354-7775-4e28-9c9f-8f0a4544e664
 type: derived
 status: experimental
-description: Detects the execution of Sysinternals ADExplorer with the "-snapshot" flag in order to save a local copy of the active directory database.
+description: Detects the execution of Sysinternals ADExplorer with the "-snapshot" flag in order to save a local copy of the active directory database to a suspicious directory.
 references:
 - https://www.documentcloud.org/documents/5743766-Global-Threat-Report-2019.html
 author: Nasreddine Bencherchali (Nextron Systems)
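Review bot: The new description in the adexplorer hunk now claims the rule fires only when the snapshot is written "to a suspicious directory", but nothing in this hunk shows a selection that constrains the output path, so the wording may overstate what the rule actually matches; the detection section lies outside the hunk, so confirm it keys on the target directory or drop the qualifier. The rule is also marked `type: derived` from another id, which suggests the path filter is what distinguishes it from its parent, and that distinction is worth stating plainly in the description rather than implying it. For consistency with the sibling rule titles in this commit, capitalise the product name: `...a local copy of the Active Directory database to a suspicious directory.`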