Merge PR #4484 From @phantinuss - Fix FP Found In Testing

fix: Direct Syscall of NtOpenProcess - falsepositives metadata
fix: Potential Shellcode Injection - remove System.ni.dll as there are multiple FPs with ntdll.dll
fix: Suspicious Shim Database Installation via Sdbinst.EXE - FP with another sdbinst execution by svchost
phantinuss
2023-10-17 17:01:34 +02:00
committed by GitHub
parent 020fc8061f
commit 79bce2c04e
3 changed files with 8 additions and 5 deletions
@@ -79,6 +79,6 @@ detection:
TargetImage: C:\Windows\system32\svchost.exe
GrantedAccess: '0x1000'
condition: selection and not 1 of filter_main_*
filter_main_:
falsepositives:
- Unknown
level: high
@@ -4,7 +4,7 @@ status: test
description: Detects potential shellcode injection used by tools such as Metasploit's migrate and Empire's psinject
author: Bhabesh Raj
date: 2022/03/11
modified: 2022/12/20
modified: 2023/10/17
tags:
- attack.defense_evasion
- attack.privilege_escalation
@@ -61,7 +61,6 @@ detection:
SourceImage: 'C:\Windows\System32\Wbem\Wmiprvse.exe'
TargetImage: 'C:\Windows\system32\lsass.exe'
CallTrace|startswith: 'C:\Windows\SYSTEM32\ntdll.dll'
CallTrace|contains: '\System.ni.dll+'
condition: selection and not 1 of filter_*
falsepositives:
- Unknown
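Review bot: With the `CallTrace|contains: '\System.ni.dll+'` line removed, the Wmiprvse.exe → lsass.exe filter is left with only `CallTrace|startswith: 'C:\Windows\SYSTEM32\ntdll.dll'` as a trace constraint; since the first frame of a Sysmon process-access call trace is typically in ntdll.dll, the exclusion is now effectively anchored on the source/target image pair alone, which is considerably broader than before. If the false positives seen in testing share another stable frame, re-adding it as a second `CallTrace|contains:` condition would keep the exclusion narrow while still covering them. The name of this filter selection and the start of the `detection` block are outside the hunk. Independently, `falsepositives:` still reads `- Unknown` even though the commit was prompted by a concrete false positive; the same applies to the Sdbinst rule further down, whose two new svchost filters are likewise not reflected in its `falsepositives`, and a line such as `- Legitimate WmiPrvSE access to lsass.exe (see the wmiprvse filter)` would make the exclusion's intent auditable.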
@@ -11,7 +11,7 @@ references:
- https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023/08/01
modified: 2023/10/06
modified: 2023/10/17
tags:
- attack.persistence
- attack.privilege_escalation
@@ -25,10 +25,14 @@ detection:
- OriginalFileName: 'sdbinst.exe'
filter_main_legit_ext:
CommandLine|contains: '.sdb'
filter_main_svchost:
filter_main_svchost1:
ParentImage|endswith: ':\Windows\System32\svchost.exe'
Image|endswith: ':\Windows\System32\sdbinst.exe'
CommandLine|contains: ' -m -bg'
filter_main_svchost2:
ParentImage|endswith: ':\Windows\System32\svchost.exe'
Image|endswith: ':\Windows\System32\sdbinst.exe'
CommandLine|endswith: ' -mm'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
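Review bot: The two new filters are told apart only by a number (`filter_main_svchost1:` / `filter_main_svchost2:`), while the property that actually differs between them is the sdbinst argument, so naming them `filter_main_svchost_m_bg:` and `filter_main_svchost_mm:` would let a reader see the distinction directly in the `1 of filter_main_*` expansion. The repeated `ParentImage`/`Image` pair cannot be folded into one map because the argument checks use different modifiers (`contains` vs `endswith`), which is presumably deliberate; a short comment above the pair, e.g. `# svchost-launched installs seen as false positives in testing; matched on their argument form`, would record that reasoning in the rule rather than only in the commit message. The `selection` block and the `detection:` key begin before the hunk.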