diff --git a/rules/apt/apt_equationgroup_lnx.yml b/rules/apt/apt_equationgroup_lnx.yml
index 1ed7f871d..ccac67e02 100755
--- a/rules/apt/apt_equationgroup_lnx.yml
+++ b/rules/apt/apt_equationgroup_lnx.yml
@@ -68,7 +68,6 @@ detection:
 - 'chmod 755 /usr/vmsys/bin/pipe'
 - 'chmod -R 755 /usr/vmsys'
 - 'chmod 755 $opbin/*tunnel'
- - '< /dev/console | uudecode && uncompress'
 - 'chmod 700 sendmail'
 - 'chmod 0700 sendmail'
 - '/usr/bin/wget http*sendmail;chmod +x sendmail;'
diff --git a/rules/proxy/proxy_download_susp_dyndns.yml b/rules/proxy/proxy_download_susp_dyndns.yml
index 83143db4e..a4058fa04 100644
--- a/rules/proxy/proxy_download_susp_dyndns.yml
+++ b/rules/proxy/proxy_download_susp_dyndns.yml
@@ -56,7 +56,6 @@ detection:
 - '*.mooo.com'
 - '*.dns-dns.com'
 - '*.strangled.net'
- - '*.ddns.info'
 - '*.adultdns.net'
 - '*.craftx.biz'
 - '*.ddns01.com'
diff --git a/rules/proxy/proxy_download_susp_tlds_blacklist.yml b/rules/proxy/proxy_download_susp_tlds_blacklist.yml
index f91cfc2ec..bc7df9abd 100644
--- a/rules/proxy/proxy_download_susp_tlds_blacklist.yml
+++ b/rules/proxy/proxy_download_susp_tlds_blacklist.yml
@@ -53,14 +53,12 @@ detection:
 - '*.vip'
 - '*.party'
 - '*.tech'
- - '*.tech'
 - '*.xyz'
 - '*.date'
 - '*.faith'
 - '*.zip'
 - '*.cricket'
 - '*.space'
- - '*.top'
 # McAfee report
 - '*.info'
 - '*.vn'
@@ -94,7 +92,6 @@ detection:
 - '*.trade'
 - '*.accountant'
 # Spamhaus 2018 https://krebsonsecurity.com/2018/06/bad-men-at-work-please-dont-click/
- - '*.click'
 - '*.cf'
 - '*.gq'
 - '*.ml'
diff --git a/rules/windows/powershell/powershell_malicious_commandlets.yml b/rules/windows/powershell/powershell_malicious_commandlets.yml
index 7b741ebfb..d8d5205c0 100644
--- a/rules/windows/powershell/powershell_malicious_commandlets.yml
+++ b/rules/windows/powershell/powershell_malicious_commandlets.yml
@@ -54,7 +54,6 @@ detection:
 - Check-VM
 - Get-LSASecret
 - Get-PassHashes
- - Invoke-Mimikatz
 - Show-TargetScreen
 - Port-Scan
 - Invoke-PoshRatHttp
@@ -64,19 +63,13 @@ detection:
 - Add-Persistence
 - Do-Exfiltration
 - Start-CaptureServer
- - Invoke-DllInjection
- - Invoke-ReflectivePEInjection
- - Invoke-ShellCode
 - Get-ChromeDump
 - Get-ClipboardContents
 - Get-FoxDump
 - Get-IndexedItem
- - Get-Keystrokes
 - Get-Screenshot
 - Invoke-Inveigh
 - Invoke-NetRipper
- - Invoke-NinjaCopy
- - Out-Minidump
 - Invoke-EgressCheck
 - Invoke-PostExfil
 - Invoke-PSInject
@@ -84,11 +77,8 @@ detection:
 - MailRaider
 - New-HoneyHash
 - Set-MacAttribute
- - Get-VaultCredential
 - Invoke-DCSync
- - Invoke-Mimikatz
 - Invoke-PowerDump
- - Invoke-TokenManipulation
 - Exploit-Jboss
 - Invoke-ThunderStruck
 - Invoke-VoiceTroll
@@ -100,7 +90,6 @@ detection:
 - Install-SSP
 - Invoke-BackdoorLNK
 - PowerBreach
- - Get-GPPPassword
 - Get-SiteListPassword
 - Get-System
 - Invoke-BypassUAC
diff --git a/rules/windows/sysmon/sysmon_powershell_exploit_scripts.yml b/rules/windows/sysmon/sysmon_powershell_exploit_scripts.yml
index 5d0aa64b5..76d6d850e 100644
--- a/rules/windows/sysmon/sysmon_powershell_exploit_scripts.yml
+++ b/rules/windows/sysmon/sysmon_powershell_exploit_scripts.yml
@@ -55,7 +55,6 @@ detection:
 - '*\Check-VM.ps1'
 - '*\Get-LSASecret.ps1'
 - '*\Get-PassHashes.ps1'
- - '*\Invoke-Mimikatz.ps1'
 - '*\Show-TargetScreen.ps1'
 - '*\Port-Scan.ps1'
 - '*\Invoke-PoshRatHttp.ps1'
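Review bot: Removing `- Invoke-Mimikatz` in the `@@ -84,11 +77,8 @@` hunk deletes the last occurrence of that keyword visible in this rule — the `@@ -54,7 +54,6 @@` hunk on the previous line already drops the other one, and `'*\Invoke-Mimikatz.ps1'` is removed from sysmon_powershell_exploit_scripts.yml as well — so unless the keyword survives somewhere outside these hunks, this commit ends detection of a credential-dumping cmdlet rather than merely de-duplicating it. If the goal is de-duplication, keep one entry, e.g. leave `- Invoke-Mimikatz` in place in the `@@ -54` hunk; if these entries were moved to a dedicated rule, say so next to the list with a comment such as `# Invoke-Mimikatz and the PowerSploit injection/credential cmdlets are covered by a separate rule (see <rule id>)`. The same question applies to `Get-Keystrokes`, `Out-Minidump`, `Get-VaultCredential`, `Invoke-TokenManipulation` and `Get-GPPPassword`, none of which has a duplicate visible in the diff. The `detection` keywords list starts and ends outside these hunks.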