From c0bda80e3e0eccc1cbe3a8ea839404f69cc9b0c6 Mon Sep 17 00:00:00 2001 From: fornotes <125354166+fornotes@users.noreply.github.com> Date: Tue, 14 Feb 2023 15:06:53 +0530 Subject: [PATCH 1/9] Added file_event_win_storsvc_dll_hijack.yml --- .../file_event_win_storsvc_dll_hijack.yml | 21 +++++++++++++++++++ 1 file changed, 21 insertions(+) create mode 100644 rules/windows/file/file_event/file_event_win_storsvc_dll_hijack.yml diff --git a/rules/windows/file/file_event/file_event_win_storsvc_dll_hijack.yml b/rules/windows/file/file_event/file_event_win_storsvc_dll_hijack.yml new file mode 100644 index 000000000..df17c4894 --- /dev/null +++ b/rules/windows/file/file_event/file_event_win_storsvc_dll_hijack.yml @@ -0,0 +1,21 @@ +title: LPE via StorSvc DLL Hijack +id: 4c009dbf-a5b6-44ac-94e1-eb918d81c997 +status: experimental +description: StorSvc service tries to load a missing named SprintCSP.dll DLL when SvcRebootToFlashingMode RPC method is called. +references: + - https://github.com/blackarrowsec/redteam-research/tree/master/LPE%20via%20StorSvc +author: fornotes +date: 2023/02/14 +tags: + - attack.privilege_escalation + - attack.t1574.002 +logsource: + category: file_event + product: windows +detection: + selection: + TargetFilename|endswith: 'SprintCSP.dll' + condition: selection +falsepositives: + - Unknown +level: Medium \ No newline at end of file From cbbf443eb56384283c8f55765ff741f1c4ab2ce8 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Tue, 14 Feb 2023 19:57:26 +0100 Subject: [PATCH 2/9] feat: add localpotato binary rule --- .../proc_creation_win_hktl_localpotato.yml | 35 +++++++++++++++++++ 1 file changed, 35 insertions(+) create mode 100644 rules/windows/process_creation/proc_creation_win_hktl_localpotato.yml 
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_localpotato.yml b/rules/windows/process_creation/proc_creation_win_hktl_localpotato.yml
new file mode 100644
index 000000000..3dd224222
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_hktl_localpotato.yml
@@ -0,0 +1,35 @@
+title: HackTool - LocalPotato Execution
+id: 6bd75993-9888-4f91-9404-e1e4e4e34b77
+status: experimental
+description: Detects the execution of the LocalPotato POC based on basic PE metadata information and default CLI examples
+references:
+ - https://www.localpotato.com/localpotato_html/LocalPotato.html
+ - https://github.com/decoder-it/LocalPotato
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/02/14
+tags:
+ - attack.defense_evasion
+ - attack.privilege_escalation
+ - cve.2023.21746
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection_img:
+ Image|endswith: '\LocalPotato.exe'
+ selection_cli:
+ CommandLine|contains|all:
+ - '.exe -i C:\'
+ - '-o Windows\'
+ selection_hash_plain:
+ Hashes|contains:
+ - 'IMPHASH=E1742EE971D6549E8D4D81115F88F1FC'
+ - 'IMPHASH=DD82066EFBA94D7556EF582F247C8BB5'
+ selection_hash_ext:
+ Imphash:
+ - 'E1742EE971D6549E8D4D81115F88F1FC'
+ - 'DD82066EFBA94D7556EF582F247C8BB5'
+ condition: 1 of selection_*
+falsepositives:
+ - Unlikely
+level: high
From ff4242daddb07721e8dcb1659063fedf4a3271fa Mon Sep 17 00:00:00 2001 
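Review bot: `selection_img` and the two imphash selections pin this rule to the unmodified public build — renaming or recompiling LocalPotato changes both the image name and the import hash — so only `selection_cli` survives a trivially modified copy, and that one depends on the operator keeping the documented `-i C:\... -o Windows\...` argument shape. The description should state that limitation instead of implying PE metadata covers the tool generally, e.g. `Detects execution of the public LocalPotato POC (CVE-2023-21746) by its default binary name, import hash or documented command line; renamed or recompiled builds are only caught by the command-line selection`. The tags carry two tactics but no technique; as the CVE is exploited for local privilege escalation, `- attack.t1068` belongs next to `attack.privilege_escalation`.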
From: Moti-H <44621162+Moti-H@users.noreply.github.com> Date: Wed, 15 Feb 2023 13:29:53 +0200 Subject: [PATCH 3/9] feat: add new application vulnerability rules (#4034) --- ...va_jndi_injection_exploitation_attempt.yml | 24 ++++++++++++++++ .../application/jvm/java_local_file_read.yml | 26 +++++++++++++++++ ...va_ognl_injection_exploitation_attempt.yml | 28 +++++++++++++++++++ .../jvm/java_rce_exploitation_attempt.yml | 24 ++++++++++++++++ .../jvm/java_xxe_exploitation_attempt.yml | 25 +++++++++++++++++ .../nodejs_rce_exploitation_attempt.yml | 22 +++++++++++++++ ....yml => spring_application_exceptions.yml} | 0 .../spring/spring_spel_injection.yml | 23 +++++++++++++++ .../sql/app_sqlinjection_errors.yml | 5 ++-- .../velocity/velocity_ssti_injection.yml | 26 +++++++++++++++++ tests/logsource.json | 24 ++++++++++++++++ 11 files changed, 225 insertions(+), 2 deletions(-) create mode 100644 rules/application/jvm/java_jndi_injection_exploitation_attempt.yml create mode 100644 rules/application/jvm/java_local_file_read.yml create mode 100644 rules/application/jvm/java_ognl_injection_exploitation_attempt.yml create mode 100644 rules/application/jvm/java_rce_exploitation_attempt.yml create mode 100644 rules/application/jvm/java_xxe_exploitation_attempt.yml create mode 100644 rules/application/nodejs/nodejs_rce_exploitation_attempt.yml rename rules/application/spring/{appframework_spring_exceptions.yml => spring_application_exceptions.yml} (100%) create mode 100644 rules/application/spring/spring_spel_injection.yml create mode 100644 rules/application/velocity/velocity_ssti_injection.yml diff --git a/rules/application/jvm/java_jndi_injection_exploitation_attempt.yml b/rules/application/jvm/java_jndi_injection_exploitation_attempt.yml new file mode 100644 index 000000000..cbe9ce0dc --- /dev/null +++ b/rules/application/jvm/java_jndi_injection_exploitation_attempt.yml 
@@ -0,0 +1,24 @@ +title: Potential JNDI Injection Exploitation In JVM Based Application +id: bb0e9cec-d4da-46f5-997f-22efc59f3dca +status: experimental +description: Detects potential JNDI Injection exploitation. Often coupled with Log4Shell exploitation. +references: + - https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs + - https://secariolabs.com/research/analysing-and-reproducing-poc-for-log4j-2-15-0 +author: Moti Harmats +date: 2023/02/11 +tags: + - attack.initial_access + - attack.t1190 +logsource: + category: application + product: jvm + definition: 'Requirements: application error logs must be collected (with LOG_LEVEL=ERROR and above)' +detection: + keywords: + - 'com.sun.jndi.ldap.' + - 'org.apache.logging.log4j.core.net.JndiManager' + condition: keywords +falsepositives: + - Application bugs +level: high diff --git a/rules/application/jvm/java_local_file_read.yml b/rules/application/jvm/java_local_file_read.yml new file mode 100644 index 000000000..ce63649eb --- /dev/null +++ b/rules/application/jvm/java_local_file_read.yml @@ -0,0 +1,26 @@ +title: Potential Local File Read Vulnerability In JVM Based Application +id: e032f5bc-4563-4096-ae3b-064bab588685 +status: experimental +description: | + Detects potential local file read vulnerability in JVM based apps. + If the exceptions are caused due to user input and contain path traversal payloads then it's a red flag. +references: + - https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs +author: Moti Harmats +date: 2023/02/11 +tags: + - attack.initial_access + - attack.t1190 +logsource: + category: application + product: jvm + definition: 'Requirements: application error logs must be collected (with LOG_LEVEL=ERROR and above)' +detection: + keywords_local_file_read: + '|all': + - 'FileNotFoundException' + - '/../../..' + condition: keywords_local_file_read +falsepositives: + - Application bugs +level: high 
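Review bot: `com.sun.jndi.ldap.` is the package prefix of the JDK's ordinary LDAP provider, so any application that performs directory lookups or LDAP authentication writes that string into stack traces on every connection or bind failure; with `level: high` on a bare keyword rule, `Application bugs` does not prepare an analyst for that, and the falsepositives list should name it, e.g. `- Applications that use JNDI/LDAP for directory access or authentication`. The same Log4Shell payloads commonly use the RMI provider as well, which this keyword list does not cover; if that is intended coverage, add `- 'com.sun.jndi.rmi.'` next to the LDAP entry.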
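Review bot: The `'/../../..'` keyword only matches three or more forward-slash traversal steps, so a two-level `../..` escape, or the `..\..` form produced when the JVM runs on Windows, raises a FileNotFoundException this rule never sees. Because `|all` requires every listed term, the traversal variants cannot simply be appended to that list; splitting the detection into an exception group and a traversal group and AND-ing them in the condition expresses "exception AND any traversal form". Whether the backslash form matters depends on the deployment, which the rule cannot know, so it is a cheap addition rather than a required one.
```yaml
detection:
  keywords_exception:
    - 'FileNotFoundException'
  keywords_traversal:
    - '/../..'
    - '\..\..'
  condition: keywords_exception and keywords_traversal
```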
diff --git a/rules/application/jvm/java_ognl_injection_exploitation_attempt.yml b/rules/application/jvm/java_ognl_injection_exploitation_attempt.yml new file mode 100644 index 000000000..fa109bcf2 --- /dev/null +++ b/rules/application/jvm/java_ognl_injection_exploitation_attempt.yml @@ -0,0 +1,28 @@ +title: Potential OGNL Injection Exploitation In JVM Based Application +id: 4d0af518-828e-4a04-a751-a7d03f3046ad +status: experimental +description: | + Detects potential OGNL Injection exploitation, which may lead to RCE. + OGNL is an expression language that is supported in many JVM based systems. + OGNL Injection is the reason for some high profile RCE's such as Apache Struts (CVE-2017-5638) and Confluence (CVE-2022-26134) +references: + - https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs +author: Moti Harmats +date: 2023/02/11 +tags: + - attack.initial_access + - attack.t1190 + - cve.2017.5638 + - cve.2022.26134 +logsource: + category: application + product: jvm + definition: 'Requirements: application error logs must be collected (with LOG_LEVEL=ERROR and above)' +detection: + keywords: + - 'org.apache.commons.ognl.OgnlException' + - 'ExpressionSyntaxException' + condition: keywords +falsepositives: + - Application bugs +level: high diff --git a/rules/application/jvm/java_rce_exploitation_attempt.yml b/rules/application/jvm/java_rce_exploitation_attempt.yml new file mode 100644 index 000000000..c350a2e70 --- /dev/null +++ b/rules/application/jvm/java_rce_exploitation_attempt.yml 
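Review bot: To my recollection the OGNL implementation used by Struts 2 and Confluence lives in the standalone `ognl` package (`ognl.OgnlException`), while `org.apache.commons.ognl` is a separate, little-used fork; if so, the first keyword would not match the stack traces of either CVE named in the tags. Replacing it with `- 'ognl.OgnlException'` loses nothing, since that string is a substring of `org.apache.commons.ognl.OgnlException` and so still matches the commons variant. The bare `ExpressionSyntaxException` entry is a class name with no package and will match other expression engines that use the same name, which the falsepositives entry could acknowledge.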
@@ -0,0 +1,24 @@ +title: Process Execution Error In JVM Based Application +id: d65f37da-a26a-48f8-8159-3dde96680ad2 +status: experimental +description: Detects process execution related exceptions in JVM based apps, often relates to RCE +references: + - https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs +author: Moti Harmats +date: 2023/02/11 +tags: + - attack.initial_access + - attack.t1190 +logsource: + category: application + product: jvm + definition: 'Requirements: application error logs must be collected (with LOG_LEVEL=ERROR and above)' +detection: + keywords: + - 'Cannot run program' + - 'java.lang.ProcessImpl' + - 'java.lang.ProcessBuilder' + condition: keywords +falsepositives: + - Application bugs +level: high diff --git a/rules/application/jvm/java_xxe_exploitation_attempt.yml b/rules/application/jvm/java_xxe_exploitation_attempt.yml new file mode 100644 index 000000000..b129ff2ec --- /dev/null +++ b/rules/application/jvm/java_xxe_exploitation_attempt.yml 
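Review bot: Any service that legitimately launches subprocesses (image converters, git, shell helpers) logs `Cannot run program` together with `java.lang.ProcessBuilder` frames whenever a binary is missing or not executable, so on such a service this rule fires at `level: high` on every ordinary failure, yet the only listed false positive is `Application bugs`. The NodeJS sibling in this series names its Puppeteer case concretely; mirror that here, e.g. `- Applications that legitimately spawn processes (converters, git, shell helpers) log these exceptions on ordinary failures`. The description could also say, as the nodejs rule does, that the signal is the exception combined with user-controlled input, since the keywords alone do not distinguish the two.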
@@ -0,0 +1,25 @@ +title: Potential XXE Exploitation Attempt In JVM Based Application +id: c4e06896-e27c-4583-95ac-91ce2279345d +status: experimental +description: Detects XML parsing issues, if the application expects to work with XML make sure that the parser is initialized safely. +references: + - https://rules.sonarsource.com/java/RSPEC-2755 + - https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing + - https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs +author: Moti Harmats +date: 2023/02/11 +tags: + - attack.initial_access + - attack.t1190 +logsource: + category: application + product: jvm + definition: 'Requirements: application error logs must be collected (with LOG_LEVEL=ERROR and above)' +detection: + keywords: + - 'SAXParseException' + - 'DOMException' + condition: keywords +falsepositives: + - If the application expects to work with XML there may be parsing issues that don't neccecarily mean XXE. +level: high diff --git a/rules/application/nodejs/nodejs_rce_exploitation_attempt.yml b/rules/application/nodejs/nodejs_rce_exploitation_attempt.yml new file mode 100644 index 000000000..a5426932c --- /dev/null +++ b/rules/application/nodejs/nodejs_rce_exploitation_attempt.yml 
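Review bot: `SAXParseException` and `DOMException` are raised on any malformed XML or DOM manipulation error, with nothing that ties them to external entities, so `level: high` on these two keywords will alert on ordinary bad input for every XML-consuming service; the falsepositives entry concedes this, which argues for `level: medium` or for a more specific keyword. If the parser is hardened as the description asks, an XXE probe presumably surfaces as a SAXParseException whose message says that DOCTYPE is disallowed — a keyword along the lines of `- 'DOCTYPE is disallowed'` would be a much stronger signal, after confirming the exact wording against the parser in use. Minor: `neccecarily` in the falsepositives text should read `necessarily`.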
@@ -0,0 +1,22 @@ +title: Potential RCE Exploitation Attempt In NodeJS +id: 97661d9d-2beb-4630-b423-68985291a8af +status: experimental +description: Detects process execution related errors in NodeJS. If the exceptions are caused due to user input then they may suggest an RCE vulnerability. +references: + - https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs +author: Moti Harmats +date: 2023/02/11 +tags: + - attack.initial_access + - attack.t1190 +logsource: + category: application + product: nodejs + definition: 'Requirements: application error logs must be collected (with LOG_LEVEL=ERROR and above)' +detection: + keywords: + - 'node:child_process' + condition: keywords +falsepositives: + - Puppeteer invocation exceptions often contain child_process related errors, that doesn't necessarily mean that the app is vulnerable. +level: high diff --git a/rules/application/spring/appframework_spring_exceptions.yml b/rules/application/spring/spring_application_exceptions.yml similarity index 100% rename from rules/application/spring/appframework_spring_exceptions.yml rename to rules/application/spring/spring_application_exceptions.yml diff --git a/rules/application/spring/spring_spel_injection.yml b/rules/application/spring/spring_spel_injection.yml new file mode 100644 index 000000000..6176cb517 --- /dev/null +++ b/rules/application/spring/spring_spel_injection.yml 
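Review bot: The single keyword `node:child_process` only matches frames from the public module; to my recollection, spawn failures such as ENOENT are reported from `node:internal/child_process`, which does not contain that substring, and Node versions predating the `node:` scheme print `internal/child_process.js`. Adding `- 'internal/child_process'` beside the existing entry covers both cases without widening the match much; verify against a real ENOENT trace on the Node version in production. The Puppeteer false-positive entry is the kind of concrete caveat the JVM RCE rule in this series is missing.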
@@ -0,0 +1,23 @@ +title: Potential SpEL Injection In Spring Framework +id: e9edd087-89d8-48c9-b0b4-5b9bb10896b8 +status: experimental +description: Detects potential SpEL Injection exploitation, which may lead to RCE. +references: + - https://owasp.org/www-community/vulnerabilities/Expression_Language_Injection + - https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs +author: Moti Harmats +date: 2023/02/11 +tags: + - attack.initial_access + - attack.t1190 +logsource: + category: application + product: spring + definition: 'Requirements: application error logs must be collected (with LOG_LEVEL=ERROR and above)' +detection: + keywords: + - 'org.springframework.expression.ExpressionException' + condition: keywords +falsepositives: + - Application bugs +level: high diff --git a/rules/application/sql/app_sqlinjection_errors.yml b/rules/application/sql/app_sqlinjection_errors.yml index f9f4a9be4..f7447aefb 100644 --- a/rules/application/sql/app_sqlinjection_errors.yml +++ b/rules/application/sql/app_sqlinjection_errors.yml @@ -6,13 +6,14 @@ references: - http://www.sqlinjection.net/errors author: Bjoern Kimminich date: 2017/11/27 -modified: 2021/11/27 +modified: 2023/02/12 tags: - attack.initial_access - attack.t1190 logsource: category: application product: sql + definition: 'Requirements: application error logs must be collected (with LOG_LEVEL ERROR and above)' detection: keywords: # Oracle @@ -26,5 +27,5 @@ detection: - SELECTs to the left and right of UNION do not have the same number of result columns condition: keywords falsepositives: - - Application bugs + - A syntax error in MySQL also occurs in non-dynamic (safe) queries if there is an empty in() clause, that may often be the case. level: high diff --git a/rules/application/velocity/velocity_ssti_injection.yml b/rules/application/velocity/velocity_ssti_injection.yml new file mode 100644 index 000000000..70373fb24 --- /dev/null 
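Review bot: `org.springframework.expression.ExpressionException` is the base class; what SpEL actually throws is `org.springframework.expression.spel.SpelEvaluationException` or `SpelParseException`, and a log line or stack trace prints the concrete class, whose fully qualified name does not contain the base-class string, so as written the rule will rarely match. Use the package prefix instead, `- 'org.springframework.expression.spel.'`, or list the two concrete classes. The `EL1xxxE` message codes those exceptions carry are another specific anchor if the prefix proves too broad.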
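Review bot: The added `definition` reads `LOG_LEVEL ERROR` while every new rule in this series writes `LOG_LEVEL=ERROR`; aligning it to `definition: 'Requirements: application error logs must be collected (with LOG_LEVEL=ERROR and above)'` keeps the logsource requirement greppable as a single phrase across the application rules. Otherwise this hunk is metadata only.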
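Review bot: The new falsepositives sentence is hard to parse on first read; `- Empty IN() clauses in static (non-dynamic) MySQL queries raise the same syntax error and are common` says the same thing in one clause. The replaced `Application bugs` bullet still applies — malformed queries from ordinary bugs, not injection, produce every error in the keyword list — so it is better kept as a second entry than dropped.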
+++ b/rules/application/velocity/velocity_ssti_injection.yml @@ -0,0 +1,26 @@ +title: Potential Server Side Template Injection In Velocity +id: 16c86189-b556-4ee8-b4c7-7e350a195a4f +status: experimental +description: Detects exceptions in velocity template renderer, this most likely happens due to dynamic rendering of user input and may lead to RCE. +references: + - https://antgarsil.github.io/posts/velocity/ + - https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs +author: Moti Harmats +date: 2023/02/11 +tags: + - attack.initial_access + - attack.t1190 +logsource: + category: application + product: velocity + definition: 'Requirements: application error logs must be collected (with LOG_LEVEL=ERROR and above)' +detection: + keywords: + - 'ParseErrorException' + - 'VelocityException' + - 'TemplateInitException' + condition: keywords +falsepositives: + - Application bugs + - Missing .vm files +level: high diff --git a/tests/logsource.json b/tests/logsource.json index 7e05d1e34..a3f8d50e6 100644 --- a/tests/logsource.json +++ b/tests/logsource.json @@ -236,6 +236,30 @@ }, "service":{} }, + "jvm":{ + "commun": [], + "empty": [], + "category":{ + "application":[] + }, + "service":{} + }, + "nodejs":{ + "commun": [], + "empty": [], + "category":{ + "application":[] + }, + "service":{} + }, + "velocity":{ + "commun": [], + "empty": [], + "category":{ + "application":[] + }, + "service":{} + }, "aws":{ "commun": [], "empty": [], From 96d774babd0e6c8381cf3284e0a9575889653fad Mon Sep 17 00:00:00 2001 From: fornotes <125354166+fornotes@users.noreply.github.com> Date: Wed, 15 Feb 2023 11:29:57 +0000 Subject: [PATCH 4/9] removed file_event_win_storsvc_dll_hijack.yml as suggested by nasbench --- .../file_event_win_storsvc_dll_hijack.yml | 21 ------------------- 1 file changed, 21 deletions(-) delete mode 100644 rules/windows/file/file_event/file_event_win_storsvc_dll_hijack.yml 
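Review bot: All three keywords are exception class names, so the rule only sees template-injection probes that fail to render; a payload that parses and evaluates cleanly — the actual RCE case — produces no exception and no alert. The description should say so, e.g. `Detects failed or malformed template evaluations in Velocity; a successful injection leaves no exception, so this catches probing rather than exploitation`. As far as I recall `VelocityException` is also the base of `ResourceNotFoundException` and `MethodInvocationException`, which is why the missing-.vm false positive exists; naming runtime errors inside legitimate templates as a second false-positive entry would be accurate.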
diff --git a/rules/windows/file/file_event/file_event_win_storsvc_dll_hijack.yml b/rules/windows/file/file_event/file_event_win_storsvc_dll_hijack.yml deleted file mode 100644 index df17c4894..000000000 --- a/rules/windows/file/file_event/file_event_win_storsvc_dll_hijack.yml +++ /dev/null @@ -1,21 +0,0 @@ -title: LPE via StorSvc DLL Hijack -id: 4c009dbf-a5b6-44ac-94e1-eb918d81c997 -status: experimental -description: StorSvc service tries to load a missing named SprintCSP.dll DLL when SvcRebootToFlashingMode RPC method is called. -references: - - https://github.com/blackarrowsec/redteam-research/tree/master/LPE%20via%20StorSvc -author: fornotes -date: 2023/02/14 -tags: - - attack.privilege_escalation - - attack.t1574.002 -logsource: - category: file_event - product: windows -detection: - selection: - TargetFilename|endswith: 'SprintCSP.dll' - condition: selection -falsepositives: - - Unknown -level: Medium \ No newline at end of file From 8876b4ba016fb07eaedc7bf67f3666291fe0efb1 Mon Sep 17 00:00:00 2001 From: fornotes <125354166+fornotes@users.noreply.github.com> Date: Wed, 15 Feb 2023 11:37:18 +0000 Subject: [PATCH 5/9] added SprintCSP.dll for StorSvc DLL Hijack --- .../file/file_event/file_event_win_create_non_existent_dlls.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/rules/windows/file/file_event/file_event_win_create_non_existent_dlls.yml b/rules/windows/file/file_event/file_event_win_create_non_existent_dlls.yml index ebf54c4c2..76944cc3c 100644 --- a/rules/windows/file/file_event/file_event_win_create_non_existent_dlls.yml +++ b/rules/windows/file/file_event/file_event_win_create_non_existent_dlls.yml 
@@ -11,6 +11,7 @@ references: - https://clement.notin.org/blog/2020/09/12/CVE-2020-7315-McAfee-Agent-DLL-injection/ - https://github.com/Wh04m1001/SysmonEoP - https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/ + - https://github.com/blackarrowsec/redteam-research/tree/master/LPE%20via%20StorSvc author: Nasreddine Bencherchali (Nextron Systems) date: 2022/12/01 modified: 2022/12/09 @@ -30,6 +31,7 @@ detection: - 'C:\Windows\System32\TSMSISrv.dll' - 'C:\Windows\System32\TSVIPSrv.dll' - 'C:\Windows\System32\wow64log.dll' + TargetFileName|endswith: '\SprintCSP.dll' filter: Image|startswith: 'C:\Windows\System32\' condition: selection and not filter From c99d1f1876b5f4a1dc6ca8454fd436d5eaa20474 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Wed, 15 Feb 2023 13:25:59 +0100 Subject: [PATCH 6/9] fix: add some missing fields --- .../file_event_win_create_non_existent_dlls.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/rules/windows/file/file_event/file_event_win_create_non_existent_dlls.yml b/rules/windows/file/file_event/file_event_win_create_non_existent_dlls.yml index 76944cc3c..76f00405a 100644 --- a/rules/windows/file/file_event/file_event_win_create_non_existent_dlls.yml +++ b/rules/windows/file/file_event/file_event_win_create_non_existent_dlls.yml @@ -12,9 +12,9 @@ references: - https://github.com/Wh04m1001/SysmonEoP - https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/ - https://github.com/blackarrowsec/redteam-research/tree/master/LPE%20via%20StorSvc -author: Nasreddine Bencherchali (Nextron Systems) +author: Nasreddine Bencherchali (Nextron Systems), fornotes date: 2022/12/01 -modified: 2022/12/09 +modified: 2023/02/15 tags: - attack.defense_evasion - attack.persistence 
@@ -26,12 +26,12 @@ logsource: category: file_event detection: selection: - TargetFilename: + - TargetFilename: - 'C:\Windows\System32\WLBSCTRL.dll' - 'C:\Windows\System32\TSMSISrv.dll' - 'C:\Windows\System32\TSVIPSrv.dll' - 'C:\Windows\System32\wow64log.dll' - TargetFileName|endswith: '\SprintCSP.dll' + - TargetFileName|endswith: '\SprintCSP.dll' filter: Image|startswith: 'C:\Windows\System32\' condition: selection and not filter From 2fd43cbe82ead9bda9879a35ac2f9cbea856a951 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Wed, 15 Feb 2023 13:27:56 +0100 Subject: [PATCH 7/9] fix: typo in field --- .../file/file_event/file_event_win_create_non_existent_dlls.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/file/file_event/file_event_win_create_non_existent_dlls.yml b/rules/windows/file/file_event/file_event_win_create_non_existent_dlls.yml index 76f00405a..b9bc0a90f 100644 --- a/rules/windows/file/file_event/file_event_win_create_non_existent_dlls.yml +++ b/rules/windows/file/file_event/file_event_win_create_non_existent_dlls.yml @@ -31,7 +31,7 @@ detection: - 'C:\Windows\System32\TSMSISrv.dll' - 'C:\Windows\System32\TSVIPSrv.dll' - 'C:\Windows\System32\wow64log.dll' - - TargetFileName|endswith: '\SprintCSP.dll' + - TargetFilename|endswith: '\SprintCSP.dll' filter: Image|startswith: 'C:\Windows\System32\' condition: selection and not filter From 33207aa7abef709df825ab211564fd4812bfb3d6 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Wed, 15 Feb 2023 13:37:05 +0100 Subject: [PATCH 8/9] fix: change link to permalink --- .../file/file_event/file_event_win_create_non_existent_dlls.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
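Review bot: The SprintCSP entry is now the only one in the list matched by `|endswith` rather than a full `C:\Windows\System32\` path, so a `SprintCSP.dll` created in any directory — a user's temp folder, an installer's staging area — fires this rule while its four siblings are pinned to the system directory. If, as the referenced research presumably describes, StorSvc resolves the DLL from the system directory, `- 'C:\Windows\System32\SprintCSP.dll'` in the existing list would be consistent with the rule and cut that noise; keep `endswith` only if the search order genuinely reaches other paths. The `filter` on `Image|startswith: 'C:\Windows\System32\'` also suppresses the drop when a System32-hosted process performs the write on an attacker's behalf, which looks like a deliberate trade-off worth a one-line comment above the filter.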
diff --git a/rules/windows/file/file_event/file_event_win_create_non_existent_dlls.yml b/rules/windows/file/file_event/file_event_win_create_non_existent_dlls.yml index b9bc0a90f..98958712e 100644 --- a/rules/windows/file/file_event/file_event_win_create_non_existent_dlls.yml +++ b/rules/windows/file/file_event/file_event_win_create_non_existent_dlls.yml @@ -11,7 +11,7 @@ references: - https://clement.notin.org/blog/2020/09/12/CVE-2020-7315-McAfee-Agent-DLL-injection/ - https://github.com/Wh04m1001/SysmonEoP - https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/ - - https://github.com/blackarrowsec/redteam-research/tree/master/LPE%20via%20StorSvc + - https://github.com/blackarrowsec/redteam-research/tree/26e6fc0c0d30d364758fa11c2922064a9a7fd309/LPE%20via%20StorSvc author: Nasreddine Bencherchali (Nextron Systems), fornotes date: 2022/12/01 modified: 2023/02/15 From 39e957d7ee700ec27b3e7bcd796e57e4fc444854 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Wed, 15 Feb 2023 19:11:39 +0100 Subject: [PATCH 9/9] fix: update title --- .../file/file_event/file_event_win_create_non_existent_dlls.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/file/file_event/file_event_win_create_non_existent_dlls.yml b/rules/windows/file/file_event/file_event_win_create_non_existent_dlls.yml index 98958712e..8f20d72ee 100644 --- a/rules/windows/file/file_event/file_event_win_create_non_existent_dlls.yml +++ b/rules/windows/file/file_event/file_event_win_create_non_existent_dlls.yml @@ -1,4 +1,4 @@ -title: Creation Of Non-Existent DLLs In System Folders +title: Creation Of Non-Existent System DLL id: df6ecb8b-7822-4f4b-b412-08f524b4576c related: - id: 6b98b92b-4f00-4f62-b4fe-4d1920215771