diff --git a/rules/windows/network_connection/sysmon_rundll32_net_connections.yml b/rules/windows/network_connection/sysmon_rundll32_net_connections.yml
index bc9e26624..24fa51e81 100755
--- a/rules/windows/network_connection/sysmon_rundll32_net_connections.yml
+++ b/rules/windows/network_connection/sysmon_rundll32_net_connections.yml
@@ -6,7 +6,7 @@ author: Florian Roth
 references:
     - https://www.hybrid-analysis.com/sample/759fb4c0091a78c5ee035715afe3084686a8493f39014aea72dae36869de9ff6?environmentId=100
 date: 2017/11/04
-modified: 2021/11/27
+modified: 2021/12/16
 logsource:
     category: network_connection
     product: windows
@@ -15,7 +15,7 @@ detection:
         Image|endswith: '\rundll32.exe'
         Initiated: 'true'
     filter:
-        DestinationIp|startswith:
+        - DestinationIp|startswith:
             - '10.'
             - '192.168.'
             - '172.16.'
@@ -35,6 +35,8 @@ detection:
             - '172.30.'
             - '172.31.'
             - '127.'
+        - CommandLine|contains:
+            - 'PcaSvc.dll,PcaPatchSdbTask'
     condition: selection and not filter
 falsepositives:
     - Communication to other corporate systems that use IP addresses from public address spaces
diff --git a/rules/windows/registry_event/sysmon_registry_persistence_search_order.yml b/rules/windows/registry_event/sysmon_registry_persistence_search_order.yml
index 9d2c8e508..0712e079b 100755
--- a/rules/windows/registry_event/sysmon_registry_persistence_search_order.yml
+++ b/rules/windows/registry_event/sysmon_registry_persistence_search_order.yml
@@ -7,7 +7,7 @@ references:
     - https://attack.mitre.org/techniques/T1546/015/
 author: Maxime Thiebaut (@0xThiebaut), oscd.community, Cédric Hien
 date: 2020/04/14
-modified: 2021/12/03
+modified: 2021/12/16
 tags:
     - attack.persistence
     - attack.t1546.015
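Review bot: The new `CommandLine|contains` entry in the third hunk of sysmon_rundll32_net_connections.yml filters on a field that this rule's log source does not appear to provide: the rule is declared on `category: network_connection` (first hunk), and Sysmon's network connection event carries Image, Initiated and the address/port fields but no CommandLine, so unless the backend enriches network events with the process command line the new exclusion never matches and the PcaSvc false positive is not actually suppressed. If the entry is meant for enriched pipelines, state that in the rule, e.g. a comment above it: `# Needs a backend that joins CommandLine onto network_connection events; raw Sysmon network events carry no CommandLine`. Turning `filter` into a list (second hunk) makes the two entries OR'ed, which is what the condition requires, but naming them `filter_private_ip` and `filter_pcasvc` with `condition: selection and not 1 of filter*` would make that explicit and match the style of the second file in this commit. It is also worth a note in `falsepositives` that the suppression keys on a command-line substring rather than on the module path or destination, so it is broader than the one benign task it targets.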
@@ -44,6 +44,10 @@ detection:
         Image:
             - C:\WINDOWS\system32\wuauclt.exe
             - C:\WINDOWS\system32\svchost.exe
+    filter_defender:
+        Image|contains|all:
+            - 'C:\ProgramData\Microsoft\Windows Defender\Platform\'
+            - '\MsMpEng.exe'
     condition: selection and not 1 of filter*
 falsepositives:
     - Some installed utilities (i.e. OneDrive) may serve new COM objects at user-level
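Review bot: `Image|contains|all` in the new filter_defender block matches the two fragments anywhere in the path instead of anchoring them, so the exclusion is looser than it needs to be; splitting it into `Image|startswith: 'C:\ProgramData\Microsoft\Windows Defender\Platform\'` and `Image|endswith: '\MsMpEng.exe'` (two keys in one map are AND'ed in Sigma) pins the engine binary to its installation directory and file name while still allowing the versioned subfolder between them. A one-line comment on why MsMpEng.exe is expected to touch the monitored COM keys would help the next maintainer judge whether the exclusion is still needed. The `detection` block begins before this hunk.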