Merge branch 'aurora-false-positive-fixing' of https://github.com/SigmaHQ/sigma into aurora-false-positive-fixing

Florian Roth
2021-12-07 10:38:11 +01:00
2 changed files with 4 additions and 2 deletions
@@ -3,7 +3,7 @@ id: db809f10-56ce-4420-8c86-d6a7d793c79c
description: Raw disk access using illegitimate tools, possible defence evasion
author: Teymur Kheirkhabarov, oscd.community
date: 2019/10/22
modified: 2021/12/04
modified: 2021/12/06
references:
- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
tags:
@@ -37,6 +37,7 @@ detection:
- '\svchost.exe'
- 'C:\Windows\System32\taskhostw.exe'
- 'C:\Windows\System32\SrTasks.exe'
- 'C:\Windows\System32\dllhost.exe'
filter_3:
ProcessId: 4
condition: not filter_1 and not filter_2 and not filter_3
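Review bot: The new `'C:\Windows\System32\dllhost.exe'` entry exempts a generic host process by image path alone, and nothing in the hunk records why it is considered benign for raw disk access, so the exclusion will be hard to revisit later. dllhost.exe is Windows' COM surrogate and runs whatever COM server is loaded into it, so a path-only filter is broader than the other entries in this list suggest; if the false positive came from one specific activity, a tighter filter (for example combining the image with the ParentImage or CommandLine observed) would keep the detection intact for everything else. At minimum the entry deserves an inline note such as `# COM surrogate; excluded for FP reduction on 2021/12/06 - keep under review`, and the rule's `falsepositives` section should name the legitimate activity that triggered it. The enclosing `detection:` block and the `filter_2` key itself start above the hunk, so the field modifier applied to this list is not visible here; the same point applies to the second file's filter addition.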
@@ -7,7 +7,7 @@ tags:
- attack.t1053
- attack.t1053.005
date: 2021/06/18
modified: 2021/12/04
modified: 2021/12/06
references:
- https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/
author: Syed Hasan (@syedhasan009)
@@ -22,6 +22,7 @@ detection:
TargetObject|contains:
- 'Microsoft\Windows\UpdateOrchestrator'
- 'Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask\Index'
- 'Microsoft\Windows\Flighting\OneSettings\RefreshCache\Index'
condition: selection and not filter
falsepositives:
- Unknown
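Review bot: The `falsepositives:` list still reads `Unknown` while the filter directly above now carries three explicitly known benign task paths, including the newly added `Microsoft\Windows\Flighting\OneSettings\RefreshCache\Index`, so the rule's metadata contradicts its detection logic. The entry should be replaced with the sources the filter encodes, e.g. `- Legitimate Windows maintenance tasks (UpdateOrchestrator, SvcRestartTask, Flighting OneSettings RefreshCache)`. Because the filter uses `TargetObject|contains`, each added string suppresses any registry path containing it, so it is also worth a short comment above the list stating that matches are substring-based and should stay as specific as these three are.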