Merge branch 'rule-devel' of https://github.com/SigmaHQ/sigma into rule-devel

Florian Roth
2022-10-11 11:40:07 +02:00
3 changed files with 4 additions and 27 deletions
@@ -1,24 +0,0 @@
title: PCHunter Execution
id: df5daa7b-c2d5-4a4d-972b-5f85febe56bc
status: experimental
description: Detects the execution PCHunter based on image and Original File Name fields.
references:
- http://www.xuetr.com/
- https://www.hexacorn.com/blog/2018/04/20/kernel-hacking-tool-you-might-have-never-heard-of-xuetr-pchunter/
author: Nasreddine Bencherchali
date: 2022/10/05
tags:
- attack.defense_evasion
logsource:
category: process_creation
product: windows
detection:
selection:
- Image|endswith:
- '\PCHunter32.exe'
- '\PCHunter64.exe'
- OriginalFileName: 'PCHunter.exe'
condition: selection
falsepositives:
- Unlikely
level: high
@@ -5,7 +5,8 @@ status: experimental
references:
- http://www.xuetr.com/
- https://www.crowdstrike.com/blog/falcon-overwatch-report-finds-increase-in-ecrime/
author: Florian Roth
- https://www.hexacorn.com/blog/2018/04/20/kernel-hacking-tool-you-might-have-never-heard-of-xuetr-pchunter/
author: Florian Roth, Nasreddine Bencherchali
date: 2022/10/10
logsource:
category: process_creation
@@ -19,7 +20,7 @@ detection:
- OriginalFileName: 'PCHunter.exe'
- Description: 'Epoolsoft Windows Information View Tools'
selection_hashes:
- Hashes|contains:
Hashes|contains:
- 'SHA1=5F1CBC3D99558307BC1250D084FA968521482025'
- 'MD5=987B65CD9B9F4E9A1AFD8F8B48CF64A7'
- 'SHA256=2B214BDDAAB130C274DE6204AF6DBA5AEEC7433DA99AA950022FA306421A6D32'
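Review bot: The `selection_hashes` block carries no comment saying what its three digests actually cover: they pin one specific PCHunter build, so a recompiled or repacked binary passes this selection untouched, and a `Hashes|contains` match on an `MD5=`/`SHA1=` entry only fires if the log source (presumably Sysmon, given the `ALG=hex` format) is configured to emit that algorithm — a collector recording only SHA256 will match just the third entry. Add above `selection_hashes:` the comment `# Hashes pin a single known build and depend on which algorithms the log source records; the image/metadata selection is the primary detection`. The rule's `condition` is outside this hunk, so whether `selection_hashes` is OR-ed with `selection` cannot be confirmed here; the `+`/`-` markers are also lost in rendering, so the direction of the `- Hashes|contains:` / `Hashes|contains:` restructuring is inferred rather than certain. The Process Hacker hunk at the bottom of this page makes the same restructuring on its own `selection_hashes` block and would take the same comment.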
@@ -20,7 +20,7 @@ detection:
- Description: 'Process Hacker'
- Product: 'Process Hacker'
selection_hashes:
- Hashes|contains:
Hashes|contains:
- 'MD5=68F9B52895F4D34E74112F3129B3B00D'
- 'SHA1=C5E2018BF7C0F314FED4FD7FE7E69FA2E648359E'
- 'SHA256=D4A0FE56316A2C45B9BA9AC1005363309A3EDC7ACF9E4DF64D326A0FF273E80F'