fix: FPs noticed with Aurora

Florian Roth
2021-11-28 01:16:18 +01:00
parent 91c83bbe09
commit 8f22165f26
2 changed files with 3 additions and 1 deletions
@@ -5,7 +5,7 @@ description: Detects process access LSASS memory which is typical for credential
author: Florian Roth, Roberto Rodriguez, Dimitrios Slamaris, Mark Russinovich, Thomas Patzke, Teymur Kheirkhabarov, Sherif Eldeeb, James Dickenson, Aleksey Potapov,
oscd.community (update)
date: 2017/02/16
modified: 2021/11/22
modified: 2021/11/27
references:
- https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow
- https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html
@@ -51,6 +51,7 @@ detection:
SourceImage|endswith:
- '\PROCEXP64.EXE'
- '\PROCEXP.EXE'
- 'C:\WINDOWS\system32\taskhostw.exe'
GrantedAccess: '0x1410'
filter5:
SourceImage|startswith: 'C:\ProgramData\VMware\VMware Tools\'
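Review bot: The new `'C:\WINDOWS\system32\taskhostw.exe'` entry is a full path inside a `SourceImage|endswith` list whose other members are bare image names (`'\PROCEXP64.EXE'`, `'\PROCEXP.EXE'`), and nothing in the rule records why it was added, although it exempts that process from LSASS-access alerting. The exemption here is at least bounded by the `GrantedAccess: '0x1410'` key in the same filter block, so only that access mask is filtered; the same entry added at L30 in the second file shows no such constraint within its hunk, and it is worth confirming that exclusion is scoped equally tightly rather than by image path alone. Suggest annotating the entry in both places, e.g. `# taskhostw.exe - false positives observed (Aurora)`, so a later reviewer can judge whether the exclusion is still needed. The filter this list belongs to starts outside the hunk, so its name and any other keys are not visible here.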
@@ -55,6 +55,7 @@ detection:
- 'C:\WINDOWS\system32\taskmgr.exe'
- 'C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe'
- 'C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\ctlrupdate\mbupdatr.exe'
- 'C:\WINDOWS\system32\taskhostw.exe'
# Windows Defender
filter2:
SourceImage|startswith: 'C:\ProgramData\Microsoft\Windows Defender\'
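Review bot: The file already tags exclusion stanzas with a source comment (`# Windows Defender` above `filter2`), but the added `'C:\WINDOWS\system32\taskhostw.exe'` entry carries none, so the reason for filtering a core Windows binary out of this detection is lost once the commit message is out of sight. A one-line comment in the same style, `# taskhostw.exe - false positives observed (Aurora)`, placed directly above the new list item would keep the convention. The enclosing filter key and any `GrantedAccess` constraint for this list begin before the hunk, so whether the exclusion is access-mask-scoped cannot be seen here.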