fix: FPs found in production environment

This commit is contained in:
phantinuss
2023-04-27 16:40:07 +02:00
parent cf585abe51
commit 941d02dbe5
2 changed files with 9 additions and 10 deletions
@@ -7,7 +7,7 @@ references:
- https://twitter.com/SBousseaden/status/1483810148602814466
- https://github.com/MicrosoftDocs/windows-itpro-docs/blob/40fe118976734578f83e5e839b9c63ae7a4af82d/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md#windows-codeintegrity-operational-log
date: 2022/01/20
modified: 2023/01/25
modified: 2023/04/27
tags:
- attack.execution
logsource:
@@ -76,15 +76,14 @@ detection:
- 12
ValidatedPolicy: 1
filter_gac:
# If other DLLs show up from this process. Filter the path containing this string `\Windows\assembly\GAC\`
FileNameBuffer|endswith:
- '\stdole.dll'
- '\msdatasrc.dll'
- '\adodb.dll'
# Filtering the path containing this string because of multiple possible DLLs in that location
FileNameBuffer|contains: '\Windows\assembly\GAC\'
ProcessNameBuffer|endswith: '\mscorsvw.exe'
ProcessNameBuffer|contains: '\Windows\Microsoft.NET\'
RequestedPolicy: 8
ValidatedPolicy: 2
ValidatedPolicy:
- 1
- 2
filter_google_drive:
# Example: \Program Files\Google\Drive File Stream\67.0.2.0\crashpad_handler.exe
FileNameBuffer|contains: '\Program Files\Google\Drive File Stream\'
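Review bot: replacing the three-entry `FileNameBuffer|endswith` list with `FileNameBuffer|contains: '\Windows\assembly\GAC\'` widens the exclusion from three named DLLs to any file under the GAC path that `\mscorsvw.exe` under `\Windows\Microsoft.NET\` loads with `RequestedPolicy: 8`, and the same hunk also accepts `ValidatedPolicy` of 1 as well as 2, so the filter is broadened along two axes at once. The removed comment already anticipated the path-based filter, so the change matches the rule's own intent, but the new comment should also say why ValidatedPolicy 1 now appears in this context (the commit message only says "FPs found in production"), for example `# Seen with ValidatedPolicy 1 and 2 in production`, so a later reader can judge whether the wider filter is still justified. The two `ProcessNameBuffer` constraints are what keep the resulting blind spot small; those should stay as they are.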
@@ -1,12 +1,12 @@
title: Suspicious Usage of CVE_2021_34484 or CVE 2022_21919
id: 52a85084-6989-40c3-8f32-091e12e17692
status: experimental
description: During exploitation of this vuln, two logs (providername:Microsoft-Windows-User Profiles Service) with eventid 1511 and 1515 (maybe lot of false positives with this event) are created. Moreover, it appears the directory \Users\TEMP is created may be created during the exploitation.Viewed on 2008 Server
description: During exploitation of this vulnerability, two logs (Provider_Name:Microsoft-Windows-User Profiles Service) with EventID 1511 and 1515 (maybe lot of false positives with this event) are created. Moreover, it appears the directory \Users\TEMP is created may be created during the exploitation. Viewed on 2008 Server
references:
- https://packetstormsecurity.com/files/166692/Windows-User-Profile-Service-Privlege-Escalation.html
author: Cybex
date: 2022/08/16
modified: 2022/10/21
modified: 2023/04/27
tags:
- attack.execution
logsource:
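Review bot: the rewritten description still carries the doubled verb from the old line, "the directory \Users\TEMP is created may be created during the exploitation"; drop "is created" so it reads "the directory \Users\TEMP may be created during the exploitation". While touching this line, "maybe lot of false positives" should read "possibly many false positives", and the unchanged title mixes "CVE_2021_34484" with "CVE 2022_21919", which would be clearer as "CVE-2021-34484 or CVE-2022-21919". The `Provider_Name` / `EventID` casing change is the useful part of this hunk, since it matches the field name used in the detection block below.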
@@ -18,5 +18,5 @@ detection:
Provider_Name: 'Microsoft-Windows-User Profiles Service'
condition: selection
falsepositives:
- Unknown
- Corrupted user profiles - https://social.technet.microsoft.com/wiki/contents/articles/3571.windows-user-profiles-service-event-1511-windows-cannot-find-the-local-profile-and-is-logging-you-on-with-a-temporary-profile.aspx
level: high
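Review bot: the new falsepositives entry bundles a long URL into the list item; keep the entry as a short description ("Corrupted user profiles") and move the technet link into the `references` list in the header, where the rule's other sources already live, so tooling that renders falsepositives as plain text does not have to carry a URL. Also, now that the description itself says the events are noisy and this hunk documents a benign cause that produces the same EventID 1511, `level: high` deserves a second look; `medium` would better reflect that a match needs triage rather than being a confident signal.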