Merge pull request #2324 from SigmaHQ/rule-devel

fix: FPs
This commit is contained in:
Florian Roth
2021-11-26 20:39:19 +01:00
committed by GitHub
3 changed files with 5 additions and 3 deletions
@@ -21,6 +21,7 @@ detection:
Image|endswith:
- '\WmiPrvSE.exe'
- '\mmc.exe'
- 'C:\Windows\System32\NhNotifSys.exe'
- '\Services\Microsoft.VisualStudio.Setup.Service\BackgroundDownload.exe'
- '\mscorsvw.exe'
Image|startswith:
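Review bot: the new entry `'C:\Windows\System32\NhNotifSys.exe'` is an absolute path inside an `Image|endswith` list whose neighbouring entries are bare `\name.exe` suffixes; with `endswith`, an absolute path only matches when the whole image path equals that string, so it behaves as an exact-path exclusion. That is fine if the intent is to exclude only the System32 copy, but if the intent matches the sibling entries, `'\NhNotifSys.exe'` would be the consistent form. Also, the same binary is added to the other rule in this PR as `'C:\WINDOWS\system32\NhNotifSys.exe'` with different capitalisation; Sigma string matching is case-insensitive so both work, but spelling the two identically avoids the impression that they refer to different paths.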
@@ -3,7 +3,7 @@ id: 5f113a8f-8b61-41ca-b90f-d374fa7e4a39
description: Detects the access to processes by other suspicious processes which have reflectively loaded libraries in their memory space. An example is SilentTrinity C2 behaviour. Generally speaking, when Sysmon EventID 10 cannot reference a stack call to a dll loaded from disk (the standard way), it will display "UNKNOWN" as the module name. Usually this means the stack call points to a module that was reflectively loaded in memory. Adding to this, it is not common to see such few calls in the stack (ntdll.dll --> kernelbase.dll --> unknown) which essentially means that most of the functions required by the process to execute certain routines are already present in memory, not requiring any calls to external libraries. The latter should also be considered suspicious.
status: experimental
date: 2019/10/27
modified: 2021/11/20
modified: 2021/11/25
author: Perez Diego (@darkquassar), oscd.community, Jonhnathan Ribeiro
references:
- https://azure.microsoft.com/en-ca/blog/detecting-in-memory-attacks-with-sysmon-and-azure-security-center/
@@ -47,6 +47,7 @@ detection:
- '\Microsoft VS Code\Code.exe'
- '\aurora-agent-64.exe'
- '\aurora-agent.exe'
- 'C:\WINDOWS\system32\NhNotifSys.exe'
- 'C:\Windows\Microsoft.NET\Framework\*\NGenTask.exe'
condition: ( selection1 or selection2 or selection3 ) and not filter
fields:
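Review bot: this hunk's `condition: ( selection1 or selection2 or selection3 ) and not filter` already groups the selections before `and not filter`, so the new `'C:\WINDOWS\system32\NhNotifSys.exe'` entry suppresses matches from all three selections as intended. Two small points: the entry mixes casing with its counterpart in the first hunk (`C:\Windows\System32\...`), and it sits among entries of different shapes (suffix-only `\aurora-agent.exe` style next to an absolute path with a `*` wildcard in `Framework\*\NGenTask.exe`); aligning the new line with whichever convention the filter is meant to follow keeps the list readable. Since the exclusion is keyed on the image path alone, it is worth adding a line about this process to the rule's `falsepositives` list so the reason for the entry is recorded alongside the rule.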
@@ -193,7 +193,7 @@ detection:
filter:
- Details: '(Empty)'
- TargetObject|endswith: '\NgcFirst\ConsecutiveSwitchCount'
condition: main_selection or
condition: ( main_selection or
session_manager_base and session_manager or
current_version_base and current_version or
nt_current_version_base and nt_current_version or
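Review bot: the opening parenthesis added before `main_selection` is the correct fix for an operator-precedence bug: in Sigma conditions `and` binds tighter than `or`, so in the old form the trailing `and not filter` applied only to the final `system_control_base and system_control` branch, and every other `*_base and *` branch (and `main_selection` itself) reached the alert without the filter being evaluated. With the grouping, `not filter` applies to the whole disjunction. The matching closing parenthesis is in the next hunk of this file; since the condition is a multi-line YAML plain scalar, keep the continuation lines indented consistently so the parser folds them into a single string.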
@@ -205,7 +205,7 @@ detection:
classes_base and classes or
scripts_base and scripts or
winsock_parameters_base and winsock_parameters or
system_control_base and system_control and not filter
system_control_base and system_control ) and not filter
fields:
- SecurityID
- ObjectName
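Review bot: the closing parenthesis inserted before `and not filter` pairs with the one opened at `condition: ( main_selection or` earlier in this file and completes the precedence fix. Because the filter (`Details: '(Empty)'` or `TargetObject|endswith: '\NgcFirst\ConsecutiveSwitchCount'`) now suppresses matches from every branch rather than only the `system_control` branch, alert volume for this rule should drop noticeably; before merging, spot-check a sample of previous hits from the other `*_base and *` branches to confirm the suppressed events are the intended false positives and that none of those branches relied on matching registry values whose `Details` field is `(Empty)`.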