security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

FP: System image (driver) restoring files. Valid behavior

Browse Source
This commit is contained in:
Tim Shelton
2022-05-24 22:31:05 +00:00
parent c7b90f108f
commit 9a3fc4f543
1 changed files with 4 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/windows/file_event/file_event_win_webshell_creation_detect.yml
+4 -2
View File
@@ -2,11 +2,11 @@ title: Windows Webshell Creation
id: 39f1f9f2-9636-45de-98f6-a4046aa8e4b9
status: test
description: Possible webshell file creation on a static web site
author: Beyu Denis, oscd.community
author: Beyu Denis, oscd.community, Tim Shelton
references:
- PT ESC rule and personal experience
date: 2019/10/22
modified: 2021/11/27
modified: 2022/05/24
logsource:
product: windows
category: file_event
@@ -34,6 +34,8 @@ detection:
TargetFilename|contains:
- '\AppData\Local\Temp\'
- '\Windows\Temp\'
Image:
- 'System' # fp : backup/restore from drivers
# kind of ugly but sigmac seems not to handle double parenthesis "(("
# we should prefer something like : selection_1 and not false_positives and ((selection_2 and selection_3) or (selection_4 and selection_5) or selection_6)
condition: (selection_2 and selection_3 and not false_positives) or (selection_4 and selection_5 and not false_positives) or (selection_6 and not false_positives)