Merge pull request #4219 from SigmaHQ/rule-devel

feat: add Imphash and some minor changes
Nasreddine Bencherchali
2023-05-05 10:49:54 +02:00
committed by GitHub
3 changed files with 6 additions and 5 deletions
@@ -6,7 +6,7 @@ references:
- https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90015
author: Florian Roth (Nextron Systems)
date: 2022/08/24
modified: 2022/12/30
modified: 2023/05/05
tags:
- attack.defense_evasion
- attack.s0139
@@ -36,8 +36,8 @@ detection:
- b24c5eddaea4fe50c6a96a2a133521e4 # Mimikatz
- d21bbc50dcc169d7b4d0f01962793154 # Mimikatz
- fcc251cceae90d22c392215cc9a2d5d6 # Mimikatz
- 23867a89c2b8fc733be6cf5ef902f2d1 # JuicyPotato
- a37ff327f8d48e8a4d2f757e1b6e70bc # JuicyPotato
- 23867a89c2b8fc733be6cf5ef902f2d1 # JuicyPotato
- a37ff327f8d48e8a4d2f757e1b6e70bc # JuicyPotato
- f9a28c458284584a93b14216308d31bd # JuicyPotatoNG
- 6118619783fc175bc7ebecff0769b46e # RoguePotato
- 959a83047e80ab68b368fdb3f4c6e4ea # RoguePotato
@@ -108,6 +108,7 @@ detection:
- 885c99ccfbe77d1cbfcb9c4e7c1a3313 # Forkatz
- 22a22bc9e4e0d2f189f1ea01748816ac # PPLKiller
- 7fa30e6bb7e8e8a69155636e50bf1b28 # PPLKiller
- 96df3a3731912449521f6f8d183279b1 # Backstab
- Hash|contains: # Sysmon field hashes contains all types
- IMPHASH=BCCA3C247B619DCD13C8CDFF5F123932 # PetitPotam
- IMPHASH=3A19059BD7688CB88E70005F18EFC439 # PetitPotam
@@ -199,6 +200,7 @@ detection:
- IMPHASH=885C99CCFBE77D1CBFCB9C4E7C1A3313 # Forkatz
- IMPHASH=22A22BC9E4E0D2F189F1EA01748816AC # PPLKiller
- IMPHASH=7FA30E6BB7E8E8A69155636E50BF1B28 # PPLKiller
- IMPHASH=96DF3A3731912449521F6F8D183279B1 # Backstab
condition: selection
fields:
- TargetFilename
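Review bot: The Backstab entry, which appears to be the line each of the last two hunks adds, is mirrored in two parallel selections — the lowercase MD5-style list (`- 96df3a3731912449521f6f8d183279b1 # Backstab`) and the `Hash|contains` list (`- IMPHASH=96DF3A3731912449521F6F8D183279B1 # Backstab`) — and the context lines suggest every tool in the rule is duplicated this way, so any drift between the two lists would silently narrow coverage for one log source; a comment at the head of each list such as `# keep in sync with the IMPHASH= entries under Hash|contains below` would make that coupling explicit. The entry comments name only the tool, which makes a later collision hard to triage; since an import hash is shared by any binary with the same import table, recording provenance per entry (`# Backstab - source: <sample reference placeholder>`) would help when a false positive is reported. The selection headers and the rule's `references` list lie outside the visible hunks, so whether a Backstab reference was added alongside the hash cannot be confirmed from here. The two JuicyPotato lines in the second hunk read identically on the old and new sides, which suggests a whitespace-only change; if so, a trailing-whitespace lint on the rule files would catch this before review.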
@@ -11,7 +11,6 @@ date: 2022/11/16
modified: 2022/12/30
tags:
- attack.privilege_escalation
- cve.2021.21551
- attack.t1543
logsource:
category: driver_load
@@ -6,7 +6,7 @@ references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md
author: Florian Roth (Nextron Systems)
date: 2022/02/11
modified: 2023/03/02
modified: 2023/03/22
logsource:
category: process_creation
product: windows