More FP tuning

Nasreddine Bencherchali
2022-10-20 11:51:06 +02:00
parent 1512c50b4d
commit a13a5efd47
3 changed files with 19 additions and 7 deletions
@@ -4,7 +4,7 @@ status: experimental
description: Detects shellcode injection by Metasploit's migrate and Empire's psinject
author: Bhabesh Raj
date: 2022/03/11
modified: 2022/09/21
modified: 2022/10/20
tags:
- attack.defense_evasion
- attack.privilege_escalation
@@ -41,10 +41,18 @@ detection:
GrantedAccess: 0x1F3FFF
CallTrace|startswith: 'C:\Windows\System32\ntdll.dll'
filter_dell_specifc:
SourceImage: C:\Program Files (x86)\Dell\UpdateService\ServiceShell.exe
TargetImage: C:\Windows\Explorer.EXE
SourceImage: 'C:\Program Files (x86)\Dell\UpdateService\ServiceShell.exe'
TargetImage: 'C:\Windows\Explorer.EXE'
GrantedAccess: 0x1F3FFF
CallTrace|startswith: 'C:\Windows\System32\ntdll.dll'
filter_visual_studio:
SourceImage:
- 'C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\PerfWatson2.exe'
- 'C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\Common7\IDE\PerfWatson2.exe'
TargetImage:
- 'C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe'
- 'C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\Common7\IDE\devenv.exe'
CallTrace|startswith: 'C:\Windows\System32\ntdll.dll'
condition: selection and not 1 of filter_*
falsepositives:
- Empire's csharp_exe payload uses 0x1f3fff for process enumeration as well
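Review bot: filter_visual_studio only excludes the Community edition under the two hard-coded roots, so Professional and Enterprise installs, which place the same PerfWatson2.exe and devenv.exe pair under `Common7\IDE`, will keep raising the alert this commit is tuning. If wider coverage is wanted, `SourceImage|endswith: '\Common7\IDE\PerfWatson2.exe'` and `TargetImage|endswith: '\Common7\IDE\devenv.exe'` cover every edition and year, at the cost of matching that path tail under any root, so consider pairing them with `|startswith` on the two Program Files roots to keep the exclusion anchored. Unlike filter_dell_specifc on the lines above, the new filter does not restate `GrantedAccess`, which is fine only if the selection (outside this hunk) already pins it. The detection block starts outside the hunk.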
@@ -10,7 +10,7 @@ references:
- https://docs.microsoft.com/en-us/windows/win32/api/shobjidl_core/nn-shobjidl_core-iexecutecommand
- https://docs.microsoft.com/en-us/windows/win32/shell/shell-and-managed-code
date: 2020/05/02
modified: 2022/09/21
modified: 2022/10/20
logsource:
product: windows
category: registry_delete
@@ -44,9 +44,13 @@ detection:
Image|contains: 'peazip'
# We don't use the HKCR anchor as it could be logged as a different variation (HKEY_CLASSES_ROOT)
TargetObject|contains: '\PeaZip.'
filter_everything:
Image|endswith: '\Everything.exe'
# We don't use the HKCR anchor as it could be logged as a different variation (HKEY_CLASSES_ROOT)
TargetObject|contains: '\Everything.'
condition: selection and not 1 of filter_*
falsepositives:
- Unknown
- Legitimate software (un)installations are known to cause some false positives. Please add them as a filter when encountered
level: medium
tags:
- attack.defense_evasion
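Review bot: filter_everything keys on the process file name alone (`Image|endswith: '\Everything.exe'`) plus a substring of the key path, so any process carrying that name that deletes a key containing `\Everything.` is suppressed, which is broader than the rule needs; if the tool is normally installed under a fixed root, adding `Image|startswith: 'C:\Program Files'` (or the actual install root) would keep the filter tied to the legitimate binary, though that is a judgement call if it may also run from a user directory. The comment on the new `TargetObject|contains` line is a verbatim copy of the one in the peazip filter above; it would read better once, above the filter group, rather than repeated per filter. The detection block and the selection these filters apply to start outside this hunk.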
@@ -12,7 +12,7 @@ references:
- https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
- https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/
date: 2019/10/25
modified: 2022/10/18
modified: 2022/10/20
logsource:
category: registry_set
product: windows
@@ -135,7 +135,7 @@ detection:
Details: 'C:\Program Files\Aurora-Agent\tools\aurora-dashboard.exe'
filter_everything:
TargetObject|endswith: '\Microsoft\Windows\CurrentVersion\Run\Everything'
Details: '"C:\Program Files\Everything\Everything.exe" -startup'
Details|endswith: '\Everything\Everything.exe" -startup' # We remove the starting part as it could be installed in different locations
condition: all of current_version_* and not 1 of filter_*
fields:
- SecurityID
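Review bot: switching `Details` to `|endswith: '\Everything\Everything.exe" -startup'` drops the directory anchor, so a Run value named Everything whose command ends in that tail is now excluded wherever the executable lives, including user-writable paths; if the intent is only to cover both Program Files roots, `Details|startswith: '"C:\Program Files'` alongside the `|endswith` keeps the exclusion bounded while still matching the (x86) variant. The explanation is attached as a trailing comment to a line that is already long; putting it on its own line above, `# Path prefix dropped on purpose: Everything may be installed in different locations`, matches the above-the-line comment style used in the sibling rule touched by this commit. The detection block and the `current_version_*` selections referenced by the condition start outside the hunk.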