fix: apply suggestions from code review
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
committed by GitHub
parent 72b658b4c2
commit ad0d3f58ac
@@ -4,7 +4,7 @@ related:
- id: 5ce0f04e-3efc-42af-839d-5b3a543b76c0
type: derived
status: experimental
description: Detects file write event from/to a fake recycle bin folder that's often used as a staging directory for malware
description: Detects file write event from/to a fake recycle bin folder that is often used as a staging directory for malware
references:
- https://www.mandiant.com/resources/blog/infected-usb-steal-secrets
author: X__Junior (Nextron Systems)
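Review bot: "from/to" in the description is ambiguous for a rule keyed on file write events, where the written target path is what the detection matches; "Detects a file write event to a fake recycle bin folder that is often used as a staging directory for malware" reads clearer. The contraction fix itself is fine.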
@@ -1,4 +1,4 @@
title: Potential Suspicious Call To Win32_NTEventlogFile Class - PSScript
title: Potentially Suspicious Call To Win32_NTEventlogFile Class - PSScript
id: e2812b49-bae0-4b21-b366-7c142eafcde2
status: experimental
description: Detects usage of the WMI class "Win32_NTEventlogFile" in a potentially suspicious way (delete, backup, change permissions, etc.) from a PowerShell script
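Review bot: the title fix matches the sibling rule caf201a9-c2ce-4a26-9c3a-2b9525413711, which receives the same "Potentially" correction further down in this commit, so the pair stays consistent. The description's "(delete, backup, change permissions, etc.)" leaves the matched set open-ended; naming the exact method names the selection looks for would let a reader verify coverage against the detection block.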
@@ -1,7 +1,7 @@
title: Suspicious Ping/Copy Command Combination
id: ded2b07a-d12f-4284-9b76-653e37b6c8b0
status: experimental
description: Detects uncommon one liner command having ping and copy at the same time usually used by malware.
description: Detects uncommon one-liner command having ping and copy at the same time, which is usually used by malware.
references:
- Internal Research
author: X__Junior (Nextron Systems)
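Review bot: "which is usually used by malware" in the new description is a strong claim backed only by "Internal Research"; "commonly seen in malware" or a public reference would be more defensible, and "uncommon" and "usually" in the same sentence read as contradictory. The hyphenation and comma fixes are fine.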
@@ -20,5 +20,5 @@ detection:
- CommandLine|contains: '--insecure'
condition: all of selection_*
falsepositives:
- Unknown
- Access to badly maintained internal or development systems
level: medium
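Review bot: replacing "Unknown" with a concrete false-positive source is the right direction. Since "--insecure" is the certificate-verification bypass flag of tools such as curl and is routinely passed by scripts and CI jobs that talk to self-signed internal endpoints, consider a second entry for that automated, non-interactive use, which "Access to ... systems" does not quite capture; "medium" remains appropriate given that the condition requires all selections.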
@@ -1,10 +1,10 @@
title: Potential Suspicious Findstr.EXE Execution
title: Potentially Suspicious Findstr.EXE Execution
id: ccb5742c-c248-4982-8c5c-5571b9275ad3
related:
- id: fe63010f-8823-4864-a96b-a7b4a0f7b929
type: derived
status: experimental
description: Detects execution of "findstr" as a child process of potentially suspicious parent command line. This is often the case when "findstr" is used to filter out the results of certain recon commands such as "tasklist" or "ipconfig /all"
description: Detects execution of "findstr" as a child process of potentially suspicious parent command lines. This is often the case when "findstr" is used to filter out the results of certain reconnaissance commands such as "tasklist" or "ipconfig /all"
references:
- https://github.com/redcanaryco/atomic-red-team/blob/02cb591f75064ffe1e0df9ac3ed5972a2e491c97/atomics/T1057/T1057.md#atomic-test-6---discover-specific-process---tasklist
author: frack113
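Review bot: "filter out the results" in the new description means to exclude them, whereas findstr in this pattern selects matching lines from the output; "filter the results" or "search the output" is what is meant. Expanding "recon" to "reconnaissance" and pluralising "command lines" are good.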
@@ -1,7 +1,7 @@
title: PowerShell Execution With Potential Decryption Capabilities
id: 434c08ba-8406-4d15-8b24-782cb071a691
status: experimental
description: Detects powershell command that decrypts an ".LNK" "file to drop next stage of the malware.
description: Detects PowerShell commands that decrypt an ".LNK" "file to drop the next stage of the malware.
references:
- https://research.checkpoint.com/2023/chinese-threat-actors-targeting-europe-in-smugx-campaign/
author: X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
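Review bot: the stray double quote in `".LNK" "file` survives into the new description line; it should read `an ".LNK" file to drop the next stage of the malware`. Capitalising PowerShell and pluralising "commands" are fine.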
@@ -23,10 +23,14 @@ detection:
CommandLine|contains:
- "Get-ChildItem "
- "dir "
- "gci "
- "ls "
selection_cli_gc:
CommandLine|contains:
- "Get-Content "
- "gc "
- 'cat '
- 'type '
selection_cli_specific:
CommandLine|contains|all:
- ' ^| '
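Review bot: the newly added `"gc "` token, like the existing `"ls "` and `"dir "`, is a short substring that matches any word ending in those letters followed by a space; a leading space (`" gc "`) or a `|re` match with word boundaries would tighten it. Two style points: the new list mixes double and single quotes (`"gc "` beside `'cat '`), so pick one; and `' ^| '` is cmd.exe's escaped pipe, meaning this selection only fires when the PowerShell command is wrapped in a cmd one-liner, which fits the referenced campaign but deserves a YAML comment in the rule.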
@@ -1,4 +1,4 @@
title: Potential Suspicious Call To Win32_NTEventlogFile Class
title: Potentially Suspicious Call To Win32_NTEventlogFile Class
id: caf201a9-c2ce-4a26-9c3a-2b9525413711
related:
- id: e2812b49-bae0-4b21-b366-7c142eafcde2
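Review bot: consistent with the PSScript variant e2812b49-bae0-4b21-b366-7c142eafcde2 listed under related, which gets the same title correction earlier in this commit; nothing further on this hunk.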
@@ -4,7 +4,7 @@ related:
- id: 0cf2e1c6-8d10-4273-8059-738778f981ad
type: derived
status: experimental
description: Detects execution of "WerFault.exe" with the "-pr" commandline flag that is used to run files stored in ReflectDebugger key which could be store malware path
description: Detects execution of "WerFault.exe" with the "-pr" commandline flag that is used to run files stored in the ReflectDebugger key which could be used to store the path to the malware in order to masquerade the execution flow
references:
- https://cocomelonc.github.io/malware/2022/11/02/malware-pers-18.html
- https://www.hexacorn.com/blog/2018/08/31/beyond-good-ol-run-key-part-85/
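Review bot: the new description calls ReflectDebugger a "key" while the other ReflectDebugger rule in this commit describes it as a registry value; align the terminology. The sentence also runs long and "masquerade the execution flow" is unclear; "the ReflectDebugger value, which can be pointed at a malicious path so that the execution looks like a legitimate WerFault flow" states the idea more directly. "commandline" should be "command-line".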
@@ -12,6 +12,8 @@ author: X__Junior (Nextron Systems)
date: 2023/06/30
tags:
- attack.execution
- attack.defense_evasion
- attack.t1036
logsource:
product: windows
category: process_creation
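Review bot: the added attack.defense_evasion and attack.t1036 tags fit the "masquerade" wording of the description (T1036 is Masquerading). If this rule has already been published rather than still being pre-release, the tag change should come with a `modified:` date next to `date: 2023/06/30`, per the usual Sigma convention for edits after release.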
@@ -4,7 +4,7 @@ related:
- id: fabfb3a7-3ce1-4445-9c7c-3c27f1051cdd
type: derived
status: experimental
description: Detects Potential WerFault "ReflectDebugger" registry value abuse for persistence.
description: Detects potential WerFault "ReflectDebugger" registry value abuse for persistence.
references:
- https://cocomelonc.github.io/malware/2022/11/02/malware-pers-18.html
- https://www.hexacorn.com/blog/2018/08/31/beyond-good-ol-run-key-part-85/