From ae5b89dc95db6df3c817bf5d5e8bac9b8377ccaf Mon Sep 17 00:00:00 2001
From: phantinuss <79651203+phantinuss@users.noreply.github.com>
Date: Thu, 14 Dec 2023 19:50:25 +0100
Subject: [PATCH] Merge PR #4627 from @phantinuss - Add additional filters to cover both program file folders

fix: Suspicious SYSTEM User Process Creation - add additional filters to cover both program file folders for FP with Java process
---
 .../proc_creation_win_susp_system_user_anomaly.yml | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/rules/windows/process_creation/proc_creation_win_susp_system_user_anomaly.yml b/rules/windows/process_creation/proc_creation_win_susp_system_user_anomaly.yml
index 3f143bed4..4d0c67a36 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_system_user_anomaly.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_system_user_anomaly.yml
@@ -7,7 +7,7 @@ references:
 - https://tools.thehacker.recipes/mimikatz/modules
 author: Florian Roth (Nextron Systems), David ANDRE (additional keywords)
 date: 2021/12/20
-modified: 2023/01/19
+modified: 2023/12/14
 tags:
 - attack.credential_access
 - attack.defense_evasion
@@ -79,11 +79,15 @@ detection:
 Image|endswith: '\PING.EXE'
 ParentCommandLine|contains: '\DismFoDInstall.cmd'
 filter_config_mgr:
- ParentImage|startswith: 'C:\Packages\Plugins\Microsoft.GuestConfiguration.ConfigurationforWindows\'
+ ParentImage|contains: ':\Packages\Plugins\Microsoft.GuestConfiguration.ConfigurationforWindows\'
 filter_java:
- ParentImage|startswith: 'C:\Program Files (x86)\Java\'
+ ParentImage|contains: - ':\Program Files (x86)\Java\' - ':\Program Files\Java\'
 ParentImage|endswith: '\bin\javaws.exe'
- Image|startswith: 'C:\Program Files (x86)\Java\'
+ Image|contains: - ':\Program Files (x86)\Java\' - ':\Program Files\Java\'
 Image|endswith: '\bin\jp2launcher.exe'
 CommandLine|contains: ' -ma '
 condition: all of selection* and not 1 of filter_*
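Review bot: The move from `startswith: 'C:\...'` to `contains: ':\...'` on the `filter_config_mgr` and `filter_java` keys does more than add the second Java folder — it also drops the position-0 anchor and makes the exclusion match those folder names on any volume, and folders outside the system drive do not inherit the `Program Files` ACLs the filter implicitly relies on, so the exclusion is somewhat broader than the false positive being fixed. If only the 64-bit install folder on the system drive needs covering, `ParentImage|startswith:` / `Image|startswith:` with both `C:\Program Files (x86)\Java\` and `C:\Program Files\Java\` listed would fix the FP without widening the match; if drive-agnostic matching is the intent, a comment above `filter_java` such as `# ':\' prefix is intentional (drive-agnostic); covers both 32- and 64-bit Java install folders` would record that choice for the next tuner. Note also that the two `contains` lists are OR'd independently within the map, so a `javaws.exe` parent under one folder launching `jp2launcher.exe` under the other is excluded as well, which looks acceptable here but is worth stating. The enclosing `detection:` block starts before the hunk.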