diff --git a/rules/cloud/aws_sts_assumedrole_misuse.yml b/rules/cloud/aws_sts_assumedrole_misuse.yml
index a4b2c5b90..98906891e 100644
--- a/rules/cloud/aws_sts_assumedrole_misuse.yml
+++ b/rules/cloud/aws_sts_assumedrole_misuse.yml
@@ -1,5 +1,5 @@
title: AWS STS AssumedRole Misuse
-id: 216e11fa-2796-4fb0-8416-8910b63faec4
+id: 905d389b-b853-46d0-9d3d-dea0d3a3cd49
description: Identifies the suspicious use of AssumedRole. Attackers could move laterally and escalate privileges.
author: Austin Songer
status: experimental
diff --git a/tools/config/carbon-black-eedr.yml b/tools/config/carbon-black-eedr.yml
index dbdd9a215..0e7c4fff6 100644
--- a/tools/config/carbon-black-eedr.yml
+++ b/tools/config/carbon-black-eedr.yml
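Review bot: The rule `id` is swapped outright, so anything that referenced 216e11fa-2796-4fb0-8416-8910b63faec4 (another rule's `related` list, or a downstream deployment that keys alerts and suppressions on rule id) now points at nothing. The hunk does not show why the id changed; if it was a duplicate-id fix, recording the old value keeps the history traceable, e.g. a `related:` block with `- id: 216e11fa-2796-4fb0-8416-8910b63faec4` and `type: renamed` (if the Sigma spec version this repo follows supports that relation type). The rest of the rule body is outside the hunk.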
@@ -16,68 +16,56 @@ fieldmappings:
- process_product_version
- process_publisher
- process_file_description
- DestPort:
- - netconn_port
- - netconn_remote_port
+ DestPort: netconn_port
Destination:
- netconn_domain
DestinationAddress:
- netconn_domain
- netconn_ipv4
- netconn_ipv6
- - netconn_remote_ipv4
- - netconn_remote_ipv6
- DestinationHostname:
+ DestinationHostname:
- netconn_domain
- netconn_proxy_domain
DestinationIp:
- netconn_ipv4
- netconn_ipv6
- - netconn_remote_ipv4
- - netconn_remote_ipv6
- DestinationPort:
- - netconn_port
- - netconn_remote_port
+ DestinationPort: netconn_port
Device: device_name
FileName:
- - process_internal_name
- process_name
- process_original_filename
FileVersion: process_product_version
Image:
- process_name
- - process_internal_name
IntegrityLevel: process_integrity_level
IpAddress:
- netconn_ipv4
- netconn_ipv6
- netconn_local_ipv4
- netconn_local_ipv6
- - netconn_remote_ipv4
- - netconn_remote_ipv6
LogonId:
- childproc_username
- process_username
md5: hash
- NewName: regmod_new_name
+ NewName: regmod_name
OriginalFileName: process_original_filename
ParentCommandLine: parent_cmdline
ParentImage: parent_name
ParentIntegrityLevel: process_integrity_level
ProcessCommandLine: process_cmdline
ProcessName: process_name
- Product:
+ Product:
- process_product_name
- process_file_description
RelativeTargetName: childproc_name
- ScriptBlockText:
+ ScriptBlockText:
- childproc_cmdline
- crossproc_cmdline
- process_cmdline
ServiceFileName: process_service_name
ServiceName: process_service_name
sha256: hash
- Signature:
+ Signature:
- childproc_publisher
- filemod_publisher
- modload_publisher
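Review bot: `DestinationIp`, `DestinationAddress`, `IpAddress`, `DestPort` and `DestinationPort` lose their `netconn_remote_*` members and keep only `netconn_ipv4`/`netconn_ipv6`/`netconn_port`, which the context lines of hunk @@ -98 suggest are also what the source-side keys map to, so a rule that constrains both ends of a connection now queries the same field twice; the same removal repeats in hunk @@ -127 for `dst_port` and `src_ip`. If EEDR genuinely exposes no remote-side fields, that asymmetry deserves a one-line comment above `DestinationAddress:` such as `# EEDR has no separate remote-side netconn fields; netconn_ipv4/ipv6/port serve both ends - confirm against the schema`. Separately, `NewName: regmod_name` aliases a registry rename's new name onto the same field as `TargetObject` and `Value` (hunk @@ -98), so a rule keyed on NewName silently matches the pre-rename key; if `regmod_new_name` does not exist in EEDR, leaving NewName unmapped or stating the lossy mapping in a comment would make that visible to rule authors.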
@@ -98,27 +86,17 @@ fieldmappings:
- netconn_local_port
- netconn_port
SourceWorkstation: device_name
- TargetFilename:
- - filemod_name
- - crossproc_name
- TargetImage:
- - filemod_name
- - crossproc_name
- TargetName:
- - filemod_name
- - crossproc_name
+ TargetFilename: filemod_name
+ TargetImage: filemod_name
+ TargetName: filemod_name
TargetUserName:
- childproc_username
- process_username
- TargetObject:
- - regmod_name
- - regmod_new_name
+ TargetObject: regmod_name
User:
- childproc_username
- process_username
- Value:
- - regmod_name
- - regmod_new_name
+ Value: regmod_name
Workstation: device_name
WorkstationName: device_name
@@ -127,15 +105,9 @@ fieldmappings:
- netconn_ipv6
- netconn_local_ipv4
- netconn_local_ipv6
- - netconn_remote_ipv4
- - netconn_remote_ipv6
- dst_port:
- - netconn_port
- - netconn_remote_port
+ dst_port: netconn_port
src_ip:
- netconn_ipv4
- netconn_ipv6
- netconn_local_ipv4
- netconn_local_ipv6
- - netconn_remote_ipv4
- - netconn_remote_ipv6
\ No newline at end of file
diff --git a/tools/sigma/backends/carbonblack.py b/tools/sigma/backends/carbonblack.py
index 1a1476290..cf5175777 100644
--- a/tools/sigma/backends/carbonblack.py
+++ b/tools/sigma/backends/carbonblack.py
@@ -81,6 +81,7 @@ class CarbonBlackQueryBackend(CarbonBlackWildcardHandlingMixin, SingleTextQueryB
'|',
';',
':',
+ '-'
]
def __init__(self, *args, **kwargs):
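Review bot: `TargetImage: filemod_name` drops `crossproc_name`, and assuming crossproc_name is the target of EEDR cross-process events as the old mapping implies, Sigma process_access rules (whose TargetImage is the process being opened, the usual shape of credential-access detections) will now be translated against the file-modification name and stop matching those events. Narrowing `TargetFilename` and `TargetName` to `filemod_name` looks intentional, but TargetImage belongs to a different event type and should not follow them. If the goal was to stop file-event rules from hitting crossproc records, keep `TargetImage: crossproc_name` (or a list with crossproc_name first) and narrow only the other two.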
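Review bot: The appended `'-'` has no trailing comma while every earlier element (`'|',`, `';',`, `':',`) does, so the next element added below it would be silently glued to it by implicit string concatenation; write it as `'-',`. The list's opening and its name are outside the hunk, so it is not visible whether this list drives quoting or escaping of values, but a hyphen is common in hostnames, GUIDs and file names, so a short comment stating why it needs special handling in Carbon Black query syntax (the operator role it plays, if that is the reason) would save the next reader from guessing.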