From b0c1c3e7265827cc2694a2450827459a8b61776a Mon Sep 17 00:00:00 2001
From: phantinuss <79651203+phantinuss@users.noreply.github.com>
Date: Mon, 4 Apr 2022 15:10:58 +0200
Subject: [PATCH 1/4] workflow: new baseline check against Windows 11
---
 .github/workflows/known-FPs.csv | 11 +++++++++-
 .github/workflows/sigma-test.yml | 18 ++++++++++++++++
 tests/check-baseline-local.sh | 35 ++++++++++++++++++++++++--------
 3 files changed, 55 insertions(+), 9 deletions(-)
diff --git a/.github/workflows/known-FPs.csv b/.github/workflows/known-FPs.csv
index 9dee7530a..ade97f076 100644
--- a/.github/workflows/known-FPs.csv
+++ b/.github/workflows/known-FPs.csv
@@ -11,4 +11,13 @@ e28a5a99-da44-436d-b7a0-2afc20a5f413;Whoami Execution;WindowsPowerShell
 36480ae1-a1cb-4eaa-a0d6-29801d7e9142;Renamed Binary;WinRAR
 73bba97f-a82d-42ce-b315-9182e76c57b1;Imports Registry Key From a File;Evernote
 6741916F-B4FA-45A0-8BF8-8249C702033A;Added Rule in Windows Firewall with Advanced Security;\\Integration\\Integrator\.exe
-00bb5bd5-1379-4fcf-a965-a5b6f7478064;Setting Change in Windows Firewall with Advanced Security;Level: 4 Task: 0
\ No newline at end of file
+00bb5bd5-1379-4fcf-a965-a5b6f7478064;Setting Change in Windows Firewall with Advanced Security;Level: 4 Task: 0
+162ab1e4-6874-4564-853c-53ec3ab8be01;TeamViewer Remote Session;TeamViewer_Service\.exe
+cdc8da7d-c303-42f8-b08c-b4ab47230263;Rundll32 Internet Connection;20.49.150.241
+bef0bc5a-b9ae-425d-85c6-7b2d705980c6;Python Initiated Connection;151.101.64.223
+9711de76-5d4f-4c50-a94f-21e4e8f8384d;Installation of TeamViewer Desktop;TeamViewer_Desktop\.exe
+96f697b0-b499-4e5d-9908-a67bec11cdb6;Removal of Potential COM Hijacking Registry Keys;target\.exe
+9494479d-d994-40bf-a8b1-eea890237021;Suspicious Add Scheduled Task Parent;TeamViewer_\.exe
+81325ce1-be01-4250-944f-b4789644556f;Suspicius Schtasks From Env Var Folder;TVInstallRestore
+6ea3bf32-9680-422d-9f50-e90716b12a66;UAC Bypass Via Wsreset;EventType: DeleteKey
+43f487f0-755f-4c2a-bce7-d6d2eec2fcf8;Suspicious Add Scheduled Task From User AppData Temp;TVInstallRestore
diff --git a/.github/workflows/sigma-test.yml b/.github/workflows/sigma-test.yml
index f726a7e76..e438a369e 100644
--- a/.github/workflows/sigma-test.yml
+++ b/.github/workflows/sigma-test.yml
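Review bot: Two of the added suppressions key on bare IP addresses (`20.49.150.241` for Rundll32 Internet Connection, `151.101.64.223` for Python Initiated Connection) instead of on the process or destination name, which is brittle because cloud/CDN addresses rotate, and since the third column appears to be an unanchored regex (other entries escape `\.`, and the later `Dropbox.*\\netsh\.exe` entry uses `.*`) the unescaped dots also match any character. Prefer whatever stable field the baseline finding shows (Image or destination hostname), and escape the dots if an address really has to stay, e.g. `20\.49\.150\.241`. The `EventType: DeleteKey` entry for UAC Bypass Via Wsreset suppresses every DeleteKey finding of that rule rather than the specific key the baseline deletes; a narrower pattern naming that key would keep the rule useful for real Wsreset abuse.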
@@ -55,3 +55,21 @@ jobs: ./evtx-sigma-checker --log-source tools/config/thor.yml --evtx-path Logs_Client/ --rule-path rules/windows/ > findings.json - name: Show findings excluding known FPs run: ./.github/workflows/matchgrep.sh findings.json .github/workflows/known-FPs.csv + check-baseline-win11: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v2 + - name: Download evtx-sigma-checker + run: wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/latest/download/evtx-sigma-checker + - name: Download and extract Windows 11 baseline + run: | + wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/latest/download/win11-client.tgz + tar xzf win11-client.tgz + - name: Remove deprecated rules + run: 'grep -ERl "^status: deprecated" rules | xargs -r rm -v' + - name: Check for Sigma matches in baseline + run: | + chmod +x evtx-sigma-checker + ./evtx-sigma-checker --log-source tools/config/thor.yml --evtx-path Logs_Win11/ --rule-path rules/windows/ > findings.json + - name: Show findings excluding known FPs + run: ./.github/workflows/matchgrep.sh findings.json .github/workflows/known-FPs.csv diff --git a/tests/check-baseline-local.sh b/tests/check-baseline-local.sh index 86a5c5ae9..c51fed48e 100755 --- a/tests/check-baseline-local.sh +++ b/tests/check-baseline-local.sh 
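Review bot: `evtx-sigma-checker` and `win11-client.tgz` are fetched from `releases/latest/download/` and the binary is executed with no integrity check, so the job's outcome depends on whatever the upstream "latest" release is at run time and a replaced asset would run with the repository checkout available to it. Pin the assets to a specific release tag and verify a digest before `chmod +x`, e.g. `echo '<sha256>  evtx-sigma-checker' | sha256sum -c -` as a step between the download and the run. The existing Windows 10 job a few lines above has the same pattern, so the download-and-verify steps are a candidate for a shared composite step rather than a second copy.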
@@ -51,27 +51,46 @@ echo echo "Copy rules from ${SIGMA} to ${TMP}" cp -r "${RULES}"/windows . echo +echo "Remove deprecated rules" +grep -ERl "^status: deprecated" windows | xargs -r rm -v +echo echo "Download evtx-sigma-checker" if [[ "${OS}" == "Linux" ]]; then wget --no-verbose --progress=bar --show-progress https://github.com/NextronSystems/evtx-baseline/releases/latest/download/evtx-sigma-checker elif [[ "${OS}" == "Darwin" ]]; then wget --no-verbose --progress=bar --show-progress https://github.com/NextronSystems/evtx-baseline/releases/latest/download/evtx-sigma-checker-darwin -O evtx-sigma-checker fi +chmod +x evtx-sigma-checker + +# Windows 10 echo -echo "Download and extract Windows 10 baseline events" +echo "Download Windows 10 baseline events" wget --no-verbose --progress=bar --show-progress https://github.com/NextronSystems/evtx-baseline/releases/latest/download/win10-client.tgz +echo "Extract Windows 10 baseline events" tar xzf win10-client.tgz echo -echo "Remove deprecated rules" -grep -ERl "^status: deprecated" windows | xargs -r rm -v +echo "Check for Sigma matches in Windows 10 baseline (this takes at least 2 minutes)" +./evtx-sigma-checker --log-source "${SIGMA}"/tools/config/thor.yml --evtx-path Logs_Client/ --rule-path windows/ > findings-win10.json + +# Windows 11 echo -echo "Check for Sigma matches in baseline (this takes at least 2 minutes)" -chmod +x evtx-sigma-checker -./evtx-sigma-checker --log-source "${SIGMA}"/tools/config/thor.yml --evtx-path Logs_Client/ --rule-path windows/ > findings.json +echo "Download Windows 11 baseline events" +wget --no-verbose --progress=bar --show-progress https://github.com/NextronSystems/evtx-baseline/releases/latest/download/win11-client.tgz +echo "Extract Windows 11 baseline events" +tar xzf win11-client.tgz +echo +echo "Check for Sigma matches in Windows 11 baseline (this takes at least 6 minutes)" +./evtx-sigma-checker --log-source "${SIGMA}"/tools/config/thor.yml --evtx-path Logs_Win11/ --rule-path 
windows/ > findings-win11.json + echo -echo "Checking for matches:" -"${SIGMA}"/.github/workflows/matchgrep.sh findings.json "${SIGMA}"/.github/workflows/known-FPs.csv +echo "## MATCHES ##" +echo +echo "Windows 10:" +"${SIGMA}"/.github/workflows/matchgrep.sh findings-win10.json "${SIGMA}"/.github/workflows/known-FPs.csv +echo +echo "Windows 11:" +"${SIGMA}"/.github/workflows/matchgrep.sh findings-win11.json "${SIGMA}"/.github/workflows/known-FPs.csv echo read -p "Removing temporary directory ${TMP}. Press Enter to continue." -s From 7edf04d9ff170dc0b8f9b6c6e46533708b03314b Mon Sep 17 00:00:00 2001 From: phantinuss <79651203+phantinuss@users.noreply.github.com> Date: Mon, 4 Apr 2022 15:36:43 +0200 Subject: [PATCH 2/4] fix: FPs from fresh Windows install --- .../registry_event_runonce_persistence.yml | 7 ++++++- ...egistry_set_asep_reg_keys_modification_common.yml | 12 ++++++++---- ...set_asep_reg_keys_modification_currentversion.yml | 11 +++++++++-- ...ry_set_asep_reg_keys_modification_wow6432node.yml | 8 +++++--- .../registry_set_change_security_zones.yml | 5 +++-- .../registry_set_persistence_search_order.yml | 8 +++++--- .../registry_set/registry_set_set_servicedll.yml | 6 ++++-- .../registry_set/registry_set_taskcache_entry.yml | 10 +++++++++- .../sysmon/sysmon_config_modification_error.yml | 12 ++++++++---- 9 files changed, 57 insertions(+), 22 deletions(-) diff --git a/rules/windows/registry/registry_event/registry_event_runonce_persistence.yml b/rules/windows/registry/registry_event/registry_event_runonce_persistence.yml index a24b3fe5b..d243647c2 100644 --- a/rules/windows/registry/registry_event/registry_event_runonce_persistence.yml +++ b/rules/windows/registry/registry_event/registry_event_runonce_persistence.yml 
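Review bot: A failing `evtx-sigma-checker` run is indistinguishable from a clean baseline in this hunk: the `> findings-win10.json` / `> findings-win11.json` redirections create the file even when the checker exits non-zero or `Logs_Win11/` is missing, and `matchgrep.sh` then reports no matches. Unless `set -e` is enabled at the top of the script (outside this hunk), guard each invocation, e.g. `./evtx-sigma-checker ... > findings-win11.json || { echo "evtx-sigma-checker failed for Windows 11" >&2; exit 1; }`. The binary is also downloaded from `releases/latest/download/` and executed without a checksum; pinning a release and running `sha256sum -c` before `chmod +x` would match what the CI job should do. Note too that `chmod +x evtx-sigma-checker` now runs unconditionally after the `if`/`elif`, so on an OS that is neither Linux nor Darwin it fails on a file that was never downloaded rather than with a clear "unsupported OS" message.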
@@ -7,7 +7,7 @@ references: - https://twitter.com/pabraeken/status/990717080805789697 - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Runonce.yml date: 2020/11/15 -modified: 2022/02/15 +modified: 2022/04/04 logsource: product: windows category: registry_event @@ -18,6 +18,11 @@ detection: filter_chrome: Details|startswith: '"C:\Program Files\Google\Chrome\Application\' Details|endswith: '\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level' + filter_edge: + Details|startswith: + - '"C:\Program Files (x86)\Microsoft\Edge\Application\' + - '"C:\Program Files\Microsoft\Edge\Application\' + Details|endswith: '\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --channel=stable' condition: selection and not 1 of filter_* falsepositives: - Legitimate modification of the registry key by legitimate program diff --git a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_common.yml b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_common.yml index f6fffa858..40c1242ce 100644 --- a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_common.yml +++ b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_common.yml @@ -11,7 +11,7 @@ references: - https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys date: 2019/10/25 -modified: 2022/03/26 +modified: 2022/04/04 logsource: category: registry_set product: windows 
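Review bot: `filter_edge` constrains only the start and end of `Details`, so the segment between `...\Edge\Application\` and `\Installer\setup.exe"` is unconstrained (including `..` segments) and the filter applies regardless of which process wrote the RunOnce value. Writing under Program Files normally requires admin, so this is acceptable for a baseline exclusion, but that assumption deserves a comment, e.g. `# Edge first-run task on a fresh install; version directory between Application\ and \Installer is not constrained`. If the fresh-install baseline shows a stable writer, adding an `Image` constraint would make the filter harder to mimic; the existing `filter_chrome` has the same shape.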
@@ -51,15 +51,19 @@ detection: - '{807583E5-5146-11D5-A672-00B0D022E945}' filter_chrome: TargetObject|contains: '\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\' + filter_edge: + TargetObject|contains: '\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\' + filter_IE: + TargetObject|contains: '\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}\' filter_image: - Image: + Image: - 'C:\Windows\System32\poqexec.exe' - 'C:\Program Files (x86)\Microsoft Office\root\integration\integrator.exe' filter_office: - Image|startswith: + Image|startswith: - 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\' - 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\' - Image|endswith: '\OfficeClickToRun.exe' + Image|endswith: '\OfficeClickToRun.exe' condition: main_selection and not 1 of filter_* fields: - SecurityID diff --git a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion.yml b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion.yml index 4b5ea7b5a..164a12c22 100644 --- a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion.yml +++ b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion.yml @@ -11,7 +11,7 @@ references: - https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys date: 2019/10/25 -modified: 2022/03/26 +modified: 2022/04/04 logsource: category: registry_set product: windows 
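Review bot: `filter_edge` and `filter_IE` suppress any SetValue under the Edge and IE Active Setup component GUIDs regardless of the writing process or the value name, and `TargetObject|contains` matches the per-user `Installed Components` path as well as the HKLM one. Reusing an existing, well-known component GUID and changing its `StubPath` is a documented Active Setup persistence variant (T1547.014), so these two filters remove exactly the write an attacker would make. Constrain them to the writer seen in the baseline (an `Image` match alongside the `TargetObject` line; the actual process is not visible in this hunk), or exclude only the value names the installer touches, e.g. `TargetObject|endswith: '\Version'`, and leave `\StubPath` writes to alert.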
@@ -50,6 +50,13 @@ detection: - 'C:\Program Files\KeePass Password Safe 2\ShInstUtil.exe' - 'C:\Program Files\Everything\Everything.exe' - 'C:\Program Files (x86)\Microsoft Office\root\integration\integrator.exe' + filter_logonui: + Image: 'C:\Windows\system32\LogonUI.exe' + TargetObject|contains: + - '\Authentication\Credential Providers\{D6886603-9D2F-4EB2-B667-1971041FA96B}\' # PIN + - '\Authentication\Credential Providers\{BEC09223-B018-416D-A0AC-523971B639F5}\' # fingerprint + - '\Authentication\Credential Providers\{8AF662BF-65A0-4D0A-A540-A338A999D36F}\' # facial recognizion + - '\Authentication\Credential Providers\{27FBDB57-B613-4AF2-9D7E-4FA7A66C21AD}\' # Trusted Signal (Phone proximity, Network location) filter_edge: Image|startswith: - 'C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\' @@ -90,7 +97,7 @@ detection: Details|contains: '\AppData\Local\Package Cache\{c60fd5ac-367d-4e3a-a975-f157502ac30a}\python' Details|endswith: '.exe" /burn.runonce' filter_officeclicktorun: - Image|startswith: + Image|startswith: - 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\' - 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\' Image|endswith: '\OfficeClickToRun.exe' diff --git a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node.yml b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node.yml index f57f6345e..2d981d2c7 100644 --- a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node.yml +++ b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node.yml @@ -11,7 +11,7 @@ references: - https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys date: 2019/10/25 -modified: 2022/03/26 +modified: 2022/04/04 logsource: category: registry_set product: windows 
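Review bot: The comment `# facial recognizion` in `filter_logonui` should read `# facial recognition`. The filter itself is tight (exact `Image` path plus specific provider GUIDs), so the only other addition worth making is a line explaining the exclusion, e.g. `# LogonUI.exe updating Windows Hello credential-provider state, seen in the fresh-install baseline`, so a later reader does not widen it to the whole `Credential Providers` tree.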
@@ -62,10 +62,12 @@ detection: - '"C:\ProgramData\Package Cache\{e2d1ae32-dd1d-4ad7-a298-10e42e7840fc}\windowsdesktop-runtime-' Details|endswith: '.exe" /burn.runonce' filter_office: - Image|startswith: + Image|startswith: - 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\' - 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\' - Image|endswith: '\OfficeClickToRun.exe' + Image|endswith: '\OfficeClickToRun.exe' + filter_ms_win_desktop_runtime: + Details|startswith: '"C:\ProgramData\Package Cache\{d21a4f20-968a-4b0c-bf04-a38da5f06e41}\windowsdesktop-runtime-' condition: wow_current_version_base and wow_current_version and not 1 of filter_* fields: - SecurityID diff --git a/rules/windows/registry/registry_set/registry_set_change_security_zones.yml b/rules/windows/registry/registry_set/registry_set_change_security_zones.yml index 67a307e6b..f3b69b64c 100644 --- a/rules/windows/registry/registry_set/registry_set_change_security_zones.yml +++ b/rules/windows/registry/registry_set/registry_set_change_security_zones.yml @@ -3,7 +3,7 @@ id: 45e112d0-7759-4c2a-aa36-9f8fb79d3393 description: Hides the file extension through modification of the registry author: frack113 date: 2022/01/22 -modified: 2022/03/26 +modified: 2022/04/04 status: experimental references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1112/T1112.md#atomic-test-4---add-domain-to-trusted-sites-zone @@ -19,7 +19,8 @@ detection: Details: - DWORD (0x00000000) # My Computer - DWORD (0x00000001) # Local Intranet Zone - condition: selection_domains + - '(Empty)' + condition: selection_domains and not filter falsepositives: - Administrative scripts level: medium diff --git a/rules/windows/registry/registry_set/registry_set_persistence_search_order.yml b/rules/windows/registry/registry_set/registry_set_persistence_search_order.yml index f3724cc84..aad55f31b 100644 --- a/rules/windows/registry/registry_set/registry_set_persistence_search_order.yml 
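Review bot: `filter_ms_win_desktop_runtime` matches on `Details|startswith` alone, whereas the sibling filter directly above it pairs the same Package Cache `startswith` with `Details|endswith: '.exe" /burn.runonce'`. Without the suffix, any value that merely begins with that cache directory is suppressed. Add the same `Details|endswith: '.exe" /burn.runonce'` line so the two .NET runtime exclusions are consistent and equally narrow.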
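Review bot: The newly activated `filter` in registry_set_change_security_zones excludes assignments by `Details` value alone — `DWORD (0x00000000)` (My Computer), `DWORD (0x00000001)` (Local Intranet) and now `(Empty)` — so a domain being mapped into the Local Machine zone, the most permissive one, no longer alerts from any process. The block that holds `Details:` starts above this hunk, so it is not visible whether it also carries an `Image` or `TargetObject` restriction; if it does not, add one matching what the fresh-install baseline shows and document the intent, e.g. `# OS components write 0/1/empty for built-in domains on a fresh install; intranet/local-machine mappings from other writers should still alert`. Changing the condition from `selection_domains` to `selection_domains and not filter` also switches on a block that was previously unused, which is worth a sentence in the rule's `falsepositives`.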
+++ b/rules/windows/registry/registry_set/registry_set_persistence_search_order.yml @@ -7,14 +7,14 @@ references: - https://attack.mitre.org/techniques/T1546/015/ author: Maxime Thiebaut (@0xThiebaut), oscd.community, Cédric Hien date: 2020/04/14 -modified: 2022/03/26 +modified: 2022/04/04 logsource: category: registry_set product: windows detection: selection: # Detect new COM servers in the user hive EventType: SetValue - TargetObject|startswith: + TargetObject|startswith: - 'HKCR\CLSID\' - 'HKCU\Software\Classes\CLSID\' TargetObject|endswith: '\InprocServer32\(Default)' @@ -23,7 +23,7 @@ detection: - '%%systemroot%%\system32\' - '%%systemroot%%\SysWow64\' filterOneDrive: - Details|contains: + Details|contains: - '\AppData\Local\Microsoft\OneDrive\' - '\FileCoAuthLib64.dll' - '\FileSyncShell64.dll' @@ -62,6 +62,8 @@ detection: Details: - 'C:\Windows\system32\dnssdX.dll' - 'C:\Windows\SysWOW64\dnssdX.dll' + filter_printextensionmanager: + Details: 'C:\Windows\system32\spool\drivers\x64\3\PrintConfig.dll' filter_programfiles: Details|startswith: - 'C:\Program Files\' diff --git a/rules/windows/registry/registry_set/registry_set_set_servicedll.yml b/rules/windows/registry/registry_set/registry_set_set_servicedll.yml index a215afdad..796cb7b13 100644 --- a/rules/windows/registry/registry_set/registry_set_set_servicedll.yml +++ b/rules/windows/registry/registry_set/registry_set_set_servicedll.yml @@ -3,7 +3,7 @@ id: 612e47e9-8a59-43a6-b404-f48683f45bd6 description: Detects the modification of a ServiceDLL value in the service settings author: frack113 date: 2022/02/04 -modified: 2022/03/26 +modified: 2022/04/04 status: experimental references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.003/T1543.003.md#atomic-test-4---tinyturla-backdoor-service-w64time 
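Review bot: `filter_printextensionmanager` exempts an exact DLL path under `C:\Windows\system32\spool\drivers\x64\3\`, the print spooler's driver store, a directory that is populated through printer-driver installation rather than only by Windows setup, so a DLL named `PrintConfig.dll` placed there and registered as an `InprocServer32` would be suppressed by this rule. If the baseline shows the writer, tie the filter to it with an `Image` match (the process is not visible in this hunk); otherwise at least record the trust assumption, e.g. `# PrintConfig.dll (Print Extension Manager) from the spool driver store; trusts the path, not the writer`.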
@@ -15,7 +15,9 @@ detection: EventType: SetValue TargetObject|startswith: 'HKLM\System\CurrentControlSet\Services\' TargetObject|endswith: '\Parameters\ServiceDll' - condition: selection + filter_printextensionmanger: + Details: 'C:\Windows\system32\spool\drivers\x64\3\PrintConfig.dll' + condition: selection and not 1 of filter* falsepositives: - Administrative scripts - Installation of a service diff --git a/rules/windows/registry/registry_set/registry_set_taskcache_entry.yml b/rules/windows/registry/registry_set/registry_set_taskcache_entry.yml index dbd60de43..8fd55d7c6 100644 --- a/rules/windows/registry/registry_set/registry_set_taskcache_entry.yml +++ b/rules/windows/registry/registry_set/registry_set_taskcache_entry.yml @@ -3,7 +3,7 @@ id: 4720b7df-40c3-48fd-bbdf-fd4b3c464f0d description: Monitor the creation of a new key under 'TaskCache' when a new scheduled task is registered status: experimental date: 2021/06/18 -modified: 2022/03/26 +modified: 2022/04/04 references: - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/ author: Syed Hasan (@syedhasan009) @@ -29,6 +29,7 @@ detection: - '\TaskCache\Tree\Opera scheduled assistant Autoupdate' - '\TaskCache\Tree\OneDrive Reporting' - '\TaskCache\Tree\OneDrive Standalone Update Task' + - '\TaskCache\Tree\OneDrive Per-Machine Standalone Update Task\' - '\TaskCache\Tree\Mozilla\SD' - '\TaskCache\Tree\Microsoft\Windows\.NET Framework\.NET Framework ' - '\TaskCache\Tree\Microsoft\Office\OfficeOsfInstaller\' @@ -42,6 +43,7 @@ detection: - '\TaskCache\Tree\Microsoft\Office\OfficeTelemetry' # *AgentLogOn and *AgentFallBack - '\TaskCache\Tree\Microsoft\Office\Office ClickToRun Service Monitor\' - '\TaskCache\Tree\Microsoft\Office\Office Automatic Updates 2.0\' + - '\TaskCache\Tree\Microsoft\Office\Office Feature Updates' - '\TaskCache\Tree\klcp_update\' - '\TaskCache\Tree\Apple\SD' - '\TaskCache\Tree\Apple\AppleSoftwareUpdate\' 
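Review bot: The filter name `filter_printextensionmanger` is misspelled (`manager`), and the new `condition: selection and not 1 of filter*` depends on that prefix, so a later rename must keep the `filter` prefix. More importantly, a `ServiceDll` value pointing into `C:\Windows\system32\spool\drivers\x64\3\` is exempted by exact path only; that directory is written to by printer-driver installs, so a DLL with this name dropped there by a non-Microsoft process would be loaded as a service DLL without an alert. Consider an `Image` constraint matching the writer observed in the baseline (not visible here), and document the exclusion with `# PrintConfig.dll: Print Extension Manager service, seen in the fresh-install baseline`.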
@@ -49,6 +51,12 @@ detection: - '\TaskCache\Tree\Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance\' - '\TaskCache\Tree\Microsoft\Windows\Windows Defender\Windows Defender Cleanup\' - '\TaskCache\Tree\Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan\' + - '\TaskCache\Tree\TVInstallRestore\' + - '\TaskCache\Tree\Microsoft\Windows\InstallService\SmartRetry\' + - '\TaskCache\Tree\Microsoft\Windows\DeviceDirectoryClient\RegisterDevicePeriodic24\' + - '\TaskCache\Tree\Microsoft\Windows\DeviceDirectoryClient\RegisterDeviceLocationRightsChange\' + - '\TaskCache\Tree\Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser\' + - '\TaskCache\Tree\MicrosoftEdgeUpdateTaskMachine' # *Core and *UA condition: selection and not 1 of filter* falsepositives: - Unknown diff --git a/rules/windows/sysmon/sysmon_config_modification_error.yml b/rules/windows/sysmon/sysmon_config_modification_error.yml index a02ae3f99..464faf721 100644 --- a/rules/windows/sysmon/sysmon_config_modification_error.yml +++ b/rules/windows/sysmon/sysmon_config_modification_error.yml @@ -4,7 +4,7 @@ description: Someone try to hide from Sysmon status: experimental author: frack113 date: 2021/06/04 -modified: 2022/02/09 +modified: 2022/04/04 references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md - https://talesfrominfosec.blogspot.com/2017/12/killing-sysmon-silently.html 
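Review bot: The added TaskCache exclusions are keyed on task names only, and a task name is chosen by whoever registers the task, so `\TaskCache\Tree\TVInstallRestore\` (TeamViewer's install task, per the known-FPs entries elsewhere in this series) and the prefix `\TaskCache\Tree\MicrosoftEdgeUpdateTaskMachine` (no trailing backslash, so it matches any task whose name starts with that string) are straightforward to mimic. The Microsoft entries under fixed OS folders (`InstallService\SmartRetry`, `DeviceDirectoryClient\...`, `Application Experience\Microsoft Compatibility Appraiser`) are less of a concern. Keep the third-party and prefix entries if the baseline needs them, but document the trade-off inline, e.g. `# TeamViewer installer task; name-based exclusion, spoofable` and `# *Core and *UA - prefix match, also matches any task name starting with this string`.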
@@ -19,11 +19,15 @@ detection: Description|contains: - 'Failed to open service configuration with error' - 'Failed to connect to the driver to update configuration' - selection_filter: + filter_generic_english: Description|contains|all: - 'Failed to open service configuration with error' - 'Last error: The media is write protected.' - condition: selection_error and not selection_filter + filter_by_errorcode: + Description|contains: + - 'Failed to open service configuration with error 19' + - 'Failed to open service configuration with error 93' + condition: selection_error and not 1 of filter* falsepositives: - Legitimate administrative action -level: high +level: high From 49a38185b2c7c0776fbbcfd90e2d5b21c5c1883a Mon Sep 17 00:00:00 2001 From: phantinuss <79651203+phantinuss@users.noreply.github.com> Date: Wed, 6 Apr 2022 12:01:08 +0200 Subject: [PATCH 3/4] workflow: add known FP --- .github/workflows/known-FPs.csv | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/known-FPs.csv b/.github/workflows/known-FPs.csv index ade97f076..86422b4e6 100644 --- a/.github/workflows/known-FPs.csv +++ b/.github/workflows/known-FPs.csv @@ -21,3 +21,4 @@ bef0bc5a-b9ae-425d-85c6-7b2d705980c6;Python Initiated Connection;151.101.64.223 81325ce1-be01-4250-944f-b4789644556f;Suspicius Schtasks From Env Var Folder;TVInstallRestore 6ea3bf32-9680-422d-9f50-e90716b12a66;UAC Bypass Via Wsreset;EventType: DeleteKey 43f487f0-755f-4c2a-bce7-d6d2eec2fcf8;Suspicious Add Scheduled Task From User AppData Temp;TVInstallRestore +c187c075-bb3e-4c62-b4fa-beae0ffc211f;Deteled Rule in Windows Firewall with Advanced Security;Dropbox.*\\netsh\.exe From c2c3fff071201a9e5b82b1da9248605efddea9c6 Mon Sep 17 00:00:00 2001 From: phantinuss <79651203+phantinuss@users.noreply.github.com> Date: Wed, 6 Apr 2022 12:01:28 +0200 Subject: [PATCH 4/4] fix: typo in description --- .../builtin/firewall_as/win_firewall_as_delete_rule.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
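Review bot: `filter_by_errorcode` uses `Description|contains` with `'...with error 19'` and `'...with error 93'`, which also match codes 190–199, 930–939 and longer codes beginning with those digits if the message continues with digits; the exact message format is not visible in this hunk. If the code is followed by a period or space in the event text, include that terminator, e.g. `'Failed to open service configuration with error 19.'`. A comment naming the Win32 codes being excluded would let the next reader check the filter against `filter_generic_english` (19 appears to be ERROR_WRITE_PROTECT, consistent with "The media is write protected"; the meaning of 93 should be confirmed and noted).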
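Review bot: The pattern `Dropbox.*\\netsh\.exe` has an unbounded `.*`, so it suppresses any Deteled-Rule finding in which the string `Dropbox` appears anywhere before `\netsh.exe` — a binary run from a user's Dropbox sync folder that calls netsh to delete firewall rules would be hidden, not just the Dropbox updater. Anchor it to the specific installer/updater executable the baseline finding actually shows rather than the bare product name (the finding text is not visible here). The entry also repeats the rule title with the typo `Deteled`, so it must be updated together with the rule if that title is ever corrected.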
diff --git a/rules/windows/builtin/firewall_as/win_firewall_as_delete_rule.yml b/rules/windows/builtin/firewall_as/win_firewall_as_delete_rule.yml index 5d6115995..a7ff62301 100644 --- a/rules/windows/builtin/firewall_as/win_firewall_as_delete_rule.yml +++ b/rules/windows/builtin/firewall_as/win_firewall_as_delete_rule.yml @@ -1,7 +1,7 @@ title: Deteled Rule in Windows Firewall with Advanced Security id: c187c075-bb3e-4c62-b4fa-beae0ffc211f status: experimental -description: DA rule has been deleted in the Windows Firewall exception list. +description: A rule has been deleted in the Windows Firewall exception list. author: frack113 date: 2022/02/19 modified: 2022/02/22 @@ -13,9 +13,9 @@ logsource: # EventID 49xx and 50xx are not used in the rule, please don't use Windows Server 2008 R2 detection: selection: - EventID: + EventID: - 2006 - - 2033 #All rules + - 2033 #All rules filter: - ModifyingApplication: 'C:\Windows\System32\svchost.exe' - ModifyingApplication|startswith:
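Review bot: The rule title on the first context line still reads `Deteled Rule in Windows Firewall with Advanced Security` although the description typo is corrected in this hunk; fixing it to `Deleted Rule in Windows Firewall with Advanced Security` should be done in the same change as the matching entry in `.github/workflows/known-FPs.csv` (added in PATCH 3/4), which carries the same title string. The `@@ -13,9` hunk below only strips trailing whitespace.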