security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge branch 'aurora-false-positive-fixing' of https://github.com/SigmaHQ/sigma into aurora-false-positive-fixing

Browse Source
This commit is contained in:
Florian Roth
2021-12-04 14:28:54 +01:00
parent 9a06cf2da5 0bc0502b24
commit bbddf205ca
2 changed files with 9 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/windows/image_load/sysmon_alternate_powershell_hosts_moduleload.yml
+6 -3
View File
@@ -3,13 +3,13 @@ id: fe6e002f-f244-4278-9263-20e4b593827f
description: Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe
status: experimental
date: 2019/09/12
modified: 2021/12/03
modified: 2021/12/04
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
tags:
- attack.execution
- attack.t1059.001
references:
- https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190815181010.html
- https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190610201010.html
logsource:
product: windows
category: image_load
@@ -18,9 +18,12 @@ detection:
Description: 'System.Management.Automation'
ImageLoaded|contains: 'System.Management.Automation'
filter:
Image|endswith:
- Image|endswith:
- '\powershell.exe'
- '\mscorsvw.exe'
- Image|startswith:
- 'C:\Program Files (x86)\Microsoft Visual Studio\'
- 'C:\Program Files\Microsoft Visual Studio\'
condition: selection and not filter
falsepositives:
- Unknown
rules/windows/image_load/sysmon_susp_system_drawing_load.yml
+3 -8
View File
@@ -3,7 +3,7 @@ id: 666ecfc7-229d-42b8-821e-1a8f8cb7057c
description: A General detection for processes loading System.Drawing.ni.dll. This could be an indicator of potential Screen Capture.
status: experimental
date: 2020/05/02
modified: 2021/12/03
modified: 2021/12/04
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
tags:
- attack.collection
@@ -18,13 +18,8 @@ detection:
selection:
ImageLoaded|endswith: '\System.Drawing.ni.dll'
filter:
Image|endswith:
- '\WmiPrvSE.exe'
- '\mmc.exe'
- '\Services\Microsoft.VisualStudio.Setup.Service\BackgroundDownload.exe'
- '\mscorsvw.exe'
- '\ServiceHub.Host.CLR.x86.exe'
- '\ServiceHub.ThreadedWaitDialog.exe'
# The number of false positives was too high - we had to do this broader filter
# based on the following paths that shouldn't be writable to an unprivileged user
Image|startswith:
- 'C:\Program Files\'
- 'C:\Program Files (x86)\'