From c1cfbacd243d6a332373ebb1b520b6285e46df10 Mon Sep 17 00:00:00 2001 From: alexpetrov12 Date: Wed, 23 Oct 2019 13:18:57 +0300 Subject: [PATCH] fix --- .../process_creation/minidumpwritedump.yml | 4 +- .../renamed_binary_description.yml | 46 +++++++++---------- .../sysmon/cobalt_execute_assembly.yml | 2 +- .../sysmon/win_sysmon_driver_unload.yml | 2 +- 4 files changed, 27 insertions(+), 27 deletions(-)
diff --git a/rules/windows/process_creation/minidumpwritedump.yml b/rules/windows/process_creation/minidumpwritedump.yml
index 4e0765755..2e73e1c01 100644
--- a/rules/windows/process_creation/minidumpwritedump.yml
+++ b/rules/windows/process_creation/minidumpwritedump.yml
@@ -6,7 +6,7 @@ tags:
 - attack.credential_access
 - attack.t1003
 status: experimental
-author: Aleksey Potapov, oscd.community
+author: Aleksey Potapov, oscd.community
 date: 2019/10/22
 logsource:
 category: process_creation
@@ -14,7 +14,7 @@ logsource:
 detection:
 selection:
 Image: '*\rundll32.exe'
- CommandLine: '*comsvcs.dll*minidump*'
+ CommandLine: '*comsvcs.dll*minidump*'
 condition: selection
 falsepositives:
 - unknown
diff --git a/rules/windows/process_creation/renamed_binary_description.yml b/rules/windows/process_creation/renamed_binary_description.yml
index ed74e8d14..9d31a8b66 100644
--- a/rules/windows/process_creation/renamed_binary_description.yml
+++ b/rules/windows/process_creation/renamed_binary_description.yml
@@ -13,7 +13,7 @@ logsource:
 product: windows
 service: sysmon
 detection:
- selection:
+ selection:
 Description:
 - "active directory editor"
 - "sysinternals process dump utility"
@@ -34,27 +34,27 @@ detection:
 - "windows ® installer"
 - "7-zip console"
- filter:
- Image:
- - '*\adexplorer.exe'
- - '*\procdump.exe'
- - '*\msbuild.exe'
- - '*\dotnet.exe'
- - '*\cmd.exe'
- - '*\powershell.exe'
- - '*\psexec.exe'
- - '*\installutil.exe'
- - '*\cscript.exe'
- - '*\wscript.exe'
- - '*\mshta.exe'
- - '*\regsvr32.exe'
- - '*\wmic.exe'
- - '*\certutil.exe'
- - '*\rundll32.exe'
- - '*\cmstp.exe'
- - '*\msiexec.exe'
- - '*\7z.exe'
- condition: selection and not filter
+ filter:
+ Image:
+ - '*\adexplorer.exe'
+ - '*\procdump.exe'
+ - '*\msbuild.exe'
+ - '*\dotnet.exe'
+ - '*\cmd.exe'
+ - '*\powershell.exe'
+ - '*\psexec.exe'
+ - '*\installutil.exe'
+ - '*\cscript.exe'
+ - '*\wscript.exe'
+ - '*\mshta.exe'
+ - '*\regsvr32.exe'
+ - '*\wmic.exe'
+ - '*\certutil.exe'
+ - '*\rundll32.exe'
+ - '*\cmstp.exe'
+ - '*\msiexec.exe'
+ - '*\7z.exe'
+ condition: selection and not filter
 falsepositives:
- - Custom applications use renamed binaries adding slight change to binary name. Typically this is easy to spot and add to whitelist
+ - Custom applications use renamed binaries adding slight change to binary name. Typically this is easy to spot and add to whitelist
 level: medium
\ No newline at end of file
diff --git a/rules/windows/sysmon/cobalt_execute_assembly.yml b/rules/windows/sysmon/cobalt_execute_assembly.yml
index 954b6bff6..3d1b82b47 100644
--- a/rules/windows/sysmon/cobalt_execute_assembly.yml
+++ b/rules/windows/sysmon/cobalt_execute_assembly.yml
@@ -6,7 +6,7 @@ tags:
 - attack.defense_evasion
 - attack.t1055
 status: experimental
-author: Aleksey Potapov, oscd.community
+author: Aleksey Potapov, oscd.community
 date: 2019/10/22
 logsource:
 product: windows
diff --git a/rules/windows/sysmon/win_sysmon_driver_unload.yml b/rules/windows/sysmon/win_sysmon_driver_unload.yml
index c7323366c..e4f509878 100644
--- a/rules/windows/sysmon/win_sysmon_driver_unload.yml
+++ b/rules/windows/sysmon/win_sysmon_driver_unload.yml
@@ -16,7 +16,7 @@ detection:
 selection:
 EventID: 4688
 ProcessName: '*\fltMC.exe'
- CommandLine: '*unload*Sys*'
+ CommandLine: '*unload*Sys*'
 selection1:
 EventID: 4673
 PrivilegeList: '*\SeLoadDriverPrivilege'