Merge pull request #2698 from frack113/aurora_fp

win_proc_wrong_parent.yml FP
frack113
2022-02-15 19:11:38 +01:00
committed by GitHub
@@ -9,11 +9,7 @@ references:
- https://www.13cubed.com/downloads/windows_process_genealogy_v2.pdf
- https://attack.mitre.org/techniques/T1036/
date: 2019/02/23
modified: 2021/11/24
tags:
- attack.defense_evasion
- attack.t1036.003
- attack.t1036.005
modified: 2022/02/14
logsource:
category: process_creation
product: windows
@@ -29,21 +25,26 @@ detection:
- '\csrss.exe'
- '\wininit.exe'
- '\winlogon.exe'
filter1:
filter_sys:
- ParentImage|endswith:
- '\SavService.exe'
- '\ngen.exe'
- ParentImage|contains:
- '\System32\'
- '\SysWOW64\'
filter2:
filter_msmpeng:
ParentImage|contains:
- '\Windows Defender\'
- '\Microsoft Security Client\'
ParentImage|endswith: '\MsMpEng.exe'
filter_null:
ParentImage: null
condition: selection and not filter1 and not filter2 and not filter_null
- ParentImage: null
- ParentImage: '-'
condition: selection and not 1 of filter_*
falsepositives:
- Some security products seem to spawn these
level: low
tags:
- attack.defense_evasion
- attack.t1036.003
- attack.t1036.005
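Review bot: The new two-entry `filter_null` list matches a ParentImage that is either null or the literal string `'-'`, but nothing in the rule records why both forms are needed, so a later cleanup could collapse it back to the single null match the commit replaces; a comment such as `# some log sources presumably emit '-' rather than an empty ParentImage — confirm against the backend` above the list would preserve the intent. The renamed `filter_sys` is a list of two maps, so it excludes an event when either the `endswith` or the `contains` clause holds, while `filter_msmpeng` is a single map whose two clauses must both hold; the OR/AND difference is easy to misread and deserves a one-line comment on each filter. Because `filter_sys` already excludes every parent located under `\System32\` or `\SysWOW64\`, the unchanged `falsepositives` entry `Some security products seem to spawn these` understates what the rule now suppresses, and listing the excluded parent groups there would make the tuning reviewable. The new `1 of filter_*` condition also turns any future key starting with `filter` into an exclusion automatically, which is worth noting in a comment on the condition line so the naming convention is not broken by accident.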