diff --git a/rules/linux/lnx_file_copy.yml b/rules/linux/lnx_file_copy.yml
index f48851ebd..81b77d8fa 100644
--- a/rules/linux/lnx_file_copy.yml
+++ b/rules/linux/lnx_file_copy.yml
@@ -9,17 +9,14 @@ references:
logsource:
product: linux
detection:
- keywords:
- Scp|contains:
- 'scp'
- Rsync|contains:
- 'rsync -r'
- Sftp|contains:
- 'sftp'
+ tools:
- 'scp '
- 'rsync '
- 'sftp '
filter:
- '@'
- ':'
- condition: keywords and filter
+ condition: tools and filter
falsepositives:
- Legitimate administration activities
level: low
diff --git a/rules/windows/builtin/win_alert_enable_weak_encryption.yml b/rules/windows/builtin/win_alert_enable_weak_encryption.yml
index 90af91660..b1728cb41 100644
--- a/rules/windows/builtin/win_alert_enable_weak_encryption.yml
+++ b/rules/windows/builtin/win_alert_enable_weak_encryption.yml
@@ -17,6 +17,11 @@ logsource:
detection:
selection:
EventID: 4738
+ # According to Microsoft, the bit values are listed here: https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4720
+ # However, that seems to be a simple copy from https://docs.microsoft.com/en-US/troubleshoot/windows-server/identity/useraccountcontrol-manipulate-account-properties
+ # and the actual flags that are used are quite different and, unfortunately, not documented.
+ # https://github.com/mdecrevoisier/EVTX-to-MITRE-Attack/ contains a number of EVTX files with relevant events, which can be used to extract
+ # the following values.
olduac_des: # 0x8000
OldUacValue|endswith:
- 8???
diff --git a/rules/windows/other/win_defender_disabled.yml b/rules/windows/other/win_defender_disabled.yml
index 0cd77d6d8..0c3281a6e 100644
--- a/rules/windows/other/win_defender_disabled.yml
+++ b/rules/windows/other/win_defender_disabled.yml
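Review bot: The new `tools` entries are plain keyword strings, so `'rsync '` now fires on any rsync invocation where the old `'rsync -r'` only caught recursive copies, and `condition: tools and filter` still ANDs in a positive `filter` list whose `':'` entry is presumably present in nearly every syslog-style line (timestamps), so that clause adds little if the keyword search runs over the whole message. The name `filter` also suggests an exclusion, which in Sigma convention is `and not filter`; here it is a required match for a remote target. Suggest documenting both choices in the rule, e.g. `tools:  # trailing space: require an argument after the command name` and `filter:  # positive match for a remote target (user@host:path), not an exclusion`. If the widening from `'rsync -r'` to any rsync call was not intended, restore `'rsync -r'` in the `tools` list.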
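Review bot: The new comment records that the `OldUacValue` bit patterns were extracted from sample EVTX files, but it does not note that `endswith: 8???` on the line below only matches when the fourth-from-last character is exactly 8 — if `OldUacValue` is logged as a hex string, a value where 0x8000 is set together with 0x1000, 0x2000 or 0x4000 (nibble 9–F) is missed. Either state that limitation next to `olduac_des: # 0x8000`, or cover the other nibbles with additional `endswith` values (`9???` through `F???`) or an `|re` pattern, if the sample extraction supports it. The comment also cites the event-4720 page while the selection is `EventID: 4738`; add a clause saying the 4738 documentation defers to that table, if that is the reason, so a reader does not take the mismatch for a typo. The enclosing `detection` block continues outside the hunk.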
@@ -54,4 +54,4 @@ detection:
keywords:
- 'Windows Defender Antivirus Service'
- 'stopped'
- condition: selection3 and keywords
\ No newline at end of file
+ condition: selection3 and all of keywords
\ No newline at end of file
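Review bot: `all of keywords` relies on Sigma's rule that `all of` over a single list-of-strings selection turns its OR into an AND, which is easy to misread as a no-op; a one-line comment would help, e.g. `condition: selection3 and all of keywords  # both strings must appear in the same event`. The `'Windows Defender Antivirus Service'` keyword is the English display name; if `selection3` is the Service Control Manager state-change event, that name is localized in the message, so the rule will miss non-English systems — worth a comment next to the keyword, or additional localized names if they are known. The file still lacks a trailing newline (`\ No newline at end of file` on both sides), which yamllint's `new-line-at-end-of-file` flags; add one while touching the last line. The `detection` block and `selection3` start outside the hunk.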