security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge PR #4716 from @qasimqlf - Update rule condition and filter

Browse Source 
update: External Disk Drive Or USB Storage Device Was Recognized By The System - Update selection to reflect the logic correctly
fix: Uncommon Service Installation Image Path - Update filter logic to use correct modifiers 
---------

Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
This commit is contained in:
Qasim Qlf
2024-02-12 15:06:39 +05:00
committed by GitHub
parent 9ae511ec6f
commit cf84dcda62
2 changed files with 10 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/windows/builtin/security/win_security_external_device.yml
+7 -7
View File
@@ -1,12 +1,12 @@
title: External Disk Drive Or USB Storage Device Was Recognized By The System
id: f69a87ea-955e-4fb4-adb2-bb9fd6685632
status: test
description: Detects external diskdrives or plugged in USB devices, EventID 6416 on Windows 10 or later
description: Detects external disk drives or plugged-in USB devices.
references:
- https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-6416
author: Keith Wright
date: 2019/11/20
modified: 2024/01/16
modified: 2024/02/09
tags:
- attack.t1091
- attack.t1200
@@ -16,12 +16,12 @@ logsource:
product: windows
service: security
detection:
selection_disk:
selection_eid:
EventID: 6416
ClassName: 'DiskDrive'
selection_usb:
DeviceDescription: 'USB Mass Storage Device'
condition: 1 of selection_*
selection_field:
- ClassName: 'DiskDrive'
- DeviceDescription: 'USB Mass Storage Device'
condition: all of selection_*
falsepositives:
- Likely
level: low
rules/windows/builtin/system/service_control_manager/win_system_service_install_uncommon.yml
+3 -3
View File
@@ -12,7 +12,7 @@ references:
- Internal Research
author: Florian Roth (Nextron Systems)
date: 2022/03/18
modified: 2023/12/04
modified: 2024/02/09
tags:
- attack.persistence
- attack.privilege_escalation
@@ -42,9 +42,9 @@ detection:
- ' SQBFAFgA' # PowerShell encoded commands
- ' SUVYI' # PowerShell encoded commands
filter_optional_thor_remote:
ImagePath|startswith: ':\WINDOWS\TEMP\thor10-remote\thor64.exe'
ImagePath|startswith: 'C:\WINDOWS\TEMP\thor10-remote\thor64.exe'
filter_main_defender_def_updates:
ImagePath|contains: ':\ProgramData\Microsoft\Windows Defender\Definition Updates\'
ImagePath|startswith: 'C:\ProgramData\Microsoft\Windows Defender\Definition Updates\'
condition: selection and ( suspicious_paths or all of suspicious_encoded_* ) and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Unknown