fix TargetFilename case error

This commit is contained in:
frack113
2021-08-06 08:43:05 +02:00
parent eb247704fe
commit cf8d8d3ed4
5 changed files with 8 additions and 7 deletions
@@ -30,6 +30,6 @@ detection:
condition: selection and not filter
fields:
- ComputerName
- TargetFileName
- TargetFilename
falsepositives:
- Unknown
@@ -20,7 +20,7 @@ detection:
condition: selection
fields:
- ComputerName
- TargetFileName
- TargetFilename
falsepositives:
- Dumping lsass memory for forensic investigation purposes by legitimate incident responder or forensic invetigator
level: medium
@@ -24,6 +24,6 @@ detection:
condition: selection
fields:
- ComputerName
- TargetFileName
- TargetFilename
falsepositives:
- Unknown
+3 -3
@@ -5,7 +5,7 @@ status: experimental
description: Detects PsExec service installation and execution events (service and Sysmon)
author: Thomas Patzke
date: 2017/06/12
modified: 2021/05/16
modified: 2021/08/06
references:
- https://www.jpcert.or.jp/english/pub/sr/ir_research.html
- https://jpcertcc.github.io/ToolAnalysisResultSheet
@@ -22,7 +22,7 @@ fields:
- ParentCommandLine
- ServiceName
- ServiceFileName
- TargetFileName
- TargetFilename
- PipeName
falsepositives:
- unknown
@@ -60,4 +60,4 @@ logsource:
product: windows
detection:
sysmon_filecreation:
TargetFileName|endswith: '\PSEXESVC.exe'
TargetFilename|endswith: '\PSEXESVC.exe'
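Review bot: The `sysmon_filecreation` selection in the last hunk keys only on the default service binary name `\PSEXESVC.exe`, while the description promises detection of PsExec service installation in general; as far as I know PsExec lets the operator rename the remote service executable (its `-r` switch), so a renamed copy would never reach this selection. That limitation is worth recording next to the selection, e.g. `# NOTE: matches only the default PSEXESVC.exe name; a renamed service binary is caught only by the service-installation selections`, or as a caveat in `falsepositives`/`description`. The renamed field now means this selection can actually fire on backends that map Sysmon's `TargetFilename` strictly, so the `modified` bump is appropriate. The `condition` that combines this selection with the others lies outside the hunk.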
@@ -5,6 +5,7 @@ status: experimental
description: Detects patterns as noticed in exploitation of Windows CVE-2021-31979 CVE-2021-33771 vulnerability and DevilsTongue malware by threat group Sourgum
author: Sittikorn S
date: 2021/07/16
modified: 2021/08/06
references:
- https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/
- https://citizenlab.ca/2021/07/hooking-candiru-another-mercenary-spyware-vendor-comes-into-focus/
@@ -24,7 +25,7 @@ logsource:
category: file_event
detection:
selection:
TargetFileName|contains:
TargetFilename|contains:
- 'C:\Windows\system32\physmem.sys'
- 'C:\Windows\System32\IME\IMEJP\imjpueact.dll'
- 'C:\Windows\system32\ime\IMETC\IMTCPROT.DLL'
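Review bot: The `selection` in this hunk pins every path to the `C:` drive, so a host whose system drive is another letter never matches, and `TargetFilename|contains` applied to a fully rooted path is effectively an equality test that gains nothing from `contains`. A drive-agnostic and more explicit form is `TargetFilename|endswith:` with the leading `C:` dropped, e.g. `- '\Windows\system32\physmem.sys'` — one modifier change plus trimming each list entry, which may continue past the hunk. It would also help to add a comment above the selection stating where the file paths come from (presumably the referenced Microsoft and Citizen Lab write-ups — confirm) so future edits keep the list in sync with the source.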