diff --git a/rules/windows/file_event/sysmon_cve_2021_26858_msexchange.yml b/rules/windows/file_event/sysmon_cve_2021_26858_msexchange.yml
index 2e18fec75..0b4ba06e9 100644
--- a/rules/windows/file_event/sysmon_cve_2021_26858_msexchange.yml
+++ b/rules/windows/file_event/sysmon_cve_2021_26858_msexchange.yml
@@ -30,6 +30,6 @@ detection:
     condition: selection and not filter
 fields:
     - ComputerName
-    - TargetFileName
+    - TargetFilename
 falsepositives:
     - Unknown
diff --git a/rules/windows/file_event/sysmon_lsass_memory_dump_file_creation.yml b/rules/windows/file_event/sysmon_lsass_memory_dump_file_creation.yml
index b61b425a7..6db46020d 100755
--- a/rules/windows/file_event/sysmon_lsass_memory_dump_file_creation.yml
+++ b/rules/windows/file_event/sysmon_lsass_memory_dump_file_creation.yml
@@ -20,7 +20,7 @@ detection:
     condition: selection
 fields:
     - ComputerName
-    - TargetFileName
+    - TargetFilename
 falsepositives:
     - Dumping lsass memory for forensic investigation purposes by legitimate incident responder or forensic invetigator
 level: medium
diff --git a/rules/windows/file_event/win_cve_2021_1675_printspooler.yml b/rules/windows/file_event/win_cve_2021_1675_printspooler.yml
index 74ae412fb..60ee7dca1 100644
--- a/rules/windows/file_event/win_cve_2021_1675_printspooler.yml
+++ b/rules/windows/file_event/win_cve_2021_1675_printspooler.yml
@@ -24,6 +24,6 @@ detection:
     condition: selection
 fields:
     - ComputerName
-    - TargetFileName
+    - TargetFilename
 falsepositives:
     - Unknown
diff --git a/rules/windows/other/win_tool_psexec.yml b/rules/windows/other/win_tool_psexec.yml
index 3dee48d03..22a4d3da1 100644
--- a/rules/windows/other/win_tool_psexec.yml
+++ b/rules/windows/other/win_tool_psexec.yml
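Review bot: The rename inside `fields:` only changes which columns a converted query displays, not what it matches, so this hunk alone does not show whether the rule's `detection:` block (above the hunk, outside view) is keyed on Sysmon's `TargetFilename` or still carries the old `TargetFileName` spelling; that block is where a mismatch would silently turn the rule into a no-op on Event ID 11, so it should be checked in the same change. Unlike the win_tool_psexec.yml and sysmon_cve_2021_31979_cve_2021_33771_exploits.yml hunks in this commit, this file (and the lsass and printspooler rules on the same line) receives no `modified:` bump, although the metadata convention visible in the other hunks expects one; adding `modified: 2021/08/06` here would keep the rule set consistent.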
@@ -5,7 +5,7 @@ status: experimental
 description: Detects PsExec service installation and execution events (service and Sysmon)
 author: Thomas Patzke
 date: 2017/06/12
-modified: 2021/05/16
+modified: 2021/08/06
 references:
     - https://www.jpcert.or.jp/english/pub/sr/ir_research.html
     - https://jpcertcc.github.io/ToolAnalysisResultSheet
@@ -22,7 +22,7 @@ fields:
     - ParentCommandLine
     - ServiceName
     - ServiceFileName
-    - TargetFileName
+    - TargetFilename
     - PipeName
 falsepositives:
     - unknown
@@ -60,4 +60,4 @@ logsource:
     product: windows
 detection:
     sysmon_filecreation:
-        TargetFileName|endswith: '\PSEXESVC.exe'
+        TargetFilename|endswith: '\PSEXESVC.exe'
diff --git a/rules/windows/sysmon/sysmon_cve_2021_31979_cve_2021_33771_exploits.yml b/rules/windows/sysmon/sysmon_cve_2021_31979_cve_2021_33771_exploits.yml
index cdede4a80..f2ec067cb 100644
--- a/rules/windows/sysmon/sysmon_cve_2021_31979_cve_2021_33771_exploits.yml
+++ b/rules/windows/sysmon/sysmon_cve_2021_31979_cve_2021_33771_exploits.yml
@@ -5,6 +5,7 @@ status: experimental
 description: Detects patterns as noticed in exploitation of Windows CVE-2021-31979 CVE-2021-33771 vulnerability and DevilsTongue malware by threat group Sourgum
 author: Sittikorn S
 date: 2021/07/16
+modified: 2021/08/06
 references:
     - https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/
     - https://citizenlab.ca/2021/07/hooking-candiru-another-mercenary-spyware-vendor-comes-into-focus/
@@ -24,7 +25,7 @@ logsource:
     category: file_event
 detection:
     selection:
-        TargetFileName|contains:
+        TargetFilename|contains:
             - 'C:\Windows\system32\physmem.sys'
             - 'C:\Windows\System32\IME\IMEJP\imjpueact.dll'
             - 'C:\Windows\system32\ime\IMETC\IMTCPROT.DLL'
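Review bot: The `sysmon_filecreation` selection keys entirely on the default binary name, and PsExec's `-r` switch lets an operator pick a different service name so the dropped executable no longer ends in `\PSEXESVC.exe`; now that the field name actually matches Sysmon's Event ID 11 schema this selection will start firing, so it is worth recording that it is a weak signal on its own. I would put a comment above the selection, `# only catches the default name; PsExec -r <name> drops the binary under another filename, so do not rely on this selection alone`, and confirm that the `condition:` (which sits outside this hunk) does not treat `sysmon_filecreation` as sufficient by itself. The detection block continues past the end of the hunk.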
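Review bot: `TargetFilename|contains:` is paired with absolute paths anchored at `C:\`, so the match is effectively a prefix match that silently misses hosts whose system drive is not C:, and the mixed `system32`/`System32` casing across the entries is only harmless because Sigma string modifiers match case-insensitively by default. If the intent is the specific file under the Windows directory, `TargetFilename|endswith:` on the drive-independent suffix, e.g. `- '\Windows\system32\physmem.sys'`, `- '\Windows\System32\IME\IMEJP\imjpueact.dll'`, `- '\Windows\system32\ime\IMETC\IMTCPROT.DLL'`, keeps the same specificity without the drive assumption. The value list may continue beyond the last line of the hunk, so any further entries would need the same treatment.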