security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: more fp and duplicate id

Browse Source
This commit is contained in:
Nasreddine Bencherchali
2023-01-11 23:47:12 +01:00
parent b6b1eba014
commit d0b2e2cbba
2 changed files with 8 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/windows/builtin/appxdeployment_server/appxdeployment_server_uncommon_package_locations.yml
+5 -4
View File
@@ -1,5 +1,5 @@
title: Uncommon AppX Package Locations
id: 5cdeaf3d-1489-477c-95ab-c318559fc051
id: c977cb50-3dff-4a9f-b873-9290f56132f1
status: experimental
description: Detects an appx package added the pipeline of the "to be processed" packages which is located in uncommon locations
references:
@@ -25,10 +25,11 @@ detection:
- 'C:\Windows\PrintDialog\'
- 'C:\Windows\ImmersiveControlPanel\'
- 'x-windowsupdate://'
- 'file:///C:/Program%20Files%20(x86)/'
- 'file:///C:/Program%20Files%20/'
- 'file:///C:/Program%20Files' # Also covers 'file:///C:/Program%20Files%20(x86)/'
filter_specific:
Path|contains: 'https://statics.teams.cdn.office.net/'
Path|contains:
- 'https://statics.teams.cdn.office.net/'
- 'microsoft.com' # Example: https://go.microsoft.com/fwlink/?linkid=2160968
condition: selection and not 1 of filter_*
falsepositives:
- Unknown
rules/windows/registry/registry_set/registry_set_powershell_execution_policy.yml
+3 -1
View File
@@ -32,7 +32,9 @@ detection:
- 'RemoteSigned'
- 'Unrestricted'
filter_svchost:
Image: 'C:\Windows\system32\svchost.exe'
Image|startswith:
- 'C:\Windows\System32\'
- 'C:\Windows\SysWOW64\'
condition: selection and not 1 of filter_*
falsepositives:
- Unknown