From e0e1396dffd48408b984dff37862e90dad46f511 Mon Sep 17 00:00:00 2001
From: Cyb3rEng <88643791+Cyb3rEng@users.noreply.github.com>
Date: Tue, 31 Aug 2021 22:26:44 -0600
Subject: [PATCH] Updated Rule

Completed the following updates on the rule:
- Modified the title
- incremented 4 spaces for references and tags
- updated false positives
- updated author
- updated description in detection section.
---
 ...mmand_execution_by_Office_Applications.yml | 26 +++++++++----------
 1 file changed, 13 insertions(+), 13 deletions(-)

diff --git a/rules/windows/process_creation/Monitor_WMI_Win32_Process Create_command_execution_by_Office_Applications.yml b/rules/windows/process_creation/Monitor_WMI_Win32_Process Create_command_execution_by_Office_Applications.yml
index 565467ed3..0b20eece5 100644
--- a/rules/windows/process_creation/Monitor_WMI_Win32_Process Create_command_execution_by_Office_Applications.yml
+++ b/rules/windows/process_creation/Monitor_WMI_Win32_Process Create_command_execution_by_Office_Applications.yml
@@ -1,22 +1,22 @@
-title: Monitor WMI "Win32_Process::Create" command execution by Office Applications.
-description: Initial execution of malicious document calls wmic to execute the file with regsvr32
+title: WMI Command Execution by Office Applications
+description: Initial execution of malicious document calls wmic Win32_Process::Create to execute the file with regsvr32
 references:
-- https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/
-- https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/main/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml
-author: "Idea by: Vadim Khrykov"
+ - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/
+ - https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/main/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml
+author: "Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule)"
 tags:
-- attack.t1204.002
-- attack.t1047
-- attack.t1218.010
-- attack.execution
-- attack.defence_evasion
+ - attack.t1204.002
+ - attack.t1047
+ - attack.t1218.010
+ - attack.execution
+ - attack.defence_evasion
 status: experimental
 Date: 2021/23/8
 logsource:
 product: EndPoint Detection Logs
 category: process_creation
 detection:
- description: Add more office applications to the rule logic of choice
+ #useful_information: Add more office applications to the rule logic of choice
 selection1:
 EventLog: EDR
 EventType: WMIExecution
@@ -28,5 +28,5 @@ detection:
 - '*\powerpnt.exe'
 condition: selection1 AND selection2
 falsepositives:
-- ""
-level: high
\ No newline at end of file
+- Unknown
+level: high
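Review bot: The re-indented tag line `+ - attack.defence_evasion` keeps the British spelling, but the ATT&CK tactic tag that Sigma tooling recognises is `attack.defense_evasion`, so this rule will not be mapped to the Defense Evasion tactic; change it to `- attack.defense_evasion`. The context line `Date: 2021/23/8` also looks wrong: Sigma uses a lowercase `date` key in `YYYY/MM/DD` form, and a month of 23 cannot be parsed, so `date: 2021/08/23` was presumably intended — worth confirming with the author. Replacing the non-standard `description` key under `detection` with a comment is the right call, but write it as `# useful_information: Add more office applications to the rule logic of choice` (space after `#`) so yamllint accepts it. The diff has lost the file's leading whitespace, so the actual indentation of the `references`, `tags` and `logsource` children cannot be checked here; make sure all sequences in the file use one consistent indent.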
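Review bot: `condition: selection1 AND selection2` writes the operators in upper case; the Sigma specification spells them lowercase (`and`, `or`, `not`) and not every converter treats them case-insensitively, so `condition: selection1 and selection2` is the safer form. The `selection2` list this condition refers to begins outside the hunk. `falsepositives: - Unknown` is an acceptable placeholder, but naming the benign case that would trip this (a legitimate Office add-in or admin tooling using WMI) would help analysts triage hits more than `Unknown`, if such a case is known.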