From e542c10e8e951a8839e65bfc404e17673f99df7b Mon Sep 17 00:00:00 2001
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Mon, 20 Dec 2021 11:35:12 +0100
Subject: [PATCH] Fix error

---
 ...ershell_ps_access_to_chrome_login_data.yml | 2 +-
 .../win_pc_false_sysinternalsuite.yml | 304 +++++++++---------
 2 files changed, 153 insertions(+), 153 deletions(-)

diff --git a/rules/windows/powershell/powershell_script/powershell_ps_access_to_chrome_login_data.yml b/rules/windows/powershell/powershell_script/powershell_ps_access_to_chrome_login_data.yml
index 87c0b306d..bb2c80c5b 100644
--- a/rules/windows/powershell/powershell_script/powershell_ps_access_to_chrome_login_data.yml
+++ b/rules/windows/powershell/powershell_script/powershell_ps_access_to_chrome_login_data.yml
@@ -28,4 +28,4 @@ falsepositives:
 level: medium
 tags:
 - attack.credential_access
- - attack.tT1555.003
\ No newline at end of file
+ - attack.t1555.003
\ No newline at end of file
diff --git a/rules/windows/process_creation/win_pc_false_sysinternalsuite.yml b/rules/windows/process_creation/win_pc_false_sysinternalsuite.yml
index 2f5fe36f8..2f1f8182e 100644
--- a/rules/windows/process_creation/win_pc_false_sysinternalsuite.yml
+++ b/rules/windows/process_creation/win_pc_false_sysinternalsuite.yml
@@ -1,4 +1,4 @@
-title: False Sysinternals Suite tools
+title: False Sysinternals Suite Tools
 id: 7cce6fc8-a07f-4d84-a53e-96e1879843c9
 status: experimental
 description: Rename as a legitim Sysinternals Suite tools to evade detection
@@ -10,160 +10,160 @@ logsource:
 category: process_creation
 product: windows
 detection:
- exe:
+ selection_exe:
 Image|endswith:
- - accesschk.exe
- - accesschk64.exe
- - AccessEnum.exe
- - ADExplorer.exe
- - ADExplorer64.exe
- - ADInsight.exe
- - ADInsight64.exe
- - adrestore.exe
- - adrestore64.exe
- - Autologon.exe
- - Autologon64.exe
- - Autoruns.exe
- - Autoruns64.exe
- - autorunsc.exe
- - autorunsc64.exe
- - Bginfo.exe
- - Bginfo64.exe
- - Cacheset.exe
- - Cacheset64.exe
- - Clockres.exe
- - Clockres64.exe
- - Contig.exe
- - Contig64.exe
- - Coreinfo.exe
- - Coreinfo64.exe
- - CPUSTRES.EXE
- - CPUSTRES64.EXE
- - ctrl2cap.exe
- - Dbgview.exe
- - dbgview64.exe
- - Desktops.exe
- - Desktops64.exe
- - disk2vhd.exe
- - disk2vhd64.exe
- - diskext.exe
- - diskext64.exe
- - Diskmon.exe
- - Diskmon64.exe
- - DiskView.exe
- - DiskView64.exe
- - du.exe
- - du64.exe
- - efsdump.exe
- - FindLinks.exe
- - FindLinks64.exe
- - handle.exe
- - handle64.exe
- - hex2dec.exe
- - hex2dec64.exe
- - junction.exe
- - junction64.exe
- - ldmdump.exe
- - listdlls.exe
- - listdlls64.exe
- - livekd.exe
- - livekd64.exe
- - loadOrd.exe
- - loadOrd64.exe
- - loadOrdC.exe
- - loadOrdC64.exe
- - logonsessions.exe
- - logonsessions64.exe
- - movefile.exe
- - movefile64.exe
- - notmyfault.exe
- - notmyfault64.exe
- - notmyfaultc.exe
- - notmyfaultc64.exe
- - ntfsinfo.exe
- - ntfsinfo64.exe
- - pendmoves.exe
- - pendmoves64.exe
- - pipelist.exe
- - pipelist64.exe
- - portmon.exe
- - procdump.exe
- - procdump64.exe
- - procexp.exe
- - procexp64.exe
- - Procmon.exe
- - Procmon64.exe
- - psExec.exe
- - psExec64.exe
- - psfile.exe
- - psfile64.exe
- - psGetsid.exe
- - psGetsid64.exe
- - psInfo.exe
- - psInfo64.exe
- - pskill.exe
- - pskill64.exe
- - pslist.exe
- - pslist64.exe
- - psLoggedon.exe
- - psLoggedon64.exe
- - psloglist.exe
- - psloglist64.exe
- - pspasswd.exe
- - pspasswd64.exe
- - psping.exe
- - psping64.exe
- - psService.exe
- - psService64.exe
- - psshutdown.exe
- - psshutdown64.exe
- - pssuspend.exe
- - pssuspend64.exe
- - RAMMap.exe
- - RDCMan.exe
- - RegDelNull.exe
- - RegDelNull64.exe
- - regjump.exe
- - ru.exe
- - ru64.exe
- - sdelete.exe
- - sdelete64.exe
- - ShareEnum.exe
- - ShareEnum64.exe
- - shellRunas.exe
- - sigcheck.exe
- - sigcheck64.exe
- - streams.exe
- - streams64.exe
- - strings.exe
- - strings64.exe
- - sync.exe
- - sync64.exe
- - Sysmon.exe
- - Sysmon64.exe
- - tcpvcon.exe
- - tcpvcon64.exe
- - tcpview.exe
- - tcpview64.exe
- - Testlimit.exe
- - Testlimit64.exe
- - vmmap.exe
- - vmmap64.exe
- - Volumeid.exe
- - Volumeid64.exe
- - whois.exe
- - whois64.exe
- - Winobj.exe
- - Winobj64.exe
- - ZoomIt.exe
- - ZoomIt64.exe
- valid:
+ - '\accesschk.exe'
+ - '\accesschk64.exe'
+ - '\AccessEnum.exe'
+ - '\ADExplorer.exe'
+ - '\ADExplorer64.exe'
+ - '\ADInsight.exe'
+ - '\ADInsight64.exe'
+ - '\adrestore.exe'
+ - '\adrestore64.exe'
+ - '\Autologon.exe'
+ - '\Autologon64.exe'
+ - '\Autoruns.exe'
+ - '\Autoruns64.exe'
+ - '\autorunsc.exe'
+ - '\autorunsc64.exe'
+ - '\Bginfo.exe'
+ - '\Bginfo64.exe'
+ - '\Cacheset.exe'
+ - '\Cacheset64.exe'
+ - '\Clockres.exe'
+ - '\Clockres64.exe'
+ - '\Contig.exe'
+ - '\Contig64.exe'
+ - '\Coreinfo.exe'
+ - '\Coreinfo64.exe'
+ - '\CPUSTRES.EXE'
+ - '\CPUSTRES64.EXE'
+ - '\ctrl2cap.exe'
+ - '\Dbgview.exe'
+ - '\dbgview64.exe'
+ - '\Desktops.exe'
+ - '\Desktops64.exe'
+ - '\disk2vhd.exe'
+ - '\disk2vhd64.exe'
+ - '\diskext.exe'
+ - '\diskext64.exe'
+ - '\Diskmon.exe'
+ - '\Diskmon64.exe'
+ - '\DiskView.exe'
+ - '\DiskView64.exe'
+ - '\du.exe'
+ - '\du64.exe'
+ - '\efsdump.exe'
+ - '\FindLinks.exe'
+ - '\FindLinks64.exe'
+ - '\handle.exe'
+ - '\handle64.exe'
+ - '\hex2dec.exe'
+ - '\hex2dec64.exe'
+ - '\junction.exe'
+ - '\junction64.exe'
+ - '\ldmdump.exe'
+ - '\listdlls.exe'
+ - '\listdlls64.exe'
+ - '\livekd.exe'
+ - '\livekd64.exe'
+ - '\loadOrd.exe'
+ - '\loadOrd64.exe'
+ - '\loadOrdC.exe'
+ - '\loadOrdC64.exe'
+ - '\logonsessions.exe'
+ - '\logonsessions64.exe'
+ - '\movefile.exe'
+ - '\movefile64.exe'
+ - '\notmyfault.exe'
+ - '\notmyfault64.exe'
+ - '\notmyfaultc.exe'
+ - '\notmyfaultc64.exe'
+ - '\ntfsinfo.exe'
+ - '\ntfsinfo64.exe'
+ - '\pendmoves.exe'
+ - '\pendmoves64.exe'
+ - '\pipelist.exe'
+ - '\pipelist64.exe'
+ - '\portmon.exe'
+ - '\procdump.exe'
+ - '\procdump64.exe'
+ - '\procexp.exe'
+ - '\procexp64.exe'
+ - '\Procmon.exe'
+ - '\Procmon64.exe'
+ - '\psExec.exe'
+ - '\psExec64.exe'
+ - '\psfile.exe'
+ - '\psfile64.exe'
+ - '\psGetsid.exe'
+ - '\psGetsid64.exe'
+ - '\psInfo.exe'
+ - '\psInfo64.exe'
+ - '\pskill.exe'
+ - '\pskill64.exe'
+ - '\pslist.exe'
+ - '\pslist64.exe'
+ - '\psLoggedon.exe'
+ - '\psLoggedon64.exe'
+ - '\psloglist.exe'
+ - '\psloglist64.exe'
+ - '\pspasswd.exe'
+ - '\pspasswd64.exe'
+ - '\psping.exe'
+ - '\psping64.exe'
+ - '\psService.exe'
+ - '\psService64.exe'
+ - '\psshutdown.exe'
+ - '\psshutdown64.exe'
+ - '\pssuspend.exe'
+ - '\pssuspend64.exe'
+ - '\RAMMap.exe'
+ - '\RDCMan.exe'
+ - '\RegDelNull.exe'
+ - '\RegDelNull64.exe'
+ - '\regjump.exe'
+ - '\ru.exe'
+ - '\ru64.exe'
+ - '\sdelete.exe'
+ - '\sdelete64.exe'
+ - '\ShareEnum.exe'
+ - '\ShareEnum64.exe'
+ - '\shellRunas.exe'
+ - '\sigcheck.exe'
+ - '\sigcheck64.exe'
+ - '\streams.exe'
+ - '\streams64.exe'
+ - '\strings.exe'
+ - '\strings64.exe'
+ - '\sync.exe'
+ - '\sync64.exe'
+ - '\Sysmon.exe'
+ - '\Sysmon64.exe'
+ - '\tcpvcon.exe'
+ - '\tcpvcon64.exe'
+ - '\tcpview.exe'
+ - '\tcpview64.exe'
+ - '\Testlimit.exe'
+ - '\Testlimit64.exe'
+ - '\vmmap.exe'
+ - '\vmmap64.exe'
+ - '\Volumeid.exe'
+ - '\Volumeid64.exe'
+ - '\whois.exe'
+ - '\whois64.exe'
+ - '\Winobj.exe'
+ - '\Winobj64.exe'
+ - '\ZoomIt.exe'
+ - '\ZoomIt64.exe'
+ selection_valid:
 Company:
- - "Sysinternals - www.sysinternals.com"
- - "Sysinternals"
- condition: exe and not valid
+ - 'Sysinternals - www.sysinternals.com'
+ - 'Sysinternals'
+ condition: selection_exe and not selection_valid
 falsepositives:
- - unknown
+ - Unknown
 level: medium
 tags:
 - attack.execution
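Review bot: `condition: selection_exe and not selection_valid` matches every legitimate Sysinternals execution whenever the event carries no `Company` field, because an absent field can never satisfy `selection_valid`; the generic `process_creation` logsource is commonly mapped to Security 4688 events as well as Sysmon EID 1, and 4688 has no Company value, so those sources would alert on every listed image name. The new `- Unknown` falsepositives entry should say so, e.g. `- Process creation events that carry no Company field (e.g. Security 4688)`, or the rule should be scoped to a source that populates the field. The mixed-case entries such as `'\CPUSTRES.EXE'` and `'\psExec.exe'` only match renamed files reliably if the backend compares case-insensitively (the Sigma default); lowercasing them would make the list consistent and safe for case-sensitive backends. The hunk ends inside the `tags` list, so the rest of the file is outside this hunk.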