From e7aff17e72167fd0a449330ab798e89d62b9fa2f Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Wed, 26 Feb 2020 09:26:19 +0100
Subject: [PATCH] FP: OneDrive setup

---
 .../sysmon/sysmon_susp_run_key_img_folder.yml | 35 ++++++++++---------
 1 file changed, 19 insertions(+), 16 deletions(-)

diff --git a/rules/windows/sysmon/sysmon_susp_run_key_img_folder.yml b/rules/windows/sysmon/sysmon_susp_run_key_img_folder.yml
index 5d5dbd17a..c0fb30f85 100644
--- a/rules/windows/sysmon/sysmon_susp_run_key_img_folder.yml
+++ b/rules/windows/sysmon/sysmon_susp_run_key_img_folder.yml
@@ -9,7 +9,7 @@ tags:
 - attack.persistence
 - attack.t1060
 date: 2018/25/08
-modified: 2019/10/01
+modified: 2020/02/26
 logsource:
 product: windows
 service: sysmon
@@ -17,23 +17,26 @@ detection:
 selection:
 EventID: 13
 TargetObject:
- - '*\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\*'
- - '*\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\\*'
+ - '*\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\*'
+ - '*\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\\*'
 Details:
- - '*C:\Windows\Temp\\*'
- - '*\AppData\\*'
- - '%AppData%\\*'
- - '*C:\$Recycle.bin\\*'
- - '*C:\Temp\\*'
- - '*C:\Users\Public\\*'
- - '%Public%\\*'
- - '*C:\Users\Default\\*'
- - '*C:\Users\Desktop\\*'
- - 'wscript*'
- - 'cscript*'
- condition: selection
+ - '*C:\Windows\Temp\\*'
+ - '*\AppData\\*'
+ - '%AppData%\\*'
+ - '*C:\$Recycle.bin\\*'
+ - '*C:\Temp\\*'
+ - '*C:\Users\Public\\*'
+ - '%Public%\\*'
+ - '*C:\Users\Default\\*'
+ - '*C:\Users\Desktop\\*'
+ - 'wscript*'
+ - 'cscript*'
+ filter:
+ Details|contains:
+ - '\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe' # OneDrive False Positives
+ condition: selection and not filter
 fields:
 - Image
 falsepositives:
- - Software with rare behaviour
+ - Software using the AppData folders for updates
 level: high
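Review bot: The new `filter` in the second hunk keys the exception on `Details|contains` alone, so any Run/RunOnce value that merely contains `\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe` somewhere in its data is excluded regardless of which process wrote it, and Details is exactly the field a persistence entry controls. Since Sysmon EventID 13 also carries the writing process in `Image` (which the rule already lists under `fields`), the exception would be safer tied to both, e.g. adding `Image|endswith: '\OneDriveSetup.exe'` under `filter` so that `selection and not filter` only drops the event when the value path and the writer agree; the exact image name should be confirmed against the telemetry that produced the false positive rather than assumed. A short comment on the filter stating that assumption, e.g. `# exception only for the per-user OneDrive updater registering its own Run entry`, would make the intent reviewable later. Separately, the context line `date: 2018/25/08` in the first hunk is not a valid YYYY/MM/DD value (month 25) and presumably should read `2018/08/25`; since `modified` is being bumped, this could be corrected in the same commit.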