Merge pull request #2894 from SigmaHQ/rule-devel

Reworked some rules and meta data
Florian Roth
2022-04-09 19:30:56 +02:00
committed by GitHub
2 changed files with 10 additions and 7 deletions
@@ -1,11 +1,14 @@
title: Browser Credential Stealing
title: Browser Credential Store Access
id: 91cb43db-302a-47e3-b3c8-7ede481e27bf
status: experimental
description: Steals cookies and credentials from the user
description: Detects suspicious processes based on name and location that access the browser credential stores which can be the sign of credential stealing
references:
- https://www.zscaler.com/blogs/security-research/ffdroider-stealer-targeting-social-media-platform-users
author: frack113
date: 2022/04/09
tags:
- attack.t1003
- attack.credential_access
logsource:
category: file_access
product: windows
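Review bot: the `tags:` block added after `date:` duplicates the one still present at the end of the rule; that copy is only removed in the second hunk, so the two hunks must land together or the YAML will carry two `tags` keys and the later one silently wins. Minor wording in the new description: `which can be the sign of credential stealing` reads better as `which can be a sign of credential stealing`, and the sentence is long enough to split after `stores`. The new title `Browser Credential Store Access` matches what a `file_access` rule can actually observe, which is an improvement over asserting `Stealing`.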
@@ -34,9 +37,6 @@ detection:
TargetFilename|endswith: '\APPDATA\LOCAL\MICROSOFT\WINDOWS\WEBCACHE\WEBCACHEV01.DAT'
condition: selection and not 1 of filter_*
falsepositives:
- Very Probably
- Antivirus, Anti-Spyware, Anti-Malware Software
- Backup software
level: medium
tags:
- attack.t1003
- attack.credential_access
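Review bot: naming antivirus and backup software under `falsepositives:` is right, but nothing in this hunk adds a matching `filter_*` selection for them, so those tools will still trigger the rule even though the condition already supports `not 1 of filter_*`; either add filter entries for the known vendors or state in the description that local tuning is expected. Dropping `- Very Probably` is correct, since it described a likelihood rather than a source of false positives. Removing the trailing `tags:` block here completes the move started in the first hunk.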
@@ -4,6 +4,7 @@ status: experimental
description: Detects programs that use base64 encoded values provided via command line, which is often an indicator of obfuscation but could also be used for legitimate purposes (e.g. if certain special characters would mess with the command line interface, enccrypted keys etc.)
author: Florian Roth
date: 2022/04/05
modified: 2022/04/08
references:
- https://blog.malwarebytes.com/threat-intelligence/2022/04/new-uac-0056-activity-theres-a-go-elephant-in-the-room/d
logsource:
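Review bot: the reference URL ends in `/d`, which looks like a stray character appended to the Malwarebytes path; verify the link resolves and trim it. The new `modified: 2022/04/08` predates the commit date (2022-04-09) shown in the header, so it should be bumped to the date the rule was actually changed. While here, `enccrypted` in the description is a typo for `encrypted`.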
@@ -13,7 +14,9 @@ detection:
selection:
- CommandLine|endswith: '=='
- CommandLine|contains: '== -'
condition: selection
filter:
Image|endswith: '\VeeamAgent.exe'
condition: selection and not 1 of filter*
falsepositives:
- Legitimate software that uses base64 encoded values in its command line
level: medium
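Review bot: the new `filter` selection excludes on `Image|endswith: '\VeeamAgent.exe'` alone, so any process whose binary carries that file name is excluded regardless of where it runs from; anchoring the exclusion on the vendor's install directory as well would keep it tight while still covering the legitimate agent. Also, `condition: selection and not 1 of filter*` uses `filter*` where the other rule in this PR uses `filter_*`; pick one naming convention so future filter sections are not missed by the glob. Consider naming Veeam explicitly under `falsepositives:` now that the filter encodes it.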