From 98f313526dc22809b9760fe0670f8ead6dbccbec Mon Sep 17 00:00:00 2001
From: Max Altgelt
Date: Wed, 13 Apr 2022 08:57:23 +0200
Subject: [PATCH] fix: copy / paste issues

---
 .../proc_creation_win_malware_conti_7zip.yml | 4 ++--
 .../proc_creation_win_malware_conti_shadowcopy.yml | 6 +++---
 .../proc_creation_win_susp_cmd_shadowcopy_access.yml | 6 +++---
 3 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/rules/windows/process_creation/proc_creation_win_malware_conti_7zip.yml b/rules/windows/process_creation/proc_creation_win_malware_conti_7zip.yml
index aff67440f..23a992248 100644
--- a/rules/windows/process_creation/proc_creation_win_malware_conti_7zip.yml
+++ b/rules/windows/process_creation/proc_creation_win_malware_conti_7zip.yml
@@ -1,4 +1,4 @@
-title: Conti Volume Shadow Listing
+title: Conti NTDS Exfiltration Command
 id: aa92fd02-09f2-48b0-8a93-864813fb8f41
 description: Detects a command used by conti to exfiltrate NTDS
 author: Max Altgelt, Tobias Michalski
@@ -20,5 +20,5 @@ falsepositives:
 - Unknown
 level: high
 tags:
- - attack.collection
+ - attack.collection
 - attack.t1560
\ No newline at end of file
diff --git a/rules/windows/process_creation/proc_creation_win_malware_conti_shadowcopy.yml b/rules/windows/process_creation/proc_creation_win_malware_conti_shadowcopy.yml
index 4d3de67a2..36f686290 100644
--- a/rules/windows/process_creation/proc_creation_win_malware_conti_shadowcopy.yml
+++ b/rules/windows/process_creation/proc_creation_win_malware_conti_shadowcopy.yml
@@ -1,6 +1,6 @@
-title: Conti Volume Shadow Listing
+title: Sensitive Registry Access via Volume Shadow Copy
 id: f57f8d16-1f39-4dcb-a604-6c73d9b54b3d
-description: Detects a command used by conti to access volume shadow backups
+description: Detects a command that accesses password storing registry hives via volume shadow backups
 author: Max Altgelt, Tobias Michalski
 date: 2021/08/09
 modified: 2021/12/02
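Review bot: The new title `Conti NTDS Exfiltration Command` frames this rule as exfiltration, but the tags in the second hunk of the same file are `attack.collection` and `attack.t1560` (Archive Collected Data), so the title and the ATT&CK mapping now disagree. Either name the rule after the archiving behaviour it is tagged for, e.g. `title: Conti NTDS Archiving Command`, or add the matching exfiltration tactic tag if the detection logic, which is outside this hunk, really covers the transfer step. The unchanged description also spells the group name `conti` in lowercase while the new title uses `Conti`; `description: Detects a command used by Conti to archive NTDS for exfiltration` would align wording and tags.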
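Review bot: `modified: 2021/12/02` is left as context while this rule's title and description are rewritten; Sigma convention is to bump the modified date on every rule edit, e.g. `modified: 2022/04/13` to match the commit date. The other two rules in this patch show no such update in their hunks either, though their `modified` lines, if present, fall outside the visible hunks. The new description now describes reading password-storing registry hives through shadow copies, yet the tags in this file's later hunk stay `attack.impact` / `attack.t1490` (Inhibit System Recovery), which fit deleting shadow copies rather than reading credential material from them. `attack.credential_access` with the appropriate `attack.t1003` sub-technique would match the new wording; confirm against the detection block, which is outside the hunk. The same description/tag mismatch applies to `proc_creation_win_susp_cmd_shadowcopy_access.yml`, whose new description also targets copying in-use registry hives from a shadow copy while its tags remain `attack.impact` / `attack.t1490`.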
@@ -26,4 +26,4 @@ falsepositives:
 level: medium
 tags:
 - attack.impact
- - attack.t1490
\ No newline at end of file
+ - attack.t1490
\ No newline at end of file
diff --git a/rules/windows/process_creation/proc_creation_win_susp_cmd_shadowcopy_access.yml b/rules/windows/process_creation/proc_creation_win_susp_cmd_shadowcopy_access.yml
index 9b475340a..a03d6071b 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_cmd_shadowcopy_access.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_cmd_shadowcopy_access.yml
@@ -1,6 +1,6 @@
-title: Conti Volume Shadow Listing
+title: Copy from Volume Shadow Copy
 id: c73124a7-3e89-44a3-bdc1-25fe4df754b1
-description: Detects a command used by conti to access volume shadow backups
+description: Detects a copy execution that targets a shadow copy (sometimes used to copy registry hives that are in use)
 author: Max Altgelt, Tobias Michalski
 date: 2021/08/09
 status: experimental
@@ -19,4 +19,4 @@ falsepositives:
 level: medium
 tags:
 - attack.impact
- - attack.t1490
\ No newline at end of file
+ - attack.t1490
\ No newline at end of file