From a1697230053a10f42abce1a370a0845e62d63a13 Mon Sep 17 00:00:00 2001 From: megan201296 Date: Fri, 13 Jul 2018 13:53:21 -0500 Subject: [PATCH 1/4] fixed typo --- rules/windows/builtin/win_susp_net_recon_activity.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/builtin/win_susp_net_recon_activity.yml b/rules/windows/builtin/win_susp_net_recon_activity.yml index ad857762a..2928e37a7 100644 --- a/rules/windows/builtin/win_susp_net_recon_activity.yml +++ b/rules/windows/builtin/win_susp_net_recon_activity.yml @@ -7,7 +7,7 @@ author: Florian Roth (rule), Jack Croock (method) logsource: product: windows service: security - description: The volume of Event ID 4661 ist high on Domain Controllers and therefore "Audit SAM" and "Audit Kernel Object" advanced audit policy settings are not configured in the recommandations for server systems + description: The volume of Event ID 4661 is high on Domain Controllers and therefore "Audit SAM" and "Audit Kernel Object" advanced audit policy settings are not configured in the recommandations for server systems detection: selection: - EventID: 4661 From 8944be1efdf04e8f104fa01e246044ff20eda4a4 Mon Sep 17 00:00:00 2001 From: megan201296 Date: Fri, 13 Jul 2018 18:36:12 -0500 Subject: [PATCH 2/4] Update sysmon_susp_driver_load.yml --- rules/windows/sysmon/sysmon_susp_driver_load.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/sysmon/sysmon_susp_driver_load.yml b/rules/windows/sysmon/sysmon_susp_driver_load.yml index 1e6e4ede1..1bd365f63 100644 --- a/rules/windows/sysmon/sysmon_susp_driver_load.yml +++ b/rules/windows/sysmon/sysmon_susp_driver_load.yml @@ -10,5 +10,5 @@ detection: ImageLoaded: '*\Temp\*' condition: selection falsepositives: - - there is a relevant set of false positives depending on applications in the envirnment + - there is a relevant set of false positives depending on applications in the environment level: medium 
From a6455cc6122764a245eb2912138d42abcc0e1fb9 Mon Sep 17 00:00:00 2001 From: megan201296 Date: Fri, 13 Jul 2018 18:48:36 -0500 Subject: [PATCH 3/4] typo fix --- rules/windows/sysmon/sysmon_susp_mmc_source.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/sysmon/sysmon_susp_mmc_source.yml b/rules/windows/sysmon/sysmon_susp_mmc_source.yml index f31d0bf06..3231f9a4c 100644 --- a/rules/windows/sysmon/sysmon_susp_mmc_source.yml +++ b/rules/windows/sysmon/sysmon_susp_mmc_source.yml @@ -1,6 +1,6 @@ title: Processes created by MMC status: experimental -description: Processes started by MMC could by a sign of lateral movement using MMC application COM object +description: Processes started be MMC could by a sign of lateral movement using MMC application COM object references: - https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/ logsource: From be7a3b0774ac40caf929f96efb23e6c45ebc2df0 Mon Sep 17 00:00:00 2001 From: megan201296 Date: Fri, 13 Jul 2018 18:49:08 -0500 Subject: [PATCH 4/4] Update sysmon_susp_mmc_source.yml --- rules/windows/sysmon/sysmon_susp_mmc_source.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/sysmon/sysmon_susp_mmc_source.yml b/rules/windows/sysmon/sysmon_susp_mmc_source.yml index 3231f9a4c..7cbc0c82e 100644 --- a/rules/windows/sysmon/sysmon_susp_mmc_source.yml +++ b/rules/windows/sysmon/sysmon_susp_mmc_source.yml @@ -1,6 +1,6 @@ title: Processes created by MMC status: experimental -description: Processes started be MMC could by a sign of lateral movement using MMC application COM object +description: Processes started by MMC could be a sign of lateral movement using MMC application COM object references: - https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/ logsource:
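Review bot: In the win_susp_net_recon_activity.yml hunk (PATCH 1/4) the corrected description line still carries a second spelling error, "recommandations", which should read "recommendations"; since this commit already touches that exact line, fold the second fix into it rather than leaving it for a follow-up. The resulting line would be `description: The volume of Event ID 4661 is high on Domain Controllers and therefore "Audit SAM" and "Audit Kernel Object" advanced audit policy settings are not configured in the recommendations for server systems`.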
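Review bot: The sysmon_susp_driver_load.yml hunk (PATCH 2/4) fixes the spelling of "environment" correctly, but the falsepositives entry it touches stays as vague as before ("a relevant set of false positives depending on applications"), which gives an analyst tuning the rule nothing to act on. While editing this line, consider naming what actually produces driver loads from a Temp path in practice so the entry becomes a usable tuning hint, for example `- Installers and software updaters that stage a driver under a Temp directory before installing it`.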
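Review bot: The sysmon_susp_mmc_source.yml hunk in PATCH 3/4 introduces a new error instead of fixing the existing one: it changes "started by MMC" to "started be MMC" while leaving "could by a sign" untouched, so the description line is worse after this commit than before it. The intended wording is `description: Processes started by MMC could be a sign of lateral movement using MMC application COM object`; since PATCH 4/4 already lands exactly that, squash the two commits so the history does not contain an intermediate state with a broken description.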
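Review bot: The PATCH 4/4 hunk brings the sysmon_susp_mmc_source.yml description to the correct "started by MMC could be a sign of" and supersedes PATCH 3/4 entirely, so it should be squashed with that commit; the subject line "Update sysmon_susp_mmc_source.yml" also says nothing about the change, and a message such as "fix typos in MMC rule description" would make the history searchable. With the wording settled, the title "Processes created by MMC" and the description now agree on what the rule detects, which the referenced enigma0x3 post describes.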