some fixes and refactoring

This commit is contained in:
Florian Roth
2022-04-26 15:32:56 +02:00
parent 9b2c35daa1
commit f0253eb67d
4 changed files with 9 additions and 9 deletions
@@ -7,7 +7,7 @@ description: Detects Obfuscated Powershell via use Clip.exe in Scripts
status: unsupported
author: Nikita Nazarov, oscd.community
date: 2020/10/09
modified: 2021/09/18
modified: 2022/04/26
references:
- https://github.com/Neo23x0/sigma/issues/1009 #(Task29)
tags:
@@ -20,7 +20,7 @@ logsource:
category: driver_load
detection:
selection:
ImagePath|re: '(?i).*?echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?).*'
ImagePath|contains: '(Clipboard|i'
condition: selection
falsepositives:
- Unknown
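Review bot: The new `ImagePath|contains: '(Clipboard|i'` line takes a fragment of the regular expression it replaces and uses it as a literal substring, so the selection now only fires when a driver path literally contains an opening parenthesis followed by `Clipboard|i`, which is effectively never, and the `echo`, `clip` and `&&` requirements of the old pattern are dropped entirely. Since this rule is `status: unsupported`, the cheapest correct option is to keep the previous `ImagePath|re` line unchanged; otherwise express the intent as an `ImagePath|contains|all` list of `'echo'`, `'clip'` and `'&&'` plus a second selection matching `'Clipboard'` or `'invoke'`, with `condition: all of selection*`. A literal `'invoke'` will not match the backtick-separated spelling the old regex tolerated, which deserves a comment next to the selection if that obfuscation is in scope.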
@@ -3,7 +3,7 @@ id: 611eab06-a145-4dfa-a295-3ccc5c20f59a
description: Detects Mimikatz DC sync security events
status: experimental
date: 2018/06/03
modified: 2022/03/15
modified: 2022/04/26
author: Benjamin Delpy, Florian Roth, Scott Dermott, Sorina Ionescu
references:
- https://twitter.com/gentilkiwi/status/1003236624925413376
@@ -31,7 +31,7 @@ detection:
SubjectDomainName: 'Window Manager'
filter2:
SubjectUserName|startswith:
- 'NT AUTHORITY'
- 'NT AUT'
- 'MSOL_'
filter3:
SubjectUserName|endswith: '$'
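Review bot: Shortening the filter2 prefix from `'NT AUTHORITY'` to `'NT AUT'` widens an exclusion on a DCSync rule: any SubjectUserName that begins with those six characters is now suppressed, including an ordinary account an attacker with sufficient rights could create under such a name, and neither the hunk nor the commit message says what the shorter prefix is meant to catch. If the goal is to cover other spellings of the built-in identity, list each exact value as its own entry under `SubjectUserName|startswith`, keeping `'NT AUTHORITY'` among them, and add `# exact spellings of the built-in NT AUTHORITY identity; do not shorten` above the list so the next refactor does not widen it further. The detection block this hunk belongs to starts and ends outside the hunk.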
@@ -7,7 +7,7 @@ description: Detects Obfuscated Powershell via use Clip.exe in Scripts
status: experimental
author: Nikita Nazarov, oscd.community
date: 2020/10/09
modified: 2021/09/18
modified: 2022/04/26
references:
- https://github.com/Neo23x0/sigma/issues/1009 #(Task29)
tags:
@@ -21,7 +21,7 @@ logsource:
detection:
selection:
EventID: 4697
ServiceFileName|re: '(?i).*?echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?).*'
ServiceFileName|contains: '(Clipboard|i'
condition: selection
falsepositives:
- Unknown
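Review bot: `ServiceFileName|contains: '(Clipboard|i'` matches the literal characters `(Clipboard|i`, a leftover piece of the regex it replaces, so with this change the rule has effectively stopped firing and has also lost the `echo`, `clip` and `&&` requirements. Sigma string matching is case-insensitive by default, so `(?i)` needs no replacement, but the three tokens have to become a `contains|all` list and the alternation a second selection, as below. A literal `'invoke'` does not match the backtick-separated spelling of invoke that the old pattern allowed; if that obfuscation is in scope, keep a `|re` modifier on that single token. The selection block continues past the last line shown here.
```yaml
    selection:
        EventID: 4697
        ServiceFileName|contains|all:
            - 'echo'
            - 'clip'
            - '&&'
    selection_clip:
        # plain substrings; the backtick-split form of invoke is not covered here
        ServiceFileName|contains:
            - 'Clipboard'
            - 'invoke'
    condition: all of selection*
```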
@@ -4,7 +4,7 @@ description: Detects Obfuscated Powershell via use Clip.exe in Scripts
status: experimental
author: Nikita Nazarov, oscd.community
date: 2020/10/09
modified: 2021/11/30
modified: 2022/04/26
references:
- https://github.com/Neo23x0/sigma/issues/1009 #(Task29)
tags:
@@ -19,8 +19,8 @@ detection:
selection:
Provider_Name: 'Service Control Manager'
EventID: 7045
ImagePath|re: '(?i).*?echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?).*'
condition: selection
ImagePath|contains: '(Clipboard|i'
condition: selection
falsepositives:
- Unknown
level: high
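Review bot: `ImagePath|contains: '(Clipboard|i'` is a literal substring match on a fragment of the old regular expression, so a service image path would have to contain the characters `(Clipboard|i` verbatim for this `level: high` rule to fire, and the `echo`, `clip` and `&&` constraints are gone as well. The two `condition: selection` lines in this hunk suggest a whitespace-only change to that line, which cannot be verified from the rendered view. The intent of the old pattern can be kept without a regex by splitting it into a `contains|all` list and a second selection, as below; note that `'invoke'` as a literal does not cover the backtick-separated spelling the regex tolerated, so keep `|re` on that token if it matters.
```yaml
    selection:
        Provider_Name: 'Service Control Manager'
        EventID: 7045
        ImagePath|contains|all:
            - 'echo'
            - 'clip'
            - '&&'
    selection_clip:
        # plain substrings; the backtick-split form of invoke is not covered here
        ImagePath|contains:
            - 'Clipboard'
            - 'invoke'
    condition: all of selection*
```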