From f0253eb67dee09ca38ef809e51eaeb0ffecd96e2 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Tue, 26 Apr 2022 15:32:56 +0200
Subject: [PATCH] some fixes and refactoring
---
 ...driver_load_invoke_obfuscation_via_use_clip_services.yml | 4 ++--
 rules/windows/builtin/security/win_dcsync.yml | 4 ++--
 ...in_invoke_obfuscation_via_use_clip_services_security.yml | 4 ++--
 .../system/win_invoke_obfuscation_via_use_clip_services.yml | 6 +++---
 4 files changed, 9 insertions(+), 9 deletions(-)
diff --git a/rules-unsupported/driver_load_invoke_obfuscation_via_use_clip_services.yml b/rules-unsupported/driver_load_invoke_obfuscation_via_use_clip_services.yml
index 1d3a652f4..6660b03e1 100644
--- a/rules-unsupported/driver_load_invoke_obfuscation_via_use_clip_services.yml
+++ b/rules-unsupported/driver_load_invoke_obfuscation_via_use_clip_services.yml
@@ -7,7 +7,7 @@ description: Detects Obfuscated Powershell via use Clip.exe in Scripts
 status: unsupported
 author: Nikita Nazarov, oscd.community
 date: 2020/10/09
-modified: 2021/09/18
+modified: 2022/04/26
 references:
 - https://github.com/Neo23x0/sigma/issues/1009 #(Task29)
 tags:
@@ -20,7 +20,7 @@ logsource:
 category: driver_load
 detection:
 selection:
- ImagePath|re: '(?i).*?echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?).*'
+ ImagePath|contains: '(Clipboard|i'
 condition: selection
 falsepositives:
 - Unknown
diff --git a/rules/windows/builtin/security/win_dcsync.yml b/rules/windows/builtin/security/win_dcsync.yml
index b51e24c5c..4bc9b53db 100644
--- a/rules/windows/builtin/security/win_dcsync.yml
+++ b/rules/windows/builtin/security/win_dcsync.yml
@@ -3,7 +3,7 @@ id: 611eab06-a145-4dfa-a295-3ccc5c20f59a
 description: Detects Mimikatz DC sync security events
 status: experimental
 date: 2018/06/03
-modified: 2022/03/15
+modified: 2022/04/26
 author: Benjamin Delpy, Florian Roth, Scott Dermott, Sorina Ionescu
 references:
 - https://twitter.com/gentilkiwi/status/1003236624925413376
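Review bot: The new `ImagePath|contains: '(Clipboard|i'` line in the second hunk of the driver_load rule turns a regex alternation into a literal substring, so under the `contains` modifier the rule only fires when the characters `(Clipboard|i` appear verbatim in a driver image path, which is unlikely to ever happen; the `echo`/`clip`/`&&` requirements of the removed `|re` pattern and its tolerance for backtick-obfuscated `invoke` are dropped as well. This reads like a truncated mechanical conversion rather than an intended rewrite, and the commit message does not explain it. The file is under rules-unsupported, so the impact is limited here, but the identical value is written into the two supported rules later in this patch. Either restore the removed `ImagePath|re:` line unchanged, or express the pattern as an `ImagePath|contains|all` list over `echo`, `clip` and `&&` plus a separate selection for the `Clipboard`/`invoke` alternation, with a comment noting that the backtick-obfuscated `invoke` variants are then no longer covered.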
@@ -31,7 +31,7 @@ detection:
 SubjectDomainName: 'Window Manager'
 filter2:
 SubjectUserName|startswith:
- - 'NT AUTHORITY'
+ - 'NT AUT'
 - 'MSOL_'
 filter3:
 SubjectUserName|endswith: '$'
diff --git a/rules/windows/builtin/security/win_invoke_obfuscation_via_use_clip_services_security.yml b/rules/windows/builtin/security/win_invoke_obfuscation_via_use_clip_services_security.yml
index ba8f04600..302f7f1eb 100644
--- a/rules/windows/builtin/security/win_invoke_obfuscation_via_use_clip_services_security.yml
+++ b/rules/windows/builtin/security/win_invoke_obfuscation_via_use_clip_services_security.yml
@@ -7,7 +7,7 @@ description: Detects Obfuscated Powershell via use Clip.exe in Scripts
 status: experimental
 author: Nikita Nazarov, oscd.community
 date: 2020/10/09
-modified: 2021/09/18
+modified: 2022/04/26
 references:
 - https://github.com/Neo23x0/sigma/issues/1009 #(Task29)
 tags:
@@ -21,7 +21,7 @@ logsource:
 detection:
 selection:
 EventID: 4697
- ServiceFileName|re: '(?i).*?echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?).*'
+ ServiceFileName|contains: '(Clipboard|i'
 condition: selection
 falsepositives:
 - Unknown
diff --git a/rules/windows/builtin/system/win_invoke_obfuscation_via_use_clip_services.yml b/rules/windows/builtin/system/win_invoke_obfuscation_via_use_clip_services.yml
index 30e6cf454..ac4e8e0c7 100644
--- a/rules/windows/builtin/system/win_invoke_obfuscation_via_use_clip_services.yml
+++ b/rules/windows/builtin/system/win_invoke_obfuscation_via_use_clip_services.yml
@@ -4,7 +4,7 @@ description: Detects Obfuscated Powershell via use Clip.exe in Scripts
 status: experimental
 author: Nikita Nazarov, oscd.community
 date: 2020/10/09
-modified: 2021/11/30
+modified: 2022/04/26
 references:
 - https://github.com/Neo23x0/sigma/issues/1009 #(Task29)
 tags:
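Review bot: Shortening the `filter2` prefix from `'NT AUTHORITY'` to `'NT AUT'` in the win_dcsync hunk widens that filter rather than tightening it, and nothing in the commit says why. The condition that combines `filter2` with the selection lies outside this hunk, but a `startswith` exclusion on `SubjectUserName` only grows more permissive with a shorter prefix; if the filters are negated in the condition, as their names suggest, any account whose name begins with `NT AUT` would now be excluded from DCSync detection, which is broader than the system accounts the original value targeted. Unless there is a concrete event where the subject is logged in a shorter form, revert to `- 'NT AUTHORITY'`, and consider adding a comment next to the filter that this is a prefix match an attacker-created account name could satisfy.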
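Review bot: `ServiceFileName|contains: '(Clipboard|i'` in the EventID 4697 hunk is a literal substring test, so the parentheses and pipe that formed the alternation in the removed `|re` line are now matched as plain characters and the `echo`/`clip`/`&&` part of the original pattern is gone entirely; the rule will no longer trigger on the obfuscated service paths it was written to catch. This is a supported rule under rules/windows/builtin/security, so the change silently disables a detection rather than refactoring it. Restore the removed `ServiceFileName|re:` line, or rewrite it as `ServiceFileName|contains|all` over `echo`, `clip` and `&&` combined with a second selection on `Clipboard`/`invoke`, and bump `modified` once the rule has been checked against a sample event.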
@@ -19,8 +19,8 @@ detection:
 selection:
 Provider_Name: 'Service Control Manager'
 EventID: 7045
- ImagePath|re: '(?i).*?echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?).*'
- condition: selection
+ ImagePath|contains: '(Clipboard|i'
+ condition: selection
 falsepositives:
 - Unknown
 level: high
\ No newline at end of file
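Review bot: The replacement `ImagePath|contains: '(Clipboard|i'` for the 7045 service-install rule has the same defect as the other two rules in this patch: under `contains` the value is a plain substring, so `(`, `|` and the truncated `i` are literal characters and the `echo`/`clip`/`&&` requirement of the original regex is lost, leaving a `level: high` rule that effectively cannot fire. The `condition: selection` line is rewritten with no visible textual change, so that part is presumably indentation only and harmless. Restore the removed `ImagePath|re:` line (or an equivalent `contains|all` list plus a `Clipboard`/`invoke` selection), and as a minor style point keep a trailing newline on the file so the `\ No newline at end of file` marker does not recur in later diffs.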