fix: fp found in testing

Nasreddine Bencherchali
2023-01-11 20:05:55 +01:00
parent fbae1f3055
commit f4d4526d0f
2 changed files with 20 additions and 8 deletions
@@ -7,7 +7,7 @@ references:
- https://twitter.com/D1rkMtr/status/1611471891193298944?s=20
author: frack113
date: 2023/01/07
modified: 2023/01/09
modified: 2023/01/11
tags:
- attack.defense_evasion
- attack.t1562.002
@@ -20,12 +20,20 @@ detection:
CallTrace|startswith: 'C:\Windows\SYSTEM32\ntdll.dll+'
CallTrace|contains: '|UNKNOWN('
CallTrace|endswith: ')'
filter_msbuild:
SourceImage|startswith: 'C:\Program Files\Microsoft Visual Studio\'
SourceImage|endswith:
- '\MSBuild\Current\Bin\amd64\MSBuild.exe'
- '\MSBuild\Current\Bin\MSBuild.exe'
TargetImage|startswith: 'C:\Program Files\Microsoft Visual Studio\'
filter_generic:
SourceImage|startswith:
- 'C:\Program Files\'
- 'C:\Program Files (x86)\'
- 'C:\Windows\System32\'
- 'C:\Windows\SysWOW64\'
TargetImage|startswith:
- 'C:\Program Files\'
- 'C:\Program Files (x86)\'
- 'C:\Windows\System32\'
- 'C:\Windows\SysWOW64\'
filter_thor:
SourceImage|startswith: 'C:\Windows\Temp\asgard2-agent\'
SourceImage|endswith: '\thor\thor64.exe'
condition: selection and not 1 of filter_*
falsepositives:
- Unknown
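Review bot: The new `filter_generic` excludes any CreateRemoteThread whose SourceImage and TargetImage both start with `C:\Program Files\`, `C:\Program Files (x86)\`, `C:\Windows\System32\` or `C:\Windows\SysWOW64\`, which covers most of the process population on a host, so an injection with an `|UNKNOWN(` call trace from a compromised-but-legitimate process in those directories (a browser or Office process under Program Files) into a System32 target no longer fires and the filter largely overrides the selection. If the false positives found in testing came from specific images, listing them under `SourceImage|endswith` the way `filter_msbuild` does would keep the rule useful; the Sysmon EID 8 fields seen here give nothing else (no hash or signer) to anchor on. `filter_thor` keys only on a path under `C:\Windows\Temp\`, which on default installs appears writable by standard users, so a planted `C:\Windows\Temp\asgard2-agent\<x>\thor\thor64.exe` would presumably inherit the exclusion — worth a comment such as `# ASGARD-deployed THOR; path-based exclusion, spoofable by anyone who can write under C:\Windows\Temp` so the trade-off is recorded. `falsepositives` still reads `- Unknown` although the commit now carves out MSBuild and THOR; record them, e.g. `- MSBuild from Visual Studio` and `- THOR scanner deployed via the ASGARD agent`.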
@@ -6,7 +6,7 @@ references:
- https://github.com/Wh04m1001/SysmonEoP
author: frack113, Tim Shelton (update fp)
date: 2022/12/05
modified: 2023/01/10
modified: 2023/01/11
tags:
- attack.privilege_escalation
- attack.defense_evasion
@@ -53,6 +53,10 @@ detection:
ParentImage|startswith: 'C:\Windows\SysWOW64\config\systemprofile\Citrix\UpdaterBinaries\'
ParentImage|endswith: '\CitrixReceiverUpdater.exe'
Image|endswith: '\cmd.exe'
filter_thor:
ParentImage|endswith: '\python.exe'
CommandLine: 'C:\WINDOWS\system32\cmd.exe /c "ver"'
CurrentDirectory|contains: 'C:\WINDOWS\Temp\asgard2-agent\'
condition: all of selection_* and not 1 of filter_*
falsepositives:
- Unknown
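Review bot: The added `filter_thor` is named after THOR but none of its three conditions mention the scanner: it excludes any `\python.exe` parent running exactly `C:\WINDOWS\system32\cmd.exe /c "ver"` with a CurrentDirectory under `C:\WINDOWS\Temp\asgard2-agent\`, and a later maintainer cannot tell from the rule why that combination belongs to THOR. Add a comment above the filter, e.g. `# ASGARD agent (python) probes the OS version via cmd /c ver from its Temp working directory — presumably THOR deployment; confirm` so the exclusion can be re-validated when the agent changes. Because the match is an exact command line and the excluded command is only `ver`, the bypass surface is limited to that one invocation, which seems an acceptable trade-off but should be stated in `falsepositives` (still `- Unknown`), e.g. `- THOR/ASGARD agent running cmd /c ver`. The `selection_*` blocks this filter is combined with at `condition` start outside the hunk, so I could not check that `all of selection_*` still constrains the image the filter relies on.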