diff --git a/rules-emerging-threats/2022/Exploits/CVE-2022-41120/proc_creation_win_exploit_cve_2022_41120_sysmon_eop.yml b/rules-emerging-threats/2022/Exploits/CVE-2022-41120/proc_creation_win_exploit_cve_2022_41120_sysmon_eop.yml
index 7e06fd83b..84fc5ff19 100644
--- a/rules-emerging-threats/2022/Exploits/CVE-2022-41120/proc_creation_win_exploit_cve_2022_41120_sysmon_eop.yml
+++ b/rules-emerging-threats/2022/Exploits/CVE-2022-41120/proc_creation_win_exploit_cve_2022_41120_sysmon_eop.yml
@@ -8,7 +8,7 @@ references:
 - https://twitter.com/filip_dragovic/status/1590104354727436290
 author: Florian Roth (Nextron Systems), Tim Shelton (fp werfault)
 date: 2022/11/10
-modified: 2023/09/13
+modified: 2023/10/18
 tags:
 - attack.privilege_escalation
 - attack.t1068
@@ -30,6 +30,7 @@ detection:
 - 'wevtutil.exe'
 - 'C:\WINDOWS\system32\wevtutil.exe'
 - 'C:\Windows\System32\WerFault.exe' # When Sysmon crashes
+ - 'C:\Windows\System32\WerFaultSecure.ex' # When Sysmon crashes
 - Image|endswith: '\AppData\Local\Temp\Sysmon.exe' # When launching Sysmon 32bit version.
 filter_main_null:
 Image: null
diff --git a/rules/windows/process_creation/proc_creation_win_susp_system_exe_anomaly.yml b/rules/windows/process_creation/proc_creation_win_susp_system_exe_anomaly.yml
index 2feb13fcf..5af203cdb 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_system_exe_anomaly.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_system_exe_anomaly.yml
@@ -7,7 +7,7 @@ references:
 - https://asec.ahnlab.com/en/39828/
 author: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali
 date: 2017/11/27
-modified: 2023/01/10
+modified: 2023/10/18
 tags:
 - attack.defense_evasion
 - attack.t1036
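Review bot: The added filter value `'C:\Windows\System32\WerFaultSecure.ex'` in the second hunk is missing the trailing `e` of the executable name, so it will not match the real `WerFaultSecure.exe` and the false positive it is meant to suppress will keep firing. The field this list belongs to is above the hunk, but the sibling entries are full paths ending in `.exe`, and a Sigma `Image` list without a modifier is an exact (case-insensitive) match, so a truncated name matches nothing. Change the line to `- 'C:\Windows\System32\WerFaultSecure.exe' # When Sysmon crashes`. Keeping it a full-path exact match, as the neighbouring entries are, is the right shape for an exception in a privilege-escalation rule; a suffix match would widen the hole. The enclosing filter selector starts outside the hunk.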
@@ -78,6 +78,7 @@ detection:
 - Image:
 - 'C:\Windows\explorer.exe'
 - 'C:\Program Files\PowerShell\7\pwsh.exe'
+ - 'C:\Program Files\PowerShell\7-preview\pwsh.exe'
 filter_wsl_windowsapps:
 Image|startswith: 'C:\Program Files\WindowsApps\MicrosoftCorporationII.WindowsSubsystemForLinux'
 Image|endswith: '\wsl.exe'
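Review bot: The new allowlist entry `'C:\Program Files\PowerShell\7-preview\pwsh.exe'` carries no comment saying why it is exempted, whereas the Sysmon rule touched by this same commit annotates each exception inline. Because the entry relaxes the anomaly rule for a second full path, a short `# Default install path of the PowerShell preview channel` after the value would tell the next maintainer why it is acceptable (a fixed path under Program Files rather than a suffix or user-writable location). The filter alternative this `- Image:` list belongs to begins above the hunk, so whether a parent-process condition also constrains it cannot be seen here.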