From feded2fc13daf059c80fcfe43137c8ae1480de41 Mon Sep 17 00:00:00 2001
From: tr0mb1r
Date: Mon, 15 Jan 2024 18:25:04 +0400
Subject: [PATCH] Merge PR #4672 from @tr0mb1r - move to TH and filter vmware tools

fix: System Information Discovery Via Wmic.EXE - Move to threat hunting and add additional filter to reduce noise coming from VMware Tools

---------

Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
---
 .../proc_creation_win_wmic_recon_system_info.yml | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)
 rename {rules => rules-threat-hunting}/windows/process_creation/proc_creation_win_wmic_recon_system_info.yml (86%)

diff --git a/rules/windows/process_creation/proc_creation_win_wmic_recon_system_info.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_wmic_recon_system_info.yml
similarity index 86%
rename from rules/windows/process_creation/proc_creation_win_wmic_recon_system_info.yml
rename to rules-threat-hunting/windows/process_creation/proc_creation_win_wmic_recon_system_info.yml
index 3e15a560c..ebf076959 100644
--- a/rules/windows/process_creation/proc_creation_win_wmic_recon_system_info.yml
+++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_wmic_recon_system_info.yml
@@ -17,9 +17,11 @@ references:
 - https://www.virustotal.com/gui/file/d6f6bc10ae0e634ed4301d584f61418cee18e5d58ad9af72f8aa552dc4aaeca3/behavior
 author: Joseliyo Sanchez, @Joseliyo_Jstnk
 date: 2023/12/19
+updated: 2024/01/15
 tags:
 - attack.discovery
 - attack.t1082
+ - detection.threat_hunting
 logsource:
 category: process_creation
 product: windows
@@ -55,8 +57,10 @@ detection:
 - 'smbiosbiosversion'
 - 'version'
 - 'videomodedescription'
- condition: all of selection_*
+ filter_optional_vmtools:
+ ParentCommandLine|contains: '\VMware\VMware Tools\serviceDiscovery\scripts\'
+ condition: all of selection_* and not 1 of filter_optional_*
 falsepositives:
- - Unknown
-# Note: Might be upgraded to medium after some time
+ - VMWare Tools serviceDiscovery scripts
+# Note: Might be upgraded to a medium detection rules after some time
 level: low
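Review bot: The new `filter_optional_vmtools` matches `ParentCommandLine|contains` on a relative directory fragment, so any parent process whose command line contains `\VMware\VMware Tools\serviceDiscovery\scripts\` anywhere (including a script staged under a user-writable directory with that sub-path) suppresses the rule, which is the loosest anchor the filter could use. If the serviceDiscovery scripts live at a fixed install location, prefixing the match with the drive and install root (e.g. `':\Program Files\VMware\VMware Tools\serviceDiscovery\scripts\'` — confirm the real path) or pairing it with a `ParentImage` condition would keep the noise reduction while narrowing the exclusion. Since the rule is now a threat-hunting rule at `level: low` this is a tuning trade-off rather than a blocker, but a short comment above the filter recording why parent command line was chosen over parent image would help the next reviewer. The replaced note line also reads awkwardly; `# Note: Might be upgraded to a medium detection rule after some time`. The `detection:` block starts before this hunk.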