Merge pull request #2469 from frack113/aurora_fp

Aurora FP
frack113
2021-12-20 08:39:13 +01:00
committed by GitHub
3 changed files with 19 additions and 7 deletions
@@ -11,7 +11,7 @@ references:
- https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
- https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
date: 2019/10/25
modified: 2021/12/18
modified: 2021/12/19
logsource:
category: registry_event
product: windows
@@ -36,13 +36,17 @@ detection:
- '\Authentication\PLAP Providers'
- '\Authentication\Credential Providers'
- '\Authentication\Credential Provider Filters'
filter:
filter_all:
- Details: '(Empty)'
- TargetObject|endswith: '\NgcFirst\ConsecutiveSwitchCount'
- Image|endswith: '\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe' # C:\Users\*\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe
- Image:
- 'C:\WINDOWS\system32\devicecensus.exe'
condition: current_version_base and current_version and not filter
filter_edge:
Image|contains|all:
- 'C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{'
- '\setup.exe'
condition: current_version_base and current_version and not 1 of filter_*
fields:
- SecurityID
- ObjectName
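Review bot: The new `filter_edge` selection matches with `Image|contains|all`, so neither fragment is anchored to the start or end of the image path; any image path that merely contains `\EdgeUpdate\Install\{` and `\setup.exe` somewhere in it is excluded from the rule, which is wider than the Edge installer the comment-free filter is evidently meant to whitelist. Anchoring both fragments keeps the same intent while narrowing the exclusion: `Image|startswith: 'C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{'` and `Image|endswith: '\setup.exe'` as two keys of the same map (Sigma ANDs keys within a map). The identical `filter_edge` block is added in the second and third files of this PR as well and would take the same change. A one-line comment above the block naming what is being excluded (e.g. `# Microsoft Edge updater runs setup.exe from a GUID-named install directory`) would also help the next maintainer judge the filter's scope.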
@@ -11,7 +11,7 @@ references:
- https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
- https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
date: 2019/10/25
modified: 2021/12/05
modified: 2021/12/19
logsource:
category: registry_event
product: windows
@@ -27,9 +27,13 @@ detection:
- '\Explorer\ShellExecuteHooks'
- '\Explorer\SharedTaskScheduler'
- '\Explorer\Browser Helper Objects'
filter:
filter_empty:
Details: '(Empty)'
condition: wow_current_version_base and wow_current_version and not filter
filter_edge:
Image|contains|all:
- 'C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{'
- '\setup.exe'
condition: wow_current_version_base and wow_current_version and not 1 of filter_*
fields:
- SecurityID
- ObjectName
@@ -7,7 +7,7 @@ references:
- https://attack.mitre.org/techniques/T1546/015/
author: Maxime Thiebaut (@0xThiebaut), oscd.community, Cédric Hien
date: 2020/04/14
modified: 2021/12/16
modified: 2021/12/19
tags:
- attack.persistence
- attack.t1546.015
@@ -48,6 +48,10 @@ detection:
Image|contains|all:
- 'C:\ProgramData\Microsoft\Windows Defender\Platform\'
- '\MsMpEng.exe'
filter_edge:
Image|contains|all:
- 'C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{'
- '\setup.exe'
condition: selection and not 1 of filter*
falsepositives:
- Some installed utilities (i.e. OneDrive) may serve new COM objects at user-level
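Review bot: The new condition here uses the glob `1 of filter*`, while the two other rules changed in this PR use `1 of filter_*`; the difference is significant because `filter*` also matches a selection named plainly `filter`, whereas `filter_*` does not. The existing Defender filter's name line (above the `Image|contains|all:` at the top of this hunk) is outside the hunk, so it cannot be confirmed here whether that selection is named `filter` or `filter_<something>`; if it is `filter`, the looser glob is load-bearing and deserves a comment, and if it is not, `1 of filter_*` would keep the three rules consistent. Consider `condition: selection and not 1 of filter_*` together with a descriptive name for the Defender selection, or a short comment on the condition line explaining why the broader glob is used.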