security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
c73a9e416422b8a53bde037be1cf46ae0206f2ef
blue-team-tools/rules
T
History
Karneades c73a9e4164 Fix CommandLine in rule sysmon/sysmon_susp_certutil_command 
Below is an example of a test - the command line does not
include the path nor the .exe. I think this comes from the
initial detection on the Image path and the later switch to
command line.

We could also use both the Image path and the Command Line.

Message     : Process Create:
              Image: C:\Windows\SysWOW64\certutil.exe
              CommandLine: certutil  xx -decode xxx
              Hashes: SHA1=8186D64DD28CD63CA883B1D3CE5F07AEABAD67C0
              ParentImage: C:\Windows\System32\cmd.exe
              ParentCommandLine: "C:\Windows\system32\cmd.exe"
2018-09-23 20:28:56 +02:00
..
application
Fixes for Elasticsearch query correctness CI tests
2018-04-09 22:33:29 +02:00
apt
Rule fix
2018-08-26 22:35:35 +02:00
linux
Update lnx_buffer_overflows.yml
2018-08-25 00:20:34 +02:00
network
Fixed ATT&CK tagging
2018-08-08 15:58:19 +02:00
proxy
ATT&CK tagging QA
2018-09-20 12:44:44 +02:00
web
ATT&CK tagging QA
2018-09-20 12:44:44 +02:00
windows
Fix CommandLine in rule sysmon/sysmon_susp_certutil_command
2018-09-23 20:28:56 +02:00