[Rule Tuning] Remote Execution via File Shares (#4067)

* [Rule Tuning] Remote Execution via File Shares

* Update lateral_movement_execution_via_file_shares_sequence.toml
Jonhnathan
2024-09-11 10:49:41 -03:00
committed by GitHub
parent a8dd78d834
commit 127a56aede
@@ -2,7 +2,7 @@
creation_date = "2020/11/03"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/08/06"
updated_date = "2024/09/11"
[transform]
[[transform.osquery]]
@@ -115,7 +115,7 @@ sequence with maxspan=1m
/* Veeam related processes */
(
process.name : (
"VeeamGuestHelper.exe", "VeeamGuestIndexer.exe", "VeeamAgent.exe", "VeeamLogShipper.exe", "Veeam.VSS.Sharepoint2010.exe"
"VeeamGuestHelper.exe", "VeeamGuestIndexer.exe", "VeeamAgent.exe", "VeeamLogShipper.exe", "Veeam.VSS.Sharepoint20??.exe"
) and process.code_signature.trusted == true and process.code_signature.subject_name : "Veeam Software Group GmbH"
) or
/* PDQ related processes */
@@ -131,7 +131,23 @@ sequence with maxspan=1m
process.code_signature.trusted == true and process.code_signature.subject_name : "CrowdStrike, Inc.") or
(process.executable : "?:\\Windows\\System32\\drivers\\CrowdStrike\\*-CsInstallerService.exe" and
process.code_signature.trusted == true and process.code_signature.subject_name : "Microsoft Windows Hardware Compatibility Publisher")
)
) or
/* MS related processes */
(
process.executable == "System" or
(process.executable : "?:\\Windows\\ccmsetup\\ccmsetup.exe" and
process.code_signature.trusted == true and process.code_signature.subject_name : "Microsoft Corporation")
) or
/* CyberArk processes */
(
process.executable : "?:\\Windows\\CAInvokerService.exe" and
process.code_signature.trusted == true and process.code_signature.subject_name : "CyberArk Software Ltd."
) or
/* Sophos processes */
(
process.executable : "?:\\ProgramData\\Sophos\\AutoUpdate\\Cache\\sophos_autoupdate1.dir\\SophosUpdate.exe" and
process.code_signature.trusted == true and process.code_signature.subject_name : "Sophos Ltd"
)
)
] by host.id, process.executable
'''
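Review bot: The new Sophos exclusion in the third hunk pins the cache path to the literal `sophos_autoupdate1.dir`, which looks like an installation-specific counter rather than a fixed name; hosts whose cache directory carries a different suffix would fall through the exclusion and keep alerting, while the `Sharepoint2010` → `Sharepoint20??` edit in the previous hunk already takes the wildcard approach for the same kind of drift. If that suffix does vary, `"?:\\ProgramData\\Sophos\\AutoUpdate\\Cache\\sophos_autoupdate?.dir\\SophosUpdate.exe"` keeps the exclusion just as narrow while surviving the variation, and the `process.code_signature.trusted == true` / `"Sophos Ltd"` gate that follows remains the control that stops an attacker from simply dropping a binary at that ProgramData path. In the same hunk, `process.executable == "System"` under the MS block is the one exclusion with no signature gate; if that line is new in this commit, a short comment such as `/* "System" is the kernel pseudo-process; no image or signature to check */` would tell the next tuner why it is acceptable. The enclosing sequence query starts before this hunk, so the first event's constraints are not visible here.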