security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[Rule Tunings] System Time & Service Discovery (#2589)

Browse Source 
* [Rule Tuning] System Time Discovery

* Update rules/windows/discovery_system_service_discovery.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/discovery_system_time_discovery.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
This commit is contained in:
Ruben Groenewoud
2023-03-14 19:43:21 +01:00
committed by GitHub
parent 1a5bc7e924
commit 295fc323a1
2 changed files with 2 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/windows/discovery_system_service_discovery.toml
+1 -1
View File
@@ -30,7 +30,7 @@ process where host.os.type == "windows" and event.type == "start" and
((process.name: "net.exe" or process.pe.original_file_name == "net.exe" or (process.name : "net1.exe" and not process.parent.name : "net.exe")) and process.args : ("start", "use") and process.args_count == 2) or
((process.name: "sc.exe" or process.pe.original_file_name == "sc.exe") and process.args: ("query", "q*")) or
((process.name: "tasklist.exe" or process.pe.original_file_name == "tasklist.exe") and process.args: "/svc")
)
) and not user.id : "S-1-5-18"
'''
[[rule.threat]]
rules/windows/discovery_system_time_discovery.toml
+1 -1
View File
@@ -29,7 +29,7 @@ process where host.os.type == "windows" and event.type == "start" and
((process.name: "net.exe" or (process.name : "net1.exe" and not process.parent.name : "net.exe")) and process.args : "time") or
(process.name: "w32tm.exe" and process.args: "/tz") or
(process.name: "tzutil.exe" and process.args: "/g")
)
) and not user.id : "S-1-5-18"
'''
[[rule.threat]]