From 295fc323a18bde405e83797adf815b87ee6dd52f Mon Sep 17 00:00:00 2001
From: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Date: Tue, 14 Mar 2023 19:43:21 +0100
Subject: [PATCH] [Rule Tunings] System Time & Service Discovery (#2589)

* [Rule Tuning] System Time Discovery

* Update rules/windows/discovery_system_service_discovery.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/discovery_system_time_discovery.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
---
 rules/windows/discovery_system_service_discovery.toml | 2 +-
 rules/windows/discovery_system_time_discovery.toml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/rules/windows/discovery_system_service_discovery.toml b/rules/windows/discovery_system_service_discovery.toml
index 83a45eb7e..15640d92d 100644
--- a/rules/windows/discovery_system_service_discovery.toml
+++ b/rules/windows/discovery_system_service_discovery.toml
@@ -30,7 +30,7 @@ process where host.os.type == "windows" and event.type == "start" and
 ((process.name: "net.exe" or process.pe.original_file_name == "net.exe" or (process.name : "net1.exe" and not process.parent.name : "net.exe")) and process.args : ("start", "use") and process.args_count == 2) or
 ((process.name: "sc.exe" or process.pe.original_file_name == "sc.exe") and process.args: ("query", "q*")) or
 ((process.name: "tasklist.exe" or process.pe.original_file_name == "tasklist.exe") and process.args: "/svc")
- )
+ ) and not user.id : "S-1-5-18"
 '''
 
 [[rule.threat]]
diff --git a/rules/windows/discovery_system_time_discovery.toml b/rules/windows/discovery_system_time_discovery.toml
index 7f29c8c8e..8489b4981 100644
--- a/rules/windows/discovery_system_time_discovery.toml
+++ b/rules/windows/discovery_system_time_discovery.toml
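Review bot: The added `and not user.id : "S-1-5-18"` clause at the end of the query also suppresses discovery commands launched in the local SYSTEM context, which is where service-based remote execution and scheduled-task persistence typically run, so the tuning reduces noise at the cost of coverage without recording that trade-off anywhere; the same exclusion is added in the discovery_system_time_discovery.toml hunk. Because the clause sits inside the query string and cannot carry a comment, the rationale belongs in the rule's prose, for example a false_positives or note entry along the lines of `Process starts in the local SYSTEM context (S-1-5-18) are excluded to reduce noise from services and scheduled tasks; SYSTEM-level discovery by an actor who has already escalated will not trigger this rule.` Whether events with no `user.id` populated still match after this change depends on how EQL evaluates the negated comparison on a missing field, which is worth confirming against the data sources behind the rule's index patterns. The query block begins before the hunk: the `query = '''` line and the opening parenthesis closed by the changed `)` are not shown.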
@@ -29,7 +29,7 @@ process where host.os.type == "windows" and event.type == "start" and
 ((process.name: "net.exe" or (process.name : "net1.exe" and not process.parent.name : "net.exe")) and process.args : "time") or
 (process.name: "w32tm.exe" and process.args: "/tz") or
 (process.name: "tzutil.exe" and process.args: "/g")
-)
+) and not user.id : "S-1-5-18"
 '''
 
 [[rule.threat]]