[Rule Tuning] Remove usage of winlog.event_data.OriginalFileName (#667)

Justin Ibarra
2020-12-03 11:00:24 +01:00
committed by GitHub
parent 3ac232085b
commit 4b6ad77338
10 changed files with 10 additions and 18 deletions
@@ -23,8 +23,7 @@ type = "query"
query = '''
event.category:process and event.type:(start or process_started) and
(process.name:desktopimgdownldr.exe or process.pe.original_file_name:desktopimgdownldr.exe or
winlog.event_data.OriginalFileName:desktopimgdownldr.exe) and
(process.name:desktopimgdownldr.exe or process.pe.original_file_name:desktopimgdownldr.exe) and
process.args:/lockscreenurl\:http*
'''
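Review bot: The new line 15 now depends on `process.pe.original_file_name` alone, so any data source that populates only the raw `winlog.event_data.OriginalFileName` field (an agent version or ingest pipeline that does not map it to ECS) stops matching; the same applies to the identical edit in every other hunk of this commit. Presumably the intent is that the shipper maps Sysmon's OriginalFileName onto `process.pe.original_file_name`, but that should be confirmed against the supported integration versions before merging. Consider recording the assumption in the rule's description, e.g. `Requires process.pe.original_file_name to be populated by the endpoint or Winlogbeat integration.`, so the coverage dependency is visible to maintainers. The hunk's trailing context after `'''` is not shown on this page.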
@@ -25,8 +25,7 @@ type = "query"
query = '''
event.category:process and event.type:(start or process_started) and
(process.name:MpCmdRun.exe or process.pe.original_file_name:MpCmdRun.exe or
winlog.event_data.OriginalFileName:MpCmdRun.exe) and
(process.name:MpCmdRun.exe or process.pe.original_file_name:MpCmdRun.exe) and
process.args:(("-DownloadFile" or "-downloadfile") and "-url" and "-path")
'''
@@ -23,7 +23,7 @@ type = "query"
query = '''
event.category:process and event.type:change and
(winlog.event_data.OriginalFileName:(vaultcli.dll or SAMLib.DLL) or
(process.pe.original_file_name:(vaultcli.dll or SAMLib.DLL) or
dll.name:(vaultcli.dll or SAMLib.DLL)) and
process.name: MSBuild.exe
'''
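Review bot: On the new line 30 this image-load rule matches only `process.pe.original_file_name`, which in ECS describes the PE of the process itself rather than of the loaded module, so whether it ever equals `vaultcli.dll` or `SAMLib.DLL` depends entirely on how the shipper maps the event. ECS carries the loaded library's metadata under `dll.*`, including `dll.pe.original_file_name`, which would sit naturally beside the `dll.name` clause on line 31. If sample events show the DLL name is not present in `process.pe.original_file_name`, the removed `winlog.event_data.OriginalFileName` clause was the one doing the work and this hunk is a silent coverage loss; in that case consider `(dll.pe.original_file_name:(vaultcli.dll or SAMLib.DLL) or dll.name:(vaultcli.dll or SAMLib.DLL)) and`.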
@@ -24,8 +24,7 @@ type = "query"
query = '''
event.category:process AND event.type:(start OR process_started) AND
(process.name:appcmd.exe OR process.pe.original_file_name:appcmd.exe or
winlog.event_data.OriginalFileName:appcmd.exe) AND
(process.name:appcmd.exe OR process.pe.original_file_name:appcmd.exe) AND
process.args:(/[lL][iI][sS][tT]/ AND /\/[tT][eE][xX][tT]\:[pP][aA][sS][sS][wW][oO][rR][dD]/)
'''
@@ -28,8 +28,7 @@ type = "query"
query = '''
event.category:process and event.type:(start or process_started) and
(process.name:aspnet_regiis.exe or process.pe.original_file_name:aspnet_regiis.exe or
winlog.event_data.OriginalFileName:aspnet_regiis.exe) and
(process.name:aspnet_regiis.exe or process.pe.original_file_name:aspnet_regiis.exe) and
process.args:(connectionStrings and "-pdf")
'''
@@ -23,7 +23,7 @@ type = "query"
query = '''
event.category:process and event.type:(start or process_started) and
(process.pe.original_file_name:MSBuild.exe or winlog.event_data.OriginalFileName:MSBuild.exe) and
process.pe.original_file_name:MSBuild.exe and
not process.name: MSBuild.exe
'''
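Review bot: With the `winlog` alternative gone, the new line 54 relies on an exact-case match of `MSBuild.exe`, and the `not process.name: MSBuild.exe` exclusion on line 55 is likewise case-sensitive on a keyword field, so an event where `process.name` is recorded as `msbuild.exe` would be reported as a renamed binary. The sibling rule in the following hunk enumerates casing variants for exactly this reason, so the two rules are now inconsistent. If the sample data shows other casings, consider `not process.name:(MSBuild.exe or msbuild.exe)` here to match that convention.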
@@ -23,8 +23,7 @@ type = "query"
query = '''
event.category:process and event.type:(start or process_started) and
(process.pe.original_file_name:(WinWord.exe or EXPLORER.EXE or w3wp.exe or DISM.EXE) or
winlog.event_data.OriginalFileName:(WinWord.exe or EXPLORER.EXE or w3wp.exe or DISM.EXE)) and
process.pe.original_file_name:(WinWord.exe or EXPLORER.EXE or w3wp.exe or DISM.EXE) and
not (process.name:(winword.exe or WINWORD.EXE or explorer.exe or w3wp.exe or Dism.exe) or
process.executable:("C:\Windows\explorer.exe" or
C\:\\Program?Files\\Microsoft?Office\\root\\Office*\\WINWORD.EXE or
@@ -23,8 +23,7 @@ type = "query"
query = '''
event.category:process and event.type:(start or process_started) and
(process.name:appcmd.exe or process.pe.original_file_name:appcmd.exe or
winlog.event_data.OriginalFileName:appcmd.exe) and
(process.name:appcmd.exe or process.pe.original_file_name:appcmd.exe) and
process.args:/dontLog\:\"True\" and
not process.parent.name:iissetup.exe
'''
@@ -22,8 +22,7 @@ type = "query"
query = '''
event.category:process AND event.type:(start OR process_started) AND
(process.pe.original_file_name:/[aA][uU][tT][oO][iI][tT]\d\.[eE][xX][eE]/ OR
winlog.event_data.OriginalFileName:/[aA][uU][tT][oO][iI][tT]\d\.[eE][xX][eE]/) AND
process.pe.original_file_name:/[aA][uU][tT][oO][iI][tT]\d\.[eE][xX][eE]/ AND
NOT process.name:/[aA][uU][tT][oO][iI][tT]\d{1,3}\.[eE][xX][eE]/
'''
@@ -22,8 +22,7 @@ type = "query"
query = '''
event.category:process and event.type:(start or process_started) and
(process.pe.original_file_name:(psexesvc.exe or PSEXESVC.exe) or
winlog.event_data.OriginalFileName:(psexesvc.exe or PSEXESVC.exe)) and
process.pe.original_file_name:(psexesvc.exe or PSEXESVC.exe) and
process.parent.name:services.exe and
not process.name:(psexesvc.exe or PSEXESVC.exe)
'''