security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[Rule Tuning] LSASS Process Access via Windows API (#3824)

Browse Source 
* Update credential_access_lsass_openprocess_api.toml

* Update credential_access_lsass_openprocess_api.toml

* Update credential_access_lsass_openprocess_api.toml

* fix merge

* newline

* Update credential_access_lsass_openprocess_api.toml

* Update credential_access_lsass_openprocess_api.toml

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
This commit is contained in:
Joe Desimone
2024-07-04 16:45:46 -04:00
committed by GitHub
parent 208e330b44
commit 8dc0963ae6
1 changed files with 12 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/windows/credential_access_lsass_openprocess_api.toml
+12 -2
View File
@@ -2,7 +2,7 @@
creation_date = "2023/03/02"
integration = ["endpoint", "m365_defender"]
maturity = "production"
updated_date = "2024/06/27"
updated_date = "2024/07/04"
[transform]
[[transform.osquery]]
@@ -138,6 +138,7 @@ api where host.os.type == "windows" and
"?:\\Program Files\\Cisco\\AMP\\*\\sfc.exe",
"?:\\Program Files\\Common Files\\McAfee\\AVSolution\\mcshield.exe",
"?:\\Program Files\\EA\\AC\\EAAntiCheat.GameService.exe",
"?:\\Program Files\\Elastic\\Agent\\data\\elastic-agent-*\\components\\agentbeat.exe",
"?:\\Program Files\\Elastic\\Agent\\data\\elastic-agent-*\\components\\metricbeat.exe",
"?:\\Program Files\\Elastic\\Agent\\data\\elastic-agent-*\\components\\osqueryd.exe",
"?:\\Program Files\\Elastic\\Agent\\data\\elastic-agent-*\\components\\packetbeat.exe",
@@ -156,9 +157,18 @@ api where host.os.type == "windows" and
"?:\\Windows\\System32\\csrss.exe",
"?:\\Windows\\System32\\MRT.exe",
"?:\\Windows\\System32\\msiexec.exe",
"?:\\Windows\\System32\\taskhostw.exe",
"?:\\Windows\\System32\\RtkAudUService64.exe",
"?:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
"?:\\Windows\\SysWOW64\\wbem\\WmiPrvSE.exe"
"?:\\Windows\\SysWOW64\\wbem\\WmiPrvSE.exe",
"?:\\Program Files\\Microsoft Monitoring Agent\\Agent\\Health Service State\\*\\pmfexe.exe",
"?:\\Program Files\\Goverlan Inc\\GoverlanAgent\\GovAgentx64.exe",
"?:\\Program Files (x86)\\CheckPoint\\Endpoint Security\\EFR\\EFRService.exe",
"?:\\Program Files (x86)\\CyberCNSAgent\\osqueryi.exe",
"?:\\Program Files (x86)\\Trend Micro\\Security Agent\\TMASutility.exe",
"?:\\Program Files (x86)\\Kaspersky Lab\\KES*\\avp.exe",
"?:\\Program Files\\Wise\\Wise Memory Optimizer\\WiseMemoryOptimzer.exe",
"?:\\Windows\\tenable_mw_scan_142a90001fb65e0beb1751cc8c63edd0.exe"
) and not ?process.code_signature.trusted == false
)
'''