security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[Rule Tuning] Suspicious Process Access via Direct System Call (#2204)

Browse Source 
Excluding some FPs by calltrace.
This commit is contained in:
Samirbous
2022-08-01 18:16:08 +02:00
committed by GitHub
parent 6f69695820
commit a22fef8723
1 changed files with 17 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml
+17 -2
View File
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2021/10/11"
maturity = "production"
updated_date = "2022/03/31"
updated_date = "2022/07/30"
[rule]
author = ["Elastic"]
@@ -35,7 +35,22 @@ process where event.code == "10" and
length(winlog.event_data.CallTrace) > 0 and
/* Sysmon CallTrace starting with unknown memory module instead of ntdll which host Windows NT Syscalls */
not winlog.event_data.CallTrace : ("?:\\WINDOWS\\SYSTEM32\\ntdll.dll*", "?:\\WINDOWS\\SysWOW64\\ntdll.dll*")
not winlog.event_data.CallTrace :
("?:\\WINDOWS\\SYSTEM32\\ntdll.dll*",
"?:\\WINDOWS\\SysWOW64\\ntdll.dll*",
"?:\\Windows\\System32\\wow64cpu.dll*",
"?:\\WINDOWS\\System32\\wow64win.dll*",
"?:\\Windows\\System32\\win32u.dll*") and
not winlog.event_data.TargetImage :
("?:\\Program Files (x86)\\Malwarebytes Anti-Exploit\\mbae-svc.exe",
"?:\\Program Files\\Cisco\\AMP\\*\\sfc.exe",
"?:\\Program Files (x86)\\Microsoft\\EdgeWebView\\Application\\*\\msedgewebview2.exe",
"?:\\Program Files\\Adobe\\Acrobat DC\\Acrobat\\*\\AcroCEF.exe") and
not (process.executable : ("?:\\Program Files\\Adobe\\Acrobat DC\\Acrobat\\Acrobat.exe",
"?:\\Program Files (x86)\\World of Warcraft\\_classic_\\WowClassic.exe") and
not winlog.event_data.TargetImage : "?:\\WINDOWS\\system32\\lsass.exe")
'''