security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[Rule Tuning] Unusual File Creation - Alternate Data Stream (#3848)

Browse Source 
(cherry picked from commit d5c34b5750)
This commit is contained in:
Jonhnathan
2024-07-01 13:45:19 -03:00
committed by github-actions[bot]
parent 0b808211f6
commit c4caabfe07
1 changed files with 30 additions and 25 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/windows/defense_evasion_unusual_ads_file_creation.toml
+30 -25
View File
@@ -2,7 +2,7 @@
creation_date = "2021/01/21"
integration = ["endpoint", "windows"]
maturity = "production"
updated_date = "2024/05/21"
updated_date = "2024/06/28"
[transform]
[[transform.osquery]]
@@ -126,36 +126,41 @@ file where host.os.type == "windows" and event.type == "creation" and
file.path : "C:\\*:*" and
not file.path :
("C:\\*:zone.identifier*",
"C:\\users\\*\\appdata\\roaming\\microsoft\\teams\\old_weblogs_*:$DATA") and
"C:\\users\\*\\appdata\\roaming\\microsoft\\teams\\old_weblogs_*:$DATA",
"C:\\Windows\\CSC\\*:CscBitmapStream") and
not process.executable :
("?:\\windows\\System32\\svchost.exe",
"?:\\Windows\\System32\\inetsrv\\w3wp.exe",
"?:\\Windows\\explorer.exe",
"?:\\Windows\\System32\\sihost.exe",
"?:\\Windows\\System32\\PickerHost.exe",
"?:\\Windows\\System32\\SearchProtocolHost.exe",
"?:\\Program Files (x86)\\Dropbox\\Client\\Dropbox.exe",
"?:\\Program Files\\Rivet Networks\\SmartByte\\SmartByteNetworkService.exe",
"?:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe",
"?:\\Program Files\\ExpressConnect\\ExpressConnectNetworkService.exe",
"?:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe",
"?:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
"?:\\Program Files\\Mozilla Firefox\\firefox.exe",
"?:\\Program Files(x86)\\Microsoft Office\\root\\*\\EXCEL.EXE",
"?:\\Program Files\\Microsoft Office\\root\\*\\EXCEL.EXE",
"?:\\Program Files (x86)\\Microsoft Office\\root\\*\\OUTLOOK.EXE",
"?:\\Program Files\\Microsoft Office\\root\\*\\OUTLOOK.EXE",
"?:\\Program Files (x86)\\Microsoft Office\\root\\*\\POWERPNT.EXE",
"?:\\Program Files\\Microsoft Office\\root\\*\\POWERPNT.EXE",
"?:\\Program Files (x86)\\Microsoft Office\\root\\*\\WINWORD.EXE",
"?:\\Program Files\\Microsoft Office\\root\\*\\WINWORD.EXE") and
not process.executable : (
"?:\\Program Files (x86)\\Dropbox\\Client\\Dropbox.exe",
"?:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe",
"?:\\Program Files (x86)\\Microsoft Office\\root\\*\\EXCEL.EXE",
"?:\\Program Files (x86)\\Microsoft Office\\root\\*\\OUTLOOK.EXE",
"?:\\Program Files (x86)\\Microsoft Office\\root\\*\\POWERPNT.EXE",
"?:\\Program Files (x86)\\Microsoft Office\\root\\*\\WINWORD.EXE",
"?:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe",
"?:\\Program Files\\ExpressConnect\\ExpressConnectNetworkService.exe",
"?:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
"?:\\Program Files\\Microsoft Office\\root\\*\\EXCEL.EXE",
"?:\\Program Files\\Microsoft Office\\root\\*\\OUTLOOK.EXE",
"?:\\Program Files\\Microsoft Office\\root\\*\\POWERPNT.EXE",
"?:\\Program Files\\Microsoft Office\\root\\*\\WINWORD.EXE",
"?:\\Program Files\\Mozilla Firefox\\firefox.exe",
"?:\\Program Files\\Rivet Networks\\SmartByte\\SmartByteNetworkService.exe",
"?:\\Windows\\explorer.exe",
"?:\\Windows\\System32\\DataExchangeHost.exe",
"?:\\Windows\\System32\\drivers\\Intel\\ICPS\\IntelConnectivityNetworkService.exe",
"?:\\Windows\\System32\\drivers\\RivetNetworks\\Killer\\KillerNetworkService.exe",
"?:\\Windows\\System32\\inetsrv\\w3wp.exe",
"?:\\Windows\\System32\\PickerHost.exe",
"?:\\Windows\\System32\\RuntimeBroker.exe",
"?:\\Windows\\System32\\SearchProtocolHost.exe",
"?:\\Windows\\System32\\sihost.exe",
"?:\\windows\\System32\\svchost.exe"
) and
file.extension :
(
"pdf",
"dll",
"png",
"exe",
"dat",
"com",