valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-07 17:58:52 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
e94c47e74e
SigmaHQ/rules/windows/process_creation/win_renamed_paexec.yml

36 lines
1.1 KiB
YAML
Raw Normal View History

Added UUIDs to rules
2019-11-12 22:12:27 +00:00
title: Execution of Renamed PaExec
id: 7b0666ad-3e38-4e3d-9bab-78b06de85f7b
added rules for renamed wscript, cscript and paexec. Added two directories to the existing sysmon_susp_prog_location_network_connection rule. These additions are all fin7 related.
2019-04-08 12:07:30 +00:00
status: experimental
Added UUIDs to rules
2019-11-12 22:12:27 +00:00
description: Detects execution of renamed paexec via imphash and executable product string
added rules for renamed wscript, cscript and paexec. Added two directories to the existing sysmon_susp_prog_location_network_connection rule. These additions are all fin7 related.
2019-04-08 12:07:30 +00:00
references:
Added UUIDs to rules
2019-11-12 22:12:27 +00:00
- sha256=01a461ad68d11b5b5096f45eb54df9ba62c5af413fa9eb544eacb598373a26bc
added rules for renamed wscript, cscript and paexec. Added two directories to the existing sysmon_susp_prog_location_network_connection rule. These additions are all fin7 related.
2019-04-08 12:07:30 +00:00
- https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf
tags:
- attack.defense_evasion
att&ck tags review: windows/process_creation part 5 added missing ATT&CK v6.3 IDs with comments and removed unnecessary "modified" attributes
2020-09-06 21:19:41 +00:00
- attack.t1036 # an old one
- attack.t1036.003
added rules for renamed wscript, cscript and paexec. Added two directories to the existing sysmon_susp_prog_location_network_connection rule. These additions are all fin7 related.
2019-04-08 12:07:30 +00:00
- FIN7
First Pass
2019-06-14 04:15:38 +00:00
- car.2013-05-009
Modifications
2019-04-17 21:29:29 +00:00
date: 2019/04/17
att&ck tags review: windows/process_creation part 5 added missing ATT&CK v6.3 IDs with comments and removed unnecessary "modified" attributes
2020-09-06 21:19:41 +00:00
modified: 2020/09/06
added rules for renamed wscript, cscript and paexec. Added two directories to the existing sysmon_susp_prog_location_network_connection rule. These additions are all fin7 related.
2019-04-08 12:07:30 +00:00
author: Jason Lynch
falsepositives:
Modifications
2019-04-17 21:29:29 +00:00
- Unknown imphashes
added rules for renamed wscript, cscript and paexec. Added two directories to the existing sysmon_susp_prog_location_network_connection rule. These additions are all fin7 related.
2019-04-08 12:07:30 +00:00
level: medium
logsource:
category: process_creation
product: windows
detection:
selection1:
Product:
- '*PAExec*'
selection2:
Imphash:
Modifications
2019-04-17 21:29:29 +00:00
- 11D40A7B7876288F919AB819CC2D9802
- 6444f8a34e99b8f7d9647de66aabe516
- dfd6aa3f7b2b1035b76b718f1ddc689f
- 1a6cca4d5460b1710a12dea39e4a592c
added rules for renamed wscript, cscript and paexec. Added two directories to the existing sysmon_susp_prog_location_network_connection rule. These additions are all fin7 related.
2019-04-08 12:07:30 +00:00
filter1:
Image: '*paexec*'
Modifications
2019-04-17 21:29:29 +00:00
condition: (selection1 and selection2) and not filter1
Reference in New Issue Copy Permalink