fix: delete duplicate rules

2024-11-06 09:25:17 +00:00 · 2020-05-11 10:55:02 +02:00 · 2020-05-11 10:55:02 +02:00 · 1104044f53
commit 1104044f53
parent 2b18b66c16
3 changed files with 0 additions and 74 deletions
--- a/rules/proxy/proxy_implant_teardown.yml
+++ b/rules/proxy/proxy_implant_teardown.yml
@ -1,20 +0,0 @@
-title: Teardown Implant URL Pattern
-status: experimental
-description: Detects URL pattern used by Teardown Implant
-references:
-    - https://googleprojectzero.blogspot.com/2019/08/implant-teardown.html
-author: Florian Roth
-date: 2019/08/30
-logsource:
-    category: proxy
-detection:
-    selection:
-        c-uri-query: '*/list/suc?name=*'
-    condition: selection
-fields:
-    - ClientIP
-    - URL
-    - UserAgent
-falsepositives:
-    - Unknown
-level: critical
--- a/rules/windows/process_creation/win_susp_msbuild_folder.yml
+++ b/rules/windows/process_creation/win_susp_msbuild_folder.yml
@ -1,23 +0,0 @@
-title: Suspicious Csc.exe Source File Folder 
-description: Detects a suspicious execution of csc.exe, which uses a source in a suspicious folder (e.g. AppData)
-status: experimental
-references:
-    - https://blog.talosintelligence.com/2019/08/china-chopper-still-active-9-years-later.html
-author: Florian Roth
-date: 2019/08/24
-tags:
-    - attack.defense_evasion
-    - attack.t1500
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection:
-        Image: '*\MSBuild.exe'
-        CommandLine: 
-          - '*\AppData\*'
-          - '*\Windows\Temp\*'
-    condition: selection
-falsepositives:
-    - Unkown
-level: high
--- a/rules/windows/sysmon/sysmon_reg_debugger_backdoor.yml
+++ b/rules/windows/sysmon/sysmon_reg_debugger_backdoor.yml
@ -1,31 +0,0 @@
-title: Suspicious Debugger Registration Registry
-status: experimental
-description: Detects the registration of a debugger for a program that is available in the logon screen (sticky key backdoor)
-references: 
-    - https://blogs.technet.microsoft.com/jonathantrull/2016/10/03/detecting-sticky-key-backdoors/
-tags:
-    - attack.persistence
-    - attack.privilege_escalation
-    - attack.t1015
-author: Florian Roth
-date: 2019/09/06
-logsource:
-    product: windows
-    service: sysmon
-detection:
-    selection:
-        EventID:
-            - 12
-            - 13
-        TargetObject: 
-            - '*\CurrentVersion\Image File Execution Options\sethc.exe*'
-            - '*\CurrentVersion\Image File Execution Options\utilman.exe*'
-            - '*\CurrentVersion\Image File Execution Options\osk.exe*'
-            - '*\CurrentVersion\Image File Execution Options\magnify.exe*'
-            - '*\CurrentVersion\Image File Execution Options\narrator.exe*'
-            - '*\CurrentVersion\Image File Execution Options\displayswitch.exe*'
-    condition: selection
-falsepositives:
-    - Penetration Tests
-level: high
-