valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-07 01:45:21 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

zeek, swap path and name

Browse Source
This commit is contained in:
neu5ron 2020-05-19 04:35:30 -04:00
parent 4446c4cd4e
commit 2fc8d513d6
6 changed files with 11 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
rules/network/zeek/zeek_smb_converted_win_atsvc_task.yml
View File

@ -16,8 +16,8 @@ logsource:
service: smb_files
detection:
selection:
name: \\*\IPC$
path: atsvc
path: \\*\IPC$
name: atsvc
#Accesses: '*WriteData*'
condition: selection
falsepositives:

4
rules/network/zeek/zeek_smb_converted_win_impacket_secretdump.yml
View File

@ -13,8 +13,8 @@ logsource:
service: smb_files
detection:
selection:
name: '\\*ADMIN$'
path: '*SYSTEM32\\*.tmp'
path: '\\*ADMIN$'
name: '*SYSTEM32\\*.tmp'
condition: selection
falsepositives:
- 'unknown'

6
rules/network/zeek/zeek_smb_converted_win_lm_namedpipe.yml
View File

@ -14,10 +14,10 @@ logsource:
service: smb_files
detection:
selection1:
name: \\*\IPC$
path: \\*\IPC$
selection2:
name: \\*\IPC$
path:
path: \\*\IPC$
name:
- 'atsvc'
- 'samr'
- 'lsarpc'

4
rules/network/zeek/zeek_smb_converted_win_susp_psexec.yml
View File

@ -13,8 +13,8 @@ logsource:
service: smb_files
detection:
selection1:
name: \\*\IPC$
path:
path: \\*\IPC$
name:
- '*-stdin'
- '*-stdout'
- '*-stderr'

2
rules/network/zeek/zeek_smb_converted_win_susp_raccess_sensitive_fext.yml
View File

@ -11,7 +11,7 @@ logsource:
service: smb_files
detection:
selection:
path:
name:
- '*.pst'
- '*.ost'
- '*.msg'

2
rules/network/zeek/zeek_smb_converted_win_transferring_files_with_credential_data.yml
View File

@ -13,7 +13,7 @@ logsource:
service: smb_files
detection:
selection:
path:
name:
- '\mimidrv'
- '\lsass'
- '\windows\minidump\'