From 2fc8d513d6bab5e194271a20e544b42f3d921878 Mon Sep 17 00:00:00 2001
From: neu5ron <>
Date: Tue, 19 May 2020 04:35:30 -0400
Subject: [PATCH] zeek, swap `path` and `name`
---
 rules/network/zeek/zeek_smb_converted_win_atsvc_task.yml | 4 ++--
 .../zeek/zeek_smb_converted_win_impacket_secretdump.yml | 4 ++--
 rules/network/zeek/zeek_smb_converted_win_lm_namedpipe.yml | 6 +++---
 rules/network/zeek/zeek_smb_converted_win_susp_psexec.yml | 4 ++--
 .../zeek_smb_converted_win_susp_raccess_sensitive_fext.yml | 2 +-
 ...onverted_win_transferring_files_with_credential_data.yml | 2 +-
 6 files changed, 11 insertions(+), 11 deletions(-)
diff --git a/rules/network/zeek/zeek_smb_converted_win_atsvc_task.yml b/rules/network/zeek/zeek_smb_converted_win_atsvc_task.yml
index 69ef0801..17a3704f 100644
--- a/rules/network/zeek/zeek_smb_converted_win_atsvc_task.yml
+++ b/rules/network/zeek/zeek_smb_converted_win_atsvc_task.yml
@@ -16,8 +16,8 @@ logsource:
 service: smb_files
 detection:
 selection:
- name: \\*\IPC$
- path: atsvc
+ path: \\*\IPC$
+ name: atsvc
 #Accesses: '*WriteData*'
 condition: selection
 falsepositives:
diff --git a/rules/network/zeek/zeek_smb_converted_win_impacket_secretdump.yml b/rules/network/zeek/zeek_smb_converted_win_impacket_secretdump.yml
index 35552f34..16e2f318 100644
--- a/rules/network/zeek/zeek_smb_converted_win_impacket_secretdump.yml
+++ b/rules/network/zeek/zeek_smb_converted_win_impacket_secretdump.yml
@@ -13,8 +13,8 @@ logsource:
 service: smb_files
 detection:
 selection:
- name: '\\*ADMIN$'
- path: '*SYSTEM32\\*.tmp'
+ path: '\\*ADMIN$'
+ name: '*SYSTEM32\\*.tmp'
 condition: selection
 falsepositives:
 - 'unknown'
diff --git a/rules/network/zeek/zeek_smb_converted_win_lm_namedpipe.yml b/rules/network/zeek/zeek_smb_converted_win_lm_namedpipe.yml
index 1b0b92b5..eecef7a9 100644
--- a/rules/network/zeek/zeek_smb_converted_win_lm_namedpipe.yml
+++ b/rules/network/zeek/zeek_smb_converted_win_lm_namedpipe.yml
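Review bot: The commented-out `#Accesses: '*WriteData*'` line left under `selection` in zeek_smb_converted_win_atsvc_task.yml is a leftover from the Windows event the rule was converted from and has no counterpart in Zeek's smb_files log, so after the field swap it only confuses readers into thinking an access-mask constraint still applies; either drop it or replace it with an explanatory comment such as `# Windows access mask (WriteData) is not available in Zeek smb_files; the converted rule is broader than the original`. The same hunk (and the lm_namedpipe and susp_psexec hunks below) writes the share pattern as a plain scalar, `path: \\*\IPC$`, while the impacket_secretdump hunk single-quotes the equivalent `'\\*ADMIN$'`; quoting consistently, `path: '\\*\IPC$'`, avoids any tooling treating the backslashes or `$` differently and keeps the six files uniform. The enclosing `detection` mapping continues outside the hunk.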
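Review bot: `name: '*SYSTEM32\\*.tmp'` in zeek_smb_converted_win_impacket_secretdump.yml silently depends on case-insensitive matching, which the Zeek side does not guarantee: Zeek writes `name` as the client sent it, and whether the target backend compares it case-insensitively varies, so an upper-case `SYSTEM32` could miss a `System32` path. A short comment above the line recording that assumption, or a pattern that does not depend on case, would make the rule portable across backends. Given `path` is the share and `name` the file within it, the swapped assignment itself reads correctly. The `detection` block continues outside the hunk.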
@@ -14,10 +14,10 @@ logsource:
 service: smb_files
 detection:
 selection1:
- name: \\*\IPC$
+ path: \\*\IPC$
 selection2:
- name: \\*\IPC$
- path:
+ path: \\*\IPC$
+ name:
 - 'atsvc'
 - 'samr'
 - 'lsarpc'
diff --git a/rules/network/zeek/zeek_smb_converted_win_susp_psexec.yml b/rules/network/zeek/zeek_smb_converted_win_susp_psexec.yml
index 2086a287..044d6f96 100644
--- a/rules/network/zeek/zeek_smb_converted_win_susp_psexec.yml
+++ b/rules/network/zeek/zeek_smb_converted_win_susp_psexec.yml
@@ -13,8 +13,8 @@ logsource:
 service: smb_files
 detection:
 selection1:
- name: \\*\IPC$
- path:
+ path: \\*\IPC$
+ name:
 - '*-stdin'
 - '*-stdout'
 - '*-stderr'
diff --git a/rules/network/zeek/zeek_smb_converted_win_susp_raccess_sensitive_fext.yml b/rules/network/zeek/zeek_smb_converted_win_susp_raccess_sensitive_fext.yml
index 95045f9d..fa7f41f0 100644
--- a/rules/network/zeek/zeek_smb_converted_win_susp_raccess_sensitive_fext.yml
+++ b/rules/network/zeek/zeek_smb_converted_win_susp_raccess_sensitive_fext.yml
@@ -11,7 +11,7 @@ logsource:
 service: smb_files
 detection:
 selection:
- path:
+ name:
 - '*.pst'
 - '*.ost'
 - '*.msg'
diff --git a/rules/network/zeek/zeek_smb_converted_win_transferring_files_with_credential_data.yml b/rules/network/zeek/zeek_smb_converted_win_transferring_files_with_credential_data.yml
index 7724e097..060189f4 100644
--- a/rules/network/zeek/zeek_smb_converted_win_transferring_files_with_credential_data.yml
+++ b/rules/network/zeek/zeek_smb_converted_win_transferring_files_with_credential_data.yml
@@ -13,7 +13,7 @@ logsource:
 service: smb_files
 detection:
 selection:
- path:
+ name:
 - '\mimidrv'
 - '\lsass'
 - '\windows\minidump\'
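Review bot: After the swap in zeek_smb_converted_win_lm_namedpipe.yml, `selection1` and `selection2` both constrain `path` to `\\*\IPC$`; if the `condition` (outside the hunk) is `selection1 and selection2`, `selection1` adds nothing and the rule would read more clearly with the share match kept once in `selection2` and `selection1` removed, or with `selection1` left to carry only what differs. If the condition instead uses `selection1` on its own, a comment on it explaining why a bare IPC$ match is wanted would save the next maintainer the same question. The `detection` mapping and its `condition` lie outside the hunk, so this is inferred.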
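Review bot: In zeek_smb_converted_win_transferring_files_with_credential_data.yml the renamed `name:` list holds values with no wildcards and no modifier (`'\mimidrv'`, `'\lsass'`, `'\windows\minidump\'`), so they only fire on a file name exactly equal to those strings; the neighbouring raccess_sensitive_fext hunk uses `'*.pst'`-style wildcards for the same field, which is the expected shape. Since Zeek's `name` presumably carries the path relative to the share, these entries look like they were meant as substring matches and should be `name|contains:` (or each value wrapped as `'*\lsass*'`). The list continues past the hunk, so check the remaining entries for the same issue.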