Several mistakes were fixed

2024-11-08 02:08:54 +00:00 · 2019-10-28 08:43:58 +03:00 · 2019-10-28 08:43:58 +03:00 · 32b0a3987e
commit 32b0a3987e
parent 3125b39239
2 changed files with 8 additions and 4 deletions
--- a/rules/windows/builtin/win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml
+++ b/rules/windows/builtin/win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml
@ -21,10 +21,12 @@ detection:
            - '*cmd*'
            - '*COMSPEC*'
    getsystem_technique_1:
-        ServiceFileName: '*/c echo * > \\.\pipe\*'      #%COMSPEC% /c echo 559891bb017 > \\.\pipe\5e120a
+        ServiceFileName: '*cmd* /c echo * > \\.\pipe\*'      #cmd.exe /c echo 559891bb017 > \\.\pipe\5e120a    cmd /c echo 559891bb017 > \\.\pipe\5e120a
+    getsystem_cobaltstrike_technique_1:
+        ServiceFileName: '%COMSPEC% /c echo * > \\.\pipe\*'      #%COMSPEC% /c echo 559891bb017 > \\.\pipe\5e120a
    getsystem_technique_2:
        ServiceFileName: '*rundll32*.dll,a /p:*'        #rundll32.exe C:\Users\test\AppData\Local\Temp\tmexsn.dll,a /p:tmexsn
-    condition: service_installation_event and ((cmd_or_comspec and getsystem_technique_1) or getsystem_technique_2)
+    condition: service_installation_event and (getsystem_technique_1 or getsystem_cobaltstrike_technique_1 or getsystem_technique_2)
 fields:
    - ServiceFileName
 falsepositives:
--- a/rules/windows/process_creation/win_meterpreter_or_cobaltstrike_getsystem_service_start.yml
+++ b/rules/windows/process_creation/win_meterpreter_or_cobaltstrike_getsystem_service_start.yml
@ -19,10 +19,12 @@ detection:
            - '*cmd*'
            - '*COMSPEC*'
    getsystem_technique_1:
-        CommandLine: '*/c echo * > \\.\pipe\*'      #%COMSPEC% /c echo 559891bb017 > \\.\pipe\5e120a
+        CommandLine: '*cmd* /c echo * > \\.\pipe\*'      #cmd.exe /c echo 559891bb017 > \\.\pipe\5e120a    cmd /c echo 559891bb017 > \\.\pipe\5e120a
+    getsystem_cobaltstrike_technique_1:
+        CommandLine: '%COMSPEC% /c echo * > \\.\pipe\*'      #%COMSPEC% /c echo 559891bb017 > \\.\pipe\5e120a
    getsystem_technique_2:
        CommandLine: '*rundll32*.dll,a /p:*'        #rundll32.exe C:\Users\test\AppData\Local\Temp\tmexsn.dll,a /p:tmexsn
-    condition: service_start and ((cmd_or_comspec and getsystem_technique_1) or getsystem_technique_2)
+    condition: service_start and (getsystem_technique_1 or getsystem_cobaltstrike_technique_1 or getsystem_technique_2)
 falsepositives:
    - Penetration Test
    - Unknown