split global win_software_discovery.yml

2024-11-06 17:35:19 +00:00 · 2021-09-21 13:28:47 +02:00 · 2021-09-21 13:28:47 +02:00 · 6368a88ad3
commit 6368a88ad3
parent 332bed7906
2 changed files with 37 additions and 21 deletions
--- a/rules/windows/builtin/win_software_discovery.yml
+++ b/rules/windows/builtin/win_software_discovery.yml
@ -1,22 +1,16 @@
-action: global
 title: Detected Windows Software Discovery
+id: 2650dd1a-eb2a-412d-ac36-83f06c4f2282
 description: Adversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable.
 status: experimental
 author: Nikita Nazarov, oscd.community
 date: 2020/10/16
+modified: 2021/09/21
 references:
    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518/T1518.md
    - https://github.com/harleyQu1nn/AggressorScripts #AVQuery.cna
 tags:
    - attack.discovery
    - attack.t1518
-level: medium
-falsepositives:
-    - Legitimate administration activities
-detection:
-    condition: 1 of them
---
-id: 2650dd1a-eb2a-412d-ac36-83f06c4f2282
 logsource:
    product: windows
    service: powershell
@ -29,16 +23,7 @@ detection:
          - '\software\'
          - 'select-object'
          - 'format-table'
---
-id: e13f668e-7f95-443d-98d2-1816a7648a7b
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection:
-        Image|endswith: '\reg.exe'    # Example: reg query "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer" /v svcVersion
-        CommandLine|contains|all:
-            - 'query'
-            - '\software\'
-            - '/v'
-            - 'svcversion'
+    condition: selection
+level: medium
+falsepositives:
+    - Legitimate administration activities
--- a/rules/windows/process_creation/process_creation_software_discovery.yml
+++ b/rules/windows/process_creation/process_creation_software_discovery.yml
@ -0,0 +1,31 @@
+title: Detected Windows Software Discovery
+id: e13f668e-7f95-443d-98d2-1816a7648a7b
+related:
+    - id: 2650dd1a-eb2a-412d-ac36-83f06c4f2282
+      type: derived
+description: Adversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable.
+status: experimental
+author: Nikita Nazarov, oscd.community
+date: 2020/10/16
+modified: 2021/09/21
+references:
+    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518/T1518.md
+    - https://github.com/harleyQu1nn/AggressorScripts #AVQuery.cna
+tags:
+    - attack.discovery
+    - attack.t1518
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        Image|endswith: '\reg.exe'    # Example: reg query "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer" /v svcVersion
+        CommandLine|contains|all:
+            - 'query'
+            - '\software\'
+            - '/v'
+            - 'svcversion'
+    condition: selection
+level: medium
+falsepositives:
+    - Legitimate administration activities