valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-07 09:48:58 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Add netsh to renamed binary rule

Browse Source
This commit is contained in:
Andreas Hunkeler 2020-04-20 17:12:25 +02:00 committed by GitHub
parent 514bd8657b
commit 7d437c2969
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 3 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
rules/windows/process_creation/win_renamed_binary.yml
View File

@ -2,7 +2,7 @@ title: Renamed Binary
id: 36480ae1-a1cb-4eaa-a0d6-29801d7e9142
status: experimental
description: Detects the execution of a renamed binary often used by attackers or malware leveraging new Sysmon OriginalFileName datapoint.
author: Matthew Green - @mgreen27, Ecco, James Pemberton / @4A616D6573, oscd.community (improvements)
author: Matthew Green - @mgreen27, Ecco, James Pemberton / @4A616D6573, oscd.community (improvements), Andreas Hunkeler (@Karneades)
date: 2019/06/15
modified: 2019/11/11
references:
@ -37,6 +37,7 @@ detection:
- 'wevtutil.exe'
- 'net.exe'
- 'net1.exe'
- 'netsh.exe'
filter:
Image|endswith:
- '\cmd.exe'
@ -58,6 +59,7 @@ detection:
- '\wevtutil.exe'
- '\net.exe'
- '\net1.exe'
- '\netsh.exe'
condition: selection and not filter
falsepositives:
- Custom applications use renamed binaries adding slight change to binary name. Typically this is easy to spot and add to whitelist