From f7394d09e00f8ceeec418c8495a2f345abe1ccd0 Mon Sep 17 00:00:00 2001
From: Thomas Patzke
Date: Mon, 3 Feb 2020 22:41:55 +0100
Subject: [PATCH] Deduplication

---
 .../process_creation/win_whoami_as_system.yml | 24 ---------------
 ...sysmon_alternate_powershell_hosts_pipe.yml | 2 +-
 .../sysmon_powershell_execution_pipe.yml | 30 -------------------
 3 files changed, 1 insertion(+), 55 deletions(-)
 delete mode 100644 rules/windows/process_creation/win_whoami_as_system.yml
 delete mode 100644 rules/windows/sysmon/sysmon_powershell_execution_pipe.yml

diff --git a/rules/windows/process_creation/win_whoami_as_system.yml b/rules/windows/process_creation/win_whoami_as_system.yml
deleted file mode 100644
index 65e6ad64..00000000
--- a/rules/windows/process_creation/win_whoami_as_system.yml
+++ /dev/null
@@ -1,24 +0,0 @@
-title: Run whoami as SYSTEM
-id: 80167ada-7a12-41ed-b8e9-aa47195c66a1
-status: experimental
-description: Detects a whoami.exe executed by LOCAL SYSTEM. This may be a sign of a successful local privilege escalation.
-references:
- - https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment
-author: Teymur Kheirkhabarov
-date: 2019/10/23
-modified: 2019/11/11
-tags:
- - attack.discovery
- - attack.privilege_escalation
- - attack.t1033
-logsource:
- category: process_creation
- product: windows
-detection:
- selection:
- User: 'NT AUTHORITY\SYSTEM'
- Image|endswith: '\whoami.exe'
- condition: selection
-falsepositives:
- - Unknown
-level: high
diff --git a/rules/windows/sysmon/sysmon_alternate_powershell_hosts_pipe.yml b/rules/windows/sysmon/sysmon_alternate_powershell_hosts_pipe.yml
index 58baa892..b96fcf27 100644
--- a/rules/windows/sysmon/sysmon_alternate_powershell_hosts_pipe.yml
+++ b/rules/windows/sysmon/sysmon_alternate_powershell_hosts_pipe.yml
@@ -27,4 +27,4 @@ fields:
 - PipeName
 falsepositives:
 - Programs using PowerShell directly without invocation of a dedicated interpreter.
-level: high
+level: medium
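Review bot: The severity drop to `medium` on the last line of the sysmon_alternate_powershell_hosts_pipe.yml hunk is not accompanied by a change to the rule's `modified` date, which lives at the top of the file outside this hunk; if the rule carries that field (the two deleted rules in this patch do), it should be bumped to `modified: 2020/02/03` so downstream consumers that track rule changes by that field pick up the new level. The commit title `Deduplication` also does not explain why this rule's level changes, so a sentence in the commit message stating that this rule now stands in for the deleted `medium`-level sysmon_powershell_execution_pipe.yml would make the downgrade traceable; I am inferring that relationship from the diffstat, not from anything visible in the hunk.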
diff --git a/rules/windows/sysmon/sysmon_powershell_execution_pipe.yml b/rules/windows/sysmon/sysmon_powershell_execution_pipe.yml
deleted file mode 100644
index d41b96f5..00000000
--- a/rules/windows/sysmon/sysmon_powershell_execution_pipe.yml
+++ /dev/null
@@ -1,30 +0,0 @@
-title: PowerShell Execution
-id: d32b53ce-2a41-4db0-a42a-fb574d819d97
-description: Detects execution of PowerShell
-status: experimental
-date: 2019/09/12
-modified: 2019/11/10
-author: Roberto Rodriguez @Cyb3rWard0g
-references:
- - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/basic_powershell_execution.md
-tags:
- - attack.execution
- - attack.t1086
-logsource:
- product: windows
- service: sysmon
-detection:
- selection:
- EventID: 17
- PipeName|startswith: '\PSHost'
- filter:
- Image|endswith: '*\\powershell.exe'
- condition: selection and not filter
-fields:
- - ComputerName
- - Image
- - ProcessID
- - PipeName
-falsepositives:
- - Unknown
-level: medium