Deduplication

rules/windows/process_creation/win_whoami_as_system.yml

@@ -1,24 +0,0 @@
-title: Run whoami as SYSTEM
-id: 80167ada-7a12-41ed-b8e9-aa47195c66a1
-status: experimental
-description: Detects a whoami.exe executed by LOCAL SYSTEM. This may be a sign of a successful local privilege escalation.
-references:
-    - https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment
-author: Teymur Kheirkhabarov
-date: 2019/10/23
-modified: 2019/11/11
-tags:
-    - attack.discovery
-    - attack.privilege_escalation
-    - attack.t1033
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection:
-        User: 'NT AUTHORITY\SYSTEM'
-        Image|endswith: '\whoami.exe'
-    condition: selection
-falsepositives:
-    - Unknown
-level: high

rules/windows/sysmon/sysmon_alternate_powershell_hosts_pipe.yml

@@ -27,4 +27,4 @@ fields:
     - PipeName
 falsepositives:
     - Programs using PowerShell directly without invocation of a dedicated interpreter.
-level: high
+level: medium

rules/windows/sysmon/sysmon_powershell_execution_pipe.yml

@@ -1,30 +0,0 @@
-title: PowerShell Execution
-id: d32b53ce-2a41-4db0-a42a-fb574d819d97
-description: Detects execution of PowerShell
-status: experimental
-date: 2019/09/12
-modified: 2019/11/10
-author: Roberto Rodriguez @Cyb3rWard0g
-references:
-    - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/basic_powershell_execution.md
-tags:
-    - attack.execution
-    - attack.t1086
-logsource:
-    product: windows
-    service: sysmon
-detection:
-    selection: 
-        EventID: 17
-        PipeName|startswith: '\PSHost'
-    filter:
-        Image|endswith: '*\\powershell.exe'
-    condition: selection and not filter
-fields:
-    - ComputerName
-    - Image
-    - ProcessID
-    - PipeName
-falsepositives:
-    - Unknown
-level: medium