Updates

SigmaHQ · Oct 4, 2022 · 2ecf9ec · 2ecf9ec
1 parent 48cb483
commit 2ecf9ec
Show file tree

Hide file tree

Showing 3 changed files with 12 additions and 10 deletions.
diff --git a/rules/windows/file_event/file_event_win_powershell_exploit_scripts.yml b/rules/windows/file_event/file_event_win_powershell_exploit_scripts.yml
@@ -15,7 +15,7 @@ references:
     - https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1
     - https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1
 date: 2018/04/07
-modified: 2022/06/22
+modified: 2022/10/04
 logsource:
     category: file_event
     product: windows
@@ -207,6 +207,7 @@ detection:
             - '\Invoke-Zerologon.ps1'
             - '\Get-USBKeystrokes.ps1'
             - '\Start-WebcamRecorder.ps1'
+            - '\PSAsyncShell.ps1'
     condition: selection
 falsepositives:
     - Unknown

diff --git a/rules/windows/network_connection/net_connection_win_certutil.yml b/rules/windows/network_connection/net_connection_win_certutil.yml
@@ -6,24 +6,23 @@ author: frack113, Florian Roth
 references:
     - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil
 date: 2022/09/02
+modified: 2022/10/04
 tags:
     - attack.command_and_control
     - attack.t1105
 logsource:
     category: network_connection
     product: windows
 detection:
-    selection_certutil:
-        - Image|endswith: '\certutil.exe'
-        - OriginalFilename: 'CertUtil.exe'
-    selection_network:
+    selection:
+        Image|endswith: '\certutil.exe'
         Initiated: 'true'
         DestinationPort:
             - 80
             - 443
             - 135
             - 445
-    condition: all of selection*
+    condition: selection
 falsepositives:
     - Legitimate certutil network connection
 level: high
diff --git a/...indows/process_creation/proc_creation_win_lolbin_syncappvpublishingserver_execute_psh.yml b/...indows/process_creation/proc_creation_win_lolbin_syncappvpublishingserver_execute_psh.yml
@@ -6,7 +6,7 @@ related:
 status: experimental
 author: frack113
 date: 2021/07/12
-modified: 2021/09/12
+modified: 2022/10/04
 description: Executes arbitrary PowerShell code using SyncAppvPublishingServer.exe.
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md
@@ -18,10 +18,12 @@ logsource:
     category: process_creation
     product: windows
 detection:
-    selection:
-        Image|endswith: '\SyncAppvPublishingServer.exe'
+    selection_img:
+        - Image|endswith: '\SyncAppvPublishingServer.exe'
+        - OriginalFileName: 'syncappvpublishingserver.exe'
+    selection_cli:
         CommandLine|contains: '"n; '
-    condition: selection
+    condition: all of selection_*
 fields:
     - ComputerName
     - User