diff --git a/detections/endpoint/windows_raw_access_to_master_boot_record_drive.yml b/detections/endpoint/windows_raw_access_to_master_boot_record_drive.yml
index b39af95943..e9dcfe8fc7 100644
--- a/detections/endpoint/windows_raw_access_to_master_boot_record_drive.yml
+++ b/detections/endpoint/windows_raw_access_to_master_boot_record_drive.yml
@@ -14,7 +14,7 @@ data_source:
 - Sysmon Event ID 9
 search: '`sysmon` EventCode=9 Device = \\Device\\Harddisk0\\DR0 NOT (Image IN("*\\Windows\\System32\\*", "*\\Windows\\SysWOW64\\*")) | stats count min(_time) as firstTime max(_time) as
-  lastTime by dest Image Device ProcessGuid ProcessId EventDescription EventCode
+  lastTime by Computer Image Device ProcessGuid ProcessId EventDescription EventCode | rename Computer as dest
   | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_raw_access_to_master_boot_record_drive_filter`'
 how_to_implement: To successfully implement this search, you need to be ingesting
@@ -41,7 +41,7 @@ tags:
   asset_type: Endpoint
   confidence: 100
   impact: 90
-  message: process accessing MBR $device$ on $dest$
+  message: process accessing MBR $Device$ on $dest$
   mitre_attack_id:
   - T1561.002
   - T1561
diff --git a/detections/endpoint/windows_root_domain_linked_policies_discovery.yml b/detections/endpoint/windows_root_domain_linked_policies_discovery.yml
index a1126b491e..e637e6c149 100644
--- a/detections/endpoint/windows_root_domain_linked_policies_discovery.yml
+++ b/detections/endpoint/windows_root_domain_linked_policies_discovery.yml
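Review bot: The reworked search line in the first hunk still matches only `Device = \\Device\\Harddisk0\\DR0`, so raw access to the boot sector of any other physical disk (a second drive, or a system whose boot disk is not enumerated as Harddisk0) is never evaluated, even though the new `by Computer ... | rename Computer as dest` clause and the corrected `$Device$` token in the second hunk would render such hits correctly. If the intent is to cover every physical drive rather than only the first, a wildcard such as `Device="\\Device\\Harddisk*\\DR*"` on the same line would do it; if Harddisk0 is deliberate, a short note in `how_to_implement` (the hunk cuts it off) saying so would save the next reader from the same question. The `NOT (Image IN(...System32..., ...SysWOW64...))` exclusion is unchanged here and is worth keeping in mind when reading the new field names, since a process launched from those paths is dropped before the stats regardless of Computer/dest.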
@@ -13,7 +13,7 @@ data_source:
 - Powershell 4104
 search: '`powershell` EventCode=4104 ScriptBlockText = "*[adsisearcher]*" ScriptBlockText = "*.SearchRooT*" ScriptBlockText = "*.gplink*" | stats count min(_time) as firstTime
-  max(_time) as lastTime by EventCode ScriptBlockText Computer user_id |
+  max(_time) as lastTime by EventCode ScriptBlockText Computer user_id | rename Computer as dest, user_id as user |
   `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`