Sigma Rule Update (2023-12-14 20:07:42) (#548)

Co-authored-by: hach1yon <[email protected]>
Yamato-Security · Dec 14, 2023 · 82e975e · 82e975e
1 parent c89c9ad
commit 82e975e
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 8 deletions.
diff --git a/sigma/builtin/process_creation/proc_creation_win_susp_system_user_anomaly.yml b/sigma/builtin/process_creation/proc_creation_win_susp_system_user_anomaly.yml
@@ -8,7 +8,7 @@ references:
     - https://tools.thehacker.recipes/mimikatz/modules
 author: Florian Roth (Nextron Systems), David ANDRE (additional keywords)
 date: 2021/12/20
-modified: 2023/01/19
+modified: 2023/12/14
 tags:
     - attack.credential_access
     - attack.defense_evasion
@@ -82,12 +82,16 @@ detection:
         ParentCommandLine|contains: \DismFoDInstall.cmd
         NewProcessName|endswith: \PING.EXE
     filter_config_mgr:
-        ParentProcessName|startswith: C:\Packages\Plugins\Microsoft.GuestConfiguration.ConfigurationforWindows\
+        ParentProcessName|contains: :\Packages\Plugins\Microsoft.GuestConfiguration.ConfigurationforWindows\
     filter_java:
         CommandLine|contains: ' -ma '
-        ParentProcessName|startswith: C:\Program Files (x86)\Java\
+        ParentProcessName|contains:
+            - :\Program Files (x86)\Java\
+            - :\Program Files\Java\
         ParentProcessName|endswith: \bin\javaws.exe
-        NewProcessName|startswith: C:\Program Files (x86)\Java\
+        NewProcessName|contains:
+            - :\Program Files (x86)\Java\
+            - :\Program Files\Java\
         NewProcessName|endswith: \bin\jp2launcher.exe
     condition: process_creation and (all of selection* and not 1 of filter_*)
 falsepositives:

diff --git a/sigma/sysmon/process_creation/proc_creation_win_susp_system_user_anomaly.yml b/sigma/sysmon/process_creation/proc_creation_win_susp_system_user_anomaly.yml
@@ -8,7 +8,7 @@ references:
     - https://tools.thehacker.recipes/mimikatz/modules
 author: Florian Roth (Nextron Systems), David ANDRE (additional keywords)
 date: 2021/12/20
-modified: 2023/01/19
+modified: 2023/12/14
 tags:
     - attack.credential_access
     - attack.defense_evasion
@@ -83,11 +83,15 @@ detection:
         Image|endswith: \PING.EXE
         ParentCommandLine|contains: \DismFoDInstall.cmd
     filter_config_mgr:
-        ParentImage|startswith: C:\Packages\Plugins\Microsoft.GuestConfiguration.ConfigurationforWindows\
+        ParentImage|contains: :\Packages\Plugins\Microsoft.GuestConfiguration.ConfigurationforWindows\
     filter_java:
-        ParentImage|startswith: C:\Program Files (x86)\Java\
+        ParentImage|contains:
+            - :\Program Files (x86)\Java\
+            - :\Program Files\Java\
         ParentImage|endswith: \bin\javaws.exe
-        Image|startswith: C:\Program Files (x86)\Java\
+        Image|contains:
+            - :\Program Files (x86)\Java\
+            - :\Program Files\Java\
         Image|endswith: \bin\jp2launcher.exe
         CommandLine|contains: ' -ma '
     condition: process_creation and (all of selection* and not 1 of filter_*)