Sigma Rule Update (2023-11-21 20:07:03) (#537)

Co-authored-by: hach1yon <[email protected]>
Yamato-Security · Nov 21, 2023 · af9aefa · af9aefa
1 parent 273462e
commit af9aefa
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 8 deletions.
diff --git a/.../threat-hunting/process_creation/proc_creation_win_susp_file_permission_modifications.yml b/.../threat-hunting/process_creation/proc_creation_win_susp_file_permission_modifications.yml
@@ -8,7 +8,7 @@ references:
     - https://github.com/swagkarna/Defeat-Defender-V1.2.0
 author: Jakob Weinzettl, oscd.community, Nasreddine Bencherchali (Nextron Systems)
 date: 2019/10/23
-modified: 2023/11/06
+modified: 2023/11/21
 tags:
     - attack.defense_evasion
     - attack.t1222.001
@@ -46,11 +46,11 @@ detection:
     filter_optional_vscode:
         CommandLine|contains:
             - \AppData\Local\Programs\Microsoft VS Code
-            - :\Program Files\Microsoft VS Code\
+            - :\Program Files\Microsoft VS Code
     filter_optional_avira:
         CommandLine|contains:
-            - :\Program Files (x86)\Avira\
-            - :\Program Files\Avira\
+            - :\Program Files (x86)\Avira
+            - :\Program Files\Avira
     condition: process_creation and (1 of selection_* and not 1 of filter_optional_*)
 falsepositives:
     - Users interacting with the files on their own (unlikely unless privileged users).

diff --git a/.../threat-hunting/process_creation/proc_creation_win_susp_file_permission_modifications.yml b/.../threat-hunting/process_creation/proc_creation_win_susp_file_permission_modifications.yml
@@ -8,7 +8,7 @@ references:
     - https://github.com/swagkarna/Defeat-Defender-V1.2.0
 author: Jakob Weinzettl, oscd.community, Nasreddine Bencherchali (Nextron Systems)
 date: 2019/10/23
-modified: 2023/11/06
+modified: 2023/11/21
 tags:
     - attack.defense_evasion
     - attack.t1222.001
@@ -47,11 +47,11 @@ detection:
     filter_optional_vscode:
         CommandLine|contains:
             - \AppData\Local\Programs\Microsoft VS Code
-            - :\Program Files\Microsoft VS Code\
+            - :\Program Files\Microsoft VS Code
     filter_optional_avira:
         CommandLine|contains:
-            - :\Program Files (x86)\Avira\
-            - :\Program Files\Avira\
+            - :\Program Files (x86)\Avira
+            - :\Program Files\Avira
     condition: process_creation and (1 of selection_* and not 1 of filter_optional_*)
 falsepositives:
     - Users interacting with the files on their own (unlikely unless privileged users).