replace equalsfield use with fieldref

Yamato-Security · Nov 25, 2024 · d27d96e · d27d96e
1 parent 17df737
commit d27d96e
Show file tree

Hide file tree

Showing 3 changed files with 6 additions and 6 deletions.
diff --git a/.../LogonLogoff/Logon/Sec_4624_Med_Logon-Type9-NewInteractive_PossibleTokenImpersonation.yml b/.../LogonLogoff/Logon/Sec_4624_Med_Logon-Type9-NewInteractive_PossibleTokenImpersonation.yml
@@ -1,6 +1,6 @@
 author: Zach Mathis
 date: 2022/04/18
-modified: 2022/12/16
+modified: 2024/11/25
 
 title: Possible Token Impersonation
 description: Tries to detect token impersonation by tools like Cobalt Strike.
@@ -18,7 +18,7 @@ detection:
     selection_TokenImpersonationCharacteristics:
         LogonType: 9        # New Interactive
         ImpersonationLevel|contains: 1833 # It is actually %%1833 for Impersonation level of "Impersonation".
-        SubjectUserName|equalsfield: TargetUserName
+        SubjectUserName|fieldref: TargetUserName
     condition: selection_basic and selection_TokenImpersonationCharacteristics
 falsepositives:
     - normal system usage

diff --git a/hayabusa/sysmon/Sysmon_1_Low_ExeFileRenamed.yml b/hayabusa/sysmon/Sysmon_1_Low_ExeFileRenamed.yml
@@ -1,6 +1,6 @@
 author: Zach Mathis
 date: 2022/12/23
-modified: 2023/11/09
+modified: 2023/11/25
 
 title: 'Renamed Exe File'
 description: 'This is to detect when an .exe file was renamed. Attackers will often rename malware and lolbas tools in order not to be detected. %OriginalFileName% is the original filename in the PE header when the .exe was compiled.'
@@ -18,7 +18,7 @@ detection:
         EventID: 1
         OriginalFileName|endswith: '.exe'
     FileNameAndOriginalNameAreSame:
-        Image|endswithfield: OriginalFileName
+        Image|fieldref|endswith: OriginalFileName
     FilterUnknown:
         - OriginalFileName: '\?'
         - OriginalFileName: '-'

diff --git a/hayabusa/sysmon/Sysmon_1_ProcExec_High_LOLBAS-Rename.yml b/hayabusa/sysmon/Sysmon_1_ProcExec_High_LOLBAS-Rename.yml
@@ -1,6 +1,6 @@
 author: Zach Mathis
 date: 2022/04/17
-modified: 2024/10/03
+modified: 2024/11/25
 
 title: 'LOLBAS Renamed'
 description: This is to detect when a LOLBAS (default Windows binary or script) was renamed in order to hide its execution. OringalFileName is the original filename in the PE header. From my tests, false positives should be low so I rated this as high.
@@ -136,7 +136,7 @@ detection:
         - OriginalFileName|endswith: 'xcopy.exe'
         - OriginalFileName|endswith: 'RoboCopy.exe'
     filter_OriginalFilenameAndProcessNameIsSame:
-        Image|endswithfield: OriginalFileName
+        Image|fieldref|endswith: OriginalFileName
     condition: selection_basic and selection_OriginalFilenameIsLOLBIN and not filter_OriginalFilenameAndProcessNameIsSame
 falsepositives:
 tags: