From d27d96e4bd1b18b7af9d65543055990b9ac8bc0c Mon Sep 17 00:00:00 2001
From: Yamato Security <71482215+YamatoSecurity@users.noreply.github.com>
Date: Mon, 25 Nov 2024 19:51:17 +0900
Subject: [PATCH] replace equalsfield use with fieldref

---
 ..._Logon-Type9-NewInteractive_PossibleTokenImpersonation.yml | 4 ++--
 hayabusa/sysmon/Sysmon_1_Low_ExeFileRenamed.yml | 4 ++--
 hayabusa/sysmon/Sysmon_1_ProcExec_High_LOLBAS-Rename.yml | 4 ++--
 3 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/hayabusa/builtin/Security/LogonLogoff/Logon/Sec_4624_Med_Logon-Type9-NewInteractive_PossibleTokenImpersonation.yml b/hayabusa/builtin/Security/LogonLogoff/Logon/Sec_4624_Med_Logon-Type9-NewInteractive_PossibleTokenImpersonation.yml
index c8513d236..b659757e1 100644
--- a/hayabusa/builtin/Security/LogonLogoff/Logon/Sec_4624_Med_Logon-Type9-NewInteractive_PossibleTokenImpersonation.yml
+++ b/hayabusa/builtin/Security/LogonLogoff/Logon/Sec_4624_Med_Logon-Type9-NewInteractive_PossibleTokenImpersonation.yml
@@ -1,6 +1,6 @@
 author: Zach Mathis
 date: 2022/04/18
-modified: 2022/12/16
+modified: 2024/11/25
 title: Possible Token Impersonation
 description: Tries to detect token impersonation by tools like Cobalt Strike.
@@ -18,7 +18,7 @@ detection:
 selection_TokenImpersonationCharacteristics:
 LogonType: 9 # New Interactive
 ImpersonationLevel|contains: 1833 # It is actually %%1833 for Impersonation level of "Impersonation".
-SubjectUserName|equalsfield: TargetUserName
+SubjectUserName|fieldref: TargetUserName
 condition: selection_basic and selection_TokenImpersonationCharacteristics
 falsepositives:
 - normal system usage
diff --git a/hayabusa/sysmon/Sysmon_1_Low_ExeFileRenamed.yml b/hayabusa/sysmon/Sysmon_1_Low_ExeFileRenamed.yml
index 6937fd448..f37708b30 100644
--- a/hayabusa/sysmon/Sysmon_1_Low_ExeFileRenamed.yml
+++ b/hayabusa/sysmon/Sysmon_1_Low_ExeFileRenamed.yml
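Review bot: The inline comment on the context line `LogonType: 9 # New Interactive` mislabels the logon type: in Windows 4624 semantics type 9 is NewCredentials (a caller cloned its token and supplied new credentials for outbound connections, e.g. `runas /netonly` or Cobalt Strike's make_token), which is exactly the behaviour this rule targets, while "Interactive" is type 2. Suggest `LogonType: 9 # NewCredentials (runas /netonly, make_token), not Interactive` and, ideally, correcting the `Type9-NewInteractive` fragment of the file name in a follow-up. It is also worth confirming whether the engine's fieldref comparison is case-insensitive, since Windows account names are case-insensitive and SubjectUserName and TargetUserName in 4624 can differ in case; if it is case-sensitive the new `SubjectUserName|fieldref: TargetUserName` would miss those events. The enclosing detection block starts before this hunk.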
@@ -1,6 +1,6 @@
 author: Zach Mathis
 date: 2022/12/23
-modified: 2023/11/09
+modified: 2023/11/25
 title: 'Renamed Exe File'
 description: 'This is to detect when an .exe file was renamed. Attackers will often rename malware and lolbas tools in order not to be detected. %OriginalFileName% is the original filename in the PE header when the .exe was compiled.'
@@ -18,7 +18,7 @@ detection:
 EventID: 1
 OriginalFileName|endswith: '.exe'
 FileNameAndOriginalNameAreSame:
-Image|endswithfield: OriginalFileName
+Image|fieldref|endswith: OriginalFileName
 FilterUnknown:
 - OriginalFileName: '\?'
 - OriginalFileName: '-'
diff --git a/hayabusa/sysmon/Sysmon_1_ProcExec_High_LOLBAS-Rename.yml b/hayabusa/sysmon/Sysmon_1_ProcExec_High_LOLBAS-Rename.yml
index 256115e12..17e19bdba 100644
--- a/hayabusa/sysmon/Sysmon_1_ProcExec_High_LOLBAS-Rename.yml
+++ b/hayabusa/sysmon/Sysmon_1_ProcExec_High_LOLBAS-Rename.yml
@@ -1,6 +1,6 @@
 author: Zach Mathis
 date: 2022/04/17
-modified: 2024/10/03
+modified: 2024/11/25
 title: 'LOLBAS Renamed'
 description: This is to detect when a LOLBAS (default Windows binary or script) was renamed in order to hide its execution. OringalFileName is the original filename in the PE header. From my tests, false positives should be low so I rated this as high.
@@ -136,7 +136,7 @@ detection:
 - OriginalFileName|endswith: 'xcopy.exe'
 - OriginalFileName|endswith: 'RoboCopy.exe'
 filter_OriginalFilenameAndProcessNameIsSame:
-Image|endswithfield: OriginalFileName
+Image|fieldref|endswith: OriginalFileName
 condition: selection_basic and selection_OriginalFilenameIsLOLBIN and not filter_OriginalFilenameAndProcessNameIsSame
 falsepositives:
 tags:
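Review bot: The new `+modified: 2023/11/25` line in Sysmon_1_Low_ExeFileRenamed.yml sets the wrong year: the patch is dated 25 Nov 2024 and the other two rules in this commit are bumped to `2024/11/25`, so this should read `modified: 2024/11/25`. As written the stamp claims the rule was last touched in 2023, which misrepresents its history to anyone auditing when the fieldref migration landed.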
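Review bot: `Image|fieldref|endswith: OriginalFileName` under `FileNameAndOriginalNameAreSame` treats any Image whose tail merely ends with the original name as unrenamed, so `C:\tmp\xnotepad.exe` with OriginalFileName `notepad.exe` is classed as "same" and suppressed; an attacker only needs to keep the original name as a suffix of the new one to evade the rule. The intent is a basename comparison, i.e. a match on `\` followed by OriginalFileName; if the engine's fieldref modifiers cannot express that prefix, the gap should at least be documented next to the line, e.g. `# fieldref|endswith is a plain suffix match: a renamed binary whose name still ends with OriginalFileName (xnotepad.exe) is not flagged`. The selection's condition is outside this hunk, so its role as a negated filter is inferred from its name and from the sibling LOLBAS rule.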
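Review bot: The new `Image|fieldref|endswith: OriginalFileName` filter in Sysmon_1_ProcExec_High_LOLBAS-Rename.yml may compare case-sensitively values that are not: the same hunk matches `OriginalFileName|endswith: 'RoboCopy.exe'` (the PE version-resource casing), whereas the on-disk path Sysmon records in Image is typically `...\Robocopy.exe`, so if Hayabusa's fieldref comparison is case-sensitive every legitimate robocopy run escapes the filter and fires this high-severity rule. Worth confirming the engine's fieldref case handling and, if it is case-sensitive, recording it beside the filter with `# NOTE: fieldref compares case-sensitively; Image path casing can differ from the PE OriginalFileName`. The suffix-only match also lets a binary whose name merely ends with the original name (`C:\tmp\myxcopy.exe` for `xcopy.exe`) satisfy the filter and go undetected. The selection list above this hunk starts outside it.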