Added Sigma Rules
This commit is contained in:
Tanaka Zakku
@@ -0,0 +1,27 @@
|
||||
title: Direct Syscall of NtOpenProcess
|
||||
author: Christian Burkard
|
||||
date: 2021/07/28
|
||||
description: Detects the usage of the direct syscall of NtOpenProcess which might
|
||||
be done from a CobaltStrike BOF.
|
||||
detection:
|
||||
SELECTION_1:
|
||||
EventID: 10
|
||||
SELECTION_2:
|
||||
CallTrace: UNKNOWN*
|
||||
condition: (SELECTION_1 and SELECTION_2)
|
||||
falsepositives:
|
||||
- unknown
|
||||
id: 3f3f3506-1895-401b-9cc3-e86b16e630d0
|
||||
level: critical
|
||||
logsource:
|
||||
category: process_access
|
||||
product: windows
|
||||
references:
|
||||
- https://medium.com/falconforce/falconfriday-direct-system-calls-and-cobalt-strike-bofs-0xff14-741fa8e1bdd6
|
||||
status: experimental
|
||||
tags:
|
||||
- attack.execution
|
||||
- attack.t1106
|
||||
yml_filename: sysmon_direct_syscall_ntopenprocess.yml
|
||||
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_access
|
||||
|
||||
Reference in New Issue
Block a user