From 5d1cf4b9de60859cdbd8801703a5a001ee5b8ab9 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Wed, 13 Nov 2024 23:21:16 +0100
Subject: [PATCH] Merge PR #5076 from @Neo23x0 - Fix `Suspicious SYSTEM User Process Creation`

fix: Suspicious SYSTEM User Process Creation - filter false positives with Google Updater uninstall script

---
 .../proc_creation_win_susp_system_user_anomaly.yml | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/rules/windows/process_creation/proc_creation_win_susp_system_user_anomaly.yml b/rules/windows/process_creation/proc_creation_win_susp_system_user_anomaly.yml
index 3996deda6cc..05427278224 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_system_user_anomaly.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_system_user_anomaly.yml
@@ -7,7 +7,7 @@ references:
     - https://tools.thehacker.recipes/mimikatz/modules
 author: Florian Roth (Nextron Systems), David ANDRE (additional keywords)
 date: 2021-12-20
-modified: 2024-07-22
+modified: 2024-11-11
 tags:
     - attack.credential-access
     - attack.defense-evasion
@@ -74,7 +74,10 @@ detection:
             - 'MiniDump' # Process dumping method apart from procdump
             - 'net user '
     filter_main_ping:
-        CommandLine|contains: 'ping 127.0.0.1 -n'
+        CommandLine|contains|all:
+            - 'ping'
+            - '127.0.0.1'
+            - ' -n '
     filter_vs:
         Image|endswith: '\PING.EXE'
         ParentCommandLine|contains: '\DismFoDInstall.cmd'
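Review bot: The broadened `filter_main_ping` exclusion now suppresses any SYSTEM-context process whose command line carries the three substrings anywhere and in any order, so a single command line that happens to contain `ping`, `127.0.0.1` and ` -n ` alongside one of the `selection` keywords is presumably no longer alerted on; since this block is an exclusion, every widening is a direct coverage loss. The bare `'ping'` token in particular also matches words such as `mapping` or `pinging`, which the old contiguous `'ping 127.0.0.1 -n'` did not. Consider keeping the token anchored, `- 'ping '`, and, if the false-positive process is ping itself, pairing the filter with `Image|endswith: '\PING.EXE'` as `filter_vs` does two lines below. A comment above the list naming the false positive the commit message cites, e.g. `# loosened for the Google Updater uninstall script (PR #5076)`, would record why the match was relaxed; the rule's `condition` that applies this filter is outside the hunk.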