From 27afa64a7c847ca13081362b79bcdab753f0508e Mon Sep 17 00:00:00 2001
From: Samirbous <64742097+Samirbous@users.noreply.github.com>
Date: Thu, 7 Nov 2024 13:56:53 +0000
Subject: [PATCH] Update credential_access_suspicious_lsass_access_generic.toml (#4188)

(cherry picked from commit d2dfd46b3ed54db79ae8debf98a403af4f332622)
---
 ...al_access_suspicious_lsass_access_generic.toml | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)

diff --git a/rules/windows/credential_access_suspicious_lsass_access_generic.toml b/rules/windows/credential_access_suspicious_lsass_access_generic.toml
index e71a3fc5dc1..3d128e0eda8 100644
--- a/rules/windows/credential_access_suspicious_lsass_access_generic.toml
+++ b/rules/windows/credential_access_suspicious_lsass_access_generic.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/01/22"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2024/10/15"
+updated_date = "2024/10/21"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
@@ -51,6 +51,7 @@ process where host.os.type == "windows" and event.code == "10" and
  "?:\\Windows\\LTSvc\\LTSVC.exe",
  "?:\\Windows\\Sysmon.exe",
  "?:\\Windows\\Sysmon64.exe",
+ "C:\\Windows\\CynetMS.exe",
  "?:\\Windows\\system32\\csrss.exe",
  "?:\\Windows\\System32\\lsm.exe",
  "?:\\Windows\\system32\\MRT.exe",
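Review bot: The new `"C:\\Windows\\CynetMS.exe"` entry in the @@ -51,6 +51,7 @@ hunk hard-codes the drive letter, while every neighbouring entry in this `process.executable` list uses the `?:` wildcard, so the exclusion silently does not apply on hosts where Windows lives on another drive; `"?:\\Windows\\CynetMS.exe",` matches the file's convention. The same fixed `C:` and `d:` drive letters appear on the paths added in the next hunk (@@ -58,7 +59,17 @@). Because these entries are suppressions in a credential-access rule, a path that fails to match only costs a false positive, whereas one that matches too broadly hides real LSASS access, so the inconsistency errs on the safe side but is still worth normalising. The enclosing `not process.executable : (` list opens and closes outside this hunk.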
@@ -58,7 +59,17 @@ process where host.os.type == "windows" and event.code == "10" and
  "?:\\Windows\\system32\\wbem\\wmiprvse.exe",
  "?:\\Windows\\system32\\wininit.exe",
  "?:\\Windows\\SystemTemp\\GUM*.tmp\\GoogleUpdate.exe",
- "?:\\Windows\\sysWOW64\\wbem\\wmiprvse.exe"
+ "?:\\Windows\\sysWOW64\\wbem\\wmiprvse.exe",
+ "C:\\oracle\\64\\02\\instantclient_19_13\\sqlplus.exe",
+ "C:\\oracle\\64\\02\\instantclient_19_13\\sqlldr.exe",
+ "d:\\oracle\\product\\19\\dbhome1\\bin\\ORACLE.EXE",
+ "C:\\wamp\\bin\\apache\\apache*\\bin\\httpd.exe",
+ "C:\\Windows\\system32\\netstat.exe",
+ "C:\\PROGRA~1\\INFORM~1\\apps\\jdk\\*\\jre\\bin\\java.exe",
+ "C:\\PROGRA~2\\CyberCNSAgentV2\\osqueryi.exe",
+ "C:\\Utilityw2k19\\packetbeat\\packetbeat.exe",
+ "C:\\ProgramData\\Cisco\\Cisco AnyConnect Secure Mobility Client\\Temp\\CloudUpdate\\vpndownloader.exe",
+ "C:\\ProgramData\\Cisco\\Cisco Secure Client\\Temp\\CloudUpdate\\vpndownloader.exe"
  ) and not winlog.event_data.CallTrace : ("*mpengine.dll*", "*appresolver.dll*", "*sysmain.dll*")
 '''
 
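Review bot: Several of the new exclusions point into locations that are not protected system directories — `C:\\oracle\\...`, `C:\\wamp\\...`, `C:\\Utilityw2k19\\packetbeat\\packetbeat.exe` and the two `Cisco ...\\Temp\\CloudUpdate\\vpndownloader.exe` paths — and they suppress the rule on `process.executable` alone, so any binary that ends up at one of those paths is also exempt from this LSASS-access detection. If the event source populates them, pairing these entries with the ECS code-signature fields (`process.code_signature.subject_name` / `process.code_signature.trusted`) would keep the suppression tied to the vendor binary rather than to a filename; failing that, a comment above the list recording why each site-specific path (`Utilityw2k19`, `oracle\\64\\02\\instantclient_19_13`) was added would let a maintainer judge when it can be retired. `"d:\\oracle\\product\\19\\dbhome1\\bin\\ORACLE.EXE"` is also the only entry with a lower-case drive letter; EQL string matching with `:` is case-insensitive as far as I recall, but writing it as `"?:\\oracle\\product\\19\\dbhome1\\bin\\ORACLE.EXE",` keeps the list uniform. The `not process.executable : (` clause that this list belongs to opens outside the hunk.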