fix: remove ping filter

phantinuss · Jul 13, 2023 · a1672f8 · a1672f8
1 parent cede72a
commit a1672f8
Showing 1 changed file with 3 additions and 6 deletions.
diff --git a/rules/windows/create_remote_thread/create_remote_thread_win_uncommon_target_image.yml b/rules/windows/create_remote_thread/create_remote_thread_win_uncommon_target_image.yml
@@ -9,7 +9,7 @@ references:
     - https://blog.redbluepurple.io/offensive-research/bypassing-injection-detection
 author: Florian Roth (Nextron Systems)
 date: 2022/03/16
-modified: 2023/07/05
+modified: 2023/07/13
 tags:
     - attack.defense_evasion
     - attack.privilege_escalation
@@ -30,20 +30,17 @@ detection:
             - '\spoolsv.exe'
             - '\wordpad.exe'
             - '\write.exe'
-    filter_main_spoolsv:
+    filter_optional_spoolsv:
         SourceImage: 'C:\Windows\System32\csrss.exe'
         TargetImage: 'C:\Windows\System32\spoolsv.exe'
     filter_optional_aurora_1:
         StartFunction: 'EtwpNotificationThread'
     filter_optional_aurora_2:
         SourceImage|contains: 'unknown process'
-    filter_optional_csrss_ping:
-        SourceImage: 'C:\Windows\System32\csrss.exe'
-        TargetImage: 'C:\Windows\System32\ping.exe'
     filter_optional_winzip:
         SourceImage: 'C:\Program Files\WinZip\FAHWindow64.exe'
         TargetImage: 'C:\Windows\explorer.exe'
-    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
+    condition: selection and not 1 of filter_optional_*
 falsepositives:
     - Unknown
 level: high