From 96572cdc9b5acd99a273b63c810753d99c85be50 Mon Sep 17 00:00:00 2001
From: pyth0n1c
Date: Tue, 30 Jul 2024 16:10:27 -0700
Subject: [PATCH] Remove some more extra fields from new ymls
---
.../windows_admon_default_group_policy_object_modified.yml | 1 -
.../endpoint/windows_admon_group_policy_object_created.yml | 1 -
.../windows_esx_admins_group_creation_security_event.yml | 1 -
.../endpoint/windows_esx_admins_group_creation_via_net.yml | 1 -
.../windows_esx_admins_group_creation_via_powershell.yml | 1 -
.../endpoint/windows_outlook_webview_registry_modification.yml | 1 -
detections/endpoint/windows_privileged_group_modification.yml | 3 +--
7 files changed, 1 insertion(+), 8 deletions(-)
diff --git a/detections/endpoint/windows_admon_default_group_policy_object_modified.yml b/detections/endpoint/windows_admon_default_group_policy_object_modified.yml
index a7d737f541..5cf1f5a316 100644
--- a/detections/endpoint/windows_admon_default_group_policy_object_modified.yml
+++ b/detections/endpoint/windows_admon_default_group_policy_object_modified.yml
@@ -58,7 +58,6 @@ tags: - displayName - gPCFileSysPath - dcName - risk_score: 50 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/windows_admon_group_policy_object_created.yml b/detections/endpoint/windows_admon_group_policy_object_created.yml
index c09e970738..f49f41caea 100644
--- a/detections/endpoint/windows_admon_group_policy_object_created.yml
+++ b/detections/endpoint/windows_admon_group_policy_object_created.yml
@@ -56,7 +56,6 @@ tags: - displayName - gPCFileSysPath - dcName - risk_score: 50 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/windows_esx_admins_group_creation_security_event.yml b/detections/endpoint/windows_esx_admins_group_creation_security_event.yml
index 631c86f244..34d1a4677f 100644
--- a/detections/endpoint/windows_esx_admins_group_creation_security_event.yml
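Review bot: Removing `risk_score: 50` from `tags` only leaves this detection's risk-based-alerting contribution unchanged if the tooling now derives the same value from fields outside the hunk (presumably `impact` and `confidence`), so the derived score for the default-GPO-modified detection should be checked to still come out at 50 rather than silently shifting. The subject line implies the key is now rejected as an extra field, so dropping it is correct; the risk is only that a score drift at this point goes unnoticed because nothing in the yml asserts the value. A comment such as `# risk_score is derived by the build tooling; do not set it in tags` on the tags block would keep the field from being reintroduced in the next hand-written yml. The `tags` block begins before the hunk.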
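Review bot: The `risk_score: 50` removal here mirrors windows_admon_default_group_policy_object_modified.yml in this same patch, and both files keep identical `required_fields` (`displayName`, `gPCFileSysPath`, `dcName`), so whatever now supplies the score should be checked for both at once: a newly created GPO and a modified default GPO were scored the same before this commit, and any divergence afterwards is more likely an artifact of differing `impact`/`confidence` values outside the hunk than a decision. If they are meant to differ — a modified default domain policy arguably carries more impact than a fresh GPO — that reasoning belongs in the detection's description rather than being left implicit in two numbers. The `tags` block starts before the hunk.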
+++ b/detections/endpoint/windows_esx_admins_group_creation_security_event.yml
@@ -59,7 +59,6 @@ tags: - SubjectUserName - SubjectDomainName - Computer - risk_score: 25 security_domain: endpoint cve: - CVE-2024-37085
diff --git a/detections/endpoint/windows_esx_admins_group_creation_via_net.yml b/detections/endpoint/windows_esx_admins_group_creation_via_net.yml
index 17a42c082d..bc36efeb16 100644
--- a/detections/endpoint/windows_esx_admins_group_creation_via_net.yml
+++ b/detections/endpoint/windows_esx_admins_group_creation_via_net.yml
@@ -59,7 +59,6 @@ tags: - Processes.process - Processes.process_id - Processes.original_file_name - risk_score: 56 security_domain: endpoint cve: - CVE-2024-37085
diff --git a/detections/endpoint/windows_esx_admins_group_creation_via_powershell.yml b/detections/endpoint/windows_esx_admins_group_creation_via_powershell.yml
index 04869a9d40..dd74a21ced 100644
--- a/detections/endpoint/windows_esx_admins_group_creation_via_powershell.yml
+++ b/detections/endpoint/windows_esx_admins_group_creation_via_powershell.yml
@@ -52,7 +52,6 @@ tags: - ScriptBlockText - Computer - UserID - risk_score: 56 security_domain: endpoint tests: - name: True Positive Test
diff --git a/detections/endpoint/windows_outlook_webview_registry_modification.yml b/detections/endpoint/windows_outlook_webview_registry_modification.yml
index c60975a5c7..2d9a39add9 100644
--- a/detections/endpoint/windows_outlook_webview_registry_modification.yml
+++ b/detections/endpoint/windows_outlook_webview_registry_modification.yml
@@ -54,7 +54,6 @@ tags: - Registry.registry_path - Registry.registry_value_name - Registry.registry_value_data - risk_score: 100 security_domain: endpoint cve: [] tests:
diff --git a/detections/endpoint/windows_privileged_group_modification.yml b/detections/endpoint/windows_privileged_group_modification.yml
index d9505bdb38..804fafd128 100644
--- a/detections/endpoint/windows_privileged_group_modification.yml
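Review bot: The removed `risk_score: 25` is the lowest in this patch even though the detection is tied to `CVE-2024-37085`, the ESXi AD-integration bypass driven by an `ESX Admins` group, while the via_net and via_powershell siblings for the same technique scored 56; if the score is now derived from `impact`/`confidence` outside the hunk, confirm that 25 is intentional for this Security-event variant (judging by the `SubjectUserName`/`SubjectDomainName`/`Computer` required fields) and not a draft placeholder, because at 25 a single group-creation event is unlikely to cross a notable threshold on its own. This variant works from domain-controller Security logs and does not depend on endpoint process or script-block telemetry, so parity with the siblings' 56 looks like the safer default. The `tags` block starts before the hunk.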
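Review bot: After `risk_score: 56` is dropped, this detection and windows_esx_admins_group_creation_via_powershell.yml — which loses the same value in this patch — should still derive identical scores, since both cover creation of the `ESX Admins` group for `CVE-2024-37085` and differ only in telemetry; worth a check of the `impact`/`confidence` pair outside this hunk. Keeping `Processes.original_file_name` in `required_fields` is the right call for a net.exe-based detection because it survives a renamed binary, but the field list starts before the hunk so I cannot tell whether `Processes.process_name` is required alongside it. The `tags` block starts before the hunk.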
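Review bot: With `risk_score: 56` gone, the derived score for this detection should be confirmed to still match the via_net sibling (same 56, same technique) once it comes from fields outside the hunk. Separately, the `ScriptBlockText`/`UserID`/`Computer` required fields mean the search only fires where PowerShell Script Block Logging (Microsoft-Windows-PowerShell/Operational event 4104) is enabled; if the detection's implementation notes outside this hunk do not already say so, add a sentence like "Requires Script Block Logging (event 4104); without it this search returns nothing", because a tenant without 4104 gets silence rather than a lower-scored hit. The `tags` block starts before the hunk.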
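Review bot: The removed `risk_score: 100` was the maximum, so if the tooling now derives the score from `impact`/`confidence` outside the hunk, confirm both are still at 100 — otherwise this registry-modification detection quietly drops from "every hit is notable" to a partial contributor and nothing in the hunk would reveal it. Conversely, if 100 was a draft value, a write to an Outlook WebView registry key is a known persistence location but not by itself proof of compromise, and `cve: []` confirms there is no specific vulnerability anchoring the severity, so a deliberately lower score is defensible as long as it is a decision rather than a side effect of this cleanup. The `tags` block starts before the hunk.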
+++ b/detections/endpoint/windows_privileged_group_modification.yml
@@ -3,7 +3,7 @@ id: b8cbef2c-2cc3-4550-b0fc-9715b7852df9 version: 1 date: '2024-07-30' author: Brandon Sternfield, Optiv + ClearShark -data_sources: +data_source: - Windows Event Log Security 4727 - Windows Event Log Security 4731 - Windows Event Log Security 4744
@@ -79,7 +79,6 @@ tags: - result - status - _time - risk_score: 80 security_domain: endpoint cve: - CVE-2024-37085
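Review bot: The rename to `data_source:` brings the key to the singular form the loader presumably validates (none of the other files in this patch show theirs, so this is inferred from the commit's "extra fields" theme); the point to check is the list under it, which runs past the end of the hunk. The three IDs visible — 4727, 4731 and 4744 — are group-creation events (security-enabled global, security-enabled local, security-disabled local), whereas a "privileged group modification" detection lives or dies on the member-added events 4728, 4732 and 4756; if the continuation outside the hunk does not list them, the title promises more than the data source delivers and that gap should be closed or the title narrowed to "group creation". `date: '2024-07-30'` is correctly quoted so it stays a string rather than parsing as a date.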
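Review bot: Dropping `risk_score: 80` carries the same caveat as the other six files — the score must now come from fields outside the hunk, presumably `impact`/`confidence`, and 80 should be reconfirmed — but this file also keeps `cve: - CVE-2024-37085`, which is specific to the `ESX Admins` group, on what the filename describes as a generic privileged-group-modification rule. If the CVE tag is meant to cover the ESX Admins case it duplicates the three dedicated esx_admins detections in this patch; if it is a copy-paste leftover it will mislead triage on every unrelated privileged-group change, so either narrow the detection or drop the tag (`cve: []` is the form the outlook detection in this patch uses for "none"). The `tags` block starts before the hunk.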