BIOC-Jetico_signed.bioc

4a90391096331de93d95205e3aa00f7f
[{"rule_id":502,"global_rule_id":"NO_ID","mssp_global_rule_id":null,"insert_time":1638350268266,"modify_time":1638353935456,"severity":"SEV_040_HIGH","source":"frank.bussink@scrt.ch","comment":"Created by F. Bussink SCRT","status":"ENABLED","category":"EXECUTION","indicator":{"runOnCGO":true,"investigationType":"PROCESS_EXECUTION_EVENT","investigation":{"PROCESS_EXECUTION_EVENT":{"filter":{"AND":[{"SEARCH_FIELD":"agent_os_type","SEARCH_TYPE":"NEQ","SEARCH_VALUE":4,"EXTRA_FIELDS":[],"isExtended":false,"node":"xdr_agent"},{"SEARCH_FIELD":"action_process_signature_status","SEARCH_TYPE":"COMPLEX_EQ","SEARCH_VALUE":"{\"COLLECTION_TYPE\": \"SIGNATURE_STATUS\", \"COLLECTION_VALUE\": \"SIGNATURE_SIGNED\"}","EXTRA_FIELDS":[],"isExtended":false},{"SEARCH_FIELD":"action_process_signature_vendor","SEARCH_TYPE":"REGEX","SEARCH_VALUE":"Jetico.*","EXTRA_FIELDS":[],"isExtended":false}]}}}},"indicator_md5":"ca1b0c73d6ed6af725f54b8f6165913f","indicator_text":"Process action type = execution AND process execution signature = Signed AND process execution signer =~ Jetico.* Host host os != linux","name":"SCRT JETICO Signed binary","mitre_technique_id_and_name":"","mitre_tactic_id_and_name":"","mitre_tactic_id":"","mitre_technique_id":"","btp_rule":{"AGENT_OS_WINDOWS":{"signatureConfiguration":{"default":{"settings":{"action":"block","friendlyName":"SCRT JETICO Signed binary","tactic_id":[],"technique_id":[],"biocRuleName":"SCRT JETICO Signed binary","biocId":502,"additionalData":"{}"}}},"rule_data":"(deftemplate process_start_502 (slot cid)) (defrule process_start_502 (process_start (is_sign ?is_sign) (cid ?cid) (signer_name ?signer_name &: (and (eq ?is_sign ?*signature_state_signed*) (regex (lowcase ?signer_name) \"jetico.*\" 0)))) (not (process_start_502 (cid ?cid))) => (assert (process_start_502 (cid ?cid))))"}},"btp_rule_name":"process_start_502","is_preventable":1,"supported_os":1,"btp_validation_error":"WINDOWS_SUPPORT_ONLY","xql":null,"is_xql":false,"query_tables":null}]