Update doc

JerryLinLinLin · Sep 7, 2022 · 63037a0 · 63037a0
1 parent 5ab0291
commit 63037a0
Show file tree

Hide file tree

Showing 10 changed files with 147 additions and 212 deletions.
diff --git a/rules/README.md b/rules/README.md
@@ -34,11 +34,7 @@
 	* [Suspicious.PowerShell.B](#suspiciouspowershellb)
 	* [Suspicious.PowerShell.C](#suspiciouspowershellc)
 * [Suspicious.RunFromSusPath](#suspiciousrunfromsuspath)
-	* [Suspicious.RunFromSusPath.A](#suspiciousrunfromsuspatha)
-	* [Suspicious.RunFromSusPath.B](#suspiciousrunfromsuspathb)
-	* [Suspicious.RunFromSusPath.C](#suspiciousrunfromsuspathc)
-	* [Suspicious.RunFromSusPath.D](#suspiciousrunfromsuspathd)
-	* [Suspicious.RunFromSusPath.E](#suspiciousrunfromsuspathe)
+	* [Telemetry.RunFromSusPath.E](#telemetryrunfromsuspathe)
 * [Suspicious.ScriptHost](#suspiciousscripthost)
 	* [Suspicious.ScriptHost.A](#suspiciousscripthosta)
 	* [Suspicious.ScriptHost.B](#suspiciousscripthostb)
@@ -60,6 +56,12 @@
 	* [Telemetry.PowerShell.C](#telemetrypowershellc)
 * [Telemetry.ReadBrowserData](#telemetryreadbrowserdata)
 	* [Telemetry.ReadBrowserData.A](#telemetryreadbrowserdataa)
+* [Telemetry.RunFromSusPath](#telemetryrunfromsuspath)
+	* [Suspicious.RunFromSusPath.A](#suspiciousrunfromsuspatha)
+	* [Suspicious.RunFromSusPath.B](#suspiciousrunfromsuspathb)
+	* [Suspicious.RunFromSusPath.C](#suspiciousrunfromsuspathc)
+	* [Suspicious.RunFromSusPath.D](#suspiciousrunfromsuspathd)
+	* [Suspicious.RunFromSusPath.E](#suspiciousrunfromsuspathe)
 * [Telemetry.TerminalServer](#telemetryterminalserver)
 	* [Telemetry.TerminalServer.A](#telemetryterminalservera)
 * [Template](#template)
@@ -224,22 +226,22 @@
 
 ## Suspicious.NetDebugger.A
 
-状态：未启用
+状态：启用
 
 行为描述：源程序`*`做出以下操作时，提示用户处理
 - 对路径为`*\SOFTWARE*Microsoft\.NETFramework\DbgManagedDebugge*`的注册表进行**创建、写入**操作
 
-***rule.json hash: 04ca56b228447f507b7f8e4bc012dfee5c97828c916b7513db6b61c24d14ed14***
+***rule.json hash: 69a78ae8fed5bc9bcbb68eae9c549fcf9ac68e5aaeb26a2a0639866dbaf5d8d6***
 # Suspicious.NetWinAppXRT
 
 ## Suspicious.NetWinAppXRT.A
 
-状态：未启用
+状态：启用
 
 行为描述：源程序`*`做出以下操作时，提示用户处理
 - 对路径为`*\WinAppXRT.dll`的文件进行**创建、写入**操作
 
-***rule.json hash: e929a5393844223a858a2db1aec518991e2d30f560a952a4066a5f69352cdf47***
+***rule.json hash: f4ad1d9a4fc9506d43c0e802b323c39414a8599d5241095efeba91abffb9d1ea***
 # Suspicious.PowerShell
 
 ## Suspicious.PowerShell.A
@@ -268,53 +270,14 @@
 ***rule.json hash: 8407b3ae9312f1ebc1145986020e3ff3cd72543e98e6ded29b064a7ccf875ea8***
 # Suspicious.RunFromSusPath
 
-## Suspicious.RunFromSusPath.A
-
-状态：启用
-
-行为描述：源程序`*`做出以下操作时，提示用户处理
-- 对路径为`*\Users\*\AppData\Roaming\>`的程序进行**执行**操作
-- 对路径为`*\Users\*\AppData\>`的程序进行**执行**操作
-- 对路径为`*\Users\>\>`的程序进行**执行**操作
-- 对路径为`*\ProgramData\>`的程序进行**执行**操作
-- 对路径为`*\Program Files\>`的程序进行**执行**操作
-- 对路径为`*\Program Files (x86)\>`的程序进行**执行**操作
-- 对路径为`*\Users\*\AppData\Local\>`的程序进行**执行**操作
-- 对路径为`*\Users\>\Documents\>`的程序进行**执行**操作
-- 对路径为`*\Users\>\Documents\>\>`的程序进行**执行**操作
-- 对路径为`*\Users\Public\>.bat`的文件进行**读取**操作
-
-## Suspicious.RunFromSusPath.B
-
-状态：启用
-
-行为描述：源程序`*`做出以下操作时，提示用户处理
-- 对路径为`*\Recycler\*`的程序进行**执行**操作
-- 对路径为`*\$RECYCLE.BIN\*`的程序进行**执行**操作
-- 对路径为`*\System Volume Information\*`的程序进行**执行**操作
-
-## Suspicious.RunFromSusPath.C
+## Telemetry.RunFromSusPath.E
 
 状态：未启用
 
 行为描述：源程序`*`做出以下操作时，提示用户处理
-- 对路径为`*\ProgramData\>\>.exe`的程序进行**执行**操作
-
-## Suspicious.RunFromSusPath.D
-
-状态：启用
-
-行为描述：源程序`*\Windows\Sys?????\>`做出以下操作时，提示用户处理
 - 对路径为`*\Users\*\AppData\Roaming\>\>.exe`的程序进行**执行**操作
-
-## Suspicious.RunFromSusPath.E
 
-状态：未启用
-
-行为描述：源程序`*`做出以下操作时，提示用户处理
-- 对路径为`*\Users\*\AppData\Roaming\>\>.exe`的程序进行**执行**操作
-
-***rule.json hash: 08f7e3dc7ada40ee0b6cce1ef341404eb3de0be6da37d852a0549a1c049944c2***
+***rule.json hash: ae7bf2ac35fb32eee6f78358c21c58b8e16d1e3204d61c29e3504a940ca0b6a1***
 # Suspicious.ScriptHost
 
 ## Suspicious.ScriptHost.A
@@ -434,6 +397,55 @@
 - 对路径为`*\Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*`的文件进行**读取**操作
 
 ***rule.json hash: 04c8f6e13bbfc0027141f86bf678a2573bfd46326051c1753b2930bfdc2d1d7a***
+# Telemetry.RunFromSusPath
+
+## Suspicious.RunFromSusPath.A
+
+状态：启用
+
+行为描述：源程序`*`做出以下操作时，提示用户处理
+- 对路径为`*\Users\*\AppData\Roaming\>`的程序进行**执行**操作
+- 对路径为`*\Users\*\AppData\>`的程序进行**执行**操作
+- 对路径为`*\Users\>\>`的程序进行**执行**操作
+- 对路径为`*\ProgramData\>`的程序进行**执行**操作
+- 对路径为`*\Program Files\>`的程序进行**执行**操作
+- 对路径为`*\Program Files (x86)\>`的程序进行**执行**操作
+- 对路径为`*\Users\*\AppData\Local\>`的程序进行**执行**操作
+- 对路径为`*\Users\>\Documents\>`的程序进行**执行**操作
+- 对路径为`*\Users\>\Documents\>\>`的程序进行**执行**操作
+- 对路径为`*\Users\Public\>.bat`的文件进行**读取**操作
+
+## Suspicious.RunFromSusPath.B
+
+状态：启用
+
+行为描述：源程序`*`做出以下操作时，提示用户处理
+- 对路径为`*\Recycler\*`的程序进行**执行**操作
+- 对路径为`*\$RECYCLE.BIN\*`的程序进行**执行**操作
+- 对路径为`*\System Volume Information\*`的程序进行**执行**操作
+
+## Suspicious.RunFromSusPath.C
+
+状态：未启用
+
+行为描述：源程序`*`做出以下操作时，提示用户处理
+- 对路径为`*\ProgramData\>\>.exe`的程序进行**执行**操作
+
+## Suspicious.RunFromSusPath.D
+
+状态：启用
+
+行为描述：源程序`*\Windows\Sys?????\>`做出以下操作时，提示用户处理
+- 对路径为`*\Users\*\AppData\Roaming\>\>.exe`的程序进行**执行**操作
+
+## Suspicious.RunFromSusPath.E
+
+状态：未启用
+
+行为描述：源程序`*`做出以下操作时，提示用户处理
+- 对路径为`*\Users\*\AppData\Roaming\>\>.exe`的程序进行**执行**操作
+
+***rule.json hash: 08f7e3dc7ada40ee0b6cce1ef341404eb3de0be6da37d852a0549a1c049944c2***
 # Telemetry.TerminalServer
 
 ## Telemetry.TerminalServer.A

diff --git a/rules/README_en_us.md b/rules/README_en_us.md
@@ -34,11 +34,7 @@ Contents
 	* [Suspicious.PowerShell.B](#suspiciouspowershellb)
 	* [Suspicious.PowerShell.C](#suspiciouspowershellc)
 * [Suspicious.RunFromSusPath](#suspiciousrunfromsuspath)
-	* [Suspicious.RunFromSusPath.A](#suspiciousrunfromsuspatha)
-	* [Suspicious.RunFromSusPath.B](#suspiciousrunfromsuspathb)
-	* [Suspicious.RunFromSusPath.C](#suspiciousrunfromsuspathc)
-	* [Suspicious.RunFromSusPath.D](#suspiciousrunfromsuspathd)
-	* [Suspicious.RunFromSusPath.E](#suspiciousrunfromsuspathe)
+	* [Telemetry.RunFromSusPath.E](#telemetryrunfromsuspathe)
 * [Suspicious.ScriptHost](#suspiciousscripthost)
 	* [Suspicious.ScriptHost.A](#suspiciousscripthosta)
 	* [Suspicious.ScriptHost.B](#suspiciousscripthostb)
@@ -60,6 +56,12 @@ Contents
 	* [Telemetry.PowerShell.C](#telemetrypowershellc)
 * [Telemetry.ReadBrowserData](#telemetryreadbrowserdata)
 	* [Telemetry.ReadBrowserData.A](#telemetryreadbrowserdataa)
+* [Telemetry.RunFromSusPath](#telemetryrunfromsuspath)
+	* [Suspicious.RunFromSusPath.A](#suspiciousrunfromsuspatha)
+	* [Suspicious.RunFromSusPath.B](#suspiciousrunfromsuspathb)
+	* [Suspicious.RunFromSusPath.C](#suspiciousrunfromsuspathc)
+	* [Suspicious.RunFromSusPath.D](#suspiciousrunfromsuspathd)
+	* [Suspicious.RunFromSusPath.E](#suspiciousrunfromsuspathe)
 * [Telemetry.TerminalServer](#telemetryterminalserver)
 	* [Telemetry.TerminalServer.A](#telemetryterminalservera)
 * [Template](#template)
@@ -238,24 +240,24 @@ When the source process`*\cmd.exe`initializes the following actions, HIPS module
 
 ## Suspicious.NetDebugger.A
 
-Status: Disabled
+Status: Enabled
 
 Behavioral Description:   
 When the source process`*`initializes the following actions, HIPS module should let the user decide them.
 - `Create, Write` the registry under the path `*\SOFTWARE*Microsoft\.NETFramework\DbgManagedDebugge*`
 
-***rule.json hash: 04ca56b228447f507b7f8e4bc012dfee5c97828c916b7513db6b61c24d14ed14***
+***rule.json hash: 69a78ae8fed5bc9bcbb68eae9c549fcf9ac68e5aaeb26a2a0639866dbaf5d8d6***
 # Suspicious.NetWinAppXRT
 
 ## Suspicious.NetWinAppXRT.A
 
-Status: Disabled
+Status: Enabled
 
 Behavioral Description:   
 When the source process`*`initializes the following actions, HIPS module should let the user decide them.
 - `Create, Write` the file under the path `*\WinAppXRT.dll`
 
-***rule.json hash: e929a5393844223a858a2db1aec518991e2d30f560a952a4066a5f69352cdf47***
+***rule.json hash: f4ad1d9a4fc9506d43c0e802b323c39414a8599d5241095efeba91abffb9d1ea***
 # Suspicious.PowerShell
 
 ## Suspicious.PowerShell.A
@@ -287,58 +289,15 @@ When the source process`*`initializes the following actions, HIPS module should
 ***rule.json hash: 8407b3ae9312f1ebc1145986020e3ff3cd72543e98e6ded29b064a7ccf875ea8***
 # Suspicious.RunFromSusPath
 
-## Suspicious.RunFromSusPath.A
-
-Status: Enabled
-
-Behavioral Description:   
-When the source process`*`initializes the following actions, HIPS module should let the user decide them.
-- `Execute` the program under the path `*\Users\*\AppData\Roaming\>`
-- `Execute` the program under the path `*\Users\*\AppData\>`
-- `Execute` the program under the path `*\Users\>\>`
-- `Execute` the program under the path `*\ProgramData\>`
-- `Execute` the program under the path `*\Program Files\>`
-- `Execute` the program under the path `*\Program Files (x86)\>`
-- `Execute` the program under the path `*\Users\*\AppData\Local\>`
-- `Execute` the program under the path `*\Users\>\Documents\>`
-- `Execute` the program under the path `*\Users\>\Documents\>\>`
-- `Read` the file under the path `*\Users\Public\>.bat`
-
-## Suspicious.RunFromSusPath.B
-
-Status: Enabled
-
-Behavioral Description:   
-When the source process`*`initializes the following actions, HIPS module should let the user decide them.
-- `Execute` the program under the path `*\Recycler\*`
-- `Execute` the program under the path `*\$RECYCLE.BIN\*`
-- `Execute` the program under the path `*\System Volume Information\*`
-
-## Suspicious.RunFromSusPath.C
-
-Status: Disabled
-
-Behavioral Description:   
-When the source process`*`initializes the following actions, HIPS module should let the user decide them.
-- `Execute` the program under the path `*\ProgramData\>\>.exe`
-
-## Suspicious.RunFromSusPath.D
-
-Status: Enabled
-
-Behavioral Description:   
-When the source process`*\Windows\Sys?????\>`initializes the following actions, HIPS module should let the user decide them.
-- `Execute` the program under the path `*\Users\*\AppData\Roaming\>\>.exe`
-
-## Suspicious.RunFromSusPath.E
+## Telemetry.RunFromSusPath.E
 
 Status: Disabled
 
 Behavioral Description:   
 When the source process`*`initializes the following actions, HIPS module should let the user decide them.
 - `Execute` the program under the path `*\Users\*\AppData\Roaming\>\>.exe`
 
-***rule.json hash: 08f7e3dc7ada40ee0b6cce1ef341404eb3de0be6da37d852a0549a1c049944c2***
+***rule.json hash: ae7bf2ac35fb32eee6f78358c21c58b8e16d1e3204d61c29e3504a940ca0b6a1***
 # Suspicious.ScriptHost
 
 ## Suspicious.ScriptHost.A
@@ -470,6 +429,60 @@ When the source process`*`initializes the following actions, HIPS module should
 - `Read` the file under the path `*\Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*`
 
 ***rule.json hash: 04c8f6e13bbfc0027141f86bf678a2573bfd46326051c1753b2930bfdc2d1d7a***
+# Telemetry.RunFromSusPath
+
+## Suspicious.RunFromSusPath.A
+
+Status: Enabled
+
+Behavioral Description:   
+When the source process`*`initializes the following actions, HIPS module should let the user decide them.
+- `Execute` the program under the path `*\Users\*\AppData\Roaming\>`
+- `Execute` the program under the path `*\Users\*\AppData\>`
+- `Execute` the program under the path `*\Users\>\>`
+- `Execute` the program under the path `*\ProgramData\>`
+- `Execute` the program under the path `*\Program Files\>`
+- `Execute` the program under the path `*\Program Files (x86)\>`
+- `Execute` the program under the path `*\Users\*\AppData\Local\>`
+- `Execute` the program under the path `*\Users\>\Documents\>`
+- `Execute` the program under the path `*\Users\>\Documents\>\>`
+- `Read` the file under the path `*\Users\Public\>.bat`
+
+## Suspicious.RunFromSusPath.B
+
+Status: Enabled
+
+Behavioral Description:   
+When the source process`*`initializes the following actions, HIPS module should let the user decide them.
+- `Execute` the program under the path `*\Recycler\*`
+- `Execute` the program under the path `*\$RECYCLE.BIN\*`
+- `Execute` the program under the path `*\System Volume Information\*`
+
+## Suspicious.RunFromSusPath.C
+
+Status: Disabled
+
+Behavioral Description:   
+When the source process`*`initializes the following actions, HIPS module should let the user decide them.
+- `Execute` the program under the path `*\ProgramData\>\>.exe`
+
+## Suspicious.RunFromSusPath.D
+
+Status: Enabled
+
+Behavioral Description:   
+When the source process`*\Windows\Sys?????\>`initializes the following actions, HIPS module should let the user decide them.
+- `Execute` the program under the path `*\Users\*\AppData\Roaming\>\>.exe`
+
+## Suspicious.RunFromSusPath.E
+
+Status: Disabled
+
+Behavioral Description:   
+When the source process`*`initializes the following actions, HIPS module should let the user decide them.
+- `Execute` the program under the path `*\Users\*\AppData\Roaming\>\>.exe`
+
+***rule.json hash: 08f7e3dc7ada40ee0b6cce1ef341404eb3de0be6da37d852a0549a1c049944c2***
 # Telemetry.TerminalServer
 
 ## Telemetry.TerminalServer.A

diff --git a/rules/Suspicious.NetDebugger/README.md b/rules/Suspicious.NetDebugger/README.md
@@ -12,9 +12,9 @@
 
 ## Suspicious.NetDebugger.A
 
-状态：未启用
+状态：启用
 
 行为描述：源程序`*`做出以下操作时，提示用户处理
 - 对路径为`*\SOFTWARE*Microsoft\.NETFramework\DbgManagedDebugge*`的注册表进行**创建、写入**操作
 
-***rule.json hash: 04ca56b228447f507b7f8e4bc012dfee5c97828c916b7513db6b61c24d14ed14***
+***rule.json hash: 69a78ae8fed5bc9bcbb68eae9c549fcf9ac68e5aaeb26a2a0639866dbaf5d8d6***
diff --git a/rules/Suspicious.NetDebugger/README_en_us.md b/rules/Suspicious.NetDebugger/README_en_us.md
@@ -12,10 +12,10 @@ Contents
 
 ## Suspicious.NetDebugger.A
 
-Status: Disabled
+Status: Enabled
 
 Behavioral Description:   
 When the source process`*`initializes the following actions, HIPS module should let the user decide them.
 - `Create, Write` the registry under the path `*\SOFTWARE*Microsoft\.NETFramework\DbgManagedDebugge*`
 
-***rule.json hash: 04ca56b228447f507b7f8e4bc012dfee5c97828c916b7513db6b61c24d14ed14***
+***rule.json hash: 69a78ae8fed5bc9bcbb68eae9c549fcf9ac68e5aaeb26a2a0639866dbaf5d8d6***
diff --git a/rules/Suspicious.NetWinAppXRT/README.md b/rules/Suspicious.NetWinAppXRT/README.md
@@ -12,9 +12,9 @@
 
 ## Suspicious.NetWinAppXRT.A
 
-状态：未启用
+状态：启用
 
 行为描述：源程序`*`做出以下操作时，提示用户处理
 - 对路径为`*\WinAppXRT.dll`的文件进行**创建、写入**操作
 
-***rule.json hash: e929a5393844223a858a2db1aec518991e2d30f560a952a4066a5f69352cdf47***
+***rule.json hash: f4ad1d9a4fc9506d43c0e802b323c39414a8599d5241095efeba91abffb9d1ea***
diff --git a/rules/Suspicious.NetWinAppXRT/README_en_us.md b/rules/Suspicious.NetWinAppXRT/README_en_us.md
@@ -12,10 +12,10 @@ Contents
 
 ## Suspicious.NetWinAppXRT.A
 
-Status: Disabled
+Status: Enabled
 
 Behavioral Description:   
 When the source process`*`initializes the following actions, HIPS module should let the user decide them.
 - `Create, Write` the file under the path `*\WinAppXRT.dll`
 
-***rule.json hash: e929a5393844223a858a2db1aec518991e2d30f560a952a4066a5f69352cdf47***
+***rule.json hash: f4ad1d9a4fc9506d43c0e802b323c39414a8599d5241095efeba91abffb9d1ea***