SigmaHQ/wazuh/rules/sigma_win_susp_explorer_break_proctree.yml

16 lines
477 B
YAML
Raw Permalink Normal View History

2020-12-02 22:43:30 +00:00
alert:
- debug
description: Detects a command line process that uses explorer.exe /root, which is similar to cmd.exe /c, only it breaks the process tree and makes its parent a new instance of explorer
filter:
- query:
query_string:
query: (data.win.eventdata.commandLine.keyword:*explorer.exe* AND data.win.eventdata.commandLine.keyword:*\ \/root,*)
index: wazuh-alerts-3.x-*
name: 949f1ffb-6e85-4f00-ae1e-c3c5b190d605_0
priority: 3
realert:
minutes: 0
type: any