valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-08 02:08:54 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

fix: bound sysmon logon script rule to field

Browse Source 
Fixed rule:
- rules/windows/sysmon/sysmon_logon_scripts_userinitmprlogonscript.yml
This commit is contained in:
Karneades 2019-11-02 11:43:04 +01:00
parent 3107c0c268
commit 0117dac1db
1 changed files with 11 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
rules/windows/sysmon/sysmon_logon_scripts_userinitmprlogonscript.yml
View File

@ -18,16 +18,22 @@ detection:
exec_exclusion:
Image: '*\explorer.exe'
CommandLine: '*\netlogon.bat'
create_selection:
create_selection_cli:
EventID:
- 1
create_selection_reg:
EventID:
- 11
- 12
- 13
- 14
create_keywords:
- UserInitMprLogonScript
condition: (exec_selection and not exec_exclusion) or (create_selection and create_keywords)
create_keywords_reg:
TargetObject:
- '*UserInitMprLogonScript*'
create_keywords_cli:
CommandLine:
- '*UserInitMprLogonScript*'
condition: (exec_selection and not exec_exclusion) or (create_selection_reg and create_keywords_reg) or (create_selection_cli and create_keywords_cli)
falsepositives:
- exclude legitimate logon scripts
- penetration tests, red teaming