Update sysmon_unsigned_image_loaded_into_lsass.yml

yugoslavskiy 2019-11-14 00:58:39 +03:00 committed by GitHub
parent 20a5c9498c
commit 01ed5a7135
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -2,6 +2,7 @@ title: Unsigned image loaded into LSASS process
description: Loading unsigned image (DLL, EXE) into LSASS process
author: Teymur Kheirkhabarov, oscd.community
date: 2019/10/22
modified: 2019/11/13
references:
- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
tags:
@ -13,7 +14,7 @@ logsource:
detection:
selection:
EventID: 7
Image: '*\lsass.exe'
Image|endswith: '\lsass.exe'
Signed: 'false'
condition: selection
falsepositives:
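Review bot: The `Signed: 'false'` selection on the new side only catches images Sysmon reports as unsigned, so a DLL loaded into lsass.exe that carries any signature — including one from a leaked or stolen certificate, or one that fails validation — is not matched; since Sysmon Event ID 7 also reports a `SignatureStatus` field, the rule should at least document that gap, e.g. a comment under `selection:` such as `# Signed=false only; signed-but-invalid or stolen-cert loads are out of scope — consider a companion rule on SignatureStatus`. The rule also depends on Sysmon's ImageLoad group being enabled for lsass.exe, which is off by default and high-volume, so a note in `description` or `falsepositives` that Event ID 7 logging must be configured for lsass.exe would save deployers a silent no-op. The `falsepositives` list and the rest of the rule continue outside this hunk.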