fix: FP with Edge and call by ordinal

2024-11-07 09:48:58 +00:00 · 2021-04-29 18:23:14 +02:00 · 2021-04-29 18:23:14 +02:00 · 020e6c9e29
commit 020e6c9e29
parent 04709ab9f4
1 changed files with 6 additions and 2 deletions
--- a/rules/windows/process_creation/win_susp_rundll32_by_ordinal.yml
+++ b/rules/windows/process_creation/win_susp_rundll32_by_ordinal.yml
@ -13,7 +13,7 @@ tags:
    - attack.t1085      # an old one
 author: Florian Roth
 date: 2019/10/22
-modified: 2020/11/28
+modified: 2021/04/29
 logsource:
    category: process_creation
    product: windows
@ -22,7 +22,11 @@ detection:
        CommandLine|contains|all:
            - '\rundll32.exe'
            - ',#'
-    condition: selection
+    filter:
+        CommandLine|contains|all:
+            - 'EDGEHTML.dll'
+            - '#141'
+    condition: selection and not filter
 falsepositives:
    - False positives depend on scripts and administrative tools used in the monitored environment
    - Windows control panel elements have been identified as source (mmc)