Update win_susp_certutil_command.yml

This commit is contained in:
Jonhnathan 2020-10-15 18:29:56 -03:00 committed by GitHub
parent 4a3bb4b963
commit 04125cc4c0
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -19,21 +19,21 @@ logsource:
product: windows
detection:
selection:
CommandLine:
- '* -decode *'
- '* /decode *'
- '* -decodehex *'
- '* /decodehex *'
- '* -urlcache *'
- '* /urlcache *'
- '* -verifyctl *'
- '* /verifyctl *'
- '* -encode *'
- '* /encode *'
- '*certutil* -URL*'
- '*certutil* /URL*'
- '*certutil* -ping*'
- '*certutil* /ping*'
CommandLine|contains:
- ' -decode '
- ' /decode '
- ' -decodehex '
- ' /decodehex '
- ' -urlcache '
- ' /urlcache '
- ' -verifyctl '
- ' /verifyctl '
- ' -encode '
- ' /encode '
- 'certutil* -URL'
- 'certutil* /URL'
- 'certutil* -ping'
- 'certutil* /ping'
condition: selection
fields:
- CommandLine
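Review bot: The rewritten `selection` (L31–L45) consists solely of a `CommandLine|contains` list and `condition: selection` (L46) references nothing else, so the entries that are not certutil-specific — ` -decode `, ` /decode `, ` -encode `, ` /encode ` — will fire on any process whose arguments contain those tokens; only the four `certutil* …` entries are tied to the binary. Given the rule's stated scope (certutil), and assuming this is a process_creation logsource (the `category:` line sits above the hunk, outside this view), the flag list should be ANDed with a process selector, keeping `OriginalFileName` alongside `Image` so a renamed copy of certutil.exe is still matched rather than silently excluded. The embedded `*` in `certutil* -URL` and the three similar entries remains a wildcard under `|contains`, which mirrors the replaced `'*certutil* -URL*'` patterns, so those four are consistent as written.
```yaml
detection:
    selection_img:
        - Image|endswith: '\certutil.exe'
        - OriginalFileName: 'CertUtil.exe'
    selection_cli:
        CommandLine|contains:
            # … unchanged: the fourteen flag patterns …
    condition: selection_img and selection_cli
```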