Update win_apt_bear_activity_gtr19.yml

This commit is contained in:
Jonhnathan 2020-10-27 23:26:34 -03:00 committed by GitHub
parent e24e6da3b5
commit 0860978412
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -18,10 +18,19 @@ logsource:
detection:
selection1:
Image|endswith: '\xcopy.exe'
CommandLine|contains: '/S /E /C /Q /H \\'
CommandLine|contains|all:
- '/S'
- '/E'
- '/C'
- '/Q'
- '/H'
- '\\'
selection2:
Image|endswith: '\adexplorer.exe'
CommandLine|contains: ' -snapshot "" c:\users\\'
CommandLine|contains|all:
- '-snapshot'
- '""'
- 'c:\users\\'
condition: selection1 or selection2
falsepositives:
- unknown
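Review bot: The `'\\'` entry in selection1's `CommandLine|contains|all` list adds essentially nothing to the match, because any xcopy command line carrying a Windows path already contains a backslash, so the selection now reduces to "xcopy.exe with /S, /E, /C, /Q and /H in any order". As I read Sigma's escaping rules, a single-quoted `'\\'` reaches the backend as one literal backslash, which is what makes it near-universal for this image. Either drop the element or replace it with a more specific fragment of the destination path the original fixed string was built from, if the underlying report gives one, e.g. `- '\<PATH_FRAGMENT_PLACEHOLDER>'`. The same switch-in-any-order loosening applies to selection2, but there the `'c:\users\\'` element still anchors the match, so no change is needed.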