valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-07 09:48:58 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

fix rule due to sigmac bug?

Browse Source
This commit is contained in:
ecco 2020-05-18 09:39:48 -04:00
parent e89613aee0
commit 088800cd18
1 changed files with 3 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
rules/windows/sysmon/sysmon_webshell_creation_detect.yml
View File

@ -40,6 +40,8 @@ detection:
TargetFilename|contains: TargetFilename|contains:
- '\AppData\Local\Temp\' - '\AppData\Local\Temp\'
- '\Windows\Temp\' - '\Windows\Temp\'
condition: selection_1 and not false_positives and (( selection_2 and selection_3 ) or ( selection_4 and selection_5 ) or selection_6) # kind of ugly but sigmac seems not to handle double parenthesis "(("
# we shold prefer something like : selection_1 and not false_positives and ((selection_2 and selection_3) or (selection_4 and selection_5) or selection_6)
condition: (selection_1 and selection_2 and selection_3 and not false_positives) or (selection_1 and selection_4 and selection_5 and not false_positives) or (selection_1 and selection_6 and not false_positives)
falsepositives: falsepositives:
- Legitimate administrator or developer creating legitimate executable files in a web application folder - Legitimate administrator or developer creating legitimate executable files in a web application folder