valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-07 09:48:58 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

rule: modified the default

Browse Source
This commit is contained in:
Florian Roth 2019-10-14 17:50:48 +02:00
parent 312311494d
commit 0e2284a176
1 changed files with 5 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
rules/windows/process_creation/win_susp_codepage_switch.yml
View File

@ -14,14 +14,14 @@ detection:
Image: '*\chcp.com' Image: '*\chcp.com'
CommandLine: CommandLine:
- '* 936' # Chinese - '* 936' # Chinese
- '* 1256' # Arabic # - '* 1256' # Arabic
- '* 1258' # Vietnamese - '* 1258' # Vietnamese
- '* 855' # Russian # - '* 855' # Russian
- '* 866' # Russian # - '* 866' # Russian
- '* 864' # Arabic # - '* 864' # Arabic
condition: selection condition: selection
fields: fields:
- ParentCommandLine - ParentCommandLine
falsepositives: falsepositives:
- Administrative activity of foreign staff - "Administrative activity (adjust code pages according to your organisation's region)"
level: medium level: medium