valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-07 09:48:58 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Remove commas

Browse Source
This commit is contained in:
Jonhnathan 2020-10-08 15:31:17 -03:00 committed by GitHub
parent 8d94e993ab
commit 1695bc56dc
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 17 additions and 17 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

34
rules/windows/process_creation/win_susp_rundll32_activity.yml
View File

@ -19,25 +19,25 @@ logsource:
detection:
selection:
CommandLine|contains:
- 'url.dll,*OpenURL'
- 'url.dll,*OpenURLA'
- 'url.dll,*FileProtocolHandler'
- 'zipfldr.dll,*RouteTheCall'
- 'shell32.dll,*Control_RunDLL'
- 'shell32.dll,*ShellExec_RunDLL'
- 'url.dll*OpenURL'
- 'url.dll*OpenURLA'
- 'url.dll*FileProtocolHandler'
- 'zipfldr.dll*RouteTheCall'
- 'shell32.dll*Control_RunDLL'
- 'shell32.dll*ShellExec_RunDLL'
- 'javascript:'
- '.RegisterXLL'
- 'mshtml.dll,*PrintHTML'
- 'advpack.dll,*LaunchINFSection'
- 'advpack.dll,*RegisterOCX'
- 'ieadvpack.dll,*LaunchINFSection'
- 'ieadvpack.dll,*RegisterOCX'
- 'ieframe.dll,*OpenURL'
- 'shdocvw.dll,*OpenURL'
- 'syssetup.dll,*SetupInfObjectInstallAction'
- 'setupapi.dll,*InstallHinfSection'
- 'pcwutl.dll,*LaunchApplication'
- 'dfshim.dll,*ShOpenVerbApplication'
- 'mshtml.dll*PrintHTML'
- 'advpack.dll*LaunchINFSection'
- 'advpack.dll*RegisterOCX'
- 'ieadvpack.dll*LaunchINFSection'
- 'ieadvpack.dll*RegisterOCX'
- 'ieframe.dll*OpenURL'
- 'shdocvw.dll*OpenURL'
- 'syssetup.dll*SetupInfObjectInstallAction'
- 'setupapi.dll*InstallHinfSection'
- 'pcwutl.dll*LaunchApplication'
- 'dfshim.dll*ShOpenVerbApplication'
condition: selection
falsepositives:
- False positives depend on scripts and administrative tools used in the monitored environment