valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-07 17:58:52 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Update sysmon_cmstp_execution.yml

Browse Source
This commit is contained in:
Jonhnathan 2020-10-15 17:16:50 -03:00 committed by GitHub
parent ce4e22750d
commit 1878aa5fbd
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 4 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
rules/windows/process_access/sysmon_cmstp_execution.yml
View File

@ -32,14 +32,14 @@ logsource:
detection:
# Registry Object Add
selection2:
TargetObject: '*\cmmgr32.exe*'
TargetObject|contains: '\cmmgr32.exe'
EventType: 'CreateKey'
# Registry Object Value Set
selection3:
TargetObject: '*\cmmgr32.exe*'
TargetObject|contains: '\cmmgr32.exe'
# Process Access Call Trace
selection4:
CallTrace: '*cmlua.dll*'
CallTrace|contains: 'cmlua.dll'
condition: 1 of them
---
logsource:
@ -48,5 +48,5 @@ logsource:
detection:
# CMSTP Spawning Child Process
selection1:
ParentImage: '*\cmstp.exe'
ParentImage|endswith: '\cmstp.exe'
condition: 1 of them