Merge pull request #255 from vburov/patch-1

Update win_susp_process_creations.yml
This commit is contained in:
Thomas Patzke 2019-02-22 21:15:52 +01:00 committed by GitHub
commit 18d012cc2e
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -14,6 +14,7 @@ references:
- https://subt0x10.blogspot.ca/2017/04/bypassing-application-whitelisting.html
- https://gist.github.com/subTee/7937a8ef07409715f15b84781e180c46#file-rat-bat
- https://twitter.com/vector_sec/status/896049052642533376
- http://security-research.dyndns.org/pub/slides/FIRST-TC-2018/FIRST-TC-2018_Tom-Ueltschi_Sysmon_PUBLIC.pdf
author: Florian Roth
modified: 2018/12/11
detection:
@ -134,3 +135,11 @@ detection:
- '*AddInProcess*'
# NotPowershell (nps) attack
# - '*msbuild*' # too many false positives
# Keyloggers and Password-Stealers abusing NirSoft tools(Limitless Logger, Predator Pain, HawkEye Keylogger, iSpy Keylogger, KeyBase Keylogger)
- '* /stext *'
- '* /scomma *'
- '* /stab *'
- '* /stabular *'
- '* /shtml *'
- '* /sverhtml *'
- '* /sxml *'
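Review bot: The eight new NirSoft lines at the end of this section change what the rule detects, yet `modified: 2018/12/11` in the first hunk still carries the earlier revision date although the merge lands on 2019-02-22; it should be bumped to the date of this change, e.g. `modified: 2019/02/22`, so anyone tracking rule revisions by that field picks up the new patterns. The `/stext`, `/scomma`, `/stab`, `/stabular`, `/shtml`, `/sverhtml` and `/sxml` switches are NirSoft's standard save-output options, so routine administrative use of any NirSoft utility will also fire this rule; the rule's `falsepositives` section is outside the hunk, so I cannot see whether it already says so, and it should. The introducing comment line is well over 120 characters and has no space before the parenthesis; `# Keyloggers and password stealers abusing NirSoft tools` on one line, with the tool names on a second `#` line at the same indent, would keep the list lint-clean.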