valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-07 09:48:58 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Update sysmon_invoke_phantom.yml

Browse Source
This commit is contained in:
Jonhnathan 2020-11-20 01:30:58 -03:00 committed by GitHub
parent 4af7f00f4a
commit 2194744803
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 2 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
rules/windows/process_access/sysmon_invoke_phantom.yml
View File

@ -19,8 +19,8 @@ detection:
selection:
TargetImage|endswith: '\windows\system32\svchost.exe'
GrantedAccess: '0x1f3fff'
CallTrace:
- '*unknown*'
CallTrace|contains:
- 'unknown'
condition: selection
falsepositives:
- unknown