forfiles, bash detection

juju4 2017-08-13 16:18:13 -04:00
parent 238f27fa0d
commit 21b1c52d1e


@ -11,6 +11,7 @@ reference:
- https://www.trustedsec.com/2017/07/new-tool-release-nps_payload/ - https://www.trustedsec.com/2017/07/new-tool-release-nps_payload/
- https://subt0x10.blogspot.ca/2017/04/bypassing-application-whitelisting.html - https://subt0x10.blogspot.ca/2017/04/bypassing-application-whitelisting.html
- https://gist.github.com/subTee/7937a8ef07409715f15b84781e180c46#file-rat-bat - https://gist.github.com/subTee/7937a8ef07409715f15b84781e180c46#file-rat-bat
- https://twitter.com/vector_sec/status/896049052642533376
author: Florian Roth author: Florian Roth
logsource: logsource:
product: windows product: windows
@ -67,6 +68,8 @@ detection:
- '*AddInProcess*' - '*AddInProcess*'
# NotPowershell (nps) attack # NotPowershell (nps) attack
- '*msbuild*' - '*msbuild*'
- '*forfiles*'
- '*bash*'
condition: selection condition: selection
falsepositives: falsepositives:
- False positives depend on scripts and administrative tools used in the monitored environment - False positives depend on scripts and administrative tools used in the monitored environment
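Review bot: The new `- '*bash*'` entry in the second hunk is a bare substring pattern, so it fires on any value containing "bash" — the key this list belongs to (Image or CommandLine) is above the hunk and not visible here, but in either case this will also match legitimate bash.exe installs such as Git for Windows or WSL, and the `'*forfiles*'` entry likewise catches routine forfiles.exe use in admin scripts and scheduled tasks. If the list is matched against an image path, anchoring on the binary name (`- '*\forfiles.exe'` and `- '*\bash.exe'`) keeps the detection while dropping accidental substring hits; if it is a command-line field, consider whether the existing `falsepositives` entry still covers the noise these two add. Either way, the `falsepositives` list in the same hunk should name the new sources explicitly, e.g. `- Legitimate use of bash.exe (Git for Windows, WSL) or forfiles.exe by administrators`. The enclosing `selection` mapping starts outside the hunk, so the matched field could not be confirmed from this view.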