This commit is contained in:
alexpetrov12 2019-10-23 02:39:40 +03:00
parent 5a260db459
commit 29cd7fed3e


@ -35,24 +35,24 @@ detection:
- "7-zip console"
filter:
Image:
- '*\adexplorer.exe'
- '*\procdump.exe'
- '*\msbuild.exe'
- '*\dotnet.exe'
- '*\cmd.exe'
- '*\powershell.exe'
- '*\psexec.exe'
- '*\installutil.exe'
- '*\cscript.exe'
- '*\wscript.exe'
- '*\mshta.exe'
- '*\regsvr32.exe'
- '*\wmic.exe'
- '*\certutil.exe'
- '*\rundll32.exe'
- '*\cmstp.exe'
- '*\msiexec.exe'
- '*\7z.exe'
-'*\adexplorer.exe'
-'*\procdump.exe'
-'*\msbuild.exe'
-'*\dotnet.exe'
-'*\cmd.exe'
-'*\powershell.exe'
-'*\psexec.exe'
-'*\installutil.exe'
-'*\cscript.exe'
-'*\wscript.exe'
-'*\mshta.exe'
-'*\regsvr32.exe'
-'*\wmic.exe'
-'*\certutil.exe'
-'*\rundll32.exe'
-'*\cmstp.exe'
-'*\msiexec.exe'
-'*\7z.exe'
condition: selection and not filter
falsepositives:
- Custom applications use renamed binaries adding slight change to binary name. Typically this is easy to spot and add to whitelist
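Review bot: The list entries printed as `-'*\adexplorer.exe'` (no space after the dash) are not YAML sequence items but a plain scalar, so on that side the whole `Image:` value folds into one string and the filter can never match, which leaves `selection and not filter` firing on the legitimately named binaries as well; the rendered page does not mark which side is new, so if `- '*\adexplorer.exe'` is the new form this commit is that fix and a yamllint run in CI would keep it from regressing. Separately, the `"7-zip console"` description in the selection is, as far as I recall, also carried by 7-Zip's standalone console build (7za.exe), which is absent from the filter and would surface as a false positive; consider adding `- '*\7za.exe'` beside `- '*\7z.exe'`. The selection block and the start of `detection:` lie outside the hunk.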