rule: add call by ordinal

2024-11-07 17:58:52 +00:00 · 2021-02-01 20:16:31 +01:00 · 2021-02-01 20:16:31 +01:00 · 309e15dc5c
commit 309e15dc5c
parent 597633c938
1 changed files with 9 additions and 3 deletions
--- a/rules/windows/process_creation/win_susp_shimcache_flush.yml
+++ b/rules/windows/process_creation/win_susp_shimcache_flush.yml
@ -13,17 +13,23 @@ logsource:
    category: process_creation
    product: windows
 detection:
-    selection1:
+    selection1a:
        CommandLine|contains|all:
            - 'rundll32'
            - 'apphelp.dll'
+    selection1b:
+        CommandLine|contains:
            - 'ShimFlushCache'
-    selection2:
+            - '#250'
+    selection2a:
        CommandLine|contains|all:
            - 'rundll32'
            - 'kernel32.dll'
+    selection2b:
+        CommandLine|contains:
            - 'BaseFlushAppcompatCache'
-    condition: selection1 or selection2
+            - '#46'
+    condition: ( selection1 and selection1b ) or ( selection2a and selection2b )
 fields:
    - Image
    - CommandLine