Update Monitor_LOLBins_process_creations_with_Wmiprvse_parent_process.yml

This commit is contained in:
frack113 2021-09-09 06:28:48 +02:00 committed by GitHub
parent caa5c7af1a
commit 312ffe69e2
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -1,4 +1,5 @@
title: LOLBins Process Created With WmiPrvSE
id: f90d4ff4-db81-4576-9719-8ed45fe387c8
description: This rule will monitor LOLBin process creations by wmiprvse. Add more LOLBins to rule logic if needed.
references:
- https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/
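Review bot: the `id:` line is the only addition in this hunk (the header grows from 4 to 5 lines) and a stable UUID is what Sigma tooling keys on, so this is the right fix; while the header is being touched, the description could state what the rule actually matches rather than that it "will monitor", e.g. `description: Detects LOLBin process creations whose parent is wmiprvse.exe, i.e. processes spawned via WMI. Add more LOLBins to the rule logic if needed.`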
@ -11,7 +12,7 @@ tags:
- attack.execution
- attack.defence_evasion
status: experimental
Date: 2021/08/23
date: 2021/08/23
logsource:
product: Windows
category: process_creation
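Review bot: `Date:` to `date:` is correct (Sigma keys are lowercase), but two values in the surrounding context of this hunk still break Sigma conventions and should go in the same fix: `product: Windows` should be `product: windows`, since logsource values are lowercase and backend field mappings match on the lowercase token, and `attack.defence_evasion` should be `attack.defense_evasion`, the spelling used for that tactic tag throughout the Sigma repository; as written the tag would not match the repository's tag list.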
@ -25,9 +26,8 @@ detection:
- 'mshta'
- 'verclsid'
selection2:
ParentImage|endswith:
- "\wbem\WmiPrvSE.exe"
condition: selection1 AND selection2
ParentImage|endswith: \wbem\WmiPrvSE.exe
condition: selection1 and selection2
falsepositives:
- FPs are possible here, but some LOLBins weren't excluded for obvious reasons.
- FPs are possible here, but some LOLBins weren't excluded for obvious reasons.
level: high
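Review bot: dropping the double quotes around `\wbem\WmiPrvSE.exe` is a correctness fix, not just style: in a YAML double-quoted scalar a backslash starts an escape sequence and `\w` is not a valid one, so the old line could not be loaded reliably, whereas the plain scalar keeps both backslashes literal. Lowercasing `AND` to `and` is also right, since Sigma condition keywords are lowercase. One thing to check that this hunk does not fix: the selection1 entries `'mshta'` and `'verclsid'` carry neither a leading backslash nor `.exe`, so with an `Image|endswith` modifier they would never match `...\mshta.exe`, and with `|contains` they would match any path that happens to contain the substring; the modifier itself is outside this hunk, but `- '\mshta.exe'` under `Image|endswith` would be the unambiguous form. The falsepositives entry ("weren't excluded for obvious reasons") should also name which LOLBins are expected to be spawned legitimately via WMI, since the reason is not obvious to an analyst triaging the alert.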