valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-06 09:25:17 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

fix detection

Browse Source
This commit is contained in:
frack113 2021-09-15 16:21:30 +02:00
parent b08b3e2b0d
commit 3b8282c221
1 changed files with 8 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
rules/windows/registry_event/sysmon_possible_privilege_escalation_via_service_registry_permissions_weakness.yml → rules/windows/process_creation/process_creation_possible_privilege_escalation_via_service_registry_permissions.yml
View File

@ -14,16 +14,17 @@ date: 2019/10/26
modified: 2020/09/06
logsource:
product: windows
category: registry_event
category: process_creation
detection:
selection:
IntegrityLevel: 'Medium'
TargetObject|contains: '\services\'
TargetObject|endswith:
- '\ImagePath'
- '\FailureCommand'
- '\Parameters\ServiceDll'
CommandLine|contains|all:
- ControlSet
- services
CommandLine|contains:
- \ImagePath
- \FailureCommand
- \ServiceDll
condition: selection
falsepositives:
- Unknown