valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-06 09:25:17 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

fix detection

Browse Source
This commit is contained in:
frack113 2021-09-15 16:21:30 +02:00
parent b08b3e2b0d
commit 3b8282c221
1 changed files with 8 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
rules/windows/registry_event/sysmon_possible_privilege_escalation_via_service_registry_permissions_weakness.yml → rules/windows/process_creation/process_creation_possible_privilege_escalation_via_service_registry_permissions.yml
View File

@ -14,16 +14,17 @@ date: 2019/10/26
modified: 2020/09/06 modified: 2020/09/06
logsource: logsource:
product: windows product: windows
category: registry_event category: process_creation
detection: detection:
selection: selection:
IntegrityLevel: 'Medium' IntegrityLevel: 'Medium'
TargetObject|contains: '\services\' CommandLine|contains|all:
TargetObject|endswith: - ControlSet
- '\ImagePath' - services
- '\FailureCommand' CommandLine|contains:
- '\Parameters\ServiceDll' - \ImagePath
- \FailureCommand
- \ServiceDll
condition: selection condition: selection
falsepositives: falsepositives:
- Unknown - Unknown