valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-06 09:25:17 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

fix: remove rule, too many FPs and no better matching criteria

Browse Source
This commit is contained in:
phantinuss 2021-09-21 16:52:02 +02:00
parent 5951ad1d9a
commit 46febf48b0
No known key found for this signature in database
GPG Key ID: 10E5D3C9141CC9FF
1 changed files with 0 additions and 25 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

25
rules/windows/file_event/sysmon_uac_bypass_cleanmgr_tmpfile.yml
View File

@ -1,25 +0,0 @@
title: UAC Bypass Using Cleanmgr Temp File Creation
id: 6a8a8a65-15ac-4722-adb7-c93c213c180a
description: Detects the pattern of UAC bypass using cleanmgr.exe to create temporary files (UACMe 63)
author: Christian Burkard
date: 2021/08/30
status: experimental
references:
- https://github.com/hfiref0x/UACME
tags:
- attack.defense_evasion
- attack.privilege_escalation
- attack.t1548.002
logsource:
category: file_event
product: windows
detection:
selection:
Image: 'C:\Windows\system32\cleanmgr.exe'
TargetFilename|startswith: 'C:\Users\'
TargetFilename|contains: '\AppData\Local\Temp\'
TargetFilename|endswith: '.dll'
condition: selection
falsepositives:
- Unknown
level: high