Update to sysmon_cve-2020-1048

Added .com executables to detection
Second TargetObject should have been Details
Remco Hofman 2020-05-26 11:20:21 +02:00
parent a962bd1bc1
commit 48c5f2ed09

@ -2,9 +2,9 @@ title: Suspicious New Printer Ports in Registry (CVE-2020-1048)
id: 7ec912f2-5175-4868-b811-ec13ad0f8567
status: experimental
description: Detects a new and suspicious printer port creation in Registry that could be an attempt to exploit CVE-2020-1048
author: EagleEye Team, Florian Roth
author: EagleEye Team, Florian Roth, NVISO
date: 2020/05/13
modified: 2020/05/23
modified: 2020/05/26
references:
- https://windows-internals.com/printdemon-cve-2020-1048/
tags:
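Review bot: the `description:` line is left unchanged even though the rule now keys on the written value data rather than the key path; "a new and suspicious printer port creation in Registry" reads as a key-creation check, so consider rewording it to state that the rule flags a printer port whose value data points at a file path or executable, which is what the `Details|contains` list actually matches. Since `status:` stays `experimental` and `references:` carries a single write-up, listing the vendor advisory for CVE-2020-1048 as a second reference would also help reviewers confirm the affected registry location.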
@ -23,10 +23,11 @@ detection:
- SetValue
- DeleteValue
- CreateValue
TargetObject|contains:
Details|contains:
- '.dll'
- '.exe'
- '.bat'
- '.com'
- 'C:'
condition: selection
falsepositives:
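Review bot: the newly added `'.com'` entry under `Details|contains:` will match far more than COM executables, because port values for network printers routinely contain DNS names (anything of the form `host.example.com` or `\\print.example.com\queue`); either switch that entry to an `endswith` modifier or call this out under `falsepositives:`. The `'C:'` entry has the opposite problem: it only catches drive C, so a port pointing at `D:\...` or a UNC path would slip through; a pattern such as `':\'` (or a regex for a drive letter followed by `:\`) covers all local drives. Finally, switching the second selector from `TargetObject` to `Details` is the right fix, but `Details` is populated by Sysmon on `SetValue` (event 13) and not on the object add/delete events, so the `DeleteValue` and `CreateValue` entries in the `EventType` list above will never satisfy this selector and could be dropped to keep the rule honest about what it detects.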