Update sysmon_susp_office_kerberos_dll_load.yml

Antonlovesdnb 2020-02-25 09:23:52 -05:00 committed by GitHub
parent f92e2f2b18
commit 4c5d489428
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -16,12 +16,12 @@ detection:
selection:
EventID: 7
Image:
- '*\winword.exe'
- '*\powerpnt.exe'
- '*\excel.exe'
- '*\outlook.exe'
- '*\winword.exe*'
- '*\powerpnt.exe*'
- '*\excel.exe*'
- '*\outlook.exe*'
ImageLoaded:
- '*kerberos.dll*'
- '*\kerberos.dll*'
condition: selection
falsepositives:
- Alerts on legitimate macro usage as well, will need to filter as appropriate
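
Review bot: The trailing `*` on the new `Image` values (`'*\winword.exe*'` through `'*\outlook.exe*'`) and on `'*\kerberos.dll*'` makes the match looser than the rule needs. In Sysmon EventID 7 both `Image` and `ImageLoaded` hold a full path that ends in the file name, so an anchored suffix such as `'*\winword.exe'` and `'*\kerberos.dll'` already covers every install location, while the trailing wildcard also matches any path that merely contains those strings (for example a directory or a longer file name beginning with `winword.exe`). Adding the leading backslash to the `ImageLoaded` value is a good tightening; I would pair it with dropping the trailing `*` there and keeping the original `Image` entries, or state in the commit message which log source needs the wider pattern, since the message currently gives no reason. The `falsepositives` entry still says filtering will be needed for legitimate macro usage, so broadening the selection without adding a filter is likely to raise the alert volume further.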