Merge pull request #761 from EccoTheFlintstone/cve-2020-1048-fix

fix CVE 2020-1048 rule
Florian Roth 2020-05-16 08:58:31 +02:00 committed by GitHub
commit 4e1991cfee


@ -1,5 +1,5 @@
action: global
title: Suspicious PrinterPorts Created
title: Suspicious PrinterPorts Created (CVE-2020-1048)
id: 7ec912f2-5175-4868-b811-ec13ad0f8567
status: experimental
description: Detects new registry printer port was created or powershell command add new printer port which point to suspicious file
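Review bot: the description on the last context line of this hunk is ungrammatical ("Detects new registry printer port was created or powershell command add new printer port which point to suspicious file") and, unlike the new title, does not mention the CVE; since the title is being touched anyway, suggest rewording it to something like "Detects creation of a new printer port in the registry, or a PowerShell command adding a printer port, that points to a suspicious file (CVE-2020-1048)" so both fields carry the same context.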
@ -26,7 +26,10 @@ detection:
- 12
- 13
TargetObject|startswith: 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Ports'
EventType: CreateKey
EventType:
- SetValue
- DeleteValue
- CreateValue
TargetObject|contains:
- '.dll'
- '.exe'
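Review bot: "CreateValue" in the new EventType list does not match any registry EventType I am aware of Sysmon emitting for EventID 12/13 (CreateKey, DeleteKey, DeleteValue on 12 and SetValue on 13), so that entry will never match; please confirm it against the log source or drop it. Replacing "EventType: CreateKey" is the right fix, since a port under the Ports key is written as a value (SetValue) rather than as a subkey, so the old condition could not fire on EventID 13. Note that keeping "DeleteValue" also makes the rule fire when such a port is removed again, which is useful for catching cleanup but should be stated in the description.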