Update sysmon_xsl_script_processing.yml

zinint 2019-10-21 23:46:11 +03:00 committed by GitHub
parent a685c9c3be
commit 5248f83fb3
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -18,15 +18,12 @@ detection:
selection2:
EventID: 1
Image:
- 'C:\Windows\Temp\msxsl.exe'
- '*msxsl.exe*'
- '*\msxsl.exe*'
condition:
selection1 or selection2
fields:
-
falsepositives:
- WMIC.exe - depend on scripts and administrative methods used in the monitored environment
- msxsl.exe - is not installed by default so unlikely.
- WMIC.exe FP depend on scripts and administrative methods used in the monitored environment
- msxsl.exe is not installed by default so unlikely.
level: medium
tags:
- attack.t1220
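Review bot: The `Image` pattern `'*\msxsl.exe*'` in selection2 carries a trailing wildcard the field does not need. Sysmon's Image is the full path of the executable, so `- '*\msxsl.exe'` states the same intent more tightly and no longer matches paths that merely contain that string. The page has lost its +/- markers, so I am reading that entry as the new side from the hunk counts (15 old lines, 12 new). If `fields:` with its empty `-` item is still present after the change, it should be dropped or filled, because an empty item parses as a null list entry. A match on the file name alone also misses a renamed copy of the binary; that limitation is worth noting in the rule, or covering with a second field such as `OriginalFileName` where the deployed Sysmon version logs it. The detection block starts above the hunk, so selection1 is not visible here.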