valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-07 17:58:52 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Update win_office_shell.yml

Browse Source
This commit is contained in:
Jonhnathan 2020-10-15 18:13:10 -03:00 committed by GitHub
parent e7f25a61bf
commit 58f6fd4e4f
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 27 additions and 27 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

54
rules/windows/process_creation/win_office_shell.yml
View File

@ -17,33 +17,33 @@ logsource:
product: windows
detection:
selection:
ParentImage:
- '*\WINWORD.EXE'
- '*\EXCEL.EXE'
- '*\POWERPNT.exe'
- '*\MSPUB.exe'
- '*\VISIO.exe'
- '*\OUTLOOK.EXE'
Image:
- '*\cmd.exe'
- '*\powershell.exe'
- '*\wscript.exe'
- '*\cscript.exe'
- '*\sh.exe'
- '*\bash.exe'
- '*\scrcons.exe'
- '*\schtasks.exe'
- '*\regsvr32.exe'
- '*\hh.exe'
- '*\wmic.exe' # https://app.any.run/tasks/c903e9c8-0350-440c-8688-3881b556b8e0/
- '*\mshta.exe'
- '*\rundll32.exe'
- '*\msiexec.exe'
- '*\forfiles.exe'
- '*\scriptrunner.exe'
- '*\mftrace.exe'
- '*\AppVLP.exe'
- '*\svchost.exe' # https://www.vmray.com/analyses/2d2fa29185ad/report/overview.html
ParentImage|endswith:
- '\WINWORD.EXE'
- '\EXCEL.EXE'
- '\POWERPNT.exe'
- '\MSPUB.exe'
- '\VISIO.exe'
- '\OUTLOOK.EXE'
Image|endswith:
- '\cmd.exe'
- '\powershell.exe'
- '\wscript.exe'
- '\cscript.exe'
- '\sh.exe'
- '\bash.exe'
- '\scrcons.exe'
- '\schtasks.exe'
- '\regsvr32.exe'
- '\hh.exe'
- '\wmic.exe' # https://app.any.run/tasks/c903e9c8-0350-440c-8688-3881b556b8e0/
- '\mshta.exe'
- '\rundll32.exe'
- '\msiexec.exe'
- '\forfiles.exe'
- '\scriptrunner.exe'
- '\mftrace.exe'
- '\AppVLP.exe'
- '\svchost.exe' # https://www.vmray.com/analyses/2d2fa29185ad/report/overview.html
condition: selection
fields:
- CommandLine