rule reorganized

Florian Roth 2020-06-29 21:24:47 +02:00 committed by GitHub
parent 1a088425f9
commit 5a11ef90d0
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -14,7 +14,7 @@ logsource:
product: windows
detection:
selection_image1:
ParentImage|endswith:
- ParentImage|endswith:
- '\mshta.exe'
- '\rundll32.exe'
- '\regsvr32.exe'
@ -45,17 +45,14 @@ detection:
- '\php-cgi.exe'
- '\jbosssvc.exe'
- "MicrosoftEdgeSH.exe"
selection_image2:
ParentImage|contains: "tomcat"
filters:
- ParentImage|contains: "tomcat"
selection_powershell:
- CommandLine|contains:
- "powershell"
- "pwsh"
- Description: "Windows PowerShell"
- Product: "PowerShell Core 6"
condition: (1 of selection_image*) and (1 of filters)
condition: all of them
falsepositives:
- Other scripts
level: medium
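Review bot: `condition: all of them` at the end of the hunk ANDs every selection in the rule, so any selection added later (a future exclusion, for instance) is silently folded into the match; naming the two parts explicitly, `condition: selection_image1 and selection_powershell`, keeps the intent readable and robust to later edits. The reorganisation itself looks behaviour-preserving: the two maps now listed under selection_image1 (the `ParentImage|endswith` list from the first hunk and `ParentImage|contains: "tomcat"`) are OR'd just as selection_image1/selection_image2 were under `1 of selection_image*`, and renaming `filters` to `selection_powershell` removes the misleading hint that it was an exclusion. The unchanged context line `"MicrosoftEdgeSH.exe"` differs from its neighbours by lacking the leading backslash and by using double quotes, so it matches any parent image name merely ending in that string; if a full image name is intended it should read `'\MicrosoftEdgeSH.exe'`, which is worth confirming in a follow-up. Indentation is not recoverable from this rendered view, so the list nesting under selection_image1 should be checked in the raw file.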