Merge pull request #1369 from SigmaHQ/rule-devel

fix: FPs with rule and avast sandbox
Florian Roth 2021-03-02 15:30:30 +01:00 committed by GitHub
commit 5c1dc30a13
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

@ -6,6 +6,7 @@ references:
- https://twitter.com/GelosSnake/status/934900723426439170
author: Florian Roth, Patrick Bareiss
date: 2017/11/27
modified: 2021/03/02
tags:
- attack.defense_evasion
- attack.t1036
@ -46,7 +47,8 @@ detection:
- 'C:\Windows\explorer.exe'
- 'C:\Windows\winsxs\\*'
- 'C:\Windows\WinSxS\\*'
- '\SystemRoot\System32\\*'
- '*\SystemRoot\System32\\*'
- 'C:\avast! sandbox*'
condition: selection and not filter
fields:
- ComputerName
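Review bot: the replacement of `'\SystemRoot\System32\\*'` by `'*\SystemRoot\System32\\*'` in the filter turns an anchored prefix into an unanchored one, so the exclusion now matches the `\SystemRoot\System32\` fragment wherever it appears in the image path rather than only at its start; if the intent is to cover the NT-style `\??\SystemRoot\...` form seen in the false positive, please state that in the commit message or in the rule's `falsepositives` section, because an unanchored path fragment is a wider exclusion than the fix strictly needs. The same applies to `'C:\avast! sandbox*'`: it excludes every image under that directory tree from a T1036 masquerading detection, which is reasonable for a known sandbox but should be recorded under `falsepositives` and, if the false positive came from specific binaries, narrowed to those file names. Minor: since Sigma string matching is case-insensitive by default, `'C:\Windows\winsxs\\*'` and `'C:\Windows\WinSxS\\*'` are duplicates and one of them can be dropped.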