Update win_susp_regsvr32_anomalies.yml

This commit is contained in:
Jonhnathan 2020-11-28 13:18:38 -03:00 committed by GitHub
parent e99f63f811
commit 5cbefe3737
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -2,7 +2,7 @@ title: Regsvr32 Anomaly
id: 8e2b24c9-4add-46a0-b4bb-0057b4e6187d id: 8e2b24c9-4add-46a0-b4bb-0057b4e6187d
status: experimental status: experimental
description: Detects various anomalies in relation to regsvr32.exe description: Detects various anomalies in relation to regsvr32.exe
author: Florian Roth author: Florian Roth, oscd.community
date: 2019/01/16 date: 2019/01/16
modified: 2020/08/28 modified: 2020/08/28
references: references:
@ -21,7 +21,7 @@ logsource:
detection: detection:
selection1: selection1:
Image|endswith: '\regsvr32.exe' Image|endswith: '\regsvr32.exe'
CommandLine|contains: '\Temp\\' CommandLine|contains: '\Temp\'
selection2: selection2:
Image|endswith: '\regsvr32.exe' Image|endswith: '\regsvr32.exe'
ParentImage|endswith: '\powershell.exe' ParentImage|endswith: '\powershell.exe'
@ -30,9 +30,11 @@ detection:
ParentImage|endswith: '\cmd.exe' ParentImage|endswith: '\cmd.exe'
selection4: selection4:
Image|endswith: '\regsvr32.exe' Image|endswith: '\regsvr32.exe'
CommandLine|contains:
- '/i:http'
- '/i:ftp'
CommandLine|endswith: CommandLine|endswith:
- '/i:http* scrobj.dll' - 'scrobj.dll'
- '/i:ftp* scrobj.dll'
selection5: selection5:
Image|endswith: '\wscript.exe' Image|endswith: '\wscript.exe'
ParentImage|endswith: '\regsvr32.exe' ParentImage|endswith: '\regsvr32.exe'
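Review bot: The rewritten selection4 in this hunk (the `CommandLine|contains` / `CommandLine|endswith` pair replacing the two wildcard `endswith` patterns) changes the detection logic, yet the `modified:` field in the first hunk is still `2020/08/28`; Sigma convention is to bump it whenever the detection block changes, so it should read `modified: 2020/11/28` to match the commit date. Note also that the two new fields are ANDed independently, so the rule no longer requires `/i:http`/`/i:ftp` to precede `scrobj.dll` on the command line as the old `'/i:http* scrobj.dll'` pattern did; as far as I can tell that only widens coverage slightly and is likely intentional given the patchy backend support for mid-string wildcards in `endswith`, but a one-line comment above selection4 such as `# contains + endswith replace the former '/i:<scheme>* scrobj.dll' wildcard patterns` would make the intent clear to the next maintainer. The single-item `- 'scrobj.dll'` list under `CommandLine|endswith` could also be written as a plain scalar for consistency with the rest of the rule.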