Update win_file_winword_cve_2021_40444.yml

Add new condition
This commit is contained in:
Sittikorn S 2021-09-13 15:33:14 +07:00 committed by GitHub
parent dc5c26ad2d
commit 7386904e42
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -4,7 +4,8 @@ status: experimental
description: Detects file creation patterns noticable during the exploitation of CVE-2021-40444
references:
- https://twitter.com/RonnyTNL/status/1436334640617373699?s=20
author: Florian Roth
- https://twitter.com/vanitasnk/status/1437329511142420483?s=21
author: Florian Roth, Sittikorn S
date: 2021/09/10
logsource:
product: windows
@ -14,10 +15,14 @@ detection:
Image: '\winword.exe'
TargetFilename|endswith: '.cab'
TargetFilename|contains: '\Windows\INetCache'
condition: selection
selection_inf:
Image: '\winword.exe'
TargetFilename|contains:
- '\AppData\Local\Temp\'
- '.inf'
condition: selection or selection_inf
fields:
- TargetFilename
falsepositives:
- unknown
level: critical
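Review bot: In the new `selection_inf` block the `TargetFilename|contains:` list is OR-matched in Sigma, so any file winword.exe writes under `\AppData\Local\Temp\` — routine for Word — satisfies the selection on its own and the rule fires at level critical on benign activity; both substrings are clearly meant to be required, which is `TargetFilename|contains|all:`. The `Image: '\winword.exe'` line is copied verbatim from the existing selection; unless the page dropped a modifier, a plain Sigma value is an exact match that never equals a full image path, and `Image|endswith: '\winword.exe'` is what both blocks intend. Matching `.inf` with `contains` also accepts names such as `.info`; if that matters, a separate `TargetFilename|endswith: '.inf'` is tighter than the list entry.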