Update win_file_winword_cve_2021_40444.yml
Add new condition
This commit is contained in:
parent
dc5c26ad2d
commit
7386904e42
@ -4,7 +4,8 @@ status: experimental
description: Detects file creation patterns noticable during the exploitation of CVE-2021-40444
references:
- https://twitter.com/RonnyTNL/status/1436334640617373699?s=20
author: Florian Roth
- https://twitter.com/vanitasnk/status/1437329511142420483?s=21
author: Florian Roth, Sittikorn S
date: 2021/09/10
logsource:
product: windows
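Review bot: The detection logic of this rule changes in the same commit, but the hunk leaves `date: 2021/09/10` untouched and adds no `modified:` field. Sigma's convention, as far as I recall it, is that `date` stays the creation date and a logic change is recorded separately, so a line such as `modified: <YYYY/MM/DD of this change>` should accompany the new reference and author entries. The second reference and the extended `author: Florian Roth, Sittikorn S` line are otherwise consistent with the surrounding metadata.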
@ -14,10 +15,14 @@ detection:
Image: '\winword.exe'
TargetFilename|endswith: '.cab'
TargetFilename|contains: '\Windows\INetCache'
condition: selection
selection_inf:
Image: '\winword.exe'
TargetFilename|contains:
- '\AppData\Local\Temp\'
- '.inf'
condition: selection or selection_inf
fields:
- TargetFilename
falsepositives:
- unknown
level: critical
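Review bot: The new `selection_inf` block puts `'\AppData\Local\Temp\'` and `'.inf'` in one list under `TargetFilename|contains`, and in Sigma a list under a single field modifier is a disjunction, so the rule now matches any file Word writes under `\AppData\Local\Temp\` and any path containing `.inf` anywhere; combined with `level: critical` and `condition: selection or selection_inf` that is a noisy detection rather than the intended ".inf dropped in Temp". Separate keys inside the same selection are conjoined, so the check should be written as `TargetFilename|contains: '\AppData\Local\Temp\'` followed by `TargetFilename|endswith: '.inf'`. The copied `Image: '\winword.exe'` is a plain value, which Sigma treats as an exact match, so a full image path would not match; `Image|endswith: '\winword.exe'` is the usual form (the existing `selection`, whose start lies outside this hunk, has the same issue). The `detection:` mapping itself begins before the hunk.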