Update sysmon_susp_procexplorer_driver_created_in_tmp_folder.yml

This commit is contained in:
Jonhnathan 2020-10-15 16:02:16 -03:00 committed by GitHub
parent 5790cc2ea7
commit 7d5e404b32
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -15,13 +15,13 @@ logsource:
category: file_event category: file_event
detection: detection:
selection_1: selection_1:
TargetFilename: '*\AppData\Local\Temp\\*\PROCEXP152.sys' TargetFilename|endswith: '\AppData\Local\Temp\\*\PROCEXP152.sys'
selection_2: selection_2:
Image|contains: Image|contains:
- '*\procexp64.exe' - '\procexp64.exe'
- '*\procexp.exe' - '\procexp.exe'
- '*\procmon64.exe' - '\procmon64.exe'
- '*\procmon.exe' - '\procmon.exe'
condition: selection_1 and not selection_2 condition: selection_1 and not selection_2
falsepositives: falsepositives:
- Other legimate tools using this driver and filename (like Sysinternals). Note - Clever attackers may easily bypass this detection by just renaming the driver filename. Therefore just Medium-level and don't rely on it. - Other legimate tools using this driver and filename (like Sysinternals). Note - Clever attackers may easily bypass this detection by just renaming the driver filename. Therefore just Medium-level and don't rely on it.
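Review bot: The exclusion in `selection_2` keys only on the name of the process that writes the driver, so a loader renamed to `procexp.exe` or `procmon64.exe` is filtered out just as easily as the driver-rename bypass the falsepositives text already warns about, and the note should say so, e.g. `- The exclusion is name-based: a dropper renamed to procexp/procmon will also be excluded.` `Image|contains` also matches the substring anywhere in the path (a directory such as `\procexp.exe.d\` would satisfy it) while the intent is clearly the executable name; `Image|endswith:` is the more precise modifier, and the new list values already carry the leading backslash it needs. The `*` left inside the `|endswith` value of `selection_1` relies on the target backend honoring an in-value wildcard together with the modifier, which is worth confirming against the backends this rule is compiled for.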