Update sysmon_susp_procexplorer_driver_created_in_tmp_folder.yml

This commit is contained in:
Jonhnathan 2020-10-15 16:02:16 -03:00 committed by GitHub
parent 5790cc2ea7
commit 7d5e404b32


@ -15,13 +15,13 @@ logsource:
category: file_event
detection:
selection_1:
TargetFilename: '*\AppData\Local\Temp\\*\PROCEXP152.sys'
TargetFilename|endswith: '\AppData\Local\Temp\\*\PROCEXP152.sys'
selection_2:
Image|contains:
- '*\procexp64.exe'
- '*\procexp.exe'
- '*\procmon64.exe'
- '*\procmon.exe'
- '\procexp64.exe'
- '\procexp.exe'
- '\procmon64.exe'
- '\procmon.exe'
condition: selection_1 and not selection_2
falsepositives:
- Other legimate tools using this driver and filename (like Sysinternals). Note - Clever attackers may easily bypass this detection by just renaming the driver filename. Therefore just Medium-level and don't rely on it.
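Review bot: The exclusion in selection_2 still uses `Image|contains`, so the new values `'\procexp64.exe'`, `'\procexp.exe'`, `'\procmon64.exe'` and `'\procmon.exe'` exempt any image whose full path contains that substring anywhere (a directory component named like the tool would do), not only a process whose image name is the tool; the old `*\procexp64.exe` values were already unanchored under `contains`, so the commit carries this over rather than tightening it. Since the rule's own falsepositives entry concedes that renaming defeats the detection, the exclusion should at least be anchored to the image name by changing the modifier to `Image|endswith:` and keeping the same four values. On selection_1, the `\\*` inside `'\AppData\Local\Temp\\*\PROCEXP152.sys'` appears deliberate (in Sigma a single `\*` is an escaped literal asterisk, while `\\*` is a literal backslash followed by a wildcard), so a comment above that line such as `# \\* = literal backslash then wildcard; a single \* would be a literal asterisk` would stop the next editor from "simplifying" it into a non-matching pattern. The rule's `title`/`logsource` header and the `category` line's parent start above this hunk.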