Modified Rule

Removed: unnecessary event ID
Cyb3rEng 2021-09-07 21:09:07 -06:00 committed by GitHub
parent f0f3ecfe2f
commit 8467d5a65a


@ -11,37 +11,33 @@ tags:
- attack.execution
- attack.defence_evasion
status: experimental
Date: 2021/23/8
Date: 2021/08/23
logsource:
product: Windows
service: security
category: process_creation
detection:
#useful_information: add more LOLBins to the rules logic of your choice.
selection1:
EventLog: security
EventID: 4688
selection2:
ProcessCommandLine:
- '*regsvr32*'
- '*rundll32*'
- '*msiexec*'
- '*mshta*'
- '*verclsid*'
selection3:
- ProcessName: '*\wbem\WMIC.exe'
selection2:
- Image: '*\wbem\WMIC.exe'
- ProcessCommandLine: '*wmic *'
selection4:
ParentProcessName|endswith:
selection3:
ParentImage|endswith:
- winword.exe
- excel.exe
- powerpnt.exe
selection5:
selection4:
processCommandLine|contains|all:
- 'process'
- 'create'
- 'call'
condition: selection1 AND selection2 AND selection3 AND selection4 AND selection5
condition: selection1 AND selection2 AND selection3 AND selection4
falsepositives:
- Unknown
level: high
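Review bot: The new `selection4` keys its match on `processCommandLine|contains|all` (lowercase p) while the new `selection2` three lines above uses `ProcessCommandLine`; Sigma field names are matched as written against the backend field mapping, so the lowercase variant is likely to end up as an unmapped field and the `process`/`create`/`call` check would then never fire, which silently widens or breaks the rule rather than failing loudly. If this is a Sigma `process_creation` rule, the standard field names are `CommandLine`, `Image` and `ParentImage`, so `ProcessCommandLine` in `selection2` presumably needs the same treatment: `CommandLine|contains|all:` in `selection4` and `- CommandLine|contains: 'wmic '` in `selection2`. The new `condition` still references `selection1`, but from this rendered hunk it is not certain whether the `EventLog`/`EventID` block survives on the new side, so please confirm `selection1` is still defined after the removal. Minor consistency points on the same lines: `Date:` and `product: Windows` are capitalised where the Sigma schema expects `date:` and `product: windows`, and `AND` in the condition is conventionally lowercase; the `#useful_information` comment is also inside the `detection` block rather than above it.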