Add "Microsoft Security Client" directory for MsMpEng.exe (Win<8)

Cedric HIEN 2021-03-15 12:07:05 +01:00
parent 310888bae7
commit 864973888e


@ -9,7 +9,7 @@ references:
- https://www.13cubed.com/downloads/windows_process_genealogy_v2.pdf - https://www.13cubed.com/downloads/windows_process_genealogy_v2.pdf
- https://attack.mitre.org/techniques/T1036/ - https://attack.mitre.org/techniques/T1036/
date: 2019/02/23 date: 2019/02/23
modified: 2020/09/06 modified: 2020/03/15
tags: tags:
- attack.defense_evasion - attack.defense_evasion
- attack.t1036 # an old one - attack.t1036 # an old one
@ -36,6 +36,7 @@ detection:
- '*\SysWOW64\\*' - '*\SysWOW64\\*'
- '*\SavService.exe' - '*\SavService.exe'
- '*\Windows Defender\\*\MsMpEng.exe' - '*\Windows Defender\\*\MsMpEng.exe'
- '*\Microsoft Security Client\\*\MsMpEng.exe'
filter_null: filter_null:
ParentImage: null ParentImage: null
condition: selection and not filter and not filter_null condition: selection and not filter and not filter_null
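Review bot: The added exclusion `'*\Microsoft Security Client\\*\MsMpEng.exe'` in the `filter` list starts with a wildcard, so it suppresses the rule for any image path that merely contains a folder of that name, including one under a user-writable location; that makes the allow-list entry a blind spot for the masquerading this rule is meant to catch. Anchoring it to the install root would keep the exclusion narrow, e.g. `- 'C:\Program Files\Microsoft Security Client\MsMpEng.exe'` (path to be confirmed against real telemetry). The `\\*\` part also appears to require an intermediate directory, as in the Windows Defender entry above it, so it may not match a binary that sits directly in the folder. Separately, the `modified:` value in the first hunk seems to move back to `2020/03/15` while the commit is dated 2021-03-15, which looks like a year typo. The `detection:` block begins above the hunk, so the field these patterns apply to is not visible here.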