Add detect_by_option

This commit is contained in:
frack113 2021-10-25 20:49:30 +02:00 committed by GitHub
parent db640f6080
commit 8eee468cc3
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -20,6 +20,11 @@ logsource:
product: windows
category: process_creation
detection:
detect_by_option:
CommandLine|contains|all:
- '--config '
- '--no-check-certificate '
- ' copy '
exec_selection:
Image|endswith: '\rclone.exe'
ParentImage|endswith:
@ -45,7 +50,7 @@ detection:
- 'no-check-certificate '
description_selection:
Description: 'Rsync for cloud storage'
condition: command_selection and ( description_selection or exec_selection )
condition: detect_by_option or command_selection and ( description_selection or exec_selection )
fields:
- CommandLine
- ParentCommandLine
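Review bot: The three `contains|all` values in the new `detect_by_option` selection each carry a trailing space (`'--config '`, `'--no-check-certificate '`, `' copy '`), so a command line that ends with `--no-check-certificate` (no trailing argument) would not match this selection; the same trailing-space form already appears in `command_selection`, so this may be deliberate to avoid prefix matches, but it is worth a comment on the selection stating that intent, e.g. `# trailing spaces: match whole tokens; a flag placed last on the command line is not matched`. In the second hunk the new `condition` relies on `and` binding tighter than `or`; writing it as `condition: detect_by_option or (command_selection and ( description_selection or exec_selection ))` makes the grouping explicit for readers who do not know the evaluation order. The `detection:` block starts before the first hunk and the surrounding rule metadata is outside the section, so whether a tag or reference was updated for the new selection cannot be confirmed from here.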