valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-08 02:08:54 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Remove Additional backslash

Browse Source
This commit is contained in:
Jonhnathan 2020-11-27 15:45:08 -03:00 committed by GitHub
parent 0bf996d66e
commit 9171d8913c
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 20 additions and 20 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

40
rules/windows/process_creation/win_netsh_fw_add_susp_image.yml
View File

@ -29,26 +29,26 @@ detection:
susp_image:
CommandLine|contains:
- '%TEMP%'
- ':\RECYCLER\\'
- 'C:\$Recycle.bin\\'
- ':\SystemVolumeInformation\\'
- 'C:\\Windows\\Tasks\\'
- 'C:\\Windows\\debug\\'
- 'C:\\Windows\\fonts\\'
- 'C:\\Windows\\help\\'
- 'C:\\Windows\\drivers\\'
- 'C:\\Windows\\addins\\'
- 'C:\\Windows\\cursors\\'
- 'C:\\Windows\\system32\tasks\\'
- 'C:\Windows\Temp\\'
- 'C:\Temp\\'
- 'C:\Users\Public\\'
- '%Public%\\'
- 'C:\Users\Default\\'
- 'C:\Users\Desktop\\'
- '\Downloads\\'
- '\Temporary Internet Files\Content.Outlook\\'
- '\Local Settings\Temporary Internet Files\\'
- ':\RECYCLER\'
- 'C:\$Recycle.bin\'
- ':\SystemVolumeInformation\'
- 'C:\\Windows\\Tasks\'
- 'C:\\Windows\\debug\'
- 'C:\\Windows\\fonts\'
- 'C:\\Windows\\help\'
- 'C:\\Windows\\drivers\'
- 'C:\\Windows\\addins\'
- 'C:\\Windows\\cursors\'
- 'C:\\Windows\\system32\tasks\'
- 'C:\Windows\Temp\'
- 'C:\Temp\'
- 'C:\Users\Public\'
- '%Public%\'
- 'C:\Users\Default\'
- 'C:\Users\Desktop\'
- '\Downloads\'
- '\Temporary Internet Files\Content.Outlook\'
- '\Local Settings\Temporary Internet Files\'
condition: (selection1 or selection2) and susp_image
falsepositives:
- Legitimate administration