valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-08 02:08:54 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Update win_system_exe_anomaly.yml

Browse Source 
Following sigma event I've noticed my twitter account was referenced:
https://twitter.com/GelosSnake/status/934900723426439170

Rule:
https://github.com/Neo23x0/sigma/blob/master/rules/windows/process_creation/win_system_exe_anomaly.yml

Seems like - '\SystemRoot\System32\\*' is missing and hence triggering an FP.
This commit is contained in:
GelosSnake 2019-12-29 18:01:19 +02:00 committed by Florian Roth
parent 4260d01ff0
commit 9f3672fdc0
1 changed files with 2 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
rules/windows/process_creation/win_system_exe_anomaly.yml
View File

@ -29,13 +29,14 @@ detection:
- '*\lsm.exe'
- '*\winlogon.exe'
- '*\explorer.exe'
- '*\taskhost.exe'
- '*\taskhost.exe'
filter:
Image:
- 'C:\Windows\System32\\*'
- 'C:\Windows\SysWow64\\*'
- 'C:\Windows\explorer.exe'
- 'C:\Windows\winsxs\\*'
- '\SystemRoot\System32\\*'
condition: selection and not filter
falsepositives:
- Exotic software