Merge pull request #1690 from WuerthIT/patch_rule

update rule: powershell_accessing_win_api.yml
Florian Roth 2021-07-15 08:36:38 +02:00 committed by GitHub
commit abb8df887a
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -26,13 +26,13 @@ detection:
- 'VirtualFree'
- 'WriteProcessMemory'
- 'CreateUserThread'
- 'CloseHanlde'
- 'CloseHandle'
- 'GetDelegateForFunctionPointer'
- 'CreateThread'
- 'memcpy'
- 'LoadLibrary'
- 'GetModuleHandle'
- 'GetProcAdress'
- 'GetProcAddress'
- 'VirtualProtect'
- 'FreeLibrary'
- 'ReadProcessMemory'
@ -51,20 +51,20 @@ detection:
- 'RevertToSelf'
- 'GetLogonSessionData'
- 'CreateProcessWithToken'
- 'DuplicateRokenEx'
- 'DuplicateTokenEx'
- 'OpenWindowStation'
- 'OpenDesktop'
- 'MiniDumpWrireDump'
- 'MiniDumpWriteDump'
- 'AddSecurityPackage'
- 'EnumerateSecurityPackages'
- 'GetProcessHandle'
- 'DangerousGetHandle'
- 'Kernel32'
- 'kernel32'
- 'Advapi32'
- 'Msvcrt'
- 'msvcrt'
- 'ntdll'
- 'User32'
- 'Secur32'
- 'user32'
- 'secur32'
condition: selection
falsepositives:
- Unknown
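Review bot: The DLL-name normalisation in the second hunk is incomplete: `'Kernel32'`, `'Msvcrt'`, `'User32'` and `'Secur32'` are lowercased, but `'Advapi32'` stays capitalised and `'ntdll'` was already lowercase, so the list now mixes styles; for consistency change `- 'Advapi32'` to `- 'advapi32'`. As far as I recall Sigma string matching is case-insensitive on most backends, so this is a style point rather than a detection change — the typo fixes (`CloseHandle`, `GetProcAddress`, `DuplicateTokenEx`, `MiniDumpWriteDump`) are what actually restore coverage. Separately, very generic tokens such as `'memcpy'`, `'CloseHandle'`, `'LoadLibrary'` and the bare `'kernel32'`/`'user32'` names, OR-ed together by `condition: selection`, are likely to match ordinary administrative scripts that use Add-Type/DllImport P/Invoke, so `falsepositives: - Unknown` undersells the noise; I would document that case, e.g. `- Legitimate administrative scripts using Add-Type / DllImport P/Invoke`, and consider a `level` and tuning note accordingly. The selection's field and modifier lie above the first hunk, so whether this is a `contains` match on ScriptBlockText is inferred, not visible here.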