valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-07 09:48:58 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

add additional filename pattern to HiveNightmare rule

Browse Source
This commit is contained in:
Florian Roth 2021-07-23 10:39:41 +02:00
parent 5955efa750
commit c0138d5ced
1 changed files with 2 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
rules/windows/file_event/win_hivenightmare_file_exports.yml
View File

@ -7,6 +7,7 @@ date: 2020/07/23
references:
- https://github.com/GossiTheDog/HiveNightmare
- https://github.com/FireFart/hivenightmare/
- https://github.com/WiredPulse/Invoke-HiveNightmare
logsource:
product: windows
category: file_event
@ -20,6 +21,7 @@ detection:
- '\hive_sam_' # Go version
- '\SAM-2021-' # C++ version
- '\SAM-2022-' # C++ version
- '\SAM-haxx' # Early C++ versions
- '\Sam.save' # PowerShell version
condition: selection
fields: