updated detection logic

2024-11-06 17:35:19 +00:00 · 2019-03-11 16:58:57 +01:00 · 2019-03-11 16:58:57 +01:00 · c22265c655
commit c22265c655
parent 8dd39a2653
1 changed files with 3 additions and 4 deletions
--- a/rules/windows/builtin/win_mal_creddumper.yml
+++ b/rules/windows/builtin/win_mal_creddumper.yml
@ -11,10 +11,9 @@ logsource:
    product: windows
    service: system
 detection:
-    selection:
+    selection1:
        EventID: 
          - 7045
-          - 4697
    keywords:
      - 'WCE SERVICE'
      - 'WCESERVICE'
@ -22,7 +21,7 @@ detection:
    quarkspwdump:
        EventID: 16
        HiveName: '*\AppData\Local\Temp\SAM*.dmp'
-    condition: ( selection and keywords ) or quarkspwdump
+    condition: ( selection1 and keywords ) or ( selection2 and keywords ) or quarkspwdump
 falsepositives:
    - Unlikely
 level: high
@ -31,5 +30,5 @@ logsource:
    product: windows
    service: security
 detection:
-    selection:
+    selection2:
        EventID: 4697