Update process_creation_susp_7z.yml

2024-11-07 09:48:58 +00:00 · 2021-07-27 15:22:44 +02:00 · 2021-07-27 15:22:44 +02:00 · c31bc05aae
commit c31bc05aae
parent 54e6e36ecc
1 changed files with 7 additions and 8 deletions
--- a/rules/windows/process_creation/process_creation_susp_7z.yml
+++ b/rules/windows/process_creation/process_creation_susp_7z.yml
@ -14,20 +14,19 @@ logsource:
    product: windows
 detection:
    selection_7z:
-        CommandLine|contains:
+        Image|endswith:
            - '7z.exe'
-    selection_password:
-        CommandLine|contains:
+            - '7za.exe'
+    selection_param:
+        CommandLine|contains|all:
            - ' -p'
-    selection_action:
-        CommandLine|contains:
            - ' a '
            - ' u '
-    condition: all of them 
+    condition: selection_7z and selection_param
 falsepositives:
-    - Unknown
+    - Command line parameter combinations that contain all included strings
 level: medium
 fields:
    - CommandLine
    - ParentCommandLine
-    - CurrentDirectory
+    - CurrentDirectory