Update win_malware_emotet.yml

2024-11-07 09:48:58 +00:00 · 2020-10-15 18:01:00 -03:00 · 2020-10-15 18:01:00 -03:00 · d962e5b844
commit d962e5b844
parent 035cd43e58
1 changed files with 9 additions and 9 deletions
--- a/rules/windows/process_creation/win_malware_emotet.yml
+++ b/rules/windows/process_creation/win_malware_emotet.yml
@ -21,15 +21,15 @@ logsource:
    product: windows
 detection:
    selection:
-        CommandLine:
-            - '* -e* PAA*'
-            - '*JABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQ*'  # $env:userprofile
-            - '*QAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUA*'  # $env:userprofile
-            - '*kAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlA*'  # $env:userprofile
-            - '*IgAoACcAKgAnACkAOwAkA*'  # "('*');$
-            - '*IAKAAnACoAJwApADsAJA*'  # "('*');$
-            - '*iACgAJwAqACcAKQA7ACQA*'  # "('*');$
-            - '*JABGAGwAeAByAGgAYwBmAGQ*'
+        CommandLine|contains:
+            - ' -e* PAA'
+            - 'JABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQ'  # $env:userprofile
+            - 'QAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUA'  # $env:userprofile
+            - 'kAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlA'  # $env:userprofile
+            - 'IgAoACcAKgAnACkAOwAkA'  # "('*');$
+            - 'IAKAAnACoAJwApADsAJA'  # "('*');$
+            - 'iACgAJwAqACcAKQA7ACQA'  # "('*');$
+            - 'JABGAGwAeAByAGgAYwBmAGQ'
    condition: selection
 fields:
    - CommandLine