valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-07 01:45:21 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Rule simplification

Browse Source 
Two selection fields are reduced to one. HKCU and HKLM registry value changes are considered, thus wildcards are added. No change at details.
This commit is contained in:
Ensar Şamil 2018-09-28 10:58:50 +03:00 committed by GitHub
parent 1c2431f33b
commit dec7568d4c
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 5 additions and 14 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
rules/windows/sysmon/sysmon_susp_run_key_img_folder.yml
View File

@ -12,9 +12,11 @@ logsource:
product: windows
service: sysmon
detection:
selection1:
selection:
EventID: 13
TargetObject: '\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\*'
TargetObject:
- '*\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\*'
- '*\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\*'
Details:
- 'C:\Windows\Temp\*'
- '*\AppData\*'
@ -23,18 +25,7 @@ detection:
- 'C:\Users\Public\*'
- 'C:\Users\Default\*'
- 'C:\Users\Desktop\*'
selection2:
EventID: 13
TargetObject: '\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\*'
Details:
- 'C:\Windows\Temp\*'
- '*\AppData\*'
- 'C:\$Recycle.bin\*'
- 'C:\Temp\*'
- 'C:\Users\Public\*'
- 'C:\Users\Default\*'
- 'C:\Users\Desktop\*'
condition: selection1 or selection2
condition: selection
fields:
- Image
falsepositives: