valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-08 02:08:54 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Update sysmon_cactustorch.yml

Browse Source
This commit is contained in:
Jonhnathan 2020-10-15 20:12:54 -03:00 committed by GitHub
parent 457217bfc0
commit df81f5180d
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 7 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
rules/windows/sysmon/sysmon_cactustorch.yml
View File

@ -14,13 +14,13 @@ logsource:
detection: detection:
selection: selection:
EventID: 8 EventID: 8
SourceImage: SourceImage|endswith:
- '*\System32\cscript.exe' - '\System32\cscript.exe'
- '*\System32\wscript.exe' - '\System32\wscript.exe'
- '*\System32\mshta.exe' - '\System32\mshta.exe'
- '*\winword.exe' - '\winword.exe'
- '*\excel.exe' - '\excel.exe'
TargetImage: '*\SysWOW64\\*' TargetImage|contains: '\SysWOW64\\'
StartModule: null StartModule: null
condition: selection condition: selection
tags: tags: