Update win_susp_tscon_localsystem.yml

French language settings
mlp1515 2021-08-26 12:50:24 +00:00 committed by GitHub
parent e9ed5f592c
commit e1aa82b412
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -7,6 +7,7 @@ references:
- https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6
author: Florian Roth
date: 2018/03/17
modified: 2021/08/26
tags:
- attack.command_and_control
- attack.t1219
@ -15,7 +16,9 @@ logsource:
product: windows
detection:
selection:
User: NT AUTHORITY\SYSTEM
User|startswith:
- 'NT AUTHORITY\SYSTEM'
- 'AUTORITE NT\Sys' # French language settings
Image|endswith: '\tscon.exe'
condition: selection
falsepositives:
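Review bot: The new `User|startswith` list in `selection` still identifies the SYSTEM account by its localized display name, so a host running any display language other than English or French (German, for example) would leave this rule silent. The truncated value `'AUTORITE NT\Sys'` presumably avoids the accented character in the French account name, but the comment does not say so; I would write it as `# French; prefix only, to avoid the accented 'è' in 'Système'`. If the process-creation source in use exposes the logon session, a locale-independent alternative such as `LogonId: '0x3e7'` (the SYSTEM logon session) would cover every language in one line. That field's availability should be confirmed for the backends this rule targets. Until then, the description or `falsepositives` section (outside this hunk) could state that only English and French systems are covered.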