valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-07 01:45:21 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Improved regsvr32 whitelisting bypass rule

Browse Source
This commit is contained in:
Florian Roth 2017-06-07 12:02:55 +02:00
parent 1fd7a92e87
commit e5ad1b2f84
1 changed files with 2 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
rules/windows/sysmon/sysmon_susp_regsvr32_anomalies.yml
View File

@ -20,9 +20,10 @@ detection:
selection3:
EventID: 1
Image: '*\regsvr32.exe'
Commandline: '/i:http'
Commandline: '*/i:http* scrobj.dll'
condition: selection1 or selection2 or selection3
falsepositives:
- Unknown
level: high