valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-07 01:45:21 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Added perfc.dat keyword to NotPetya rule

Browse Source
This commit is contained in:
Florian Roth 2017-06-28 10:35:42 +02:00
parent a3e0e37163
commit ece1d7e3a8
1 changed files with 3 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
rules/windows/malware/sysmon_malware_notpetya.yml
View File

@ -20,7 +20,9 @@ detection:
EventID: 1
Image: '*\wevtutil.exe'
CommandLine: '* cl *'
condition: fsutil_clean_journal or pipe_com or event_clean
perfc_keyword:
- '*\perfc.dat*'
condition: fsutil_clean_journal or pipe_com or event_clean or perfc_keyword
falsepositives:
- Admin activity
level: critical