Update win_netsh_wifi_credential_harvesting.yml

Jonhnathan 2020-11-27 16:01:25 -03:00 committed by GitHub
parent d996e97fdd
commit f6aaa957ff
GPG Key ID: 4AEE18F83AFDEB23

@ -4,7 +4,7 @@ status: experimental
description: Detect the harvesting of wifi credentials using netsh.exe description: Detect the harvesting of wifi credentials using netsh.exe
references: references:
- https://blog.malwarebytes.com/threat-analysis/2020/04/new-agenttesla-variant-steals-wifi-credentials/ - https://blog.malwarebytes.com/threat-analysis/2020/04/new-agenttesla-variant-steals-wifi-credentials/
author: Andreas Hunkeler (@Karneades) author: Andreas Hunkeler (@Karneades), oscd.community
date: 2020/04/20 date: 2020/04/20
modified: 2020/09/01 modified: 2020/09/01
tags: tags:
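Review bot: `modified: 2020/09/01` is left unchanged in this hunk although the commit is dated 2020-11-27 and changes both the `author` field and the detection logic. Bump `modified` to the commit date so that anyone tracking rule revisions by that field sees that the rule changed.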
@ -16,8 +16,13 @@ logsource:
product: windows product: windows
detection: detection:
selection: selection:
CommandLine: CommandLine|contains|all:
- 'netsh wlan s* p* k*=clear' - 'netsh'
- 'wlan'
- ' s'
- ' p'
- ' k'
- '=clear'
condition: selection condition: selection
falsepositives: falsepositives:
- Legitimate administrator or user uses netsh.exe wlan functionality for legitimate reason - Legitimate administrator or user uses netsh.exe wlan functionality for legitimate reason
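Review bot: the new `CommandLine|contains|all` list drops the ordering and adjacency that the old value `'netsh wlan s* p* k*=clear'` expressed, so the two-character items `' s'`, `' p'` and `' k'` can now match anywhere in the command line, in any order, including inside unrelated arguments or paths that contain spaces. That makes the rule tolerant of extra whitespace and of abbreviated keywords, but it also widens what fires. Add a short comment in the rule stating what the split tokens are meant to cover, and extend `falsepositives` to mention other `netsh wlan` invocations that happen to contain these substrings together with `=clear`, since the existing entry is unchanged by this commit.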