valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-08 10:13:57 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

fixed image search

Browse Source
This commit is contained in:
Ivan Dyachkov 2020-10-15 13:21:06 +03:00
parent cf399927e1
commit f79342cc59
1 changed files with 1 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
rules/windows/process_creation/win_susp_diskshadow.yml
View File

@ -15,7 +15,7 @@ logsource:
definition: 'Requirements: Sysmon ProcessCreation logging must be activated and Windows audit msut Include command line in process creation events'
detection:
selection:
Image: 'c:\windows\system32\diskshadow.exe'
Image|endswith: 'diskshadow.exe'
CommandLine|contains:
- '/s'
condition: selection