valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-08 02:08:54 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

rule: made it more specific - command line must contain URL

Browse Source
This commit is contained in:
Florian Roth 2019-11-20 09:23:04 +01:00
parent 55e66b1843
commit f9e6a929ba
1 changed files with 1 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
rules/windows/process_creation/win_exploit_cve_2019_1388.yml
View File

@ -16,6 +16,7 @@ detection:
selection: selection:
ParentImage: '*\consent.exe' ParentImage: '*\consent.exe'
Image: '*\iexplore.exe' Image: '*\iexplore.exe'
CommandLine: '* http*'
rights1: rights1:
IntegrityLevel: 'System' # for Sysmon users IntegrityLevel: 'System' # for Sysmon users
rights2: rights2: