SigmaHQ/wazuh/rules/sigma_sysmon_dhcp_calloutdll.yml
joker2013 50379800f2 123
2020-12-03 01:43:30 +03:00

16 lines
522 B
YAML

alert:
- debug
description: Detects the installation of a Callout DLL via CalloutDlls and CalloutEnabled parameter in Registry, which can be used to execute code in context of the DHCP server (restart required)
filter:
- query:
query_string:
query: data.win.eventdata.targetObject.keyword:(*\\Services\\DHCPServer\\Parameters\\CalloutDlls OR *\\Services\\DHCPServer\\Parameters\\CalloutEnabled)
index: wazuh-alerts-3.x-*
name: 9d3436ef-9476-4c43-acca-90ce06bdf33a_0
priority: 2
realert:
minutes: 0
type: any