valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-06 01:15:17 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
master
SigmaHQ/wazuh/rules/sigma_win_impacket_lateralization.yml
joker2013 50379800f2 123
2020-12-03 01:43:30 +03:00

16 lines
624 B
YAML
Raw Permalink Blame History

alert:
- debug
description: Detects wmiexec/dcomexec/atexec/smbexec from Impacket framework
filter:
- query:
query_string:
query: ((data.win.eventdata.parentImage.keyword:(*\\wmiprvse.exe OR *\\mmc.exe OR *\\explorer.exe OR *\\services.exe) AND data.win.eventdata.commandLine.keyword:(*cmd.exe*\ \/Q\ \/c\ *\ \\\\127.0.0.1\\*&1*)) OR (process_parent_command_line.keyword:(*svchost.exe\ \-k\ netsvcs OR taskeng.exe*) AND data.win.eventdata.commandLine.keyword:(cmd.exe\ \/C\ *Windows\\Temp\\*&1)))
index: wazuh-alerts-3.x-*
name: 10c14723-61c7-4c75-92ca-9af245723ad2_0
priority: 1
realert:
minutes: 0
type: any
Reference in New Issue View Git Blame Copy Permalink