SigmaHQ/wazuh/rules/sigma_win_malware_emotet.yml


---
# ElastAlert rule generated from the Sigma rule "win_malware_emotet", run
# against the Wazuh alert index. It catches Emotet-style PowerShell process
# executions whose command line carries one of the base64 fragments below.
#
# NOTE(review): the alerter list is only "debug", which never reaches an
# analyst; extend or replace it with a real alerter before relying on this.
alert:
  - debug

# Upstream Sigma rule id, with the index suffix the converter appends.
name: 'd02e8cf5-6099-48cf-9bfc-1eec2d0c7b18_0'
description: 'Detects all Emotet like process executions that are not covered by the more generic rules'
priority: 1

# Index pattern of the Wazuh 3.x alert stream. Check it against the deployed
# Wazuh version; a different major version writes to a different pattern.
index: 'wazuh-alerts-3.x-*'

# Fire on every single matching document; a realert window of 0 minutes
# means repeated hits are never suppressed.
type: any
realert:
  minutes: 0

# Each term is a substring of a UTF-16LE string after base64 encoding. A
# substring can start at any of three byte offsets inside a base64 triple,
# which is why some strings appear in three spellings. Decoded:
#   -e … PAA                    "-e" (EncodedCommand) whose payload starts
#                               with "<" (0x3c 0x00 -> "PAA")
#   JABlAG4AdgA6AHUAcwBlAHIA…   "$env:userprofile"   (offset 0)
#   QAZQBuAHYAOgB1AHMAZQBy…     "$env:userprofile"   (offset 1)
#   kAGUAbgB2ADoAdQBzAGUAcg…    "$env:userprofile"   (offset 2)
#   IgAoACcAKgAnACkAOwAkA       "\"('*');$"          (offset 0)
#   IAKAAnACoAJwApADsAJA        "\"('*');$"          (offset 1)
#   iACgAJwAqACcAKQA7ACQA       "\"('*');$"          (offset 2)
#   JABGAGwAeAByAGgAYwBmAGQ     "$flxrhcfd"
#
# NOTE(review): the match is on the exact ".keyword" field, so it is
# case-sensitive ("-E" or "-EncodedCommand" would not hit the first term),
# and every term has a leading wildcard, which is slow on large indices.
# If the index template caps ".keyword" with ignore_above, very long
# command lines are not indexed at all and silently miss — confirm against
# the Wazuh template in use.
filter:
  - query:
      query_string:
        query: >-
          data.win.eventdata.commandLine.keyword:(*\ \-e*\ PAA*
          OR *JABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQ*
          OR *QAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUA*
          OR *kAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlA*
          OR *IgAoACcAKgAnACkAOwAkA*
          OR *IAKAAnACoAJwApADsAJA*
          OR *iACgAJwAqACcAKQA7ACQA*
          OR *JABGAGwAeAByAGgAYwBmAGQ*)