valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-06 01:15:17 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
master
SigmaHQ/wazuh/rules/sigma_win_plugx_susp_exe_locations.yml
joker2013 50379800f2 123
2020-12-03 01:43:30 +03:00

16 lines
2.2 KiB
YAML
Raw Permalink Blame History

alert:
- debug
description: Detects the execution of an executable that is typically used by PlugX for DLL side loading started from an uncommon location
filter:
- query:
query_string:
query: ((((((((((((data.win.eventdata.image.keyword:*\\CamMute.exe AND (NOT (data.win.eventdata.image.keyword:*\\Lenovo\\Communication\ Utility\\*))) OR (data.win.eventdata.image.keyword:*\\chrome_frame_helper.exe AND (NOT (data.win.eventdata.image.keyword:*\\Google\\Chrome\\application\\*)))) OR (data.win.eventdata.image.keyword:*\\dvcemumanager.exe AND (NOT (data.win.eventdata.image.keyword:*\\Microsoft\ Device\ Emulator\\*)))) OR (data.win.eventdata.image.keyword:*\\Gadget.exe AND (NOT (data.win.eventdata.image.keyword:*\\Windows\ Media\ Player\\*)))) OR (data.win.eventdata.image.keyword:*\\hcc.exe AND (NOT (data.win.eventdata.image.keyword:*\\HTML\ Help\ Workshop\\*)))) OR (data.win.eventdata.image.keyword:*\\hkcmd.exe AND (NOT (data.win.eventdata.image.keyword:(*\\System32\\* OR *\\SysNative\\* OR *\\SysWowo64\\*))))) OR (data.win.eventdata.image.keyword:*\\Mc.exe AND (NOT (data.win.eventdata.image.keyword:(*\\Microsoft\ Visual\ Studio* OR *\\Microsoft\ SDK* OR *\\Windows\ Kit*))))) OR (data.win.eventdata.image.keyword:*\\MsMpEng.exe AND (NOT (data.win.eventdata.image.keyword:(*\\Microsoft\ Security\ Client\\* OR *\\Windows\ Defender\\* OR *\\AntiMalware\\*))))) OR (data.win.eventdata.image.keyword:*\\msseces.exe AND (NOT (data.win.eventdata.image.keyword:(*\\Microsoft\ Security\ Center\\* OR *\\Microsoft\ Security\ Client\\* OR *\\Microsoft\ Security\ Essentials\\*))))) OR (data.win.eventdata.image.keyword:*\\OInfoP11.exe AND (NOT (data.win.eventdata.image.keyword:*\\Common\ Files\\Microsoft\ Shared\\*)))) OR (data.win.eventdata.image.keyword:*\\OleView.exe AND (NOT (data.win.eventdata.image.keyword:(*\\Microsoft\ Visual\ Studio* OR *\\Microsoft\ SDK* OR *\\Windows\ Kit* OR *\\Windows\ Resource\ Kit\\*))))) OR (data.win.eventdata.image.keyword:*\\rc.exe AND (NOT (data.win.eventdata.image.keyword:(*\\Microsoft\ Visual\ Studio* OR *\\Microsoft\ SDK* OR *\\Windows\ Kit* OR *\\Windows\ Resource\ Kit\\* OR *\\Microsoft.NET\\*)))))
index: wazuh-alerts-3.x-*
name: aeab5ec5-be14-471a-80e8-e344418305c2_0
priority: 2
realert:
minutes: 0
type: any
Reference in New Issue View Git Blame Copy Permalink