mirror of
https://github.com/valitydev/SigmaHQ.git
synced 2024-11-08 18:23:52 +00:00
eb8a0636c5
After @thomaspatzke changed to HKU, I did some reading. HKU is for HKEY_User, not HKEY_Current_User (what this threat is tied to. However, he was correct that HKCU does not exist as a prefix for sysmon (see the notes section under event id 13 here: https://github.com/SwiftOnSecurity/sysmon-config/blob/master/sysmonconfig-export.xml). Changed to ignore the key name, confirmed that the key is still uniique. |
||
---|---|---|
.. | ||
av_exploiting.yml | ||
av_password_dumper.yml | ||
av_relevant_files.yml | ||
av_webshell.yml | ||
win_mal_ursnif.yml |