valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-08 10:13:57 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
358d1ffba0
SigmaHQ/rules/windows/sysmon/sysmon_susp_cmd_http_appdata.yml
Thomas Patzke 986c9ff9b7 Added field names to first rules
2017-09-12 23:54:04 +02:00

24 lines
889 B
YAML
Raw Blame History

title: Command Line Execution with suspicious URL and AppData Strings
status: experimental
description: Detects a suspicious command line execution that includes an URL and AppData string in the command line parameters as used by several droppers (js/vbs > powershell)
reference:
- 'https://www.hybrid-analysis.com/sample/3a1f01206684410dbe8f1900bbeaaa543adfcd07368ba646b499fa5274b9edf6?environmentId=100'
- 'https://www.hybrid-analysis.com/sample/f16c729aad5c74f19784a24257236a8bbe27f7cdc4a89806031ec7f1bebbd475?environmentId=100'
author: Florian Roth
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 1
CommandLine:
- 'cmd.exe /c *http://*%AppData%'
- 'cmd.exe /c *https://*%AppData%'
condition: selection
fields:
- CommandLine
- ParentCommandLine
falsepositives:
- High
level: medium
Reference in New Issue View Git Blame Copy Permalink