mirror of
https://github.com/valitydev/SigmaHQ.git
synced 2024-11-08 02:08:54 +00:00
eb8a0636c5
After @thomaspatzke changed to HKU, I did some reading. HKU is for HKEY_User, not HKEY_Current_User (what this threat is tied to). However, he was correct that HKCU does not exist as a prefix for sysmon (see the notes section under event id 13 here: https://github.com/SwiftOnSecurity/sysmon-config/blob/master/sysmonconfig-export.xml). Changed to ignore the key name, confirmed that the key is still unique.
Directory contents:

- ..
- av_exploiting.yml
- av_password_dumper.yml
- av_relevant_files.yml
- av_webshell.yml
- win_mal_ursnif.yml