security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
f29ffc06974c0e5e80d83bb013ae8a6accedc708
blue-team-tools/rules/windows/sysmon/sysmon_susp_cmd_http_appdata.yml
T

24 lines
890 B
YAML
Raw Normal View History

Small Typo fix
2017-08-22 10:56:25 +02:00
title: Command Line Execution with suspicious URL and AppData Strings
Rule: Suspicious cmd.exe combo with http and AppData
2017-04-03 10:41:10 +02:00
status: experimental
description: Detects a suspicious command line execution that includes an URL and AppData string in the command line parameters as used by several droppers (js/vbs > powershell)
Change "reference" to "references" to match new schema
2018-01-28 02:12:19 +03:00
references:
Rule: Suspicious cmd.exe combo with http and AppData
2017-04-03 10:41:10 +02:00
- 'https://www.hybrid-analysis.com/sample/3a1f01206684410dbe8f1900bbeaaa543adfcd07368ba646b499fa5274b9edf6?environmentId=100'
- 'https://www.hybrid-analysis.com/sample/f16c729aad5c74f19784a24257236a8bbe27f7cdc4a89806031ec7f1bebbd475?environmentId=100'
author: Florian Roth
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 1
CommandLine:
- 'cmd.exe /c *http://*%AppData%'
- 'cmd.exe /c *https://*%AppData%'
condition: selection
Added field names to first rules
2017-09-12 23:54:04 +02:00
fields:
- CommandLine
- ParentCommandLine
Rule: Suspicious cmd.exe combo with http and AppData
2017-04-03 10:41:10 +02:00
falsepositives:
- High
level: medium
Reference in New Issue Copy Permalink