Update win_susp_rundll32_activity.yml

2020-10-10 10:08:02 -03:00
parent 1695bc56dc
commit 09e6b05033
1 changed files with 52 additions and 18 deletions
@@ -18,26 +18,60 @@ logsource:
    product: windows
 detection:
    selection:
-        CommandLine|contains:
-            - 'url.dll*OpenURL'
-            - 'url.dll*OpenURLA'
-            - 'url.dll*FileProtocolHandler'
-            - 'zipfldr.dll*RouteTheCall'
-            - 'shell32.dll*Control_RunDLL'
-            - 'shell32.dll*ShellExec_RunDLL'
+        - CommandLine|contains:
            - 'javascript:'
            - '.RegisterXLL'
-            - 'mshtml.dll*PrintHTML'
-            - 'advpack.dll*LaunchINFSection'
-            - 'advpack.dll*RegisterOCX'
-            - 'ieadvpack.dll*LaunchINFSection'
-            - 'ieadvpack.dll*RegisterOCX'
-            - 'ieframe.dll*OpenURL'
-            - 'shdocvw.dll*OpenURL'
-            - 'syssetup.dll*SetupInfObjectInstallAction'
-            - 'setupapi.dll*InstallHinfSection'
-            - 'pcwutl.dll*LaunchApplication'
-            - 'dfshim.dll*ShOpenVerbApplication'
+        - CommandLine|contains|all:
+            - 'url.dll'
+            - 'OpenURL'
+        - CommandLine|contains|all:
+            - 'url.dll'
+            - 'OpenURLA'
+        - CommandLine|contains|all:
+            - 'url.dll'
+            - 'FileProtocolHandler'
+        - CommandLine|contains|all:
+            - 'zipfldr.dll'
+            - 'RouteTheCall'
+        - CommandLine|contains|all:
+            - 'shell32.dll'
+            - 'Control_RunDLL'
+        - CommandLine|contains|all:
+            - 'shell32.dll'
+            - 'ShellExec_RunDLL'
+        - CommandLine|contains|all:
+            - 'mshtml.dll'
+            - 'PrintHTML'
+        - CommandLine|contains|all:
+            - 'advpack.dll'
+            - 'LaunchINFSection'
+        - CommandLine|contains|all:
+            - 'advpack.dll'
+            - 'RegisterOCX'
+        - CommandLine|contains|all:
+            - 'ieadvpack.dll'
+            - 'LaunchINFSection'
+        - CommandLine|contains|all:
+            - 'ieadvpack.dll'
+            - 'RegisterOCX'
+        - CommandLine|contains|all:
+            - 'ieframe.dll'
+            - 'OpenURL'
+        - CommandLine|contains|all:
+            - 'shdocvw.dll'
+            - 'OpenURL'
+        - CommandLine|contains|all:
+            - 'syssetup.dll'
+            - SetupInfObjectInstallAction'
+        - CommandLine|contains|all:
+            - 'setupapi.dll'
+            - 'InstallHinfSection'
+        - CommandLine|contains|all:
+            - 'pcwutl.dll'
+            - 'LaunchApplication'
+        - CommandLine|contains|all:
+            - 'dfshim.dll'
+            - 'ShOpenVerbApplication'
    condition: selection
 falsepositives:
    - False positives depend on scripts and administrative tools used in the monitored environment