security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: FPs with veam backup shell

Browse Source
This commit is contained in:
Florian Roth
2022-09-12 13:29:51 +02:00
parent a5fe285776
commit 0bbb679e38
1 changed files with 2 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/windows/process_creation/proc_creation_win_ntfs_short_name_path_use_cli.yml
+2 -1
View File
@@ -11,7 +11,7 @@ references:
- https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN
- https://twitter.com/frack113/status/1555830623633375232
date: 2022/08/07
modified: 2022/08/12
modified: 2022/09/12
logsource:
category: process_creation
product: windows
@@ -27,6 +27,7 @@ detection:
- ParentImage|endswith:
- '\WebEx\WebexHost.exe'
- '\thor\thor64.exe'
- '\veam.backup.shell.exe'
condition: selection and not filter
falsepositives:
- Applications could use this notation occasionally which might generate some false positives. In that case Investigate the parent and child process.