Update win_system_exe_anomaly.yml

Jonhnathan
2020-11-28 13:32:44 -03:00
committed by GitHub
parent a3e436363e
commit 0d0f58c830
@@ -4,7 +4,7 @@ status: experimental
description: Detects a Windows program executable started in a suspicious folder
references:
- https://twitter.com/GelosSnake/status/934900723426439170
author: Florian Roth, Patrick Bareiss
author: Florian Roth, Patrick Bareiss, oscd.community
date: 2017/11/27
tags:
- attack.defense_evasion
@@ -38,15 +38,16 @@ detection:
- '\audiodg.exe'
- '\wlanext.exe'
filter:
Image|startswith:
- 'C:\Windows\System32\\'
- 'C:\Windows\system32\\'
- 'C:\Windows\SysWow64\\'
- 'C:\Windows\SysWOW64\\'
- Image|startswith:
- 'C:\Windows\System32\'
- 'C:\Windows\system32\'
- 'C:\Windows\SysWow64\'
- 'C:\Windows\SysWOW64\'
- 'C:\Windows\winsxs\'
- 'C:\Windows\WinSxS\'
- '\SystemRoot\System32\'
- Image:
- 'C:\Windows\explorer.exe'
- 'C:\Windows\winsxs\\'
- 'C:\Windows\WinSxS\\'
- '\SystemRoot\System32\\'
condition: selection and not filter
fields:
- ComputerName
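Review bot: The `Image|startswith` entries at L28–L34 are prefix matches, so the filter excludes not only binaries located directly in System32, SysWOW64 or WinSxS but any executable with one of the selected system names running from a subdirectory below those folders, which is broader than the "suspicious folder" scope the description at L10 implies; the old double-backslash form had the same reach, but the rewrite is the place to make it explicit. Add a comment above the first entry such as `# prefix match: also excludes every subdirectory below these folders`, or narrow the filter to the directory itself where the target backend can express that. The case variants `System32`/`system32` and `SysWow64`/`SysWOW64` are redundant if the backend matches this modifier case-insensitively — worth confirming before keeping both. The `fields` list may continue past `- ComputerName` beyond the visible end of the hunk.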