Update win_renamed_meg.yml

2021-06-22 22:27:34 +07:00
parent 177442d6df
commit 10488512ae
1 changed files with 4 additions and 4 deletions
@@ -13,7 +13,7 @@ logsource:
    product: windows
    service: sysmon # require sysmon version >= 10.0
 detection:
-    selection:
+    selection_sysmon:
        EventID: 
            - '1'
        OriginalFileName:
@@ -21,18 +21,18 @@ detection:
    filter:
        Image|endswith:
            - '\meg.exe'
-    condition: selection and not filter
+    condition: selection_sysmon and not filter
 ---
 logsource:
    product: windows
    category: process_creation
 detection:
-    selection:
+    selection_proc:
        ParentImage|endswith:
            - '\explorer.exe'
        CommandLine|contains:
            - 'C:\Windows\Temp\meg.exe'
-     condition: selection
+     condition: selection_proc
 falsepositives:
    - Software that illegaly integrates MegaSync in a renamed form
    - Administrators that have renamed MegaSync