security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: deprecate 5f113a8f-8b61-41ca-b90f-d374fa7e4a39

Browse Source
This commit is contained in:
Nasreddine Bencherchali
2022-11-15 22:56:51 +01:00
parent ec66833765
commit 11ce8a1e5b
1 changed files with 1 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/windows/process_access/proc_access_win_in_memory_assembly_execution.yml → rules-deprecated/windows/proc_access_win_in_memory_assembly_execution.yml
+1 -1
View File
@@ -1,6 +1,6 @@
title: Suspicious In-Memory Module Execution
id: 5f113a8f-8b61-41ca-b90f-d374fa7e4a39
status: experimental
status: deprecated
description: |
Detects the access to processes by other suspicious processes which have reflectively loaded libraries in their memory space.
An example is SilentTrinity C2 behaviour. Generally speaking, when Sysmon EventID 10 cannot reference a stack call to a dll loaded from disk (the standard way),