security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge branch 'vburov-patch-2'

Browse Source
This commit is contained in:
Thomas Patzke
2019-05-09 23:10:52 +02:00
parent 763939a8ca 121e21960e
commit 1e2ef92104
1 changed files with 10 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/windows/process_creation/win_susp_run_locations.yml
+10 -3
View File
@@ -13,11 +13,18 @@ logsource:
product: windows
detection:
selection:
CommandLine:
Image:
- '*:\RECYCLER\\*'
- '*:\SystemVolumeInformation\\*'
- '%windir%\Tasks\\*'
- '%systemroot%\debug\\*'
- 'C:\\Windows\\Tasks\\*'
- 'C:\\Windows\\debug\\*'
- 'C:\\Windows\\fonts\\*'
- 'C:\\Windows\\help\\*'
- 'C:\\Windows\\drivers\\*'
- 'C:\\Windows\\addins\\*'
- 'C:\\Windows\\cursors\\*'
- 'C:\\Windows\\system32\tasks\\*'
condition: selection
falsepositives:
- False positives depend on scripts and administrative tools used in the monitored environment