Update sysmon_susp_procexplorer_driver_created_in_tmp_folder.yml
Fixed CI
@@ -1,4 +1,4 @@
title: Suspicious PROCEXP152.sys file created in tmp folder
title: Suspicious PROCEXP152.sys File Created In TMP
id: 3da70954-0f2c-4103-adff-b7440368f50e
description: detects the creation of the PROCEXP152.sys file in the application-data local temporary folder. This driver is used by Sysinternals Process Explorer but also by KDU (https://github.com/hfiref0x/KDU) or Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs), which uses KDU.
status: experimental
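Review bot: the retitled line loses information: "TMP" on its own is ambiguous (a directory, an extension, the %TMP% variable?) while the description four lines down still says "application-data local temporary folder", so the title and description now disagree on wording. If the CI failure was only about title casing, "Suspicious PROCEXP152.sys File Created In Temp Folder" satisfies that and keeps the meaning. While this block is being edited, the description should also start with a capital letter ("Detects the creation of ...") to match the capitalised title.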
@@ -8,7 +8,7 @@ references:
- https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/
tags:
- attack.t1089
- attack.defensive_evasion
- attack.defense_evasion
logsource:
product: windows
service: sysmon
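Review bot: `attack.defense_evasion` is the correct tactic tag, so replacing the misspelled `attack.defensive_evasion` is the right fix (a tag validator rejects the old value, which is the likely CI failure), but the technique tag two lines above it should be corrected in the same pass: `attack.t1089` (Disabling Security Tools) has been revoked by MITRE and replaced by T1562.001 (Impair Defenses: Disable or Modify Tools), so the block should read `- attack.t1562.001` and `- attack.defense_evasion`. Separately, since the rule fires on a file being written rather than on a particular event provider, the portable Sigma logsource for this is `product: windows` with `category: file_event` instead of `service: sysmon`; the current form ties the rule to Sysmon event data only.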