refactor: comsvcs.dll adjustments - run by ordinal variants

Florian Roth
2021-12-08 10:02:21 +01:00
parent bfd6b48ee4
commit 33bdfd124d
2 changed files with 12 additions and 3 deletions
+5 -1
@@ -19,7 +19,7 @@ description: 'PoC rule to detect malicious activity - following the principle: i
status: experimental
author: Florian Roth
date: 2019/12/22
modified: 2020/05/18
modified: 2021/12/08
level: high
action: global
---
@@ -54,6 +54,10 @@ detection:
- 'schtasks* /create *AppData' # Scheduled task creation pointing to AppData
- ' comsvcs.dll,MiniDump' # Process dumping method apart from procdump
- ' comsvcs.dll,#24' # Process dumping method apart from procdump
- ' comsvcs.dll MiniDump' # Process dumping method apart from procdump
- ' comsvcs.dll #24' # Process dumping method apart from procdump
- 'MiniDump full' # Process dumping method apart from procdump
- '#24 full' # Process dumping method apart from procdump
selection_parent_child:
ParentImage|contains:
# Office Dropper Detection
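Review bot: The new `'#24 full'` entry is the only added pattern not tied to `comsvcs.dll` in the same string, so its false-positive exposure on unrelated command lines is likely higher than the `' comsvcs.dll,#24'` / `' comsvcs.dll #24'` entries, and nothing on the hunk says what `#24` denotes (the pairing with `MiniDump` suggests it is the ordinal form of the same export, but that is inferred). A single comment above the group, e.g. `# comsvcs.dll MiniDump export, also referenced by ordinal (#24); the unanchored '#24 full' entry is a broader, noisier match`, would record the intent and the tuning caveat. The six inline comments all repeat the identical `# Process dumping method apart from procdump`; one comment above the group would say the same without the repetition. The enclosing `detection:` block and the selection that holds these `contains` values start outside the hunk.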