security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

refactor: simplified and extended expression in CVE-2020-1048 rule

Browse Source
This commit is contained in:
Florian Roth
2020-05-23 09:16:19 +02:00
parent 57c8e63acd
commit 34006d0794
2 changed files with 6 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/windows/process_creation/win_exploit_cve_2020_1048.yml
+5 -5
View File
@@ -15,17 +15,17 @@ logsource:
product: windows
detection:
selection1:
CommandLine|contains|all:
CommandLine|contains:
- 'Add-PrinterPort -Name'
- '.dll'
selection2:
CommandLine|contains|all:
- 'Add-PrinterPort -Name'
CommandLine|contains:
- '.exe'
- '.dll'
- '.bat'
selection3:
CommandLine|contains:
- 'Generic / Text Only'
condition: 1 of them
condition: ( selection1 and selection2 ) or selection3
falsepositives:
- New printer port install on host
level: high
rules/windows/sysmon/sysmon_cve-2020-1048.yml
+1
View File
@@ -26,6 +26,7 @@ detection:
TargetObject|contains:
- '.dll'
- '.exe'
- '.bat'
- 'C:'
condition: selection
falsepositives: