security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

refactor: rule extended

Browse Source
This commit is contained in:
Florian Roth
2022-03-21 12:59:14 +01:00
parent 007e52ccb9
commit 35828985e0
1 changed files with 2 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/windows/process_creation/proc_creation_win_susp_parents.yml
+2
View File
@@ -23,11 +23,13 @@ detection:
- '\csrss.exe'
- '\certutil.exe'
- '\schtasks.exe'
- '\eventvwr.exe'
filter_special:
Image|endswith:
- '\WerFault.exe'
- '\wermgr.exe'
- '\conhost.exe' # csrss.exe, certutil.exe
- '\mmc.exe' # eventvwr.exe
condition: selection or ( selection_special and not filter_special )
falsepositives:
- Unknown