security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: FPs noticed with Aurora

Browse Source
This commit is contained in:
Florian Roth
2021-12-20 12:04:40 +01:00
parent 3f5859bac5
commit 37da48ba3f
1 changed files with 2 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/windows/process_access/sysmon_in_memory_assembly_execution.yml
+2
View File
@@ -68,6 +68,8 @@ detection:
- 'C:\WINDOWS\system32\NhNotifSys.exe'
- TargetImage:
- 'C:\Windows\System32\RuntimeBroker.exe'
- TargetImage|endswith:
- '\Microsoft VS Code\Code.exe'
- CallTrace|contains: # attempt to save the rule with a broader filter
- '|C:\WINDOWS\System32\RPCRT4.dll+'
filter_set_1: