Merge pull request #1872 from SigmaHQ/rule-devel

fix: FPs with WMIADAP.exe
Florian Roth
2021-08-18 19:26:17 +02:00
committed by GitHub
@@ -3,7 +3,7 @@ id: 671bb7e3-a020-4824-a00e-2ee5b55f385e
description: Detects non wmiprvse loading WMI modules
status: experimental
date: 2019/08/10
modified: 2021/06/15
modified: 2021/08/18
author: Roberto Rodriguez @Cyb3rWard0g
references:
- https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190811201010.html
@@ -37,6 +37,7 @@ detection:
- '\ngentask.exe' # c:\Windows\Microsoft.NET\Framework(64)\ngentask.exe
- '\windows\system32\taskhostw.exe' # c:\windows\system32\taskhostw.exe
- '\windows\system32\MoUsoCoreWorker.exe' # c:\windows\System32\MoUsoCoreWorker.exe on win10 20H04 at least
- '\windows\system32\wbem\WMIADAP.exe' # https://github.com/SigmaHQ/sigma/issues/1871
condition: selection and not filter
fields:
- ComputerName
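Review bot: the new filter entry `'\windows\system32\wbem\WMIADAP.exe'` should carry a short explanation in its trailing comment rather than only the issue link, in line with the neighbouring entries that say which component the path belongs to; WMIADAP.exe is the WMI performance adapter that refreshes performance-counter classes and legitimately loads WMI modules, which is why it trips the rule. Keeping the entry anchored to the full `\windows\system32\wbem\` path (as done here) rather than a bare image name is the right choice, since it stops a renamed binary elsewhere on disk from matching the exclusion.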