security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: FP with Zoom

Browse Source
This commit is contained in:
Florian Roth
2022-05-04 11:33:12 +02:00
parent 752338408c
commit 3faac9729d
1 changed files with 9 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/windows/registry/registry_set/registry_set_creation_service_uncommon_folder.yml
+9 -1
View File
@@ -3,6 +3,7 @@ id: 277dc340-0540-42e7-8efb-5ff460045e07
description: Detect the creation of a service with a service binary located in a uncommon directory
status: experimental
date: 2022/05/02
modified: 2022/05/04
author: Florian Roth
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md
@@ -29,7 +30,14 @@ detection:
Details|contains:
- '\AppData\Local\'
- '\AppData\Roaming\'
condition: 1 of selection_*
filter:
- Image|contains:
- '\AppData\Roaming\Zoom\'
- '\AppData\Local\Zoom\'
- Details|contains:
- '\AppData\Roaming\Zoom\'
- '\AppData\Local\Zoom\'
condition: 1 of selection_* and not filter
falsepositives:
- Unknown
level: medium