Merge pull request #1688 from SigmaHQ/rule-devel

refactor: improved Raccine uninstall rule
2021-07-14 09:57:08 +02:00
parent 1ec9473472 04370c7e91
commit 3ff4e99d44
1 changed files with 2 additions and 1 deletions
@@ -9,6 +9,7 @@ tags:
    - attack.t1562.001
 author: Florian Roth 
 date: 2021/01/21
+modified: 2021/07/14
 logsource:
    category: process_creation
    product: windows
@@ -16,7 +17,7 @@ detection:
    selection1:
        CommandLine|contains|all:
            - 'taskkill '
-            - '/IM RaccineSettings.exe'
+            - 'RaccineSettings.exe'
    selection2:
        CommandLine|contains|all:
            - 'reg.exe'