rule: improved dumpert rule

2020-02-04 22:46:16 +01:00
parent 8f8b977c85
commit 535e2d149b
1 changed files with 5 additions and 2 deletions
@@ -13,10 +13,13 @@ logsource:
    product: windows
    service: sysmon
 detection:
-    selection:
+    selection1:
        EventID: 13
        TargetFilename: C:\Windows\Temp\dumpert.dmp
-    condition: selection
+    selection2:
+        EventID: 1
+        Imphash: '09D278F9DE118EF09163C6140255C690'
+    condition: 1 of them
 falsepositives:
    - Very unlikely
 level: critical