diff --git a/rules/windows/process_creation/win_office_shell.yml b/rules/windows/process_creation/win_office_shell.yml
index b7a2650fa..1bd5a2433 100644
--- a/rules/windows/process_creation/win_office_shell.yml
+++ b/rules/windows/process_creation/win_office_shell.yml
@@ -17,33 +17,33 @@ logsource:
 product: windows
 detection:
 selection:
- ParentImage:
- - '*\WINWORD.EXE'
- - '*\EXCEL.EXE'
- - '*\POWERPNT.exe'
- - '*\MSPUB.exe'
- - '*\VISIO.exe'
- - '*\OUTLOOK.EXE'
- Image:
- - '*\cmd.exe'
- - '*\powershell.exe'
- - '*\wscript.exe'
- - '*\cscript.exe'
- - '*\sh.exe'
- - '*\bash.exe'
- - '*\scrcons.exe'
- - '*\schtasks.exe'
- - '*\regsvr32.exe'
- - '*\hh.exe'
- - '*\wmic.exe' # https://app.any.run/tasks/c903e9c8-0350-440c-8688-3881b556b8e0/
- - '*\mshta.exe'
- - '*\rundll32.exe'
- - '*\msiexec.exe'
- - '*\forfiles.exe'
- - '*\scriptrunner.exe'
- - '*\mftrace.exe'
- - '*\AppVLP.exe'
- - '*\svchost.exe' # https://www.vmray.com/analyses/2d2fa29185ad/report/overview.html
+ ParentImage|endswith:
+ - '\WINWORD.EXE'
+ - '\EXCEL.EXE'
+ - '\POWERPNT.exe'
+ - '\MSPUB.exe'
+ - '\VISIO.exe'
+ - '\OUTLOOK.EXE'
+ Image|endswith:
+ - '\cmd.exe'
+ - '\powershell.exe'
+ - '\wscript.exe'
+ - '\cscript.exe'
+ - '\sh.exe'
+ - '\bash.exe'
+ - '\scrcons.exe'
+ - '\schtasks.exe'
+ - '\regsvr32.exe'
+ - '\hh.exe'
+ - '\wmic.exe' # https://app.any.run/tasks/c903e9c8-0350-440c-8688-3881b556b8e0/
+ - '\mshta.exe'
+ - '\rundll32.exe'
+ - '\msiexec.exe'
+ - '\forfiles.exe'
+ - '\scriptrunner.exe'
+ - '\mftrace.exe'
+ - '\AppVLP.exe'
+ - '\svchost.exe' # https://www.vmray.com/analyses/2d2fa29185ad/report/overview.html
 condition: selection
 fields:
  - CommandLine
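Review bot: The new `ParentImage|endswith` list mixes casings (`\WINWORD.EXE`, `\OUTLOOK.EXE` next to `\POWERPNT.exe`, `\MSPUB.exe`, `\VISIO.exe`), and `\AppVLP.exe` in the `Image|endswith` list is the only mixed-case entry there, which reads as if some values were copied from samples rather than normalized. Sigma's default string matching is case-insensitive, so with a conforming backend this is purely a readability issue, but a backend or converter that happened to honor case would silently miss the binaries whose casing differs from the logged value. I would normalize every value to one casing, e.g. `- '\winword.exe'` / `- '\excel.exe'` / `- '\powerpnt.exe'`, so a reader does not have to wonder whether the difference is intentional. A short comment above the selection, `# matching is case-insensitive; values kept lowercase for consistency`, would make the convention explicit for future additions. The rest of the rule (falsepositives, level, etc.) continues outside the hunk.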