Update win_proc_wrong_parent.yml
@@ -20,22 +20,22 @@ logsource:
product: windows
detection:
selection:
Image:
- '*\svchost.exe'
- '*\taskhost.exe'
- '*\lsm.exe'
- '*\lsass.exe'
- '*\services.exe'
- '*\lsaiso.exe'
- '*\csrss.exe'
- '*\wininit.exe'
- '*\winlogon.exe'
Image|endswith:
- '\svchost.exe'
- '\taskhost.exe'
- '\lsm.exe'
- '\lsass.exe'
- '\services.exe'
- '\lsaiso.exe'
- '\csrss.exe'
- '\wininit.exe'
- '\winlogon.exe'
filter:
ParentImage:
- '*\System32\\*'
- '*\SysWOW64\\*'
- '*\SavService.exe'
- '*\Windows Defender\\*\MsMpEng.exe'
ParentImage|endswith:
- '\System32\\*'
- '\SysWOW64\\*'
- '\SavService.exe'
- '\Windows Defender\\*\MsMpEng.exe'
filter_null:
ParentImage: null
condition: selection and not filter and not filter_null
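Review bot: In the new `ParentImage|endswith` list the entries `'\System32\\*'` and `'\SysWOW64\\*'` still carry a trailing wildcard, so the modifier is really expressing a contains match and only behaves as intended if the converter keeps expanding `*` inside a modifier value, which is not something every backend guarantees. The `|endswith` form fits the two fixed executables (`\SavService.exe`, `\MsMpEng.exe`), but the directory exclusions are clearer and more portable as `ParentImage|contains` on `'\System32\'` and `'\SysWOW64\'`; because keys inside one selection are ANDed, that means splitting the filter into two named filters and referencing both in the condition. Separately, excluding any parent whose path merely contains `\System32\` is broader than the Windows system directory, so anchoring the exclusion on `':\Windows\System32\'` (and the SysWOW64 equivalent) would tighten it if that is the intent.
```yaml
    filter_sysdir:
        ParentImage|contains:
            - '\System32\'
            - '\SysWOW64\'
    filter_known:
        ParentImage|endswith:
            - '\SavService.exe'
            - '\Windows Defender\\*\MsMpEng.exe'
    # … unchanged: filter_null …
    condition: selection and not filter_sysdir and not filter_known and not filter_null
```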