security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Update proc_creation_win_lolbin_customshellhost.yml

Browse Source
This commit is contained in:
Florian Roth
2022-08-20 09:22:05 +02:00
committed by GitHub
parent 544e06ee33
commit 65cdc9d04d
1 changed files with 4 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/windows/process_creation/proc_creation_win_lolbin_customshellhost.yml
+4 -1
View File
@@ -17,7 +17,10 @@ detection:
- Image|endswith: '\CustomShellHost.exe'
- OriginalFileName: 'CustomShellHost.exe'
filter:
Image: 'C:\Windows\explorer.exe'
- Image:
- 'C:\Windows\explorer.exe'
- 'C:\Windows\System32\explorer.exe'
- CurrentDirectory|startswith: C:\Windows\System32\
condition: selection and not filter
falsepositives:
- Unknown