security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Update win_apt_mustangpanda.yml

Browse Source
This commit is contained in:
Jonhnathan
2020-10-15 17:33:02 -03:00
committed by GitHub
parent a06114d611
commit 82fbfed2c2
1 changed files with 7 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/windows/process_creation/win_apt_mustangpanda.yml
+7 -6
View File
@@ -13,12 +13,13 @@ logsource:
product: windows product: windows
detection: detection:
selection1: selection1:
CommandLine: CommandLine|endswith:
- '*Temp\wtask.exe /create*' - 'Temp\wtask.exe /create*'
- '*%windir:~-3,1%%PUBLIC:~-9,1%*' - '%windir:~-3,1%%PUBLIC:~-9,1%*'
- '*/E:vbscript * C:\Users\\*.txt" /F' - '/tn "Security Script *'
- '*/tn "Security Script *' - '%windir:~-1,1%*'
- '*%windir:~-1,1%*' Commandline|startswith:
- '/E:vbscript * C:\Users\\*.txt" /F'
selection2: selection2:
Image: Image:
- '*Temp\winwsh.exe' - '*Temp\winwsh.exe'