security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: transformed rule to new proc_creation format

Browse Source
This commit is contained in:
Florian Roth
2019-03-12 09:03:30 +01:00
parent c4003ff410
commit 95b47972f0
1 changed files with 2 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/windows/builtin/win-susp-mshta-execution.yml → rules/windows/builtin/win_susp_mshta_execution.yml
+2 -3
View File
@@ -25,10 +25,9 @@ detection:
- '*mshta vbscript:Execute("Execute*'
- '*mshta vbscript:CreateObject("Wscript.Shell").Run("mshta.exe*'
selection2:
EventID: 4688
NewProcessName:
Image:
- 'C:\Windows\system32\mshta.exe'
ProcessCommandLine:
CommandLine:
- '*.jpg*'
- '*.png*'
- '*.lnk*'