fix: typo in name

Florian Roth
2021-08-23 18:46:05 +02:00
parent 6b86dacc9e
commit 998ebbe1f3
@@ -1,7 +1,7 @@
title: Suspicious RazorInstaller Explorer Subprocess
title: Suspicious RazerInstaller Explorer Subprocess
id: a4eaf250-7dc1-4842-862a-5e71cd59a167
status: experimental
description: Detects a explorer.exe sub process of the RazorInstaller software which can be invoked from the installer to select a different installation folder but can also be exploited to escalate privileges to LOCAL SYSTEM
description: Detects a explorer.exe sub process of the RazerInstaller software which can be invoked from the installer to select a different installation folder but can also be exploited to escalate privileges to LOCAL SYSTEM
references:
- https://twitter.com/j0nh4t/status/1429049506021138437
- https://streamable.com/q2dsji
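Review bot: the description line touched here still reads "Detects a explorer.exe sub process"; since the line is being rewritten anyway, change it to "Detects an explorer.exe subprocess" so it matches the spelling "Subprocess" used in the title. Keeping the `id` unchanged across the rename is right, because anything that references the rule by UUID keeps working, but anything that references it by the old title string will need updating.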
@@ -15,7 +15,7 @@ logsource:
detection:
selection:
Image|endswith: '\explorer.exe'
ParentImage|endswith: '\RazorInstaller.exe'
ParentImage|endswith: '\RazerInstaller.exe'
condition: selection
falsepositives:
- User selecting a different installation folder (check for other sub processes of this explorer.exe process)
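Review bot: the `ParentImage|endswith` value in `selection` is a change to detection logic rather than a naming fix, and the commit subject "typo in name" does not say so. Before this change the rule only matched a parent named `\RazorInstaller.exe`, so the message should state that the rule's matching behaviour is corrected. Separately, the selection keys on file names only, and the `falsepositives` entry admits that a user picking a different installation folder triggers it. Because the description is about escalation to LOCAL SYSTEM, consider also constraining the selection to child processes that run in a SYSTEM context, if the log source provides that field, so the benign folder-picker case is easier to triage.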