Merge PR #5718 from @phantinuss - Fix Sysmon Channel Reference Deletion

fix: Sysmon Channel Reference Deletion - AccessMask should be a string
phantinuss
2025-10-22 10:57:20 +02:00
committed by GitHub
parent 59dfb1ce70
commit b228274f3f
@@ -9,7 +9,7 @@ references:
- https://gist.github.com/Cyb3rWard0g/cf08c38c61f7e46e8404b38201ca01c8
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020-07-14
modified: 2022-10-05
modified: 2025-10-22
tags:
- attack.defense-evasion
- attack.t1112
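Review bot: the `modified` date bump from `2022-10-05` to `2025-10-22` matches the commit date and is required by Sigma conventions whenever the `detection` block changes, so this hunk is consistent with the detection change below; nothing else in the metadata needs to move.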
@@ -29,7 +29,7 @@ detection:
ObjectName|contains:
- 'WINEVT\Publishers\{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'
- 'WINEVT\Channels\Microsoft-Windows-Sysmon/Operational'
AccessMask: 0x10000
AccessMask: '0x10000'
condition: 1 of selection*
falsepositives:
- Unknown
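Review bot: quoting `AccessMask: '0x10000'` is the right fix for the `AccessMask` line: an unquoted `0x10000` is parsed by YAML as the integer 65536, so backends would emit a numeric comparison that never matches the Windows Security event field, which is logged as the literal string `0x10000` (the DELETE access right). Worth checking before merge that any other `selection*` block in this rule (the condition is `1 of selection*`) uses the same quoted form for hex-valued fields, so all selections compare against the string the event actually carries.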