security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge pull request #615 from Neo23x0/devel

Browse Source 
fix: dumpert rule with wrong sysmon event id
This commit is contained in:
Florian Roth
2020-02-08 20:03:28 +01:00
committed by GitHub
parent 880a0b5593 d9645af840
commit bf98d286f9
2 changed files with 3 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/proxy/proxy_ua_malware.yml
+2
View File
@@ -56,6 +56,8 @@ detection:
# Ursnif
- 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)'
- 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Win64; x64)'
# Emotet
- 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; InfoPath.3)' # https://twitter.com/webbthewombat/status/1225827092132179968
# Others
- '* pxyscand*'
- '* asd'
rules/windows/sysmon/sysmon_hack_dumpert.yml
+1 -1
View File
@@ -30,6 +30,6 @@ logsource:
service: sysmon
detection:
selection:
EventID: 13
EventID: 11
TargetFilename: C:\Windows\Temp\dumpert.dmp
condition: selection