Added more FPs

This commit is contained in:
Qasim Qlf
2022-12-08 21:08:01 +05:00
committed by GitHub
parent 5337eaa48f
commit c18f634c02
@@ -10,7 +10,7 @@ references:
- https://twitter.com/_st0pp3r_/status/1583914515996897281
author: frack113
date: 2022/01/16
modified: 2022/10/23
modified: 2022/12/08
tags:
- attack.defense_evasion
- attack.t1218.007
@@ -30,7 +30,13 @@ detection:
- '\MsiExec.exe" /Y "C:\Program Files (x86)\Apple Software Update\ScriptingObjectModel.dll'
- '\MsiExec.exe" /Y "C:\Program Files (x86)\Apple Software Update\SoftwareUpdateAdmin.dll'
- '\MsiExec.exe" /Y "C:\Windows\CCM\'
- '\MsiExec.exe" /Y C:\Windows\CCM\' #also need non-quoted execution
- '\MsiExec.exe" /Y C:\Windows\CCM\', #also need non-quoted execution
- '\MsiExec.exe" -Y "C:\Program Files\Bonjour\mdnsNSP.dll'
- '\MsiExec.exe" -Y "C:\Program Files (x86)\Bonjour\mdnsNSP.dll'
- '\MsiExec.exe" -Y "C:\Program Files (x86)\Apple Software Update\ScriptingObjectModel.dll'
- '\MsiExec.exe" -Y "C:\Program Files (x86)\Apple Software Update\SoftwareUpdateAdmin.dll'
- '\MsiExec.exe" -Y "C:\Windows\CCM\'
- '\MsiExec.exe" -Y C:\Windows\CCM\' #also need non-quoted execution
condition: selection and not 1 of filter_*
falsepositives:
- Legitimate script
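Review bot: the pair of non-quoted `C:\Windows\CCM\` filter entries differ only in a trailing comma after the closing quote (`- '\MsiExec.exe" /Y C:\Windows\CCM\', #also need non-quoted execution`); a comma after a quoted scalar in a YAML block sequence is a parse error, so the rule would fail to load, and the line that stays in the file should be the comma-free form `- '\MsiExec.exe" /Y C:\Windows\CCM\' #also need non-quoted execution`. Also consider replacing the inline `#also need non-quoted execution` comments with a short note in the rule `description` or a `# ` comment on its own line above the entries, which keeps the filter values easier to diff. The new `-Y` entries themselves mirror the existing `/Y` set one for one, which is the right coverage given the `condition: selection and not 1 of filter_*` logic.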