security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Added the right System string to User filter

Browse Source
This commit is contained in:
Roberto Rodriguez
2021-10-27 01:22:19 -04:00
parent 9c7a736ca6
commit d80f73625f
1 changed files with 2 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/windows/process_creation/win_susp_child_process_as_system_.yml
+2 -1
View File
@@ -22,8 +22,9 @@ detection:
ParentUser:
- 'NT AUTHORITY\NETWORK SERVICE'
- 'NT AUTHORITY\LOCAL SERVICE'
User:
- 'NT AUTHORITY\SYSTEM'
- 'AUTORITE NT\Sys' # French language settings
User: 'NT AUTHORITY\SYSTEM'
IntegrityLevel: 'System'
rundllexception:
Image|endswith: '\rundll32.exe'