security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Rule needs endwith, not exact match.

Browse Source 
Fix ImageLoaded filter to match with endswith, rather than exact match.
This commit is contained in:
Brad Kish
2020-06-15 13:54:02 -04:00
parent d371fd864c
commit dfae2a6df6
1 changed files with 1 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/windows/sysmon/sysmon_wmi_persistence_commandline_event_consumer.yml
+1 -1
View File
@@ -16,7 +16,7 @@ detection:
selection:
EventID: 7
Image: 'C:\Windows\System32\wbem\WmiPrvSE.exe'
ImageLoaded: 'wbemcons.dll'
ImageLoaded|endswith: '\wbemcons.dll'
condition: selection
falsepositives:
- Unknown (data set is too small; further testing needed)