From d52db9c541f2ce0a15a94c311de801e0268202bf Mon Sep 17 00:00:00 2001
From: Qasim Qlf
Date: Tue, 31 Jan 2023 13:02:08 +0500
Subject: [PATCH 1/2] fix: value

---
 .../process_creation/proc_creation_win_lolbin_pktmon.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_pktmon.yml b/rules/windows/process_creation/proc_creation_win_lolbin_pktmon.yml
index a22ebc7ad..cb9f875fc 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbin_pktmon.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_pktmon.yml
@@ -5,7 +5,7 @@ description: Tools to Capture Network Packets on the windows 10 with October 201
 references:
 - https://lolbas-project.github.io/lolbas/Binaries/Pktmon/
 author: frack113
-date: 2022/03/17
+date: 2022/01/31
 tags:
 - attack.credential_access
 - attack.t1040
@@ -14,7 +14,7 @@ logsource:
 product: windows
 detection:
 selection:
- - Image|endswith: 'PktMon.exe'
+ - Image|endswith: '\pktmon.exe'
 - OriginalFileName: 'PktMon.exe'
 condition: selection
 falsepositives:

From 924999650477f45052f87dd21a840183ce70e7f6 Mon Sep 17 00:00:00 2001
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Tue, 31 Jan 2023 13:41:54 +0100
Subject: [PATCH 2/2] Update proc_creation_win_lolbin_pktmon.yml

---
 .../process_creation/proc_creation_win_lolbin_pktmon.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_pktmon.yml b/rules/windows/process_creation/proc_creation_win_lolbin_pktmon.yml
index cb9f875fc..5497cd382 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbin_pktmon.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_pktmon.yml
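Review bot: Rewriting `date:` to `2022/01/31` in the first hunk misstates the rule's creation date, since in Sigma `date` records when the rule was created and later changes are recorded under `modified`; the new year also reads like a slip for the 2023 commit date. A detection change of this kind is normally recorded by leaving `date: 2022/03/17` as it was and adding `modified: 2023/01/31` on the line below it. The second patch in this series restores the date and adds exactly that field, so squashing the two commits would keep the intermediate, incorrect state out of the history.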
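Review bot: The reason for the leading backslash in `Image|endswith: '\pktmon.exe'` is not recorded anywhere in this patch, and it is the only functional change in the second hunk: Sigma string matching is case-insensitive by default, so the lowercasing alone would match the same events as `'PktMon.exe'`, while the backslash anchors the comparison at the path separator so a longer filename that merely ends in `pktmon.exe` no longer matches. The `OriginalFileName: 'PktMon.exe'` alternative in the same list is untouched, which presumably is what keeps the rule matching a copy of the binary run under a different name. The subject `fix: value` does not convey this; a body line such as `anchor the Image match at the path separator so only the bare filename matches` would make the intent recoverable from the log.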
@@ -5,7 +5,8 @@ description: Tools to Capture Network Packets on the windows 10 with October 201
 references:
 - https://lolbas-project.github.io/lolbas/Binaries/Pktmon/
 author: frack113
-date: 2022/01/31
+date: 2022/03/17
+modified: 2023/01/31
 tags:
 - attack.credential_access
 - attack.t1040