Merge pull request #806 from SanWieb/sysmon_creation_system_file

Fixed wrong field & Improve rule
2020-05-29 17:32:27 +02:00
parent 7f2fa05ed3 a00f7f19a1
commit e20b58c421
1 changed files with 2 additions and 2 deletions
@@ -15,7 +15,7 @@ logsource:
 detection:
    selection:
        EventID: 11
-        Image:
+        TargetFilename|endswith:
            - '*\svchost.exe'
            - '*\rundll32.exe'
            - '*\services.exe'
@@ -41,7 +41,7 @@ detection:
            - '*\audiodg.exe'
            - '*\wlanext.exe'
    filter:
-        Image:
+        TargetFilename:
            - 'C:\Windows\System32\\*'
            - 'C:\Windows\system32\\*'
            - 'C:\Windows\SysWow64\\*'