Rule: Improved Github communication rule

2018-08-30 10:08:01 +02:00
parent d17cc5c07d
commit e70395744b
1 changed files with 4 additions and 1 deletions
@@ -3,6 +3,7 @@ status: experimental
 description: Detects an executable in the Windows folder accessing github.com
 references:
    - https://twitter.com/M_haggis/status/900741347035889665
+    - https://twitter.com/M_haggis/status/1032799638213066752
 author: Michael Haag (idea), Florian Roth (rule)
 logsource:
    product: windows
@@ -10,7 +11,9 @@ logsource:
 detection:
    selection:
        EventID: 3
-        DestinationHostname: '*.github.com'
+        DestinationHostname: 
+            - '*.github.com'
+            - '*.githubusercontent.com'
        Image: 'C:\Windows\*'
    condition: selection
 falsepositives: