From 391d73a2c22abac8305b79b44f1bbfd80f2a440f Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?David=20Andr=C3=A9?= 
Date: Fri, 4 Feb 2022 21:08:47 +0100 
Subject: [PATCH 1/2] Avoiding being too narrow for paths InstallUtil.exe is also available under 32 bits path for .net framework 
--- 
 rules/windows/process_creation/win_pc_susp_instalutil.yml | 4 ++-- 
 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/rules/windows/process_creation/win_pc_susp_instalutil.yml b/rules/windows/process_creation/win_pc_susp_instalutil.yml 
index cbf7ebc50..f5b9298f8 100644 
--- a/rules/windows/process_creation/win_pc_susp_instalutil.yml 
+++ b/rules/windows/process_creation/win_pc_susp_instalutil.yml 
@@ -6,14 +6,14 @@ author: frack113
 references:
 - https://securelist.com/moonbounce-the-dark-side-of-uefi-firmware/105468/
 - https://docs.microsoft.com/en-us/dotnet/framework/tools/installutil-exe-installer-tool 
-date: 2022/01/23 
+date: 2022/02/04
 logsource:
 category: process_creation
 product: windows
 detection:
 selection:
 Image|endswith: \InstallUtil.exe 
- Image|contains: Microsoft.NET\Framework64\ 
+ Image|contains: Microsoft.NET\Framework
 CommandLine|contains|all:
 - '/logfile= '
 - '/LogToConsole=false' 
From affd73506d6f56bd69521112d73e3362094eec00 Mon Sep 17 00:00:00 2001 
From: Florian Roth 
Date: Fri, 4 Feb 2022 23:16:05 +0100 
Subject: [PATCH 2/2] Update win_pc_susp_instalutil.yml 
--- 
 rules/windows/process_creation/win_pc_susp_instalutil.yml | 3 ++- 
 1 file changed, 2 insertions(+), 1 deletion(-) 
diff --git a/rules/windows/process_creation/win_pc_susp_instalutil.yml b/rules/windows/process_creation/win_pc_susp_instalutil.yml 
index f5b9298f8..d4ece5241 100644 
--- a/rules/windows/process_creation/win_pc_susp_instalutil.yml 
+++ b/rules/windows/process_creation/win_pc_susp_instalutil.yml 
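Review bot: The new `Image|contains: Microsoft.NET\Framework` in the patch 1/2 hunk drops the trailing backslash together with the `64`, so the substring now prefix-matches any path segment that begins with `Framework`, not only the two directories `Framework\` and `Framework64\` the commit message is about. A Sigma field given a list of values matches any of them, so the same widening can be expressed precisely as `Image|contains:` / `- Microsoft.NET\Framework\` / `- Microsoft.NET\Framework64\`. The selection also still requires the image to live under the .NET Framework directory; where the log source records it, an additional selection on `OriginalFileName: InstallUtil.exe` would keep coverage independent of the install path, which seems to be the intent behind the commit title.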
@@ -6,7 +6,8 @@ author: frack113
 references:
 - https://securelist.com/moonbounce-the-dark-side-of-uefi-firmware/105468/
 - https://docs.microsoft.com/en-us/dotnet/framework/tools/installutil-exe-installer-tool 
-date: 2022/02/04 
+date: 2022/01/23 
+modified: 2022/02/04
 logsource:
 category: process_creation
 product: windows