security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Update win_susp_copy_system32.yml

Browse Source
This commit is contained in:
Jonhnathan
2020-11-20 02:31:26 -03:00
committed by GitHub
parent 5d7131bbf2
commit ec1944e2d7
1 changed files with 4 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/windows/process_creation/win_susp_copy_system32.yml
+4 -2
View File
@@ -16,8 +16,10 @@ tags:
detection:
selection:
CommandLine|contains:
- ' /c copy *\System32\'
- 'xcopy*\System32\'
- ' /c copy'
- 'xcopy'
CommandLine|contains|all:
- '\System32\'
condition: selection
fields:
- CommandLine