security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: fix FP with bonjour in CI rule

Browse Source
This commit is contained in:
Nasreddine Bencherchali
2022-10-25 01:55:08 +02:00
parent 1258eca847
commit ec425c836d
1 changed files with 5 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/windows/builtin/code_integrity/win_codeintegrity_failed_dll_load.yml
+5
View File
@@ -35,6 +35,11 @@ detection:
ProcessNameBuffer|endswith: '\AppData\Local\Keybase\Gui\Keybase.exe'
RequestedPolicy: 8
ValidatedPolicy: 1
filter_bonjour:
FileNameBuffer|endswith: '\Program Files\Bonjour\mdnsNSP.dll'
ProcessNameBuffer|endswith: '\Windows\System32\svchost.exe'
RequestedPolicy: 8
ValidatedPolicy: 1
condition: selection and not 1 of filter_*
falsepositives:
- Unknown