Update win_user_driver_loaded.yml
This commit is contained in:
Jonhnathan
@@ -21,18 +21,18 @@ detection:
|
||||
Service: '-'
|
||||
selection_2:
|
||||
ProcessName|contains:
|
||||
- '*\Windows\System32\Dism.exe'
|
||||
- '*\Windows\System32\rundll32.exe'
|
||||
- '*\Windows\System32\fltMC.exe'
|
||||
- '*\Windows\HelpPane.exe'
|
||||
- '*\Windows\System32\mmc.exe'
|
||||
- '*\Windows\System32\svchost.exe'
|
||||
- '*\Windows\System32\wimserv.exe'
|
||||
- '*\procexp64.exe'
|
||||
- '*\procexp.exe'
|
||||
- '*\procmon64.exe'
|
||||
- '*\procmon.exe'
|
||||
- '*\Google\Chrome\Application\chrome.exe'
|
||||
- '\Windows\System32\Dism.exe'
|
||||
- '\Windows\System32\rundll32.exe'
|
||||
- '\Windows\System32\fltMC.exe'
|
||||
- '\Windows\HelpPane.exe'
|
||||
- '\Windows\System32\mmc.exe'
|
||||
- '\Windows\System32\svchost.exe'
|
||||
- '\Windows\System32\wimserv.exe'
|
||||
- '\procexp64.exe'
|
||||
- '\procexp.exe'
|
||||
- '\procmon64.exe'
|
||||
- '\procmon.exe'
|
||||
- '\Google\Chrome\Application\chrome.exe'
|
||||
condition: selection_1 and not selection_2
|
||||
falsepositives:
|
||||
- 'Other legimate tools loading drivers. There are some: Sysinternals, CPU-Z, AVs etc. - but not much. You have to baseline this according to your used products and allowed tools. Also try to exclude users, which are allowed to load drivers.'
|
||||
|
||||
Reference in New Issue
Block a user