From f504ccc33fe19cb385ebf8b6922d2c31c564a89d Mon Sep 17 00:00:00 2001
From: Jonhnathan
Date: Sat, 28 Nov 2020 13:52:36 -0300
Subject: [PATCH] Update sysmon_susp_reg_persist_explorer_run.yml
---
 .../sysmon_susp_reg_persist_explorer_run.yml | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/rules/windows/registry_event/sysmon_susp_reg_persist_explorer_run.yml b/rules/windows/registry_event/sysmon_susp_reg_persist_explorer_run.yml
index 0ecd0dfe1..2c6ae5ca2 100755
--- a/rules/windows/registry_event/sysmon_susp_reg_persist_explorer_run.yml
+++ b/rules/windows/registry_event/sysmon_susp_reg_persist_explorer_run.yml
@@ -2,7 +2,7 @@ title: Registry Persistence via Explorer Run Key
 id: b7916c2a-fa2f-4795-9477-32b731f70f11
 status: experimental
 description: Detects a possible persistence mechanism using RUN key for Windows Explorer and pointing to a suspicious folder
-author: Florian Roth
+author: Florian Roth, oscd.community
 date: 2018/07/18
 modified: 2020/09/06
 references:
@@ -13,15 +13,17 @@ logsource:
 detection:
 selection:
 TargetObject|endswith: '\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
- Details|startswith:
+ selection2:
+ - Details|startswith:
 - 'C:\Windows\Temp\'
 - 'C:\ProgramData\'
- - '*\AppData\'
 - 'C:\$Recycle.bin\'
 - 'C:\Temp\'
 - 'C:\Users\Public\'
 - 'C:\Users\Default\'
- condition: selection
+ - Details|contains:
+ - '\AppData\'
+ condition: selection and selection2
 tags:
 - attack.persistence
 - attack.t1060 # an old one
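Review bot: The first `selection2` entry keeps `Details|startswith`, so a Run value that is quoted or wrapped in an interpreter (for example `"C:\Users\Public\x.exe"` or `cmd /c C:\ProgramData\x.bat`) still does not match, because the registry value data then does not begin with the folder path; only the new `\AppData\` entry, being a `contains`, is immune to that, while the hunk's `condition: selection and selection2` otherwise looks correct. Changing that one line to `- Details|contains:` closes the quoting gap at some cost in breadth (any command line mentioning one of these folders would then fire, which seems acceptable for a key that is rarely written legitimately), and appending the environment-variable spellings `'%TEMP%'`, `'%APPDATA%'`, `'%PUBLIC%'` and `'%PROGRAMDATA%'` to the same list covers the other cheap way of pointing at these folders. Because this commit changes detection logic, `modified: 2020/09/06` in the first hunk should also be bumped to the commit date per Sigma convention; a short `description` addition noting that quoted/env-var forms are (or are not) covered would help consumers judge coverage.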