security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Completed changes to selection1

Browse Source 
changed to the following to follow rule creation guidelines:
    - Image|endswith: '\wbem\WMIC.exe'
    - ProcessCommandLine|contains: 'wmic '
This commit is contained in:
Cyb3rEng
2021-09-08 21:26:01 -06:00
committed by GitHub
parent 851dfeee46
commit fe9b91c504
1 changed files with 2 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/windows/sysmon/Monitor_Office_Applications_from_proxy_executing_regsvr32_with_payload.yml
+2 -2
View File
@@ -18,8 +18,8 @@ logsource:
detection:
#useful_information: add more LOLBins to the rules logic of your choice.
selection1:
- Image: '*\wbem\WMIC.exe'
- ProcessCommandLine: '*wmic *'
- Image|endswith: '\wbem\WMIC.exe'
- ProcessCommandLine|contains: 'wmic '
- OriginalFileName: 'wmic.exe'
- Description: 'WMI Commandline Utility'
selection2: