security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge pull request #3806 from veramine/patch-10

Browse Source 
Remove Windows 10 user experience false positive
This commit is contained in:
frack113
2022-12-22 10:32:10 +01:00
committed by GitHub
parent 9d4bbec633 3bb741af66
commit fec24ddd0f
1 changed files with 3 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/windows/process_creation/proc_creation_win_rundll32_parent_explorer.yml
+3 -2
View File
@@ -7,7 +7,7 @@ references:
- https://thedfirreport.com/2022/09/26/bumblebee-round-two/
author: CD_ROM_
date: 2022/05/21
modified: 2022/12/15
modified: 2022/12/21
tags:
- attack.defense_evasion
logsource:
@@ -18,7 +18,8 @@ detection:
Image|endswith: '\rundll32.exe'
ParentImage|endswith: '\explorer.exe'
filter:
CommandLine|contains: ' C:\Windows\System32\' # The space at the start is required
- CommandLine|contains: ' C:\Windows\System32\' # The space at the start is required
- CommandLine|endswith: ' -localserver 22d8c27b-47a1-48d1-ad08-7da7abd79617' # Windows 10 volume control
condition: selection and not filter
fields:
- Image