security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[Rule Tuning] Suspicious WerFault Child Process (#915)

Browse Source 
* Update defense_evasion_masquerading_suspicious_werfault_childproc.toml

Added Article "How to Design Abnormal Child Processes Rules without Telemetry"

* bump updated_date

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
This commit is contained in:
Austin Songer
2021-02-10 13:17:57 -06:00
committed by GitHub
parent 2b7b1a6ab0
commit 17032194d8
1 changed files with 1 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml
+1
View File
@@ -18,6 +18,7 @@ name = "Suspicious WerFault Child Process"
references = [
"https://www.hexacorn.com/blog/2019/09/19/silentprocessexit-quick-look-under-the-hood/",
"https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx",
"https://blog.menasec.net/2021/01/",
]
risk_score = 47
rule_id = "ac5012b8-8da8-440b-aaaf-aedafdea2dff"