security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[Rule Tuning] Rename extrac.exe to extrac32.exe (#1601)

Browse Source 
(cherry picked from commit 017d9a51b7)
This commit is contained in:
Jonhnathan
2021-11-14 23:01:13 -03:00
committed by github-actions[bot]
parent f656c7bc25
commit 25bfddb291
1 changed files with 3 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml
+3 -3
View File
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/02/18"
maturity = "production"
updated_date = "2021/05/26"
updated_date = "2021/11/07"
[rule]
author = ["Elastic"]
@@ -24,10 +24,10 @@ type = "eql"
query = '''
sequence by process.entity_id
[process where (process.name : "expand.exe" or process.name : "extrac.exe" or
[process where (process.name : "expand.exe" or process.name : "extrac32.exe" or
process.name : "ieexec.exe" or process.name : "makecab.exe") and
event.type == "start"]
[network where (process.name : "expand.exe" or process.name : "extrac.exe" or
[network where (process.name : "expand.exe" or process.name : "extrac32.exe" or
process.name : "ieexec.exe" or process.name : "makecab.exe") and
not cidrmatch(destination.ip,
"10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.0.0/29", "192.0.0.8/32",