security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[Deprecate Rule] Suspicious Process from Conhost (#2222)

Browse Source 
only FPs with no way to tune other than opening the rule for easy evasion by excluding by process.executable/args).

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>

(cherry picked from commit d3420e3386)
This commit is contained in:
Samirbous
2022-08-16 16:32:24 +02:00
committed by github-actions[bot]
parent 73834a3b08
commit 353fde10a0
1 changed files with 3 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/windows/defense_evasion_code_injection_conhost.toml → rules/_deprecated/defense_evasion_code_injection_conhost.toml
+3 -2
View File
@@ -1,7 +1,8 @@
[metadata]
creation_date = "2020/08/31"
maturity = "production"
updated_date = "2022/05/21"
deprecation_date = "2022/08/03"
maturity = "deprecated"
updated_date = "2022/08/03"
[rule]
author = ["Elastic"]