Update command_and_control_rmm_after_msi_install.toml (#5901)

Samirbous
2026-04-08 14:01:10 +01:00
committed by GitHub
parent 09e5bf04f4
commit 7fcbec380b
@@ -2,7 +2,7 @@
creation_date = "2026/03/18"
integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "system", "crowdstrike"]
maturity = "production"
updated_date = "2026/03/18"
updated_date = "2026/03/30"
[rule]
author = ["Elastic"]
@@ -69,14 +69,14 @@ type = "eql"
query = '''
sequence by host.id with maxspan=1m
[process where host.os.type == "windows" and event.type == "start" and process.name : "msiexec.exe" and process.args : ("/i*", "-i*")]
[process where host.os.type == "windows" and event.type == "start" and process.name : "msiexec.exe" and
process.args : ("/i*", "-i*") and process.parent.name : ("explorer.exe", "sihost.exe")]
[process where host.os.type == "windows" and event.type == "start" and
(
(process.name : "ScreenConnect.ClientService.exe" and process.command_line : "*?e=Access&y=Guest&h*&k=*") or
(process.name : "Syncro.Installer.exe" and process.args : "--config-json" and process.args : "--key") or
process.name : ("tvnserver.exe", "winvnc.exe")
)
]
)]
'''
[[rule.threat]]
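Review bot: The parent allow-list added to the first sequence leg at L22, `process.parent.name : ("explorer.exe", "sihost.exe")`, removes coverage of MSI installs launched from a script or shell (powershell.exe, cmd.exe, wscript.exe) or from a browser/archive handler, which are common delivery paths when an RMM installer arrives through a phishing lure rather than a user double-click. Presumably the goal is to suppress noise from managed-deployment tooling, but that rationale is not visible in the hunk; if so, an exclusion of the known deployment parents, e.g. `process.args : ("/i*", "-i*") and not process.parent.name : (<deployment-agent names>)`, keeps the scripted path in scope. Either way the reason for the interactive-only parent filter should be recorded in the rule's `note` or `description` field, which lies outside this hunk, so future tuners know it is a deliberate trade-off. Note also that the sequence still joins only `by host.id` with a 1m window, so the RMM start on the second leg is not required to descend from the msiexec invocation; that is acceptable for a host-level correlation but is worth stating in the same note.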