[Rule Tuning] Potential DLL Side-Loading via Trusted Microsoft Programs (#4627)

Jonhnathan
2025-04-22 11:59:06 -03:00
committed by GitHub
parent a9f99137f3
commit a495b4b9b2
@@ -2,7 +2,7 @@
creation_date = "2020/09/03"
integration = ["endpoint", "windows", "m365_defender"]
maturity = "production"
updated_date = "2025/03/20"
updated_date = "2025/04/16"
[rule]
author = ["Elastic"]
@@ -87,9 +87,9 @@ query = '''
process where host.os.type == "windows" and event.type == "start" and
process.pe.original_file_name in ("WinWord.exe", "EXPLORER.EXE", "w3wp.exe", "DISM.EXE") and
not process.executable : ("?:\\Windows\\explorer.exe",
"?:\\Windows\\SyWOW64\\explorer.exe",
"?:\\Windows\\SysWOW64\\explorer.exe",
"?:\\Program Files\\Microsoft Office\\root\\Office*\\WINWORD.EXE",
"?:\\Program Files?(x86)\\Microsoft Office\\root\\Office*\\WINWORD.EXE",
"?:\\Program Files (x86)\\Microsoft Office\\root\\Office*\\WINWORD.EXE",
"?:\\Windows\\System32\\Dism.exe",
"?:\\Windows\\SysWOW64\\Dism.exe",
"?:\\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Deployment Tools\\amd64\\DISM\\dism.exe",
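Review bot: The `not process.executable : (...)` allowlist in this hunk trusts file location alone, so a tampered or renamed binary whose PE header carries one of the listed `original_file_name` values and that sits at an excluded path (for example `?:\\Windows\\SysWOW64\\explorer.exe`, an exclusion that only becomes live now that `SyWOW64` is corrected) is dropped without any signature check; given that the rule is specifically about side-loading into trusted Microsoft binaries, consider gating the exclusion on code signing, e.g. `not (process.code_signature.trusted == true and process.executable : (...))`, provided the endpoint integration populates that field for these process-start events. Of the two corrections, only the `SyWOW64` one changes behaviour — `Program Files?(x86)` already matched `Program Files (x86)` because `?` is a single-character wildcard in EQL — so the commit description should say that the 32-bit explorer.exe exclusion was previously dead and that alert volume may drop accordingly. `w3wp.exe` appears in the `original_file_name` list but has no matching exclusion visible here; the `process.executable` list continues past the hunk's last line, so it is presumably handled there and should be checked in the full file.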