Update defense_evasion_posh_process_injection.toml (#1838)

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Jonhnathan
2022-03-17 19:37:42 -03:00
committed by GitHub
parent b492258fb0
commit a6edb7cfcf
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2021/10/14"
maturity = "production"
updated_date = "2022/02/28"
updated_date = "2022/03/15"
[rule]
author = ["Elastic"]
@@ -83,7 +83,7 @@ event.category:process and
(VirtualAlloc or VirtualAllocEx or VirtualProtect or LdrLoadDll or LoadLibrary or LoadLibraryA or
LoadLibraryEx or GetProcAddress or OpenProcess or OpenProcessToken or AdjustTokenPrivileges) and
(WriteProcessMemory or CreateRemoteThread or NtCreateThreadEx or CreateThread or QueueUserAPC or
SuspendThread or ResumeThread)
SuspendThread or ResumeThread or GetDelegateForFunctionPointer)
)
'''
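Review bot: GetDelegateForFunctionPointer, appended on the new `SuspendThread or ResumeThread or GetDelegateForFunctionPointer)` line, is the ordinary .NET Marshal interop call that benign scripts also use when pairing a function pointer with a delegate, so it widens the second clause of the query without any accompanying guidance on the resulting false positives. If the rule carries a note or false_positives section, it should gain a sentence along the lines of `GetDelegateForFunctionPointer is a standard .NET interop method; investigate the surrounding script content and signer before treating a match as injection.` The second clause now mixes thread-manipulation APIs with a marshalling API, which is worth a short comment in the rule explaining why they are grouped together rather than leaving the grouping implicit. The enclosing query string begins before this hunk, so the first clause and any field qualifier it applies are not visible here.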