security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[Rule Tuning] Potential Microsoft Office Sandbox Evasion (#2123)

Browse Source 
* filter run by macOS os type
This commit is contained in:
Mika Ayenson
2022-07-27 11:58:30 -04:00
committed by GitHub
parent fcc9cc9d8e
commit df670fac56
1 changed files with 1 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/macos/defense_evasion_sandboxed_office_app_suspicious_zip_file.toml
+1 -1
View File
@@ -28,7 +28,7 @@ timestamp_override = "event.ingested"
type = "query"
query = '''
event.category:file and not event.type:deletion and file.name:~$*.zip
event.category:file and not event.type:deletion and file.name:~$*.zip and host.os.type:macos
'''
[[rule.threat]]