Merge pull request SigmaHQ#806 from SanWieb/sysmon_creation_system_file
Fixed wrong field & Improve rule
Neo23x0 authored May 29, 2020
2 parents 7f2fa05 + a00f7f1 commit e20b58c
Showing 1 changed file with 2 additions and 2 deletions.
4 changes: 2 additions & 2 deletions rules/windows/sysmon/sysmon_creation_system_file.yml
Expand Up @@ -15,7 +15,7 @@ logsource:
detection:
selection:
EventID: 11
Image:
TargetFilename|endswith:
- '*\svchost.exe'
- '*\rundll32.exe'
- '*\services.exe'
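Review bot: With the `|endswith` modifier now on `TargetFilename`, the leading `*` in each list value (`'*\svchost.exe'`, `'*\rundll32.exe'`, `'*\services.exe'`) is redundant, since `endswith` already anchors the match to the suffix; the usual Sigma form is the bare suffix, e.g. `- '\svchost.exe'`. Switching the selection from `Image` to `TargetFilename` is the right fix for a Sysmon EventID 11 (FileCreate) rule, because `Image` is the process writing the file while `TargetFilename` is the file being created, which is what a "creation of system file" rule needs to inspect. Since the list continues past this hunk, the remaining entries should be trimmed the same way so the whole selection is consistent.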
Expand All @@ -41,7 +41,7 @@ detection:
- '*\audiodg.exe'
- '*\wlanext.exe'
filter:
Image:
TargetFilename:
- 'C:\Windows\System32\\*'
- 'C:\Windows\system32\\*'
- 'C:\Windows\SysWow64\\*'
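Review bot: In the `filter` block, `'C:\Windows\System32\\*'` and `'C:\Windows\system32\\*'` differ only in case, and Sigma string matching is case-insensitive by default, so the second entry is redundant and can be dropped. The filter also uses a plain trailing wildcard while the selection above uses `|endswith`; `TargetFilename|startswith` with the values `'C:\Windows\System32\'` and `'C:\Windows\SysWow64\'` would express the intent more clearly and avoid the `\\*` escape. Note that the filter is pinned to a `C:` system drive, so systems with Windows installed elsewhere will still produce matches for files created in their real system directories; a `|contains` on `'\Windows\System32\'` is an option if that false positive matters.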
