Merge PR #4644 from @qasimqlf - Add Missing CommandLine Field Selection
fix: Suspicious Redirection to Local Admin Share - Add missing CommandLine field selection 

---------

Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
qasimqlf and frack113 authored Dec 28, 2023
1 parent e0cf5f3 commit 17b87ec
Showing 1 changed file with 4 additions and 3 deletions.
Expand Up @@ -7,7 +7,7 @@ references:
- http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html
author: Florian Roth (Nextron Systems)
date: 2022/01/16
modified: 2022/09/09
modified: 2023/12/28
tags:
- attack.exfiltration
- attack.t1048
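Review bot: the `modified` bump to 2023/12/28 is warranted here because the detection logic itself changes in the next hunk, not just metadata; the value keeps the rule's existing YYYY/MM/DD format used by `date` and the previous `modified` line, so nothing else to flag in this hunk.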
Expand All @@ -18,8 +18,9 @@ detection:
selection_redirect:
CommandLine|contains: '>'
selection_share:
- '\\\\127.0.0.1\\admin$\\'
- '\\\\localhost\\admin$\\'
CommandLine|contains:
- '\\\\127.0.0.1\\admin$\\'
- '\\\\localhost\\admin$\\'
condition: all of selection_*
falsepositives:
- Unknown
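Review bot: this is the right fix, and the reason matters for anyone deploying the rule: in the old version `selection_share` was a bare list of strings directly under the selection, which Sigma interprets as unbound keyword (full-text) matches rather than a match on the `CommandLine` field, so the two UNC patterns were not actually constraining the process creation command line, and on backends that cannot express unbound keyword searches the selection could not be converted faithfully. Binding them to `CommandLine|contains:` next to `selection_redirect` means `all of selection_*` now requires both the `>` redirect and one of the admin-share paths in the same command line. Two points worth confirming on the values: the doubled backslashes are Sigma escaping, so `'\\\\127.0.0.1\\admin$\\'` matches the literal `\\127.0.0.1\admin$\`, and `contains` is case-insensitive by default, so `ADMIN$` spellings are covered. Since `falsepositives` is still `Unknown`, consider revisiting that list now that the selection genuinely narrows what matches.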