From 17b87ec10156d0cffa7f42a0baad4983380c3a28 Mon Sep 17 00:00:00 2001 From: Qasim Qlf Date: Thu, 28 Dec 2023 23:52:05 +0500 Subject: [PATCH] Merge PR #4644 from @qasimqlf - Add Missing CommandLine Field Selection fix: Suspicious Redirection to Local Admin Share - Add missing CommandLine field selection --------- Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com> --- .../proc_creation_win_susp_redirect_local_admin_share.yml | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/rules/windows/process_creation/proc_creation_win_susp_redirect_local_admin_share.yml b/rules/windows/process_creation/proc_creation_win_susp_redirect_local_admin_share.yml index 9c0ed1bc3bf..27545ea805c 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_redirect_local_admin_share.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_redirect_local_admin_share.yml @@ -7,7 +7,7 @@ references: - http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html author: Florian Roth (Nextron Systems) date: 2022/01/16 -modified: 2022/09/09 +modified: 2023/12/28 tags: - attack.exfiltration - attack.t1048 @@ -18,8 +18,9 @@ detection: selection_redirect: CommandLine|contains: '>' selection_share: - - '\\\\127.0.0.1\\admin$\\' - - '\\\\localhost\\admin$\\' + CommandLine|contains: + - '\\\\127.0.0.1\\admin$\\' + - '\\\\localhost\\admin$\\' condition: all of selection_* falsepositives: - Unknown
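Review bot: The rewritten `selection_share` now correctly scopes the match to `CommandLine`, but the two values only cover the literal spellings `\\127.0.0.1\admin$\` and `\\localhost\admin$\`, so a redirect to the same location through another loopback address (any `127.x.y.z`), the host's own name or IP, or the equivalent `\\127.0.0.1\c$\Windows\` path is not caught; if that narrow scope is deliberate, a comment such as `# matches loopback ADMIN$ UNC paths only; hostname/IP and C$ variants are out of scope` above `selection_share:` would make it explicit, otherwise consider adding `- '\\\\127.0.0.1\\c$\\'` and `- '\\\\localhost\\c$\\'` (I cannot see from the diff whether the referenced Lazarus sample uses those forms). The four-backslash values are also worth a one-line why-comment for future editors, since in Sigma `\\\\` is two escaped backslashes and so the pattern matches the two-backslash UNC prefix rather than four literal characters. The `falsepositives: - Unknown` entry below the hunk is unchanged; with `>` plus a loopback share path as the whole condition, admin scripts that log to a local `ADMIN$`/`C$` share would trip this, which is a known-ish source worth listing once confirmed in your environment.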