fix: add OriginalFileName (#4032)
qasimqlf authored Feb 13, 2023
1 parent ab611c2 commit 1adec45
Showing 1 changed file with 6 additions and 4 deletions.
Expand Up @@ -8,19 +8,21 @@ references:
- https://www.zerodayinitiative.com/advisories/ZDI-21-1308/
author: Florian Roth (Nextron Systems)
date: 2021/11/22
modified: 2023/02/07
modified: 2023/02/11
tags:
- attack.privilege_escalation
- attack.t1068
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\cmd.exe'
selection_img:
- Image|endswith: '\cmd.exe'
- OriginalFileName: 'Cmd.Exe'
selection_parent:
ParentImage|endswith: '\elevation_service.exe'
IntegrityLevel: 'System'
condition: selection
condition: all of selection_*
falsepositives:
- Unknown
level: critical
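Review bot: The `modified` field is bumped to 2023/02/11, but the commit itself lands on Feb 13, 2023; set it to the date the change actually merges so the rule metadata stays accurate. On the detection logic, the two maps under `selection_img` are OR'd, so a process started from a renamed copy of cmd.exe is now caught through `OriginalFileName: 'Cmd.Exe'`, while the retained `Image|endswith: '\cmd.exe'` keeps the rule usable on sources such as Security event 4688 that carry no OriginalFileName; a short comment beside the selection stating that intent would save the next reader from wondering why both are kept. `condition: all of selection_*` correctly ANDs `selection_img` with the renamed `selection_parent`, so the parent-image and integrity-level constraints are preserved from the previous single `selection`.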
