Commit

feat: add missing OriginalFileName field
qasimqlf authored Feb 11, 2023
1 parent da61cf1 commit 7b435af
Showing 1 changed file with 6 additions and 4 deletions.
10 changes: 6 additions & 4 deletions rules/windows/process_creation/proc_creation_win_hktl_koadic.yml
Expand Up @@ -8,7 +8,7 @@ references:
- https://blog.f-secure.com/hunting-for-koadic-a-com-based-rootkit/
author: wagga, Jonhnathan Ribeiro, oscd.community
date: 2020/01/12
modified: 2023/02/04
modified: 2023/02/11
tags:
- attack.execution
- attack.t1059.003
Expand All @@ -18,13 +18,15 @@ logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\cmd.exe'
selection_img:
- Image|endswith: '\cmd.exe'
- OriginalFileName: 'Cmd.Exe'
selection_cli:
CommandLine|contains|all:
- '/q'
- '/c'
- 'chcp'
condition: selection
condition: all of selection_*
fields:
- CommandLine
- ParentCommandLine
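Review bot: the two-entry list under `selection_img` (`- Image|endswith: '\cmd.exe'` and `- OriginalFileName: 'Cmd.Exe'`) is OR-ed in Sigma, so with `condition: all of selection_*` the rule now fires when either the image path or the PE's original file name identifies cmd.exe, combined with the `/q`, `/c`, `chcp` command-line pattern from `selection_cli`. That is the intended widening: a renamed copy of cmd.exe still carries OriginalFileName `Cmd.Exe` in its version resource, and Sigma string matching is case-insensitive by default, so the mixed-case value matches. One caveat worth a line in the rule or commit description: OriginalFileName is only populated by sources that expose the binary's version information (Sysmon Event ID 1 and most EDR process-creation telemetry), not by Security event 4688, so on those sources the rule silently degrades to the previous Image-only match rather than gaining coverage.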

0 comments on commit 7b435af