Commit

fix: updated condition (#4031)
qasimqlf authored Feb 13, 2023
1 parent da61cf1 commit ab611c2
Showing 1 changed file with 4 additions and 4 deletions.
Expand Up @@ -12,7 +12,7 @@ references:
- https://blog.malwarebytes.com/threat-intelligence/2022/01/north-koreas-lazarus-apt-leverages-windows-update-client-github-in-latest-campaign/
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), Florian Roth (Nextron Systems), Sreeman, FPT.EagleEye Team
date: 2020/10/12
modified: 2022/10/09
modified: 2023/02/11
tags:
- attack.defense_evasion
- attack.t1218
Expand All @@ -22,8 +22,8 @@ logsource:
product: windows
detection:
selection_one:
- Image|contains: wuauclt
- OriginalFileName: wuauclt.exe
- Image|endswith: '\wuauclt.exe'
- OriginalFileName: 'wuauclt.exe'
selection_two:
CommandLine|contains|all:
- 'UpdateDeploymentProvider'
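Review bot: The switch in selection_one from `Image|contains: wuauclt` to `Image|endswith: '\wuauclt.exe'` narrows what the rule matches, but the commit title only mentions the condition. With the new value, a copy of the binary under a different file name is no longer matched on Image and is caught only through the `OriginalFileName: 'wuauclt.exe'` alternative, so on any log source that does not populate OriginalFileName that case is now missed. Please state the narrowing in the commit message or rule description, and confirm the loss of renamed-copy coverage on such sources is intended.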
Expand All @@ -33,7 +33,7 @@ detection:
CommandLine|contains:
- ' /UpdateDeploymentProvider UpdateDeploymentProvider.dll '
- ' wuaueng.dll '
condition: selection_one and selection_two and not filter
condition: all of selection_* and not filter
falsepositives:
- Unknown
level: high
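Review bot: The new `condition: all of selection_* and not filter` is logically identical to the old `selection_one and selection_two and not filter` while only those two selections exist, so the "fix" label needs a word on what was actually broken. The wildcard also means any future block named `selection_*` becomes mandatory without the condition line being touched, which is easy to overlook in later reviews. Separately, in the unchanged context above, the filter values ' /UpdateDeploymentProvider UpdateDeploymentProvider.dll ' and ' wuaueng.dll ' depend on a leading and trailing space, so a benign command line where the DLL name is the last token or is quoted would not be filtered; worth checking against real telemetry since falsepositives is listed as Unknown at level high.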
