Merge PR #4654 from @qasimqlf - replace hardcoded C: with wildcard
fix: Suspicious Greedy Compression Using Rar.EXE - Fix error in path selection

---------

Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
qasimqlf and nasbench authored Jan 10, 2024
1 parent 2b90adc commit c3463f8
Showing 1 changed file with 8 additions and 8 deletions.
Expand Up @@ -6,7 +6,7 @@ references:
- https://decoded.avast.io/martinchlumecky/png-steganography
author: X__Junior (Nextron Systems), Florian Roth (Nextron Systems)
date: 2022/12/15
modified: 2023/12/11
modified: 2024/01/02
tags:
- attack.execution
- attack.t1059
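Review bot: the new `modified: 2024/01/02` value is eight days earlier than the Jan 10, 2024 authored date shown for this commit. If the field is meant to record when the detection logic last changed in the main branch, set it to the merge date; if it records when the change was written, it is fine as is, and the only thing to check is that the old `2023/12/11` line was replaced and not left beside the new one.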
Expand All @@ -28,14 +28,14 @@ detection:
- ' -r ' # recursive
selection_cli_folders:
CommandLine|contains:
- ' :\\\*.'
- ' :\\\\\*.'
- ' :\Users\Public\'
- ' ?:\\\*.'
- ' ?:\\\\\*.'
- ' ?:\$Recycle.bin\'
- ' ?:\PerfLogs\'
- ' ?:\Temp'
- ' ?:\Users\Public\'
- ' ?:\Windows\'
- ' %public%'
- ' :\Windows\'
- ' :\PerfLogs\'
- ' :\Temp'
- ' :\$Recycle.bin\'
condition: 1 of selection_opt_* and all of selection_cli_*
falsepositives:
- Unknown
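Review bot: in `selection_cli_folders`, `' ?:\Temp'` is the only folder entry without a trailing backslash, so under `CommandLine|contains` it matches any path whose first folder merely starts with `Temp`, and with the drive letter now a `?` wildcard that prefix match applies to every volume. If only the Temp directory itself is meant, write it as `' ?:\Temp\'` like its siblings; if the prefix match is intentional (for example to catch a path given without a trailing separator), say so in a trailing comment. A short comment noting that `?` is a single-character wildcard while `\*` in the first two entries is an escaped literal asterisk would also help the next editor, in the style of the `# recursive` comment above. Minor: the entries are now sorted except `' %public%'`, which sits after `' ?:\Windows\'`.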