SigmaHQ / sigma

Main Sigma Rule Repository

Update proc_creation_lnx_exploit_cve_2024_3094_sshd_child_process.yml #4811

Closed ruppde closed 2 months ago

ruppde commented 2 months ago

Fix FP reported by @Neo23x0

Also require "root" to be in the command line, as shown in the PoC repo:

See https://github.com/amlweems/xzbot?tab=readme-ov-file#backdoor-demo


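To show what narrowing the selection does, here is a small added example (not code from SigmaHQ/sigma and not the rule body from this PR, which the page does not show): a minimal evaluator for a Sigma-style `process_creation` selection run over constructed Linux process events. Everything about the rule here is an assumption reconstructed from the thread: an sshd parent, a shell child, and "root" required in the command line. Which process's command line the PR means is not stated on the page; the example assumes the parent's, matching the `sshd: root [priv]` privilege-separation title seen in the xzbot demo. The field names follow the standard Sigma `process_creation` convention, and the sample events are constructed, not real telemetry.

```python
# Added example, not code from SigmaHQ/sigma or from PR #4811.
# ASSUMPTION: the two selections below reconstruct the idea discussed in the
# thread; the real rule text is not on the page.

SHELLS = ["/sh", "/bash", "/dash", "/zsh"]   # ASSUMED shell list for illustration

# Before the PR (ASSUMED): any shell spawned directly by sshd.
SELECTION_BEFORE = {
    "ParentImage|endswith": "/sshd",
    "Image|endswith": SHELLS,
}

# After the PR (ASSUMED field choice): additionally require "root" in the
# parent's command line, e.g. the "sshd: root [priv]" process title.
SELECTION_AFTER = dict(SELECTION_BEFORE, **{"ParentCommandLine|contains": "root"})


def _match_one(value: str, modifier: str, expected: str) -> bool:
    """Apply a single Sigma value modifier (case-sensitive here for simplicity)."""
    if modifier == "endswith":
        return value.endswith(expected)
    if modifier == "startswith":
        return value.startswith(expected)
    if modifier == "contains":
        return expected in value
    return value == expected


def field_matches(event: dict, key: str, expected) -> bool:
    """A key such as 'Image|endswith' with a list value is OR-ed over the list."""
    field, _, modifier = key.partition("|")
    value = event.get(field, "")
    options = expected if isinstance(expected, list) else [expected]
    return any(_match_one(value, modifier, opt) for opt in options)


def matches(event: dict, selection: dict) -> bool:
    """All keys inside one Sigma selection map are AND-ed together."""
    return all(field_matches(event, k, v) for k, v in selection.items())


# Constructed sample events (not real telemetry).
EVENTS = {
    # Backdoor-demo shape: the privileged sshd process spawns a shell for the payload.
    "backdoor": {
        "ParentImage": "/usr/sbin/sshd",
        "ParentCommandLine": "sshd: root [priv]",
        "Image": "/usr/bin/sh",
        "CommandLine": "sh -c id > /tmp/.xz",
    },
    # Ordinary interactive login of an unprivileged user (ASSUMED shape of a
    # benign sshd child; the thread does not say which FP THOR saw).
    "user_login": {
        "ParentImage": "/usr/sbin/sshd",
        "ParentCommandLine": "sshd: alice@pts/0",
        "Image": "/usr/bin/bash",
        "CommandLine": "-bash",
    },
    # Unrelated: cron running a shell script, never an sshd child.
    "cron_job": {
        "ParentImage": "/usr/sbin/cron",
        "ParentCommandLine": "/usr/sbin/cron -f",
        "Image": "/usr/bin/sh",
        "CommandLine": "/bin/sh -c /etc/cron.daily/logrotate",
    },
}


def evaluate(selection: dict) -> list:
    """Names of the constructed events that the given selection flags."""
    return [name for name, ev in EVENTS.items() if matches(ev, selection)]


if __name__ == "__main__":
    print("before:", evaluate(SELECTION_BEFORE))  # backdoor and the benign login
    print("after: ", evaluate(SELECTION_AFTER))   # only the backdoor
```

The broader selection flags every shell that sshd spawns, which is exactly an interactive login; adding the "root" requirement drops the unprivileged session while keeping the demo's payload shell. Note the caveat the substring check leaves open: a legitimate root login also carries "root" in the sshd title, so the narrowed rule still relies on the other fields and on analyst review rather than being a clean indicator on its own.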

Neo23x0 commented 2 months ago

I added the "modified" field and set the date to 2024/04/12. I'm pulling this request because we see a set of FPs in THOR Cloud with THOR 10.7 applying the Sigma rules on process trees on Linux systems.