SwiftOnSecurity / sysmon-config

Sysmon configuration file template with default high-quality event tracing

Configuring EventId 15 for exe and dll files #127

Open joydragon opened 4 years ago

joydragon commented 4 years ago

I don't know if you already decided this before, but could you add .exe and .dll files to the configuration for Event 15?

I was trying to manually test this Sigma rule with those file types and it wasn't working: https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_ads_executable.yml

This is based on this article: https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/

I added something like this, but I don't know if that's the best answer to it:

```xml
<TargetFilename condition="end with">.exe</TargetFilename> <!--Executable files-->
<TargetFilename condition="end with">.dll</TargetFilename> <!--DLL files-->
```

Thanks!
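For reference, here is how the two rules from the question would sit in a complete Event ID 15 (FileCreateStreamHash) rule group in Sysmon configuration syntax. This is an added example written for this page; it is not the project's own Event 15 section and not the poster's full config, and the surrounding `<Sysmon>`, `<EventFiltering>` and `schemaversion` values are assumptions that must match the Sysmon version actually deployed. The point worth checking before relying on it: for Event 15, `TargetFilename` carries the full stream path (`C:\path\file.txt:payload.exe`, as in the linked article), so `end with .exe` matches on the stream name, not only on the host file name, and the `Hash` in the event is computed over the stream contents.

```xml
<!-- Added example: Sysmon config fragment, not the sysmon-config project's own file.
     schemaversion is an assumption; use the value reported by "sysmon -s" on your host. -->
<Sysmon schemaversion="4.22">
  <HashAlgorithms>md5,sha256,IMPHASH</HashAlgorithms> <!-- IMPHASH is needed for rules that filter on Imphash -->
  <EventFiltering>

    <!-- SYSMON EVENT ID 15 : ALTERNATE DATA STREAM CREATED [FileCreateStreamHash]
         TargetFilename is the stream path, e.g. C:\Users\x\Documents\notes.txt:payload.exe,
         so "end with" conditions match on the stream name. Conditions are case-insensitive. -->
    <RuleGroup name="" groupRelation="or">
      <FileCreateStreamHash onmatch="include">
        <TargetFilename condition="end with">.exe</TargetFilename>  <!-- Executable written into a stream -->
        <TargetFilename condition="end with">.dll</TargetFilename>  <!-- DLL written into a stream -->
      </FileCreateStreamHash>
    </RuleGroup>

  </EventFiltering>
</Sysmon>
```

To confirm the rule fires, reproduce the linked article's technique on a test host (write an executable into a stream of an otherwise harmless file, e.g. `notes.txt:payload.exe`) and look for Event ID 15 in the `Microsoft-Windows-Sysmon/Operational` log with `Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational'; Id=15}`; the `TargetFilename` field of the resulting event should contain the `:payload.exe` stream path. If the Sigma rule still does not match, compare its field names and the `Hash`/`Imphash` values in the event against what your version of Sysmon actually emits.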