wietze / windows-dll-hijacking

Project for identifying executables and DLLs vulnerable to relative path DLL hijacking.
GNU General Public License v3.0

Filtering out SysWOW64 #5

Status: Closed (iosonogio closed this issue 5 months ago)

iosonogio commented 1 year ago

Many thanks for these resources! In the SIGMA rule `possible_windows_dll_hijacking.yml` this path should/could be filtered out: `C:\Windows\SysWOW64\`

That is:

    filter:
        EventID: 7
        ImageLoaded:
            - "C:\\Windows\\WinSxS\\*"
            - "C:\\Windows\\System32\\*"
            - "C:\\Windows\\SysWOW64\\*"
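
The effect of the proposed entry on image-load events, as an added example that is not part of the issue or the project's code. It assumes the filter is used as an exclusion (`not filter`), that the current filter holds only the first two entries, and a simplified model of Sigma matching (case-insensitive, `*` and `?` wildcards, escaping not modelled); the events and helper names are constructed for illustration.

```python
import re

def sigma_match(pattern, value):
    """Simplified Sigma string match: case-insensitive, '*' = any run, '?' = one char."""
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(rx, str(value), re.IGNORECASE | re.DOTALL) is not None

def block_matches(block, event):
    """Fields in a block are ANDed; a list of values under one field is ORed."""
    for field, expected in block.items():
        wanted = expected if isinstance(expected, list) else [expected]
        if field not in event or not any(sigma_match(str(w), event[field]) for w in wanted):
            return False
    return True

def not_filtered(events, flt):
    """Loaded image paths that survive the exclusion (the 'not filter' part)."""
    return [e["ImageLoaded"] for e in events if not block_matches(flt, e)]

# Assumed current filter: the two entries listed above SysWOW64 in the snippet.
FILTER_BEFORE = {
    "EventID": 7,
    "ImageLoaded": [r"C:\Windows\WinSxS\*", r"C:\Windows\System32\*"],
}
# Proposed filter: the snippet as posted, with the SysWOW64 entry added.
FILTER_AFTER = {
    "EventID": 7,
    "ImageLoaded": FILTER_BEFORE["ImageLoaded"] + [r"C:\Windows\SysWOW64\*"],
}

# Constructed Sysmon Event ID 7 (image load) records; not real telemetry.
EVENTS = [
    {"EventID": 7, "ImageLoaded": r"C:\Windows\System32\version.dll"},
    # 32-bit process on 64-bit Windows loading its system DLL from SysWOW64
    {"EventID": 7, "ImageLoaded": r"C:\Windows\SysWOW64\version.dll"},
    # Same directory in lower case: matching must be case-insensitive
    {"EventID": 7, "ImageLoaded": r"c:\windows\syswow64\dbghelp.dll"},
    # Load from a user-writable location: must never be excluded
    {"EventID": 7, "ImageLoaded": r"C:\Users\Public\version.dll"},
]

if __name__ == "__main__":
    for name, flt in (("before", FILTER_BEFORE), ("after", FILTER_AFTER)):
        print(name, not_filtered(EVENTS, flt))
```

With the extra entry, only the load from outside the Windows system directories remains a candidate for the rule's selection.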