CSEC_PUBLIC/hayabusa
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
Files
f71d5848fee4ffb52c83f10fbf204b3aa5e2bb1b
hayabusa/rules/Sigma/sysmon_pcre_net_temp_file.yml
Tanaka Zakku 50aebce32e Added Sigma Rules
2021-11-14 11:00:56 +09:00

29 lines
860 B
YAML
Raw Blame History

title: PCRE.NET Package Temp Files
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020/10/29
description: Detects processes creating temp files related to PCRE.NET package
detection:
SELECTION_1:
EventID: 11
SELECTION_2:
TargetFilename: '*\AppData\Local\Temp\ba9ea7344a4a5f591d6e5dc32a13494b\\*'
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- Unknown
id: 6e90ae7a-7cd3-473f-a035-4ebb72d961da
level: high
logsource:
category: file_event
product: windows
modified: 2021/08/14
references:
- https://twitter.com/rbmaslen/status/1321859647091970051
- https://twitter.com/tifkin_/status/1321916444557365248
status: experimental
tags:
- attack.execution
- attack.t1059
yml_filename: sysmon_pcre_net_temp_file.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/file_event
Reference in New Issue View Git Blame Copy Permalink