Sigma Rule Update (2023-12-28 20:07:16) (#560)

Co-authored-by: hach1yon <[email protected]>
Yamato-Security · Dec 28, 2023 · 45828a8 · 45828a8
1 parent 0b2f00d
commit 45828a8
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 6 deletions.
diff --git a/sigma/builtin/process_creation/proc_creation_win_susp_redirect_local_admin_share.yml b/sigma/builtin/process_creation/proc_creation_win_susp_redirect_local_admin_share.yml
@@ -8,7 +8,7 @@ references:
     - http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html
 author: Florian Roth (Nextron Systems)
 date: 2022/01/16
-modified: 2022/09/09
+modified: 2023/12/28
 tags:
     - attack.exfiltration
     - attack.t1048
@@ -22,8 +22,9 @@ detection:
     selection_redirect:
         CommandLine|contains: '>'
     selection_share:
-        - \\\\127.0.0.1\\admin$\\
-        - \\\\localhost\\admin$\\
+        CommandLine|contains:
+            - \\\\127.0.0.1\\admin$\\
+            - \\\\localhost\\admin$\\
     condition: process_creation and (all of selection_*)
 falsepositives:
     - Unknown

diff --git a/sigma/sysmon/process_creation/proc_creation_win_susp_redirect_local_admin_share.yml b/sigma/sysmon/process_creation/proc_creation_win_susp_redirect_local_admin_share.yml
@@ -8,7 +8,7 @@ references:
     - http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html
 author: Florian Roth (Nextron Systems)
 date: 2022/01/16
-modified: 2022/09/09
+modified: 2023/12/28
 tags:
     - attack.exfiltration
     - attack.t1048
@@ -23,8 +23,9 @@ detection:
     selection_redirect:
         CommandLine|contains: '>'
     selection_share:
-        - \\\\127.0.0.1\\admin$\\
-        - \\\\localhost\\admin$\\
+        CommandLine|contains:
+            - \\\\127.0.0.1\\admin$\\
+            - \\\\localhost\\admin$\\
     condition: process_creation and (all of selection_*)
 falsepositives:
     - Unknown