Sigma Rule Update (2023-11-11 20:06:45) (#530)

Co-authored-by: hach1yon <[email protected]>
Yamato-Security · Nov 11, 2023 · 6a95a17 · 6a95a17
1 parent 9b1192d
commit 6a95a17
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 4 deletions.
diff --git a/...iltin/process_creation/proc_creation_win_webshell_susp_process_spawned_from_webserver.yml b/...iltin/process_creation/proc_creation_win_webshell_susp_process_spawned_from_webserver.yml
@@ -10,7 +10,7 @@ references:
 author: Thomas Patzke, Florian Roth (Nextron Systems), Zach Stanford @svch0st, Tim
     Shelton, Nasreddine Bencherchali (Nextron Systems)
 date: 2019/01/16
-modified: 2023/11/09
+modified: 2023/11/11
 tags:
     - attack.persistence
     - attack.t1505.003
@@ -89,7 +89,7 @@ detection:
             - ADManager Plus
         ParentProcessName|endswith: \java.exe
     condition: process_creation and (1 of selection_webserver_* and selection_anomaly_children
-        and not 1 of filter_main_**)
+        and not 1 of filter_main_*)
 falsepositives:
     - Particular web applications may spawn a shell process legitimately
 level: high

diff --git a/...ysmon/process_creation/proc_creation_win_webshell_susp_process_spawned_from_webserver.yml b/...ysmon/process_creation/proc_creation_win_webshell_susp_process_spawned_from_webserver.yml
@@ -10,7 +10,7 @@ references:
 author: Thomas Patzke, Florian Roth (Nextron Systems), Zach Stanford @svch0st, Tim
     Shelton, Nasreddine Bencherchali (Nextron Systems)
 date: 2019/01/16
-modified: 2023/11/09
+modified: 2023/11/11
 tags:
     - attack.persistence
     - attack.t1505.003
@@ -90,7 +90,7 @@ detection:
             - sc query
             - ADManager Plus
     condition: process_creation and (1 of selection_webserver_* and selection_anomaly_children
-        and not 1 of filter_main_**)
+        and not 1 of filter_main_*)
 falsepositives:
     - Particular web applications may spawn a shell process legitimately
 level: high