Merge PR #5076 from @Neo23x0 - Fix `Suspicious SYSTEM User Process Creation`

fix: Suspicious SYSTEM User Process Creation - filter false positives with Google Updater uninstall script
Neo23x0 authored Nov 13, 2024
1 parent 4f4ef7a commit 5d1cf4b
Showing 1 changed file with 5 additions and 2 deletions.
@@ -7,7 +7,7 @@ references:
- https://tools.thehacker.recipes/mimikatz/modules
author: Florian Roth (Nextron Systems), David ANDRE (additional keywords)
date: 2021-12-20
modified: 2024-07-22
modified: 2024-11-11
tags:
- attack.credential-access
- attack.defense-evasion
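Review bot: the `modified` date bump is correct, but this hunk touches the `references` block without adding a pointer to the Google Updater uninstall behaviour that the commit message says motivates the change; a reference (or at least a source line next to the new filter) would let a future maintainer verify why the exclusion exists before widening or removing it.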
@@ -74,7 +74,10 @@ detection:
- 'MiniDump' # Process dumping method apart from procdump
- 'net user '
filter_main_ping:
CommandLine|contains: 'ping 127.0.0.1 -n'
CommandLine|contains|all:
- 'ping'
- '127.0.0.1'
- ' -n '
filter_vs:
Image|endswith: '\PING.EXE'
ParentCommandLine|contains: '\DismFoDInstall.cmd'
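Review bot: the rewritten `filter_main_ping` is much broader than the old single substring `'ping 127.0.0.1 -n'`: `contains|all` with the tokens `'ping'`, `'127.0.0.1'` and `' -n '` matches whenever those three fragments appear anywhere in the command line, in any order, so a command line that also carries one of the selection keywords (for example `'net user '` or `'MiniDump'`) is now suppressed as long as those fragments are present somewhere. Consider constraining the filter the way the adjacent `filter_vs` does, by combining the command-line tokens with `Image|endswith: '\PING.EXE'` (or with a `ParentCommandLine` condition for the Google Updater uninstall script), and add a comment on the filter naming the false positive it covers, matching the `# Process dumping method apart from procdump` style used in the selection above.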
