Update apt unidentified nov 18.txt
This commit is contained in:
tali-ash
GitHub
Родитель
cb4126c4b0
Коммит
5e2733109e
|
|
@ -1,11 +1,11 @@
|
||||||
// Original Sigma Rule: https://github.com/Neo23x0/sigma/blob/master/rules/apt/apt_unidentified_nov_18.yml
|
// Original Sigma Rule: https://github.com/Neo23x0/sigma/blob/master/rules/apt/apt_unidentified_nov_18.yml
|
||||||
// Questions via Twitter: @janvonkirchheim
|
// Questions via Twitter: @janvonkirchheim
|
||||||
ProcessCreationEvents
|
DeviceProcessEvents
|
||||||
| where EventTime > ago(7d)
|
| where Timestamp > ago(7d)
|
||||||
| where ProcessCommandLine endswith "cyzfc.dat, PointFunctionCall"
|
| where ProcessCommandLine endswith "cyzfc.dat, PointFunctionCall"
|
||||||
| top 100 by EventTime desc
|
| top 100 by Timestamp desc
|
||||||
|
|
||||||
FileCreationEvents
|
DeviceFileEvents
|
||||||
| where EventTime > ago(7d)
|
| where Timestamp > ago(7d)
|
||||||
| where FolderPath has "ds7002.lnk"
|
| where FolderPath has "ds7002.lnk"
|
||||||
| top 100 by EventTime desc
|
| top 100 by Timestamp desc
|
||||||
|
|
|
||||||
Загрузка…
Ссылка в новой задаче