8 строки
366 B
Plaintext
8 строки
366 B
Plaintext
// Original Sigma Rule: https://github.com/Neo23x0/sigma/blob/master/rules/apt/apt_equationgroup_c2.yml
|
|
// Questions via Twitter: @janvonkirchheim
|
|
DeviceProcessEvents
|
|
| where Timestamp > ago(7d)
|
|
| where (FolderPath endswith @"\rundll32.exe" and ProcessCommandLine endswith ",dll_u")
|
|
or ProcessCommandLine has " -export dll_u "
|
|
| top 100 by Timestamp desc
|