Comparing changes

base repository: SigmaHQ/sigma (base: master)
head repository: BinaryDefense/sigma (compare: master)
Able to merge. These branches can be automatically merged.
  • 1 commit
  • 1 file changed
  • 1 contributor

Commits on Jun 10, 2022

  1. Add proc_creation_win_msdt_smb_path.yml

    Randy Pargman committed Jun 10, 2022
    dfd7718
Showing with 27 additions and 0 deletions.
  1. +27 −0 rules/windows/process_creation/proc_creation_win_msdt_smb_path.yml
27 changes: 27 additions & 0 deletions rules/windows/process_creation/proc_creation_win_msdt_smb_path.yml
@@ -0,0 +1,27 @@
title: MSDT.EXE With SMB Answers File
id: c577e607-8f6f-4e33-8767-a8f263b326a1
status: experimental
description: Detects when "msdt.exe" is executed with an answers file from an SMB share
references:
- https://twitter.com/nao_sec/status/1530196847679401984
- https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/
- https://twitter.com/ImpetuousDanny/status/1531650953082023936
date: 2022/06/09
author: Matt Ehrnschwender
logsource:
category: process_creation
product: windows
detection:
image:
- Image|endswith: '\msdt.exe'
- OriginalFileName: 'msdt.exe'
af_with_smb:
CommandLine|contains:
- '/af \\\\'
- '-af \\\\'
condition: image and af_with_smb
falsepositives:
- Unknown
level: high
tags:
- attack.defense_evasion
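Review bot: the `af_with_smb` selection only matches when the UNC prefix follows the switch with exactly one space and nothing in between (`'/af \\\\'`, `'-af \\\\'`), so an answer-file argument that is quoted, as in `msdt.exe /af "\\server\share\answers.xml"`, or separated by a tab or a second space, slips past the rule even though the image selection still fires. Consider adding the quoted forms to the list (`'/af "\\\\'`, `'-af "\\\\'`) or switching the selection to a `CommandLine|re` with optional whitespace and an optional quote before the two backslashes. Two smaller points on the same hunk: `tags` carries only the tactic `attack.defense_evasion` with no technique ID, and the Sigma convention for proxied execution through a signed Windows binary such as msdt.exe is to add `attack.t1218` alongside it; and `falsepositives: Unknown` together with `level: high` reads oddly for a rule that will also catch an administrator launching a legitimate troubleshooting pack with an answer file on a file share, so naming that case in `falsepositives` would help analysts triage.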