Merge PR #5138 from @DanielKoifman - Update `Suspicious Windows Service Tampering`

update: Suspicious Windows Service Tampering - Add additional services
DanielKoifman authored Dec 27, 2024
1 parent e8a6894 commit 7c83045
Showing 1 changed file with 5 additions and 1 deletion.
Expand Up @@ -18,10 +18,11 @@ references:
- https://www.virustotal.com/gui/file/38283b775552da8981452941ea74191aa0d203edd3f61fb2dee7b0aea3514955
author: Nasreddine Bencherchali (Nextron Systems), frack113 , X__Junior
date: 2022-09-01
modified: 2024-10-21
modified: 2024-12-23
tags:
- attack.defense-evasion
- attack.t1489
- attack.t1562.001
logsource:
category: process_creation
product: windows
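Review bot: the `- attack.t1562.001` tag in the `tags` block looks like one of the 5 reported additions (the page shows no +/- markers), yet the commit message only says "Add additional services". A tag change alters how the rule shows up in ATT&CK coverage mapping, so mention it in the commit message or PR description next to the service additions.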
Expand Down Expand Up @@ -148,6 +149,7 @@ detection:
- 'mfewc'
- 'MMS'
- 'mozyprobackup'
- 'mpssvc'
- 'MSComplianceAudit'
- 'MSDTC'
- 'MsDtsServer'
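Review bot: `- 'mpssvc'` is the Windows Defender Firewall service, so tampering with it is firewall impairment, which ATT&CK tracks as T1562.004 rather than the `attack.t1562.001` tag carried in the rule header. Consider adding `- attack.t1562.004` to `tags` together with this entry so the mapping matches what the new string detects.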
Expand Down Expand Up @@ -235,6 +237,7 @@ detection:
- 'swi_service'
- 'swi_update'
- 'Symantec'
- 'sysmon'
- 'TeamViewer'
- 'Telemetryserver'
- 'ThreatLockerService'
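Review bot: `- 'sysmon'` only covers installs whose service name still contains that string. Sysmon registers its service under the name of the installer binary, so a renamed deployment is not matched by this entry. State that limit in the rule description or a comment, and confirm with a test event that the default 64-bit service name `Sysmon64` is matched by the list's modifier, which sits outside the visible lines.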
Expand Down Expand Up @@ -277,6 +280,7 @@ detection:
- 'WRSVC'
- 'wsbexchange'
- 'WSearch'
- 'wscsvc'
- 'Zoolz 2 Service'
condition: all of selection_*
falsepositives:
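Review bot: `- 'wscsvc'` is placed after `- 'WSearch'`, which breaks the case-insensitive alphabetical order the rest of the list follows (`wsbexchange`, `wscsvc`, `WSearch`). Move it up one line so later additions are easy to diff and duplicates are easy to spot. No `falsepositives` change is visible here; since `wscsvc` (Security Center) can be stopped by legitimate security product installers, check whether the existing entries already cover that.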