Commit

added definition to Sysmon 13.30 rule for priv escalation
Cyb3rWard0g committed Oct 27, 2021
1 parent d80f736 commit 7543b3e
Showing 1 changed file with 2 additions and 0 deletions.
Expand Up @@ -17,11 +17,13 @@ modified: 2020/10/26
logsource:
category: process_creation
product: windows
definition: ParentUser field needs sysmon >= 13.30
detection:
selection:
ParentUser:
- 'NT AUTHORITY\NETWORK SERVICE'
- 'NT AUTHORITY\LOCAL SERVICE'
- 'AUTORITE NT\' # French language settings
User:
- 'NT AUTHORITY\SYSTEM'
- 'AUTORITE NT\Sys' # French language settings
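
Review bot: In the `selection` block, the French-locale entries `'AUTORITE NT\'` and `'AUTORITE NT\Sys'` are prefixes, but they sit under plain `ParentUser:` and `User:` keys, which Sigma compares against the whole field value, so a French-language host would not match them. Either put a `|startswith` modifier on both keys or list the full localized account names. Separately, the hunk header still shows `modified: 2020/10/26` and the diff has no deletions, so the `modified` date should be bumped with this change. The `definition: ParentUser field needs sysmon >= 13.30` line is free text that backends do not enforce, so it is worth repeating the Sysmon version requirement in the rule's description, where it is seen by anyone deploying the rule against older Sysmon versions.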