From 024315fe88711fdab774868802bf37fb66ef2040 Mon Sep 17 00:00:00 2001 From: skaynum <152009163+skaynum@users.noreply.github.com> Date: Sat, 25 Nov 2023 17:53:53 +0300 Subject: [PATCH 01/12] Create Rule to detect Process Injection This commit adds a new experimental rule that attempts to detect process injection by utilizing the dd command to inject malicious code in the process memory under /proc/mem example provided in this project https://github.com/AonCyberLabs/Cexigua/blob/master/overwrite.sh --- ...proc_creation_lnx_dd_process_injection.yml | 27 +++++++++++++++++++ 1 file changed, 27 insertions(+) create mode 100644 rules/linux/process_creation/proc_creation_lnx_dd_process_injection.yml diff --git a/rules/linux/process_creation/proc_creation_lnx_dd_process_injection.yml b/rules/linux/process_creation/proc_creation_lnx_dd_process_injection.yml new file mode 100644 index 00000000000..f06e08f3b06 --- /dev/null +++ b/rules/linux/process_creation/proc_creation_lnx_dd_process_injection.yml @@ -0,0 +1,27 @@ +title: Possible Linux Process Code Injection +id: 4cad6c64-d6df-42d6-8dae-eb78defdc415 +status: experimental +description: This rule detects the injetion of code by overwriting the memory map of a linux process using the linux command dd. +references: + - https://www.aon.com/cyber-solutions/aon_cyber_labs/linux-based-inter-process-code-injection-without-ptrace2/ + - https://github.com/AonCyberLabs/Cexigua/blob/master/overwrite.sh + - https://attack.mitre.org/techniques/T1055/009/ +author: Joseph Kamau +date: 2023/11/25 +tags: + - attack.defense_evasion + - attack.t1055.009 +logsource: + product: linux + category: process_creation +detection: + selection: + Image|endswith: '/dd' + CommandLine|contains|all: + - 'of=' + - '/proc/' + - '/mem' + condition: selection +falsepositives: + - Unknown +level: medium From 25d030d27dd17c13b9d42d4a3cd5f5a285c18c2b Mon Sep 17 00:00:00 2001 
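Review bot: The `CommandLine|contains|all` selection only requires `of=`, `/proc/` and `/mem` to occur somewhere in the command line, not in the same operand, so a read from `if=/proc/<pid>/mem` paired with an unrelated `of=` path satisfies all three terms even though nothing is written into the target process, while the behaviour the description and references cover is specifically an output path under `/proc/<pid>/mem`. Anchoring the output operand, e.g. `CommandLine|re: 'of=/proc/(self|[0-9]+)/mem'` (or at minimum `- 'of=/proc/'` together with `- '/mem'`), keeps the rule on the write case. T1055 sits under both Defense Evasion and Privilege Escalation in ATT&CK, so `attack.privilege_escalation` belongs next to `attack.defense_evasion` in `tags`. `Image|endswith: '/dd'` will also miss a busybox-style applet invocation, which is worth a sentence in the description so analysts know the coverage boundary.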
From: nasbench <8741929+nasbench@users.noreply.github.com> Date: Fri, 1 Dec 2023 01:01:55 +0100 Subject: [PATCH 02/12] Update proc_creation_lnx_dd_process_injection.yml --- .../proc_creation_lnx_dd_process_injection.yml | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/rules/linux/process_creation/proc_creation_lnx_dd_process_injection.yml b/rules/linux/process_creation/proc_creation_lnx_dd_process_injection.yml index f06e08f3b06..809fcd2eb88 100644 --- a/rules/linux/process_creation/proc_creation_lnx_dd_process_injection.yml +++ b/rules/linux/process_creation/proc_creation_lnx_dd_process_injection.yml @@ -1,13 +1,12 @@ -title: Possible Linux Process Code Injection +title: Potential Linux Process Code Injection Via DD Utility id: 4cad6c64-d6df-42d6-8dae-eb78defdc415 status: experimental -description: This rule detects the injetion of code by overwriting the memory map of a linux process using the linux command dd. +description: Detects the injetion of code by overwriting the memory map of a linux process using the "dd" linux command. references: - https://www.aon.com/cyber-solutions/aon_cyber_labs/linux-based-inter-process-code-injection-without-ptrace2/ - - https://github.com/AonCyberLabs/Cexigua/blob/master/overwrite.sh - - https://attack.mitre.org/techniques/T1055/009/ + - https://github.com/AonCyberLabs/Cexigua/blob/34d338620afae4c6335ba8d8d499e1d7d3d5d7b5/overwrite.sh author: Joseph Kamau -date: 2023/11/25 +date: 2023/12/01 tags: - attack.defense_evasion - attack.t1055.009 From 926a74e74f2d12c7f8a9d76b3f669dd263e8b49b Mon Sep 17 00:00:00 2001 From: phantinuss <79651203+phantinuss@users.noreply.github.com> Date: Fri, 1 Dec 2023 19:17:00 +0100 Subject: [PATCH 03/12] fix: typo --- .../process_creation/proc_creation_lnx_dd_process_injection.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/rules/linux/process_creation/proc_creation_lnx_dd_process_injection.yml b/rules/linux/process_creation/proc_creation_lnx_dd_process_injection.yml index 809fcd2eb88..4d7d8fbbb32 100644 --- a/rules/linux/process_creation/proc_creation_lnx_dd_process_injection.yml +++ b/rules/linux/process_creation/proc_creation_lnx_dd_process_injection.yml @@ -1,7 +1,7 @@ title: Potential Linux Process Code Injection Via DD Utility id: 4cad6c64-d6df-42d6-8dae-eb78defdc415 status: experimental -description: Detects the injetion of code by overwriting the memory map of a linux process using the "dd" linux command. +description: Detects the injection of code by overwriting the memory map of a Linux process using the "dd" Linux command. references: - https://www.aon.com/cyber-solutions/aon_cyber_labs/linux-based-inter-process-code-injection-without-ptrace2/ - https://github.com/AonCyberLabs/Cexigua/blob/34d338620afae4c6335ba8d8d499e1d7d3d5d7b5/overwrite.sh From 49a6c8bbfe8bfb487390e316e535569b75e130bf Mon Sep 17 00:00:00 2001 From: skaynum <152009163+skaynum@users.noreply.github.com> Date: Sat, 3 Feb 2024 13:11:47 +0300 Subject: [PATCH 04/12] Add files via upload --- ..._mysql_daemon_executable_file_creation.yml | 30 +++++++++++++++++++ 1 file changed, 30 insertions(+) create mode 100644 rules/windows/file/file_event/file_event_mysql_daemon_executable_file_creation.yml diff --git a/rules/windows/file/file_event/file_event_mysql_daemon_executable_file_creation.yml b/rules/windows/file/file_event/file_event_mysql_daemon_executable_file_creation.yml new file mode 100644 index 00000000000..79f8d329b2c --- /dev/null +++ b/rules/windows/file/file_event/file_event_mysql_daemon_executable_file_creation.yml 
@@ -0,0 +1,30 @@ +title: Mysql Daemon Creating Executable Files +id: c61daa90-3c1e-4f18-af62-8f288b5c9aaf +status: experimental +description: 'Detects the creation of executable files by Mysql daemon which could be an indicator of User Defined Functions abuse to download malware. + + ' +references: + - https://asec.ahnlab.com/en/58878/ + - https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/honeypot-recon-mysql-malware-infection-via-user-defined-functions-udf/ +author: Joseph Kamau +date: 2024/02/03 +tags: + - attack.defense_evasion +logsource: + product: windows + category: file_event +detection: + selection: + Image|endswith: + - \mysqld.exe + - \mysqld-nt.exe + TargetFilename|endswith: + - .exe + - .dll + - .ps1 + - .bat + condition: selection +falsepositives: + - Unknown +level: high From fa8a897720ce8690874d6aa8313ac2672c276744 Mon Sep 17 00:00:00 2001 From: skaynum <152009163+skaynum@users.noreply.github.com> Date: Sat, 3 Feb 2024 13:25:10 +0300 Subject: [PATCH 05/12] Delete rules/windows/file/file_event/file_event_mysql_daemon_executable_file_creation.yml Wrong file name --- ..._mysql_daemon_executable_file_creation.yml | 30 ------------------- 1 file changed, 30 deletions(-) delete mode 100644 rules/windows/file/file_event/file_event_mysql_daemon_executable_file_creation.yml diff --git a/rules/windows/file/file_event/file_event_mysql_daemon_executable_file_creation.yml b/rules/windows/file/file_event/file_event_mysql_daemon_executable_file_creation.yml deleted file mode 100644 index 79f8d329b2c..00000000000 --- a/rules/windows/file/file_event/file_event_mysql_daemon_executable_file_creation.yml +++ /dev/null 
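Review bot: The `Image|endswith` selection lists only `\mysqld.exe` and `\mysqld-nt.exe`, so a MariaDB server (`mariadbd.exe`, the binary name since 10.5) abused through the same UDF route is not covered; if MariaDB is in scope, adding `- '\mariadbd.exe'` is cheap. The `TargetFilename|endswith` list stops at `.exe/.dll/.ps1/.bat` and omits other extensions Windows executes directly (`.vbs`, `.cmd`, `.js`, `.hta`); the extension list is widened in patch 11's rename hunk but `.cmd`, `.js` and `.hta` are still absent there. `level: high` combined with `falsepositives: Unknown` is inconsistent — if no benign case is known, say so explicitly (e.g. `- Legitimate mysqld writes of these extensions are not expected; investigate the plugin directory and recent CREATE FUNCTION statements`). The identical content is re-added unchanged under the `win_` file name in patch 06, so the same points apply there.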
@@ -1,30 +0,0 @@ -title: Mysql Daemon Creating Executable Files -id: c61daa90-3c1e-4f18-af62-8f288b5c9aaf -status: experimental -description: 'Detects the creation of executable files by Mysql daemon which could be an indicator of User Defined Functions abuse to download malware. - - ' -references: - - https://asec.ahnlab.com/en/58878/ - - https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/honeypot-recon-mysql-malware-infection-via-user-defined-functions-udf/ -author: Joseph Kamau -date: 2024/02/03 -tags: - - attack.defense_evasion -logsource: - product: windows - category: file_event -detection: - selection: - Image|endswith: - - \mysqld.exe - - \mysqld-nt.exe - TargetFilename|endswith: - - .exe - - .dll - - .ps1 - - .bat - condition: selection -falsepositives: - - Unknown -level: high From b63c4d3765dd9debdd57d080d5da4aafecf36520 Mon Sep 17 00:00:00 2001 From: skaynum <152009163+skaynum@users.noreply.github.com> Date: Sat, 3 Feb 2024 13:26:38 +0300 Subject: [PATCH 06/12] Add files via upload --- ..._mysql_daemon_executable_file_creation.yml | 30 +++++++++++++++++++ 1 file changed, 30 insertions(+) create mode 100644 rules/windows/file/file_event/file_event_win_mysql_daemon_executable_file_creation.yml diff --git a/rules/windows/file/file_event/file_event_win_mysql_daemon_executable_file_creation.yml b/rules/windows/file/file_event/file_event_win_mysql_daemon_executable_file_creation.yml new file mode 100644 index 00000000000..79f8d329b2c --- /dev/null +++ b/rules/windows/file/file_event/file_event_win_mysql_daemon_executable_file_creation.yml 
@@ -0,0 +1,30 @@ +title: Mysql Daemon Creating Executable Files +id: c61daa90-3c1e-4f18-af62-8f288b5c9aaf +status: experimental +description: 'Detects the creation of executable files by Mysql daemon which could be an indicator of User Defined Functions abuse to download malware. + + ' +references: + - https://asec.ahnlab.com/en/58878/ + - https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/honeypot-recon-mysql-malware-infection-via-user-defined-functions-udf/ +author: Joseph Kamau +date: 2024/02/03 +tags: + - attack.defense_evasion +logsource: + product: windows + category: file_event +detection: + selection: + Image|endswith: + - \mysqld.exe + - \mysqld-nt.exe + TargetFilename|endswith: + - .exe + - .dll + - .ps1 + - .bat + condition: selection +falsepositives: + - Unknown +level: high From 6d359e0d9b2b6004c50c28b4926cdc06a1b59c75 Mon Sep 17 00:00:00 2001 From: skaynum <152009163+skaynum@users.noreply.github.com> Date: Fri, 23 Feb 2024 22:53:12 +0300 Subject: [PATCH 07/12] Add files via upload --- ...ile_event_win_outlook_opening_smb_file.yml | 24 +++++++++++++++++++ 1 file changed, 24 insertions(+) create mode 100644 rules/windows/file/file_event/file_event_win_outlook_opening_smb_file.yml diff --git a/rules/windows/file/file_event/file_event_win_outlook_opening_smb_file.yml b/rules/windows/file/file_event/file_event_win_outlook_opening_smb_file.yml new file mode 100644 index 00000000000..4df70392fc0 --- /dev/null +++ b/rules/windows/file/file_event/file_event_win_outlook_opening_smb_file.yml 
@@ -0,0 +1,24 @@ +title: "Outlook opening a file hosted on an SMB Share " +id: e5305252-1ee0-426a-81ec-9ca43c4dd3a7 +description: "Detects when threat actors attempt to bypass outlook security warning by sharing links of malware hosted on SMB shares.This has been detected in Pikabot campaigns" +author: Joseph Kamau +date: 2024/02/23 +status: experimental +tags: +- attack.defense_evasion +- attack.t1021.002 +references: https://app.any.run/tasks/478732bb-b180-4d14-9a93-5e424c44a97e?utm_source=twitter&utm_medium=post&utm_campaign=pikabot&utm_content=linktoservice&utm_term=210224/ +logsource: + product: "windows" + category: "file_event" +detection: + selection: + Image|endswith: '\outlook.exe' + TargetFilename|endswith: '\PIPE\srvsvc' + condition: "selection" +fields: +- "Image" +- "TargetFilename" +falsepositives: +- "unlikely" +level: "high" \ No newline at end of file From 21c39f534d426339b50bc676179ed05d4380639f Mon Sep 17 00:00:00 2001 From: skaynum <152009163+skaynum@users.noreply.github.com> Date: Fri, 23 Feb 2024 22:56:40 +0300 Subject: [PATCH 08/12] Update file_event_win_outlook_opening_smb_file.yml --- ...file_event_win_outlook_opening_smb_file.yml | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/rules/windows/file/file_event/file_event_win_outlook_opening_smb_file.yml b/rules/windows/file/file_event/file_event_win_outlook_opening_smb_file.yml index 4df70392fc0..b20eb8dcba1 100644 --- a/rules/windows/file/file_event/file_event_win_outlook_opening_smb_file.yml +++ b/rules/windows/file/file_event/file_event_win_outlook_opening_smb_file.yml 
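Review bot: `references:` is written as a plain scalar, but the Sigma schema defines it as a list, so the repository's schema tests will reject this file as-is; it should be `references:` followed by `    - https://app.any.run/tasks/478732bb-...`. The `TargetFilename|endswith: '\PIPE\srvsvc'` match in `file_event` assumes the SMB pipe open is surfaced as a file-create event with that suffix — this depends on the sensor, and the description should name the log source the rule was tested against. The tag `attack.t1021.002` (Remote Services: SMB/Windows Admin Shares) describes lateral movement, whereas the described behaviour is link-based phishing delivery, for which `attack.initial_access` / `attack.t1566.002` is the closer mapping. `falsepositives: unlikely` with `level: high` is optimistic: any UNC link to an internal file server opened from Outlook produces the same event, so a sentence pointing analysts at the share host would help triage.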
@@ -1,6 +1,6 @@ -title: "Outlook opening a file hosted on an SMB Share " +title: Outlook opening a file hosted on an SMB Share id: e5305252-1ee0-426a-81ec-9ca43c4dd3a7 -description: "Detects when threat actors attempt to bypass outlook security warning by sharing links of malware hosted on SMB shares.This has been detected in Pikabot campaigns" +description: Detects when threat actors attempt to bypass outlook security warning by sharing links of malware hosted on SMB shares.This has been detected in Pikabot campaigns author: Joseph Kamau date: 2024/02/23 status: experimental @@ -9,16 +9,16 @@ tags: - attack.t1021.002 references: https://app.any.run/tasks/478732bb-b180-4d14-9a93-5e424c44a97e?utm_source=twitter&utm_medium=post&utm_campaign=pikabot&utm_content=linktoservice&utm_term=210224/ logsource: - product: "windows" - category: "file_event" + product: windows + category: file_event detection: selection: Image|endswith: '\outlook.exe' TargetFilename|endswith: '\PIPE\srvsvc' - condition: "selection" + condition: selection fields: -- "Image" -- "TargetFilename" +- Image +- TargetFilename falsepositives: -- "unlikely" -level: "high" \ No newline at end of file +- unlikely +level: high From 69adf3dd0715cef631a41a361f047a42d4dccd1c Mon Sep 17 00:00:00 2001 From: skaynum <152009163+skaynum@users.noreply.github.com> Date: Fri, 23 Feb 2024 23:00:03 +0300 Subject: [PATCH 09/12] Delete rules/windows/file/file_event/file_event_win_outlook_opening_smb_file.yml --- ...ile_event_win_outlook_opening_smb_file.yml | 24 ------------------- 1 file changed, 24 deletions(-) delete mode 100644 rules/windows/file/file_event/file_event_win_outlook_opening_smb_file.yml diff --git a/rules/windows/file/file_event/file_event_win_outlook_opening_smb_file.yml b/rules/windows/file/file_event/file_event_win_outlook_opening_smb_file.yml deleted file mode 100644 index b20eb8dcba1..00000000000 --- a/rules/windows/file/file_event/file_event_win_outlook_opening_smb_file.yml +++ /dev/null 
@@ -1,24 +0,0 @@ -title: Outlook opening a file hosted on an SMB Share -id: e5305252-1ee0-426a-81ec-9ca43c4dd3a7 -description: Detects when threat actors attempt to bypass outlook security warning by sharing links of malware hosted on SMB shares.This has been detected in Pikabot campaigns -author: Joseph Kamau -date: 2024/02/23 -status: experimental -tags: -- attack.defense_evasion -- attack.t1021.002 -references: https://app.any.run/tasks/478732bb-b180-4d14-9a93-5e424c44a97e?utm_source=twitter&utm_medium=post&utm_campaign=pikabot&utm_content=linktoservice&utm_term=210224/ -logsource: - product: windows - category: file_event -detection: - selection: - Image|endswith: '\outlook.exe' - TargetFilename|endswith: '\PIPE\srvsvc' - condition: selection -fields: -- Image -- TargetFilename -falsepositives: -- unlikely -level: high From b394a45aae5f5a60302995a4bb879c749bc7bedb Mon Sep 17 00:00:00 2001 From: skaynum <152009163+skaynum@users.noreply.github.com> Date: Thu, 25 Apr 2024 16:45:05 +0300 Subject: [PATCH 10/12] Add files via upload --- .../proc_creation_win_susp_browser_launch.yml | 33 +++++++++++++++++++ 1 file changed, 33 insertions(+) create mode 100644 rules/windows/process_creation/proc_creation_win_susp_browser_launch.yml diff --git a/rules/windows/process_creation/proc_creation_win_susp_browser_launch.yml b/rules/windows/process_creation/proc_creation_win_susp_browser_launch.yml new file mode 100644 index 00000000000..10198920ea9 --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_susp_browser_launch.yml 
@@ -0,0 +1,33 @@ +title: Suspicious Browser Launch Indicative of a Possible Phishing Link +id: 1193d960-2369-499f-a158-7b50a31df682 +status: stable +description: 'Detects when a browser or browser tab is launched from an application that handles document files and connects to a web application over http(s), this could indicate possible phishing. + + ' +references: + - ' https://app.any.run/tasks/69c5abaa-92ad-45ba-8c53-c11e23e05d04/ # PDF Document' + - ' https://app.any.run/tasks/64043a79-165f-4052-bcba-e6e49f847ec1/ #Office Document' +author: Joseph Kamau +date: 2024/04/25 +tags: + - attack.execution + - attack.t1204.002 +logsource: + product: windows + category: process_creation +detection: + selection: + ParentImage|contains: + - Microsoft Office + - Acrobat Reader + - PDF Reader + Image|endswith: + - \msedge.exe + - \chrome.exe + - \firefox.exe + - \brave.exe + CommandLine|contains: http + condition: selection +falsepositives: + - Unlikely, further investigations should be done in the commandline to determine the context of the url acccessed +level: medium From 9901724a262aa625b9b633861beb900e3db988b5 Mon Sep 17 00:00:00 2001 From: nasbench <8741929+nasbench@users.noreply.github.com> Date: Mon, 27 May 2024 16:42:27 +0200 Subject: [PATCH 11/12] chore: update metadata --- ...ent_win_mysqld_uncommon_file_creation.yml} | 22 ++++++----- .../proc_creation_win_susp_browser_launch.yml | 33 ----------------- ...er_launch_from_document_reader_process.yml | 37 +++++++++++++++++++ 3 files changed, 50 insertions(+), 42 deletions(-) rename rules/windows/file/file_event/{file_event_win_mysql_daemon_executable_file_creation.yml => file_event_win_mysqld_uncommon_file_creation.yml} (56%) delete mode 100644 rules/windows/process_creation/proc_creation_win_susp_browser_launch.yml create mode 100644 rules/windows/process_creation/proc_creation_win_susp_browser_launch_from_document_reader_process.yml 
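Review bot: `ParentImage|contains: 'Microsoft Office'` also matches `OUTLOOK.EXE`, which lives under the same `Microsoft Office` install directory, so every link clicked in an email launches a browser with an `http` command line and fires this rule — that contradicts the `Unlikely` falsepositives entry and will be the dominant volume driver. Either exclude Outlook with a filter (`filter_main_outlook: ParentImage|endswith: '\OUTLOOK.EXE'`, `condition: selection and not 1 of filter_main_*`) or narrow `ParentImage` to the document applications meant (`\WINWORD.EXE`, `\EXCEL.EXE`, `\POWERPNT.EXE`, `\Acrobat.exe`, `\AcroRd32.exe`). The same parent match is carried over into the rewritten rule added in patch 11 (`proc_creation_win_susp_browser_launch_from_document_reader_process.yml`), so the exclusion is needed there as well. `CommandLine|contains: http` is an unquoted bare word; `'http://'` and `'https://'` as a `contains` list would both satisfy the style guide and pin the match to an actual URL.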
diff --git a/rules/windows/file/file_event/file_event_win_mysql_daemon_executable_file_creation.yml b/rules/windows/file/file_event/file_event_win_mysqld_uncommon_file_creation.yml similarity index 56% rename from rules/windows/file/file_event/file_event_win_mysql_daemon_executable_file_creation.yml rename to rules/windows/file/file_event/file_event_win_mysqld_uncommon_file_creation.yml index 79f8d329b2c..d60c5a3fcb8 100644 --- a/rules/windows/file/file_event/file_event_win_mysql_daemon_executable_file_creation.yml +++ b/rules/windows/file/file_event/file_event_win_mysqld_uncommon_file_creation.yml @@ -1,14 +1,14 @@ -title: Mysql Daemon Creating Executable Files +title: Uncommon File Creation By Mysql Daemon Process id: c61daa90-3c1e-4f18-af62-8f288b5c9aaf status: experimental -description: 'Detects the creation of executable files by Mysql daemon which could be an indicator of User Defined Functions abuse to download malware. - - ' +description: | + Detects the creation of files with scripting or executable extensions by Mysql daemon. + Which could be an indicator of "User Defined Functions" abuse to download malware. references: - https://asec.ahnlab.com/en/58878/ - https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/honeypot-recon-mysql-malware-infection-via-user-defined-functions-udf/ author: Joseph Kamau -date: 2024/02/03 +date: 2024/05/27 tags: - attack.defense_evasion logsource: @@ -20,10 +20,14 @@ detection: - \mysqld.exe - \mysqld-nt.exe TargetFilename|endswith: - - .exe - - .dll - - .ps1 - - .bat + - '.bat' + - '.dat' + - '.dll' + - '.exe' + - '.ps1' + - '.psm1' + - '.vbe' + - '.vbs' condition: selection falsepositives: - Unknown diff --git a/rules/windows/process_creation/proc_creation_win_susp_browser_launch.yml b/rules/windows/process_creation/proc_creation_win_susp_browser_launch.yml deleted file mode 100644 index 10198920ea9..00000000000 --- a/rules/windows/process_creation/proc_creation_win_susp_browser_launch.yml +++ /dev/null 
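Review bot: The new `TargetFilename|endswith` list adds `'.dat'`, but the rewritten description says the rule detects "files with scripting or executable extensions", and `.dat` is neither — if it is there to catch a specific payload naming from the references, a trailing comment such as `- '.dat' # seen in <reference> payload drop` documents the intent, otherwise it should be dropped so the rule matches its description. The list also still omits `.cmd`, `.js`, `.jse`, `.wsf` and `.hta`, which are executed directly by Windows and are as cheap to include as `.vbe`/`.vbs`. The closing `level:` line is outside this hunk, so whether `high` is still appropriate with the broadened list cannot be judged here.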
@@ -1,33 +0,0 @@ -title: Suspicious Browser Launch Indicative of a Possible Phishing Link -id: 1193d960-2369-499f-a158-7b50a31df682 -status: stable -description: 'Detects when a browser or browser tab is launched from an application that handles document files and connects to a web application over http(s), this could indicate possible phishing. - - ' -references: - - ' https://app.any.run/tasks/69c5abaa-92ad-45ba-8c53-c11e23e05d04/ # PDF Document' - - ' https://app.any.run/tasks/64043a79-165f-4052-bcba-e6e49f847ec1/ #Office Document' -author: Joseph Kamau -date: 2024/04/25 -tags: - - attack.execution - - attack.t1204.002 -logsource: - product: windows - category: process_creation -detection: - selection: - ParentImage|contains: - - Microsoft Office - - Acrobat Reader - - PDF Reader - Image|endswith: - - \msedge.exe - - \chrome.exe - - \firefox.exe - - \brave.exe - CommandLine|contains: http - condition: selection -falsepositives: - - Unlikely, further investigations should be done in the commandline to determine the context of the url acccessed -level: medium diff --git a/rules/windows/process_creation/proc_creation_win_susp_browser_launch_from_document_reader_process.yml b/rules/windows/process_creation/proc_creation_win_susp_browser_launch_from_document_reader_process.yml new file mode 100644 index 00000000000..b59d2b8c80d --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_susp_browser_launch_from_document_reader_process.yml 
@@ -0,0 +1,37 @@ +title: Potential Suspicious Browser Launch From Document Reader +id: 1193d960-2369-499f-a158-7b50a31df682 +status: experimental +description: | + Detects when a browser process or browser tab is launched from an application that handles document files such as Adobe, Microsoft Office, etc. And connects to a web application over http(s), this could indicate a possible phishing attempt. +references: + - https://app.any.run/tasks/69c5abaa-92ad-45ba-8c53-c11e23e05d04/ # PDF Document + - https://app.any.run/tasks/64043a79-165f-4052-bcba-e6e49f847ec1/ # Office Document +author: Joseph Kamau +date: 2024/05/27 +tags: + - attack.execution + - attack.t1204.002 +logsource: + product: windows + category: process_creation +detection: + selection: + ParentImage|contains: + - 'Acrobat Reader' + - 'Microsoft Office' + - 'PDF Reader' + Image|endswith: + - '\brave.exe' + - '\chrome.exe' + - '\firefox.exe' + - '\msedge.exe' + - '\opera.exe' + - '\maxthon.exe' + - '\seamonkey.exe' + - '\vivaldi.exe' + - '' + CommandLine|contains: 'http' + condition: selection +falsepositives: + - Unlikely in most cases, further investigation should be done in the commandline of the browser process to determine the context of the URL accessed. +level: medium From 9d10f52d82afb8e7ff615591665b650dee2ec1e0 Mon Sep 17 00:00:00 2001 From: nasbench <8741929+nasbench@users.noreply.github.com> Date: Mon, 27 May 2024 16:43:14 +0200 Subject: [PATCH 12/12] Update proc_creation_win_susp_browser_launch_from_document_reader_process.yml --- ...ion_win_susp_browser_launch_from_document_reader_process.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/proc_creation_win_susp_browser_launch_from_document_reader_process.yml b/rules/windows/process_creation/proc_creation_win_susp_browser_launch_from_document_reader_process.yml index b59d2b8c80d..9235887ad2d 100644 
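Review bot: The `Image|endswith` list ends with an empty-string entry `- ''`; every string ends with the empty string, so on backends that translate this to a suffix wildcard the value matches any Image and turns the browser filter into a no-op — the rule then fires on any child of a `Microsoft Office`/`Acrobat Reader`/`PDF Reader` parent whose command line contains `http`. That entry should be deleted. `CommandLine|contains: 'http'` is also looser than the description's "connects to a web application over http(s)": it matches any argument containing the substring, whereas `CommandLine|contains:` with `- 'http://'` and `- 'https://'` pins it to a URL. The description's sentence "such as Adobe, Microsoft Office, etc. And connects to" reads as two fragments; joining them (`… etc., and connects to …`) would make it one sentence.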
--- a/rules/windows/process_creation/proc_creation_win_susp_browser_launch_from_document_reader_process.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_browser_launch_from_document_reader_process.yml @@ -1,4 +1,4 @@ -title: Potential Suspicious Browser Launch From Document Reader +title: Potential Suspicious Browser Launch From Document Reader Process id: 1193d960-2369-499f-a158-7b50a31df682 status: experimental description: |