Hi,
I have tried to match Sigma to this evtx.
In this file the malicious command is in ParentCommandLine, but when I try on a Windows 10 it is in CommandLine.
Is it a special case or a bad capture?
Thanks
Hi, it's not really a bad capture (missed first process execution); there are legit cases where wuauclt.exe runs DLLs from random paths, so the most resilient (and few FPs) approach is to use Sysmon EventID 7 and look for unsigned DLLs loaded there, OR look for unusual child processes of wuauclt.exe. The ParentCommandLine /UpdateDeploymentProvider C:\ProgramData\Intel\helpa.dll /RunHandlerComServer in the capture was due to wuauclt.exe spawning a child after executing code in helpa.dll.
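A defender-side illustration of the approach described in the reply above, as an added example that is not part of the issue thread or of any project's code: it runs the three checks (unsigned image loads into wuauclt.exe from Sysmon EventID 7, unexpected child processes from EventID 1, and the weaker /UpdateDeploymentProvider command-line indicator read from both CommandLine and ParentCommandLine so a missed first execution is still caught) over constructed sample events. The field names are Sysmon's; the sample events and the child-process allowlist are assumptions.

```python
import re
# Constructed sample Sysmon events (not taken from the issue's evtx), reduced to the fields used here.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Windows\System32\wuauclt.exe",
     "ImageLoaded": r"C:\Windows\System32\wuaueng.dll", "Signed": "true"},
    {"EventID": 7, "Image": r"C:\Windows\System32\wuauclt.exe",
     "ImageLoaded": r"C:\ProgramData\Intel\helpa.dll", "Signed": "false"},
    {"EventID": 1, "Image": r"C:\Windows\System32\wuauclt.exe",
     "CommandLine": r"wuauclt.exe /UpdateDeploymentProvider C:\ProgramData\Intel\helpa.dll /RunHandlerComServer",
     "ParentImage": r"C:\Windows\System32\svchost.exe", "ParentCommandLine": r"svchost.exe -k netsvcs"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe",
     "ParentImage": r"C:\Windows\System32\wuauclt.exe",
     "ParentCommandLine": r"wuauclt.exe /UpdateDeploymentProvider C:\ProgramData\Intel\helpa.dll /RunHandlerComServer"},
    {"EventID": 1, "Image": r"C:\Windows\System32\conhost.exe", "CommandLine": "conhost.exe",
     "ParentImage": r"C:\Windows\System32\wuauclt.exe", "ParentCommandLine": "wuauclt.exe /detectnow"},
]
WUAUCLT = "wuauclt.exe"
# Hypothetical allowlist of children wuauclt.exe is expected to spawn; tune it to your environment.
EXPECTED_CHILDREN = {"conhost.exe"}
DEPLOY_RE = re.compile(r"/UpdateDeploymentProvider\s+(\S+)", re.IGNORECASE)

def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def unsigned_dll_loads(events):
    """Sysmon EventID 7: image loads into wuauclt.exe whose Signed field is not 'true'."""
    return [e["ImageLoaded"] for e in events
            if e.get("EventID") == 7 and _basename(e.get("Image", "")) == WUAUCLT
            and str(e.get("Signed", "")).lower() != "true"]

def unusual_children(events):
    """Sysmon EventID 1: processes spawned by wuauclt.exe that are not on the allowlist."""
    return [e["Image"] for e in events
            if e.get("EventID") == 1 and _basename(e.get("ParentImage", "")) == WUAUCLT
            and _basename(e.get("Image", "")) not in EXPECTED_CHILDREN]

def deployment_provider_dlls(events):
    """Weaker, FP-prone indicator: DLL paths after /UpdateDeploymentProvider, read from both
    CommandLine and ParentCommandLine so a missed first execution (as in the issue) is still caught."""
    return sorted({m.group(1) for e in events if e.get("EventID") == 1
                   for m in (DEPLOY_RE.search(e.get(f, "")) for f in ("CommandLine", "ParentCommandLine"))
                   if m})

if __name__ == "__main__":
    print("unsigned DLLs loaded into wuauclt.exe:", unsigned_dll_loads(SAMPLE_EVENTS))
    print("unexpected children of wuauclt.exe:", unusual_children(SAMPLE_EVENTS))
    print("/UpdateDeploymentProvider DLL paths:", deployment_provider_dlls(SAMPLE_EVENTS))
```

On the constructed sample the signed wuaueng.dll load and the allowlisted conhost.exe child produce no hits, while helpa.dll and cmd.exe do.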