fix: ping hex ip rule

lukiffer · Oct 16, 2020 · 48f1be0 · 48f1be0
1 parent 3affdd1
commit 48f1be0
Showing 1 changed file with 6 additions and 3 deletions.
diff --git a/rules/windows/process_creation/win_susp_ping_hex_ip.yml b/rules/windows/process_creation/win_susp_ping_hex_ip.yml
@@ -6,6 +6,7 @@ references:
     - https://twitter.com/vysecurity/status/977198418354491392
 author: Florian Roth
 date: 2018/03/23
+modified: 2020/10/16
 tags:
     - attack.defense_evasion
     - attack.t1140
@@ -15,9 +16,11 @@ logsource:
     product: windows
 detection:
     selection:
-        CommandLine:
-            - '*\ping.exe 0x*'
-            - '*\ping 0x*'
+        CommandLine|contains:
+            - '\ping.exe 0x'
+            - '\ping 0x'
+        Image|contains:
+            - 'ping.exe'
     condition: selection
 fields:
     - ParentCommandLine