Commit

Merge pull request SigmaHQ#1205 from Neo23x0/rule-devel
fix: ping hex ip rule
Neo23x0 authored Oct 16, 2020
2 parents f064102 + 986b711 commit 75f1772
Showing 1 changed file with 5 additions and 2 deletions.
7 changes: 5 additions & 2 deletions rules/windows/process_creation/win_susp_ping_hex_ip.yml
Expand Up @@ -6,6 +6,7 @@ references:
- https://twitter.com/vysecurity/status/977198418354491392
author: Florian Roth
date: 2018/03/23
modified: 2020/10/16
tags:
- attack.defense_evasion
- attack.t1140
Expand All @@ -16,8 +17,10 @@ logsource:
detection:
selection:
CommandLine|contains:
- 'ping.exe*0x*'
- 'ping*0x*'
- '\ping.exe 0x'
- '\ping 0x'
Image|contains:
- 'ping.exe'
condition: selection
fields:
- ParentCommandLine
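Review bot: the new CommandLine values '\ping.exe 0x' and '\ping 0x' require a backslash directly before "ping" and exactly one space before "0x", which looks narrower than intended. A command line that invokes ping without a path, one that quotes the full path (the closing quote sits between ".exe" and the space), or one that puts an option between the binary and the hex address will not contain either string, and because both fields sit under the same selection they are ANDed, so those executions are missed. Since the added Image condition already identifies the process, consider matching only the hex prefix in CommandLine (for example ' 0x') and checking the false-positive rate. Also consider Image|endswith: '\ping.exe' instead of Image|contains: 'ping.exe', since contains also matches any other path that merely includes that substring.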