-
|
for this highlighted keyword, where i need to look because no field there? CommandLine or Image? Rule Link: (https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_malware_notpetya.yml) |
Beta Was this translation helpful? Give feedback.
Replies: 2 comments
-
|
To my knowledge, In SIGMA a keyword selection means that look in all the fields described by the logsource section. In this specifc case, you should look for the keyword "perfc.dat" in all the fields of process creation (ie 4688 and Sysmon EID 1). Just to get the idea across, for example this rule 06d71506-7beb-4f22-8888-e2e5e2ca7fd8 will look in all the windows event logs available for those specific keywords. (Because no category was specified) I hope this helps :D |
Beta Was this translation helpful? Give feedback.
-
|
Thanks for your answer. @nasbench |
Beta Was this translation helpful? Give feedback.
To my knowledge, In SIGMA a keyword selection means that look in all the fields described by the logsource section. In this specifc case, you should look for the keyword "perfc.dat" in all the fields of process creation (ie 4688 and Sysmon EID 1).
Just to get the idea across, for example this rule 06d71506-7beb-4f22-8888-e2e5e2ca7fd8 will look in all the windows event logs available for those specific keywords. (Because no category was specified)
I hope this helps :D