paulmataruso/main
1
0
Fork 0
mirror of https://github.com/socfortress/Wazuh-Rules.git synced 2025-11-04 13:53:16 +00:00
Code Issues Packages Projects Releases Wiki Activity

Update 900000-exclusion_rules.xml

Browse Source
This commit is contained in:
taylor_socfortress
2025-03-01 11:21:25 -06:00
committed by GitHub
parent 5720855ec4
commit 4a3ac632a7
1 changed files with 7 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
Exclusion Rules/900000-exclusion_rules.xml
View File

@@ -771,4 +771,11 @@
<options>no_full_log</options> <options>no_full_log</options>
<description>DLL file created by printer spool service, possible malware binary drop from PrintNightmare exploit</description> <description>DLL file created by printer spool service, possible malware binary drop from PrintNightmare exploit</description>
</rule> </rule>
<!-- Lower Microsoft AI for WINWORD and powerpoint-->
<rule id="900109" level="10">
<if_sid>100508</if_sid>
<field name="win.eventdata.parentImage" type="pcre2">(?i)^C:\\\\Program Files\\\\Microsoft Office\\\\root\\\\Office16\\\\WINWORD\.EXE$|(?i)^C:\\\\Program Files\\\\Microsoft Office\\\\root\\\\Office16\\\\POWERPNT\.EXE$|(?i)^C:\\\\Program Files \(x86\)\\\\Microsoft Office\\\\root\\\\Office16\\\\WINWORD\.EXE$</field>
<options>no_full_log</options>
<description>Sysmon - Event 1: Process $(win.eventdata.description) - MS RCE Follina Detection.</description>
</rule>
</group> </group>