mirror of
https://github.com/socfortress/Wazuh-Rules.git
synced 2025-11-09 08:06:41 +00:00
Update 113101-MITRE_TECHNIQUES_FROM_SYSMON_EVENT14.xml
committed by
GitHub
parent
a52a8a4c9c
commit
b8b2c759f8
@@ -440,7 +440,7 @@
|
|||||||
<group>sysmon_event_14,</group>
|
<group>sysmon_event_14,</group>
|
||||||
</rule>
|
</rule>
|
||||||
<!-- Sysmon - Event 14: RegistryEvent (Key and Value Rename) by $(win.eventdata.image) -->
|
<!-- Sysmon - Event 14: RegistryEvent (Key and Value Rename) by $(win.eventdata.image) -->
|
||||||
<rule id="113141" level="12">
|
<rule id="113141" level="10">
|
||||||
<if_sid>61616</if_sid>
|
<if_sid>61616</if_sid>
|
||||||
<field name="win.eventdata.RuleName">^technique_id=T1113,technique_name=Recall Enabled via Registry Delete$</field>
|
<field name="win.eventdata.RuleName">^technique_id=T1113,technique_name=Recall Enabled via Registry Delete$</field>
|
||||||
<description>Sysmon - Event 14: RegistryEvent (Key and Value Rename) by $(win.eventdata.image)</description>
|
<description>Sysmon - Event 14: RegistryEvent (Key and Value Rename) by $(win.eventdata.image)</description>
|
||||||
|
|||||||
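Review bot: The `<description>` of rule 113141 is still the generic `Sysmon - Event 14: RegistryEvent (Key and Value Rename) by $(win.eventdata.image)`, so the alert does not tell an analyst that the match was on the `Recall Enabled via Registry Delete` RuleName; something like `<description>Sysmon - Event 14: Recall Enabled via Registry Delete by $(win.eventdata.image)</description>` would make it triageable. Assuming the second copy of each line is the new side, the level drops from 12 to 10, which is below Wazuh's default `email_alert_level` of 12, so deployments that notify at the default threshold would stop getting mail for this rule; if that is intended, a one-line comment above the rule giving the reason would help. The RuleName says "Registry Delete" while the rule is filed under Event 14 (key and value rename), which may be worth checking against the Sysmon configuration that emits the tag. The rest of the rule and its closing tag fall outside the hunk.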