windows-dll-hijacking

Filtering out SysWOW64

Open iosonogio opened this issue 1 year ago • 0 comments

Many thanks for these resources! In the SIGMA rule possible_windows_dll_hijacking.yml this path should/could be filtered out: C:\Windows\SysWOW64\

That is:

    filter:
        EventID: 7
        ImageLoaded:
            - "C:\\Windows\\WinSxS\\*"
            - "C:\\Windows\\System32\\*"
            - "C:\\Windows\\SysWOW64\\*"

iosonogio, Sep 27 '23 13:09
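The effect of the proposed filter on image-load events, as an added example that is not part of the original issue or the project's rule. It assumes the trailing `*` acts as a wildcard and that matching is case-insensitive; the function names and the sample events (including the user name `alice`) are constructed for illustration.

```python
import re

# Filter block from the issue, with the proposed SysWOW64 entry included.
FILTER = {
    "EventID": 7,
    "ImageLoaded": [
        "C:\\Windows\\WinSxS\\*",
        "C:\\Windows\\System32\\*",
        "C:\\Windows\\SysWOW64\\*",
    ],
}

def pattern_match(pattern, value):
    """Assumed semantics: case-insensitive, '*' matches any run of characters."""
    if not isinstance(pattern, str):
        return pattern == value
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, str(value), re.IGNORECASE | re.DOTALL) is not None

def is_filtered(event, flt=FILTER):
    """Fields are ANDed; a list of values under one field is ORed."""
    for field, expected in flt.items():
        if field not in event:
            return False
        values = expected if isinstance(expected, list) else [expected]
        if not any(pattern_match(v, event[field]) for v in values):
            return False
    return True

# Constructed Sysmon-style image-load events (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 7, "ImageLoaded": "C:\\Windows\\SysWOW64\\version.dll"},
    {"EventID": 7, "ImageLoaded": "c:\\windows\\syswow64\\dbghelp.dll"},
    {"EventID": 7, "ImageLoaded": "C:\\Windows\\System32\\version.dll"},
    {"EventID": 7, "ImageLoaded": "C:\\Users\\alice\\AppData\\Local\\App\\version.dll"},
    {"EventID": 7, "ImageLoaded": "C:\\Windows\\SysWOW64Backup\\version.dll"},
]

def remaining_candidates(events):
    """Events the filter does NOT exclude, i.e. still eligible to alert."""
    return [e for e in events if not is_filtered(e)]

if __name__ == "__main__":
    for e in remaining_candidates(SAMPLE_EVENTS):
        print(e["EventID"], e["ImageLoaded"])
```

Only the user-profile load and the `SysWOW64Backup` lookalike directory stay eligible to alert, because the trailing backslash in the pattern anchors the match to the real directory.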