Merge PR #5006 from @frack113 - Fix UNC2452 Process Creation Patterns

fix: UNC2452 Process Creation Patterns - Add the missing `all` modifier
SigmaHQ · Sep 13, 2024 · 236db73 · 236db73
1 parent 1324828
commit 236db73
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/...s-emerging-threats/2020/TA/SolarWinds-Supply-Chain/proc_creation_win_apt_unc2452_cmds.yml b/...s-emerging-threats/2020/TA/SolarWinds-Supply-Chain/proc_creation_win_apt_unc2452_cmds.yml
@@ -6,7 +6,7 @@ references:
     - https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/
 author: Florian Roth (Nextron Systems)
 date: 2021-01-22
-modified: 2023-09-12
+modified: 2024-09-12
 tags:
     - attack.execution
     - attack.t1059.001
@@ -42,7 +42,7 @@ detection:
             - '.dll,Tk_'
     selection_generic_4:
         ParentImage|endswith: '\rundll32.exe'
-        ParentCommandLine|contains:
+        ParentCommandLine|contains|all:
             - 'C:\Windows'
             - '.dll'
         CommandLine|contains: 'cmd.exe /C '