Update proc_creation_win_dotnet_trace_lolbin_execution.yml

SigmaHQ · Jan 2, 2024 · eef0995 · eef0995
1 parent 6a55b91
commit eef0995
Showing 1 changed file with 5 additions and 5 deletions.
diff --git a/rules/windows/process_creation/proc_creation_win_dotnet_trace_lolbin_execution.yml b/rules/windows/process_creation/proc_creation_win_dotnet_trace_lolbin_execution.yml
@@ -1,11 +1,11 @@
-title: Lolbin Execution Via Dotnet-Trace.exe
+title: Lolbin Execution Via Dotnet-Trace.EXE
 id: 9257c05b-4a4a-48e5-a670-b7b073cf401b
 status: experimental
-description: Detects cmdline arguments for executing a child process with dotnet-trace.exe
+description: Detects commandline arguments for executing a child process via dotnet-trace.exe
 references:
     - https://twitter.com/bohops/status/1740022869198037480
 author: Jimmy Bayne (@bohops)
-date: 2023/12/27
+date: 2024/01/02
 tags:
     - attack.execution
     - attack.defense_evasion
@@ -19,9 +19,9 @@ detection:
         - OriginalFileName: 'dotnet-trace.dll'
     selection_cli:
         CommandLine|contains|all:
-            - '--'
+            - '-- '
             - 'collect'
     condition: all of selection_*
 falsepositives:
-    - Unknown
+    - Legitimate usage of the utility in order to debug and trace a program.
 level: medium