Filtering out SysWOW64
iosonogio opened this issue · 0 comments
iosonogio commented
Many thanks for these resources! In the SIGMA rule possible_windows_dll_hijacking.yml
this path should/could be filtered out: C:\Windows\SysWOW64\
That is:
```yaml
filter:
    EventID: 7
    ImageLoaded:
        - "C:\\Windows\\WinSxS\\*"
        - "C:\\Windows\\System32\\*"
        - "C:\\Windows\\SysWOW64\\*"
```
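The effect of the proposed filter entry, as an added example that is not part of the original issue or of the rule's repository. It assumes the rule's existing filter holds the WinSxS and System32 paths, that Sigma wildcards match case-insensitively, and that the sample Sysmon Event ID 7 records (all constructed) passed the rule's selection.

```python
import re

# Filter paths as written in the issue; the split into "current" and
# "proposed" is an assumption about what the rule already contains.
FILTER_CURRENT = [r"C:\Windows\WinSxS\*", r"C:\Windows\System32\*"]
FILTER_PROPOSED = FILTER_CURRENT + [r"C:\Windows\SysWOW64\*"]

# Constructed Sysmon Event ID 7 (image load) records, not real telemetry.
EVENTS = [
    {"EventID": 7, "ImageLoaded": r"C:\Windows\System32\version.dll"},
    {"EventID": 7, "ImageLoaded": r"C:\Windows\SysWOW64\version.dll"},
    {"EventID": 7, "ImageLoaded": r"c:\windows\syswow64\dbghelp.dll"},
    {"EventID": 7, "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\version.dll"},
    {"EventID": 7, "ImageLoaded": r"C:\Program Files (x86)\App\version.dll"},
]


def wildcard_to_regex(pattern):
    """Translate a Sigma-style wildcard (* and ?) into an anchored regex."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))  # backslashes and dots stay literal
    return re.compile("".join(parts), re.IGNORECASE | re.DOTALL)


def is_filtered(event, patterns):
    """True when the event is an image load from one of the filtered paths."""
    if event.get("EventID") != 7:
        return False
    path = event.get("ImageLoaded", "")
    return any(wildcard_to_regex(p).fullmatch(path) for p in patterns)


def surviving(events, patterns):
    """Paths that remain alert candidates after the filter is applied."""
    return [e["ImageLoaded"] for e in events if not is_filtered(e, patterns)]


if __name__ == "__main__":
    print("current filter :", surviving(EVENTS, FILTER_CURRENT))
    print("proposed filter:", surviving(EVENTS, FILTER_PROPOSED))
```

With the SysWOW64 entry, loads by 32-bit processes from the system directory drop out of the results, while the same DLL names loaded from user-writable or application directories still surface.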