4 Comments

Thanks for continuing the series Eric!

I'm getting an error when I try to test the rule against another event (following along with the "testing" portion of your video).

I get this error:

false => (is) {"op":"is","path":"detect/event/FILE_PATH","value":"C:\\Windows\\System32\\svchost.exe"}

In the detection I'm testing against, the command line is:

"COMMAND_LINE": "C:\\Windows\\system32\\svchost.exe -k wusvcs -p -s WaaSMedicSvc",

And of course, I've used your example detection statements:

- op: is
  path: detect/event/FILE_PATH
  value: C:\Windows\System32\svchost.exe

Can you see what I'm doing wrong based on what I've presented here?

Thanks!

author

Looks like it should be working -- can you continue tweaking your rule? For instance, see if you get different results with

- op: ends with
  path: detect/event/FILE_PATH
  value: svchost.exe

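To make the difference between the two operators concrete, here is an added example (not code from the author or from LimaCharlie) that evaluates both rule fragments from this thread against a constructed event. The event's FILE_PATH is an assumption modelled on the COMMAND_LINE shown above, where the path is spelled "system32" in lower case while the rule says "System32"; the `case sensitive` key is assumed to work like the option LimaCharlie documents for its string operators. The defensive point is that an exact-match rule whose value differs only in case from what the sensor reports will silently never fire, so a suffix match or a case-insensitive comparison is safer for Windows paths.

```python
"""Toy evaluator for two D&R-style string operators: "is" and "ends with".

Added example for the comment thread above; it is not LimaCharlie's code.
"""
from typing import Any, Optional

# Constructed sample event. Only COMMAND_LINE appears in the thread;
# FILE_PATH here is an assumption derived from it (note lower-case "system32").
SAMPLE_EVENT: dict[str, Any] = {
    "detect": {
        "event": {
            "FILE_PATH": "C:\\Windows\\system32\\svchost.exe",
            "COMMAND_LINE": "C:\\Windows\\system32\\svchost.exe -k wusvcs -p -s WaaSMedicSvc",
        }
    }
}

# The two rule fragments from the thread, plus a case-insensitive variant
# of the first one (the `case sensitive` key is an assumption, see lead-in).
RULE_IS = {
    "op": "is",
    "path": "detect/event/FILE_PATH",
    "value": "C:\\Windows\\System32\\svchost.exe",
}
RULE_ENDS_WITH = {
    "op": "ends with",
    "path": "detect/event/FILE_PATH",
    "value": "svchost.exe",
}
RULE_IS_CASE_INSENSITIVE = {**RULE_IS, "case sensitive": False}


def resolve_path(event: dict[str, Any], path: str) -> Optional[Any]:
    """Walk a slash-separated path such as detect/event/FILE_PATH into the event."""
    node: Any = event
    for key in path.split("/"):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def evaluate(rule: dict[str, Any], event: dict[str, Any]) -> bool:
    """Return True when the rule's operator matches the referenced event field."""
    actual = resolve_path(event, rule["path"])
    if not isinstance(actual, str):
        # Missing field or non-string value: treat as no match rather than error.
        return False
    expected = str(rule["value"])
    if not rule.get("case sensitive", True):
        actual, expected = actual.lower(), expected.lower()
    op = rule["op"]
    if op == "is":
        return actual == expected
    if op == "ends with":
        return actual.endswith(expected)
    raise ValueError(f"unsupported op: {op}")


def compare_rules(event: dict[str, Any]) -> dict[str, bool]:
    """Evaluate all three rule variants so the outcomes can be compared side by side."""
    return {
        "is": evaluate(RULE_IS, event),
        "ends with": evaluate(RULE_ENDS_WITH, event),
        "is (case insensitive)": evaluate(RULE_IS_CASE_INSENSITIVE, event),
    }


if __name__ == "__main__":
    for name, matched in compare_rules(SAMPLE_EVENT).items():
        print(f"{matched!s:>5} => ({name})")
```

Running it reproduces the thread's result: the exact "is" comparison is false because of the "system32"/"System32" case difference, while "ends with" on svchost.exe is true, as is the case-insensitive exact match. When testing a rule against a real detection, compare the rule value byte for byte with the field as the sensor actually reports it before assuming the operator is at fault.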

Thanks! That particular tweak worked!

Comment deleted
author

That is why this was a recorded lecture/demo, because it's very difficult to recreate this without specific conditions being met... My goal was to instead teach the overall concept so that you can test it with your own detections.
