Add OriginalFileName to Name regex search for better hunting (#2895)
Added OriginalFileName OR EntryName into filter to improve hunting
results on renamed binaries.
mgreen27 authored and scudette committed Aug 28, 2023
1 parent 2ec9d43 commit c6ee310
Showing 1 changed file with 4 additions and 4 deletions.
8 changes: 4 additions & 4 deletions artifacts/definitions/Windows/Detection/Amcache.yaml
Expand Up @@ -13,7 +13,7 @@ description: |
- SHA1regex - regex entries to filter by SHA1.
- PathRegex - filter on path if available.
- NameRegex - filter on EntryName / binary.
- NameRegex - filter on EntryName OR OriginalFileName.
NOTE:
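Review bot: the new NameRegex description should say that OriginalFileName is not populated for every Amcache entry, the way the PathRegex line already hedges with "if available"; otherwise an analyst may assume every row was checked against both fields. Suggest "- NameRegex - filter on EntryName OR OriginalFileName (when present)." so the description matches the fallback behaviour of the filter.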
Expand Down Expand Up @@ -109,9 +109,9 @@ sources:
WHERE SHA1
AND SHA1 =~ SHA1Regex
AND if(condition= NameRegex,
then= EntryName =~ NameRegex,
else= True)
then= EntryName =~ NameRegex OR OriginalFileName =~ NameRegex,
else= True)
AND if(condition= PathRegex,
then= EntryPath =~ PathRegex,
else= True)
})
})
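Review bot: the OR in the then= branch silently degrades to an EntryName-only match whenever OriginalFileName is empty or missing for an entry, which is the intended fallback but worth a one-line comment next to the filter so a future maintainer does not "fix" it by requiring both fields. Since the commit message targets renamed binaries, also confirm that OriginalFileName is among the selected output columns (not visible in this hunk); if it is not, a hit that matched only on OriginalFileName would show an EntryName that does not match NameRegex, which is confusing at triage time.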
