LoFP / legitimate package hosted on a known and authorized remote location

Techniques

Sample rules

Loading Diagcab Package From Remote Path

Description

Detects loading of a .diagcab diagnostic package from a remote (UNC) path by the Microsoft Support Diagnostic Tool (msdt.exe), as seen in the DogWalk vulnerability (CVE-2022-34713). Legitimate packages served from a known and authorized remote location will also match, since the rule keys only on the path prefix.

Detection logic

selection:
  EventID: 101
  PackagePath|contains: \\\\   # two literal backslashes, i.e. a UNC path prefix
condition: selection
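The following is an added example, not code from the LoFP page or from the Sigma rule it quotes. It applies the selection above (EventID 101 and a PackagePath containing `\\`) to a handful of constructed event records, then layers on the tuning this false-positive entry calls for: packages whose UNC root is on an allowlist of authorized shares are tagged instead of alerted. The field names (`EventID`, `PackagePath`) are taken from the rule; the event records, hostnames and share names are made up for the example. Note the caveat built into the allowlist: it suppresses alerts for a share, so whoever can write to that share can stage a package that will never fire this rule. Pair it with write-access controls on the share rather than treating it as a substitute for them.

```python
import re

# Constructed sample records shaped like the event the rule reads
# (field names from the rule; values are invented for this example).
SAMPLE_EVENTS = [
    {"EventID": 101, "PackagePath": r"\\10.0.0.5\share\update.diagcab"},
    {"EventID": 101, "PackagePath": r"\\FILESERVER01.corp.example\IT-Tools\netfix.diagcab"},
    {"EventID": 101, "PackagePath": r"C:\Windows\diagnostics\system\Networking"},
    {"EventID": 102, "PackagePath": r"\\10.0.0.5\share\update.diagcab"},
]

# Assumed allowlist of (host, share) pairs an organization has authorized to
# host diagnostic packages. Compared case-insensitively.
AUTHORIZED_SHARES = {("fileserver01.corp.example", "it-tools")}


def sigma_match(event):
    """The rule's selection: EventID 101 and PackagePath contains '\\\\'.

    The Sigma value '\\\\' escapes to two literal backslashes, which is the
    UNC prefix; "\\\\" in Python source is the same two characters."""
    return event.get("EventID") == 101 and "\\\\" in str(event.get("PackagePath", ""))


def unc_root(path):
    """Return (host, share) for a UNC path like \\\\host\\share\\..., else None."""
    m = re.match(r"^\\\\([^\\]+)\\([^\\]+)", path)
    return (m.group(1).lower(), m.group(2).lower()) if m else None


def classify(event, authorized=AUTHORIZED_SHARES):
    """'no-match' if the rule does not fire, 'allowlisted' if it fires on an
    authorized share, otherwise 'alert'."""
    if not sigma_match(event):
        return "no-match"
    if unc_root(event["PackagePath"]) in authorized:
        return "allowlisted"
    return "alert"


def triage(events, authorized=AUTHORIZED_SHARES):
    """Run the rule plus the allowlist over a batch of events."""
    return [(e["PackagePath"], classify(e, authorized)) for e in events]


if __name__ == "__main__":
    for path, verdict in triage(SAMPLE_EVENTS):
        print(f"{verdict:12} {path}")
```

The allowlist keys on host and share only, so a package anywhere under the authorized share is suppressed; if the share is broad, tighten `unc_root` to include the directory or, better, compare a hash of the package against a known-good list.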