README updated
qjerome committed Feb 1, 2018
1 parent 0479e93 commit 516c3a9
Showing 1 changed file with 9 additions and 8 deletions.
17 changes: 9 additions & 8 deletions README.md
Expand Up @@ -47,7 +47,8 @@ as it is done by the well known Mimikatz credential dump tool.
}
```

You can find a bunch of other rules on our [repository](https://github.com/0xrawsec/gene-rules).
You can find a bunch of other rules as well as a quick introduction to the
syntax of the rules on the [Gene repository](https://github.com/0xrawsec/gene-rules).

# Demo

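Review bot: the link text "Gene repository" in the added lines points at https://github.com/0xrawsec/gene-rules, which is the rules repository rather than the engine this README belongs to; naming it the "gene-rules repository" (or simply "rules repository") avoids sending readers to the wrong place for the syntax introduction. The informal "a bunch of other rules" could also become "many other rules" to match a README's register.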
Expand All @@ -64,16 +65,16 @@ which matched the event.
{
"Event": {
"EventData": {
"CallTrace": "C:\\Windows\\SYSTEM32\\ntdll.dll+4bf9a|C:\\Windows\\system32\\KERNELBASE.dll+189b7|C:\\Windows\\system32\\taskmgr.exe+140e3|C:\\Windows\\system32\\taskmgr.exe+14f01|C:\\Windows\\system32\\taskmgr.exe+15a28|C:\\Windows\\system32\\taskmgr.exe+79d7|C:\\Windows\\system32\\taskmgr.exe+9695|C:\\Windows\\system32\\USER32.dll+2798b|C:\\Windows\\system32\\USER32.dll+27766|C:\\Windows\\system32\\USER32.dll+27696|C:\\Windows\\system32\\USER32.dll+19bbd|C:\\Windows\\system32\\USER32.dll+1729b|C:\\Windows\\system32\\USER32.dll+167e9|C:\\Windows\\SYSTEM32\\ntdll.dll+4bc65|UNKNOWN(FFFFF80002B72AF2)|UNKNOWN(FFFFF960001A2149)|UNKNOWN(FFFFF960001696EB)|UNKNOWN(FFFFF96000239B0D)|UNKNOWN(FFFFF960001E1AF5)|UNKNOWN(FFFFF9600017E1C6)|UNKNOWN(FFFFF9600018413C)|UNKNOWN(FFFFF96000175E87)|UNKNOWN(FFFFF96000183626)|UNKNOWN(FFFFF80002880C13)",
"GrantedAccess": "0x1400",
"SourceImage": "C:\\Windows\\system32\\taskmgr.exe",
"SourceProcessGUID": "{49F1AF32-1388-5A73-0000-0010524A3600}",
"SourceProcessId": "3592",
"SourceThreadId": "3736",
"CallTrace": "C:\\Windows\\SYSTEM32\\ntdll.dll+4bf9a|C:\\Windows\\system32\\KERNELBASE.dll+189b7|UNKNOWN(00000000259123BC)",
"GrantedAccess": "0x1410",
"SourceImage": "C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe",
"SourceProcessGUID": "{49F1AF32-DD18-5A72-0000-0010042C0A00}",
"SourceProcessId": "2248",
"SourceThreadId": "3308",
"TargetImage": "C:\\Windows\\system32\\lsass.exe",
"TargetProcessGUID": "{49F1AF32-DB3B-5A72-0000-001013690000}",
"TargetProcessId": "492",
"UtcTime": "2018-02-01 13:20:22.277"
"UtcTime": "2018-02-01 11:24:53.331"
},
"GeneInfo": {
"Criticality": 10,
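Review bot: the replacement sample event comes with no sentence saying why it illustrates the Mimikatz-style credential-dump rule better than the taskmgr.exe event it replaces, so a reader cannot tell which fields matter. Add a short note under the example pointing out what changed: the source is now powershell.exe rather than taskmgr.exe, GrantedAccess 0x1410 adds PROCESS_VM_READ (0x0010) to the query-only 0x1400 mask of the old sample, and the CallTrace ends in UNKNOWN(00000000259123BC), a user-mode address outside any loaded module. Those are the characteristics a defender tuning the rule should understand; keeping the old taskmgr.exe event next to it as a non-matching example would also show what a benign lsass.exe access looks like.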
