Sysmon log loading of ieproxy.dll for detecting IE COM abuse
| <!--SYSMON EVENT ID 7 : DLL (IMAGE) LOADED BY PROCESS--> | |
| <!--DATA: UtcTime, ProcessGuid, ProcessId, Image, ImageLoaded, Hashes, Signed, Signature, SignatureStatus--> | |
| <ImageLoad onmatch="include"> | |
| <ImageLoaded condition="end with">ieproxy.dll</ImageLoaded> | |
| </ImageLoad> | |
| <ImageLoad onmatch="exclude"> | |
| <Image condition="is">C:\Program Files (x86)\Internet Explorer\iexplore.exe</Image> | |
| <Image condition="is">C:\Program Files\internet explorer\iexplore.exe</Image> | |
| <Image condition="is">C:\Program Files (x86)\Internet Explorer\ielowutil.exe</Image> | |
| <Image condition="is">C:\Program Files\internet explorer\ielowutil.exe</Image> | |
| </ImageLoad> |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment