Sysmon log loading of ieproxy.dll for detecting IE COM abuse
<!--SYSMON EVENT ID 7 : DLL (IMAGE) LOADED BY PROCESS-->
<!--DATA: UtcTime, ProcessGuid, ProcessId, Image, ImageLoaded, Hashes, Signed, Signature, SignatureStatus-->
<ImageLoad onmatch="include">
    <ImageLoaded condition="end with">ieproxy.dll</ImageLoaded>
</ImageLoad>
<ImageLoad onmatch="exclude">
    <Image condition="is">C:\Program Files (x86)\Internet Explorer\iexplore.exe</Image>
    <Image condition="is">C:\Program Files\internet explorer\iexplore.exe</Image>
    <Image condition="is">C:\Program Files (x86)\Internet Explorer\ielowutil.exe</Image>
    <Image condition="is">C:\Program Files\internet explorer\ielowutil.exe</Image>
</ImageLoad>
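
To check which events the rules above actually keep, the following added example (not part of the original gist) models the include/exclude evaluation in Python over constructed sample events. It assumes Sysmon's behaviour that conditions compare case-insensitively and that an exclude match overrides an include match; the names `is_logged`, `triage` and `SAMPLE_EVENTS` are hypothetical.

```python
# Added example: models how the ImageLoad include/exclude rules above filter events.
# Assumptions: Sysmon conditions are case-insensitive, and exclude overrides include.

INCLUDE_SUFFIX = "ieproxy.dll"  # <ImageLoaded condition="end with">

# <Image condition="is"> entries from the exclude block, lower-cased for comparison.
EXCLUDED_IMAGES = {p.lower() for p in (
    r"C:\Program Files (x86)\Internet Explorer\iexplore.exe",
    r"C:\Program Files\internet explorer\iexplore.exe",
    r"C:\Program Files (x86)\Internet Explorer\ielowutil.exe",
    r"C:\Program Files\internet explorer\ielowutil.exe",
)}


def is_logged(image: str, image_loaded: str) -> bool:
    """Return True if an Event ID 7 with these fields would be written to the log."""
    if not image_loaded.lower().endswith(INCLUDE_SUFFIX):
        return False  # include rule does not match, so the event is dropped
    # "is" requires the full path to match, so a same-named binary elsewhere is kept.
    return image.lower() not in EXCLUDED_IMAGES


# Constructed sample events (Image, ImageLoaded); not real telemetry.
SAMPLE_EVENTS = [
    # Legitimate IE, path casing differs from the rule text: excluded.
    (r"C:\Program Files\Internet Explorer\iexplore.exe",
     r"C:\Program Files\Internet Explorer\ieproxy.dll"),
    # Non-IE process loading the proxy DLL: the case this rule exists to surface.
    (r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r"C:\Program Files\Internet Explorer\ieproxy.dll"),
    # Binary named iexplore.exe outside the excluded directories: still logged.
    (r"C:\Users\Public\iexplore.exe",
     r"C:\Program Files (x86)\Internet Explorer\ieproxy.dll"),
    # Unrelated DLL: never matches the include rule.
    (r"C:\Windows\System32\wscript.exe", r"C:\Windows\System32\jscript.dll"),
]


def triage(events):
    """Return only the events the rule set would log."""
    return [(img, dll) for img, dll in events if is_logged(img, dll)]


if __name__ == "__main__":
    for img, dll in triage(SAMPLE_EVENTS):
        print(f"LOGGED  {img} -> {dll}")
```

Because the include condition is `end with`, any DLL whose file name merely ends in `ieproxy.dll` also matches, so triage should confirm the full `ImageLoaded` path and the `Signed`/`Signature` fields.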