Search error and escaping characters

Hello there, I'm trying to play around with a rule to search for instances of Sticky Keys being abused in Windows.

The output below has been created from converting a SIGMA rule:

process where (event.category : "process" and process.command_line : "*copy " and process.command_line : "/y *" and process.command_line : "C:\windows\system32\cmd.exe C:\windows\system32\sethc.exe")

Whenever I try this in Kibana I get a lot of errors. I understand after reading that I need to escape certain characters. Please can someone advise how to make this work? Also, do I need the process where at the beginning (I don't think I do)?

Hopefully someone can help, as I intend to create and convert a few more SIGMA rules to test.

Thanks

I may have worked it out but have no way of testing.

process.command_line : ("C:\windows\system32\cmd.exe C:\windows\system32\sethc.exe" AND copy AND /y) AND event.category : "process"

Please could someone take a look and tell me what they think.

Thanks
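The two sticking points in the thread are the backslashes in the Windows paths and the fact that there is no way to test the converted logic. The added example below is not from the original poster or from Elastic; it is a small Python helper that (a) escapes a value for a double-quoted EQL string (the same backslash and double-quote escaping applies inside KQL quoted strings), (b) builds the EQL query from the Sigma-style wildcard patterns, and (c) runs the same wildcard logic locally over a few constructed command lines so the detection can be sanity-checked offline before it goes into Kibana. Note that the `process where` prefix belongs to EQL (it is the event-category filter); a KQL query in the Discover search bar has no such prefix. One assumption is labelled in the code: the third pattern is wrapped in `*` so it matches anywhere in the command line, because an EQL `:` comparison with no wildcard is an exact (case-insensitive) match of the whole field.

```python
import fnmatch

# Wildcard patterns mirroring the Sigma-style logic from the thread.
# Assumption: the third term is wrapped in '*' so it matches as a substring
# of the full command line rather than requiring an exact field match.
STICKY_KEYS_PATTERNS = [
    "*copy *",
    "*/y *",
    r"*C:\windows\system32\cmd.exe C:\windows\system32\sethc.exe*",
]


def escape_quoted_string(value: str) -> str:
    """Escape a value for a double-quoted EQL (or KQL) string.

    Inside quotes, a literal backslash must be written as '\\\\' and a literal
    double quote as '\\"'. Wildcard '*' is left as-is so it keeps its meaning.
    """
    return value.replace("\\", "\\\\").replace('"', '\\"')


def build_eql_query(patterns=STICKY_KEYS_PATTERNS) -> str:
    """Build an EQL query from the patterns, escaping each one for Kibana."""
    clauses = " and ".join(
        f'process.command_line : "{escape_quoted_string(p)}"' for p in patterns
    )
    return f'process where event.category : "process" and {clauses}'


def matches_all(cmdline: str, patterns=STICKY_KEYS_PATTERNS) -> bool:
    """Local stand-in for EQL ':' with wildcards: case-insensitive glob match
    of the whole command line against every pattern."""
    lowered = cmdline.lower()
    return all(fnmatch.fnmatchcase(lowered, p.lower()) for p in patterns)


# Constructed sample command lines (not real telemetry): one Sticky Keys
# replacement, one benign copy, one unrelated process.
SAMPLE_COMMAND_LINES = [
    r"cmd.exe /c copy /y C:\windows\system32\cmd.exe C:\windows\system32\sethc.exe",
    r"cmd.exe /c copy /y C:\Users\alice\notes.txt D:\backup\notes.txt",
    r"powershell.exe -NoProfile -Command Get-Process",
]


def triage(samples=SAMPLE_COMMAND_LINES) -> list:
    """Return the sample command lines that the rule logic would flag."""
    return [c for c in samples if matches_all(c)]


if __name__ == "__main__":
    print("EQL query to paste into Kibana:")
    print(build_eql_query())
    print()
    print("Sample command lines flagged locally:")
    for hit in triage():
        print("  ", hit)
```

Run it as a script: the first block of output is the escaped query (every `\` in the paths appears doubled), and the second lists only the constructed line that copies `cmd.exe` over `sethc.exe`, which confirms the three wildcard terms combine as intended.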

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.