Merge pull request #10 from phantinuss/master

Collect LittleCorporal ProcessAccess events

Author: Neo23x0

sysmonconfig-export.xml

@@ -502,6 +502,12 @@
 				<TargetImage condition="end with">lsass.exe</TargetImage>
 				<GrantedAccess condition="contains any">0x40,0x1000,0x1010,0x1038,0x1410,0x1418,0x1438,0x143a,0x100000,0x1f0fff,0x1f1fff,0x1f2fff,0x1f3fff,0x1fffff</GrantedAccess> <!--0x1400 too noisy-->
 			</Rule>
+			<!-- LittleCorporal generated MalDoc Ref: https://github.com/connormcgarr/LittleCorporal -->
+			<Rule groupRelation="and">
+				<SourceImage condition="contains">winword.exe</SourceImage>
+				<CallTrace condition="contains">:\Windows\Microsoft.NET\Framework64\v2.</CallTrace>
+				<CallTrace condition="contains">UNKNOWN</CallTrace>
+			</Rule>
 		</ProcessAccess>
 	</RuleGroup>