security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Update powershell_invoke_obfuscation_via_use_mhsta.yml

Browse Source
This commit is contained in:
Nikita Nazarov
2020-10-09 16:29:20 +03:00
committed by GitHub
parent 27410d3c8e
commit 02e826def3
1 changed files with 2 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/windows/powershell/powershell_invoke_obfuscation_via_use_mhsta.yml
+2 -2
View File
@@ -18,11 +18,11 @@ detection:
selection_1:
EventID: 4104
selection_2:
- ScriptBlockText|re: '(?i).*downloadstring&&.*mshta.*powershell.*\(window.close\).*"'
- ScriptBlockText|re: '(?i).*(set).*(&&).*(mshta).*(vbscript:createobject).*(\.run).*\(window\.close\).*"'
selection_3:
EventID: 4103
selection_4:
- Payload|re: '(?i).*downloadstring&&.*mshta.*powershell.*\(window.close\).*"'
- Payload|re: '(?i).*(set).*(&&).*(mshta).*(vbscript:createobject).*(\.run).*\(window\.close\).*"'
condition: ( selection_1 and selection_2 ) or ( selection_3 and selection_4 )
falsepositives:
- Unknown