From 0744107fbb3fcf2444d00a8d3539dd1a2ce6bbd4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Furkan=20=C3=87ALI=C5=9EKAN?=
Date: Thu, 4 Jun 2020 18:19:08 +0300
Subject: [PATCH] Deleted EventID part

---
 rules/windows/sysmon/sysmon_apt_muddywater_dnstunnel.yml | 1 -
 1 file changed, 1 deletion(-)

diff --git a/rules/windows/sysmon/sysmon_apt_muddywater_dnstunnel.yml b/rules/windows/sysmon/sysmon_apt_muddywater_dnstunnel.yml
index 13ee8b635..87b6a254f 100644
--- a/rules/windows/sysmon/sysmon_apt_muddywater_dnstunnel.yml
+++ b/rules/windows/sysmon/sysmon_apt_muddywater_dnstunnel.yml
@@ -13,7 +13,6 @@ logsource:
     product: windows
 detection:
     selection:
-        EventID: 1
         Image|endswith:
             - '\powershell.exe'
         ParentImage|endswith: