Support for Malicious cmdlets in ATP

This commit is contained in:
agold
2019-08-20 14:33:08 -07:00
parent 1bfe925f6b
commit 0984293d0c
+5
@@ -138,12 +138,17 @@ class WindowsDefenderATPBackend(SingleTextQueryBackend):
if (self.category, self.product, self.service) == ("process_creation", "windows", None):
self.table = "ProcessCreationEvents"
elif (self.category, self.product, self.service) == (None, "windows", "powershell"):
self.table = "MiscEvents"
self.orToken = ", "
return super().generate(sigmaparser)
def generateBefore(self, parsed):
if self.table is None:
raise NotSupportedError("No WDATP table could be determined from Sigma rule")
if self.table == "MiscEvents" and self.service == "powershell":
return "%s | where tostring(extractjson('$.Command', AdditionalFields)) in~ " % self.table
return "%s | where " % self.table
def generateMapItemNode(self, node):
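Review bot: The `self.orToken = ", "` assignment in the new powershell branch mutates the backend instance with no matching assignment on the process_creation branch, so if one backend object converts several rules, a process_creation rule that follows a powershell rule is joined with `, ` instead of the class default — unless generate() resets orToken earlier in its body, which lies outside the hunk. Setting it explicitly on every branch, or saving the original value and restoring it after `return super().generate(sigmaparser)`, would make each conversion independent of the previous one. The new MiscEvents branch in generateBefore also relies on the value list that follows being parenthesised, since KQL's `in~` takes a parenthesised comma-separated list; a comment stating that contract, e.g. `# in~ needs a parenthesised list; orToken is set to ", " in generate() for this path`, would help the next maintainer. The enclosing generate() starts before the hunk and generateMapItemNode's body lies after it.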