Fix review comments

Nasreddine Bencherchali
2022-06-21 17:22:39 +01:00
parent 11dca18b5b
commit 0c2f1bfce5
2 changed files with 11 additions and 6 deletions
@@ -18,11 +18,12 @@ detection:
- Product|endswith: 'AccessChk'
- Description|contains: 'Reports effective permissions'
- Image|endswith: '\accesschk.exe'
selection_cli: # These are the most common flags used with this tool. You could add other combinations if needed
- 'uwcqv '
- 'kwsu '
- 'qwsu '
- 'uwdqs '
selection_cli:
CommandLine|contains: # These are the most common flags used with this tool. You could add other combinations if needed
- 'uwcqv '
- 'kwsu '
- 'qwsu '
- 'uwdqs '
condition: all of selection*
fields:
- IntegrityLevel
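Review bot: The four `CommandLine|contains` values in `selection_cli` match only when the flags appear as one contiguous token in exactly that order, followed by a space. The same AccessChk switches passed separately or in a different order are therefore not covered, even when the image selection matches. The inline comment already hints that other combinations can be added; I would state the limitation outright on its own line above the list rather than trailing the key, e.g. `# Matches only these exact flag strings; reordered or separately passed flags are not covered`. The image selection begins above this hunk, so how it combines with `selection_cli` under `all of selection*` is inferred from the visible condition line only.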
@@ -18,7 +18,11 @@ detection:
CommandLine|contains|all:
- ' service '
- ' get '
- ' name,displayname,pathname,startmode'
CommandLine|contains:
- name
- displayname
- pathname
- startmode
condition: all of selection*
falsepositives:
- Unknown
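Review bot: In the new `CommandLine|contains` list, `name` is a substring of both `displayname` and `pathname`, so those two entries never change the result and the list effectively reduces to `name` or `startmode`. Assuming both keys sit in the same selection (it starts above the hunk and indentation is lost on this page), the rule now fires on any command line containing ` service `, ` get ` and the word `name`. That is much broader than the removed value, which required all four properties together, yet `falsepositives` still says `Unknown`. If order-independence was the goal, adding `- 'pathname'` and `- 'startmode'` to the existing `CommandLine|contains|all` list would keep the specificity; otherwise add an entry such as `- Administrative or inventory scripts querying service properties`. The new values are also unquoted while the neighbouring list items use single quotes.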