security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add Hex equivalent of WriteData

Browse Source
This commit is contained in:
Jonhnathan
2021-05-19 10:27:20 -03:00
committed by GitHub
parent 18bbb2a342
commit 1cf7bb5735
1 changed files with 3 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/windows/builtin/win_GPO_scheduledtasks.yml
+3 -1
View File
@@ -20,7 +20,9 @@ detection:
EventID: 5145
ShareName: \\*\SYSVOL
RelativeTargetName|endswith: 'ScheduledTasks.xml'
Accesses|contains: 'WriteData'
Accesses|contains:
- 'WriteData'
- '%%4417'
condition: selection
falsepositives:
- if the source IP is not localhost then it's super suspicious, better to monitor both local and remote changes to GPO scheduledtasks