security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fixing false positives

Browse Source
This commit is contained in:
Florian Roth
2020-02-26 09:33:55 +01:00
parent 82d2b1e6f0
commit 4f3e3166d3
2 changed files with 4 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/windows/process_creation/win_copying_sensitive_files_with_credential_data.yml
+3 -3
View File
@@ -21,13 +21,13 @@ detection:
- Image|endswith: '\esentutl.exe'
CommandLine|contains:
- 'vss'
- '/m'
- '/y'
- ' /m '
- ' /y '
- CommandLine|contains:
- '\windows\ntds\ntds.dit'
- '\config\sam'
- '\config\security'
- '\config\system'
- '\config\system ' # space needed to avoid false positives with \config\systemprofile\
- '\repair\sam'
- '\repair\system'
- '\repair\security'
rules/windows/sysmon/sysmon_suspicious_remote_thread.yml
+1 -1
View File
@@ -59,7 +59,7 @@ detection:
- '\schtasks.exe'
- '\smartscreen.exe'
- '\spoolsv.exe'
- '\taskhost.exe'
# - '\taskhost.exe' # disabled due to false positives
- '\tstheme.exe'
- '\userinit.exe'
- '\vssadmin.exe'