security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Completed changes to selection1 and selection2

Browse Source 
changes were completed to remove ( * ) and stay within rule creation guide:
    - Image|endswith:
      - '\winword.exe'
      - '\excel.exe'
      - '\powerpnt.exe'

 WMIcommand|contains: 'Win32_Process\:\:Create'
This commit is contained in:
Cyb3rEng
2021-09-08 21:14:58 -06:00
committed by GitHub
parent 49df2358de
commit 5bbe3dec9b
1 changed files with 5 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/windows/process_creation/Monitor_WMI_Win32_Process Create_command_execution_by_Office_Applications.yml
+5 -5
View File
@@ -20,12 +20,12 @@ detection:
selection1:
EventLog: EDR
EventType: WMIExecution
WMIcommand: '*Win32_Process\:\:Create*'
WMIcommand|contains: 'Win32_Process\:\:Create'
selection2:
- Image:
- '*\winword.exe'
- '*\excel.exe'
- '*\powerpnt.exe'
- Image|endswith:
- '\winword.exe'
- '\excel.exe'
- '\powerpnt.exe'
condition: selection1 AND selection2
falsepositives:
- Unknown