Update proc_creation_win_lolbin_agentexecutor.yml

2022-12-23 20:11:55 +01:00
parent 16fe47a8fa
commit 5fdad241ea
1 changed files with 2 additions and 3 deletions
@@ -15,15 +15,14 @@ logsource:
    category: process_creation
    product: windows
 detection:
-    selection1:
+    selection:
        Image: 'AgentExecutor.exe'
-    selection2: 
        CommandLine|contains: '-powershell'
    filter:
        CommandLine|contains:
            - ' C:\Windows\SysWOW64\WindowsPowerShell\'
            - ' C:\Windows\System32\WindowsPowerShell\'
-    condition: selection1 and selection2 and not filter
+    condition: selection and not filter
 falsepositives:
    - Unknown
 level: medium