security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Update win_software_discovery.yml

Browse Source 
Add edits
This commit is contained in:
Nikita Nazarov
2020-10-19 11:05:45 +03:00
committed by GitHub
parent 30ce1ff268
commit 654bd7bdba
1 changed files with 2 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/windows/builtin/win_software_discovery.yml
+2 -3
View File
@@ -7,7 +7,6 @@ author: Nikita Nazarov, oscd.community
date: 2020/10/16
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518/T1518.md
- https://attack.mitre.org/techniques/T1518/
tags:
- attack.discovery
- attack.t1518
@@ -25,7 +24,7 @@ detection:
EventID: 4104
ScriptBlockText|contains|all: # Example: Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate | Format-Table -Autosize
- 'get-itemProperty'
- '*\software\*'
- '\software\'
- 'select-object'
- 'format-table'
---
@@ -37,6 +36,6 @@ detection:
Image|endswith: '\reg.exe' # Example: reg query "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer" /v svcVersion
CommandLine|contains|all:
- 'query'
- '*\software\*'
- '\software\'
- '/v'
- 'svcversion'