Update win_av_relevant_match.yml

2020-10-15 15:17:33 -03:00
parent b555628321
commit 777e49b76c
1 changed files with 26 additions and 26 deletions
@@ -8,32 +8,32 @@ logsource:
    service: application
 detection:
    keywords:
-        Message:
-            - "*HTool*"
-            - "*Hacktool*"
-            - "*ASP/Backdoor*"
-            - "*JSP/Backdoor*"
-            - "*PHP/Backdoor*"
-            - "*Backdoor.ASP*"
-            - "*Backdoor.JSP*"
-            - "*Backdoor.PHP*"
-            - "*Webshell*"
-            - "*Portscan*"
-            - "*Mimikatz*"
-            - "*WinCred*"
-            - "*PlugX*"
-            - "*Korplug*"
-            - "*Pwdump*"
-            - "*Chopper*"
-            - "*WmiExec*"
-            - "*Xscan*"
-            - "*Clearlog*"
-            - "*ASPXSpy*"
-    filters:
-        Message:
-            - "*Keygen*"
-            - "*Crack*"
-    condition: keywords and not 1 of filters
+        Message|contains:
+            - "HTool"
+            - "Hacktool"
+            - "ASP/Backdoor"
+            - "JSP/Backdoor"
+            - "PHP/Backdoor"
+            - "Backdoor.ASP"
+            - "Backdoor.JSP"
+            - "Backdoor.PHP"
+            - "Webshell"
+            - "Portscan"
+            - "Mimikatz"
+            - "WinCred"
+            - "PlugX"
+            - "Korplug"
+            - "Pwdump"
+            - "Chopper"
+            - "WmiExec"
+            - "Xscan"
+            - "Clearlog"
+            - "ASPXSpy"
+    filter:
+        Message|contains:
+            - "Keygen"
+            - "Crack"
+    condition: keywords and not filter
 falsepositives:
    - Some software piracy tools (key generators, cracks) are classified as hack tools
 level: high