From 777e49b76c700f9fd8817cbe2f08a0b6079e82d2 Mon Sep 17 00:00:00 2001
From: Jonhnathan
Date: Thu, 15 Oct 2020 15:17:33 -0300
Subject: [PATCH] Update win_av_relevant_match.yml

---
.../windows/builtin/win_av_relevant_match.yml | 52 +++++++++----------
1 file changed, 26 insertions(+), 26 deletions(-)

diff --git a/rules/windows/builtin/win_av_relevant_match.yml b/rules/windows/builtin/win_av_relevant_match.yml
index 360f9a1b0..4a2c35ebc 100644
--- a/rules/windows/builtin/win_av_relevant_match.yml
+++ b/rules/windows/builtin/win_av_relevant_match.yml
@@ -8,32 +8,32 @@ logsource:
service: application
detection:
keywords:
- Message:
- "*HTool*"
- "*Hacktool*"
- "*ASP/Backdoor*"
- "*JSP/Backdoor*"
- "*PHP/Backdoor*"
- "*Backdoor.ASP*"
- "*Backdoor.JSP*"
- "*Backdoor.PHP*"
- "*Webshell*"
- "*Portscan*"
- "*Mimikatz*"
- "*WinCred*"
- "*PlugX*"
- "*Korplug*"
- "*Pwdump*"
- "*Chopper*"
- "*WmiExec*"
- "*Xscan*"
- "*Clearlog*"
- "*ASPXSpy*"
- filters:
- Message:
- "*Keygen*"
- "*Crack*"
- condition: keywords and not 1 of filters
+ Message|contains:
+ "HTool"
+ "Hacktool"
+ "ASP/Backdoor"
+ "JSP/Backdoor"
+ "PHP/Backdoor"
+ "Backdoor.ASP"
+ "Backdoor.JSP"
+ "Backdoor.PHP"
+ "Webshell"
+ "Portscan"
+ "Mimikatz"
+ "WinCred"
+ "PlugX"
+ "Korplug"
+ "Pwdump"
+ "Chopper"
+ "WmiExec"
+ "Xscan"
+ "Clearlog"
+ "ASPXSpy"
+ filter:
+ Message|contains:
+ "Keygen"
+ "Crack"
+ condition: keywords and not filter
falsepositives:
- Some software piracy tools (key generators, cracks) are classified as hack tools
level: high
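Review bot: The `filter` on the new side suppresses the whole event whenever `Message` contains "Keygen" or "Crack", even if the same message also matched one of the specific tool names (Mimikatz, Webshell, PlugX, Pwdump …), so a high-confidence AV hit whose path or description happens to include "crack" is silently dropped from a `level: high` rule. The filter exists only to exclude piracy tools that vendors file under the generic HTool/Hacktool labels (per the stated false positive), so it should be scoped to those two strings alone; that needs the keyword block split in two and the condition changed, as shown below. Separately, the detection logic changed but this diff touches no `modified:` field; the rule header sits outside the hunk, so confirm it is bumped per Sigma convention.
```yaml
detection:
    keywords_generic:
        Message|contains:
            - "HTool"
            - "Hacktool"
    keywords_specific:
        Message|contains:
            # … unchanged: the 18 named-tool strings (ASP/Backdoor … ASPXSpy) …
    filter:
        Message|contains:
            - "Keygen"
            - "Crack"
    condition: keywords_specific or (keywords_generic and not filter)
```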