Update win_apt_mustangpanda.yml

2020-10-15 17:33:02 -03:00
parent a06114d611
commit 82fbfed2c2
1 changed files with 7 additions and 6 deletions
@@ -13,12 +13,13 @@ logsource:
    product: windows
 detection:
    selection1:
-        CommandLine: 
-            - '*Temp\wtask.exe /create*'
-            - '*%windir:~-3,1%%PUBLIC:~-9,1%*'
-            - '*/E:vbscript * C:\Users\\*.txt" /F'
-            - '*/tn "Security Script *'
-            - '*%windir:~-1,1%*'
+        CommandLine|endswith: 
+            - 'Temp\wtask.exe /create*'
+            - '%windir:~-3,1%%PUBLIC:~-9,1%*'
+            - '/tn "Security Script *'
+            - '%windir:~-1,1%*'
+        Commandline|startswith:
+            - '/E:vbscript * C:\Users\\*.txt" /F'
    selection2:
        Image:
            - '*Temp\winwsh.exe'