security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge PR #4859 from @vburov - Update casing of Win32_ShadowCopy for multiple rules

Browse Source 
chore: update casing of `Win32_ShadowCopy` for multiple rules

---------

Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
This commit is contained in:
Vasiliy Burov
2024-05-27 15:33:46 +03:00
committed by GitHub
parent 4163fde77f
commit 92fd446b7d
6 changed files with 7 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/windows/powershell/powershell_script/posh_ps_create_volume_shadow_copy.yml
+1 -1
View File
@@ -17,7 +17,7 @@ logsource:
detection:
selection:
ScriptBlockText|contains|all:
- win32_shadowcopy
- Win32_ShadowCopy
- ').Create('
- ClientAccessible
condition: selection
rules/windows/powershell/powershell_script/posh_ps_susp_win32_shadowcopy.yml
+1 -1
View File
@@ -18,7 +18,7 @@ detection:
selection:
ScriptBlockText|contains|all:
- 'Get-WmiObject'
- 'Win32_Shadowcopy'
- 'Win32_ShadowCopy'
- '.Delete()'
condition: selection
falsepositives:
rules/windows/powershell/powershell_script/posh_ps_susp_win32_shadowcopy_deletion.yml
+1 -1
View File
@@ -27,7 +27,7 @@ detection:
- 'Get-CimInstance'
- 'gcim'
selection_shadowcopy:
ScriptBlockText|contains: 'Win32_Shadowcopy'
ScriptBlockText|contains: 'Win32_ShadowCopy'
selection_delete:
ScriptBlockText|contains:
- '.Delete()'