Merge pull request #1491 from w0rk3r/patch-1
Adds Schema Value equivalent of WriteData to rules/windows/builtin/win_GPO_scheduledtasks.yml
@@ -20,7 +20,9 @@ detection:
EventID: 5145
ShareName: \\*\SYSVOL
RelativeTargetName|endswith: 'ScheduledTasks.xml'
Accesses|contains: 'WriteData'
Accesses|contains:
- 'WriteData'
- '%%4417'
condition: selection
falsepositives:
- if the source IP is not localhost then it's super suspicious, better to monitor both local and remote changes to GPO scheduledtasks
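Review bot: the new `Accesses|contains` list is correct but undocumented; a `%%4417` literal in a YAML list will look like a typo to the next maintainer, so the rule should say in its `description` or a comment that `%%4417` is the raw message-table placeholder that Windows resolves to the `WriteData` access string in Event ID 5145, and that the list is needed because some log pipelines ship the unresolved placeholder while others ship the resolved text. Since Sigma ORs the values of a `|contains` list, a single selection now matches either form, which is the intended effect of the change; worth a quick check against both a resolved and an unresolved 5145 sample in the rule's test data before merging.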