From aefd50f049e72ee8f2b82bbe03a7b4eb09daba41 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Wed, 28 Jul 2021 14:23:54 +0200 Subject: [PATCH] fix: avoid FPs with HTool string --- rules/windows/builtin/win_av_relevant_match.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/windows/builtin/win_av_relevant_match.yml b/rules/windows/builtin/win_av_relevant_match.yml index cbf84be0e..6c1d18d52 100644 --- a/rules/windows/builtin/win_av_relevant_match.yml +++ b/rules/windows/builtin/win_av_relevant_match.yml @@ -3,14 +3,14 @@ id: 78bc5783-81d9-4d73-ac97-59f6db4f72a8 description: This detection method points out highly relevant Antivirus events author: Florian Roth date: 2017/02/19 -modified: 2021/01/07 +modified: 2021/07/28 logsource: product: windows service: application detection: keywords: Message|contains: - - "HTool" + - "HTool-" - "Hacktool" - "ASP/Backdoor" - "JSP/Backdoor"
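Review bot: The tightening of `- "HTool"` to `- "HTool-"` in the `Message|contains` keyword list is only a partial fix: `contains` is still an unanchored, case-insensitive substring match in most Sigma backends, so any Message whose text happens to include the five characters `htool-` anywhere (not only at the start of a vendor detection name) will still fire, and the neighbouring `- "Hacktool"` entry is left as broad as before. Consider anchoring the term to the detection-name position the AV product actually uses (for example a `|startswith` on the field that carries the threat name, or a `|re` with a word boundary) rather than relying on the trailing hyphen. Separately, neither the commit message nor the rule records which benign Message triggered the false positive that motivated this change; note it in the rule's `falsepositives` section (or at least in the commit body) so the next person tuning this list does not reintroduce the plain `HTool` keyword.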