Update proc_creation_win_net_default_accounts_manipulation.yml
+2
-2
@@ -10,7 +10,7 @@ logsource:
|
||||
category: process_creation
|
||||
product: windows
|
||||
detection:
|
||||
selection:
|
||||
selection_img:
|
||||
Image|endswith:
|
||||
- '\net.exe'
|
||||
- '\net1.exe'
|
||||
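Review bot: selection_img matches on Image|endswith alone, so a copy of net.exe or net1.exe saved under another file name never reaches the rest of the rule. Consider adding an OriginalFileName match for 'net.exe' and 'net1.exe' as an alternative under selection_img, for log sources that record that field. The rename from selection to selection_img also leaves the old condition pointing at a key that no longer exists, so it has to ship together with the condition change in the next hunk.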
@@ -26,7 +26,7 @@ detection:
|
||||
- ' Administrador ' # Portuguese (Brazil + Portugal) + Spanish
|
||||
- ' Administratör ' # Swedish
|
||||
- ' guest '
|
||||
condition: selection
|
||||
condition: all of selection_*
|
||||
falsepositives:
|
||||
- Some fasle positives could occure with the admin or guest account. It depends on the scripts being used by the admins in your env. If you experience a lot of FP you could reduce the level to medium
|
||||
level: high
|
||||
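Review bot: condition: all of selection_* only evaluates keys that begin with selection_, and the only such key visible in this diff is selection_img. The key that holds the account-name list ending in ' guest ' lies outside the shown lines, so confirm it is also named with the selection_ prefix; if it is not, the rule would match every net.exe or net1.exe execution. Separately, the list values are padded with a space on both sides (' guest '), so a quoted account name or one at the very end of the command line will not match. The falsepositives context line still carries typos ('fasle', 'occure') that could be corrected in the same change.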