security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge pull request #1533 from SpeedyFireCyclone/cobaltstrike_service_install_fix

Browse Source 
Consistency: Service File Name to ServiceFileName
This commit is contained in:
Florian Roth
2021-06-03 23:34:00 +02:00
committed by GitHub
parent bcd6d3c9ba 12c822511e
commit b26eece20d
1 changed files with 3 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/windows/builtin/win_cobaltstrike_service_installs.yml
+3 -3
View File
@@ -5,7 +5,7 @@ author: Florian Roth, Wojciech Lesicki
references:
- https://www.sans.org/webcasts/119395
date: 2021/05/26
modified: 2021/06/01
modified: 2021/06/03
tags:
- attack.execution
- attack.privilege_escalation
@@ -20,11 +20,11 @@ detection:
selection1:
EventID: 7045
selection2:
Service File Name|contains|all:
ServiceFileName|contains|all:
- 'ADMIN$'
- '.exe'
selection3:
Service File Name|contains|all:
ServiceFileName|contains|all:
- '%COMSPEC%'
- 'start'
- 'powershell'