security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Update proc_creation_win_persistence_userinitmprlogonscript.yml

Browse Source 
When logging into Windows Core, userinit.exe normalls calls PowerShell.exe without parameters to bring up a PowerShell window.
This commit is contained in:
Kevin Branch
2023-06-05 12:57:52 -04:00
committed by GitHub
parent 715cc0589c
commit b478f24985
1 changed files with 2 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/windows/process_creation/proc_creation_win_persistence_userinitmprlogonscript.yml
+2
View File
@@ -23,6 +23,8 @@ detection:
- 'netlogon*.bat'
- 'UsrLogon.cmd'
- 'C:\WINDOWS\Explorer.EXE'
- CommandLine:
- 'PowerShell.exe'
- Image|endswith:
- '\explorer.exe'
- '\proquota.exe'