Update powershell_accessing_win_api.yml

2020-10-07 14:47:29 +03:00
parent c90d99c0f9
commit bfa3635cd2
1 changed files with 2 additions and 2 deletions
@@ -2,7 +2,7 @@ title: Accessing WinAPI in PowerShell
 id: 03d83090-8cba-44a0-b02f-0b756a050306
 status: experimental
 description: Detecting use WinAPI Functions in PowerShell
-author: Nikita Nazarov
+author: Nikita Nazarov, oscd.community
 date: 2020/10/06
 references:
    - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
@@ -17,7 +17,7 @@ detection:
    selection:
        EventID:
            - 4104
-        Message|contains::
+        Message|contains:
            - 'WaitForSingleObject'
            - 'QueueUserApc'
            - 'RtlCreateUserThread'