Update proxy_ua_bitsadmin_susp_tld.yml to use proxy field

2023-05-17 13:46:28 +02:00
parent 7f3eff58e1
commit c1ba6e1505
1 changed files with 2 additions and 2 deletions
@@ -7,7 +7,7 @@ references:
    - https://isc.sans.edu/forums/diary/Investigating+Microsoft+BITS+Activity/23281/
 author: Florian Roth (Nextron Systems), Tim Shelton
 date: 2019/03/07
-modified: 2022/08/16
+modified: 2023/05/17
 tags:
    - attack.command_and_control
    - attack.t1071.001
@@ -21,7 +21,7 @@ detection:
    selection:
        c-useragent|startswith: 'Microsoft BITS/'
    falsepositives:
-        r-dns|endswith:
+        cs-host|endswith:
            - '.com'
            - '.net'
            - '.org'