security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Move ipv6 check to selection fields as filter is negated

Browse Source
This commit is contained in:
Cian Mc Govern
2021-07-02 22:02:43 +01:00
parent dcda583810
commit cbbb953d7f
1 changed files with 1 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/windows/network_connection/sysmon_powershell_network_connection.yml
+1 -1
View File
@@ -18,6 +18,7 @@ detection:
selection:
Image|endswith: '\powershell.exe'
Initiated: 'true'
DestinationIsIpv6: 'false'
filter:
DestinationIp|startswith:
- '10.'
@@ -39,7 +40,6 @@ detection:
- '172.30.'
- '172.31.'
- '127.0.0.1'
DestinationIsIpv6: 'false'
User: 'NT AUTHORITY\SYSTEM'
condition: selection and not filter
falsepositives: