security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fixing format

Browse Source
This commit is contained in:
Tim Shelton
2022-03-02 17:35:41 +00:00
parent 9c6fb23480
commit cffc027c33
1 changed files with 8 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/windows/process_creation/proc_creation_win_shell_spawn_susp_program.yml
+8 -10
View File
@@ -28,16 +28,14 @@ detection:
- '\mshta.exe'
falsepositives:
CurrentDirectory|contains: '\ccmcache\'
# FP - Amazon Workspaces
ParentCommandLine|contains: '\Program Files\Amazon\WorkSpacesConfig\Scripts\setup-scheduledtask.ps1'
ParentCommandLine|contains: '\Program Files\Amazon\WorkSpacesConfig\Scripts\set-selfhealing.ps1'
ParentCommandLine|contains: '\Program Files\Amazon\WorkSpacesConfig\Scripts\check-workspacehealth.ps1'
# Tenable/Nessus VA Scanner
ParentCommandLine|contains: '\nessus_'
CommandLine|contains: '\nessus_'
ParentCommandLine|contains:
# FP - Amazon Workspaces
- '\Program Files\Amazon\WorkSpacesConfig\Scripts\setup-scheduledtask.ps1'
- '\Program Files\Amazon\WorkSpacesConfig\Scripts\set-selfhealing.ps1'
- '\Program Files\Amazon\WorkSpacesConfig\Scripts\check-workspacehealth.ps1'
- '\nessus_' # Tenable/Nessus VA Scanner
CommandLine|contains:
- '\nessus_' # Tenable/Nessus VA Scanner
condition: selection and not falsepositives
fields:
- CommandLine