Update powershell_code_injection.yml

2020-10-07 14:50:00 +03:00
parent 0ad9fc61de
commit d3f0ddd2b1
1 changed files with 2 additions and 2 deletions
@@ -2,7 +2,7 @@ title: Accessing WinAPI in PowerShell. Code Injection.
 id: eeb2e3dc-c1f4-40dd-9bd5-149ee465ad50
 status: experimental
 description: Detecting Code injection with PowerShell in another process
-author: Nikita Nazarov
+author: Nikita Nazarov, oscd.community
 date: 2020/10/06
 references:
    - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
@@ -17,7 +17,7 @@ detection:
    selection:
        EventID:
            - 8
-        SourceImage: '*\powershell.exe'
+        SourceImage|endswith: '\powershell.exe'
    condition: selection
 falsepositives:
    - Unknown