security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: FP with In-memory PowerShell rule and Visual Studio

Browse Source
This commit is contained in:
Florian Roth
2021-11-22 13:45:31 +01:00
parent 37ff832fda
commit d5eff9ef6d
1 changed files with 1 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/windows/image_load/sysmon_in_memory_powershell.yml
+1
View File
@@ -39,6 +39,7 @@ detection:
- '\Microsoft SQL Server Management Studio *\Common*\IDE\Ssms.exe'
- '\IDE\devenv.exe'
- '\ServiceHub.VSDetouredHost.exe'
- '\ServiceHub.SettingsHost.exe'
# User: 'NT AUTHORITY\SYSTEM' # if set, matches all powershell processes not launched by SYSTEM
condition: selection and not filter
falsepositives: