security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions 3 Packages Projects Releases Wiki Activity

fix: revert change to rule

Browse Source
This commit is contained in:
Nasreddine Bencherchali
2023-02-23 12:55:46 +01:00
parent 078e3ab500
commit d799ad9982
1 changed files with 0 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/windows/file/file_event/file_event_win_remote_cred_dump.yml
-5
View File
@@ -19,11 +19,6 @@ detection:
Image|endswith: '\svchost.exe'
# CommandLine|contains: 'RemoteRegistry' # Uncomment this line if you collect CommandLine data for files events from more accuracy
TargetFilename|re: '\\Windows\\System32\\[a-zA-Z0-9]{8}\.tmp$'
selection_aurora:
Provider_Name: 'Microsoft-Windows-Kernel-File'
Image|endswith: '\svchost.exe'
CommandLine|contains: 'RemoteRegistry'
TargetFilename|re: '\\Windows\\System32\\[a-zA-Z0-9]{8}\.tmp$'
condition: selection
falsepositives:
- Unknown