Update sysmon_wmi_susp_scripting.yml

2020-10-15 20:15:22 -03:00
parent 92aaeca075
commit d7eda3fe7e
1 changed files with 11 additions and 11 deletions
@@ -17,17 +17,17 @@ logsource:
 detection:
    selection:
        EventID: 20
-        Destination:
-            - '*new-object system.net.webclient).downloadstring(*'
-            - '*new-object system.net.webclient).downloadfile(*'
-            - '*new-object net.webclient).downloadstring(*'
-            - '*new-object net.webclient).downloadfile(*'
-            - '* iex(*'
-            - '*WScript.shell*'
-            - '* -nop *'
-            - '* -noprofile *'
-            - '* -decode *'
-            - '* -enc *'
+        Destination|contains:
+            - 'new-object system.net.webclient).downloadstring('
+            - 'new-object system.net.webclient).downloadfile('
+            - 'new-object net.webclient).downloadstring('
+            - 'new-object net.webclient).downloadfile('
+            - ' iex('
+            - 'WScript.shell'
+            - ' -nop '
+            - ' -noprofile '
+            - ' -decode '
+            - ' -enc '
    condition: selection
 fields:
    - CommandLine