Update win_susp_devtoolslauncher_execution.yml

2019-11-04 18:30:04 +03:00
parent 989d75033a
commit dc23e566a0
1 changed files with 5 additions and 4 deletions
@@ -6,8 +6,10 @@ references:
    - https://twitter.com/_felamos/status/1179811992841797632
 author: Beyu Denis, oscd.community (rule), @_felamos (idea)
 date: 2019/10/12
+modified: 2019/11/04
 tags:
-    - attack.persistence
+    - attack.defense_evasion
+    - attack.execution
    - attack.t1218
 level: critical
 logsource:
@@ -16,8 +18,7 @@ logsource:
 detection:
    selection:
        Image: '*\devtoolslauncher.exe'
-        CommandLine: '*LaunchForDeploy*'
+        CommandLine|contains: 'LaunchForDeploy'
    condition: selection
 falsepositives:
-    - Unknown
-
+    - Legitimate use of devtoolslauncher.exe by legitimate user