Merge PR #4563 from @YamatoSecurity - Remove erroneous extra asterisk

fix: Suspicious Process By Web Server Process - Remove erroneous extra asterisk
---------

Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
Zach Mathis (田中ザック)
2023-11-11 10:16:51 -08:00
committed by GitHub
parent 309c2dee7f
commit e7d2bba8a2
@@ -7,7 +7,7 @@ references:
- https://media.defense.gov/2020/Jun/09/2002313081/-1/-1/0/CSI-DETECT-AND-PREVENT-WEB-SHELL-MALWARE-20200422.PDF
author: Thomas Patzke, Florian Roth (Nextron Systems), Zach Stanford @svch0st, Tim Shelton, Nasreddine Bencherchali (Nextron Systems)
date: 2019/01/16
modified: 2023/11/09
modified: 2023/11/11
tags:
- attack.persistence
- attack.t1505.003
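Review bot: the `modified` bump to 2023/11/11 is the right accompaniment to the condition fix below, and it keeps the same `YYYY/MM/DD` form as the `date: 2019/01/16` line, so nothing to change here; one small suggestion is to leave the `modified` field untouched in future cosmetic-only PRs unless the rule body actually changes, which it does in this case.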
@@ -81,7 +81,7 @@ detection:
CommandLine|contains|all:
- 'sc query'
- 'ADManager Plus'
condition: 1 of selection_webserver_* and selection_anomaly_children and not 1 of filter_main_**
condition: 1 of selection_webserver_* and selection_anomaly_children and not 1 of filter_main_*
falsepositives:
- Particular web applications may spawn a shell process legitimately
level: high
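Review bot: the corrected line `condition: 1 of selection_webserver_* and selection_anomaly_children and not 1 of filter_main_*` now uses a single `*` for the identifier wildcard, which is the form the Sigma condition syntax expects; the previous `filter_main_**` was not a valid pattern and, depending on the backend, could either be rejected or silently fail to match any `filter_main_` selection, which would have disabled every filter (including the `'sc query'` / `'ADManager Plus'` one shown in context) and raised the false-positive rate of a `level: high` rule. Suggest running the repository's rule validation on this file after the change so the wildcard is confirmed to resolve to the intended filter set, and a quick grep of the rules tree for `_\*\*` to catch any other copies of the same typo.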