adding amazon ec2 to list of false positives

Tim Shelton
2021-11-29 19:20:00 +00:00
parent 182a4c2506
commit f0c6dbdc84
@@ -10,7 +10,7 @@ tags:
- attack.t1086 #an old one
author: Sean Metcalf (source), Florian Roth (rule), Bartlomiej Czyz @bczyz1 (update), oscd.community (update)
date: 2017/03/05
modified: 2021/10/16
modified: 2021/11/29
logsource:
product: windows
category: ps_script
@@ -115,6 +115,7 @@ detection:
- "Invoke-AllChecks"
false_positives:
ScriptBlockText|contains: Get-SystemDriveInfo # http://bheltborg.dk/Windows/WinSxS/amd64_microsoft-windows-maintenancediagnostic_31bf3856ad364e35_10.0.10240.16384_none_91ef7543a4514b5e/CL_Utility.ps1
ScriptBlockText:contains: "C:\ProgramData\Amazon\EC2-Windows\Launch\Module\Scripts\Set-Wallpaper.ps1" # false positive form Amazon EC2
condition: select_Malicious and not false_positives
falsepositives:
- Penetration testing
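Review bot: The added exclusion in the second hunk is keyed `ScriptBlockText:contains:` where the line above it uses `ScriptBlockText|contains:`, so it would be read as a literal field name rather than a `contains` match, and the EC2 exclusion would most likely never apply. Correcting the separator alone would create a duplicate key inside `false_positives`, so both values should go into one list under a single `ScriptBlockText|contains:` key. The path is also double-quoted, where YAML treats sequences such as `\A` and `\E` as escapes and strict parsers reject the file; write the item single-quoted as `- 'C:\ProgramData\Amazon\EC2-Windows\Launch\Module\Scripts\Set-Wallpaper.ps1'`. Because this matches on script content, any script block that merely contains that string is excluded from the rule as well; if the script's path is logged as its own field, anchoring the exclusion there would be narrower. The trailing comment has a typo, `form` for `from`.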