Simple Quote

2022-01-11 13:40:53 +01:00
parent 11164849b3
commit f7e670d55e
18 changed files with 42 additions and 47 deletions
@@ -13,8 +13,7 @@ logsource:
    definition: Script Block Logging must be enable
 detection:
    selection:
-        ScriptBlockText|contains:
-            - "Invoke-AzureHound"
+        ScriptBlockText|contains: Invoke-AzureHound
    condition: selection
 tags:
    - attack.discovery
@@ -22,11 +22,10 @@ logsource:
 detection:
    selection_content:
        ScriptBlockText|contains:
-            - "set-content"
-            - "add-content"
+            - set-content
+            - add-content
    selection_stream:
-        ScriptBlockText|contains:
-            - "-stream"
+        ScriptBlockText|contains: '-stream'
    condition: all of selection*
 falsepositives:
    - unknown