security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

simplifying format

Browse Source
This commit is contained in:
Tim Shelton
2021-11-30 14:21:38 +00:00
parent 14f11c905d
commit fa26f5f7f5
1 changed files with 10 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/windows/process_creation/win_xsl_script_processing.yml
+10 -9
View File
@@ -16,15 +16,16 @@ detection:
CommandLine|contains: '/format' # wmic process list /FORMAT /?
- Image|endswith: '\msxsl.exe'
false_positives:
- CommandLine|contains: '/Format:List'
- CommandLine|contains: '/Format:htable'
- CommandLine|contains: '/Format:hform'
- CommandLine|contains: '/Format:table'
- CommandLine|contains: '/Format:mof'
- CommandLine|contains: '/Format:value'
- CommandLine|contains: '/Format:rawxml'
- CommandLine|contains: '/Format:xml'
- CommandLine|contains: '/Format:csv'
CommandLine|contains:
- '/Format:List'
- '/Format:htable'
- '/Format:hform'
- '/Format:table'
- '/Format:mof'
- '/Format:value'
- '/Format:rawxml'
- '/Format:xml'
- '/Format:csv'
condition: selection and not false_positives
falsepositives:
- WMIC.exe FP depend on scripts and administrative methods used in the monitored environment.