fix: condition
@@ -10,7 +10,7 @@ references:
- https://twitter.com/bryon_/status/975835709587075072
author: 'Agro (@agro_sev) oscd.community'
date: 2020/10/10
modified: 2022/02/25
modified: 2022/12/09
tags:
- attack.execution
- attack.t1059.001
@@ -21,14 +21,13 @@ logsource:
product: windows
detection:
selection_1:
Image|endswith: '\sqlps.exe'
- Image|endswith: '\sqlps.exe'
- OriginalFileName: 'sqlps.exe'
selection_2:
ParentImage|endswith: '\sqlps.exe'
selection_3:
OriginalFileName: '\sqlps.exe'
filter:
ParentImage|endswith: '\sqlagent.exe'
condition: 1 of selection_* and not filter
condition: (selection_1 and not filter) or selection_2
falsepositives:
- Direct PS command execution through SQLPS.exe is uncommon, childprocess sqlps.exe spawned by sqlagent.exe is a legitimate action.
level: medium
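Review bot: The new condition `(selection_1 and not filter) or selection_2` applies the sqlagent.exe parent exemption only to selection_1, so any child process of sqlps.exe still fires through selection_2 even when that sqlps.exe was itself launched by sqlagent.exe — the chain the falsepositives entry describes as legitimate. A single process-creation event carries no grandparent field, so this cannot be expressed in the filter; if the asymmetry is intended, it should be stated rather than left implicit, e.g. `condition: (selection_1 and not filter) or selection_2  # filter exempts only sqlps.exe launched by sqlagent.exe; children of sqlps.exe are always reported`. The filter also matches on `ParentImage|endswith: '\sqlagent.exe'` alone, which accepts that file name under any directory; anchoring it to the SQL Server installation path would narrow the exemption, though the correct path is not visible here. The earlier hunk in this section is only the `modified` date bump and needs no review.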