[Rule Tuning] Suspicious Execution via Scheduled Task (#2235)

Excluding `?:\\ProgramData` and a few other noisy FP patterns by process.args + name to reduce users' alert fatigue.
Samirbous
2022-08-15 21:50:23 +02:00
committed by GitHub
parent b89d6185b2
commit 0f7b29918c
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/11/19"
maturity = "production"
updated_date = "2022/03/31"
updated_date = "2022/08/09"
[rule]
author = ["Elastic"]
@@ -56,7 +56,12 @@ process where event.type == "start" and
"C:\\PerfLogs\\*",
"C:\\Intel\\*",
"C:\\Windows\\Debug\\*",
"C:\\HP\\*")
"C:\\HP\\*") and
not (process.name : "cmd.exe" and process.args : "?:\\*.bat" and process.working_directory : "?:\\Windows\\System32\\") and
not (process.name : "cscript.exe" and process.args : "?:\\Windows\\system32\\calluxxprovider.vbs") and
not (process.name : "powershell.exe" and process.args : ("-File", "-PSConsoleFile") and user.id : "S-1-5-18") and
not (process.name : "msiexec.exe" and user.id : "S-1-5-18")
'''
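Review bot: The exclusions on the lines starting `not (process.name : "powershell.exe"` and `not (process.name : "msiexec.exe"` are keyed only on the process name and `user.id : "S-1-5-18"`, so any scheduled task that runs `powershell.exe -File <script>` or `msiexec.exe` as LocalSystem is now dropped regardless of where the script or package lives; constraining them with a path pattern in the same style as the existing allowlist (for example limiting `-File` targets to `?:\\Windows\\*` or `?:\\Program Files*\\*`, constructed values to be checked against the environment's baseline) would keep the noise reduction without removing coverage of user-writable locations. The `cmd.exe` exclusion has the same shape: `process.args : "?:\\*.bat"` matches a batch file at any path on any drive, and `process.working_directory : "?:\\Windows\\System32\\"` is presumably the default start-in directory for tasks that set none, so this likely suppresses scripts outside the intended noisy paths too. The description says `?:\\ProgramData` is excluded, but no such pattern appears in the visible new lines, so either the description or the change is incomplete. The EQL query this hunk edits begins before line 56 and only its tail is shown, so the earlier allowlist entries cannot be checked here.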