security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[Rule Tuning] Replace line comments with block comments (#710)

Browse Source
This commit is contained in:
Justin Ibarra
2020-12-12 20:11:17 -06:00
committed by GitHub
parent 7c2abc68d7
commit a6463b435c
1 changed files with 12 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/windows/persistence_startup_folder_scripts.toml
+12 -12
View File
@@ -17,18 +17,18 @@ tags = ["Elastic", "Host", "Windows", "Threat Detection", "Persistence"]
type = "eql"
query = '''
file where event.type != "deletion" and user.domain != "NT AUTHORITY"
and (
// detect shortcuts created by wscript.exe or cscript.exe
file.path : "C:\\*\\Programs\\Startup\\*.lnk" and
process.name : ("wscript.exe", "cscript.exe")
) or
// detect vbs or js files created by any process
file.path : ("C:\\*\\Programs\\Startup\\*.vbs",
"C:\\*\\Programs\\Startup\\*.vbe",
"C:\\*\\Programs\\Startup\\*.wsh",
"C:\\*\\Programs\\Startup\\*.wsf",
"C:\\*\\Programs\\Startup\\*.js")
file where event.type != "deletion" and user.domain != "NT AUTHORITY" and
/* detect shortcuts created by wscript.exe or cscript.exe */
(file.path : "C:\\*\\Programs\\Startup\\*.lnk" and
process.name : ("wscript.exe", "cscript.exe")) or
/* detect vbs or js files created by any process */
file.path : ("C:\\*\\Programs\\Startup\\*.vbs",
"C:\\*\\Programs\\Startup\\*.vbe",
"C:\\*\\Programs\\Startup\\*.wsh",
"C:\\*\\Programs\\Startup\\*.wsf",
"C:\\*\\Programs\\Startup\\*.js")
'''