security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Remove ambiguity from impact_modification_of_boot_config.toml (#2199)

Browse Source 
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

(cherry picked from commit b043695833)
This commit is contained in:
TotalKnob
2022-08-05 15:38:41 +02:00
committed by github-actions[bot]
parent ccbcda523f
commit c585aed3e2
1 changed files with 5 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/windows/impact_modification_of_boot_config.toml
+5 -3
View File
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/03/16"
maturity = "production"
updated_date = "2022/05/09"
updated_date = "2022/07/29"
[rule]
author = ["Elastic"]
@@ -75,8 +75,10 @@ type = "eql"
query = '''
process where event.type in ("start", "process_started") and
(process.name : "bcdedit.exe" or process.pe.original_file_name == "bcdedit.exe") and
(process.args : "/set" and process.args : "bootstatuspolicy" and process.args : "ignoreallfailures") or
(process.args : "no" and process.args : "recoveryenabled")
(
(process.args : "/set" and process.args : "bootstatuspolicy" and process.args : "ignoreallfailures") or
(process.args : "no" and process.args : "recoveryenabled")
)
'''