From c585aed3e2b9173d49445f7633054db92207e519 Mon Sep 17 00:00:00 2001
From: TotalKnob
Date: Fri, 5 Aug 2022 15:38:41 +0200
Subject: [PATCH] Remove ambiguity from impact_modification_of_boot_config.toml (#2199)

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: Jonhnathan
(cherry picked from commit b043695833ed9674bb5296c85f7c9f85001a3006)
---
 rules/windows/impact_modification_of_boot_config.toml | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/rules/windows/impact_modification_of_boot_config.toml b/rules/windows/impact_modification_of_boot_config.toml
index 7e86a6184..08bd6c265 100644
--- a/rules/windows/impact_modification_of_boot_config.toml
+++ b/rules/windows/impact_modification_of_boot_config.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/03/16"
 maturity = "production"
-updated_date = "2022/05/09"
+updated_date = "2022/07/29"
 
 [rule]
 author = ["Elastic"]
@@ -75,8 +75,10 @@ type = "eql"
 query = '''
 process where event.type in ("start", "process_started") and
 (process.name : "bcdedit.exe" or process.pe.original_file_name == "bcdedit.exe") and
-(process.args : "/set" and process.args : "bootstatuspolicy" and process.args : "ignoreallfailures") or
-(process.args : "no" and process.args : "recoveryenabled")
+(
+(process.args : "/set" and process.args : "bootstatuspolicy" and process.args : "ignoreallfailures") or
+(process.args : "no" and process.args : "recoveryenabled")
+)
 '''