security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[Rule Tuning] Windows DR Tuning - 11 (#3359)

Browse Source 
* [Rule Tuning] Windows DR Tuning - 10

* Update execution_posh_hacktool_functions.toml

* Update impact_backup_file_deletion.toml
This commit is contained in:
Jonhnathan
2024-01-15 10:55:50 -03:00
committed by GitHub
parent 24d5528ab0
commit caf38fd1b1
5 changed files with 60 additions and 26 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/windows/initial_access_script_executing_powershell.toml
+7 -2
View File
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/10/23"
updated_date = "2024/01/03"
[rule]
author = ["Elastic"]
@@ -85,7 +85,12 @@ type = "eql"
query = '''
process where host.os.type == "windows" and event.type == "start" and
process.parent.name : ("cscript.exe", "wscript.exe") and process.name : "powershell.exe"
process.parent.name : ("cscript.exe", "wscript.exe") and process.name : "powershell.exe" and
not (
process.parent.name : "wscript.exe" and
process.parent.args : "?:\\ProgramData\\intune-drive-mapping-generator\\IntuneDriveMapping-VBSHelper.vbs" and
process.parent.args : "?:\\ProgramData\\intune-drive-mapping-generator\\DriveMapping.ps1"
)
'''