[Rule Tuning] Powershell Defender Exclusion (#1644)

* Split process.args condition

* Update rules/windows/defense_evasion_defender_exclusion_via_powershell.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Jonhnathan
2021-12-08 11:51:32 -03:00
committed by GitHub
parent b85818f49c
commit ee548328d5
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2021/07/20"
maturity = "production"
updated_date = "2021/10/17"
updated_date = "2021/12/03"
[rule]
author = ["Elastic"]
@@ -58,7 +58,8 @@ type = "eql"
query = '''
process where event.type == "start" and
(process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe") or process.pe.original_file_name in ("powershell.exe", "pwsh.dll", "powershell_ise.exe")) and
process.args : ("*Add-MpPreference*-Exclusion*", "*Set-MpPreference*-Exclusion*")
process.args : ("*Add-MpPreference*", "*Set-MpPreference*") and
process.args : ("*-Exclusion*")
'''
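Review bot: The new pair of conditions `process.args : ("*Add-MpPreference*", "*Set-MpPreference*") and process.args : ("*-Exclusion*")` is evaluated element by element over process.args, so the cmdlet and the `-Exclusion*` parameter may now sit in different argument tokens or in either order, which is the intended widening; it still requires both strings to be present in the command line, so an invocation that hides the cmdlet behind `-EncodedCommand`/`-e` or inside a script passed via `-File` would not match this rule. That residual gap is worth stating for analysts, for example in the rule's `note` field (not visible in this hunk): `Encoded (-EncodedCommand) or script-file invocations do not expose the cmdlet in process.args; pair this rule with PowerShell script block logging (EventID 4104) coverage.` Because the two wildcards are matched independently, a command line that mentions `Set-MpPreference` for an unrelated setting and carries `-Exclusion` in a separate token will also fire, which seems acceptable for a defense-evasion rule but could be mentioned under false positives. The enclosing `[rule]` table continues past the end of this hunk.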