fix: bound sysmon logon script rule to field

Fixed rule: - rules/windows/sysmon/sysmon_logon_scripts_userinitmprlogonscript.yml
2024-11-08 02:08:54 +00:00 · 2019-11-02 11:43:04 +01:00 · 2019-11-02 11:43:04 +01:00 · 0117dac1db
commit 0117dac1db
parent 3107c0c268
1 changed files with 11 additions and 5 deletions
--- a/rules/windows/sysmon/sysmon_logon_scripts_userinitmprlogonscript.yml
+++ b/rules/windows/sysmon/sysmon_logon_scripts_userinitmprlogonscript.yml
@ -18,17 +18,23 @@ detection:
    exec_exclusion:
        Image: '*\explorer.exe'
        CommandLine: '*\netlogon.bat'
-    create_selection:
+    create_selection_cli:
        EventID:
            - 1
+    create_selection_reg:
+        EventID:
            - 11
            - 12
            - 13
            - 14
-    create_keywords:
-        - UserInitMprLogonScript
-    condition: (exec_selection and not exec_exclusion) or (create_selection and create_keywords)
+    create_keywords_reg:
+        TargetObject:
+            - '*UserInitMprLogonScript*'
+    create_keywords_cli:
+        CommandLine:
+            - '*UserInitMprLogonScript*'
+    condition: (exec_selection and not exec_exclusion) or (create_selection_reg and create_keywords_reg) or (create_selection_cli and create_keywords_cli)
 falsepositives:
    - exclude legitimate logon scripts
    - penetration tests, red teaming
-level: high
+level: high