valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-07 09:48:58 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Add 'contains' for the ps encoded chars rule

Browse Source
This commit is contained in:
Daniel Masse 2020-07-22 10:49:22 -04:00
parent 9682d37ead
commit 13cf0488ae
1 changed files with 1 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
rules/windows/process_creation/win_susp_powershell_encoded_param.yml
View File

@ -17,7 +17,7 @@ logsource:
product: windows
detection:
selection:
CommandLine: '(WCHAR)0x'
CommandLine|contains: '(WCHAR)0x'
condition: selection
falsepositives:
- Unknown