valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-07 01:45:21 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

flake 8

Browse Source
This commit is contained in:
ecco 2020-05-18 10:03:18 -04:00
parent 088800cd18
commit 1aa97fe577
1 changed files with 1 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
rules/windows/sysmon/sysmon_webshell_creation_detect.yml
View File

@ -42,6 +42,6 @@ detection:
- '\Windows\Temp\'
# kind of ugly but sigmac seems not to handle double parenthesis "(("
# we shold prefer something like : selection_1 and not false_positives and ((selection_2 and selection_3) or (selection_4 and selection_5) or selection_6)
condition: (selection_1 and selection_2 and selection_3 and not false_positives) or (selection_1 and selection_4 and selection_5 and not false_positives) or (selection_1 and selection_6 and not false_positives)
condition: (selection_1 and selection_2 and selection_3 and not false_positives) or (selection_1 and selection_4 and selection_5 and not false_positives) or (selection_1 and selection_6 and not false_positives)
falsepositives:
- Legitimate administrator or developer creating legitimate executable files in a web application folder