fix logsource for remote_powershell_session_process.yml

2024-11-07 17:58:52 +00:00 · 2019-11-10 23:10:24 +03:00 · 2019-11-10 23:10:24 +03:00 · 1f5a31f0e7
commit 1f5a31f0e7
parent 5756df1922
1 changed files with 5 additions and 8 deletions
--- a/rules/windows/process_creation/win_remote_powershell_session_process.yml
+++ b/rules/windows/process_creation/win_remote_powershell_session_process.yml
@ -7,16 +7,13 @@ author: Roberto Rodriguez @Cyb3rWard0g
 references:
    - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/powershell_remote_session.md
 logsource:
+    category: process_creation
    product: windows
-    service: sysmon
 detection:
-    selection_1: 
-        EventID: 1
-        Image|endswith: '\wsmprovhost.exe'
-    selection_2:
-        EventID: 1
-        ParentImage|endswith: '\wsmprovhost.exe'
-    condition: selection_1 or selection_2
+    selection:
+        - Image|endswith: '\wsmprovhost.exe'
+        - ParentImage|endswith: '\wsmprovhost.exe'
+    condition: selection
 falsepositives:
    - Unknown
 level: critical