Merge pull request #2077 from frack113/remove_re

Convert re to endswith
2024-11-06 09:25:17 +00:00 · 2021-09-25 07:55:22 +02:00 · 2021-09-25 07:55:22 +02:00 · 8fe222a92c
commit 8fe222a92c
parent 278fb0a2de ef75695647
1 changed files with 15 additions and 2 deletions
--- a/rules/windows/registry_event/registry_event_abusing_windows_telemetry_for_persistence.yml
+++ b/rules/windows/registry_event/registry_event_abusing_windows_telemetry_for_persistence.yml
@ -11,7 +11,7 @@ tags:
    - attack.t1053
 author: Sreeman
 date: 2020/09/29
-modified: 2021/09/09
+modified: 2021/09/24
 fields:
    - EventID
    - CommandLine
@ -23,7 +23,20 @@ logsource:
 detection:
    selection:
        TargetObject|contains: 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TelemetryController\'
-        Details|re: '.*(.sh|.exe|.dll|.bin|.bat|.cmd|.js|.ps|.vb|.jar|.hta|.msi|.vbs)$'
+        Details|endswith: 
+            - .sh
+            - .exe
+            - .dll
+            - .bin
+            - .bat
+            - .cmd
+            - .js
+            - .ps
+            - .vb
+            - .jar
+            - .hta
+            - .msi
+            - .vbs
    condition: selection
 falsepositives:
    - none