Merge pull request #2077 from frack113/remove_re
Convert re to endswith
commit
8fe222a92c
@ -11,7 +11,7 @@ tags:
|
||||
- attack.t1053
|
||||
author: Sreeman
|
||||
date: 2020/09/29
|
||||
modified: 2021/09/09
|
||||
modified: 2021/09/24
|
||||
fields:
|
||||
- EventID
|
||||
- CommandLine
|
||||
@ -23,7 +23,20 @@ logsource:
|
||||
detection:
|
||||
selection:
|
||||
TargetObject|contains: 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TelemetryController\'
|
||||
Details|re: '.*(.sh|.exe|.dll|.bin|.bat|.cmd|.js|.ps|.vb|.jar|.hta|.msi|.vbs)$'
|
||||
Details|endswith:
|
||||
- .sh
|
||||
- .exe
|
||||
- .dll
|
||||
- .bin
|
||||
- .bat
|
||||
- .cmd
|
||||
- .js
|
||||
- .ps
|
||||
- .vb
|
||||
- .jar
|
||||
- .hta
|
||||
- .msi
|
||||
- .vbs
|
||||
condition: selection
|
||||
falsepositives:
|
||||
- none
|
||||
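Review bot: The switch from `Details|re` to `Details|endswith` is not a pure rewrite, and nothing in the rule or the PR text says so: the old regex was case-sensitive and its unescaped dots matched any character, whereas Sigma's `endswith` is case-insensitive and requires the literal dot, so a value ending in `.EXE` now matches and one ending in `xexe` no longer does. Both are likely what was intended for a TelemetryController persistence check, but a short comment next to `Details|endswith:` (or a sentence in the description) would save the next reader from re-deriving it. The `- .ps` entry, like the old `.ps$` alternative, does not match `.ps1`; if PowerShell scripts were meant, the entry should be `- .ps1`. The first hunk only moves the `modified` date and needs nothing further.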