valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-07 09:48:58 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

remove TAB from cli escape as it's currently unsupported in sigmac

Browse Source
This commit is contained in:
ecco 2019-09-23 04:46:10 -04:00
parent 9630635e25
commit c2868f6e03
1 changed files with 1 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
rules/windows/process_creation/win_susp_cli_escape.yml
View File

@ -18,7 +18,7 @@ logsource:
detection:
selection:
CommandLine:
- <TAB>
# - <TAB> # no TAB modifier in sigmac yet, so this matches <TAB> (or TAB in elasticsearch backends without DSL queries)
- ^h^t^t^p
- h"t"t"p
condition: selection