valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-06 17:35:19 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Removed unnecessary '1 of them' in condition

Browse Source
This commit is contained in:
Tareq AlKhatib 2019-02-13 21:26:02 +03:00
parent 8d819cfeea
commit cd3cdc9451
2 changed files with 2 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
rules/windows/builtin/win_psexesvc_start.yml
View File

@ -15,7 +15,7 @@ detection:
selection:
EventID: 4688
ProcessCommandLine: 'C:\Windows\PSEXESVC.exe'
condition: 1 of them
condition: selection
falsepositives:
- Administrative activity
level: low

2
rules/windows/sysmon/sysmon_win_reg_persistence.yml
View File

@ -15,7 +15,7 @@ detection:
- '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\\*\ReportingMode'
- '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\\*\MonitorProcess'
EventType: 'SetValue'
condition: 1 of them
condition: selection_reg1
tags:
- attack.privilege_escalation
- attack.persistence