fix: multiple false positive conditions

2024-11-07 17:58:52 +00:00 · 2020-01-28 10:11:09 +01:00 · 2020-01-28 10:11:09 +01:00 · d48fc9d1ff
commit d48fc9d1ff
parent 240b764660
2 changed files with 6 additions and 2 deletions
--- a/rules/windows/sysmon/sysmon_ads_executable.yml
+++ b/rules/windows/sysmon/sysmon_ads_executable.yml
@ -18,7 +18,9 @@ detection:
    selection:
        EventID: 15
    filter:
-        Imphash: '00000000000000000000000000000000'
+        Imphash: 
+            - '00000000000000000000000000000000'
+            - null
    condition: selection and not filter
 fields:
    - TargetFilename
--- a/rules/windows/sysmon/sysmon_logon_scripts_userinitmprlogonscript.yml
+++ b/rules/windows/sysmon/sysmon_logon_scripts_userinitmprlogonscript.yml
@ -24,7 +24,9 @@ detection:
    exec_exclusion1:
        Image: '*\explorer.exe'
    exec_exclusion2:
-        CommandLine: '*\netlogon.bat'
+        CommandLine: 
+            - '*\netlogon.bat'
+            - '*\UsrLogon.cmd'
    condition: exec_selection and not exec_exclusion1 and not exec_exclusion2
 ---
 logsource: