Update sysmon_long_powershell_commandline.yml

2024-11-08 02:08:54 +00:00 · 2020-10-12 18:28:28 +03:00 · 2020-10-12 18:28:28 +03:00 · df8cd24a5d
commit df8cd24a5d
parent 59610517a0
1 changed files with 6 additions and 6 deletions
--- a/rules/windows/process_creation/sysmon_long_powershell_commandline.yml
+++ b/rules/windows/process_creation/sysmon_long_powershell_commandline.yml
@ -1,5 +1,5 @@
 title: Too Long PowerShell Commandlines
-id: 3f07b9d1-2082-4c56-9277-613a621983cc
+id: d0d28567-4b9a-45e2-8bbc-fb1b66a1f7f6
 description: Detects Too long PowerShell command lines
 references:
    - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
@ -14,13 +14,13 @@ logsource:
    product: windows
 detection:
    Powershell_selection:
-      - CommandLine: 
-        - '*powershell*'
-        - '*pwsh*'
+      - CommandLine|contains: 
+        - 'powershell'
+        - 'pwsh'
      - Description: 'Windows Powershell'
      - Product: 'PowerShell Core 6'
-    Length_selection|re:
-      CommandLine: '(.){1000,}'
+    Length_selection:
+      CommandLine|re: '(.){1000,}'
    condition: all of them
 falsepositives: Unknown
 level: medium