Merge branch 'master' of https://github.com/Neo23x0/sigma

2024-11-08 02:08:54 +00:00 · 2018-08-02 22:45:25 +02:00 · 2018-08-02 22:45:25 +02:00 · e6c3313168
commit e6c3313168
parent af9f636199 acfdb591d0
1 changed files with 2 additions and 2 deletions
--- a/rules/windows/builtin/win_susp_process_creations.yml
+++ b/rules/windows/builtin/win_susp_process_creations.yml
@ -1,7 +1,7 @@
 ---
 action: global
 title: Suspicious Process Creation
-description: Detects suspicious process starts on Windows systems bsed on keywords
+description: Detects suspicious process starts on Windows systems based on keywords
 status: experimental
 references:
    - https://www.swordshield.com/2015/07/getting-hashes-from-ntds-dit-file/
@ -65,7 +65,7 @@ detection:
            # AddInProcess
            - '*AddInProcess*'
            # NotPowershell (nps) attack
-            - '*msbuild*'
+            # - '*msbuild*'  # too many false positives
    condition: selection
 falsepositives: 
    - False positives depend on scripts and administrative tools used in the monitored environment