Merge pull request #521 from Neo23x0/devel

fix: fixed false positive in suspicious shell spawn rule
2024-11-08 18:23:52 +00:00 · 2019-11-09 12:50:50 +01:00 · 2019-11-09 12:50:50 +01:00 · ef0af10747
commit ef0af10747
parent 465e41bfbb 9835950f04
2 changed files with 2 additions and 2 deletions
--- a/rules/windows/builtin/win_susp_add_sid_history.yml
+++ b/rules/windows/builtin/win_susp_add_sid_history.yml
@ -25,4 +25,4 @@ detection:
    condition: selection1 or (selection2 and not selection3)
 falsepositives:
    - Migration of an account into a new domain
-level: medium
+level: low
--- a/rules/windows/process_creation/win_shell_spawn_susp_program.yml
+++ b/rules/windows/process_creation/win_shell_spawn_susp_program.yml
@ -18,7 +18,7 @@ detection:
        ParentImage:
            - '*\mshta.exe'
            - '*\powershell.exe'
-            - '*\cmd.exe'
+            # - '*\cmd.exe'  # too many false positives
            - '*\rundll32.exe'
            - '*\cscript.exe'
            - '*\wscript.exe'