Merge pull request #521 from Neo23x0/devel

fix: fixed false positive in suspicious shell spawn rule
Florian Roth 2019-11-09 12:50:50 +01:00 committed by GitHub
commit ef0af10747
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 2 additions and 2 deletions


@ -25,4 +25,4 @@ detection:
condition: selection1 or (selection2 and not selection3) condition: selection1 or (selection2 and not selection3)
falsepositives: falsepositives:
- Migration of an account into a new domain - Migration of an account into a new domain
level: medium level: low
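Review bot: the `level: medium` to `level: low` downgrade in this hunk is not mentioned in the commit message ("fixed false positive in suspicious shell spawn rule" refers to the other file), and the `falsepositives` entry ("Migration of an account into a new domain") and the `condition` are left unchanged, so the reason for lowering severity is not recorded anywhere in the change. Add the rationale to the commit message or extend the `falsepositives` list with the case that motivated it, and if the rule carries a `modified:` date field, bump it so consumers can see the severity changed.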


@ -18,7 +18,7 @@ detection:
ParentImage: ParentImage:
- '*\mshta.exe' - '*\mshta.exe'
- '*\powershell.exe' - '*\powershell.exe'
- '*\cmd.exe' # - '*\cmd.exe' # too many false positives
- '*\rundll32.exe' - '*\rundll32.exe'
- '*\cscript.exe' - '*\cscript.exe'
- '*\wscript.exe' - '*\wscript.exe'
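Review bot: commenting out `- '*\cmd.exe' # too many false positives` instead of deleting it leaves dead configuration inside the `ParentImage` list, and the only record of why coverage was reduced is an inline comment that rule consumers and converters never see. Either remove the line and document the exclusion in the rule's `falsepositives` section, or keep `cmd.exe` as a parent and suppress the noisy cases with a `not` filter selection on the specific benign child command lines, since dropping `cmd.exe` entirely means a shell spawned from a command prompt is no longer matched by this rule at all. Whichever route is taken, the hunk should also bump the rule's `modified:` date if it has one.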