Merge pull request #521 from Neo23x0/devel
fix: fixed false positive in suspicious shell spawn rule
This commit is contained in:
commit
ef0af10747
@ -25,4 +25,4 @@ detection:
|
|||||||
condition: selection1 or (selection2 and not selection3)
|
condition: selection1 or (selection2 and not selection3)
|
||||||
falsepositives:
|
falsepositives:
|
||||||
- Migration of an account into a new domain
|
- Migration of an account into a new domain
|
||||||
level: medium
|
level: low
|
||||||
|
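Review bot: The severity drop from `level: medium` to `level: low` has no rationale in the hunk, and this rule (its `falsepositives` entry is about account migration between domains) is not the suspicious shell spawn rule the PR title names, so a reader of the history cannot tell why it was downgraded. Sigma rules conventionally carry a `modified:` date field; if this rule has one outside the hunk it should be bumped with this change, and a one-line reason for the downgrade belongs either in the rule's `description` or in the commit message. The enclosing rule document starts before this hunk.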
@ -18,7 +18,7 @@ detection:
|
|||||||
ParentImage:
|
ParentImage:
|
||||||
- '*\mshta.exe'
|
- '*\mshta.exe'
|
||||||
- '*\powershell.exe'
|
- '*\powershell.exe'
|
||||||
- '*\cmd.exe'
|
# - '*\cmd.exe' # too many false positives
|
||||||
- '*\rundll32.exe'
|
- '*\rundll32.exe'
|
||||||
- '*\cscript.exe'
|
- '*\cscript.exe'
|
||||||
- '*\wscript.exe'
|
- '*\wscript.exe'
|
||||||
|
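Review bot: Commenting out `- '*\cmd.exe'` silently removes the most common shell parent from the `ParentImage` list, so consumers of this rule lose that coverage without any signal beyond the inline `# too many false positives` remark. That intent should be recorded where analysts look for it: add an entry under `falsepositives` such as `- Child processes of cmd.exe are no longer matched by this rule because of excessive false positives`, and bump the rule's `modified:` date if it has one (outside the hunk). If the false positives came from a small set of known child images or parent command lines, a dedicated exclusion selection combined as `condition: selection and not filter` would keep cmd.exe coverage while suppressing the noise, but that depends on what the observed false positives were, which the hunk does not show.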