valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-06 09:25:17 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Replace start of paths with placeholders

Browse Source
This commit is contained in:
Ryan Plas 2020-10-17 09:36:25 -04:00
parent 53f0261a62
commit ff84852803
1 changed files with 2 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
rules/windows/builtin/win_access_fake_files_with_stored_credentials.yml → rules-unsupported/win_access_fake_files_with_stored_credentials.yml
View File

@ -17,8 +17,8 @@ detection:
EventID: 4663
AccessList|contains: '%%4416'
ObjectName|endswith:
- '\{641ECF7F-6AC4-4A63-BF85-DFDE140E9F89}\Machine\Preferences\Groups\Groups.xml'
- '\Panther\Unattend.xml'
- '\%POLICY_ID%\Machine\Preferences\Groups\Groups.xml'
- '\%FOLDER_NAME%\Unattend.xml'
condition: selection
fields:
- EventID