mirror of
https://github.com/valitydev/SigmaHQ.git
synced 2024-11-06 01:15:17 +00:00
16 lines
381 B
YAML
16 lines
381 B
YAML
alert:
|
|
- debug
|
|
description: This method detects a suspicious powershell command line combination as used by APT29 in a campaign against US think tanks
|
|
filter:
|
|
- query:
|
|
query_string:
|
|
query: data.win.eventdata.commandLine.keyword:*\-noni\ \-ep\ bypass\ $*
|
|
index: wazuh-alerts-3.x-*
|
|
name: 033fe7d6-66d1-4240-ac6b-28908009c71f_0
|
|
priority: 1
|
|
realert:
|
|
minutes: 0
|
|
type: any
|
|
|
|
|