Skip to content

Commit

Permalink
fix: typo in condition
Browse files Browse the repository at this point in the history
  • Loading branch information
@nasbench
nasbench committed Nov 20, 2023
1 parent e782704 commit e49c0df
Show file tree
Hide file tree
Showing 2 changed files with 2 additions and 2 deletions.
2 changes: 1 addition & 1 deletion rules-threat-hunting/windows/process_creation/proc_creation_win_susp_event_log_query.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -41,7 +41,7 @@ detection:
CommandLine|contains:
- 'Get-WinEvent '
- 'get-eventlog '
condition: selection_wmi or all of selection_wevtutil_* or selection_wmic_* or selection_cmdlet
condition: selection_wmi or all of selection_wevtutil_* or all selection_wmic_* or selection_cmdlet
falsepositives:
- Legitimate log access by administrators or troubleshooting tools
level: medium
2 changes: 1 addition & 1 deletion rules/windows/process_creation/proc_creation_win_susp_eventlog_content_recon.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -73,7 +73,7 @@ detection:
- 'System[EventID=25]'
- 'EventCode=?25?'
- "EventIdentifier=?25?"
condition: 1 of selection_logs_* and (selection_wmi or all of selection_wevtutil_* or selection_wmic_* or selection_cmdlet)
condition: 1 of selection_logs_* and (selection_wmi or all of selection_wevtutil_* or all selection_wmic_* or selection_cmdlet)
falsepositives:
- Legitimate usage of the utility by administrators to query the event log
level: medium

0 comments on commit e49c0df

Please sign in to comment.