Add filter gpo
frack113 committed Apr 11, 2024
1 parent 9078b85 commit ac18788
Showing 1 changed file with 11 additions and 1 deletion.
Expand Up @@ -9,7 +9,7 @@ references:
- Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022/08/12
modified: 2024/04/04
modified: 2024/04/11
tags:
- attack.defense_evasion
- attack.t1036
Expand Down Expand Up @@ -54,6 +54,16 @@ detection:
- ':\Users\'
- '\AppData\Local\Temp\__PSScriptPolicyTest_'
TargetFilename|endswith: '.ps1'
filter_main_script_gpo_machine:
Image: 'C:\Windows\system32\svchost.exe'
TargetFilename|contains|all:
- ':\Windows\System32\GroupPolicy\DataStore\'
- '\sysvol\'
- '\Policies\'
- '\Machine\Scripts\Startup\'
TargetFilename|endswith:
- '.ps1'
- '.bat'
condition: 1 of selection_* and not 1 of filter_main_*
falsepositives:
- Unknown
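
Review bot: In filter_main_script_gpo_machine, `Image: 'C:\Windows\system32\svchost.exe'` pins the drive letter, while the TargetFilename patterns in the same filter and the ':\Users\' entry just above it start at ':\'. On a host where Windows is installed on another drive the Image condition will not match, so the GPO startup-script copy will still alert; `Image|endswith: ':\Windows\System32\svchost.exe'` would follow the convention the rest of the rule uses. The filter also only covers '\Machine\Scripts\Startup\', so if the same benign writes were observed for other GPO script folders they need their own entries. Finally, falsepositives still reads 'Unknown' even though this change documents a known benign source; a short entry for GPO startup scripts would help analysts triaging hits.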
