fix: FPs with Wincred in log files

V1D1AN · Nov 20, 2021 · c746283 · c746283
1 parent dfbaadf
commit c746283
Showing 1 changed file with 1 addition and 2 deletions.
diff --git a/rules/windows/builtin/win_av_relevant_match.yml b/rules/windows/builtin/win_av_relevant_match.yml
@@ -21,7 +21,7 @@ detection:
         - "Webshell"
         - "Portscan"
         - "Mimikatz"
-        - "WinCred"
+        - ".WinCred."  # . are needed to avoid false positives with many other strings
         - "PlugX"
         - "Korplug"
         - "Pwdump"
@@ -33,7 +33,6 @@ detection:
     filter:
         - "Keygen"
         - "Crack"
-        - "wincredui"
     condition: keywords and not filter
 falsepositives:
     - Some software piracy tools (key generators, cracks) are classified as hack tools