Commit
Merge pull request SigmaHQ#4311 from frack113/FP_lolbin
fix: fp in proc_creation_win_lolbin_gpscript.yml
nasbench authored Jun 14, 2023
2 parents 6f21321 + 917e5be commit 93881d6
Showing 1 changed file with 4 additions and 1 deletion.
@@ -7,6 +7,7 @@ references:
- https://lolbas-project.github.io/lolbas/Binaries/Gpscript/
author: frack113
date: 2022/05/16
modified: 2023/06/14
tags:
- attack.defense_evasion
- attack.t1218
@@ -21,7 +22,9 @@ detection:
CommandLine|contains:
- ' /logon'
- ' /startup'
condition: all of selection*
filter_main_svchost:
ParentCommandLine: 'C:\windows\system32\svchost.exe -k netsvcs -p -s gpsvc'
condition: all of selection_* and not 1 of filter_main_*
falsepositives:
- Legitimate uses of logon scripts distributed via group policy
level: medium
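Review bot: the new condition `all of selection_* and not 1 of filter_main_*` only matches selections whose identifiers start with `selection_`, whereas the removed line `condition: all of selection*` also covered a block named plainly `selection`; the selection identifiers are outside this hunk, so please confirm they all carry the `selection_` prefix, otherwise the rule silently stops matching. On the filter itself, `ParentCommandLine: 'C:\windows\system32\svchost.exe -k netsvcs -p -s gpsvc'` is an exact-value match, so any host where the system drive or argument order differs will keep producing the false positive this PR sets out to remove; a `ParentCommandLine|endswith: ' -s gpsvc'` style match, or pairing `ParentImage|endswith: '\svchost.exe'` with a `ParentCommandLine|contains: '-s gpsvc'`, would be more robust while still scoping the exclusion to the Group Policy service host.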