fix: filter events that cannot be investigated anyway
phantinuss committed Sep 1, 2023
1 parent e11ad35 commit eae0385
Showing 1 changed file with 7 additions and 3 deletions.
@@ -6,7 +6,7 @@ references:
- https://github.com/RiccardoAncarani/TaskShell/
author: frack113, Tim Shelton (fps)
date: 2022/07/14
modified: 2022/07/18
modified: 2023/09/01
tags:
- attack.lateral_movement
logsource:
@@ -18,11 +18,15 @@ detection:
Initiated: 'true'
DestinationPort: 135
#DestinationPortName: epmap
filter:
filter_image:
Image|startswith:
- C:\Windows\
- C:\ProgramData\Amazon\SSM\Update\amazon-ssm-agent-updater
condition: selection and not filter
filter_image_null1:
Image: null
filter_image_null2:
Image: ''
condition: selection and not 1 of filter_*
falsepositives:
- Unknown
level: high
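Review bot: the two new exclusions `filter_image_null1` (`Image: null`) and `filter_image_null2` (`Image: ''`) create a deliberate blind spot for port-135 connections whose `Image` field is absent or empty, and nothing in the rule itself records why; the reasoning lives only in the commit message. Suggest a comment beside these selections (the rule already uses `#DestinationPortName: epmap` as an inline comment) stating that such events are excluded because they cannot be investigated, and updating `falsepositives: - Unknown` to mention events with an unpopulated `Image`, so a reader of the rule sees the trade-off. Keeping `null` and `''` as two separate selections is reasonable since they describe different field states. The rename of `filter` to `filter_image` together with `condition: selection and not 1 of filter_*` is consistent and is what lets the wildcard cover all three filter selections.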
