paulmataruso/main
1
0
Fork 0
mirror of https://github.com/socfortress/Wazuh-Rules.git synced 2025-10-23 08:12:16 +00:00
Code Issues Packages Projects Releases Wiki Activity

Update 900000-exclusion_rules.xml

Browse Source
This commit is contained in:
taylor_socfortress
2023-08-14 14:47:54 -05:00
committed by GitHub
parent c05ed85436
commit 2a0d1b47d3
1 changed files with 3 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
Exclusion Rules/900000-exclusion_rules.xml
View File

@@ -322,7 +322,9 @@
<!-- Exclude OpenAudit Scanning -->
<rule id="900048" level="1">
<if_sid>200051</if_sid>
<field name="event.Hashes" type="pcre2">(?i)^SHA1=D9127654E13FD43FCDDB4FC95CB5E6593BBF5050,MD5=6FB9D6A070365F03954569C1CA9A9C23,SHA256=02771D364902B233AE60604A3A9770B6E50C0A30BE68CA1B4BB416492EAB0D76,IMPHASH=EE559EFEAB91B5B2C2E8E2DA64B693E5$</field>
<field name="event.ParentCommandLine" type="pcre2">(?i)^"C:\\Windows\\System32\\cscript\.exe" \/\/nologo "C:\\Program Files \(x86\)\\ossec-agent\\active-response\\bin\\open_audit\.vbs"$</field>
<field name="event.ParentImage" type="pcre2">(?i)^C:\\Windows\\System32\\cscript.exe$</field>
<field name="event.CommandLine" type="pcre2">(?i)^schtasks.exe \/query \/v \/fo csv$</field>
<description>Exclude OpenAudit Scanning SIGMA Alert</description>
<options>no_full_log</options>
</rule>