paulmataruso/main
1
0
Fork 0
mirror of https://github.com/socfortress/Wazuh-Rules.git synced 2025-11-05 14:23:16 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #30 from thanegill/main

Browse Source 
Add Exception to 100502 for SCCM `Windows\CCM\CcmExec.exe`
This commit is contained in:
taylor_socfortress
2024-08-22 10:04:56 -05:00
committed by GitHub
parent 63cb5480bb ba0968d043
commit d1f9d9f44f
1 changed files with 1 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
Windows_Sysmon/100100-MITRE_TECHNIQUES_FROM_SYSMON_EVENT1.xml
View File

@@ -976,7 +976,7 @@
<if_sid>100100</if_sid> <if_sid>100100</if_sid>
<field name="win.eventdata.image">powershell.exe$|pwsh.exe$</field> <field name="win.eventdata.image">powershell.exe$|pwsh.exe$</field>
<field name="win.eventdata.commandLine">ExecutionPolicy Bypass</field> <field name="win.eventdata.commandLine">ExecutionPolicy Bypass</field>
<field name="win.eventdata.parentImage" negate="yes">cmd.exe$|explorer.exe$|wazuh-agent.exe$|^C:\\\\Program Files\\\\Windows Defender Advanced Threat Protection\\\\SenseIR.exe$</field> <field name="win.eventdata.parentImage" negate="yes">cmd.exe$|explorer.exe$|wazuh-agent.exe$|^C:\\\\Program Files\\\\Windows Defender Advanced Threat Protection\\\\SenseIR.exe$|\\\\Windows\\\\CCM\\\\CcmExec.exe$</field>
<description>Sysmon - Event 1: PowerShell Execution Policy Bypass detected.</description> <description>Sysmon - Event 1: PowerShell Execution Policy Bypass detected.</description>
<mitre> <mitre>
<id>T1548</id> <id>T1548</id>