Commit
[Rule Tuning] Potential PowerShell HackTool Script by Function Names (#…
…2692)

(cherry picked from commit 1a9b0e7)
w0rk3r authored and github-actions[bot] committed Apr 5, 2023
1 parent 95dc445 commit b305afc
Showing 1 changed file with 2 additions and 2 deletions.
4 changes: 2 additions & 2 deletions rules/windows/execution_posh_hacktool_functions.toml
Expand Up @@ -2,7 +2,7 @@
creation_date = "2023/01/17"
integration = ["windows"]
maturity = "production"
updated_date = "2023/02/22"
updated_date = "2023/04/05"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"

Expand Down Expand Up @@ -152,7 +152,7 @@ event.category:process and host.os.type:windows and
"Set-DomainObjectOwner" or "Set-DomainUserPassword" or
"Set-ServiceBinaryPath" or "Sub-SignedIntAsUnsigned" or
"Test-AdminAccess" or "Test-MemoryRangeValid" or
"Test-ServiceDaclPermission" or"Update-ExeFunctions" or
"Test-ServiceDaclPermission" or "Update-ExeFunctions" or
"Update-MemoryAddresses" or "Update-MemoryProtectionFlags" or
"Write-BytesToMemory" or "Write-HijackDll" or
"Write-PortscanOut" or "Write-ServiceBinary" or
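Review bot: On the "Test-ServiceDaclPermission" line, the fix restores the space in or"Update-ExeFunctions", but it covers only this one occurrence, and nothing visible in the commit guards the rest of this long hand-maintained list of function names against the same slip. Consider a rule-validation check that rejects an "or" keyword placed directly against a quoted term, and confirm with a test event containing Update-ExeFunctions that the term is matched by the tuned query.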