fix: delete value-modifier in Search-Identifier (SigmaHQ#4210)

SavinSpring · Apr 30, 2023 · ef95e52 · ef95e52
1 parent 4bff10d
commit ef95e52
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 5 deletions.
diff --git a/rules/windows/process_creation/proc_creation_win_mstsc_run_local_rdp_file.yml b/rules/windows/process_creation/proc_creation_win_mstsc_run_local_rdp_file.yml
@@ -7,6 +7,7 @@ references:
     - https://blog.thickmints.dev/mintsights/detecting-rogue-rdp/
 author: Nasreddine Bencherchali (Nextron Systems), Christopher Peacock @securepeacock
 date: 2023/04/18
+modified: 2023/04/30
 tags:
     - attack.command_and_control
     - attack.t1219
@@ -17,8 +18,8 @@ detection:
     selection_img:
         - Image|endswith: '\mstsc.exe'
         - OriginalFileName: 'mstsc.exe'
-    selection_cli|endswith:
-        CommandLine|contains:
+    selection_cli:
+        CommandLine|endswith:
             - '.rdp'
             - '.rdp"'
     filter_optional_wsl:

diff --git a/rules/windows/process_creation/proc_creation_win_mstsc_run_local_rdp_file_susp_location.yml b/rules/windows/process_creation/proc_creation_win_mstsc_run_local_rdp_file_susp_location.yml
@@ -31,9 +31,9 @@ detection:
             - ':\Windows\Temp\'
             - ':\Windows\Tracing\'
             - '\AppData\Local\Temp\'
-            # - '\Desktop\' # Could be source of FP depending on the environement
-            - '\Downloads\' # Could be source of FP depending on the environement
+            # - '\Desktop\' # Could be source of FP depending on the environment
+            - '\Downloads\' # Could be source of FP depending on the environment
     condition: all of selection_*
 falsepositives:
-    - Likelihood is related to how often the paths are used in the environement
+    - Likelihood is related to how often the paths are used in the environment
 level: high