mateopc
commented
7 months ago 1st iteration :
index= CommandLine=\powershell.exe OR CommandLine=*\powershell.exe\" | stats count by host
Closed mateopc closed 7 months ago
mateopc
commented
7 months ago 1st iteration :
index= CommandLine=\powershell.exe OR CommandLine=*\powershell.exe\" | stats count by host
mateopc
commented
6 months ago index= ((Image="powershell.exe" OR Image="*pwsh.exe") AND ProcessCommandLine="-Elevated") AND (ProcessCreationUid=0x0 OR ProcessCreationUid=0x1) host=DC01
Cette règle est censé détecter lorsqu'un programme spécifique est exécuté.
Programmes utilisés à détecter :