Closed frack113 closed 2 months ago
Add FP when using ps1 or bat in the startup machine GPO

Summary of the Pull Request
Add FP when using ps1 or bat in the startup machine GPO

Changelog
fix: Windows Binaries Write Suspicious Extensions - Add new filter for when "bat" or "powershell" scripts are written via GPO to run at startup.

Example Log Event
```text
File created:
RuleName: T1165
UtcTime: redacted
ProcessGuid: {ea5c891b-3d3b-63c3-9320-000000001500}
ProcessId: 9308
Image: C:\Windows\system32\svchost.exe
TargetFilename: C:\Windows\System32\GroupPolicy\DataStore\0\sysvol\redacted\Policies\{uuid redacted}\Machine\Scripts\Startup\redacted.bat
CreationUtcTime: redacted

File created:
RuleName: T1165
UtcTime: redacted
ProcessGuid: {ea5c891b-3d3b-63c3-9320-000000001500}
ProcessId: 9308
Image: C:\Windows\system32\svchost.exe
TargetFilename: C:\Windows\System32\GroupPolicy\DataStore\0\sysvol\redacted\Policies\{uuid redacted}\Machine\Scripts\Startup\redacted.ps1
CreationUtcTime: redacted
```

Fixed Issues
N/A

SigmaHQ Rule Creation Conventions
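As an added illustration, not code from this PR or from the SigmaHQ rule itself, the Python below models the "Windows Binaries Write Suspicious Extensions" selection together with the GPO startup-script filter this PR describes, and runs it over constructed file-create lines written in the same flattened "File created: Key: value ..." layout as the example log event above. The image list, the extension list and the filter's path pattern are assumptions that approximate the rule, not its actual YAML; the domain, policy GUID, file names and timestamps in the sample events are made up.

```python
"""Added example, not code from the SigmaHQ PR or rule: a small model of the
"Windows Binaries Write Suspicious Extensions" selection plus the GPO
startup-script filter this PR describes, applied to constructed file-create
events in the flattened "File created: Key: value ..." layout of the PR's
example. Image list, extension list and the filter path are assumptions that
approximate the rule, not its YAML."""
import re

# Assumed subset of the rule's selection: Windows binaries that should not
# normally write script or executable files.
SUSPICIOUS_IMAGES = ("\\svchost.exe", "\\rundll32.exe", "\\regsvr32.exe")
SUSPICIOUS_EXTENSIONS = (".bat", ".ps1", ".vbs", ".exe", ".dll")

# Assumed shape of the PR's filter: the Group Policy client (svchost.exe)
# caching a machine startup .bat/.ps1 into the local GroupPolicy DataStore.
GPO_STARTUP_RE = re.compile(
    r"^C:\\Windows\\System32\\GroupPolicy\\DataStore\\\d+\\sysvol\\[^\\]+"
    r"\\Policies\\\{[^\\]+\}\\Machine\\Scripts\\Startup\\[^\\]+\.(?:bat|ps1)$",
    re.IGNORECASE,
)

FIELDS = ("RuleName", "UtcTime", "ProcessGuid", "ProcessId", "Image",
          "TargetFilename", "CreationUtcTime")
_FIELD_RE = re.compile(r"(" + "|".join(FIELDS) + r"): ")


def parse_file_create(line: str) -> dict:
    """Split a flattened file-create line into fields; each value runs until
    the next known key, so paths containing spaces survive."""
    prefix = "File created: "
    if line.startswith(prefix):
        line = line[len(prefix):]
    parts = _FIELD_RE.split(line)[1:]  # [key, value, key, value, ...]
    it = iter(parts)
    return {key: value.strip() for key, value in zip(it, it)}


def matches_selection(ev: dict) -> bool:
    """Assumed selection: a listed Windows binary writing a listed extension."""
    image = ev.get("Image", "").lower()
    target = ev.get("TargetFilename", "").lower()
    return image.endswith(SUSPICIOUS_IMAGES) and target.endswith(SUSPICIOUS_EXTENSIONS)


def matches_gpo_startup_filter(ev: dict) -> bool:
    """The PR's filter: svchost.exe writing a .bat/.ps1 under Machine\\Scripts\\Startup."""
    is_svchost = ev.get("Image", "").lower() == r"c:\windows\system32\svchost.exe"
    return is_svchost and GPO_STARTUP_RE.match(ev.get("TargetFilename", "")) is not None


def should_alert(ev: dict) -> bool:
    """Sigma condition semantics: selection and not filter."""
    return matches_selection(ev) and not matches_gpo_startup_filter(ev)


# Constructed events (domain, policy GUID, file names and times are made up).
_GPO = r"C:\Windows\System32\GroupPolicy\DataStore\0\sysvol\corp.example\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}"
_HEAD = r"File created: RuleName: T1165 UtcTime: 2023-01-15 01:02:03.123 ProcessGuid: {ea5c891b-3d3b-63c3-9320-000000001500} ProcessId: 9308 Image: C:\Windows\system32\svchost.exe TargetFilename: "
_TAIL = " CreationUtcTime: 2023-01-15 01:02:03.123"
SAMPLE_EVENTS = [
    _HEAD + _GPO + r"\Machine\Scripts\Startup\inventory.bat" + _TAIL,  # filtered
    _HEAD + _GPO + r"\Machine\Scripts\Startup\inventory.ps1" + _TAIL,  # filtered
    _HEAD + r"C:\Users\Public\update.bat" + _TAIL,                      # alerts
    _HEAD + _GPO + r"\Machine\Scripts\Startup\inventory.vbs" + _TAIL,  # alerts
    _HEAD + _GPO + r"\User\Scripts\Logon\inventory.bat" + _TAIL,       # alerts
]


def evaluate(lines) -> list:
    """Return (TargetFilename, should_alert) for each line."""
    out = []
    for line in lines:
        ev = parse_file_create(line)
        out.append((ev.get("TargetFilename", ""), should_alert(ev)))
    return out


if __name__ == "__main__":
    for target, alert in evaluate(SAMPLE_EVENTS):
        print(("ALERT  " if alert else "filter ") + target)
```

The filter is deliberately narrow: it requires both the svchost.exe image and the full local DataStore path down to Machine\Scripts\Startup, and only the .bat and .ps1 extensions the PR names. svchost.exe writing the same extensions anywhere else, other extensions landing in the startup folder, or user logon scripts all still alert. It suppresses only the Group Policy client caching a script locally; someone planting a script into SYSVOL in the first place is a separate detection problem this filter does not address.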