Add logic to win_security_gpo_scheduledtasks.yml - Githubissues

SigmaHQ / sigma

Main Sigma Rule Repository

Other

8.19k stars 2.17k forks source link

Add logic to win_security_gpo_scheduledtasks.yml #5000

Closed joshnck closed 3 weeks ago

joshnck commented 3 weeks ago

Added selection_5136 with new detection logic to support both detections
Modified ShareName to |endswith; as the previous string wouldn't convert properly with default pipeline configuration and sysvol should never appear in any other way unless there are weird configurations
Added reference: https://www.elastic.co/guide/en/security/7.17/prebuilt-rule-0-16-1-scheduled-task-execution-at-scale-via-gpo.html

Summary of the Pull Request

Changelog

update: Persistence and Execution at Scale via GPO Scheduled Task - Increase coverage by adding selection for EID 5136

Example Log Event

N/A

Fixed Issues

N/A

SigmaHQ Rule Creation Conventions

If your PR adds new rules, please consider following and applying these conventions