Update lateral_movement_scheduled_task_target.toml to fix null values

theusername-sudo · web-flow · commit 07d552a2abe7 · 2025-10-16T08:36:56.000-05:00
diff --git a/rules/windows/lateral_movement_scheduled_task_target.toml b/rules/windows/lateral_movement_scheduled_task_target.toml
@@ -68,7 +68,7 @@ query = '''
 sequence by host.id, process.entity_id with maxspan = 1m
    [network where host.os.type == "windows" and process.name : "svchost.exe" and
    network.direction : ("incoming", "ingress") and source.port >= 49152 and destination.port >= 49152 and
-   source.ip != "127.0.0.1" and source.ip != "::1"
+   source.ip != "127.0.0.1" and source.ip != "::1" and source.ip != null
    ]
    [registry where host.os.type == "windows" and event.type == "change" and registry.value : "Actions" and
     registry.path : "*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\*\\Actions"]

Original file line number	Diff line number	Diff line change
`@@ -68,7 +68,7 @@ query = '''`
`68`	`68`	`sequence by host.id, process.entity_id with maxspan = 1m`
`69`	`69`	`[network where host.os.type == "windows" and process.name : "svchost.exe" and`
`70`	`70`	`network.direction : ("incoming", "ingress") and source.port >= 49152 and destination.port >= 49152 and`
`71`		`- source.ip != "127.0.0.1" and source.ip != "::1"`
	`71`	`+ source.ip != "127.0.0.1" and source.ip != "::1" and source.ip != null`
`72`	`72`	`]`
`73`	`73`	`[registry where host.os.type == "windows" and event.type == "change" and registry.value : "Actions" and`
`74`	`74`	`registry.path : "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\\\Actions"]`