
Commit ddbb78e

authored
Update defense_evasion_whitespace_padding_command_line.toml
1 parent 4f8d690 commit ddbb78e


1 file changed

+2
-1
lines changed


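--- a/rules/windows/defense_evasion_whitespace_padding_command_line.toml
+++ b/rules/windows/defense_evasion_whitespace_padding_command_line.toml
@@ -77,6 +77,7 @@ tags = [
 "Use Case: Threat Detection",
 "Tactic: Defense Evasion",
 "Tactic: Execution",
+"Resources: Investigation Guide"
 ]
 timestamp_override = "event.ingested"
 type = "esql"
@@ -87,7 +88,7 @@ FROM logs-* metadata _id, _version, _index
 // more than 100 spaces in process.command_line
 | eval multi_spaces = LOCATE(process.command_line, space(100))
 | where multi_spaces > 0
-| keep user.name, host.id, host.name, process.command_line
+| keep user.name, host.id, host.name, process.command_line, process.executable, process.parent.executable
 '''
 
 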
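Review bot: The new `"Resources: Investigation Guide"` tag on line 80 is only accurate if the rule already carries a `note` investigation-guide block; this commit's diffstat (+2 −1) shows no such addition, so confirm the `note` field exists outside these hunks before merging. In the second hunk the widened `keep` on line 91 pulls `process.executable` and `process.parent.executable` into the alert document without saying why, while the only comment in the query still describes just the 100-space check; a one-liner such as `// keep executable and parent executable so padded command lines can be triaged by source binary` would record the intent. Both fields will simply be null in alerts for events that do not populate them, and if no index under `logs-*` maps them the ES|QL planner may reject the column, so a quick check against the expected Windows data sources is worthwhile.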