Update defense_evasion_powershell_windows_firewall_disabled.toml

w0rk3r · w0rk3r · commit f600962c83e4 · 2024-11-04T08:38:10.000-03:00
diff --git a/rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml b/rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml
@@ -95,7 +95,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 
 query = '''
-process where host.os.type == "windows" and event.action == "start" and
+process where host.os.type == "windows" and event.type == "start" and
   (
     process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe") or
     ?process.pe.original_file_name in ("powershell.exe", "pwsh.dll", "powershell_ise.exe")

Original file line number	Diff line number	Diff line change
`@@ -95,7 +95,7 @@ timestamp_override = "event.ingested"`
`95`	`95`	`type = "eql"`
`96`	`96`
`97`	`97`	`query = '''`
`98`		`-process where host.os.type == "windows" and event.action == "start" and`
	`98`	`+process where host.os.type == "windows" and event.type == "start" and`
`99`	`99`	`(`
`100`	`100`	`process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe") or`
`101`	`101`	`?process.pe.original_file_name in ("powershell.exe", "pwsh.dll", "powershell_ise.exe")`