This repository was archived by the owner on Nov 16, 2023. It is now read-only.

Commit 03690bb

Update scheduled task creation.txt
The original intent of the Sigma rule is to identify scheduled tasks created by user accounts, not the system account.
1 parent 4d4073b commit 03690bb

1 file changed

+1
-1
lines changed

Persistence/scheduled task creation.txt

Lines changed: 1 addition & 1 deletion
@@ -2,4 +2,4 @@
22
//Questions via Twitter: @janvonkirchheim
33
DeviceEvents
44
| where ActionType == "ScheduledTaskCreated"
5-
and InitiatingProcessAccountSid == "S-1-5-18"
5+
and InitiatingProcessAccountSid != "S-1-5-18"
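
Review bot: On the changed line, `InitiatingProcessAccountSid != "S-1-5-18"` excludes only LocalSystem, so the filter is wider than the "user accounts" intent stated in the commit message. Tasks created under the other built-in service identities, LOCAL SERVICE (S-1-5-19) and NETWORK SERVICE (S-1-5-20), still match, and so does any row where InitiatingProcessAccountSid is empty, because an empty string is also not equal to "S-1-5-18". Consider `InitiatingProcessAccountSid !in ("S-1-5-18", "S-1-5-19", "S-1-5-20")` together with `isnotempty(InitiatingProcessAccountSid)`. A short comment above the `where` clause saying that system-created tasks are excluded on purpose would also make it less likely that the operator gets flipped back later.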
