Commit dba17e7

Update suspicious_copy_on_system32.yml
1 parent 1d2e689 commit dba17e7

1 file changed: +3 -3 lines changed

detections/endpoint/suspicious_copy_on_system32.yml

Lines changed: 3 additions & 3 deletions
@@ -22,7 +22,7 @@ data_source:
2222
search:
2323
'| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
2424
as lastTime from datamodel=Endpoint.Processes where
25-
parent_process_name IN (
25+
Processes.parent_process_name IN (
2626
"cmd.exe",
2727
"powershell_ise.exe",
2828
"powershell.exe",
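Review bot: the change on line 25 is the right fix: in a `tstats ... from datamodel=Endpoint.Processes where ...` clause the field has to be referenced as `Processes.parent_process_name`; a bare `parent_process_name` is not resolved as a data-model field, so the filter either errors or matches nothing and the detection never fires. This hunk shows only the first field of the where clause, so confirm that every other field in the same clause carries the `Processes.` prefix as well, and run the detection's unit test before merging so a regression of this kind surfaces in CI rather than as a silent absence of alerts.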
@@ -35,8 +35,8 @@ search:
3535
"* \"C:\\Windows\\System32\\*",
3636
"* \'C:\\Windows\\System32\\*",
3737
"* C:\\Windows\\System32\\*",
38-
"* \"C:\\Windows\\SysWow64\\*"
39-
"* \'C:\\Windows\\SysWow64\\*"
38+
"* \"C:\\Windows\\SysWow64\\*",
39+
"* \'C:\\Windows\\SysWow64\\*",
4040
"* C:\\Windows\\SysWow64\\*"
4141
)
4242
by Processes.action Processes.dest Processes.original_file_name
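Review bot: the trailing commas added on lines 38 and 39 are required: two adjacent string literals with no comma between them inside an SPL `IN (...)` list are a syntax error, so before this change the search did not parse at all and the detection produced no results, not merely fewer. While here, one more thing to confirm: the whole search is a YAML single-quoted scalar (it opens with `'| tstats` on line 23), and in that style a backslash is not an escape character, so the `\'` inside `"* \'C:\\Windows\\SysWow64\\*"` and the matching System32 entry would need to be written as a doubled `''` for YAML to read it as a literal quote; check that the file loads cleanly with a YAML parser. A CI step that parses each detection's `search` field and executes it against the attack test data would catch both kinds of breakage.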

0 commit comments
