Merge PR #4851 from @frack113 - Fix typo in modifier usage
fix: Forest Blizzard APT - Process Creation Activity - Typo in modifier
frack113 committed May 13, 2024
1 parent 6412c1a commit 9341930
Showing 1 changed file with 2 additions and 1 deletion.
Expand Up @@ -8,6 +8,7 @@ references:
- https://www.microsoft.com/en-us/security/blog/2024/04/22/analyzing-forest-blizzards-custom-post-compromise-tool-for-exploiting-cve-2022-38028-to-obtain-credentials/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2024/04/23
modified: 2024/05/11
tags:
- attack.defense_evasion
- attack.execution
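Review bot: the new `modified: 2024/05/11` value is two days earlier than the commit date shown for this change (May 13, 2024). If the field is meant to record when the detection logic last changed in the repository, confirm which date is intended. Since the second hunk changes matching behaviour rather than only wording, a short note in the PR description saying the rule now matches fewer events would help consumers who diff rule versions.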
Expand Down Expand Up @@ -37,7 +38,7 @@ detection:
- '/F '
- '\Microsoft\Windows\WinSrv'
selection_powershell:
CommandLine|contains:
CommandLine|contains|all:
- 'Get-ChildItem'
- '.save'
- 'Compress-Archive -DestinationPath C:\ProgramData\'
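Review bot: under `selection_powershell`, with `contains|all` every listed string must now appear in the command line, so the third value `'Compress-Archive -DestinationPath C:\ProgramData\'` becomes a hard requirement on exact spacing and parameter order. A command line that puts another parameter between `Compress-Archive` and `-DestinationPath`, or uses more than one space, would no longer match, whereas before the change `'Get-ChildItem'` or `'.save'` alone would still have triggered the selection. Consider splitting it into separate items (`'Compress-Archive'`, `'-DestinationPath'`, `'C:\ProgramData\'`) so the `all` condition tolerates reordering, and attach a sample event to the PR showing the rule still fires on the command line from the referenced report.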