
Remove loose wildcard filter in powershell encoded cmd rule #314

Merged (2 commits), Apr 14, 2019

Conversation

Karneades (Contributor) commented Apr 11, 2019

Remove easy-to-bypass CommandLine and environment-specific filter.

Neo23x0 (Collaborator) commented Apr 11, 2019

I don't understand that pull request

Karneades (Contributor, Author) commented

The purpose of the pull request is to remove a filter which is unused by most of the security teams using such a generic PowerShell detection rule. The filter only applies to very unique GRR deployments using such PowerShell commands, but at the same time it reduces the detection quality for all other teams which do not use such unique deployments, in the sense that such a small change in the Command Line (*\GRR\*) would allow an attacker to bypass this detection. The filter is more harmful to most environments than it helps security teams. Therefore, I would recommend removing this filter altogether to improve the quality. Security teams using such a unique deployment should add their filters themselves. Furthermore, PowerSponse deployments are unrelated to that rule.
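To make the trade-off concrete, the following is an added example (not code from the SigmaHQ rule or from this PR) that approximates the rule as a selection on an encoded-command switch minus an optional wildcard filter, then evaluates it over constructed command lines with and without the `*\GRR\*` filter; the selection regex and the sample events are assumptions.

```python
import fnmatch
import re

# Assumed minimal approximation of a "PowerShell encoded command" rule:
# the selection matches an encoded-command switch, the filter excludes any
# CommandLine matching a wildcard. Neither is the SigmaHQ rule text.
SELECTION = re.compile(r"\s-(e|ec|enc|encodedcommand)\s", re.IGNORECASE)
GRR_FILTER = r"*\GRR\*"  # the environment-specific filter the PR removes


def matches_wildcard(value: str, pattern: str) -> bool:
    """Sigma-style wildcard match: '*' is any run of characters, case-insensitive."""
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def rule_hits(command_line: str, filters=()) -> bool:
    """True if the event alerts: selection AND NOT any filter."""
    if not SELECTION.search(command_line):
        return False
    return not any(matches_wildcard(command_line, f) for f in filters)


# Constructed sample events (not real telemetry).
EVENTS = [
    r"powershell.exe -enc SQBFAFgA",                                  # plain encoded command
    r"C:\Windows\GRR\grr_client.exe -exec powershell -enc SQBFAFgA",  # legitimate GRR agent activity
    r"powershell.exe -NoP -enc SQBFAFgA -Path C:\GRR\x",              # encoded command whose line also matches the wildcard
]


def coverage(filters=()):
    """Return the events the rule alerts on under the given filters."""
    return [e for e in EVENTS if rule_hits(e, filters)]


if __name__ == "__main__":
    # With the filter, only the first event alerts; the third is a silent miss.
    print("with GRR filter   :", coverage([GRR_FILTER]))
    # Without it, all three alert; the GRR agent line becomes a local tuning task.
    print("without GRR filter:", coverage())
```

The second event is the false positive a GRR-using team would tune out locally; the third is the false negative every other team inherits when the filter ships in the shared rule.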

@thomaspatzke thomaspatzke merged commit 5463128 into SigmaHQ:master Apr 14, 2019
@Karneades Karneades deleted the patch-4 branch April 19, 2019 08:49