Update CVE-2022-26134-Confluence.yaml
Родитель
1df1e4f31e
Коммит
02dc3a90be
|
@ -16,8 +16,8 @@ tactics:
|
|||
relevantTechniques:
|
||||
- T1203
|
||||
query: |
|
||||
DeviceProcessEvents
|
||||
| where InitiatingProcessFileName hasprefix "tomcat" and InitiatingProcessCommandLine has "confluence"
|
||||
| where (ProcessCommandLine has_any("certutil", "whoami", "nltest", " dir ", "curl", "ifconfig", "cat ", "net user",
|
||||
"net time /domain","tasklist","-c ls","ipconfig","arp","ping","net view","net group","netstat", "wmic datafile"))
|
||||
or (FileName =~ "powershell.exe" and ProcessCommandLine hasprefix "-e")
|
||||
DeviceProcessEvents
|
||||
| where InitiatingProcessFileName hasprefix "tomcat" and InitiatingProcessCommandLine has "confluence"
|
||||
| where (ProcessCommandLine has_any("certutil", "whoami", "nltest", " dir ", "curl", "ifconfig", "cat ", "net user",
|
||||
"net time /domain","tasklist","-c ls","ipconfig","arp","ping","net view","net group","netstat", "wmic datafile"))
|
||||
or (FileName =~ "powershell.exe" and ProcessCommandLine hasprefix "-e")
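Review bot: The parent-process filter `InitiatingProcessFileName hasprefix "tomcat"` in the new query only matches hosts where the Confluence service process is named tomcat*, yet the command list carries Linux-only entries such as `ifconfig`, `cat ` and `-c ls`. On Linux installs the Confluence JVM is usually reported as `java`, so those entries would likely never fire there. If Linux coverage is intended, widen the filter, for example `| where (InitiatingProcessFileName hasprefix "tomcat" or InitiatingProcessFileName =~ "java") and InitiatingProcessCommandLine has "confluence"`. Short generic terms such as `ping` and `arp` can also match benign child processes, so a brief comment in the rule noting the expected false positives would help triage.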
|
||||
|
|