Update proc_creation_win_python_pty_spawn.yml

SigmaHQ · Feb 3, 2023 · 5bd3aba · 5bd3aba
1 parent 4d57187
commit 5bd3aba
Showing 1 changed file with 5 additions and 4 deletions.
diff --git a/rules/windows/process_creation/proc_creation_win_python_pty_spawn.yml b/rules/windows/process_creation/proc_creation_win_python_pty_spawn.yml
@@ -9,25 +9,26 @@ references:
     - https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence/
 author: Nextron Systems
 date: 2022/06/03
+modified: 2023/02/03
 tags:
     - attack.execution
     - attack.t1059
 logsource:
     category: process_creation
     product: windows
 detection:
-    selection_image:
+    selection_img:
         Image|endswith:
             - 'python.exe' # no \ bc of e.g. ipython.exe
             - 'python3.exe'
             - 'python2.exe'
-    selection_cli1:
+    selection_cli_1:
         CommandLine|contains|all:
             - 'import pty'
             - '.spawn('
-    selection_cli2:
+    selection_cli_2:
         CommandLine|contains: 'from pty import spawn'
-    condition: selection_image and 1 of selection_cli*
+    condition: selection_img and 1 of selection_cli_*
 falsepositives:
     - Unknown
 level: high