crypto_campaign

tccontre · tccontre · commit 1e781875acd9 · 2025-01-08T11:12:15.000+01:00
diff --git a/detections/endpoint/windows_file_and_directory_enable_readonly_permissions.yml b/detections/endpoint/windows_file_and_directory_enable_readonly_permissions.yml
@@ -16,7 +16,7 @@ search: '| tstats `security_content_summariesonly` min(_time) as firstTime max(_
   | `drop_dm_object_name(Processes)`
   | rex field=process ":\\((?<permission>[^)]+)\\)"
   | eval has_read_attribute=if(match(permission, "R"), "true", "false")
-  | eval has_write_execute=if(match(permission, "(W|G|X|M|F|AD|DC|DE)"), "true", "false")
+  | eval has_write_execute=if(match(permission, "(W|GA|X|M|F|AD|DC|DE)"), "true", "false")
   | where has_write_execute="false" and has_read_attribute = "true"
   | `security_content_ctime(firstTime)` 
   | `security_content_ctime(lastTime)`
