Commit 4f75199

crypto_campaign
1 parent 7a46c66 commit 4f75199

1 file changed

+2
-2
lines changed

detections/endpoint/windows_file_and_directory_enable_readonly_permissions.yml

Lines changed: 2 additions & 2 deletions
@@ -15,9 +15,9 @@ search: '| tstats `security_content_summariesonly` min(_time) as firstTime max(_
1515
by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_guid Processes.dest Processes.user
1616
| `drop_dm_object_name(Processes)`
1717
| rex field=process ":\\((?<permission>[^)]+)\\)"
18-
| eval has_read_execute=if(match(permission, "R"), "true", "false")
18+
| eval has_read_attribute=if(match(permission, "R"), "true", "false")
1919
| eval has_write_execute=if(match(permission, "(W|G|X|M|F|AD|DC|DE)"), "true", "false")
20-
| where has_write_execute="false" and has_read_execute = "true"
20+
| where has_write_execute="false" and has_read_attribute = "true"
2121
| `security_content_ctime(firstTime)`
2222
| `security_content_ctime(lastTime)`
2323
| `windows_file_and_directory_enable_readonly_permissions_filter`'
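
Review bot: on new line 18 the renamed field `has_read_attribute` is still computed with `match(permission, "R")`, an unanchored regex that is true for any captured value containing the letter R, so the new name suggests a narrower test than the one performed. Detection still rests entirely on the `has_write_execute="false"` condition on line 20 to discard the other values. Consider anchoring the pattern to the exact tokens meant to count as read-only, or documenting in the detection's description that the exclusion list on line 19 does the real filtering. Line 19 keeps the name `has_write_execute` although its pattern `(W|G|X|M|F|AD|DC|DE)` covers more than write and execute; renaming it in the same commit would keep the two flags consistent. Because `has_read_attribute` is an output field of the search, check that nothing downstream (the `windows_file_and_directory_enable_readonly_permissions_filter` macro, tests, or saved filters) still refers to `has_read_execute`.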
