AllthingsTimesketch Small Typo error in tags.yaml

Small Typo error in tags.yaml

Open Camel0101 opened this issue 11 months ago • 0 comments

Thanks for your work with the tags.yaml file. It's a great support when conducting an investigation !

I noticed an omitted "" in the two "source_short:REG" that causes this saved search to return 0 hit:

win_execution_indicator:
  query_string:  '(source_short:REG AND (key_path:"*Microsoft\\Windows\\ShellNoRoam\\MUICache*" OR key_path:"*Software\\Microsoft\\Windows\\Shell\\MUICache*")) OR parser:"prefetch" OR (source_short:EVTX AND event_identifier:"4688") OR (source_short:REG" AND key_path:"*LastVisitedPidlMRU*") OR (source_short:REG" AND key_path:"*LastVisitedMRU*") OR (source_short:EVTX AND source_name:"Microsoft-Windows-Application-Experience" AND event_identifier:"500")'
  tags: ['win-execution','T1204','Execution','User-Execution','Medium']
  emojis: ['MARK']
  create_view: true
  view_name: 'T1204-Execution'

Query updated:

win_execution_indicator:
  query_string:  '(source_short:REG AND (key_path:"*Microsoft\\Windows\\ShellNoRoam\\MUICache*" OR key_path:"*Software\\Microsoft\\Windows\\Shell\\MUICache*")) OR parser:"prefetch" OR (source_short:EVTX AND event_identifier:"4688") OR (source_short:"REG" AND key_path:"*LastVisitedPidlMRU*") OR (source_short:"REG" AND key_path:"*LastVisitedMRU*") OR (source_short:EVTX AND source_name:"Microsoft-Windows-Application-Experience" AND event_identifier:"500")'
  tags: ['win-execution','T1204','Execution','User-Execution','Medium']
  emojis: ['MARK']
  create_view: true
  view_name: 'T1204-Execution'

Mar 25 '24 16:03 Camel0101

AllthingsTimesketch AllthingsTimesketch copied to clipboard

Small Typo error in tags.yaml

AllthingsTimesketch
AllthingsTimesketch copied to clipboard