From c537507793dad10fb962e51ec78b7c5eacb18a33 Mon Sep 17 00:00:00 2001
From: research-bot
Date: Tue, 29 Oct 2024 11:20:33 -0700
Subject: [PATCH] remove wrong detection

---
 .../endpoint/powershell_encoded_command.yml | 44 -------------------
 1 file changed, 44 deletions(-)
 delete mode 100644 detections/endpoint/powershell_encoded_command.yml

diff --git a/detections/endpoint/powershell_encoded_command.yml b/detections/endpoint/powershell_encoded_command.yml
deleted file mode 100644
index 5d12de64c8..0000000000
--- a/detections/endpoint/powershell_encoded_command.yml
+++ /dev/null
@@ -1,44 +0,0 @@
-name: Powershell Encoded Command
-id: 20df5805-f5c0-45ca-b3d5-1abf049f248b
-version: 1
-date: '2024-10-29'
-author: ''
-data_sources: []
-type: TTP
-status: production
-description: UPDATE_DESCRIPTION
-search: '| UPDATE_SPL | `powershell_encoded_command_filter`'
-how_to_implement: UPDATE_HOW_TO_IMPLEMENT
-known_false_positives: UPDATE_KNOWN_FALSE_POSITIVES
-references:
-- REFERENCE
-tags:
- analytic_story:
- - UPDATE_STORY_NAME
- asset_type: UPDATE asset_type
- confidence: UPDATE value between 1-100
- impact: UPDATE value between 1-100
- message: UPDATE message
- mitre_attack_id:
- - T1003.002
- observable:
- - name: UPDATE
- type: UPDATE
- role:
- - UPDATE
- product:
- - Splunk Enterprise
- - Splunk Enterprise Security
- - Splunk Cloud
- required_fields:
- - UPDATE
- risk_score: UPDATE (impact * confidence)/100
- security_domain: endpoint
- cve:
- - UPDATE WITH CVE(S) IF APPLICABLE
-tests:
-- name: True Positive Test
- attack_data:
- - data: https://github.com/splunk/contentctl/wiki
- sourcetype: UPDATE SOURCETYPE
- source: UPDATE SOURCE