From 3ddca10161b5b73d0b355aad57140b39b7a7727b Mon Sep 17 00:00:00 2001
From: huoji
Date: Wed, 21 Sep 2022 15:49:40 +0800
Subject: [PATCH] Update process.py
---
 Server/rules/py/attck/process.py | 24 ++++++++++++------------
 1 file changed, 12 insertions(+), 12 deletions(-)
diff --git a/Server/rules/py/attck/process.py b/Server/rules/py/attck/process.py
index a1354d5..dc93e0f 100644
--- a/Server/rules/py/attck/process.py
+++ b/Server/rules/py/attck/process.py
@@ -1,9 +1,9 @@
 rule = [
 {
 'rules': [
- 'originalfilename =~ ".*taskill.exe.*"',
- 'originalfilename =~ ".*net.exe.*" and commandline =~ ".*stop.*"',
- 'originalfilename =~ ".*sc.exe.*" and commandline =~ ".*config.*" and commandline =~ ".*disabled.*"',
+ 'originalfilename == "taskill.exe"',
+ 'originalfilename == "net.exe" and commandline =~ ".*stop.*"',
+ 'originalfilename == "sc.exe" and commandline =~ ".*config.*" and commandline =~ ".*disabled.*"',
 ],
 'attck_hit':['T1489'],
 'score': 30,
@@ -44,7 +44,7 @@ rule = [
 },
 {
 'rules': [
- 'originalfilename =~ ".*vssadmin.exe.*" and commandline =~ ".*create.*"',
+ 'originalfilename =~ ".*vssadmin.exe" and commandline =~ ".*create.*"',
 ],
 'attck_hit':['T1003.003'],
 'score': 30,
@@ -52,7 +52,7 @@ rule = [
 },
 {
 'rules': [
- 'originalfilename =~ ".*wbadmin.exe.*" and commandline =~ ".*delete.*"',
+ 'originalfilename =~ ".*wbadmin.exe" and commandline =~ ".*delete.*"',
 'originalfilename =~ ".*bcdedit.exe" and commandline =~ ".*recoveryenabled.*no.*"',
 'originalfilename =~ ".*bcdedit.exe" and commandline =~ ".*bootstatuspolicy.*ignoreallfailures.*"',
 'originalfilename =~ ".*wmic.exe" and commandline =~ ".*shadowcopy.*" and commandline =~ ".*delete.*"',
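Review bot: `'originalfilename == "taskill.exe"'` on the first added line of the `-1,9` hunk looks like a misspelling of `taskkill.exe`; the old regex `.*taskill.exe.*` did not match that name either, and with an exact `==` comparison the T1489 rule can never fire on it, so the taskkill coverage is silently lost. Suggested line: `'originalfilename == "taskkill.exe"',` — please confirm against the binary's OriginalFilename resource before relying on it. Whether `==` compares case-insensitively depends on the rule evaluator, which is outside this patch; if it is case-sensitive the exact-match form is stricter than the regexes it replaces, which deserves a one-line comment above the `'rules'` list. The enclosing `rule` list opens in this hunk and continues past it.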
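Review bot: The `-44,7` hunk, together with the `-52,7` and `-75,7` hunks, keeps `originalfilename =~ ".*vssadmin.exe"`-style regex matching while the `-1,9` and `-64,9` hunks move the same field to exact `==` comparison, so one commit leaves two conventions for the same check; settling on one (e.g. `'originalfilename == "vssadmin.exe" and commandline =~ ".*create.*"',`) would make the rule file easier to audit. If the regex form is kept, the unescaped `.` in `vssadmin.exe` matches any character, so `".*vssadmin\\.exe"` is the precise pattern, assuming the evaluator uses Python-style regex syntax — that engine is not in this patch. Dropping the trailing `.*` only changes behaviour if `=~` performs a full match rather than a search, which is worth confirming before treating this as a tightening.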
@@ -64,9 +64,9 @@ rule = [
 },
 {
 'rules': [
- 'originalfilename =~ ".*net.exe.*" and commandline =~ ".*view.*"',
- 'originalfilename =~ ".*net.exe.*" and commandline =~ ".*group.*"',
- 'originalfilename =~ ".*ping.exe"',
+ 'originalfilename == "net.exe" and commandline =~ ".*view.*"',
+ 'originalfilename == "net.exe" and commandline =~ ".*group.*"',
+ 'originalfilename == "ping.exe"',
 ],
 'attck_hit':['T1018'],
@@ -75,7 +75,7 @@ rule = [
 },
 {
 'rules': [
- 'originalfilename =~ ".*fsutil.exe.*" and commandline =~ ".*deletejournal.*"',
+ 'originalfilename =~ ".*fsutil.exe" and commandline =~ ".*deletejournal.*"',
 ],
 'attck_hit':['T1070.004'],
 'score': 10,
@@ -83,11 +83,11 @@ rule = [
 },
 {
 'rules': [
- 'originalfilename =~ ".*net.exe.*" and commandline =~ ".*user.*"',
- 'originalfilename =~ ".*whoami.*"',
+ 'originalfilename == ".*net.exe" and commandline =~ ".*user.*"',
+ 'originalfilename =~ ".*whoami.exe"',
 'originalfilename =~ ".*query.exe"',
 'originalfilename =~ ".*setspn.exe"',
- 'originalfilename =~ ".*cmdkey.exe.*"'
+ 'originalfilename =~ ".*cmdkey.exe"'
 ],
 'attck_hit':['T1087.001'],
 'score': 30,
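Review bot: `'originalfilename == ".*net.exe" and commandline =~ ".*user.*"'` in the `-83,11` hunk pairs a regex pattern with the exact-match operator, so it only fires when the original filename is literally the string `.*net.exe`; the T1087.001 rule therefore loses its `net user` detection, while every other `==` rule in this commit uses a bare filename. Suggested line: `'originalfilename == "net.exe" and commandline =~ ".*user.*"',`. Separately, `.*user.*` matches any command line that merely contains `user` (a `Users` path, if matching is case-insensitive), so a word-bounded pattern such as `".*\\buser\\b.*"` may reduce noise, depending on the regex engine the evaluator uses. The enclosing `rule` list starts and ends outside this hunk.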