Small Typo error in tags.yaml #15
Description
Thanks for your work with the tags.yaml file. It's a great support when conducting an investigation !
I noticed an omitted "" in the two "source_short:REG" that causes this saved search to return 0 hit:
win_execution_indicator:
query_string: '(source_short:REG AND (key_path:"*Microsoft\\Windows\\ShellNoRoam\\MUICache*" OR key_path:"*Software\\Microsoft\\Windows\\Shell\\MUICache*")) OR parser:"prefetch" OR (source_short:EVTX AND event_identifier:"4688") OR (source_short:REG" AND key_path:"*LastVisitedPidlMRU*") OR (source_short:REG" AND key_path:"*LastVisitedMRU*") OR (source_short:EVTX AND source_name:"Microsoft-Windows-Application-Experience" AND event_identifier:"500")'
tags: ['win-execution','T1204','Execution','User-Execution','Medium']
emojis: ['MARK']
create_view: true
view_name: 'T1204-Execution'Query updated:
win_execution_indicator:
query_string: '(source_short:REG AND (key_path:"*Microsoft\\Windows\\ShellNoRoam\\MUICache*" OR key_path:"*Software\\Microsoft\\Windows\\Shell\\MUICache*")) OR parser:"prefetch" OR (source_short:EVTX AND event_identifier:"4688") OR (source_short:"REG" AND key_path:"*LastVisitedPidlMRU*") OR (source_short:"REG" AND key_path:"*LastVisitedMRU*") OR (source_short:EVTX AND source_name:"Microsoft-Windows-Application-Experience" AND event_identifier:"500")'
tags: ['win-execution','T1204','Execution','User-Execution','Medium']
emojis: ['MARK']
create_view: true
view_name: 'T1204-Execution'