rules/windows/powershell/powershell_psattack.yml

title: PowerShell PSAttack 
status: experimental
description: Detects the use of PSAttack PowerShell hack tool
reference: https://adsecurity.org/?p=2921
author: Sean Metcalf (source), Florian Roth (rule)
logsource:
    product: windows
    service: powershell
    description: 'It is recommanded to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277'
detection:
    EventID: 4103
    keywords:
        - 'PS ATTACK!!!'
    condition: keywords
falsepositives:
    - Pentesters
level: high
First PowerShell Ruleset 2017-03-05 01:47:25 +01:00			`title: PowerShell PSAttack`
			`status: experimental`
			`description: Detects the use of PSAttack PowerShell hack tool`
			`reference: https://adsecurity.org/?p=2921`
			`author: Sean Metcalf (source), Florian Roth (rule)`
			`logsource:`
Bugfix: PowerShell rules log source inconstency 2017-03-21 10:22:13 +01:00			`product: windows`
			`service: powershell`
First PowerShell Ruleset 2017-03-05 01:47:25 +01:00			`description: 'It is recommanded to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277'`
			`detection:`
PowerShell Rules Revision 2017-03-05 14:14:31 +01:00			`EventID: 4103`
First PowerShell Ruleset 2017-03-05 01:47:25 +01:00			`keywords:`
			`- 'PS ATTACK!!!'`
			`condition: keywords`
			`falsepositives:`
			`- Pentesters`
			`level: high`