security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
7b64ab552f94de507753860b6ff0268d4a656321
blue-team-tools/rules/windows/powershell/powershell_suspicious_download.yml
T

27 lines
726 B
YAML
Raw Normal View History

More PowerShell rules
2017-03-05 15:01:51 +01:00
title: Suspicious PowerShell Download
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
id: 65531a81-a694-4e31-ae04-f8ba5bc33759
More PowerShell rules
2017-03-05 15:01:51 +01:00
status: experimental
description: Detects suspicious PowerShell download command
Tagged windows powershell, other and malware rules.
2018-07-24 10:56:41 +02:00
tags:
- attack.execution
Initial round of subtechnique updates
2020-06-16 14:46:08 -06:00
- attack.t1059.001
windows/powershell folder reviewed. Old ID’s marked with comment “an old one”. These ID’s have to be removed in future.
2020-08-24 00:01:50 +00:00
- attack.t1086 #an old one
More PowerShell rules
2017-03-05 15:01:51 +01:00
author: Florian Roth
fix: fixed missing date fields in remaining files
2020-01-30 16:07:37 +01:00
date: 2017/03/05
More PowerShell rules
2017-03-05 15:01:51 +01:00
logsource:
Bugfix: PowerShell rules log source inconstency
2017-03-21 10:22:13 +01:00
product: windows
service: powershell
More PowerShell rules
2017-03-05 15:01:51 +01:00
detection:
fix: converted CRLF line break to LF
2020-03-25 14:36:34 +01:00
downloadfile:
Message|contains|all:
- 'System.Net.WebClient'
- '.DownloadFile('
downloadstring:
Message|contains|all:
- 'System.Net.WebClient'
- '.DownloadString('
condition: downloadfile or downloadstring
More PowerShell rules
2017-03-05 15:01:51 +01:00
falsepositives:
- PowerShell scripts that download content from the Internet
level: medium
Reference in New Issue Copy Permalink