security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity
Files
91c4c4ecc51de7a7ac5e2fb3e11dd45f4ddfbb2a
blue-team-tools/rules/windows/sysmon/sysmon_powershell_execution_moduleload.yml
T

30 lines
764 B
YAML
Raw Normal View History

Removed ATT&CK technique ids from titles and added tags
2020-01-11 00:33:50 +01:00
title: PowerShell Execution
UUIDs + moved unsupported logic
2019-12-19 23:56:36 +01:00
id: 867613fb-fa60-4497-a017-a82df74a172c
added:
2019-10-24 15:48:38 +02:00
description: Detects execution of PowerShell
status: experimental
date: 2019/09/12
oscd task #6 done.
2019-11-10 18:43:41 +03:00
modified: 2019/11/10
added:
2019-10-24 15:48:38 +02:00
author: Roberto Rodriguez @Cyb3rWard0g
references:
OSCD QA wave 1
2020-01-11 00:11:27 +01:00
- https://github.com/hunters-forge/ThreatHunter-Playbook/blob/8869b7a58dba1cff63bae1d7ab923974b8c0539b/playbooks/WIN-190410151110.yaml
added:
2019-10-24 15:48:38 +02:00
logsource:
product: windows
service: sysmon
Removed ATT&CK technique ids from titles and added tags
2020-01-11 00:33:50 +01:00
tags:
- attack.execution
- attack.t1086
added:
2019-10-24 15:48:38 +02:00
detection:
selection:
EventID: 7
Description: 'system.management.automation'
oscd task #6 done.
2019-11-10 18:43:41 +03:00
ImageLoaded|contains: 'system.management.automation'
added:
2019-10-24 15:48:38 +02:00
condition: selection
OSCD QA wave 1
2020-01-11 00:11:27 +01:00
fields:
- ComputerName
- Image
- ProcessID
- ImageLoaded
added:
2019-10-24 15:48:38 +02:00
falsepositives:
- Unknown
OSCD QA wave 1
2020-01-11 00:11:27 +01:00
level: medium
Reference in New Issue Copy Permalink