security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity
Files
b2acd800981e1c8d9f747173eb7803f0405cebd6
blue-team-tools/rules/windows/powershell/powershell_script/posh_ps_hotfix_enum.yml
T

24 lines
788 B
YAML
Raw Normal View History

New Rules
2022-06-21 11:47:18 +01:00
title: PowerShell Hotfix Enumeration
Update ID's
2022-06-21 15:46:00 +01:00
id: f5d1def8-1de0-4a0e-9794-1f6f27dd605c
Merge PR #4479 From @frack113 - Upgrade Rules Status
2023-10-17 14:35:26 +02:00
status: test
New Rules
2022-06-21 11:47:18 +01:00
description: Detects call to "Win32_QuickFixEngineering" in order to enumerate installed hotfixes often used in "enum" scripts by attackers
references:
Update Ref+Selection
2022-07-11 14:11:53 +01:00
- https://github.com/411Hall/JAWS/blob/233f142fcb1488172aa74228a666f6b3c5c48f1d/jaws-enum.ps1
chore: add nextron authors tag
2023-02-01 11:14:59 +01:00
author: Nasreddine Bencherchali (Nextron Systems)
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
date: 2022-06-21
Order yaml field
2022-10-26 09:43:39 +02:00
tags:
- attack.discovery
New Rules
2022-06-21 11:47:18 +01:00
logsource:
product: windows
category: ps_script
feat: updates and enhancements
2023-01-04 17:49:32 +01:00
definition: 'Requirements: Script Block Logging must be enabled'
New Rules
2022-06-21 11:47:18 +01:00
detection:
selection:
ScriptBlockText|contains|all:
- 'Win32_QuickFixEngineering'
- 'HotFixID'
condition: selection
falsepositives:
- Legitimate administration scripts
level: medium
Reference in New Issue Copy Permalink