2021-10-11 07:42:04 +02:00
|
|
|
title: Conversion of Generic Rules into Powershell Specific EventID Rules
|
2021-10-16 08:19:25 +02:00
|
|
|
order: 15
|
2021-10-16 08:37:51 +02:00
|
|
|
#
|
|
|
|
|
# some references :
|
|
|
|
|
# https://redblueteam.wordpress.com/2020/02/08/enable-command-line-and-powershell-audit-for-better-threat-hunting/
|
|
|
|
|
# https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_logging_windows?view=powershell-7.1
|
|
|
|
|
#
|
2021-10-11 07:42:04 +02:00
|
|
|
logsources:
|
|
|
|
|
ps_module:
|
|
|
|
|
category: ps_module
|
|
|
|
|
product: windows
|
|
|
|
|
conditions:
|
|
|
|
|
EventID: 4103
|
|
|
|
|
rewrite:
|
|
|
|
|
product: windows
|
|
|
|
|
service: powershell
|
|
|
|
|
ps_script:
|
|
|
|
|
category: ps_script
|
|
|
|
|
product: windows
|
|
|
|
|
conditions:
|
|
|
|
|
EventID: 4104
|
|
|
|
|
rewrite:
|
|
|
|
|
product: windows
|
|
|
|
|
service: powershell
|
2021-10-11 07:44:48 +02:00
|
|
|
# for the "classic" channel
|
|
|
|
|
ps_classic_start:
|
2021-10-11 07:42:04 +02:00
|
|
|
category: ps_classic_start
|
|
|
|
|
product: windows
|
|
|
|
|
conditions:
|
|
|
|
|
EventID: 400
|
|
|
|
|
rewrite:
|
|
|
|
|
product: windows
|
2021-10-11 07:44:48 +02:00
|
|
|
service: powershell-classic
|
|
|
|
|
ps_classic_provider_start:
|
2021-10-11 07:42:04 +02:00
|
|
|
category: ps_classic_provider_start
|
|
|
|
|
product: windows
|
|
|
|
|
conditions:
|
|
|
|
|
EventID: 600
|
|
|
|
|
rewrite:
|
|
|
|
|
product: windows
|
2021-10-11 07:44:48 +02:00
|
|
|
service: powershell-classic
|
|
|
|
|
ps_classic_script:
|
2021-10-11 07:42:04 +02:00
|
|
|
category: ps_classic_script
|
|
|
|
|
product: windows
|
|
|
|
|
conditions:
|
|
|
|
|
EventID: 800
|
|
|
|
|
rewrite:
|
|
|
|
|
product: windows
|
|
|
|
|
service: powershell-classic
|
