security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
f00aaf8461f97abec19f81aa4fc0edaa76ff6cf1
blue-team-tools/rules/windows/image_load/sysmon_powershell_execution_moduleload.yml
T

30 lines
748 B
YAML
Raw Normal View History

Added rules files split into folders
2020-06-10 16:32:30 +02:00
title: PowerShell Execution
id: 867613fb-fa60-4497-a017-a82df74a172c
description: Detects execution of PowerShell
status: experimental
date: 2019/09/12
modified: 2019/11/10
author: Roberto Rodriguez @Cyb3rWard0g
references:
Update Threat Hunter Playbook Reference
2021-05-22 01:01:07 -03:00
- https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190410151110.html
Added rules files split into folders
2020-06-10 16:32:30 +02:00
tags:
- attack.execution
att&ck tags review: windows/builtin, windows/driver_load, windows/file_event, windows/image_load, windows/other
2020-08-25 01:09:17 +02:00
- attack.t1086 # an old one
Updated tags to include sub-techniques
2020-07-18 02:50:57 +01:00
- attack.t1059.001
att&ck tags review: windows/builtin, windows/driver_load, windows/file_event, windows/image_load, windows/other
2020-08-25 01:09:17 +02:00
logsource:
category: image_load
product: windows
Added rules files split into folders
2020-06-10 16:32:30 +02:00
detection:
selection:
Modified some field values for case sensitive backends (SQL)
2021-05-13 06:19:04 +02:00
Description: 'System.Management.Automation'
ImageLoaded|contains: 'System.Management.Automation'
Added rules files split into folders
2020-06-10 16:32:30 +02:00
condition: selection
fields:
- ComputerName
- Image
- ProcessID
- ImageLoaded
falsepositives:
- Unknown
level: medium
Reference in New Issue Copy Permalink