Bugfix: PowerShell rules log source inconsistency

Florian Roth
2017-03-21 10:22:13 +01:00
parent 6f38a44ec1
commit 055992eb05
7 changed files with 14 additions and 14 deletions
@@ -4,8 +4,8 @@ description: Detects PowerShell called from an executable by the version mismatc
reference: https://adsecurity.org/?p=2921
author: Sean Metcalf (source), Florian Roth (rule)
logsource:
platform: windows
product: powershell
product: windows
service: powershell
description: 'It is recommanded to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277'
detection:
selection1:
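Review bot: the free-text note under `logsource` in this hunk reuses the key `description`, the same key as the rule-level description two lines above the hunk, and it carries the typo "recommanded"; since the hunk already touches the adjacent `product`/`service` lines, fix the spelling to "recommended" and consider moving the note to the logsource `definition` field so tooling does not confuse the two descriptions.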
@@ -4,8 +4,8 @@ description: Detects Commandlet names from well-known PowerShell exploitation fr
reference: https://adsecurity.org/?p=2921
author: Sean Metcalf (source), Florian Roth (rule)
logsource:
platform: windows
product: powershell
product: windows
service: powershell
description: 'It is recommanded to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277'
detection:
keywords:
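Review bot: the rule description in the hunk header says "Commandlet", while the PowerShell term is "cmdlet"; together with the "recommanded" typo in the logsource note, both spellings are worth correcting in the same commit, since the `product: windows` / `service: powershell` switch is the only content change and the surrounding lines are already being edited.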
@@ -4,8 +4,8 @@ description: Detects Commandlet names from well-known PowerShell exploitation fr
reference: https://adsecurity.org/?p=2921
author: Sean Metcalf (source), Florian Roth (rule)
logsource:
platform: windows
product: powershell
product: windows
service: powershell
description: 'It is recommanded to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277'
detection:
keywords:
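Review bot: this rule's header carries exactly the same description as the previous hunk ("Detects Commandlet names from well-known PowerShell exploitation fr..."), so an analyst seeing an alert cannot tell which of the two rules fired from the description alone; give each rule a description that names what distinguishes its keyword set, and apply the same "recommended" spelling fix here.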
@@ -4,8 +4,8 @@ description: Detects the use of PSAttack PowerShell hack tool
reference: https://adsecurity.org/?p=2921
author: Sean Metcalf (source), Florian Roth (rule)
logsource:
platform: windows
product: powershell
product: windows
service: powershell
description: 'It is recommanded to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277'
detection:
EventID: 4103
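Review bot: the context line `EventID: 4103` sits directly under `detection:` rather than inside a named selection with a `condition`, which is not the Sigma detection structure; wrap it, e.g. `selection:` followed by an indented `EventID: 4103`, and add a condition. Note also that 4103 is the Module Logging event while the logsource note recommends Script Block Logging (event 4104), so the filter as written excludes the log the note recommends.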
@@ -3,8 +3,8 @@ status: experimental
description: Detects suspicious PowerShell download command
author: Florian Roth
logsource:
platform: windows
product: powershell
product: windows
service: powershell
detection:
keywords:
- 'System.Net.WebClient).DownloadString('
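Review bot: this rule switches to `product: windows` / `service: powershell` like the others but, unlike them, carries no logsource note telling the reader which PowerShell logging must be enabled; since the detection is keyword-based on script text such as `System.Net.WebClient).DownloadString(`, it only fires where script block or module logging is on, so add the same "Script Block Logging" note used in the other rules in this commit.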
@@ -3,8 +3,8 @@ status: experimental
description: Detects suspicious PowerShell invocation command parameters
author: Florian Roth (rule)
logsource:
platform: windows
product: powershell
product: windows
service: powershell
detection:
encoded:
- ' -enc '
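Review bot: the `encoded` keyword `' -enc '` with surrounding spaces is a narrow match for one spelling of the encoded-command parameter and the hunk shows no other variants in the list; document in the rule why this single form was chosen, or widen the list so the rule's stated goal of catching "suspicious PowerShell invocation command parameters" is not dependent on one exact token, and keep the leading space so `-enc` inside longer words is still excluded.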
@@ -3,8 +3,8 @@ status: experimental
description: Detects suspicious PowerShell invocation command parameters
author: Florian Roth (rule)
logsource:
platform: windows
product: powershell
product: windows
service: powershell
detection:
keywords:
- ' -nop -w hidden -c * [Convert]::FromBase64String'
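Review bot: this rule's description in the hunk header is identical to the previous rule's ("Detects suspicious PowerShell invocation command parameters"), so the two are indistinguishable in alert output; differentiate them. The keyword `' -nop -w hidden -c * [Convert]::FromBase64String'` also hard-codes one ordering and spelling of the parameters with a single wildcard between `-c` and the decode call, so the rule silently misses any reordering; state that limitation in the description or split the pattern into separately listed keywords.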