From 055992eb05c4b35b32725949fdf96e7d6c07babd Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Tue, 21 Mar 2017 10:22:13 +0100
Subject: [PATCH] Bugfix: PowerShell rules log source inconstency

---
 rules/windows/powershell/powershell_exe_calling_ps.yml | 4 ++--
 rules/windows/powershell/powershell_malicious_commandlets.yml | 4 ++--
 rules/windows/powershell/powershell_malicious_keywords.yml | 4 ++--
 rules/windows/powershell/powershell_psattack.yml | 4 ++--
 rules/windows/powershell/powershell_suspicious_download.yml | 4 ++--
 .../powershell/powershell_suspicious_invocation_generic.yml | 4 ++--
 .../powershell/powershell_suspicious_invocation_specific.yml | 4 ++--
 7 files changed, 14 insertions(+), 14 deletions(-)

diff --git a/rules/windows/powershell/powershell_exe_calling_ps.yml b/rules/windows/powershell/powershell_exe_calling_ps.yml
index 32c4d3dd0..db327cea8 100644
--- a/rules/windows/powershell/powershell_exe_calling_ps.yml
+++ b/rules/windows/powershell/powershell_exe_calling_ps.yml
@@ -4,8 +4,8 @@ description: Detects PowerShell called from an executable by the version mismatc
 reference: https://adsecurity.org/?p=2921
 author: Sean Metcalf (source), Florian Roth (rule)
 logsource:
-    platform: windows
-    product: powershell
+    product: windows
+    service: powershell
 description: 'It is recommanded to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277'
 detection:
     selection1:
diff --git a/rules/windows/powershell/powershell_malicious_commandlets.yml b/rules/windows/powershell/powershell_malicious_commandlets.yml
index d78ba91af..743c84e20 100644
--- a/rules/windows/powershell/powershell_malicious_commandlets.yml
+++ b/rules/windows/powershell/powershell_malicious_commandlets.yml
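Review bot: The context lines of this hunk show a second top-level `description:` key (the one carrying the Script Block Logging hint) in addition to the `description: Detects PowerShell called from an executable …` line visible in the hunk header; YAML does not allow duplicate keys, and most loaders silently keep the last value, so the rule's real description is replaced by the logging hint when the file is parsed. The same duplicate is present in the powershell_malicious_commandlets, powershell_malicious_keywords and powershell_psattack hunks. Since the commit already touches the adjacent `logsource` block, the second key should become a comment such as `# Requires PowerShell v5 "Script Block Logging", see https://adsecurity.org/?p=2277` rather than a key, which also drops the misspelling `recommanded`. The rest of each rule lies outside the hunk.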
@@ -4,8 +4,8 @@ description: Detects Commandlet names from well-known PowerShell exploitation fr
 reference: https://adsecurity.org/?p=2921
 author: Sean Metcalf (source), Florian Roth (rule)
 logsource:
-    platform: windows
-    product: powershell
+    product: windows
+    service: powershell
 description: 'It is recommanded to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277'
 detection:
     keywords:
diff --git a/rules/windows/powershell/powershell_malicious_keywords.yml b/rules/windows/powershell/powershell_malicious_keywords.yml
index b477c927c..7a8399952 100644
--- a/rules/windows/powershell/powershell_malicious_keywords.yml
+++ b/rules/windows/powershell/powershell_malicious_keywords.yml
@@ -4,8 +4,8 @@ description: Detects Commandlet names from well-known PowerShell exploitation fr
 reference: https://adsecurity.org/?p=2921
 author: Sean Metcalf (source), Florian Roth (rule)
 logsource:
-    platform: windows
-    product: powershell
+    product: windows
+    service: powershell
 description: 'It is recommanded to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277'
 detection:
     keywords:
diff --git a/rules/windows/powershell/powershell_psattack.yml b/rules/windows/powershell/powershell_psattack.yml
index 3f7a9a23e..44e908272 100644
--- a/rules/windows/powershell/powershell_psattack.yml
+++ b/rules/windows/powershell/powershell_psattack.yml
@@ -4,8 +4,8 @@ description: Detects the use of PSAttack PowerShell hack tool
 reference: https://adsecurity.org/?p=2921
 author: Sean Metcalf (source), Florian Roth (rule)
 logsource:
-    platform: windows
-    product: powershell
+    product: windows
+    service: powershell
 description: 'It is recommanded to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277'
 detection:
     EventID: 4103
diff --git a/rules/windows/powershell/powershell_suspicious_download.yml b/rules/windows/powershell/powershell_suspicious_download.yml
index 1fa32002b..e9997d1e0 100644
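Review bot: In the powershell_psattack hunk the description line recommends Script Block Logging, but the detection pins `EventID: 4103`, which is the module-logging event of the PowerShell Operational log; script block text is recorded under event 4104, so either the event ID or the recommendation is misleading and the rule should say which event it actually expects, e.g. `# 4103 = module logging (pipeline execution); script block logging is 4104`. The `EventID: 4103` line also sits directly under `detection:` rather than inside a named selection, which may not be accepted if the converter treats every child of `detection` as a search identifier; confirm the intended shape or nest it as `selection:` with `    EventID: 4103` beneath. The detection block continues outside the hunk.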
--- a/rules/windows/powershell/powershell_suspicious_download.yml
+++ b/rules/windows/powershell/powershell_suspicious_download.yml
@@ -3,8 +3,8 @@ status: experimental
 description: Detects suspicious PowerShell download command
 author: Florian Roth
 logsource:
-    platform: windows
-    product: powershell
+    product: windows
+    service: powershell
 detection:
     keywords:
         - 'System.Net.WebClient).DownloadString('
diff --git a/rules/windows/powershell/powershell_suspicious_invocation_generic.yml b/rules/windows/powershell/powershell_suspicious_invocation_generic.yml
index 9bb744e02..2a9c749c4 100644
--- a/rules/windows/powershell/powershell_suspicious_invocation_generic.yml
+++ b/rules/windows/powershell/powershell_suspicious_invocation_generic.yml
@@ -3,8 +3,8 @@ status: experimental
 description: Detects suspicious PowerShell invocation command parameters
 author: Florian Roth (rule)
 logsource:
-    platform: windows
-    product: powershell
+    product: windows
+    service: powershell
 detection:
     encoded:
         - ' -enc '
diff --git a/rules/windows/powershell/powershell_suspicious_invocation_specific.yml b/rules/windows/powershell/powershell_suspicious_invocation_specific.yml
index c48ea07d4..1ed95f75f 100644
--- a/rules/windows/powershell/powershell_suspicious_invocation_specific.yml
+++ b/rules/windows/powershell/powershell_suspicious_invocation_specific.yml
@@ -3,8 +3,8 @@ status: experimental
 description: Detects suspicious PowerShell invocation command parameters
 author: Florian Roth (rule)
 logsource:
-    platform: windows
-    product: powershell
+    product: windows
+    service: powershell
 detection:
     keywords:
         - ' -nop -w hidden -c * [Convert]::FromBase64String'
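Review bot: With the log source now `product: windows` / `service: powershell`, the keywords in the powershell_suspicious_invocation_generic and powershell_suspicious_invocation_specific hunks (` -enc `, ` -nop -w hidden -c …`) are command-line switches, and the PowerShell event log only carries those where an event records the host command line (the engine-state events do, in their HostApplication value; script block events do not), yet neither rule states which event it depends on. Add that to the `description:` line or as a comment such as `# matches the host command line recorded by PowerShell engine events, not script block text; confirm against the backend field mapping`. The powershell_suspicious_download hunk has the opposite situation, since `System.Net.WebClient).DownloadString(` can appear in script block text as well as on the command line, so the same note is worth adding there. Each rule's detection block continues outside the hunk.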