Cleanup PS rules

2021-08-21 09:58:58 +02:00
parent da839775fe
commit 0fb6c35b1f
12 changed files with 12 additions and 14 deletions
@@ -14,7 +14,7 @@ tags:
 logsource:
    product: windows
    service: powershell
-    definition: 'Script block logging must be enabled'
+    definition: Script block logging must be enabled
 detection:
    selection2:
        EventID: 4104
@@ -17,7 +17,7 @@ modified: 2021/08/04
 logsource:
    product: windows
    service: powershell
-    definition: 'Script block logging must be enabled'
+    definition: Script block logging must be enabled
 detection:
    selection:
        EventID: 4104
@@ -10,7 +10,7 @@ references:
 logsource:
    product: windows
    service: powershell
-    definition: 'Script block logging must be enabled'
+    definition: Script block logging must be enabled
 detection:
    selection:
        EventID: 4104
@@ -14,7 +14,7 @@ tags:
 logsource:
    product: windows
    service: powershell
-    definition: 'Script block logging must be enabled'
+    definition: Script block logging must be enabled
 detection:
    selection:
        EventID: 4104
@@ -12,7 +12,7 @@ tags:
 logsource:
    product: windows
    service: powershell
-    definition: 'Script block logging must be enabled'
+    definition: Script block logging must be enabled
 detection:
    selection:
        EventID: 4104
@@ -9,7 +9,7 @@ author: Max Altgelt, Tobias Michalski
 logsource:
    product: windows
    service: powershell
-    definition: It is recommended to use the new "Script Block Logging" of PowerShell v5.
+    definition: Script Block Logging must be enable
 detection:
  selection:
      EventID: 4104
@@ -14,7 +14,7 @@ tags:
 logsource:
    product: windows
    service: powershell
-    definition: 'Script block logging must be enabled'
+    definition: Script block logging must be enabled for 4104, Module Logging must be enable for 4103
 detection:
    selection_1:
        EventID: 4104
@@ -10,13 +10,13 @@ tags:
    - attack.t1086  #an old one
 author: Sean Metcalf (source), Florian Roth (rule), Bartlomiej Czyz @bczyz1 (update), oscd.community (update)
 date: 2017/03/05
-modified: 2020/10/11
+modified: 2021/08/21
 logsource:
    product: windows
    service: powershell
-    definition: 'It is recommended to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277'
+    definition: Script Block Logging must be enable
 detection:
-    keywords:
+    select_Malicious:
        EventID: 4104
        ScriptBlockText|contains:
            - "Invoke-DllInjection"
@@ -115,10 +115,8 @@ detection:
            - "Invoke-Mimikittenz"
            - "Invoke-AllChecks"
    false_positives:
-        EventID: 4104
-        ScriptBlockText|contains:
-            - Get-SystemDriveInfo  # http://bheltborg.dk/Windows/WinSxS/amd64_microsoft-windows-maintenancediagnostic_31bf3856ad364e35_10.0.10240.16384_none_91ef7543a4514b5e/CL_Utility.ps1
-    condition: keywords and not false_positives
+        ScriptBlockText|contains: Get-SystemDriveInfo  # http://bheltborg.dk/Windows/WinSxS/amd64_microsoft-windows-maintenancediagnostic_31bf3856ad364e35_10.0.10240.16384_none_91ef7543a4514b5e/CL_Utility.ps1
+    condition: select_Malicious and not false_positives
 falsepositives:
    - Penetration testing
 level: high