Merge branch 'SigmaHQ:master' into nasbench-rule-devel

Nasreddine Bencherchali
2022-12-30 11:49:08 +01:00
committed by GitHub
35 changed files with 267 additions and 75 deletions
@@ -8,7 +8,7 @@ references:
- https://adsecurity.org/?p=2604
author: frack113
date: 2021/10/20
modified: 2022/12/02
modified: 2022/12/30
tags:
- attack.execution
- attack.t1059.001
@@ -25,8 +25,8 @@ detection:
- 'bypass'
- 'RemoteSigned'
filter:
- ParentImage: 'C:\ProgramData\chocolatey\choco.exe'
- ScriptBlockText|contains:
# - ParentImage: 'C:\ProgramData\chocolatey\choco.exe' Powershell event id 4104 do not have ParentImage
ScriptBlockText|contains:
- "(New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1')"
- "(New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1')"
- '\AppData\Roaming\Code\'
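Review bot: The rewritten `filter` excludes any script block whose text merely contains one of the three substrings, because `ScriptBlockText|contains` matches anywhere in the block rather than the whole installer command; a block that carries the `bypass`/`RemoteSigned` selection alongside unrelated content is still dropped if it happens to include the chocolatey `DownloadString(...)` text or `\AppData\Roaming\Code\`. Consider narrowing the filter to the known installer shape (for example a `ScriptBlockText|re:` pattern anchored on the full `Set-ExecutionPolicy ... DownloadString(...)` line) so the exclusion is no broader than the benign case it documents, and note in `falsepositives` that VS Code and chocolatey bootstrap scripts are excluded. The commented-out `ParentImage` entry on the line above the new key is dead YAML; keeping only the explanatory comment, e.g. `# ParentImage is not available on PowerShell event 4104, so the chocolatey case is filtered on the script text instead`, reads cleaner. The `condition` that combines `selection` and `filter` is outside the hunk, so whether the filter is applied with `not` could not be confirmed here.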
@@ -13,7 +13,7 @@ references:
- https://www.elastic.co/guide/en/security/current/windows-firewall-disabled-via-powershell.html
author: Austin Songer @austinsonger
date: 2021/10/12
modified: 2022/10/11
modified: 2022/12/30
tags:
- attack.defense_evasion
- attack.t1562.004
@@ -23,12 +23,12 @@ logsource:
definition: Script block logging must be enabled
detection:
selection_args:
CommandLine|contains|all:
ScriptBlockText|contains|all:
- 'Set-NetFirewallProfile '
- ' -Enabled '
- ' False'
selection_opt:
CommandLine|contains:
ScriptBlockText|contains:
- ' -All '
- 'Public'
- 'Domain'
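Review bot: `selection_args` uses `ScriptBlockText|contains|all` with three independent, space-padded substrings, so the rule does not require `-Enabled` and `False` to be adjacent: `' False'` appearing anywhere in a larger script block satisfies the third token, and the trailing spaces in `'Set-NetFirewallProfile '` and `' -Enabled '` bind the match to single-space separation even though script block text preserves the author's original whitespace. Switching from `CommandLine` to `ScriptBlockText` is consistent with the `definition` on the first context line, but the same precision concern applies to `selection_opt`, where `'Public'` and `'Domain'` are short enough to occur in unrelated script blocks. A single anchored pattern such as `ScriptBlockText|re: 'Set-NetFirewallProfile\s[^\n]*-Enabled\s+False'` (constructed sketch, adjust to the test cases) would tie the tokens together; otherwise a comment above `selection_args` stating that the tokens are matched independently would at least document the behaviour. The `condition` joining `selection_args` and `selection_opt` lies outside the hunk.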