From 1ae596b634de23386aba382e93a34088a64de519 Mon Sep 17 00:00:00 2001
From: Tim Shelton
Date: Thu, 4 Nov 2021 17:07:00 +0000
Subject: [PATCH 1/3] removing rule 867613fb-fa60-4497-a017-a82df74a172c . this is a duplicate of 092bc4b9-3d1d-43b4-a6b4-8c8acd83522f and does not contain an allow list of known processes.
---
 ...sysmon_powershell_execution_moduleload.yml | 29 -------------------
 1 file changed, 29 deletions(-)
 delete mode 100755 rules/windows/image_load/sysmon_powershell_execution_moduleload.yml
diff --git a/rules/windows/image_load/sysmon_powershell_execution_moduleload.yml b/rules/windows/image_load/sysmon_powershell_execution_moduleload.yml
deleted file mode 100755
index 111759c39..000000000
--- a/rules/windows/image_load/sysmon_powershell_execution_moduleload.yml
+++ /dev/null
@@ -1,29 +0,0 @@
-title: PowerShell Execution
-id: 867613fb-fa60-4497-a017-a82df74a172c
-description: Detects execution of PowerShell
-status: experimental
-date: 2019/09/12
-modified: 2019/11/10
-author: Roberto Rodriguez @Cyb3rWard0g
-references:
- - https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190410151110.html
-tags:
- - attack.execution
- - attack.t1086 # an old one
- - attack.t1059.001
-logsource:
- category: image_load
- product: windows
-detection:
- selection:
- Description: 'System.Management.Automation'
- ImageLoaded|contains: 'System.Management.Automation'
- condition: selection
-fields:
- - ComputerName
- - Image
- - ProcessID
- - ImageLoaded
-falsepositives:
- - Unknown
-level: medium
From e266491f0a270b210d2c7dc83e4a9f0b146b8f5f Mon Sep 17 00:00:00 2001
From: Tim Shelton
Date: Thu, 4 Nov 2021 18:36:55 +0000
Subject: [PATCH 2/3] adding obsoletes tags
---
 rules/windows/image_load/sysmon_in_memory_powershell.yml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/rules/windows/image_load/sysmon_in_memory_powershell.yml b/rules/windows/image_load/sysmon_in_memory_powershell.yml
index d4f1dcd25..16e0993fa 100755
--- a/rules/windows/image_load/sysmon_in_memory_powershell.yml
+++ b/rules/windows/image_load/sysmon_in_memory_powershell.yml
@@ -1,5 +1,8 @@
 title: In-memory PowerShell
 id: 092bc4b9-3d1d-43b4-a6b4-8c8acd83522f
+related:
+ id: 867613fb-fa60-4497-a017-a82df74a172c
+ type: obsoletes
 status: experimental
 description: Detects loading of essential DLL used by PowerShell, but not by the process powershell.exe. Detects meterpreter's "load powershell" extension.
 author: Tom Kern, oscd.community, Natalia Shornikova
From dda204bd51e193751a00d5abe60398565871d254 Mon Sep 17 00:00:00 2001
From: Tim Shelton
Date: Thu, 4 Nov 2021 18:56:07 +0000
Subject: [PATCH 3/3] updating yaml
---
 rules/windows/image_load/sysmon_in_memory_powershell.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/rules/windows/image_load/sysmon_in_memory_powershell.yml b/rules/windows/image_load/sysmon_in_memory_powershell.yml
index 16e0993fa..5ca45f7d1 100755
--- a/rules/windows/image_load/sysmon_in_memory_powershell.yml
+++ b/rules/windows/image_load/sysmon_in_memory_powershell.yml
@@ -1,8 +1,8 @@
 title: In-memory PowerShell
 id: 092bc4b9-3d1d-43b4-a6b4-8c8acd83522f
 related:
- id: 867613fb-fa60-4497-a017-a82df74a172c
- type: obsoletes
+ - id: 867613fb-fa60-4497-a017-a82df74a172c
+ type: obsoletes
 status: experimental
 description: Detects loading of essential DLL used by PowerShell, but not by the process powershell.exe. Detects meterpreter's "load powershell" extension.
 author: Tom Kern, oscd.community, Natalia Shornikova
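Review bot: The `type: obsoletes` entry added in PATCH 2/3 and reshaped into list form in PATCH 3/3 declares that rule 092bc4b9 fully supersedes 867613fb, but the context line `description: Detects loading of essential DLL used by PowerShell, but not by the process powershell.exe` shows the surviving rule deliberately excludes powershell.exe, while the deleted rule in PATCH 1/3 matched any load of System.Management.Automation; the series narrows coverage rather than removing a pure duplicate, and the commit message's "duplicate" wording does not say so. That delta should be recorded for rule consumers, e.g. by extending the description with `Loads by powershell.exe itself are intentionally excluded; the obsoleted rule 867613fb-fa60-4497-a017-a82df74a172c covered them.` and by carrying the deleted rule's threathunterplaybook URL into this rule's `references:` so its provenance survives. If the file has a `modified:` field below the hunk it should also be bumped to the change date; that field and the detection block are outside the visible hunk, so the subject's claim about an allow list of known processes cannot be checked from these lines.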