refactor condition

frack113
2022-06-03 15:35:24 +02:00
parent 2c1fd87a27
commit 8de0027ca3
58 changed files with 120 additions and 120 deletions
@@ -15,7 +15,7 @@ logsource:
category: ps_script
definition: 'It is recommended to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277'
detection:
Malicious:
selection:
ScriptBlockText|contains:
- 'AdjustTokenPrivileges'
- 'IMAGE_NT_OPTIONAL_HDR64_MAGIC'
@@ -37,7 +37,7 @@ detection:
- 'TOKEN_QUERY'
- 'Metasploit'
- 'Mimikatz'
condition: Malicious
condition: selection
falsepositives:
- Unknown
level: high
@@ -14,11 +14,11 @@ logsource:
category: ps_script
definition: Script block logging must be enabled
detection:
dump:
selection:
ScriptBlockText|contains|all:
- 'Get-StorageDiagnosticInfo'
- '-IncludeLiveDump'
condition: dump
condition: selection
falsepositives:
- Diagnostics
level: high
@@ -15,7 +15,7 @@ logsource:
category: ps_script
definition: Script block logging must be enabled
detection:
Nishang:
selection:
ScriptBlockText|contains:
- Add-ConstrainedDelegationBackdoor
- Set-DCShadowPermissions
@@ -88,7 +88,7 @@ detection:
- NotAllNameSpaces
- exfill
- FakeDC
condition: Nishang
condition: selection
falsepositives:
- Unknown
level: high
@@ -16,9 +16,9 @@ logsource:
category: ps_script
definition: Script Block Logging must be enabled
detection:
PfxCertificate:
selection:
ScriptBlockText|contains: 'Export-PfxCertificate'
condition: PfxCertificate
condition: selection
falsepositives:
- Legitimate certificate exports invoked by administrators or users (depends on processes in the environment - filter if unusable)
level: high
@@ -15,9 +15,9 @@ logsource:
category: ps_script
definition: Script Block Logging must be enabled
detection:
select_LSASS:
selection:
ScriptBlockText|contains: 'Get-Process lsass'
condition: select_LSASS
condition: selection
falsepositives:
- Legitimate certificate exports invoked by administrators or users (depends on processes in the environment - filter if unusable)
level: high
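Review bot: The `falsepositives` entry in this rule still reads "Legitimate certificate exports invoked by administrators or users", which belongs to the Export-PfxCertificate rule above and does not describe a `Get-Process lsass` detection; the commit renames the selection but leaves this copy-paste text in place. A reviewer triaging an alert from this rule would get misleading tuning guidance, so it should say something like `- Legitimate administrative or troubleshooting scripts enumerating the lsass process (filter on account or script path if noisy)`. As a secondary point, the selection matches only the literal `Get-Process lsass`; presumably variants such as `Get-Process -Name lsass` or `Get-Process lsass*` are also of interest — if so, the list could be widened, but confirm against the rule's intent, which sits above the hunk (the rule's header and tags start outside it).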
@@ -18,7 +18,7 @@ logsource:
category: ps_script
definition: Script block logging must be enabled for 4104
detection:
framework:
selection:
ScriptBlockText|contains:
- 'System.Reflection.Assembly.Load($'
- '[System.Reflection.Assembly]::Load($'
@@ -31,7 +31,7 @@ detection:
# - 'FromBase64'
- 'Invoke-WMIMethod'
- 'http://127.0.0.1'
condition: framework
condition: selection
falsepositives:
- Unknown
level: high