Merge pull request #1901 from frack113/redcanary

Redcanary Powershell Suspicious Win32_PnPEntity T1120
frack113
2021-08-23 19:44:16 +02:00
committed by GitHub
3 changed files with 24 additions and 0 deletions
@@ -0,0 +1,23 @@
title: Powershell Suspicious Win32_PnPEntity
id: b26647de-4feb-4283-af6b-6117661283c5
status: experimental
author: frack113
date: 2021/08/23
description: Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1120/T1120.md
tags:
- attack.discovery
- attack.t1120
logsource:
product: windows
service: powershell
definition: EnableScriptBlockLogging must be set to enable
detection:
selection:
EventID: 4104
ScriptBlockText|contains: Win32_PnPEntity
condition: selection
falsepositives:
- admin script
level: low
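Review bot: the only documented false positive, `- admin script`, is too vague for a rule whose entire selection is a single `ScriptBlockText|contains: Win32_PnPEntity` keyword match; any legitimate hardware or driver inventory script that queries this WMI class will fire it, so the `falsepositives` list should name those cases (hardware/driver inventory and troubleshooting scripts run by administrators) so that analysts can triage hits, with `level: low` kept as is. Two smaller points in the same hunk: the `definition:` line reads `EnableScriptBlockLogging must be set to enable` and would be clearer as `Script Block Logging (EnableScriptBlockLogging) must be enabled`, and `references:` lists only the Atomic Red Team test while the `attack.t1120` tag points at the technique, so adding the ATT&CK technique page for T1120 alongside the atomic test would let a reader see the technique description the `description:` field summarizes.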
@@ -5,6 +5,7 @@ status: experimental
references:
- https://github.com/subTee/ApplicationWhitelistBypassTechniques/blob/master/TheList.txt
- https://room362.com/post/2014/2014-01-16-application-whitelist-bypass-using-ieexec-dot-exe/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1127.001/T1127.001.md
author: juju4
date: 2019/01/16
modified: 2020/09/01
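Review bot: the hunk adds a new entry under `references:` but leaves the trailing context line `modified: 2020/09/01` untouched; since the rule's metadata changes in this commit (dated 2021-08-23), `modified:` should be bumped to `2021/08/23` so that consumers who track rule revisions by that field pick up the change.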