diff --git a/rules/windows/powershell/poweshell_detect_vm_env.yml b/rules/windows/powershell/powershell_detect_vm_env.yml
similarity index 100%
rename from rules/windows/powershell/poweshell_detect_vm_env.yml
rename to rules/windows/powershell/powershell_detect_vm_env.yml
diff --git a/rules/windows/powershell/powershell_suspicious_win32_pnpentity.yml b/rules/windows/powershell/powershell_suspicious_win32_pnpentity.yml
new file mode 100644
index 000000000..3cf7777d5
--- /dev/null
+++ b/rules/windows/powershell/powershell_suspicious_win32_pnpentity.yml
@@ -0,0 +1,23 @@
+title: Powershell Suspicious Win32_PnPEntity
+id: b26647de-4feb-4283-af6b-6117661283c5
+status: experimental
+author: frack113
+date: 2021/08/23
+description: Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.
+references:
+    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1120/T1120.md
+tags:
+    - attack.discovery
+    - attack.t1120
+logsource:
+    product: windows
+    service: powershell
+    definition: EnableScriptBlockLogging must be set to enable
+detection:
+    selection:
+        EventID: 4104
+        ScriptBlockText|contains: Win32_PnPEntity
+    condition: selection
+falsepositives:
+    - admin script
+level: low
\ No newline at end of file
diff --git a/rules/windows/process_creation/win_possible_applocker_bypass.yml b/rules/windows/process_creation/win_possible_applocker_bypass.yml
index 39ac4e712..6ebbdd452 100644
--- a/rules/windows/process_creation/win_possible_applocker_bypass.yml
+++ b/rules/windows/process_creation/win_possible_applocker_bypass.yml
@@ -5,6 +5,7 @@ status: experimental
 references:
     - https://github.com/subTee/ApplicationWhitelistBypassTechniques/blob/master/TheList.txt
     - https://room362.com/post/2014/2014-01-16-application-whitelist-bypass-using-ieexec-dot-exe/
+    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1127.001/T1127.001.md
 author: juju4
 date: 2019/01/16
 modified: 2020/09/01
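Review bot: The new rule's only match condition is `ScriptBlockText|contains: Win32_PnPEntity`, which will also fire on routine hardware-inventory and driver-troubleshooting scripts, and the single `falsepositives` entry `admin script` gives an analyst nothing concrete to triage against. Consider replacing it with entries that name the benign sources, e.g. `- Hardware inventory and driver-troubleshooting scripts that enumerate Win32_PnPEntity` and `- Endpoint management or monitoring agents that run PowerShell inventory`, so the `level: low` is justified in the rule itself rather than left to the reader. The `description` also restates the ATT&CK technique text; a sentence saying what this rule actually looks for (a 4104 script block referencing the Win32_PnPEntity WMI/CIM class) would make the alert self-explanatory. Finally, the file ends without a trailing newline (`\ No newline at end of file`), which will likely trip YAML linters and produce noisy diffs on the next edit; the applocker hunk is a plain reference addition and needs no change.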