security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity

Allow dsac to perform powershell execution over named pipes. DSAC - Active Directory Admin Client

Browse Source
This commit is contained in:
Tim Shelton
2022-01-18 19:55:00 +00:00
parent 926b9c964c
commit a0983a3659
1 changed files with 3 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/windows/pipe_created/sysmon_alternate_powershell_hosts_pipe.yml
+3 -2
View File
@@ -2,11 +2,11 @@ title: Alternate PowerShell Hosts Pipe
id: 58cb02d5-78ce-4692-b3e1-dce850aae41a
status: test
description: Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe
author: Roberto Rodriguez @Cyb3rWard0g
author: Roberto Rodriguez @Cyb3rWard0g, Tim Shelton
references:
- https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190815181010.html
date: 2019/09/12
modified: 2021/12/17
modified: 2022/01/18
logsource:
product: windows
category: pipe_created
@@ -19,6 +19,7 @@ detection:
- '\powershell_ise.exe'
- '\WINDOWS\System32\sdiagnhost.exe'
- '\WINDOWS\System32\wsmprovhost.exe'
- '\Windows\system32\dsac.exe'
filter2:
Image: null
condition: selection and not 1 of filter*