Merge branch 'master' into nasbench-rule-devel

2022-10-26 10:39:55 +02:00
parent c495a61692 1e5ae09c4b
commit bb84e503fa
566 changed files with 4245 additions and 4046 deletions
@@ -4,14 +4,17 @@ related:
    - id: 98f4c75c-3089-44f3-b733-b327b9cd9c9d
      type: obsoletes
 status: experimental
-author: frack113
-date: 2022/01/30
 description: |
    Adversaries may acquire credentials from web browsers by reading files specific to the target browser.
    Web browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future.
    Web browsers typically store the credentials in an encrypted format within a credential store.
 references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1555.003/T1555.003.md
+author: frack113
+date: 2022/01/30
+tags:
+    - attack.credential_access
+    - attack.t1555.003
 logsource:
    product: windows
    category: ps_script
@@ -32,6 +35,3 @@ detection:
 falsepositives:
    - Unknown
 level: medium
-tags:
-    - attack.credential_access
-    - attack.t1555.003
@@ -2,11 +2,11 @@ title: Accessing WinAPI in PowerShell
 id: 03d83090-8cba-44a0-b02f-0b756a050306
 status: experimental
 description: Detecting use WinAPI Functions in PowerShell
+references:
+    - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
 author: Nikita Nazarov, oscd.community, Tim Shelton
 date: 2020/10/06
 modified: 2022/09/29
-references:
-    - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
 tags:
    - attack.execution
    - attack.t1059.001
@@ -1,7 +1,9 @@
 title: Powershell Add Name Resolution Policy Table Rule
 id: 4368354e-1797-463c-bc39-a309effbe8d7
 status: test
-description: Detects powershell scripts that adds a Name Resolution Policy Table (NRPT) rule for the specified namespace. This will bypass the default DNS server and uses a specified server for answering the query.
+description: |
+  Detects powershell scripts that adds a Name Resolution Policy Table (NRPT) rule for the specified namespace.
+  This will bypass the default DNS server and uses a specified server for answering the query.
 references:
    - https://twitter.com/NathanMcNulty/status/1569497348841287681
    - https://docs.microsoft.com/en-us/powershell/module/dnsclient/add-dnsclientnrptrule?view=windowsserver2022-ps
@@ -5,13 +5,13 @@ description: Detects execution of ADRecon.ps1 for AD reconnaissance which has be
 references:
    - https://github.com/sense-of-security/ADRecon/blob/11881a24e9c8b207f31b56846809ce1fb189bcc9/ADRecon.ps1
    - https://bi-zone.medium.com/from-pentest-to-apt-attack-cybercriminal-group-fin7-disguises-its-malware-as-an-ethical-hackers-c23c9a75e319
+author: Bhabesh Raj
+date: 2021/07/16
+modified: 2022/09/06
 tags:
    - attack.discovery
    - attack.execution
    - attack.t1059.001
-author: Bhabesh Raj
-date: 2021/07/16
-modified: 2022/09/06
 logsource:
    product: windows
    category: ps_script
@@ -2,11 +2,21 @@ title: Silence.EDA Detection
 id: 3ceb2083-a27f-449a-be33-14ec1b7cc973
 status: test
 description: Detects Silence EmpireDNSAgent as described in the Group-IP report
+references:
+    - https://www.group-ib.com/resources/threat-research/silence_2.0.going_global.pdf
 author: Alina Stepchenkova, Group-IB, oscd.community
 date: 2019/11/01
 modified: 2022/10/05
-references:
-    - https://www.group-ib.com/resources/threat-research/silence_2.0.going_global.pdf
+tags:
+    - attack.execution
+    - attack.t1059.001
+    - attack.command_and_control
+    - attack.t1071.004
+    - attack.t1572
+    - attack.impact
+    - attack.t1529
+    - attack.g0091
+    - attack.s0363
 logsource:
    product: windows
    service: powershell
@@ -33,13 +43,3 @@ detection:
 falsepositives:
    - Unknown
 level: critical
-tags:
-    - attack.execution
-    - attack.t1059.001
-    - attack.command_and_control
-    - attack.t1071.004
-    - attack.t1572
-    - attack.impact
-    - attack.t1529
-    - attack.g0091
-    - attack.s0363
@@ -2,11 +2,14 @@ title: Get-ADUser Enumeration Using UserAccountControl Flags
 id: 96c982fe-3d08-4df4-bed2-eb14e02f21c8
 status: experimental
 description: Detects AS-REP roasting is an attack that is often-overlooked. It is not very common as you have to explicitly set accounts that do not require pre-authentication.
-date: 2022/03/17
-author: frack113
 references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.002/T1069.002.md#atomic-test-11---get-aduser-enumeration-using-useraccountcontrol-flags-as-rep-roasting
    - https://shellgeek.com/useraccountcontrol-flags-to-manipulate-properties/
+author: frack113
+date: 2022/03/17
+tags:
+    - attack.discovery
+    - attack.t1033
 logsource:
    product: windows
    category: ps_script
@@ -24,6 +27,3 @@ detection:
 falsepositives:
    - Legitimate PowerShell scripts
 level: medium
-tags:
-    - attack.discovery
-    - attack.t1033
@@ -1,12 +1,12 @@
 title: Automated Collection Command PowerShell
 id: c1dda054-d638-4c16-afc8-53e007f3fbc5
 status: experimental
-author: frack113
-date: 2021/07/28
-modified: 2021/12/02
 description: Once established within a system or network, an adversary may use automated techniques for collecting internal data.
 references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1119/T1119.md
+author: frack113
+date: 2021/07/28
+modified: 2021/12/02
 tags:
    - attack.collection
    - attack.t1119
@@ -8,14 +8,6 @@ references:
 author: Austin Songer (@austinsonger)
 date: 2021/10/23
 modified: 2022/01/12
-logsource:
-    product: windows
-    category: ps_script
-    definition: Script Block Logging must be enabled
-detection:
-    selection:
-        ScriptBlockText|contains: Invoke-AzureHound
-    condition: selection
 tags:
    - attack.discovery
    - attack.t1482
@@ -25,6 +17,14 @@ tags:
    - attack.t1069.001
    - attack.t1069.002
    - attack.t1069
+logsource:
+    product: windows
+    category: ps_script
+    definition: Script Block Logging must be enabled
+detection:
+    selection:
+        ScriptBlockText|contains: Invoke-AzureHound
+    condition: selection
 falsepositives:
    - Unknown
 level: high
@@ -9,6 +9,9 @@ references:
 author: frack113
 date: 2021/12/28
 modified: 2022/07/07
+tags:
+    - attack.collection
+    - attack.t1113
 logsource:
    product: windows
    category: ps_script
@@ -20,6 +23,3 @@ detection:
 falsepositives:
    - Unknown
 level: medium
-tags:
-    - attack.collection
-    - attack.t1113
@@ -1,13 +1,13 @@
 title: Execution via CL_Invocation.ps1
 id: 4cd29327-685a-460e-9dac-c3ab96e549dc
-description: Detects Execution via SyncInvoke in CL_Invocation.ps1 module
 status: experimental
-author: oscd.community, Natalia Shornikova
-date: 2020/10/14
-modified: 2021/10/16
+description: Detects Execution via SyncInvoke in CL_Invocation.ps1 module
 references:
    - https://lolbas-project.github.io/lolbas/Scripts/Cl_invocation/
    - https://twitter.com/bohops/status/948061991012327424
+author: oscd.community, Natalia Shornikova
+date: 2020/10/14
+modified: 2021/10/16
 tags:
    - attack.defense_evasion
    - attack.t1216
@@ -1,13 +1,13 @@
 title: Execution via CL_Invocation.ps1 (2 Lines)
 id: f588e69b-0750-46bb-8f87-0e9320d57536
-description: Detects Execution via SyncInvoke in CL_Invocation.ps1 module
 status: experimental
-author: oscd.community, Natalia Shornikova
-date: 2020/10/14
-modified: 2021/10/16
+description: Detects Execution via SyncInvoke in CL_Invocation.ps1 module
 references:
    - https://lolbas-project.github.io/lolbas/Scripts/Cl_invocation/
    - https://twitter.com/bohops/status/948061991012327424
+author: oscd.community, Natalia Shornikova
+date: 2020/10/14
+modified: 2021/10/16
 tags:
    - attack.defense_evasion
    - attack.t1216
@@ -1,13 +1,13 @@
 title: Execution via CL_Mutexverifiers.ps1
 id: 39776c99-1c7b-4ba0-b5aa-641525eee1a4
-description: Detects Execution via runAfterCancelProcess in CL_Mutexverifiers.ps1 module
 status: experimental
-author: oscd.community, Natalia Shornikova
-date: 2020/10/14
-modified: 2021/10/16
+description: Detects Execution via runAfterCancelProcess in CL_Mutexverifiers.ps1 module
 references:
    - https://lolbas-project.github.io/lolbas/Scripts/CL_mutexverifiers/
    - https://twitter.com/pabraeken/status/995111125447577600
+author: oscd.community, Natalia Shornikova
+date: 2020/10/14
+modified: 2021/10/16
 tags:
    - attack.defense_evasion
    - attack.t1216
@@ -1,13 +1,13 @@
 title: Execution via CL_Mutexverifiers.ps1 (2 Lines)
 id: 6609c444-9670-4eab-9636-fe4755a851ce
-description: Detects Execution via runAfterCancelProcess in CL_Mutexverifiers.ps1 module
 status: experimental
-author: oscd.community, Natalia Shornikova
-date: 2020/10/14
-modified: 2021/10/16
+description: Detects Execution via runAfterCancelProcess in CL_Mutexverifiers.ps1 module
 references:
    - https://lolbas-project.github.io/lolbas/Scripts/CL_mutexverifiers/
    - https://twitter.com/pabraeken/status/995111125447577600
+author: oscd.community, Natalia Shornikova
+date: 2020/10/14
+modified: 2021/10/16
 tags:
    - attack.defense_evasion
    - attack.t1216
@@ -5,11 +5,14 @@ related:
      type: derived
 status: experimental
 description: Detects keywords that could indicate clearing PowerShell history
-author: Ilyas Ochkov, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community
 references:
    - https://gist.github.com/hook-s3c/7363a856c3cdbadeb71085147f042c1a
+author: Ilyas Ochkov, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community
 date: 2022/01/25
 modified: 2022/05/10
+tags:
+    - attack.defense_evasion
+    - attack.t1070.003
 logsource:
    product: windows
    category: ps_script
@@ -36,6 +39,3 @@ detection:
 falsepositives:
    - Legitimate PowerShell scripts
 level: medium
-tags:
-    - attack.defense_evasion
-    - attack.t1070.003
@@ -1,13 +1,17 @@
 title: Clearing Windows Console History
 id: bde47d4b-9987-405c-94c7-b080410e8ea7
-description: Identifies when a user attempts to clear console history. An adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion.
 status: experimental
-author: Austin Songer @austinsonger
-date: 2021/11/25
+description: Identifies when a user attempts to clear console history. An adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion.
 references:
    - https://stefanos.cloud/blog/kb/how-to-clear-the-powershell-command-history/
    - https://www.shellhacks.com/clear-history-powershell/
    - https://community.sophos.com/sophos-labs/b/blog/posts/powershell-command-history-forensics
+author: Austin Songer @austinsonger
+date: 2021/11/25
+tags:
+    - attack.defense_evasion
+    - attack.t1070
+    - attack.t1070.003
 logsource:
    product: windows
    category: ps_script
@@ -24,10 +28,6 @@ detection:
            - ConsoleHost_history.txt
            - (Get-PSReadlineOption).HistorySavePath
    condition: selection1 or selection2a and selection2b
-tags:
-    - attack.defense_evasion
-    - attack.t1070
-    - attack.t1070.003
-level: high
 falsepositives:
    - Unknown
+level: high
@@ -7,6 +7,9 @@ references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.005/T1053.005.md#atomic-test-6---wmi-invoke-cimmethod-scheduled-task
 author: frack113
 date: 2021/12/28
+tags:
+    - attack.persistence
+    - attack.t1053.005
 logsource:
    product: windows
    category: ps_script
@@ -29,8 +32,5 @@ detection:
            - 'Root\Microsoft\Windows\TaskScheduler'
    condition: 1 of selection_*
 falsepositives:
-  - Unknown
+    - Unknown
 level: medium
-tags:
-  - attack.persistence
-  - attack.t1053.005
@@ -7,6 +7,9 @@ references:
 author: frack113, Nasreddine Bencherchali
 date: 2021/12/27
 modified: 2022/10/20
+tags:
+    - attack.credential_access
+    - attack.t1556.002
 logsource:
    product: windows
    category: ps_script
@@ -14,16 +17,13 @@ logsource:
 detection:
    selection_copy:
        ScriptBlockText|contains|all:
-           - 'Copy-Item '
-           - '-Destination '
+            - 'Copy-Item '
+            - '-Destination '
    selection_paths:
        ScriptBlockText|contains:
-           - '\Windows\System32'
-           - '\Windows\SysWOW64'
+            - '\Windows\System32'
+            - '\Windows\SysWOW64'
    condition: all of selection*
 falsepositives:
    - Unknown
 level: high
-tags:
-    - attack.credential_access
-    - attack.t1556.002
@@ -7,10 +7,13 @@ description: |
    These profiliers are designed to monitor, troubleshoot, and debug managed code executed by the .NET CLR.
    (Citation: Microsoft Profiling Mar 2017)
    (Citation: Microsoft COR_PROFILER Feb 2013)
-author: frack113
-date: 2021/12/30
 references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.012/T1574.012.md#atomic-test-3---registry-free-process-scope-cor_profiler
+author: frack113
+date: 2021/12/30
+tags:
+    - attack.persistence
+    - attack.t1574.012
 logsource:
    product: windows
    category: ps_script
@@ -23,8 +26,5 @@ detection:
            - '$env:COR_PROFILER_PATH'
    condition: selection
 falsepositives:
-  - Legitimate administrative script
+    - Legitimate administrative script
 level: medium
-tags:
-  - attack.persistence
-  - attack.t1574.012
@@ -4,14 +4,14 @@ status: experimental
 description: Detects creation of a local user via PowerShell
 references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1136.001/T1136.001.md
+author: '@ROxPinTeddy'
+date: 2020/04/11
+modified: 2021/10/16
 tags:
    - attack.execution
    - attack.t1059.001
    - attack.persistence
    - attack.t1136.001
-author: '@ROxPinTeddy'
-date: 2020/04/11
-modified: 2021/10/16
 logsource:
    product: windows
    category: ps_script
@@ -2,11 +2,14 @@ title: Create Volume Shadow Copy with Powershell
 id: afd12fed-b0ec-45c9-a13d-aa86625dac81
 status: experimental
 description: Adversaries may attempt to access or create a copy of the Active Directory domain database in order to steal credential information
-date: 2022/01/12
-author: frack113
 references:
    - https://attack.mitre.org/datasources/DS0005/
    - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-wmiobject?view=powershell-5.1&viewFallbackFrom=powershell-7
+author: frack113
+date: 2022/01/12
+tags:
+    - attack.credential_access
+    - attack.t1003.003
 logsource:
    product: windows
    category: ps_script
@@ -21,6 +24,3 @@ detection:
 falsepositives:
    - Legitimate PowerShell scripts
 level: high
-tags:
-    - attack.credential_access
-    - attack.t1003.003 
@@ -2,11 +2,14 @@ title: Data Compressed - PowerShell
 id: 6dc5d284-69ea-42cf-9311-fb1c3932a69a
 status: experimental
 description: An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.
+references:
+    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560/T1560.md
 author: Timur Zinniatullin, oscd.community
 date: 2019/10/21
 modified: 2021/10/16
-references:
-    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560/T1560.md
+tags:
+    - attack.exfiltration
+    - attack.t1560
 logsource:
    product: windows
    category: ps_script
@@ -21,6 +24,3 @@ detection:
 falsepositives:
    - Highly likely if archive operations are done via PowerShell.
 level: low
-tags:
-    - attack.exfiltration
-    - attack.t1560
@@ -1,13 +1,15 @@
 title: Powershell Detect Virtualization Environment
 id: d93129cd-1ee0-479f-bc03-ca6f129882e3
 status: experimental
-author: frack113, Duc.Le-GTSC
-date: 2021/08/03
-modified: 2022/03/03
-description: Adversaries may employ various system checks to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox
+description: |
+  Adversaries may employ various system checks to detect and avoid virtualization and analysis environments.
+  This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox
 references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1497.001/T1497.001.md
    - https://techgenix.com/malicious-powershell-scripts-evade-detection/
+author: frack113, Duc.Le-GTSC
+date: 2021/08/03
+modified: 2022/03/03
 tags:
    - attack.defense_evasion
    - attack.t1497.001
@@ -2,10 +2,13 @@ title: DirectorySearcher Powershell Exploitation
 id: 1f6399cf-2c80-4924-ace1-6fcff3393480
 status: experimental
 description: Enumerates Active Directory to determine computers that are joined to the domain
-date: 2022/02/12
 references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md#atomic-test-15---enumerate-domain-computers-within-active-directory-using-directorysearcher
 author: frack113
+date: 2022/02/12
+tags:
+    - attack.discovery
+    - attack.t1018
 logsource:
    product: windows
    category: ps_script
@@ -22,6 +25,3 @@ detection:
 falsepositives:
    - Unknown
 level: medium
-tags:
-    - attack.discovery
-    - attack.t1018
@@ -9,6 +9,9 @@ references:
    - https://docs.microsoft.com/en-us/dotnet/api/system.directoryservices.accountmanagement?view=dotnet-plat-ext-6.0
 author: frack113
 date: 2021/12/28
+tags:
+    - attack.persistence
+    - attack.t1136.002
 logsource:
    product: windows
    category: ps_script
@@ -20,6 +23,3 @@ detection:
 falsepositives:
    - Legitimate administrative script
 level: medium
-tags:
-    - attack.persistence
-    - attack.t1136.002
@@ -6,6 +6,9 @@ references:
    - https://twitter.com/DissectMalware/status/1062879286749773824
 author: Ali Alwashali
 date: 2022/08/21
+tags:
+    - attack.defense_evasion
+    - attack.t1070.003
 logsource:
    product: windows
    category: ps_script
@@ -19,6 +22,3 @@ detection:
 falsepositives:
    - Legitimate script that disables the command history
 level: high
-tags:
-    - attack.defense_evasion
-    - attack.t1070.003
@@ -1,14 +1,14 @@
 title: Disable-WindowsOptionalFeature Command PowerShell
 id: 99c4658d-2c5e-4d87-828d-7c066ca537c3
 status: experimental
-author: frack113
-date: 2022/09/10
 description: |
-  Detect built in PowerShell cmdlet Disable-WindowsOptionalFeature, Deployment Image Servicing and Management tool.
-  Similar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images
+    Detect built in PowerShell cmdlet Disable-WindowsOptionalFeature, Deployment Image Servicing and Management tool.
+    Similar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images
 references:
    - https://github.com/redcanaryco/atomic-red-team/blob/5b67c9b141fa3918017f8fa44f2f88f0b1ecb9e1/atomics/T1562.001/T1562.001.md
    - https://docs.microsoft.com/en-us/powershell/module/dism/disable-windowsoptionalfeature?view=windowsserver2022-ps
+author: frack113
+date: 2022/09/10
 tags:
    - attack.defense_evasion
    - attack.t1562.001
@@ -1,7 +1,7 @@
 title: Dnscat Execution
 id: a6d67db4-6220-436d-8afc-f3842fe05d43
-description: Dnscat exfiltration tool execution
 status: experimental
+description: Dnscat exfiltration tool execution
 author: Daniil Yugoslavskiy, oscd.community
 date: 2019/10/24
 modified: 2021/10/16
@@ -1,13 +1,16 @@
 title: Dump Credentials from Windows Credential Manager With PowerShell
 id: 99c49d9c-34ea-45f7-84a7-4751ae6b2cbc
 status: experimental
-author: frack113
-date: 2021/12/20
 description: |
-  Adversaries may search for common password storage locations to obtain user credentials.
-  Passwords are stored in several places on a system, depending on the operating system or application holding the credentials.
+    Adversaries may search for common password storage locations to obtain user credentials.
+    Passwords are stored in several places on a system, depending on the operating system or application holding the credentials.
 references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1555/T1555.md
+author: frack113
+date: 2021/12/20
+tags:
+    - attack.credential_access
+    - attack.t1555
 logsource:
    product: windows
    category: ps_script
@@ -32,6 +35,3 @@ detection:
 falsepositives:
    - Unknown
 level: medium
-tags:
-    - attack.credential_access
-    - attack.t1555
@@ -7,6 +7,9 @@ references:
    - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/enable-psremoting?view=powershell-7.2
 author: frack113
 date: 2022/01/07
+tags:
+    - attack.lateral_movement
+    - attack.t1021.006
 logsource:
    product: windows
    category: ps_script
@@ -18,6 +21,3 @@ detection:
 falsepositives:
    - Legitimate script
 level: medium
-tags:
-    - attack.lateral_movement
-    - attack.t1021.006
@@ -1,13 +1,13 @@
 title: Enable-WindowsOptionalFeature Command PowerShell
 id: 55c925c1-7195-426b-a136-a9396800e29b
 status: experimental
-author: frack113
-date: 2022/09/10
 description: |
-  Detect built in PowerShell cmdlet Enable-WindowsOptionalFeature, Deployment Image Servicing and Management tool.
-  Similar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images
+    Detect built in PowerShell cmdlet Enable-WindowsOptionalFeature, Deployment Image Servicing and Management tool.
+    Similar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images
 references:
    - https://docs.microsoft.com/en-us/powershell/module/dism/enable-windowsoptionalfeature?view=windowsserver2022-ps
+author: frack113
+date: 2022/09/10
 tags:
    - attack.defense_evasion
 logsource:
@@ -1,13 +1,16 @@
 title: Enumerate Credentials from Windows Credential Manager With PowerShell
 id: 603c6630-5225-49c1-8047-26c964553e0e
 status: experimental
-author: frack113
-date: 2021/12/20
 description: |
    Adversaries may search for common password storage locations to obtain user credentials.
    Passwords are stored in several places on a system, depending on the operating system or application holding the credentials.
 references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1555/T1555.md
+author: frack113
+date: 2021/12/20
+tags:
+    - attack.credential_access
+    - attack.t1555
 logsource:
    product: windows
    category: ps_script
@@ -25,6 +28,3 @@ detection:
 falsepositives:
    - Unknown
 level: medium
-tags:
-    - attack.credential_access
-    - attack.t1555
@@ -5,10 +5,15 @@ related:
      type: derived
 status: experimental
 description: Detects usage of powershell cmdlets to disable or remove ETW trace sessions
-author: Nasreddine Bencherchali
 references:
    - https://medium.com/palantir/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63
+author: Nasreddine Bencherchali
 date: 2022/06/28
+tags:
+    - attack.defense_evasion
+    - attack.t1070
+    - attack.t1562.006
+    - car.2016-04-002
 logsource:
    product: windows
    category: ps_script
@@ -24,8 +29,3 @@ detection:
 falsepositives:
    - Unknown
 level: high
-tags:
-    - attack.defense_evasion
-    - attack.t1070
-    - attack.t1562.006
-    - car.2016-04-002
@@ -1,13 +1,17 @@
 title: Powershell File and Directory Discovery
 id: d23f2ba5-9da0-4463-8908-8ee47f614bb9
+status: experimental
 description: |
    Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system.
-    Adversaries may use the information from [File and Directory Discovery](https://attack.mitre.org/techniques/T1083) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
+    Adversaries may use the information from [File and Directory Discovery](https://attack.mitre.org/techniques/T1083) during automated discovery to shape follow-on behaviors,
+    including whether or not the adversary fully infects the target and/or attempts specific actions.
 references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1083/T1083.md
-status: experimental
 author: frack113
 date: 2021/12/15
+tags:
+    - attack.discovery
+    - attack.t1083
 logsource:
    product: windows
    category: ps_script
@@ -24,6 +28,3 @@ detection:
 falsepositives:
    - Unknown
 level: low
-tags:
-    - attack.discovery
-    - attack.t1083
@@ -10,6 +10,9 @@ references:
    - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/get-acl?view=powershell-7.2
 author: frack113
 date: 2021/12/30
+tags:
+    - attack.persistence
+    - attack.t1574.011
 logsource:
    product: windows
    category: ps_script
@@ -23,6 +26,3 @@ detection:
 falsepositives:
    - Legitimate administrative script
 level: medium
-tags:
-    - attack.persistence
-    - attack.t1574.011
@@ -4,11 +4,14 @@ status: experimental
 description: |
    The DSInternals PowerShell Module exposes several internal features of Active Directory and Azure Active Directory.
    These include FIDO2 and NGC key auditing, offline ntds.dit file manipulation, password auditing, DC recovery from IFM backups and password hash calculation.
-date: 2022/02/06
-author: frack113
 references:
    - https://www.powershellgallery.com/packages/DSInternals
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.006/T1003.006.md#atomic-test-2---run-dsinternals-get-adreplaccount
+author: frack113
+date: 2022/02/06
+tags:
+    - attack.credential_access
+    - attack.t1003.006
 logsource:
    product: windows
    category: ps_script
@@ -23,6 +26,3 @@ detection:
 falsepositives:
    - Legitimate PowerShell scripts
 level: medium
-tags:
-    - attack.credential_access
-    - attack.t1003.006
@@ -1,14 +1,17 @@
 title: Automated Collection Bookmarks Using Get-ChildItem PowerShell
 id: e0565f5d-d420-4e02-8a68-ac00d864f9cf
 status: experimental
-author: frack113
-date: 2021/12/13
 description: |
    Adversaries may enumerate browser bookmarks to learn more about compromised hosts.
    Browser bookmarks may reveal personal information about users (ex: banking sites, interests, social media, etc.) as well as details about
    internal network resources such as servers, tools/dashboards, or other related infrastructure.
 references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1217/T1217.md
+author: frack113
+date: 2021/12/13
+tags:
+    - attack.discovery
+    - attack.t1217
 logsource:
    product: windows
    category: ps_script
@@ -26,6 +29,3 @@ detection:
 falsepositives:
    - Unknown
 level: low
-tags:
-    - attack.discovery
-    - attack.t1217
@@ -2,10 +2,12 @@ title: PowerShell Hotfix Enumeration
 id: f5d1def8-1de0-4a0e-9794-1f6f27dd605c
 status: experimental
 description: Detects call to "Win32_QuickFixEngineering" in order to enumerate installed hotfixes often used in "enum" scripts by attackers
-author: Nasreddine Bencherchali
 references:
    - https://github.com/411Hall/JAWS/blob/233f142fcb1488172aa74228a666f6b3c5c48f1d/jaws-enum.ps1
+author: Nasreddine Bencherchali
 date: 2022/06/21
+tags:
+    - attack.discovery
 logsource:
    product: windows
    category: ps_script
@@ -19,5 +21,3 @@ detection:
 falsepositives:
    - Legitimate administration scripts
 level: medium
-tags:
-    - attack.discovery
@@ -17,9 +17,9 @@ logsource:
 detection:
    selection:
        ScriptBlockText|contains|all:
-          - 'New-Object'
-          - 'System.Net.NetworkInformation.Ping'
-          - '.Send('
+            - 'New-Object'
+            - 'System.Net.NetworkInformation.Ping'
+            - '.Send('
    condition: selection
 falsepositives:
    - Legitimate usage of System.Net.NetworkInformation.Ping class
@@ -6,6 +6,9 @@ references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md
 author: Nasreddine Bencherchali
 date: 2022/07/07
+tags:
+    - attack.execution
+    - attack.t1059.001
 logsource:
    product: windows
    category: ps_script
@@ -32,6 +35,3 @@ detection:
 falsepositives:
    - Unknown
 level: medium
-tags:
-    - attack.execution
-    - attack.t1059.001
@@ -7,6 +7,9 @@ references:
    - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/invoke-command?view=powershell-7.2
 author: frack113
 date: 2022/01/07
+tags:
+    - attack.lateral_movement
+    - attack.t1021.006
 logsource:
    product: windows
    category: ps_script
@@ -20,6 +23,3 @@ detection:
 falsepositives:
    - Legitimate script
 level: medium
-tags:
-    - attack.lateral_movement
-    - attack.t1021.006
@@ -7,6 +7,9 @@ references:
    - https://github.com/Arno0x/DNSExfiltrator
 author: frack113
 date: 2022/01/07
+tags:
+    - attack.exfiltration
+    - attack.t1048
 logsource:
    product: windows
    category: ps_script
@@ -24,6 +27,3 @@ detection:
 falsepositives:
    - Legitimate script
 level: high
-tags:
-    - attack.exfiltration
-    - attack.t1048
@@ -2,22 +2,22 @@ title: PrintNightmare Powershell Exploitation
 id: 6d3f1399-a81c-4409-aff3-1ecfe9330baf
 status: test
 description: Detects Commandlet name for PrintNightmare exploitation.
-date: 2021/08/09
-modified: 2021/10/16
 references:
    - https://github.com/calebstewart/CVE-2021-1675
 author: Max Altgelt, Tobias Michalski
+date: 2021/08/09
+modified: 2021/10/16
+tags:
+    - attack.privilege_escalation
+    - attack.t1548
 logsource:
    product: windows
    category: ps_script
    definition: Script Block Logging must be enabled
 detection:
-  selection:
-      ScriptBlockText|contains: Invoke-Nightmare
-  condition: selection
+    selection:
+        ScriptBlockText|contains: Invoke-Nightmare
+    condition: selection
 falsepositives:
    - Unknown
 level: high
-tags:
-    - attack.privilege_escalation
-    - attack.t1548
@@ -1,12 +1,12 @@
 title: Invoke-Obfuscation CLIP+ Launcher
 id: 73e67340-0d25-11eb-adc1-0242ac120002
-description: Detects Obfuscated use of Clip.exe to execute PowerShell
 status: experimental
+description: Detects Obfuscated use of Clip.exe to execute PowerShell
+references:
+    - https://github.com/Neo23x0/sigma/issues/1009  #(Task 26)
 author: Jonathan Cheong, oscd.community
 date: 2020/10/13
 modified: 2021/10/16
-references:
-     - https://github.com/Neo23x0/sigma/issues/1009 #(Task 26)
 tags:
    - attack.defense_evasion
    - attack.t1027
@@ -22,4 +22,4 @@ detection:
    condition: selection_4104
 falsepositives:
    - Unknown
-level: high
+level: high
@@ -1,9 +1,9 @@
 title: Invoke-Obfuscation Obfuscated IEX Invocation
 id: 1b9dc62e-6e9e-42a3-8990-94d7a10007f7
+status: experimental
 description: Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block \u2014
 references:
    - https://github.com/danielbohannon/Invoke-Obfuscation/blob/f20e7f843edd0a3a7716736e9eddfa423395dd26/Out-ObfuscatedStringCommand.ps1#L873-L888
-status: experimental
 author: 'Daniel Bohannon (@Mandiant/@FireEye), oscd.community'
 date: 2019/11/08
 modified: 2022/01/27
@@ -1,12 +1,12 @@
 title: Invoke-Obfuscation STDIN+ Launcher
 id: 779c8c12-0eb1-11eb-adc1-0242ac120002
-description: Detects Obfuscated use of stdin to execute PowerShell
 status: experimental
+description: Detects Obfuscated use of stdin to execute PowerShell
+references:
+    - https://github.com/Neo23x0/sigma/issues/1009  #(Task 25)
 author: Jonathan Cheong, oscd.community
 date: 2020/10/15
 modified: 2021/10/16
-references:
-     - https://github.com/Neo23x0/sigma/issues/1009 #(Task 25)
 tags:
    - attack.defense_evasion
    - attack.t1027
@@ -22,4 +22,4 @@ detection:
    condition: selection_4104
 falsepositives:
    - Unknown
-level: high
+level: high
@@ -1,12 +1,12 @@
 title: Invoke-Obfuscation VAR+ Launcher
 id: 0adfbc14-0ed1-11eb-adc1-0242ac120002
-description: Detects Obfuscated use of Environment Variables to execute PowerShell
 status: experimental
+description: Detects Obfuscated use of Environment Variables to execute PowerShell
+references:
+    - https://github.com/Neo23x0/sigma/issues/1009  #(Task 24)
 author: Jonathan Cheong, oscd.community
 date: 2020/10/15
 modified: 2021/10/16
-references:
-     - https://github.com/Neo23x0/sigma/issues/1009 #(Task 24)
 tags:
    - attack.defense_evasion
    - attack.t1027
@@ -22,4 +22,4 @@ detection:
    condition: selection_4104
 falsepositives:
    - Unknown
-level: high
+level: high
@@ -1,22 +1,27 @@
 title: Invoke-Obfuscation COMPRESS OBFUSCATION
 id: 20e5497e-331c-4cd5-8d36-935f6e2a9a07
-description: Detects Obfuscated Powershell via COMPRESS OBFUSCATION
 status: experimental
+description: Detects Obfuscated Powershell via COMPRESS OBFUSCATION
+references:
+    - https://github.com/Neo23x0/sigma/issues/1009 #(Task 19)
 author: Timur Zinniatullin, oscd.community
 date: 2020/10/18
 modified: 2022/03/08
-references:
-    - https://github.com/Neo23x0/sigma/issues/1009 #(Task 19)
+tags:
+    - attack.defense_evasion
+    - attack.t1027
+    - attack.execution
+    - attack.t1059.001
 logsource:
    product: windows
    category: ps_script
    definition: Script block logging must be enabled
 detection:
    selection_4104:
-        ScriptBlockText|contains|all: 
+        ScriptBlockText|contains|all:
            - 'new-object'
            - 'text.encoding]::ascii'
-        ScriptBlockText|contains: 
+        ScriptBlockText|contains:
            - 'system.io.compression.deflatestream'
            - 'system.io.streamreader'
        ScriptBlockText|endswith: 'readtoend'
@@ -24,8 +29,3 @@ detection:
 falsepositives:
    - Unknown
 level: medium
-tags:
-    - attack.defense_evasion
-    - attack.t1027
-    - attack.execution
-    - attack.t1059.001
@@ -1,12 +1,17 @@
 title: Invoke-Obfuscation RUNDLL LAUNCHER
 id: e6cb92b4-b470-4eb8-8a9d-d63e8583aae0
-description: Detects Obfuscated Powershell via RUNDLL LAUNCHER
 status: experimental
+description: Detects Obfuscated Powershell via RUNDLL LAUNCHER
+references:
+    - https://github.com/Neo23x0/sigma/issues/1009 #(Task 23)
 author: Timur Zinniatullin, oscd.community
 date: 2020/10/18
 modified: 2022/03/08
-references:
-    - https://github.com/Neo23x0/sigma/issues/1009 #(Task 23)
+tags:
+    - attack.defense_evasion
+    - attack.t1027
+    - attack.execution
+    - attack.t1059.001
 logsource:
    product: windows
    category: ps_script
@@ -22,8 +27,3 @@ detection:
 falsepositives:
    - Unknown
 level: medium
-tags:
-    - attack.defense_evasion
-    - attack.t1027
-    - attack.execution
-    - attack.t1059.001
@@ -1,12 +1,12 @@
 title: Invoke-Obfuscation Via Stdin
 id: 86b896ba-ffa1-4fea-83e3-ee28a4c915c7
-description: Detects Obfuscated Powershell via Stdin in Scripts
 status: experimental
+description: Detects Obfuscated Powershell via Stdin in Scripts
+references:
+    - https://github.com/Neo23x0/sigma/issues/1009  #(Task28)
 author: Nikita Nazarov, oscd.community
 date: 2020/10/12
 modified: 2021/10/16
-references:
-     - https://github.com/Neo23x0/sigma/issues/1009 #(Task28)
 tags:
    - attack.defense_evasion
    - attack.t1027
@@ -1,12 +1,12 @@
 title: Invoke-Obfuscation Via Use Clip
 id: db92dd33-a3ad-49cf-8c2c-608c3e30ace0
-description: Detects Obfuscated Powershell via use Clip.exe in Scripts
 status: experimental
+description: Detects Obfuscated Powershell via use Clip.exe in Scripts
+references:
+    - https://github.com/Neo23x0/sigma/issues/1009  #(Task29)
 author: Nikita Nazarov, oscd.community
 date: 2020/10/09
 modified: 2021/10/16
-references:
-     - https://github.com/Neo23x0/sigma/issues/1009 #(Task29)
 tags:
    - attack.defense_evasion
    - attack.t1027
@@ -1,12 +1,17 @@
 title: Invoke-Obfuscation Via Use MSHTA
 id: e55a5195-4724-480e-a77e-3ebe64bd3759
-description: Detects Obfuscated Powershell via use MSHTA in Scripts
 status: experimental
+description: Detects Obfuscated Powershell via use MSHTA in Scripts
+references:
+    - https://github.com/Neo23x0/sigma/issues/1009 #(Task31)
 author: Nikita Nazarov, oscd.community
 date: 2020/10/08
 modified: 2022/03/07
-references:
-    - https://github.com/Neo23x0/sigma/issues/1009 #(Task31)
+tags:
+    - attack.defense_evasion
+    - attack.t1027
+    - attack.execution
+    - attack.t1059.001
 logsource:
    product: windows
    category: ps_script
@@ -24,8 +29,3 @@ detection:
 falsepositives:
    - Unknown
 level: high
-tags:
-    - attack.defense_evasion
-    - attack.t1027
-    - attack.execution
-    - attack.t1059.001
@@ -1,12 +1,17 @@
 title: Invoke-Obfuscation Via Use Rundll32
 id: a5a30a6e-75ca-4233-8b8c-42e0f2037d3b
-description: Detects Obfuscated Powershell via use Rundll32 in Scripts
 status: experimental
+description: Detects Obfuscated Powershell via use Rundll32 in Scripts
+references:
+    - https://github.com/Neo23x0/sigma/issues/1009
 author: Nikita Nazarov, oscd.community
 date: 2019/10/08
 modified: 2022/03/08
-references:
-    - https://github.com/Neo23x0/sigma/issues/1009
+tags:
+    - attack.defense_evasion
+    - attack.t1027
+    - attack.execution
+    - attack.t1059.001
 logsource:
    product: windows
    category: ps_script
@@ -27,8 +32,3 @@ detection:
 falsepositives:
    - Unknown
 level: high
-tags:
-    - attack.defense_evasion
-    - attack.t1027
-    - attack.execution
-    - attack.t1059.001
@@ -1,12 +1,12 @@
 title: Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION
 id: e54f5149-6ba3-49cf-b153-070d24679126
-description: Detects Obfuscated Powershell via VAR++ LAUNCHER
 status: experimental
+description: Detects Obfuscated Powershell via VAR++ LAUNCHER
+references:
+    - https://github.com/Neo23x0/sigma/issues/1009 #(Task27)
 author: Timur Zinniatullin, oscd.community
 date: 2020/10/13
 modified: 2021/10/16
-references:
-    - https://github.com/Neo23x0/sigma/issues/1009 #(Task27)
 tags:
    - attack.defense_evasion
    - attack.t1027
@@ -1,13 +1,13 @@
 title: Powershell Keylogging
 id: 34f90d3c-c297-49e9-b26d-911b05a4866c
 status: experimental
-author: frack113
-date: 2021/07/30
-modified: 2022/07/11
 description: Adversaries may log user keystrokes to intercept credentials as the user types them.
 references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.001/src/Get-Keystrokes.ps1
+author: frack113
+date: 2021/07/30
+modified: 2022/07/11
 tags:
    - attack.collection
    - attack.t1056.001
@@ -9,6 +9,9 @@ references:
    - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.localaccounts/?view=powershell-5.1
 author: frack113
 date: 2021/12/28
+tags:
+    - attack.persistence
+    - attack.t1098
 logsource:
    product: windows
    category: ps_script
@@ -27,6 +30,3 @@ detection:
 falsepositives:
    - Legitimate administrative script
 level: medium
-tags:
-    - attack.persistence
-    - attack.t1098
@@ -2,15 +2,18 @@ title: Malicious PowerShell Commandlets
 id: 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
 status: experimental
 description: Detects Commandlet names from well-known PowerShell exploitation frameworks
-author: Sean Metcalf (source), Florian Roth (rule), Bartlomiej Czyz @bczyz1 (update), oscd.community (update), Nasreddine Bencherchali (update), Tim Shelton (fp)
 references:
    - https://adsecurity.org/?p=2921
    - https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries
    - https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1
    - https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1
    - https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1
+author: Sean Metcalf (source), Florian Roth (rule), Bartlomiej Czyz @bczyz1 (update), oscd.community (update), Nasreddine Bencherchali (update), Tim Shelton (fp)
 date: 2017/03/05
 modified: 2022/10/25
+tags:
+    - attack.execution
+    - attack.t1059.001
 logsource:
    product: windows
    category: ps_script
@@ -201,6 +204,3 @@ detection:
 falsepositives:
    - Unknown
 level: high
-tags:
-    - attack.execution
-    - attack.t1059.001
@@ -4,12 +4,12 @@ status: experimental
 description: Detects keywords from well-known PowerShell exploitation frameworks
 references:
    - https://adsecurity.org/?p=2921
-tags:
-    - attack.execution
-    - attack.t1059.001
 author: Sean Metcalf (source), Florian Roth (rule)
 date: 2017/03/05
 modified: 2021/10/16
+tags:
+    - attack.execution
+    - attack.t1059.001
 logsource:
    product: windows
    category: ps_script
@@ -2,13 +2,13 @@ title: Live Memory Dump Using Powershell
 id: cd185561-4760-45d6-a63e-a51325112cae
 status: experimental
 description: Detects usage of a PowerShell command to dump the live memory of a Windows machine
-date: 2021/09/21
-modified: 2021/10/16
 references:
    - https://docs.microsoft.com/en-us/powershell/module/storage/get-storagediagnosticinfo
+author: Max Altgelt
+date: 2021/09/21
+modified: 2021/10/16
 tags:
    - attack.t1003
-author: Max Altgelt
 logsource:
    product: windows
    category: ps_script
@@ -1,14 +1,18 @@
 title: Modify Group Policy Settings - ScriptBlockLogging
 id: b7216a7d-687e-4c8d-82b1-3080b2ad961f
 related:
-  - id: ada4b0c4-758b-46ac-9033-9004613a150d
-    type: similar
+    - id: ada4b0c4-758b-46ac-9033-9004613a150d
+      type: similar
 status: experimental
 description: Detect malicious GPO modifications can be used to implement many other malicious behaviors.
 references:
    - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1484.001/T1484.001.md
 author: frack113
 date: 2022/08/19
+tags:
+    - attack.defense_evasion
+    - attack.privilege_escalation
+    - attack.t1484.001
 logsource:
    product: windows
    category: ps_script
@@ -28,7 +32,3 @@ detection:
 falsepositives:
    - Legitimate use
 level: medium
-tags:
-  - attack.defense_evasion
-  - attack.privilege_escalation
-  - attack.t1484.001
@@ -5,13 +5,16 @@ description: |
    Adversaries may abuse PowerShell commands and scripts for execution.
    PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. (Citation: TechNet PowerShell)
    Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code
-author: frack113, MatilJ
-date: 2022/01/19
-modified: 2022/05/19
 references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-7---powershell-msxml-com-object---with-prompt
    - https://docs.microsoft.com/en-us/previous-versions/windows/desktop/ms766431(v=vs.85)
    - https://www.trendmicro.com/en_id/research/22/e/uncovering-a-kingminer-botnet-attack-using-trend-micro-managed-x.html
+author: frack113, MatilJ
+date: 2022/01/19
+modified: 2022/05/19
+tags:
+    - attack.execution
+    - attack.t1059.001
 logsource:
    product: windows
    category: ps_script
@@ -27,6 +30,3 @@ detection:
 falsepositives:
    - Legitimate administrative script
 level: medium
-tags:
-    - attack.execution
-    - attack.t1059.001
@@ -2,14 +2,14 @@ title: Malicious Nishang PowerShell Commandlets
 id: f772cee9-b7c2-4cb2-8f07-49870adc02e0
 status: experimental
 description: Detects Commandlet names and arguments from the Nishang exploitation framework
-date: 2019/05/16
-modified: 2022/08/29
 references:
    - https://github.com/samratashok/nishang
+author: Alec Costello
+date: 2019/05/16
+modified: 2022/08/29
 tags:
    - attack.execution
    - attack.t1059.001
-author: Alec Costello
 logsource:
    product: windows
    category: ps_script
@@ -5,14 +5,14 @@ description: Detects writing data into NTFS alternate data streams from powershe
 references:
    - http://www.powertheshell.com/ntfsstreams/
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.004/T1564.004.md
+author: Sami Ruohonen
+date: 2018/07/24
+modified: 2021/12/02
 tags:
    - attack.defense_evasion
    - attack.t1564.004
    - attack.execution
    - attack.t1059.001
-author: Sami Ruohonen
-date: 2018/07/24
-modified: 2021/12/02
 logsource:
    product: windows
    category: ps_script
@@ -8,6 +8,9 @@ references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1137.006/T1137.006.md
 author: frack113
 date: 2021/12/28
+tags:
+    - attack.persistence
+    - attack.t1137.006
 logsource:
    product: windows
    category: ps_script
@@ -23,6 +26,3 @@ detection:
 falsepositives:
    - Unknown
 level: high
-tags:
-    - attack.persistence
-    - attack.t1137.006
@@ -1,17 +1,17 @@
 title: Potential Invoke-Mimikatz PowerShell Script
 id: 189e3b02-82b2-4b90-9662-411eb64486d4
 status: experimental
-author: Tim Rauch
-date: 2022/09/28
 description: Detects Invoke-Mimikatz PowerShell script and alike. Mimikatz is a credential dumper capable of obtaining plaintext Windows account logins and passwords.
 references:
    - https://www.elastic.co/guide/en/security/current/potential-invoke-mimikatz-powershell-script.html#potential-invoke-mimikatz-powershell-script
-logsource:
-    category: ps_script
-    product: windows
+author: Tim Rauch
+date: 2022/09/28
 tags:
    - attack.credential_access
    - attack.t1003
+logsource:
+    category: ps_script
+    product: windows
 detection:
    selection_1:
        ScriptBlockText|contains|all:
@@ -26,4 +26,4 @@ detection:
    condition: 1 of selection*
 falsepositives:
    - Mimikatz can be useful for testing the security of networks
-level: high
+level: high
@@ -2,17 +2,17 @@ title: Malicious PowerView PowerShell Commandlets
 id: dcd74b95-3f36-4ed9-9598-0490951643aa
 status: experimental
 description: Detects Commandlet names from PowerView of PowerSploit exploitation framework.
-date: 2021/05/18
-modified: 2021/10/16
 references:
    - https://powersploit.readthedocs.io/en/stable/Recon/README
    - https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon
    - https://thedfirreport.com/2020/10/08/ryuks-return
    - https://adsecurity.org/?p=2277
+author: Bhabesh Raj
+date: 2021/05/18
+modified: 2021/10/16
 tags:
    - attack.execution
    - attack.t1059.001
-author: Bhabesh Raj
 logsource:
    product: windows
    category: ps_script
@@ -5,13 +5,13 @@ description: Detects PowerShell calling a credential prompt
 references:
    - https://twitter.com/JohnLaTwC/status/850381440629981184
    - https://t.co/ezOTGy1a1G
+author: John Lambert (idea), Florian Roth (rule)
+date: 2017/04/09
+modified: 2021/10/16
 tags:
    - attack.credential_access
    - attack.execution
    - attack.t1059.001
-author: John Lambert (idea), Florian Roth (rule)
-date: 2017/04/09
-modified: 2021/10/16
 logsource:
    product: windows
    category: ps_script
@@ -20,6 +20,6 @@ detection:
    selection:
        ScriptBlockText|contains: 'PromptForCredential'
    condition: selection
-falsepositives: 
+falsepositives:
    - Unknown
 level: high
@@ -4,12 +4,12 @@ status: experimental
 description: Detects the use of PSAttack PowerShell hack tool
 references:
    - https://adsecurity.org/?p=2921
-tags:
-    - attack.execution
-    - attack.t1059.001
 author: Sean Metcalf (source), Florian Roth (rule)
 date: 2017/03/05
 modified: 2021/10/16
+tags:
+    - attack.execution
+    - attack.t1059.001
 logsource:
    product: windows
    category: ps_script
@@ -2,13 +2,16 @@ title: PowerShell Remote Session Creation
 id: a0edd39f-a0c6-4c17-8141-261f958e8d8f
 status: experimental
 description: |
-  Adversaries may abuse PowerShell commands and scripts for execution.
-  PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system
+    Adversaries may abuse PowerShell commands and scripts for execution.
+    PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system
 references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-10---powershell-invoke-downloadcradle
    - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/new-pssession?view=powershell-7.2
 author: frack113
 date: 2022/01/06
+tags:
+    - attack.execution
+    - attack.t1059.001
 logsource:
    product: windows
    category: ps_script
@@ -22,6 +25,3 @@ detection:
 falsepositives:
    - Legitimate administrative script
 level: medium
-tags:
-    - attack.execution
-    - attack.t1059.001
@@ -2,12 +2,15 @@ title: Use Remove-Item to Delete File
 id: b8af5f36-1361-4ebe-9e76-e36128d947bf
 status: experimental
 description: Powershell Remove-Item  with -Path to delete a file or a folder with "-Recurse"
-author: frack113
 references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.004/T1070.004.md
    - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/Remove-Item?view=powershell-5.1&viewFallbackFrom=powershell-7
+author: frack113
 date: 2022/01/15
 modified: 2022/03/17
+tags:
+    - attack.defense_evasion
+    - attack.t1070.004
 logsource:
    product: windows
    category: ps_script
@@ -25,6 +28,3 @@ detection:
 falsepositives:
    - Legitimate PowerShell scripts
 level: low
-tags:
-    - attack.defense_evasion
-    - attack.t1070.004
@@ -2,13 +2,16 @@ title: Request A Single Ticket via PowerShell
 id: a861d835-af37-4930-bcd6-5b178bfb54df
 status: experimental
 description: |
-  utilize native PowerShell Identity modules to query the domain to extract the Service Principal Names for a single computer.
-  This behavior is typically used during a kerberos or silver ticket attack.
-  A successful execution will output the SPNs for the endpoint in question.
+    utilize native PowerShell Identity modules to query the domain to extract the Service Principal Names for a single computer.
+    This behavior is typically used during a kerberos or silver ticket attack.
+    A successful execution will output the SPNs for the endpoint in question.
 references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1558.003/T1558.003.md#atomic-test-4---request-a-single-ticket-via-powershell
 author: frack113
 date: 2021/12/28
+tags:
+    - attack.credential_access
+    - attack.t1558.003
 logsource:
    product: windows
    category: ps_script
@@ -20,6 +23,3 @@ detection:
 falsepositives:
    - Unknown
 level: high
-tags:
-    - attack.credential_access
-    - attack.t1558.003
@@ -2,11 +2,14 @@ title: Suspicious Invoke-Item From Mount-DiskImage
 id: 902cedee-0398-4e3a-8183-6f3a89773a96
 status: experimental
 description: Adversaries may abuse container files such as disk image (.iso, .vhd) file formats to deliver malicious payloads that may not be tagged with MOTW.
-date: 2022/02/01
-author: frack113
 references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.005/T1553.005.md#atomic-test-2---mount-an-iso-image-and-run-executable-from-the-iso
    - https://docs.microsoft.com/en-us/powershell/module/storage/mount-diskimage?view=windowsserver2022-ps
+author: frack113
+date: 2022/02/01
+tags:
+    - attack.defense_evasion
+    - attack.t1553.005
 logsource:
    product: windows
    category: ps_script
@@ -24,6 +27,3 @@ detection:
 falsepositives:
    - Legitimate PowerShell scripts
 level: medium
-tags:
-    - attack.defense_evasion
-    - attack.t1553.005
@@ -1,13 +1,16 @@
 title: Security Software Discovery by Powershell
 id: 904e8e61-8edf-4350-b59c-b905fc8e810c
 status: experimental
-author: frack113
-date: 2021/12/16
 description: |
    Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment.
    This may include things such as firewall rules and anti-viru
 references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518.001/T1518.001.md
+author: frack113
+date: 2021/12/16
+tags:
+    - attack.discovery
+    - attack.t1518.001
 logsource:
    product: windows
    category: ps_script
@@ -28,6 +31,3 @@ detection:
 falsepositives:
    - Unknown
 level: low
-tags:
-    - attack.discovery
-    - attack.t1518.001
@@ -10,6 +10,9 @@ references:
    - https://www.ietf.org/rfc/rfc2821.txt
 author: frack113
 date: 2022/09/26
+tags:
+    - attack.exfiltration
+    - attack.t1048.003
 logsource:
    product: windows
    category: ps_script
@@ -23,6 +26,3 @@ detection:
 falsepositives:
    - Legitimate script
 level: medium
-tags:
-    - attack.exfiltration
-    - attack.t1048.003
@@ -3,12 +3,15 @@ id: 7d416556-6502-45b2-9bad-9d2f05f38997
 related:
    - id: d23f2ba5-9da0-4463-8908-8ee47f614bb9
      type: derived
+status: experimental
 description: Detect adversaries enumerate sensitive files
 references:
    - https://twitter.com/malmoeb/status/1570814999370801158
-status: experimental
 author: frack113
 date: 2022/09/16
+tags:
+    - attack.discovery
+    - attack.t1083
 logsource:
    product: windows
    category: ps_script
@@ -30,6 +33,3 @@ detection:
 falsepositives:
    - Unknown
 level: medium
-tags:
-    - attack.discovery
-    - attack.t1083
@@ -1,17 +1,17 @@
 title: Change PowerShell Policies to an Insecure Level
 id: 61d0475c-173f-4844-86f7-f3eebae1c66b
-description: Detects use of Set-ExecutionPolicy to set insecure policies
 status: experimental
+description: Detects use of Set-ExecutionPolicy to set insecure policies
 references:
    - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.1
    - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-7.1
    - https://adsecurity.org/?p=2604
-tags:
-    - attack.execution
-    - attack.t1059.001
 author: frack113
 date: 2021/10/20
 modified: 2022/09/10
+tags:
+    - attack.execution
+    - attack.t1059.001
 logsource:
    product: windows
    category: ps_script
@@ -4,15 +4,15 @@ status: experimental
 description: Detects Base64 encoded Shellcode
 references:
    - https://twitter.com/cyb3rops/status/1063072865992523776
+author: David Ledbetter (shellcode), Florian Roth (rule)
+date: 2018/11/17
+modified: 2021/10/16
 tags:
    - attack.defense_evasion
    - attack.privilege_escalation
    - attack.t1055
    - attack.execution
    - attack.t1059.001
-author: David Ledbetter (shellcode), Florian Roth (rule)
-date: 2018/11/17
-modified: 2021/10/16
 logsource:
    product: windows
    category: ps_script
@@ -2,26 +2,26 @@ title: Malicious ShellIntel PowerShell Commandlets
 id: 402e1e1d-ad59-47b6-bf80-1ee44985b3a7
 status: experimental
 description: Detects Commandlet names from ShellIntel exploitation scripts.
-date: 2021/08/09
-modified: 2021/10/16
 references:
    - https://github.com/Shellntel/scripts/
+author: Max Altgelt, Tobias Michalski
+date: 2021/08/09
+modified: 2021/10/16
 tags:
    - attack.execution
    - attack.t1059.001
-author: Max Altgelt, Tobias Michalski
 logsource:
    product: windows
    category: ps_script
    definition: Script Block Logging must be enabled
 detection:
-  selection:
-      ScriptBlockText|contains:
-        - Invoke-SMBAutoBrute
-        - Invoke-GPOLinks
-        - Out-Minidump
-        - Invoke-Potato
-  condition: selection
+    selection:
+        ScriptBlockText|contains:
+            - Invoke-SMBAutoBrute
+            - Invoke-GPOLinks
+            - Out-Minidump
+            - Invoke-Potato
+    condition: selection
 falsepositives:
    - Unknown
 level: high
@@ -1,13 +1,13 @@
 title: Detected Windows Software Discovery
 id: 2650dd1a-eb2a-412d-ac36-83f06c4f2282
-description: Adversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable.
 status: experimental
-author: Nikita Nazarov, oscd.community
-date: 2020/10/16
-modified: 2021/11/12
+description: Adversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable.
 references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518/T1518.md
    - https://github.com/harleyQu1nn/AggressorScripts #AVQuery.cna
+author: Nikita Nazarov, oscd.community
+date: 2020/10/16
+modified: 2021/11/12
 tags:
    - attack.discovery
    - attack.t1518
@@ -24,6 +24,6 @@ detection:
            - 'select-object'
            - 'format-table'
    condition: selection
-level: medium
 falsepositives:
    - Legitimate administration activities
+level: medium
@@ -1,12 +1,12 @@
 title: Powershell Store File In Alternate Data Stream
 id: a699b30e-d010-46c8-bbd1-ee2e26765fe9
 status: experimental
-author: frack113
-date: 2021/09/02
-modified: 2021/10/16
 description: Storing files in Alternate Data Stream (ADS) similar to Astaroth malware.
 references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.004/T1564.004.md
+author: frack113
+date: 2021/09/02
+modified: 2021/10/16
 tags:
    - attack.defense_evasion
    - attack.t1564.004
@@ -1,14 +1,17 @@
 title: AD Groups Or Users Enumeration Using PowerShell - ScriptBlock
 id: 88f0884b-331d-403d-a3a1-b668cf035603
+status: experimental
 description: |
    Adversaries may attempt to find domain-level groups and permission settings.
    The knowledge of domain-level permission groups can help adversaries determine which groups exist and which users belong to a particular group.
    Adversaries may use this information to determine which users have elevated permissions, such as domain administrators.
 references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.002/T1069.002.md
-status: experimental
 author: frack113
 date: 2021/12/15
+tags:
+    - attack.discovery
+    - attack.t1069.001
 logsource:
    product: windows
    category: ps_script
@@ -26,6 +29,3 @@ detection:
 falsepositives:
    - Unknown
 level: low
-tags:
-    - attack.discovery
-    - attack.t1069.001
@@ -3,14 +3,17 @@ id: 0f017df3-8f5a-414f-ad6b-24aff1128278
 related:
    - id: cc36992a-4671-4f21-a91d-6c2b72a2edf5
      type: derived
+status: experimental
 description: Detects usage of known powershell cmdlets such as "Clear-EventLog" to clear the windows event logs
 references:
    - https://twitter.com/oroneequalsone/status/1568432028361830402
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.001/T1070.001.md
    - https://eqllib.readthedocs.io/en/latest/analytics/5b223758-07d6-4100-9e11-238cfdd0fe97.html
-status: experimental
 author: Nasreddine Bencherchali
 date: 2022/09/12
+tags:
+    - attack.defense_evasion
+    - attack.t1070.001
 logsource:
    product: windows
    category: ps_script
@@ -26,6 +29,3 @@ detection:
 falsepositives:
    - Rare need to clear logs before doing something. Sometimes used by installers or cleaner scripts. The script should be investigated to determine if it's legitimate
 level: medium
-tags:
-    - attack.defense_evasion
-    - attack.t1070.001
@@ -2,11 +2,14 @@ title: Powershell Directory Enumeration
 id: 162e69a7-7981-4344-84a9-0f1c9a217a52
 status: experimental
 description: Detects technique used by MAZE ransomware to enumerate directories using Powershell
-date: 2022/03/17
-author: frack113
 references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1083/T1083.md
    - https://www.mandiant.com/resources/tactics-techniques-procedures-associated-with-maze-ransomware-incidents
+author: frack113
+date: 2022/03/17
+tags:
+    - attack.discovery
+    - attack.t1083
 logsource:
    product: windows
    category: ps_script
@@ -25,6 +28,3 @@ detection:
 falsepositives:
    - Legitimate PowerShell scripts
 level: medium
-tags:
-    - attack.discovery
-    - attack.t1083
@@ -5,12 +5,12 @@ related:
      type: derived
 status: experimental
 description: Detects suspicious PowerShell download command
-tags:
-    - attack.execution
-    - attack.t1059.001
 author: Florian Roth
 date: 2017/03/05
 modified: 2021/10/18
+tags:
+    - attack.execution
+    - attack.t1059.001
 logsource:
    product: windows
    category: ps_script
@@ -25,4 +25,4 @@ detection:
    condition: webclient and download
 falsepositives:
    - PowerShell scripts that download content from the Internet
-level: medium
+level: medium
@@ -1,5 +1,6 @@
 title: Powershell Execute Batch Script
 id: b5522a23-82da-44e5-9c8b-e10ed8955f88
+status: experimental
 description: |
    Adversaries may abuse the Windows command shell for execution.
    The Windows command shell ([cmd](https://attack.mitre.org/software/S0106)) is the primary command prompt on Windows systems.
@@ -8,9 +9,11 @@ description: |
    Common uses of batch files include long or repetitive tasks, or the need to run the same set of commands on multiple system
 references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.003/T1059.003.md#atomic-test-1---create-and-execute-batch-script
-status: experimental
 author: frack113
 date: 2022/01/02
+tags:
+    - attack.execution
+    - attack.t1059.003
 logsource:
    product: windows
    category: ps_script
@@ -26,6 +29,3 @@ detection:
 falsepositives:
    - Legitimate administration script
 level: medium
-tags:
-    - attack.execution
-    - attack.t1059.003
@@ -1,14 +1,17 @@
 title: Extracting Information with PowerShell
 id: bd5971a7-626d-46ab-8176-ed643f694f68
 status: experimental
-author: frack113
-date: 2021/12/19
 description: |
    Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.
    These can be files created by users to store their own credentials, shared credential stores for a group of individuals,
    configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.
 references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.001/T1552.001.md
+author: frack113
+date: 2021/12/19
+tags:
+    - attack.credential_access
+    - attack.t1552.001
 logsource:
    product: windows
    category: ps_script
@@ -24,6 +27,3 @@ detection:
 falsepositives:
    - Unknown
 level: medium
-tags:
-    - attack.credential_access
-    - attack.t1552.001
@@ -1,12 +1,15 @@
 title: Troubleshooting Pack Cmdlet Execution
 id: 03409c93-a7c7-49ba-9a4c-a00badf2a153
 status: experimental
-author: Nasreddine Bencherchali
-date: 2022/06/21
 description: Detects execution of "TroubleshootingPack" cmdlets to leverage CVE-2022-30190 or action similar to "msdt" lolbin (as described in LOLBAS)
 references:
    - https://twitter.com/nas_bench/status/1537919885031772161
    - https://lolbas-project.github.io/lolbas/Binaries/Msdt/
+author: Nasreddine Bencherchali
+date: 2022/06/21
+tags:
+    - attack.defense_evasion
+    - attack.t1202
 logsource:
    product: windows
    category: ps_script
@@ -22,6 +25,3 @@ detection:
 falsepositives:
    - Legitimate usage of "TroubleshootingPack" cmdlet for troubleshooting purposes
 level: medium
-tags:
-    - attack.defense_evasion
-    - attack.t1202
@@ -1,11 +1,14 @@
 title: Suspicious Enumerate Active Directory Computers with Get-AdComputer
 id: 36bed6b2-e9a0-4fff-beeb-413a92b86138
 status: experimental
-author: frack113
-date: 2022/03/17
 description: utilize Get-AdComputer to enumerate Computers within Active Directory.
 references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md
+author: frack113
+date: 2022/03/17
+tags:
+    - attack.discovery
+    - attack.t1018
 logsource:
    product: windows
    category: ps_script
@@ -19,6 +22,3 @@ detection:
 falsepositives:
    - Unknown
 level: low
-tags:
-    - attack.discovery
-    - attack.t1018
@@ -2,11 +2,14 @@ title: Password Policy Discovery With Get-AdDefaultDomainPasswordPolicy
 id: bbb9495b-58fc-4016-b9df-9a3a1b67ca82
 status: experimental
 description: Detetcts PowerShell activity in which Get-Addefaultdomainpasswordpolicy is used to get the default password policy for an Active Directory domain.
-date: 2022/03/17
-author: frack113
 references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1201/T1201.md#atomic-test-9---enumerate-active-directory-password-policy-with-get-addefaultdomainpasswordpolicy
    - https://docs.microsoft.com/en-us/powershell/module/activedirectory/get-addefaultdomainpasswordpolicy
+author: frack113
+date: 2022/03/17
+tags:
+    - attack.discovery
+    - attack.t1201
 logsource:
    product: windows
    category: ps_script
@@ -18,6 +21,3 @@ detection:
 falsepositives:
    - Legitimate PowerShell scripts
 level: low
-tags:
-    - attack.discovery
-    - attack.t1201
@@ -1,11 +1,14 @@
 title: Suspicious Enumerate Active Directory Groups with Get-AdComputer
 id: 8c3a6607-b7dc-4f0d-a646-ef38c00b76ee
 status: experimental
-author: frack113
-date: 2022/03/17
 description: Detects the use of Get-AdGroup to enumerate Groups within Active Directory
 references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md
+author: frack113
+date: 2022/03/17
+tags:
+    - attack.discovery
+    - attack.t1069.002
 logsource:
    product: windows
    category: ps_script
@@ -19,6 +22,3 @@ detection:
 falsepositives:
    - Unknown
 level: low
-tags:
-    - attack.discovery
-    - attack.t1069.002
@@ -2,11 +2,14 @@ title: Suspicious PowerShell Get Current User
 id: 4096a49c-7de4-4da0-a230-c66ccd56ea5a
 status: experimental
 description: Detects the use of PowerShell to identify the current logged user.
-date: 2022/04/04
-author: frack113
 references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1033/T1033.md#atomic-test-4---user-discovery-with-env-vars-powershell-script
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1033/T1033.md#atomic-test-5---getcurrent-user-with-powershell-script
+author: frack113
+date: 2022/04/04
+tags:
+    - attack.discovery
+    - attack.t1033
 logsource:
    product: windows
    category: ps_script
@@ -21,6 +24,3 @@ detection:
 falsepositives:
    - Legitimate PowerShell scripts
 level: low
-tags:
-    - attack.discovery
-    - attack.t1033
@@ -2,11 +2,14 @@ title: Suspicious GPO Discovery With Get-GPO
 id: eb2fd349-ec67-4caa-9143-d79c7fb34441
 status: experimental
 description: Detect use of Get-GPO to get one GPO or all the GPOs in a domain.
-date: 2022/06/04
-author: frack113
 references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1615/T1615.md
    - https://docs.microsoft.com/en-us/powershell/module/grouppolicy/get-gpo?view=windowsserver2022-ps
+author: frack113
+date: 2022/06/04
+tags:
+    - attack.discovery
+    - attack.t1615
 logsource:
    product: windows
    category: ps_script
@@ -18,6 +21,3 @@ detection:
 falsepositives:
    - Legitimate PowerShell scripts
 level: low
-tags:
-    - attack.discovery
-    - attack.t1615
@@ -2,11 +2,14 @@ title: Suspicious Process Discovery With Get-Process
 id: af4c87ce-bdda-4215-b998-15220772e993
 status: experimental
 description: Get the processes that are running on the local computer.
-date: 2022/03/17
-author: frack113
 references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1057/T1057.md#atomic-test-3---process-discovery---get-process
    - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-process?view=powershell-7
+author: frack113
+date: 2022/03/17
+tags:
+    - attack.discovery
+    - attack.t1057
 logsource:
    product: windows
    category: ps_script
@@ -18,6 +21,3 @@ detection:
 falsepositives:
    - Legitimate PowerShell scripts
 level: low
-tags:
-    - attack.discovery
-    - attack.t1057
@@ -4,12 +4,12 @@ status: experimental
 description: Detects a Get-Process command on lsass process, which is in almost all cases a sign of malicious activity
 references:
    - https://twitter.com/PythonResponder/status/1385064506049630211
-tags:
-    - attack.credential_access
-    - attack.t1003.001
 author: Florian Roth
 date: 2021/04/23
 modified: 2021/10/16
+tags:
+    - attack.credential_access
+    - attack.t1003.001
 logsource:
    product: windows
    category: ps_script
@@ -2,10 +2,14 @@ title: Suspicious GetTypeFromCLSID ShellExecute
 id: 8bc063d5-3a3a-4f01-a140-bc15e55e8437
 status: experimental
 description: Detects suspicious Powershell code that execute COM Objects
-date: 2022/04/02
-author: frack113
 references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.015/T1546.015.md#atomic-test-2---powershell-execute-com-object
+author: frack113
+date: 2022/04/02
+tags:
+    - attack.privilege_escalation
+    - attack.persistence
+    - attack.t1546.015
 logsource:
    product: windows
    category: ps_script
@@ -19,7 +23,3 @@ detection:
 falsepositives:
    - Legitimate PowerShell scripts
 level: medium
-tags:
-    - attack.privilege_escalation
-    - attack.persistence
-    - attack.t1546.015
@@ -2,11 +2,14 @@ title: Suspicious Get-WmiObject
 id: 0332a266-b584-47b4-933d-a00b103e1b37
 status: experimental
 description: The infrastructure for management data and operations that enables local and remote management of Windows personal computers and servers
-date: 2022/01/12
-author: frack113
 references:
    - https://attack.mitre.org/datasources/DS0005/
    - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-wmiobject?view=powershell-5.1&viewFallbackFrom=powershell-7
+author: frack113
+date: 2022/01/12
+tags:
+    - attack.persistence
+    - attack.t1546
 logsource:
    product: windows
    category: ps_script
@@ -20,6 +23,3 @@ detection:
 falsepositives:
    - Legitimate PowerShell scripts
 level: low
-tags:
-    - attack.persistence
-    - attack.t1546
@@ -2,11 +2,14 @@ title: Suspicious Hyper-V Cmdlets
 id: 42d36aa1-3240-4db0-8257-e0118dcdd9cd
 status: experimental
 description: Adversaries may carry out malicious operations using a virtual instance to avoid detection
-date: 2022/04/09
-author: frack113
 references:
    - https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/quick-start/enable-hyper-v
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.006/T1564.006.md#atomic-test-3---create-and-start-hyper-v-virtual-machine
+author: frack113
+date: 2022/04/09
+tags:
+    - attack.defense_evasion
+    - attack.t1564.006
 logsource:
    product: windows
    category: ps_script
@@ -21,6 +24,3 @@ detection:
 falsepositives:
    - Legitimate PowerShell scripts
 level: medium
-tags:
-    - attack.defense_evasion
-    - attack.t1564.006
@@ -5,12 +5,12 @@ related:
      type: derived
 status: experimental
 description: Detects suspicious PowerShell invocation command parameters
-tags:
-    - attack.execution
-    - attack.t1059.001
 author: Florian Roth (rule)
 date: 2017/03/12
 modified: 2021/12/02
+tags:
+    - attack.execution
+    - attack.t1059.001
 logsource:
    product: windows
    category: ps_script
@@ -5,12 +5,12 @@ related:
      type: derived
 status: experimental
 description: Detects suspicious PowerShell invocation command parameters
-tags:
-    - attack.execution
-    - attack.t1059.001
 author: Florian Roth (rule), Jonhnathan Ribeiro
 date: 2017/03/05
 modified: 2022/02/21
+tags:
+    - attack.execution
+    - attack.t1059.001
 logsource:
    product: windows
    category: ps_script
@@ -1,13 +1,16 @@
 title: Change User Agents with WebRequest
 id: d4488827-73af-4f8d-9244-7b7662ef046e
 status: experimental
-author: frack113
-date: 2022/01/23
 description: |
    Adversaries may communicate using application layer protocols associated with web traffic to avoid detection/network filtering by blending in with existing traffic.
    Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
 references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1071.001/T1071.001.md#t1071001---web-protocols
+author: frack113
+date: 2022/01/23
+tags:
+    - attack.command_and_control
+    - attack.t1071.001
 logsource:
    product: windows
    category: ps_script
@@ -21,6 +24,3 @@ detection:
 falsepositives:
    - Unknown
 level: medium
-tags:
-    - attack.command_and_control
-    - attack.t1071.001
@@ -2,11 +2,14 @@ title: Suspicious IO.FileStream
 id: 70ad982f-67c8-40e0-a955-b920c2fa05cb
 status: experimental
 description: Open a handle on the drive volume via the \\.\ DOS device path specifier and perform direct access read of the first few bytes of the volume.
-date: 2022/01/09
-modified: 2022/03/05
-author: frack113
 references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1006/T1006.md
+author: frack113
+date: 2022/01/09
+modified: 2022/03/05
+tags:
+    - attack.defense_evasion
+    - attack.t1070.003
 logsource:
    product: windows
    category: ps_script
@@ -21,6 +24,3 @@ detection:
 falsepositives:
    - Legitimate PowerShell scripts
 level: medium
-tags:
-    - attack.defense_evasion
-    - attack.t1070.003
--- a/Show More
+++ b/Show More