Set powershell_alternate_powershell_hosts.yml more accurate by adding the correct channel for EventID

2021-06-01 10:47:17 +02:00
parent b191efaab1
commit bf98f43850
4 changed files with 55 additions and 12 deletions
@@ -1,8 +1,10 @@
+action: global
 title: Alternate PowerShell Hosts
 id: 64e8e417-c19a-475a-8d19-98ea705394cc
 description: Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe
 status: experimental
 date: 2019/08/11
+modified: 2021/06/01
 author: Roberto Rodriguez @Cyb3rWard0g
 references:
    - https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190815181010.html
@@ -10,6 +12,20 @@ tags:
    - attack.execution
    - attack.t1059.001
    - attack.t1086  # an old one
+falsepositives:
+    - Programs using PowerShell directly without invocation of a dedicated interpreter
+    - MSP Detection Searcher
+    - Citrix ConfigSync.ps1
+level: medium   
+detection:
+    filter:
+        - ContextInfo: 'powershell.exe'
+        - Message: 'powershell.exe'
+        # Both fields contain key=value pairs where the key HostApplication is relevant but
+        # can't be referred directly as event field.
+    condition: selection and not filter
+ 
+---
 logsource:
    product: windows
    service: powershell
@@ -17,16 +33,13 @@ detection:
    selection:
        EventID:
            - 4103
-            - 400
        ContextInfo: '*'
-    filter:
-        - ContextInfo: 'powershell.exe'
-        - Message: 'powershell.exe'
-        # Both fields contain key=value pairs where the key HostApplication is relevant but
-        # can't be referred directly as event field.
-    condition: selection and not filter
-falsepositives:
-    - Programs using PowerShell directly without invocation of a dedicated interpreter
-    - MSP Detection Searcher
-    - Citrix ConfigSync.ps1
-level: medium
+---
+logsource:
+    product: windows
+    service: powershell-classic
+detection:
+    selection:
+        EventID:
+            - 400
+        ContextInfo: '*'
@@ -35,6 +35,16 @@ logsources:
    service: sysmon
    conditions:
      winlog.channel: 'Microsoft-Windows-Sysmon/Operational'
+  windows-powershell:
+    product: windows
+    service: powershell
+    conditions:
+      winlog.channel: 'Microsoft-Windows-PowerShell/Operational'
+  windows-classicpowershell:
+    product: windows
+    service: powershell-classic
+    conditions:
+      winlog.channel: 'Windows PowerShell'
  windows-dns-server:
    product: windows
    service: dns-server
@@ -34,6 +34,16 @@ logsources:
    service: sysmon
    conditions:
      log_name: 'Microsoft-Windows-Sysmon/Operational'
+  windows-powershell:
+    product: windows
+    service: powershell
+    conditions:
+      winlog.channel: 'Microsoft-Windows-PowerShell/Operational'
+  windows-classicpowershell:
+    product: windows
+    service: powershell-classic
+    conditions:
+      winlog.channel: 'Windows PowerShell'
  windows-dns-server:
    product: windows
    service: dns-server
@@ -34,6 +34,16 @@ logsources:
    service: sysmon
    conditions:
      winlog.channel: 'Microsoft-Windows-Sysmon/Operational'
+  windows-powershell:
+    product: windows
+    service: powershell
+    conditions:
+      winlog.channel: 'Microsoft-Windows-PowerShell/Operational'
+  windows-classicpowershell:
+    product: windows
+    service: powershell-classic
+    conditions:
+      winlog.channel: 'Windows PowerShell'
  windows-dns-server:
    product: windows
    service: dns-server