diff --git a/rules/windows/powershell/powershell_suspicious_profile_create.yml b/rules/windows/file_event/sysmon_suspicious_powershell_profile_create.yml similarity index 100% rename from rules/windows/powershell/powershell_suspicious_profile_create.yml rename to rules/windows/file_event/sysmon_suspicious_powershell_profile_create.yml diff --git a/rules/windows/powershell/powershell_CL_Invocation_LOLScript.yml b/rules/windows/powershell/powershell_CL_Invocation_LOLScript.yml index 3976c19fb..054cd341e 100644 --- a/rules/windows/powershell/powershell_CL_Invocation_LOLScript.yml +++ b/rules/windows/powershell/powershell_CL_Invocation_LOLScript.yml @@ -14,7 +14,7 @@ tags: logsource: product: windows service: powershell - definition: 'Script block logging must be enabled' + definition: Script block logging must be enabled detection: selection: EventID: 4104 diff --git a/rules/windows/powershell/powershell_CL_Invocation_LOLScript_v2.yml b/rules/windows/powershell/powershell_CL_Invocation_LOLScript_v2.yml index 5cd1d3add..246803a01 100644 --- a/rules/windows/powershell/powershell_CL_Invocation_LOLScript_v2.yml +++ b/rules/windows/powershell/powershell_CL_Invocation_LOLScript_v2.yml @@ -14,7 +14,7 @@ tags: logsource: product: windows service: powershell - definition: 'Script block logging must be enabled' + definition: Script block logging must be enabled detection: selection2: EventID: 4104 diff --git a/rules/windows/powershell/powershell_CL_Mutexverifiers_LOLScript.yml b/rules/windows/powershell/powershell_CL_Mutexverifiers_LOLScript.yml index a9e742a2d..3430cdd73 100644 --- a/rules/windows/powershell/powershell_CL_Mutexverifiers_LOLScript.yml +++ b/rules/windows/powershell/powershell_CL_Mutexverifiers_LOLScript.yml @@ -14,7 +14,7 @@ tags: logsource: product: windows service: powershell - definition: 'Script block logging must be enabled' + definition: Script block logging must be enabled detection: selection: EventID: 4104 diff --git a/rules/windows/powershell/powershell_accessing_win_api.yml b/rules/windows/powershell/powershell_accessing_win_api.yml index aa74974e9..f7ed287ec 100644 --- a/rules/windows/powershell/powershell_accessing_win_api.yml +++ b/rules/windows/powershell/powershell_accessing_win_api.yml @@ -14,7 +14,7 @@ tags: logsource: product: windows service: powershell - definition: 'Script block logging must be enabled' + definition: Script block logging must be enabled detection: selection: EventID: 4104 diff --git a/rules/windows/powershell/powershell_adrecon_execution.yml b/rules/windows/powershell/powershell_adrecon_execution.yml index f041ac685..af2ba36ae 100644 --- a/rules/windows/powershell/powershell_adrecon_execution.yml +++ b/rules/windows/powershell/powershell_adrecon_execution.yml @@ -14,7 +14,7 @@ date: 2021/07/16 logsource: product: windows service: powershell - definition: 'Script block logging must be enabled' + definition: Script block logging must be enabled detection: selection: EventID: 4104 diff --git a/rules/windows/powershell/powershell_automated_collection.yml b/rules/windows/powershell/powershell_automated_collection.yml index d482a22b3..d19a88eac 100644 --- a/rules/windows/powershell/powershell_automated_collection.yml +++ b/rules/windows/powershell/powershell_automated_collection.yml @@ -12,7 +12,7 @@ tags: logsource: product: windows service: powershell - definition: 'Script block logging must be enabled' + definition: Script block logging must be enabled detection: selection_eventid: EventID: 4104 diff --git a/rules/windows/powershell/powershell_bad_opsec_artifacts.yml b/rules/windows/powershell/powershell_bad_opsec_artifacts.yml index 0479fcd14..98ec30525 100644 --- a/rules/windows/powershell/powershell_bad_opsec_artifacts.yml +++ b/rules/windows/powershell/powershell_bad_opsec_artifacts.yml @@ -16,7 +16,7 @@ tags: logsource: product: windows service: powershell - definition: 'Script block logging must be enabled' + definition: Script block logging must be enabled for 4104 , Module Logging must be enable for 4103 detection: selection_4104: EventID: 4104 diff --git a/rules/windows/powershell/powershell_decompress_commands.yml b/rules/windows/powershell/powershell_decompress_commands.yml index bdef59f86..19028f6a8 100644 --- a/rules/windows/powershell/powershell_decompress_commands.yml +++ b/rules/windows/powershell/powershell_decompress_commands.yml @@ -13,7 +13,7 @@ references: logsource: product: windows service: powershell - definition: 'Script block logging must be enabled' + definition: Script block logging must be enabled for 4104, Module Logging must be enabled for 4103 detection: selection1: EventID: 4104 diff --git a/rules/windows/powershell/powershell_get_clipboard.yml b/rules/windows/powershell/powershell_get_clipboard.yml index 26282f89e..542c432c5 100644 --- a/rules/windows/powershell/powershell_get_clipboard.yml +++ b/rules/windows/powershell/powershell_get_clipboard.yml @@ -13,7 +13,7 @@ references: logsource: product: windows service: powershell - definition: 'Script block logging must be enabled' + definition: Script block logging must be enabled for 4104, Module Logging must be enabled for 4103 detection: selection1: EventID: 4104 diff --git a/rules/windows/powershell/powershell_invoke_obfuscation_clip+.yml b/rules/windows/powershell/powershell_invoke_obfuscation_clip+.yml index 8438323a1..45c57fa3b 100644 --- a/rules/windows/powershell/powershell_invoke_obfuscation_clip+.yml +++ b/rules/windows/powershell/powershell_invoke_obfuscation_clip+.yml @@ -14,7 +14,7 @@ tags: logsource: product: windows service: powershell - definition: 'Script block logging must be enabled' + definition: Script block logging must be enabled for 4104 , Module Logging must be enabled for 4103 detection: selection_1: EventID: 4104 diff --git a/rules/windows/powershell/powershell_invoke_obfuscation_obfuscated_iex.yml b/rules/windows/powershell/powershell_invoke_obfuscation_obfuscated_iex.yml index dd5771b8b..9b030a97d 100644 --- a/rules/windows/powershell/powershell_invoke_obfuscation_obfuscated_iex.yml +++ b/rules/windows/powershell/powershell_invoke_obfuscation_obfuscated_iex.yml @@ -14,7 +14,7 @@ tags: logsource: product: windows service: powershell - definition: 'Script block logging must be enabled' + definition: Script block logging must be enabled for 4104, Module Logging must be enabled for 4103 detection: selection_1: EventID: 4104 diff --git a/rules/windows/powershell/powershell_invoke_obfuscation_stdin+.yml b/rules/windows/powershell/powershell_invoke_obfuscation_stdin+.yml index f1969a380..a8b5d3432 100644 --- a/rules/windows/powershell/powershell_invoke_obfuscation_stdin+.yml +++ b/rules/windows/powershell/powershell_invoke_obfuscation_stdin+.yml @@ -14,7 +14,7 @@ tags: logsource: product: windows service: powershell - definition: 'Script block logging must be enabled' + definition: Script block logging must be enabled for 4104, Module Logging must be enabled for 4103 detection: selection_1: EventID: 4104 diff --git a/rules/windows/powershell/powershell_invoke_obfuscation_var+.yml b/rules/windows/powershell/powershell_invoke_obfuscation_var+.yml index 61e5ee7ec..f84762624 100644 --- a/rules/windows/powershell/powershell_invoke_obfuscation_var+.yml +++ b/rules/windows/powershell/powershell_invoke_obfuscation_var+.yml @@ -14,7 +14,7 @@ tags: logsource: product: windows service: powershell - definition: 'Script block logging must be enabled' + definition: Script block logging must be enabled for 4104,Module Logging must be enabled for 4103 detection: selection_1: EventID: 4104 diff --git a/rules/windows/powershell/powershell_invoke_obfuscation_via_compress.yml b/rules/windows/powershell/powershell_invoke_obfuscation_via_compress.yml index 8fde7bb9d..165d13d29 100644 --- a/rules/windows/powershell/powershell_invoke_obfuscation_via_compress.yml +++ b/rules/windows/powershell/powershell_invoke_obfuscation_via_compress.yml @@ -14,7 +14,7 @@ tags: logsource: product: windows service: powershell - definition: 'Script block logging must be enabled' + definition: Script block logging must be enabled for 4104, Module Logging must be enabled for 4103 detection: selection_1: EventID: 4104 diff --git a/rules/windows/powershell/powershell_invoke_obfuscation_via_rundll.yml b/rules/windows/powershell/powershell_invoke_obfuscation_via_rundll.yml index e26c5a29f..e47cf4f44 100644 --- a/rules/windows/powershell/powershell_invoke_obfuscation_via_rundll.yml +++ b/rules/windows/powershell/powershell_invoke_obfuscation_via_rundll.yml @@ -14,7 +14,7 @@ tags: logsource: product: windows service: powershell - definition: 'Script block logging must be enabled' + definition: Script block logging must be enabled for 4104, Module Logging must be enabled for 4103 detection: selection_1: EventID: 4104 diff --git a/rules/windows/powershell/powershell_invoke_obfuscation_via_use_clip.yml b/rules/windows/powershell/powershell_invoke_obfuscation_via_use_clip.yml index 5adbdedcc..30749fc4e 100644 --- a/rules/windows/powershell/powershell_invoke_obfuscation_via_use_clip.yml +++ b/rules/windows/powershell/powershell_invoke_obfuscation_via_use_clip.yml @@ -14,7 +14,7 @@ tags: logsource: product: windows service: powershell - definition: 'Script block logging must be enabled' + definition: Script block logging must be enabled for 4104, Module Logging must be enabled for 4103 detection: selection_1: EventID: 4104 diff --git a/rules/windows/powershell/powershell_invoke_obfuscation_via_use_mhsta.yml b/rules/windows/powershell/powershell_invoke_obfuscation_via_use_mhsta.yml index 07f71af31..ceaab3492 100644 --- a/rules/windows/powershell/powershell_invoke_obfuscation_via_use_mhsta.yml +++ b/rules/windows/powershell/powershell_invoke_obfuscation_via_use_mhsta.yml @@ -14,7 +14,7 @@ tags: logsource: product: windows service: powershell - definition: 'Script block logging must be enabled' + definition: Script block logging must be enabled for 4104, Module Logging must be enabled for 4103 detection: selection_1: EventID: 4104 diff --git a/rules/windows/powershell/powershell_invoke_obfuscation_via_use_rundll32.yml b/rules/windows/powershell/powershell_invoke_obfuscation_via_use_rundll32.yml index cc5e50e6c..445355bc7 100644 --- a/rules/windows/powershell/powershell_invoke_obfuscation_via_use_rundll32.yml +++ b/rules/windows/powershell/powershell_invoke_obfuscation_via_use_rundll32.yml @@ -14,7 +14,7 @@ tags: logsource: product: windows service: powershell - definition: 'Script block logging must be enabled' + definition: Script block logging must be enabled for 4104, Module Logging must be enabled for 4103 detection: selection_1: EventID: 4104 diff --git a/rules/windows/powershell/powershell_invoke_obfuscation_via_var++.yml b/rules/windows/powershell/powershell_invoke_obfuscation_via_var++.yml index f1d98861d..60a0fe2bb 100644 --- a/rules/windows/powershell/powershell_invoke_obfuscation_via_var++.yml +++ b/rules/windows/powershell/powershell_invoke_obfuscation_via_var++.yml @@ -15,7 +15,7 @@ tags: logsource: product: windows service: powershell - definition: 'Script block logging must be enabled' + definition: Script block logging must be enabled for 4104, Module Logging must be enabled for 4103 detection: selection_1: EventID: 4104 diff --git a/rules/windows/powershell/powershell_suspicious_export_pfxcertificate.yml b/rules/windows/powershell/powershell_suspicious_export_pfxcertificate.yml index 6a621346a..b39cf109e 100644 --- a/rules/windows/powershell/powershell_suspicious_export_pfxcertificate.yml +++ b/rules/windows/powershell/powershell_suspicious_export_pfxcertificate.yml @@ -14,12 +14,12 @@ modified: 2021/08/04 logsource: product: windows service: powershell - definition: 'It is recommended to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277' + definition: Script Block Logging must be enable detection: - keywords: + PfxCertificate: EventID: 4104 ScriptBlockText|contains: "Export-PfxCertificate" - condition: keywords + condition: PfxCertificate falsepositives: - Legitimate certificate exports invoked by administrators or users (depends on processes in the environment - filter if unusable) level: high diff --git a/rules/windows/powershell/powershell_suspicious_getprocess_lsass.yml b/rules/windows/powershell/powershell_suspicious_getprocess_lsass.yml index c08f0ca50..eccd3337d 100644 --- a/rules/windows/powershell/powershell_suspicious_getprocess_lsass.yml +++ b/rules/windows/powershell/powershell_suspicious_getprocess_lsass.yml @@ -13,12 +13,12 @@ modified: 2021/08/04 logsource: product: windows service: powershell - definition: 'It is recommended to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277' + definition: Script Block Logging must be enable detection: - keywords: + select_LSASS: EventID: 4104 ScriptBlockText|contains: 'Get-Process lsass' - condition: keywords + condition: select_LSASS falsepositives: - Legitimate certificate exports invoked by administrators or users (depends on processes in the environment - filter if unusable) level: high diff --git a/rules/windows/powershell/powershell_suspicious_invocation_specific.yml b/rules/windows/powershell/powershell_suspicious_invocation_specific.yml index 39da524b4..7ae574e14 100644 --- a/rules/windows/powershell/powershell_suspicious_invocation_specific.yml +++ b/rules/windows/powershell/powershell_suspicious_invocation_specific.yml @@ -11,6 +11,7 @@ date: 2017/03/05 logsource: product: windows service: powershell + definition: Script block logging must be enabled for 4104, Module Logging must be enabled for 4103 detection: convert_b64: - '-nop' diff --git a/rules/windows/powershell/powershell_suspicious_keywords.yml b/rules/windows/powershell/powershell_suspicious_keywords.yml index 991dfc3cd..356730482 100644 --- a/rules/windows/powershell/powershell_suspicious_keywords.yml +++ b/rules/windows/powershell/powershell_suspicious_keywords.yml @@ -17,7 +17,7 @@ tags: logsource: product: windows service: powershell - definition: 'It is recommended to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277. Monitor for EventID 4104' + definition: Script block logging must be enabled for 4104, Module Logging must be enabled for 4103 detection: keywords: - "System.Reflection.Assembly.Load($" diff --git a/rules/windows/powershell/powershell_suspicious_mail_acces.yml b/rules/windows/powershell/powershell_suspicious_mail_acces.yml index 13210d4ad..18b6b4600 100644 --- a/rules/windows/powershell/powershell_suspicious_mail_acces.yml +++ b/rules/windows/powershell/powershell_suspicious_mail_acces.yml @@ -12,7 +12,7 @@ tags: logsource: product: windows service: powershell - definition: EnableScriptBlockLogging must be set to enable + definition: Script block logging must be enabled detection: selection: EventID: 4104 diff --git a/rules/windows/powershell/powershell_suspicious_mounted_share_deletion.yml b/rules/windows/powershell/powershell_suspicious_mounted_share_deletion.yml index c040e3a50..941ef606c 100644 --- a/rules/windows/powershell/powershell_suspicious_mounted_share_deletion.yml +++ b/rules/windows/powershell/powershell_suspicious_mounted_share_deletion.yml @@ -12,7 +12,7 @@ tags: logsource: product: windows service: powershell - definition: 'Script block logging must be enabled' + definition: Script block logging must be enabled detection: selection: EventID: 4104 diff --git a/rules/windows/powershell/powershell_suspicious_recon.yml b/rules/windows/powershell/powershell_suspicious_recon.yml index 78368cdf0..a46b1d1b6 100644 --- a/rules/windows/powershell/powershell_suspicious_recon.yml +++ b/rules/windows/powershell/powershell_suspicious_recon.yml @@ -12,7 +12,7 @@ tags: logsource: product: windows service: powershell - definition: 'Script block logging must be enabled' + definition: Script block logging must be enabled detection: selection_eventid: EventID: 4104 diff --git a/rules/windows/powershell/powershell_winlogon_helper_dll.yml b/rules/windows/powershell/powershell_winlogon_helper_dll.yml index 026d82402..d15724be1 100644 --- a/rules/windows/powershell/powershell_winlogon_helper_dll.yml +++ b/rules/windows/powershell/powershell_winlogon_helper_dll.yml @@ -10,7 +10,7 @@ references: logsource: product: windows service: powershell - definition: 'Script block logging must be enabled' + definition: Script block logging must be enabled detection: selection: EventID: 4104 diff --git a/rules/windows/powershell/powershell_wmimplant.yml b/rules/windows/powershell/powershell_wmimplant.yml index 8ff61cde2..ec0915ffa 100644 --- a/rules/windows/powershell/powershell_wmimplant.yml +++ b/rules/windows/powershell/powershell_wmimplant.yml @@ -14,7 +14,7 @@ date: 2020/03/26 logsource: product: windows service: powershell - definition: "Script block logging must be enabled" + definition: Script block logging must be enabled detection: selection: ScriptBlockText|contains: