change to category: ps_script

2021-10-16 08:18:49 +02:00
parent 0ca16b18f4
commit f6b0a89161
51 changed files with 107 additions and 152 deletions
@@ -10,14 +10,13 @@ tags:
    - attack.t1086  #an old one
 author: Sean Metcalf (source), Florian Roth (rule), Bartlomiej Czyz @bczyz1 (update), oscd.community (update)
 date: 2017/03/05
-modified: 2021/08/21
+modified: 2021/10/16
 logsource:
    product: windows
-    service: powershell
+    category: ps_script
    definition: Script Block Logging must be enable
 detection:
    select_Malicious:
-        EventID: 4104
        ScriptBlockText|contains:
            - "Invoke-DllInjection"
            - "Invoke-Shellcode"