da839775fe
Update PS rules
2021-08-21 09:50:59 +02:00
6f05e33feb
fix: Correct incorrect message / keyword usage
...
Correct a number of rules where message or keyword were incorrectly used
as field names in events (typically windows event logs). However, neither
field actually exists and as such these strings could never match.
2021-08-12 16:28:07 +02:00
728276ef13
Improve Logic
2020-11-20 01:22:20 -03:00
eb6b9be5a2
added missing ATT&CK v6.3 IDs with comments and removed unnecessary "modified" attributes
2020-08-25 23:51:22 +00:00
399f378269
att&ck tags review: windows/powershell, windows/process_access, windows/network_connection
2020-08-24 23:31:26 +00:00
ba2e891433
windows/powershell folder reviewed. Old ID’s marked with comment “an old one”. These ID’s have to be removed in future.
2020-08-24 00:01:50 +00:00
0fbfcc6ba9
Initial round of subtechnique updates
2020-06-16 14:46:08 -06:00
e79e99c4aa
fix: fixed missing date fields in remaining files
2020-01-30 16:07:37 +01:00
0592cbb67a
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
aafab2e936
fix: bound keywords to field in multiple PS rules
...
Rules changed:
- rules/windows/powershell/powershell_malicious_commandlets.yml
- rules/windows/powershell/powershell_malicious_keywords.yml
- rules/windows/powershell/powershell_suspicious_download.yml
- rules/windows/powershell/powershell_suspicious_invocation_specific.yml
2019-10-29 19:53:18 +01:00
c99dc9f643
Tagged windows powershell, other and malware rules.
2018-07-24 10:56:41 +02:00
055992eb05
Bugfix: PowerShell rules log source inconstency
2017-03-21 10:22:13 +01:00
a0047f7c67
Sysmon as 'service' of product 'windows'
2017-03-13 09:23:08 +01:00
de689c32b5
Suspicious PowerShell Invocation
2017-03-12 17:06:53 +01:00
frack113