security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
0b0435bf7a808aa164ae6ebd2e965addfad374cf
blue-team-tools/rules/windows/powershell/powershell_psattack.yml
T
Florian Roth 0b0435bf7a Fixed PSAttack rule
2017-10-18 21:49:38 +02:00

18 lines
543 B
YAML
Raw Blame History

title: PowerShell PSAttack
status: experimental
description: Detects the use of PSAttack PowerShell hack tool
reference: https://adsecurity.org/?p=2921
author: Sean Metcalf (source), Florian Roth (rule)
logsource:
product: windows
service: powershell
description: 'It is recommanded to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277'
detection:
selection:
EventID: 4103
keywords: 'PS ATTACK!!!'
condition: selection and keywords
falsepositives:
- Pentesters
level: high
Reference in New Issue View Git Blame Copy Permalink