security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
1337116d840c6076cb1f6fa69ab1457384faaec4
blue-team-tools/rules/windows/powershell/powershell_script/powershell_psattack.yml
T
frack113 5c68c42058 order powershell_script
2021-10-09 10:30:36 +02:00

26 lines
649 B
YAML
Raw Blame History

title: PowerShell PSAttack
id: b7ec41a4-042c-4f31-a5db-d0fcde9fa5c5
status: experimental
description: Detects the use of PSAttack PowerShell hack tool
references:
- https://adsecurity.org/?p=2921
tags:
- attack.execution
- attack.t1059.001
- attack.t1086 #an old one
author: Sean Metcalf (source), Florian Roth (rule)
date: 2017/03/05
modified: 2021/08/21
logsource:
product: windows
service: powershell
definition: Script block logging must be enabled
detection:
selection:
EventID: 4104
ScriptBlockText|contains: 'PS ATTACK!!!'
condition: selection
falsepositives:
- Pentesters
level: high
Reference in New Issue View Git Blame Copy Permalink