blue-team-tools/tools/config/generic/powershell.yml
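---
title: Conversion of Generic Rules into Powershell Specific EventID Rules
order: 15
#
# Maps each generic PowerShell logsource category onto the Windows event ID
# that carries it, so a rule written against the category is rewritten by the
# consuming converter into product/service plus an EventID condition.
#
# Some references:
# https://redblueteam.wordpress.com/2020/02/08/enable-command-line-and-powershell-audit-for-better-threat-hunting/
# https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_logging_windows?view=powershell-7.1
#
logsources:
  # Microsoft-Windows-PowerShell/Operational channel (service: powershell).
  # Neither event below is emitted unless the matching policy is enabled
  # (Module Logging for 4103, Script Block Logging for 4104). On hosts without
  # those policies the rewritten rules can never match, so no hits means a
  # coverage gap rather than a clean result.
  ps_module:
    category: ps_module
    product: windows
    conditions:
      EventID: 4103  # Module Logging: pipeline execution details
    rewrite:
      product: windows
      service: powershell
  ps_script:
    category: ps_script
    product: windows
    conditions:
      EventID: 4104  # Script Block Logging: the script block text that ran
    rewrite:
      product: windows
      service: powershell

  # "Windows PowerShell" classic channel (service: powershell-classic); the
  # consuming backend is expected to map that service name to the channel.
  # 400 and 600 are engine/provider lifecycle events written by default;
  # 800 is the classic counterpart of 4103 and also needs Module Logging.
  ps_classic_start:
    category: ps_classic_start
    product: windows
    conditions:
      EventID: 400  # Engine state changed to Available (host/session start)
    rewrite:
      product: windows
      service: powershell-classic
  ps_classic_provider_start:
    category: ps_classic_provider_start
    product: windows
    conditions:
      EventID: 600  # Provider lifecycle (provider started)
    rewrite:
      product: windows
      service: powershell-classic
  ps_classic_script:
    category: ps_classic_script
    product: windows
    conditions:
      EventID: 800  # Pipeline execution details (classic channel)
    rewrite:
      product: windows
      service: powershell-classic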