security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
9ca52259dd91fe02f997c3240cb250ad448c8a56
blue-team-tools/rules/windows/powershell/powershell_alternate_powershell_hosts.yml
T
Thomas Patzke 924e1feb54 UUIDs + moved unsupported logic 
* Added UUIDs to all contributed rules
* Moved unsupported logic directory out of rules/ because this breaks CI
  testing.
2019-12-19 23:56:36 +01:00

22 lines
710 B
YAML
Raw Blame History

title: T1086 Alternate PowerShell Hosts
id: 64e8e417-c19a-475a-8d19-98ea705394cc
description: Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe
status: experimental
date: 2019/08/11
author: Roberto Rodriguez @Cyb3rWard0g
references:
- https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/alternate_signed_powershell_hosts.md
logsource:
product: windows
service: powershell
detection:
selection:
EventID:
- 4103
- 400
filter:
HostApplication: 'powershell.exe'
condition: selection and not filter
falsepositives:
- Unknown
level: critical
Reference in New Issue View Git Blame Copy Permalink