security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
9ca52259dd91fe02f997c3240cb250ad448c8a56
blue-team-tools/rules/windows/sysmon/sysmon_alternate_powershell_hosts_moduleload.yml
T
Thomas Patzke 924e1feb54 UUIDs + moved unsupported logic 
* Added UUIDs to all contributed rules
* Moved unsupported logic directory out of rules/ because this breaks CI
  testing.
2019-12-19 23:56:36 +01:00

23 lines
805 B
YAML
Raw Blame History

title: T1086 Alternate PowerShell Hosts
id: f67f6c57-257d-4919-a416-69cd31f9aac3
description: Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe
status: experimental
date: 2019/09/12
modified: 2019/11/10
author: Roberto Rodriguez @Cyb3rWard0g
references:
- https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/alternate_signed_powershell_hosts.md
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 7
Description: 'system.management.automation'
ImageLoaded|contains: 'system.management.automation'
filter:
Image|endswith: '\powershell.exe'
condition: selection and not filter
falsepositives:
- Unknown
level: critical
Reference in New Issue View Git Blame Copy Permalink