Max Altgelt
6f05e33feb
Correct a number of rules where message or keyword were incorrectly used as field names in events (typically windows event logs). However, neither field actually exists and as such these strings could never match.
40 lines
1.0 KiB
YAML
40 lines
1.0 KiB
YAML
action: global
|
|
title: Alternate PowerShell Hosts
|
|
id: 64e8e417-c19a-475a-8d19-98ea705394cc
|
|
description: Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe
|
|
status: experimental
|
|
date: 2019/08/11
|
|
modified: 2021/08/03
|
|
author: Roberto Rodriguez @Cyb3rWard0g
|
|
references:
|
|
- https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190815181010.html
|
|
tags:
|
|
- attack.execution
|
|
- attack.t1059.001
|
|
- attack.t1086 # an old one
|
|
falsepositives:
|
|
- Programs using PowerShell directly without invocation of a dedicated interpreter
|
|
- MSP Detection Searcher
|
|
- Citrix ConfigSync.ps1
|
|
level: medium
|
|
detection:
|
|
filter:
|
|
ContextInfo: 'powershell.exe'
|
|
condition: selection and not filter
|
|
|
|
---
|
|
logsource:
|
|
product: windows
|
|
service: powershell
|
|
detection:
|
|
selection:
|
|
EventID: 4103
|
|
ContextInfo: '*'
|
|
---
|
|
logsource:
|
|
product: windows
|
|
service: powershell-classic
|
|
detection:
|
|
selection:
|
|
EventID: 400
|
|
ContextInfo: '*' |