security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[Tuning] Powershell Atomics test gaps for T1059.001 (#5380)

Browse Source 
https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.001/T1059.001.md
This commit is contained in:
Samirbous
2025-12-01 15:06:48 +00:00
committed by GitHub
parent 20d86c8b47
commit 5e1ac4f450
2 changed files with 12 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/windows/execution_posh_hacktool_functions.toml
+3 -2
View File
@@ -2,7 +2,7 @@
creation_date = "2023/01/17"
integration = ["windows"]
maturity = "production"
updated_date = "2025/09/03"
updated_date = "2025/12/01"
[transform]
[[transform.osquery]]
@@ -321,7 +321,8 @@ event.category:process and host.os.type:windows and
"Invoke-FileTransferOverWMI" or "Invoke-WMImplant" or
"Invoke-WMIObfuscatedPSCommand" or "Invoke-WMIDuplicateClass" or
"Invoke-WMIUpload" or "Invoke-WMIRemoteExtract" or "Invoke-winPEAS" or
"Invoke-AzureHound" or "Invoke-SharpHound"
"Invoke-AzureHound" or "Invoke-SharpHound" or "Invoke-DownloadCradle" or
"Invoke-AppPathBypass"
) and
not powershell.file.script_block_text : (
"sentinelbreakpoints" and "Set-PSBreakpoint"
rules/windows/execution_windows_powershell_susp_args.toml
+9 -2
View File
@@ -2,7 +2,7 @@
creation_date = "2024/09/06"
integration = ["endpoint", "windows", "system", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"]
maturity = "production"
updated_date = "2025/09/18"
updated_date = "2025/12/01"
[rule]
author = ["Elastic"]
@@ -150,7 +150,9 @@ process where host.os.type == "windows" and event.type == "start" and
"*$env:computername*http*",
"*;InVoKe-ExpRESsIoN $COntent.CONTENt;*",
"*WebClient*example.com*",
"*=iwr $*;iex $*"
"*=iwr $*;iex $*",
"*ServerXmlHttp*IEX*",
"*XmlDocument*IEX*"
) or
(process.args : "-c" and process.args : "&{'*") or
@@ -161,6 +163,11 @@ process where host.os.type == "windows" and event.type == "start" and
process.args : "$*$*;set-alias" or
process.args == "-e" or
// ATHPowerShellCommandLineParameter
process.args : ("-EncodedCommandParamVariation", "-UseEncodedArguments", "-CommandParamVariation") or
(
process.parent.name : ("explorer.exe", "cmd.exe") and
process.command_line : ("*-encodedCommand*", "*Invoke-webrequest*", "*WebClient*", "*Reflection.Assembly*"))