security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Prep main for 9.1 (#4555)

Browse Source 
* Prep for Release 9.1

* Update Patch Version

* Update Patch version

* Update Patch version
This commit is contained in:
shashank-elastic
2025-03-26 20:34:14 +05:30
committed by GitHub
parent 2d2c5b4d88
commit e8c54169a4
422 changed files with 11786 additions and 12086 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/windows/execution_scheduled_task_powershell_source.toml
+25 -27
View File
@@ -2,9 +2,7 @@
creation_date = "2020/12/15"
integration = ["endpoint", "windows"]
maturity = "production"
updated_date = "2025/01/15"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
updated_date = "2025/03/20"
[rule]
author = ["Elastic"]
@@ -23,30 +21,6 @@ index = [
language = "eql"
license = "Elastic License v2"
name = "Outbound Scheduled Task Activity via PowerShell"
references = [
"https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/",
"https://www.elastic.co/security-labs/hunting-for-lateral-movement-using-event-query-language",
]
risk_score = 47
rule_id = "5cd55388-a19c-47c7-8ec4-f41656c2fded"
severity = "medium"
tags = [
"Domain: Endpoint",
"OS: Windows",
"Use Case: Threat Detection",
"Tactic: Execution",
"Data Source: Elastic Defend",
"Data Source: Sysmon",
"Resources: Investigation Guide",
]
type = "eql"
query = '''
sequence by host.id, process.entity_id with maxspan = 5s
[any where host.os.type == "windows" and (event.category == "library" or (event.category == "process" and event.action : "Image loaded*")) and
(?dll.name : "taskschd.dll" or file.name : "taskschd.dll") and process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe")]
[network where host.os.type == "windows" and process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe") and destination.port == 135 and not destination.address in ("127.0.0.1", "::1")]
'''
note = """## Triage and analysis
> **Disclaimer**:
@@ -80,6 +54,30 @@ PowerShell, a powerful scripting language in Windows, can automate tasks via the
- Reset credentials for any accounts that were used or potentially compromised during the incident to prevent unauthorized access.
- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine the scope of the attack.
- Implement enhanced monitoring for similar PowerShell and scheduled task activities across the network to detect and respond to future threats promptly."""
references = [
"https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/",
"https://www.elastic.co/security-labs/hunting-for-lateral-movement-using-event-query-language",
]
risk_score = 47
rule_id = "5cd55388-a19c-47c7-8ec4-f41656c2fded"
severity = "medium"
tags = [
"Domain: Endpoint",
"OS: Windows",
"Use Case: Threat Detection",
"Tactic: Execution",
"Data Source: Elastic Defend",
"Data Source: Sysmon",
"Resources: Investigation Guide",
]
type = "eql"
query = '''
sequence by host.id, process.entity_id with maxspan = 5s
[any where host.os.type == "windows" and (event.category == "library" or (event.category == "process" and event.action : "Image loaded*")) and
(?dll.name : "taskschd.dll" or file.name : "taskschd.dll") and process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe")]
[network where host.os.type == "windows" and process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe") and destination.port == 135 and not destination.address in ("127.0.0.1", "::1")]
'''
[[rule.threat]]