sigma-rules

security-tools/sigma-rules

Fork 0

Commit Graph

Author	SHA1	Message	Date
Samirbous	56fc2beb46	[New] Suspicious PowerShell Execution via Windows Scripts (#4060 ) * [New] Suspicious PowerShell Execution via Windows Scripts this PR converts this ER https://github.com/elastic/protections-artifacts/blob/ea2f8dd3b61a7cdf2ce83ca5f06f2096bb62a494/behavior/rules/windows/execution_suspicious_powershell_execution_via_windows_scripts.toml#L5 to a SIEM rule compatible with S1 and M365D and Winlog/sysmon. * Update execution_powershell_susp_args_via_winscript.toml * Create defense_evasion_script_via_html_app.toml * ++ * Update defense_evasion_script_via_html_app.toml * Update execution_powershell_susp_args_via_winscript.toml --------- Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>	2024-09-15 19:51:21 +01:00

Author

SHA1

Message

Date

Samirbous

56fc2beb46

[New] Suspicious PowerShell Execution via Windows Scripts (#4060 )

* [New] Suspicious PowerShell Execution via Windows Scripts

this PR converts this ER https://github.com/elastic/protections-artifacts/blob/ea2f8dd3b61a7cdf2ce83ca5f06f2096bb62a494/behavior/rules/windows/execution_suspicious_powershell_execution_via_windows_scripts.toml#L5 to a SIEM rule compatible with S1 and M365D and Winlog/sysmon.

* Update execution_powershell_susp_args_via_winscript.toml

* Create defense_evasion_script_via_html_app.toml

* ++

* Update defense_evasion_script_via_html_app.toml

* Update execution_powershell_susp_args_via_winscript.toml

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>

2024-09-15 19:51:21 +01:00

1 Commits