 Samirbous
|
8f73b88884
|
[Tuning / New] Execution of a downloaded windows script (#4434)
* [New] Execution of a downloaded windows script
using 8.15 file events with MOTW info we can focus on js/vbs/wsh/vbe/jse/hta downloaded from internet followed by execution
* Update defense_evasion_posh_assembly_load.toml
* Update execution_powershell_susp_args_via_winscript.toml
* Update guides
* Update defense_evasion_network_connection_from_windows_binary.toml
* Update execution_windows_script_from_internet.toml
* Update execution_windows_script_from_internet.toml
* Update rules/windows/execution_windows_script_from_internet.toml
* Update rules/windows/execution_powershell_susp_args_via_winscript.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
* Update rules/windows/execution_windows_script_from_internet.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
* Update execution_windows_script_from_internet.toml
* Create command_and_control_tool_transfer_via_curl.toml
* Update command_and_control_tool_transfer_via_curl.toml
* Update command_and_control_tool_transfer_via_curl.toml
* Update execution_windows_script_from_internet.toml
* Create defense_evasion_indirect_exec_forfiles.toml
* Update execution_windows_script_from_internet.toml
---------
Co-authored-by: Mika Ayenson <Mika.ayenson@elastic.co>
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
|
2025-02-03 14:33:59 +00:00 |
|