valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-07 17:58:52 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
1136725728
SigmaHQ/rules/windows/powershell/powershell_clear_powershell_history.yml

26 lines
795 B
YAML
Raw Normal View History

ilyas ochkov contribution
2019-10-29 00:44:22 +00:00
title: Clear PowerShell History
UUIDs + moved unsupported logic * Added UUIDs to all contributed rules * Moved unsupported logic directory out of rules/ because this breaks CI testing.
2019-12-19 22:56:36 +00:00
id: dfba4ce1-e0ea-495f-986e-97140f31af2d
ilyas ochkov contribution
2019-10-29 00:44:22 +00:00
status: experimental
description: Detects keywords that could indicate clearing PowerShell history
date: 2019/10/25
author: Ilyas Ochkov, oscd.community
references:
- https://gist.github.com/hook-s3c/7363a856c3cdbadeb71085147f042c1a
tags:
- attack.defense_evasion
fix: wrong MITRE ATT&CK ids used in the beta version
2020-07-14 15:53:32 +00:00
- attack.t1070.003
windows/powershell folder reviewed. Old ID’s marked with comment “an old one”. These ID’s have to be removed in future.
2020-08-24 00:01:50 +00:00
- attack.t1146 # an old one
ilyas ochkov contribution
2019-10-29 00:44:22 +00:00
logsource:
product: windows
service: powershell
detection:
keywords:
- 'del (Get-PSReadlineOption).HistorySavePath'
- 'Set-PSReadlineOption HistorySaveStyle SaveNothing'
- 'Remove-Item (Get-PSReadlineOption).HistorySavePath'
- 'rm (Get-PSReadlineOption).HistorySavePath'
condition: keywords
falsepositives:
- some PS-scripts
level: medium
Reference in New Issue Copy Permalink