valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-08 18:23:52 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
28febe5dd2
SigmaHQ/rules/windows/powershell/powershell_alternate_powershell_hosts.yml

33 lines
1.1 KiB
YAML
Raw Normal View History

Removed ATT&CK technique ids from titles and added tags
2020-01-10 23:33:50 +00:00
title: Alternate PowerShell Hosts
UUIDs + moved unsupported logic * Added UUIDs to all contributed rules * Moved unsupported logic directory out of rules/ because this breaks CI testing.
2019-12-19 22:56:36 +00:00
id: 64e8e417-c19a-475a-8d19-98ea705394cc
added: win_non_interactive_powershell.yml win_remote_powershell_session.yml win_wmiprvse_spawning_process.yml powershell_alternate_powershell_hosts.yml powershell_remote_powershell_session.yml sysmon_alternate_powershell_hosts_moduleload.yml sysmon_alternate_powershell_hosts_pipe.yml sysmon_non_interactive_powershell_execution.yml sysmon_powershell_execution_moduleload.yml sysmon_powershell_execution_pipe.yml sysmon_remote_powershell_session_network.yml sysmon_remote_powershell_session_process.yml sysmon_wmi_module_load.yml sysmon_wmiprvse_spawning_process.yml
2019-10-24 13:48:38 +00:00
description: Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe
status: experimental
date: 2019/08/11
author: Roberto Rodriguez @Cyb3rWard0g
references:
- https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/alternate_signed_powershell_hosts.md
Removed ATT&CK technique ids from titles and added tags
2020-01-10 23:33:50 +00:00
tags:
- attack.execution
Initial round of subtechnique updates
2020-06-16 20:46:08 +00:00
- attack.t1059.001
windows/powershell folder reviewed. Old ID’s marked with comment “an old one”. These ID’s have to be removed in future.
2020-08-24 00:01:50 +00:00
- attack.t1086 # an old one
added: win_non_interactive_powershell.yml win_remote_powershell_session.yml win_wmiprvse_spawning_process.yml powershell_alternate_powershell_hosts.yml powershell_remote_powershell_session.yml sysmon_alternate_powershell_hosts_moduleload.yml sysmon_alternate_powershell_hosts_pipe.yml sysmon_non_interactive_powershell_execution.yml sysmon_powershell_execution_moduleload.yml sysmon_powershell_execution_pipe.yml sysmon_remote_powershell_session_network.yml sysmon_remote_powershell_session_process.yml sysmon_wmi_module_load.yml sysmon_wmiprvse_spawning_process.yml
2019-10-24 13:48:38 +00:00
logsource:
product: windows
service: powershell
detection:
Initial round of subtechnique updates
2020-06-16 20:46:08 +00:00
selection:
added: win_non_interactive_powershell.yml win_remote_powershell_session.yml win_wmiprvse_spawning_process.yml powershell_alternate_powershell_hosts.yml powershell_remote_powershell_session.yml sysmon_alternate_powershell_hosts_moduleload.yml sysmon_alternate_powershell_hosts_pipe.yml sysmon_non_interactive_powershell_execution.yml sysmon_powershell_execution_moduleload.yml sysmon_powershell_execution_pipe.yml sysmon_remote_powershell_session_network.yml sysmon_remote_powershell_session_process.yml sysmon_wmi_module_load.yml sysmon_wmiprvse_spawning_process.yml
2019-10-24 13:48:38 +00:00
EventID:
- 4103
- 400
Fixed rule
2020-02-02 11:54:56 +00:00
ContextInfo: '*'
added: win_non_interactive_powershell.yml win_remote_powershell_session.yml win_wmiprvse_spawning_process.yml powershell_alternate_powershell_hosts.yml powershell_remote_powershell_session.yml sysmon_alternate_powershell_hosts_moduleload.yml sysmon_alternate_powershell_hosts_pipe.yml sysmon_non_interactive_powershell_execution.yml sysmon_powershell_execution_moduleload.yml sysmon_powershell_execution_pipe.yml sysmon_remote_powershell_session_network.yml sysmon_remote_powershell_session_process.yml sysmon_wmi_module_load.yml sysmon_wmiprvse_spawning_process.yml
2019-10-24 13:48:38 +00:00
filter:
OSCD QA wave 1 * Checked all rules against Mordor and EVTX samples datasets * Added field names * Some severity adjustments * Fixes
2020-01-10 23:11:27 +00:00
- ContextInfo: 'powershell.exe'
- Message: 'powershell.exe'
# Both fields contain key=value pairs where the key HostApplication ist relevant but
# can't be referred directly as event field.
added: win_non_interactive_powershell.yml win_remote_powershell_session.yml win_wmiprvse_spawning_process.yml powershell_alternate_powershell_hosts.yml powershell_remote_powershell_session.yml sysmon_alternate_powershell_hosts_moduleload.yml sysmon_alternate_powershell_hosts_pipe.yml sysmon_non_interactive_powershell_execution.yml sysmon_powershell_execution_moduleload.yml sysmon_powershell_execution_pipe.yml sysmon_remote_powershell_session_network.yml sysmon_remote_powershell_session_process.yml sysmon_wmi_module_load.yml sysmon_wmiprvse_spawning_process.yml
2019-10-24 13:48:38 +00:00
condition: selection and not filter
falsepositives:
fix: lowered level due to false positives
2020-02-25 10:12:11 +00:00
- Programs using PowerShell directly without invocation of a dedicated interpreter
- MSP Detection Searcher
docs: more false positive conditions
2020-02-25 10:13:58 +00:00
- Citrix ConfigSync.ps1
fix: lowered level due to false positives
2020-02-25 10:12:11 +00:00
level: medium
Reference in New Issue Copy Permalink