valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-08 18:23:52 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
519e480333
SigmaHQ/rules/windows/powershell/powershell_ntfs_ads_access.yml

31 lines
862 B
YAML
Raw Normal View History

Create powershell_NTFS_Alternate_Data_Streams
2018-07-24 17:49:08 +00:00
title: NTFS Alternate Data Stream
Added UUIDs to rules
2019-11-12 22:12:27 +00:00
id: 8c521530-5169-495d-a199-0a3a881ad24e
Create powershell_NTFS_Alternate_Data_Streams
2018-07-24 17:49:08 +00:00
status: experimental
Update powershell_NTFS_Alternate_Data_Streams
2018-07-26 15:54:08 +00:00
description: Detects writing data into NTFS alternate data streams from powershell. Needs Script Block Logging.
Create powershell_NTFS_Alternate_Data_Streams
2018-07-24 17:49:08 +00:00
references:
- http://www.powertheshell.com/ntfsstreams/
tags:
ATT&CK tagging QA
2018-09-20 10:44:44 +00:00
- attack.defense_evasion
Initial round of subtechnique updates
2020-06-16 20:46:08 +00:00
- attack.t1564.004
windows/powershell folder reviewed. Old ID’s marked with comment “an old one”. These ID’s have to be removed in future.
2020-08-24 00:01:50 +00:00
- attack.t1096 # an old one
- attack.execution
- attack.t1059.001
added missing ATT&CK v6.3 IDs with comments and removed unnecessary "modified" attributes
2020-08-25 23:51:22 +00:00
- attack.t1086 # an old one
Update powershell_NTFS_Alternate_Data_Streams
2018-07-24 18:03:07 +00:00
author: Sami Ruohonen
fix: fixed missing date fields in remaining files
2020-01-30 15:07:37 +00:00
date: 2018/07/24
att&ck tags review: windows/powershell, windows/process_access, windows/network_connection
2020-08-24 23:31:26 +00:00
modified: 2020/08/24
Create powershell_NTFS_Alternate_Data_Streams
2018-07-24 17:49:08 +00:00
logsource:
product: windows
service: powershell
Replace "logsource: description" with "definition" to match the specs
2018-11-15 06:00:06 +00:00
definition: 'It is recommended to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277'
Create powershell_NTFS_Alternate_Data_Streams
2018-07-24 17:49:08 +00:00
detection:
Changes I think that this is what you've wanted, right? If both keywords appear in a single log entry, right? Don't you think that this still causes false positives? Could "set-content" and "stream" be more common than expected?
2018-07-25 05:35:59 +00:00
keyword1:
Added quotation marks I've added quotation marks to make it clearer (leading dash looks weird)
2018-07-26 16:10:21 +00:00
- "set-content"
Add 'Add-Content' to powershell_ntfs_ads_access
2020-05-13 09:57:10 +00:00
- "add-content"
Changes I think that this is what you've wanted, right? If both keywords appear in a single log entry, right? Don't you think that this still causes false positives? Could "set-content" and "stream" be more common than expected?
2018-07-25 05:35:59 +00:00
keyword2:
Added quotation marks I've added quotation marks to make it clearer (leading dash looks weird)
2018-07-26 16:10:21 +00:00
- "-stream"
Changes I think that this is what you've wanted, right? If both keywords appear in a single log entry, right? Don't you think that this still causes false positives? Could "set-content" and "stream" be more common than expected?
2018-07-25 05:35:59 +00:00
condition: keyword1 and keyword2
Create powershell_NTFS_Alternate_Data_Streams
2018-07-24 17:49:08 +00:00
falsepositives:
- unknown
level: high
Reference in New Issue Copy Permalink