SigmaHQ/rules/windows/powershell/powershell_psattack.yml

title: PowerShell PSAttack 
status: experimental
description: Detects the use of PSAttack PowerShell hack tool
references:
    - https://adsecurity.org/?p=2921
tags:
    - attack.execution
    - attack.t1086
author: Sean Metcalf (source), Florian Roth (rule)
logsource:
    product: windows
    service: powershell
    description: 'It is recommanded to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277'
detection:
    selection:
        EventID: 4103
    keyword: 
        - 'PS ATTACK!!!'
    condition: all of them
falsepositives:
    - Pentesters
level: high
First PowerShell Ruleset 2017-03-05 00:47:25 +00:00			`title: PowerShell PSAttack`
			`status: experimental`
			`description: Detects the use of PSAttack PowerShell hack tool`
Change All "str" references to be "list"to mach schema update 2018-01-27 23:24:16 +00:00			`references:`
			`- https://adsecurity.org/?p=2921`
Tagged windows powershell, other and malware rules. 2018-07-24 08:56:41 +00:00			`tags:`
			`- attack.execution`
			`- attack.t1086`
First PowerShell Ruleset 2017-03-05 00:47:25 +00:00			`author: Sean Metcalf (source), Florian Roth (rule)`
			`logsource:`
Bugfix: PowerShell rules log source inconstency 2017-03-21 09:22:13 +00:00			`product: windows`
			`service: powershell`
First PowerShell Ruleset 2017-03-05 00:47:25 +00:00			`description: 'It is recommanded to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277'`
			`detection:`
Fixed PSAttack rule 2017-10-18 19:49:38 +00:00			`selection:`
			`EventID: 4103`
Simplified rule conditions with new condition constructs 2018-03-06 22:14:43 +00:00			`keyword:`
Fixed the fixed PSAttack rule 2017-10-19 07:52:40 +00:00			`- 'PS ATTACK!!!'`
Simplified rule conditions with new condition constructs 2018-03-06 22:14:43 +00:00			`condition: all of them`
First PowerShell Ruleset 2017-03-05 00:47:25 +00:00			`falsepositives:`
			`- Pentesters`
			`level: high`