SigmaHQ/rules/windows/powershell/powershell_psattack.yml

26 lines
688 B
YAML
Raw Normal View History

2019-11-12 22:12:27 +00:00
title: PowerShell PSAttack
id: b7ec41a4-042c-4f31-a5db-d0fcde9fa5c5
2017-03-05 00:47:25 +00:00
status: experimental
description: Detects the use of PSAttack PowerShell hack tool
references:
- https://adsecurity.org/?p=2921
tags:
- attack.execution
2020-06-16 20:46:08 +00:00
- attack.t1059.001
- attack.t1086 #an old one
2017-03-05 00:47:25 +00:00
author: Sean Metcalf (source), Florian Roth (rule)
date: 2017/03/05
2017-03-05 00:47:25 +00:00
logsource:
product: windows
service: powershell
2019-06-29 12:35:59 +00:00
definition: 'It is recommended to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277'
2017-03-05 00:47:25 +00:00
detection:
2017-10-18 19:49:38 +00:00
selection:
EventID: 4103
keyword:
2017-10-19 07:52:40 +00:00
- 'PS ATTACK!!!'
condition: all of them
2017-03-05 00:47:25 +00:00
falsepositives:
- Pentesters
level: high