Merge pull request #1769 from frack113/fix_powershell_400

Cleanup eventid 400 powershell-classic
2024-11-07 09:48:58 +00:00 · 2021-08-05 15:47:04 +02:00 · 2021-08-05 15:47:04 +02:00 · 6a11190e79
commit 6a11190e79
parent da6b5f8ec5 b5e4b04cb5
3 changed files with 21 additions and 15 deletions
--- a/rules/windows/powershell/powershell_alternate_powershell_hosts.yml
+++ b/rules/windows/powershell/powershell_alternate_powershell_hosts.yml
@ -4,7 +4,7 @@ id: 64e8e417-c19a-475a-8d19-98ea705394cc
 description: Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe
 status: experimental
 date: 2019/08/11
-modified: 2021/06/01
+modified: 2021/08/03
 author: Roberto Rodriguez @Cyb3rWard0g
 references:
    - https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190815181010.html
@ -31,8 +31,7 @@ logsource:
    service: powershell
 detection:
    selection:
-        EventID:
-            - 4103
+        EventID: 4103
        ContextInfo: '*'
 ---
 logsource:
@ -40,6 +39,5 @@ logsource:
    service: powershell-classic
 detection:
    selection:
-        EventID:
-            - 400
+        EventID: 400
        ContextInfo: '*'
--- a/rules/windows/powershell/powershell_delete_volume_shadow_copies.yml
+++ b/rules/windows/powershell/powershell_delete_volume_shadow_copies.yml
@ -11,6 +11,7 @@ tags:
 status: experimental
 author: frack113
 date: 2021/06/03
+modified: 2021/08/03
 logsource:
    product: windows
    service: powershell-classic
@ -24,10 +25,7 @@ detection:
            - 'Delete()'
            - 'Remove-WmiObject'
    selection_eventid:
-        EventID:
-            - 400
-            - 403
-            - 600
+        EventID: 400
    condition: selection_obj and selection_del and selection_eventid
 fields:
    - CommandLine
--- a/rules/windows/powershell/powershell_remote_powershell_session.yml
+++ b/rules/windows/powershell/powershell_remote_powershell_session.yml
@ -1,3 +1,4 @@
+action: global
 title: Remote PowerShell Session
 id: 96b9f619-aa91-478f-bacb-c3e50f8df575
 description: Detects remote PowerShell sessions
@ -14,17 +15,26 @@ tags:
    - attack.lateral_movement
    - attack.t1021.006
    - attack.t1028  #an old one
+falsepositives:
+    - Legitimate use remote PowerShell sessions
+level: high
+---
 logsource:
    product: windows
    service: powershell
 detection:
    selection:
-        EventID:
-            - 4103
-            - 400
+        EventID: 4103
        HostName: 'ServerRemoteHost'
        HostApplication|contains: 'wsmprovhost.exe'
    condition: selection
-falsepositives:
-    - Legitimate use remote PowerShell sessions
-level: high
+---
+logsource:
+    product: windows
+    service: powershell-classic
+detection:
+    selection:
+        EventID: 400
+        HostName: 'ServerRemoteHost'
+        HostApplication|contains: 'wsmprovhost.exe'
+    condition: selection