From b5e4b04cb5f72819aceaa7f7af4d8c18c24f7f7e Mon Sep 17 00:00:00 2001
From: frack113
Date: Tue, 3 Aug 2021 10:04:15 +0200
Subject: [PATCH] fix eventid 400 powershell-classic
---
 .../powershell_alternate_powershell_hosts.yml | 8 +++----
 ...powershell_delete_volume_shadow_copies.yml | 6 ++---
 .../powershell_remote_powershell_session.yml | 22 ++++++++++++++-----
 3 files changed, 21 insertions(+), 15 deletions(-)
diff --git a/rules/windows/powershell/powershell_alternate_powershell_hosts.yml b/rules/windows/powershell/powershell_alternate_powershell_hosts.yml
index 6346854c..dcf6fb16 100644
--- a/rules/windows/powershell/powershell_alternate_powershell_hosts.yml
+++ b/rules/windows/powershell/powershell_alternate_powershell_hosts.yml
@@ -4,7 +4,7 @@ id: 64e8e417-c19a-475a-8d19-98ea705394cc
 description: Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe
 status: experimental
 date: 2019/08/11
-modified: 2021/06/01
+modified: 2021/08/03
 author: Roberto Rodriguez @Cyb3rWard0g
 references:
 - https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190815181010.html
@@ -31,8 +31,7 @@ logsource:
 service: powershell
 detection:
 selection:
- EventID:
- - 4103
+ EventID: 4103
 ContextInfo: '*'
 ---
 logsource:
@@ -40,6 +39,5 @@ logsource:
 service: powershell-classic
 detection:
 selection:
- EventID:
- - 400
+ EventID: 400
 ContextInfo: '*'
\ No newline at end of file
diff --git a/rules/windows/powershell/powershell_delete_volume_shadow_copies.yml b/rules/windows/powershell/powershell_delete_volume_shadow_copies.yml
index ed6e4d16..b899f3a9 100644
--- a/rules/windows/powershell/powershell_delete_volume_shadow_copies.yml
+++ b/rules/windows/powershell/powershell_delete_volume_shadow_copies.yml
@@ -11,6 +11,7 @@ tags:
 status: experimental
 author: frack113
 date: 2021/06/03
+modified: 2021/08/03
 logsource:
 product: windows
 service: powershell-classic
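Review bot: In the third hunk of powershell_alternate_powershell_hosts.yml the powershell-classic document now selects `EventID: 400` but still requires `ContextInfo: '*'`, and ContextInfo is, as far as I know, a field of the 4103 module-logging event rather than of the classic 400 engine-state event, whose host details are carried as HostName/HostApplication in the message body; if that holds for your samples, this document can never match and the "fix" only tidies syntax. I would verify against a captured 400 event and, if confirmed, change the classic selection to something the event actually carries, e.g. `HostApplication: '*'`, keeping the filter that excludes the ordinary powershell.exe host in whatever form the rest of the rule (outside this hunk) expresses it. Separately, the new side still ends without a trailing newline (`\ No newline at end of file`), which yamllint flags; add the final newline while touching the file.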
@@ -24,10 +25,7 @@ detection:
 - 'Delete()'
 - 'Remove-WmiObject'
 selection_eventid:
- EventID:
- - 400
- - 403
- - 600
+ EventID: 400
 condition: selection_obj and selection_del and selection_eventid
 fields:
 - CommandLine
diff --git a/rules/windows/powershell/powershell_remote_powershell_session.yml b/rules/windows/powershell/powershell_remote_powershell_session.yml
index 80f74507..f2b4587a 100644
--- a/rules/windows/powershell/powershell_remote_powershell_session.yml
+++ b/rules/windows/powershell/powershell_remote_powershell_session.yml
@@ -1,3 +1,4 @@
+action: global
 title: Remote PowerShell Session
 id: 96b9f619-aa91-478f-bacb-c3e50f8df575
 description: Detects remote PowerShell sessions
@@ -14,17 +15,26 @@ tags:
 - attack.lateral_movement
 - attack.t1021.006
 - attack.t1028 #an old one
+falsepositives:
+ - Legitimate use remote PowerShell sessions
+level: high
+---
 logsource:
 product: windows
 service: powershell
 detection:
 selection:
- EventID:
- - 4103
- - 400
+ EventID: 4103
 HostName: 'ServerRemoteHost'
 HostApplication|contains: 'wsmprovhost.exe'
 condition: selection
-falsepositives:
- Legitimate use remote PowerShell sessions
-level: high
+---
+logsource:
+ product: windows
+ service: powershell-classic
+detection:
+ selection:
+ EventID: 400
+ HostName: 'ServerRemoteHost'
+ HostApplication|contains: 'wsmprovhost.exe'
+ condition: selection
\ No newline at end of file
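Review bot: The first hunk narrows selection_eventid in powershell_delete_volume_shadow_copies.yml from 400/403/600 to `EventID: 400` alone, and neither the commit subject nor the rule explains why 403 (engine stopped) and 600 (provider started) were dropped; in the classic log those events carry the same HostApplication command line, so the net effect is probably fewer duplicate alerts per session rather than lost coverage, but that is an inference worth confirming against a sample where vssadmin-style deletion runs from a non-interactive host. If the narrowing is deliberate, record it so the next maintainer does not re-add them, e.g. a comment above the key: `# 403/600 repeat the 400 HostApplication for the same session; match once on engine start`. The selection_obj and selection_del blocks this condition combines with begin outside the hunk, so I could not check which field they match on.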
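Review bot: In the last hunk of powershell_remote_powershell_session.yml the new powershell-classic document is a copy of the 4103 selection with only the EventID changed, and it is the 4103 document that is the questionable one: for module-logging events the host name and host application are, to my knowledge, embedded in ContextInfo ("Host Name = ServerRemoteHost", "Host Application = ...") rather than exposed as HostName/HostApplication fields, so `HostName: 'ServerRemoteHost'` on the 4103 side depends on backend field extraction that not every backend performs — confirm with a sample or switch that document to `ContextInfo|contains: 'wsmprovhost.exe'`. The other two files in this commit bump `modified: 2021/08/03`, but no such line appears in this file's hunks; lines 5-13 are outside the diff, so please check the date was updated there too. The new side again ends with `\ No newline at end of file`; add the trailing newline.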