From 8cf259606871f76aa1c93c872a4770e13a1d04a7 Mon Sep 17 00:00:00 2001
From: Jonhnathan
Date: Thu, 15 Oct 2020 17:12:08 -0300
Subject: [PATCH] Update powershell_malicious_keywords.yml
---
 .../powershell_malicious_keywords.yml | 42 +++++++++----------
 1 file changed, 21 insertions(+), 21 deletions(-)
diff --git a/rules/windows/powershell/powershell_malicious_keywords.yml b/rules/windows/powershell/powershell_malicious_keywords.yml
index bf880995..f46ce60b 100644
--- a/rules/windows/powershell/powershell_malicious_keywords.yml
+++ b/rules/windows/powershell/powershell_malicious_keywords.yml
@@ -16,27 +16,27 @@ logsource:
 definition: 'It is recommended to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277'
 detection:
 keywords:
- Message:
- - "*AdjustTokenPrivileges*"
- - "*IMAGE_NT_OPTIONAL_HDR64_MAGIC*"
- - "*Microsoft.Win32.UnsafeNativeMethods*"
- - "*ReadProcessMemory.Invoke*"
- - "*SE_PRIVILEGE_ENABLED*"
- - "*LSA_UNICODE_STRING*"
- - "*MiniDumpWriteDump*"
- - "*PAGE_EXECUTE_READ*"
- - "*SECURITY_DELEGATION*"
- - "*TOKEN_ADJUST_PRIVILEGES*"
- - "*TOKEN_ALL_ACCESS*"
- - "*TOKEN_ASSIGN_PRIMARY*"
- - "*TOKEN_DUPLICATE*"
- - "*TOKEN_ELEVATION*"
- - "*TOKEN_IMPERSONATE*"
- - "*TOKEN_INFORMATION_CLASS*"
- - "*TOKEN_PRIVILEGES*"
- - "*TOKEN_QUERY*"
- - "*Metasploit*"
- - "*Mimikatz*"
+ Message|contains:
+ - "AdjustTokenPrivileges"
+ - "IMAGE_NT_OPTIONAL_HDR64_MAGIC"
+ - "Microsoft.Win32.UnsafeNativeMethods"
+ - "ReadProcessMemory.Invoke"
+ - "SE_PRIVILEGE_ENABLED"
+ - "LSA_UNICODE_STRING"
+ - "MiniDumpWriteDump"
+ - "PAGE_EXECUTE_READ"
+ - "SECURITY_DELEGATION"
+ - "TOKEN_ADJUST_PRIVILEGES"
+ - "TOKEN_ALL_ACCESS"
+ - "TOKEN_ASSIGN_PRIMARY"
+ - "TOKEN_DUPLICATE"
+ - "TOKEN_ELEVATION"
+ - "TOKEN_IMPERSONATE"
+ - "TOKEN_INFORMATION_CLASS"
+ - "TOKEN_PRIVILEGES"
+ - "TOKEN_QUERY"
+ - "Metasploit"
+ - "Mimikatz"
 condition: keywords
 falsepositives:
 - Penetration tests
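Review bot: The new `Message|contains` list is a pure substring match, so entries such as `"PAGE_EXECUTE_READ"` and `"TOKEN_QUERY"` also fire on the longer constants `PAGE_EXECUTE_READWRITE` and `TOKEN_QUERY_SOURCE`, and every legitimate module that declares these P/Invoke constants will trigger the rule, which the single `falsepositives` entry `Penetration tests` does not acknowledge. I would add a falsepositives entry like `- Legitimate administration or monitoring scripts that use P/Invoke token and memory APIs` and a comment above the list, `# substring match: PAGE_EXECUTE_READ also covers PAGE_EXECUTE_READWRITE, TOKEN_QUERY also covers TOKEN_QUERY_SOURCE`, so the breadth reads as deliberate. The two tool-name entries `"Metasploit"` and `"Mimikatz"` are the only patterns an attacker controls outright and are trivially evaded by renaming, so a comment noting they are low-fidelity compared with the API names would help maintainers weigh future additions. Whether `contains` is case-insensitive depends on the backend the rule is compiled for, so it is worth confirming that the previous `*...*` form and this one generate the same query on the backends in use. The hunk begins inside the rule's `logsource` block, whose header lies before the hunk.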