Merge pull request #1940 from frack113/fix_ps_fp

Powershell correction
2024-11-06 17:35:19 +00:00 · 2021-08-28 20:48:07 +02:00 · 2021-08-28 20:48:07 +02:00 · a7456d4d6c
commit a7456d4d6c
parent 3e355c64db 68237dffc4
3 changed files with 8 additions and 8 deletions
--- a/rules/windows/powershell/powershell_alternate_powershell_hosts.yml
+++ b/rules/windows/powershell/powershell_alternate_powershell_hosts.yml
@ -4,7 +4,7 @@ id: 64e8e417-c19a-475a-8d19-98ea705394cc
 description: Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe
 status: test
 date: 2019/08/11
-modified: 2021/08/18
+modified: 2021/08/28
 author: Roberto Rodriguez @Cyb3rWard0g
 references:
    - https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190815181010.html
@ -39,5 +39,5 @@ detection:
        EventID: 400
        HostApplication: '*'
    filter:
-        HostApplication|endswith: 'powershell.exe'
+        HostApplication|startswith: 'C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe'
    condition: selection and not filter        
--- a/rules/windows/powershell/powershell_delete_volume_shadow_copies.yml
+++ b/rules/windows/powershell/powershell_delete_volume_shadow_copies.yml
@ -11,26 +11,25 @@ tags:
 status: experimental
 author: frack113
 date: 2021/06/03
-modified: 2021/08/03
+modified: 2021/08/28
 logsource:
    product: windows
    service: powershell-classic
    definition: fields have to be extract from event
 detection:
    selection_obj:
-        CommandLine|contains|all:
+        HostApplication|contains|all:
            - 'Get-WmiObject'
            - ' Win32_Shadowcopy'
    selection_del:
-        CommandLine|contains:
+        HostApplication|contains:
            - 'Delete()'
            - 'Remove-WmiObject'
    selection_eventid:
        EventID: 400
    condition: selection_obj and selection_del and selection_eventid
 fields:
-    - CommandLine
-    - ParentCommandLine
+    - HostApplication
 falsepositives:
    - Legitimate Administrator deletes Shadow Copies using operating systems utilities for legitimate reason
 level: critical
--- a/rules/windows/powershell/powershell_xor_commandline.yml
+++ b/rules/windows/powershell/powershell_xor_commandline.yml
@ -4,6 +4,7 @@ description: Detects suspicious powershell process which includes bxor command,
 status: experimental
 author: Teymur Kheirkhabarov, Harish Segar (rule)
 date: 2020/06/29
+modified: 2021/08/28
 tags:
  - attack.execution
  - attack.t1059.001
@ -17,7 +18,7 @@ detection:
    EventID: 400
    HostName: "ConsoleHost"
  filter:
-    CommandLine|contains:
+    HostApplication|contains:
      - "bxor"
      - "join"
      - "char"