valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-06 17:35:19 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

added keywords & source to sysmon_powershell_download.yml

Browse Source
This commit is contained in:
Kyle Polley 2019-02-07 18:25:04 -08:00
parent 423fdca32c
commit c8c06763b4
1 changed files with 3 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
rules/windows/sysmon/sysmon_powershell_download.yml
View File

@ -15,6 +15,9 @@ detection:
CommandLine:
- '*new-object system.net.webclient).downloadstring(*'
- '*new-object system.net.webclient).downloadfile(*'
- '*new-object net.webclient).downloadstring(*' # Ex. https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1086/T1086.md#atomic-test-2---bloodhound
- '*new-object net.webclient).downloadfile(*' # Ex. https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1086/T1086.md#atomic-test-3---obfuscation-tests
condition: selection
fields:
- CommandLine