order powershell_module

2024-11-06 09:25:17 +00:00 · 2021-10-09 09:50:49 +02:00 · 2021-10-09 09:50:49 +02:00 · fe7fbfd5fc
commit fe7fbfd5fc
parent 0d04b469f7
20 changed files with 119 additions and 142 deletions
--- a/rules/windows/powershell/powershell_module/powershell_alternate_powershell_hosts.yml
+++ b/rules/windows/powershell/powershell_module/powershell_alternate_powershell_hosts.yml
@ -14,7 +14,7 @@ tags:
 logsource:
    product: windows
    service: powershell
-    definition: ModuleLogging must be enable
+    definition: Module Logging must be enable
 detection:
    selection:
        EventID: 4103
--- a/rules/windows/powershell/powershell_module/powershell_bad_opsec_artifacts.yml
+++ b/rules/windows/powershell/powershell_module/powershell_bad_opsec_artifacts.yml
@ -1,5 +1,8 @@
 title: Bad Opsec Powershell Code Artifacts
-id: 73e733cc-1ace-3212-a107-ff2523cc9fc3
+id: 8d31a8ce-46b5-4dd6-bdc3-680931f1db86
+related:
+    - id: 73e733cc-1ace-3212-a107-ff2523cc9fc3
+      type: derived
 description: Focuses on trivial artifacts observed in variants of prevalent offensive ps1 payloads, including Cobalt Strike Beacon, PoshC2, Powerview, Letmein, Empire, Powersploit, and other attack payloads that often undergo minimal changes by attackers due to bad opsec.
 status: experimental
 references:
@ -8,7 +11,7 @@ references:
    - https://www.mdeditor.tw/pl/pgRt
 author: 'ok @securonix invrep_de, oscd.community'
 date: 2020/10/09
-modified: 2020/10/09
+modified: 2021/10/07
 tags:
    - attack.execution
    - attack.t1059.001
@ -16,17 +19,8 @@ tags:
 logsource:
    product: windows
    service: powershell
-    definition: Script block logging must be enabled for 4104 , Module Logging must be enable for 4103
+    definition: Module Logging must be enable
 detection:
-    selection_4104:
-        EventID: 4104
-        ScriptBlockText|contains:
-            - '$DoIt'
-            - 'harmj0y'
-            - 'mattifestation'
-            - '_RastaMouse'
-            - 'tifkin_'
-            - '0xdeadbeef'
    selection_4103:
        EventID: 4103
        Payload|contains:
@ -36,7 +30,7 @@ detection:
            - '_RastaMouse'
            - 'tifkin_'
            - '0xdeadbeef'
-    condition: selection_4104 or selection_4103
+    condition: selection_4103
 falsepositives:
    - 'Moderate-to-low; Despite the shorter length/lower entropy for some of these, because of high specificity, fp appears to be fairly limited in many environments.'
 level: critical
--- a/rules/windows/powershell/powershell_module/powershell_clear_powershell_history.yml
+++ b/rules/windows/powershell/powershell_module/powershell_clear_powershell_history.yml
@ -1,5 +1,8 @@
 title: Clear PowerShell History
-id: dfba4ce1-e0ea-495f-986e-97140f31af2d
+id: f99276ad-d122-4989-a09a-d00904a5f9d2
+related:
+    - id: dfba4ce1-e0ea-495f-986e-97140f31af2d
+      type: derived
 status: experimental
 description: Detects keywords that could indicate clearing PowerShell history
 date: 2019/10/25
@ -14,22 +17,8 @@ tags:
 logsource:
    product: windows
    service: powershell
-    definition: 4104 Script block logging must be enabled , 4103 Module Logging must be enabled
+    definition: Module Logging must be enable
 detection:
-    selection_1:
-        EventID: 4104
-    selection_2:
-        ScriptBlockText|contains:
-            - 'del'
-            - 'Remove-Item'
-            - 'rm'
-        ScriptBlockText|contains|all:
-            - '(Get-PSReadlineOption).HistorySavePath'
-    selection_3:
-        ScriptBlockText|contains|all:
-            - 'Set-PSReadlineOption'
-            - '–HistorySaveStyle'
-            - 'SaveNothing'
    selection_4:
        EventID: 4103
    selection_5:
@ -44,8 +33,7 @@ detection:
            - 'Set-PSReadlineOption'
            - '–HistorySaveStyle'
            - 'SaveNothing'
-    condition: selection_1 and ( selection_2 or selection_3 ) or 
-               selection_4 and ( selection_5 or selection_6 ) 
+    condition: selection_4 and ( selection_5 or selection_6 ) 
 falsepositives:
    - Legitimate PowerShell scripts
 level: medium
--- a/rules/windows/powershell/powershell_module/powershell_decompress_commands.yml
+++ b/rules/windows/powershell/powershell_module/powershell_decompress_commands.yml
@ -1,8 +1,12 @@
 title: PowerShell Decompress Commands
-id: 81fbdce6-ee49-485a-908d-1a728c5dcb09
+id: 1ddc1472-8e52-4f7d-9f11-eab14fc171f5
+related:
+    - id: 81fbdce6-ee49-485a-908d-1a728c5dcb09
+      type: derived
 description: A General detection for specific decompress commands in PowerShell logs. This could be an adversary decompressing files.
 status: experimental
 date: 2020/05/02
+modified: 2021/10/07
 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
 tags:
    - attack.defense_evasion
@ -13,15 +17,12 @@ references:
 logsource:
    product: windows
    service: powershell
-    definition: Script block logging must be enabled for 4104, Module Logging must be enabled for 4103
+    definition: Module Logging must be enable
 detection:
-    selection1:
-        EventID: 4104
-        ScriptBlockText|contains: 'Expand-Archive'
    selection2:
        EventID: 4103
        Payload|contains: 'Expand-Archive'
-    condition: selection1 or selection2
+    condition: selection2
 falsepositives:
    - unknown
 level: informational
--- a/rules/windows/powershell/powershell_module/powershell_get_clipboard.yml
+++ b/rules/windows/powershell/powershell_module/powershell_get_clipboard.yml
@ -1,8 +1,12 @@
 title: PowerShell Get Clipboard
-id: 5486f63a-aa4c-488d-9a61-c9192853099f
+id: 4cbd4f12-2e22-43e3-882f-bff3247ffb78
+related:
+    - id: 5486f63a-aa4c-488d-9a61-c9192853099f
+      type: derived
 description: A General detection for the Get-Clipboard commands in PowerShell logs. This could be an adversary capturing clipboard contents.
 status: experimental
 date: 2020/05/02
+modified: 2021/10/07
 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
 tags:
    - attack.collection
@ -13,15 +17,12 @@ references:
 logsource:
    product: windows
    service: powershell
-    definition: Script block logging must be enabled for 4104, Module Logging must be enabled for 4103
+    definition: Module Logging must be enable
 detection:
-    selection1:
-        EventID: 4104
-        ScriptBlockText|contains: 'Get-Clipboard'
    selection2:
        EventID: 4103
        Payload|contains: 'Get-Clipboard'
-    condition: selection1 or selection2
+    condition: selection2
 falsepositives:
    - unknown
 level: medium
--- a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_clip.yml
+++ b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_clip.yml
@ -1,9 +1,13 @@
 title: Invoke-Obfuscation CLIP+ Launcher
-id: 73e67340-0d25-11eb-adc1-0242ac120002
+id: a136cde0-61ad-4a61-9b82-8dc490e60dd2
+related :
+    - id: 73e67340-0d25-11eb-adc1-0242ac120002
+      type: derived
 description: Detects Obfuscated use of Clip.exe to execute PowerShell
 status: experimental
 author: Jonathan Cheong, oscd.community
 date: 2020/10/13
+modified: 2021/10/07
 references:
     - https://github.com/Neo23x0/sigma/issues/1009 #(Task 26)
 tags:
@ -14,15 +18,12 @@ tags:
 logsource:
    product: windows
    service: powershell
-    definition: Script block logging must be enabled for 4104 , Module Logging must be enabled for 4103
+    definition: Module Logging must be enable
 detection:
-    selection_1:
-        EventID: 4104
-        ScriptBlockText|re: '.*cmd.{0,5}(?:\/c|\/r).+clip(?:\.exe)?.{0,4}&&.+clipboard]::\(\s\\\"\{\d\}.+\-f.+\"'
-    selection_2:
+    selection_4103:
        EventID: 4103
        Payload|re: '.*cmd.{0,5}(?:\/c|\/r).+clip(?:\.exe)?.{0,4}&&.+clipboard]::\(\s\\\"\{\d\}.+\-f.+\"'
-    condition: 1 of them
+    condition: selection_4103
 falsepositives:
    - Unknown
 level: high
--- a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_obfuscated_iex.yml
+++ b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_obfuscated_iex.yml
@ -1,10 +1,13 @@
 title: Invoke-Obfuscation Obfuscated IEX Invocation
-id: 1b9dc62e-6e9e-42a3-8990-94d7a10007f7
+id: 2f211361-7dce-442d-b78a-c04039677378
+related:
+    - id: 1b9dc62e-6e9e-42a3-8990-94d7a10007f7
+      type: derived
 description: "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block \u2014 https://github.com/danielbohannon/Invoke-Obfuscation/blob/master/Out-ObfuscatedStringCommand.ps1#L873-L888"
 status: experimental
 author: Daniel Bohannon (@Mandiant/@FireEye), oscd.community
 date: 2019/11/08
-modified: 2020/08/24
+modified: 2021/10/07
 tags:
    - attack.defense_evasion
    - attack.t1027
@ -14,18 +17,8 @@ tags:
 logsource:
    product: windows
    service: powershell
-    definition: Script block logging must be enabled for 4104, Module Logging must be enabled for 4103
+    definition: Module Logging must be enable
 detection:
-    selection_1:
-        EventID: 4104
-    selection_2:
-        - ScriptBlockText|re: '\$PSHome\[\s*\d{1,3}\s*\]\s*\+\s*\$PSHome\['
-        - ScriptBlockText|re: '\$ShellId\[\s*\d{1,3}\s*\]\s*\+\s*\$ShellId\['
-        - ScriptBlockText|re: '\$env:Public\[\s*\d{1,3}\s*\]\s*\+\s*\$env:Public\['
-        - ScriptBlockText|re: '\$env:ComSpec\[(\s*\d{1,3}\s*,){2}'
-        - ScriptBlockText|re: '\\\\*mdr\\\\*\W\s*\)\.Name'
-        - ScriptBlockText|re: '\$VerbosePreference\.ToString\('
-        - ScriptBlockText|re: '\String\]\s*\$VerbosePreference'
    selection_3:
        EventID: 4103
    selection_4:
@ -36,7 +29,7 @@ detection:
        - Payload|re: '\\\\*mdr\\\\*\W\s*\)\.Name'
        - Payload|re: '\$VerbosePreference\.ToString\('
        - Payload|re: '\String\]\s*\$VerbosePreference'
-    condition: ( selection_1 and selection_2 ) or ( selection_3 and selection_4 )
+    condition: selection_3 and selection_4
 falsepositives:
    - Unknown
 level: high
--- a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_stdin.yml
+++ b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_stdin.yml
@ -1,5 +1,8 @@
 title: Invoke-Obfuscation STDIN+ Launcher
-id: 779c8c12-0eb1-11eb-adc1-0242ac120002
+id: 9ac8b09b-45de-4a07-9da1-0de8c09304a3
+related:
+    - id: 779c8c12-0eb1-11eb-adc1-0242ac120002
+      type: derived    
 description: Detects Obfuscated use of stdin to execute PowerShell
 status: experimental
 author: Jonathan Cheong, oscd.community
@ -14,15 +17,12 @@ tags:
 logsource:
    product: windows
    service: powershell
-    definition: Script block logging must be enabled for 4104, Module Logging must be enabled for 4103
+    definition: Module Logging must be enable
 detection:
-    selection_1:
-        EventID: 4104
-        ScriptBlockText|re: '.*cmd.{0,5}(?:\/c|\/r).+powershell.+(?:\$\{?input\}?|noexit).+\"'
-    selection_2:
+    selection_4103:
        EventID: 4103
        Payload|re: '.*cmd.{0,5}(?:\/c|\/r).+powershell.+(?:\$\{?input\}?|noexit).+\"'
-    condition: 1 of them
+    condition: selection_4103
 falsepositives:
    - Unknown
 level: high
--- a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_var.yml
+++ b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_var.yml
@ -1,5 +1,8 @@
 title: Invoke-Obfuscation VAR+ Launcher
-id: 0adfbc14-0ed1-11eb-adc1-0242ac120002
+id: 6bfb8fa7-b2e7-4f6c-8d9d-824e5d06ea9e
+related:
+    - id: 0adfbc14-0ed1-11eb-adc1-0242ac120002
+      type: derived
 description: Detects Obfuscated use of Environment Variables to execute PowerShell
 status: experimental
 author: Jonathan Cheong, oscd.community
@ -14,15 +17,11 @@ tags:
 logsource:
    product: windows
    service: powershell
-    definition: Script block logging must be enabled for 4104,Module Logging must be enabled for 4103
-detection:
-    selection_1:
-        EventID: 4104
-        ScriptBlockText|re: '.*cmd.{0,5}(?:\/c|\/r)(?:\s|)\"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\\"\s+?\-f(?:.*\)){1,}.*\"'
-    selection_2:
+    definition: Module Logging must be enable
+    selection_4103:
        EventID: 4103
        Payload|re: '.*cmd.{0,5}(?:\/c|\/r)(?:\s|)\"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\\"\s+?\-f(?:.*\)){1,}.*\"'
-    condition: 1 of them
+    condition: selection_4103
 falsepositives:
    - Unknown
 level: high
--- a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_compress.yml
+++ b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_compress.yml
@ -1,9 +1,13 @@
 title: Invoke-Obfuscation COMPRESS OBFUSCATION
-id: 20e5497e-331c-4cd5-8d36-935f6e2a9a07
+id: 7034cbbb-cc55-4dc2-8dad-36c0b942e8f1
+related:
+    - id: 20e5497e-331c-4cd5-8d36-935f6e2a9a07
+      type: derived
 description: Detects Obfuscated Powershell via COMPRESS OBFUSCATION
 status: experimental
 author: Timur Zinniatullin, oscd.community
 date: 2020/10/18
+modified: 2021/10/07
 references:
    - https://github.com/Neo23x0/sigma/issues/1009 #(Task 19)
 tags:
@ -14,15 +18,12 @@ tags:
 logsource:
    product: windows
    service: powershell
-    definition: Script block logging must be enabled for 4104, Module Logging must be enabled for 4103
+    definition: Module Logging must be enable
 detection:
-    selection_1:
-        EventID: 4104
-        ScriptBlockText|re: '(?i).*new-object.*(?:system\.io\.compression\.deflatestream|system\.io\.streamreader).*text\.encoding\]::ascii.*readtoend'
-    selection_2:
+    selection_4103:
        EventID: 4103
        Payload|re: '(?i).*new-object.*(?:system\.io\.compression\.deflatestream|system\.io\.streamreader).*text\.encoding\]::ascii.*readtoend'
-    condition: 1 of them
+    condition: selection_4103
 falsepositives:
    - unknown
 level: medium
--- a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_rundll.yml
+++ b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_rundll.yml
@ -1,9 +1,13 @@
 title: Invoke-Obfuscation RUNDLL LAUNCHER
-id: e6cb92b4-b470-4eb8-8a9d-d63e8583aae0
+id: a23791fe-8846-485a-b16b-ca691e1b03d4
+related:
+    - id: e6cb92b4-b470-4eb8-8a9d-d63e8583aae0
+      type: derived
 description: Detects Obfuscated Powershell via RUNDLL LAUNCHER
 status: experimental
 author: Timur Zinniatullin, oscd.community
 date: 2020/10/18
+modified: 2021/10/07
 references:
    - https://github.com/Neo23x0/sigma/issues/1009 #(Task 23)
 tags:
@ -14,15 +18,12 @@ tags:
 logsource:
    product: windows
    service: powershell
-    definition: Script block logging must be enabled for 4104, Module Logging must be enabled for 4103
+    definition: Module Logging must be enable
 detection:
-    selection_1:
-        EventID: 4104
-        ScriptBlockText|re: '(?i).*rundll32(?:\.exe)?(?:\s+)?shell32\.dll.*shellexec_rundll.*powershell.*\"'
-    selection_2:
+    selection_4103:
        EventID: 4103
        Payload|re: '(?i).*rundll32(?:\.exe)?(?:\s+)?shell32\.dll.*shellexec_rundll.*powershell.*\"'
-    condition: 1 of them
+    condition: selection_4103
 falsepositives:
    - Unknown
 level: medium
--- a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_stdin.yml
+++ b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_stdin.yml
@ -1,5 +1,8 @@
 title: Invoke-Obfuscation Via Stdin
-id: 86b896ba-ffa1-4fea-83e3-ee28a4c915c7
+id: c72aca44-8d52-45ad-8f81-f96c4d3c755e
+related:
+    - id: 86b896ba-ffa1-4fea-83e3-ee28a4c915c7
+      type: derived
 description: Detects Obfuscated Powershell via Stdin in Scripts
 status: experimental
 author: Nikita Nazarov, oscd.community
@ -14,15 +17,12 @@ tags:
 logsource:
    product: windows
    service: powershell
-    definition: Script block logging must be enabled for 4104, Module Logging must be enable for 4103
+    definition: Module Logging must be enable
 detection:
-    selection_1:
-        EventID: 4104
-        ScriptBlockText|re: '(?i).*(set).*&&\s?set.*(environment|invoke|\${?input).*&&.*"'
-    selection_2:
+     selection_4103:
        EventID: 4103
        Payload|re: '(?i).*(set).*&&\s?set.*(environment|invoke|\${?input).*&&.*"'
-    condition: 1 of them
+    condition: selection_4103
 falsepositives:
    - Unknown
 level: high
--- a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_use_clip.yml
+++ b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_use_clip.yml
@ -1,5 +1,8 @@
 title: Invoke-Obfuscation Via Use Clip
-id: db92dd33-a3ad-49cf-8c2c-608c3e30ace0
+id: ebdf49d8-b89c-46c9-8fdf-2c308406f6bd
+related:
+    - id: db92dd33-a3ad-49cf-8c2c-608c3e30ace0
+      type: derived
 description: Detects Obfuscated Powershell via use Clip.exe in Scripts
 status: experimental
 author: Nikita Nazarov, oscd.community
@ -14,15 +17,12 @@ tags:
 logsource:
    product: windows
    service: powershell
-    definition: Script block logging must be enabled for 4104, Module Logging must be enabled for 4103
+    definition: Module Logging must be enable
 detection:
-    selection_1:
-        EventID: 4104
-        ScriptBlockText|re: '(?i).*?echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?).*'
-    selection_2:
+    selection_4103:
        EventID: 4103
        Payload|re: '(?i).*?echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?).*'
-    condition: 1 of them
+    condition: selection_4103
 falsepositives:
    - Unknown
 level: high
--- a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_use_mhsta.yml
+++ b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_use_mhsta.yml
@ -1,9 +1,13 @@
 title: Invoke-Obfuscation Via Use MSHTA
-id: e55a5195-4724-480e-a77e-3ebe64bd3759
+id: 07ad2ea8-6a55-4ac6-bf3e-91b8e59676eb
+related:
+    - id: e55a5195-4724-480e-a77e-3ebe64bd3759
+      type: derived
 description: Detects Obfuscated Powershell via use MSHTA in Scripts
 status: experimental
 author: Nikita Nazarov, oscd.community
 date: 2020/10/08
+modified: 2021/10/07
 references:
    - https://github.com/Neo23x0/sigma/issues/1009 #(Task31)
 tags:
@ -14,15 +18,12 @@ tags:
 logsource:
    product: windows
    service: powershell
-    definition: Script block logging must be enabled for 4104, Module Logging must be enabled for 4103
+    definition: Module Logging must be enabled
 detection:
-    selection_1:
-        EventID: 4104
-        ScriptBlockText|re: '(?i).*(set).*(&&).*(mshta).*(vbscript:createobject).*(\.run).*\(window\.close\).*"'
-    selection_2:
+    selection_4103:
        EventID: 4103
        Payload|re: '(?i).*(set).*(&&).*(mshta).*(vbscript:createobject).*(\.run).*\(window\.close\).*"'
-    condition: 1 of them
+    condition: selection_4103
 falsepositives:
    - Unknown
 level: high
--- a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_use_rundll32.yml
+++ b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_use_rundll32.yml
@ -1,9 +1,13 @@
 title: Invoke-Obfuscation Via Use Rundll32
-id: a5a30a6e-75ca-4233-8b8c-42e0f2037d3b
+id: 88a22f69-62f9-4b8a-aa00-6b0212f2f05a
+related:
+    - id: a5a30a6e-75ca-4233-8b8c-42e0f2037d3b
+      type: derived
 description: Detects Obfuscated Powershell via use Rundll32 in Scripts
 status: experimental
 author: Nikita Nazarov, oscd.community
 date: 2019/10/08
+modified: 2021/10/07
 references:
    - https://github.com/Neo23x0/sigma/issues/1009
 tags:
@ -14,15 +18,12 @@ tags:
 logsource:
    product: windows
    service: powershell
-    definition: Script block logging must be enabled for 4104, Module Logging must be enabled for 4103
+    definition: Module Logging must be enable
 detection:
-    selection_1:
-        EventID: 4104
-        ScriptBlockText|re: '(?i).*&&.*rundll32.*shell32\.dll.*shellexec_rundll.*(value|invoke|comspec|iex).*"'
-    selection_2:
+    selection_4103:
        EventID: 4103
        Payload|re: '(?i).*&&.*rundll32.*shell32\.dll.*shellexec_rundll.*(value|invoke|comspec|iex).*"'
-    condition: 1 of them
+    condition: selection_4103
 falsepositives:
    - Unknown
 level: high
--- a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_var.yml
+++ b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_var.yml
@ -1,10 +1,13 @@
 title: Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION
-id: e54f5149-6ba3-49cf-b153-070d24679126
+id: f3c89218-8c3d-4ba9-9974-f1d8e6a1b4a6
+related:
+    - id: e54f5149-6ba3-49cf-b153-070d24679126
+      type: derived
 description: Detects Obfuscated Powershell via VAR++ LAUNCHER
 status: experimental
 author: Timur Zinniatullin, oscd.community
 date: 2020/10/13
-modified: 2021/07/15
+modified: 2021/10/07
 references:
    - https://github.com/Neo23x0/sigma/issues/1009 #(Task27)
 tags:
@ -15,15 +18,12 @@ tags:
 logsource:
    product: windows
    service: powershell
-    definition: Script block logging must be enabled for 4104, Module Logging must be enabled for 4103
+    definition: Module Logging must be enabled
 detection:
-    selection_1:
-        EventID: 4104
-        ScriptBlockText|re: '(?i).*&&set.*(\{\d\}){2,}\\\"\s+?\-f.*&&.*cmd.*\/c' # FPs with |\/r
-    selection_2:
+    selection_4103:
        EventID: 4103
        Payload|re: '(?i).*&&set.*(\{\d\}){2,}\\\"\s+?\-f.*&&.*cmd.*\/c' # FPs with |\/r
-    condition: selection_1 or selection_2
+    condition: selection_4103
 falsepositives:
    - Unknown
 level: high
--- a/rules/windows/powershell/powershell_module/powershell_powercat.yml
+++ b/rules/windows/powershell/powershell_module/powershell_powercat.yml
--- a/rules/windows/powershell/powershell_module/powershell_remote_powershell_session.yml
+++ b/rules/windows/powershell/powershell_module/powershell_remote_powershell_session.yml
@ -17,7 +17,7 @@ tags:
 logsource:
    product: windows
    service: powershell
-    definition: Module Logging must be enable and fields have to be extract from event
+    definition: Module Logging must be enable
 detection:
    selection:
        EventID: 4103 
--- a/rules/windows/powershell/powershell_module/powershell_susp_athremotefxvgpudisablementcommand.yml
+++ b/rules/windows/powershell/powershell_module/powershell_susp_athremotefxvgpudisablementcommand.yml
--- a/rules/windows/powershell/powershell_module/powershell_susp_zip_compress.yml
+++ b/rules/windows/powershell/powershell_module/powershell_susp_zip_compress.yml
@ -1,9 +1,12 @@
 title: Zip A Folder With PowerShell For Staging In Temp
-id: b7a3c9a3-09ea-4934-8864-6a32cacd98d9
+id: daf7eb81-35fd-410d-9d7a-657837e602bb
+related:
+    - id: b7a3c9a3-09ea-4934-8864-6a32cacd98d9
+      related: derived
 status: experimental
 author: frack113
 date: 2021/07/20
-modified: 2021/09/30
+modified: 2021/10/09
 description: Use living off the land tools to zip a file and stage it in the Windows temporary folder for later exfiltration
 references:
    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074.001/T1074.001.md
@ -13,7 +16,7 @@ tags:
 logsource:
    product: windows
    service: powershell
-    definition: 4103 Module Logging must be enabled , 4104 Script Block Logging must be enable
+    definition: Module Logging must be enabled
 detection:
    selection_4103:
        EventID: 4103
@ -22,14 +25,7 @@ detection:
            - ' -Path '
            - ' -DestinationPath '
            - '$env:TEMP\'
-    selection_4104:
-        EventID: 4104
-        ScriptBlockText|contains|all:
-            - 'Compress-Archive '
-            - ' -Path '
-            - ' -DestinationPath '
-            - '$env:TEMP\'
-    condition: selection_4103 or  selection_4104
+    condition: selection_4103
 falsepositives:
    - Unknown
 level: medium