SigmaHQ/rules/windows/powershell/powershell_psattack.yml
2019-11-12 23:12:27 +01:00

24 lines
636 B
YAML

title: PowerShell PSAttack
id: b7ec41a4-042c-4f31-a5db-d0fcde9fa5c5
status: experimental
description: Detects the use of PSAttack PowerShell hack tool
references:
- https://adsecurity.org/?p=2921
tags:
- attack.execution
- attack.t1086
author: Sean Metcalf (source), Florian Roth (rule)
logsource:
product: windows
service: powershell
definition: 'It is recommended to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277'
detection:
selection:
EventID: 4103
keyword:
- 'PS ATTACK!!!'
condition: all of them
falsepositives:
- Pentesters
level: high