valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-08 02:08:54 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
491049b92a
SigmaHQ/rules/windows/sysmon/sysmon_powershell_execution_pipe.yml
cyb3rward0g 104b40ce8f 10 rules from THP - contributing soon
2020-10-12 15:42:34 -04:00

23 lines
581 B
YAML
Raw Blame History

title: T1086 PowerShell Execution
id: ac7102b4-9e1e-4802-9b4f-17c5524c015c
description: Detects execution of PowerShell
status: experimental
date: 2019/09/12
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
tags:
- attack.execution
- attack.t1059.001
references:
- https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190410151110.html
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 17
PipeName: '\PSHost*'
condition: selection
falsepositives:
- Unknown
level: critical
Reference in New Issue View Git Blame Copy Permalink