valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-08 02:08:54 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
ba83b8862a
SigmaHQ/rules/windows/sysmon/sysmon_alternate_powershell_hosts_moduleload.yml
Thomas Patzke 9bb50f3d60 OSCD QA wave 2 
* Improved rules
* Added filtering
* Adjusted severity
2020-01-17 15:46:28 +01:00

27 lines
918 B
YAML
Raw Blame History

title: Alternate PowerShell Hosts
id: f67f6c57-257d-4919-a416-69cd31f9aac3
description: Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe
status: experimental
date: 2019/09/12
modified: 2019/11/10
author: Roberto Rodriguez @Cyb3rWard0g
references:
- https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/alternate_signed_powershell_hosts.md
tags:
- attack.execution
- attack.t1086
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 7
Description: 'system.management.automation'
ImageLoaded|contains: 'system.management.automation'
filter:
Image|endswith: '\powershell.exe'
condition: selection and not filter
falsepositives:
- Programs using PowerShell directly without invocation of a dedicated interpreter.
level: high
Reference in New Issue View Git Blame Copy Permalink