Add: sigma rules (#175)

itiB
2021-11-22 08:45:44 +09:00
committed by GitHub
parent b53342218c
commit 034f9c0957
1086 changed files with 40715 additions and 192 deletions


@@ -0,0 +1,32 @@
title: Alternate PowerShell Hosts
author: Roberto Rodriguez @Cyb3rWard0g
date: 2019/08/11
description: Detects alternate PowerShell hosts potentially bypassing detections looking
for powershell.exe
detection:
SELECTION_1:
EventID: 4103
SELECTION_2:
ContextInfo: '*'
SELECTION_3:
ContextInfo: '*powershell.exe*'
condition: ((SELECTION_1 and SELECTION_2) and not (SELECTION_3))
falsepositives:
- Programs using PowerShell directly without invocation of a dedicated interpreter
- MSP Detection Searcher
- Citrix ConfigSync.ps1
id: 64e8e417-c19a-475a-8d19-98ea705394cc
level: medium
logsource:
definition: PowerShell Module Logging must be enabled
product: windows
service: powershell
modified: 2021/09/21
references:
- https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190815181010.html
status: test
tags:
- attack.execution
- attack.t1059.001
- attack.t1086
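Review bot: the filter in SELECTION_3 only excludes hosts whose ContextInfo contains `powershell.exe`, so pwsh.exe (PowerShell 7) and powershell_ise.exe sessions are treated as alternate hosts and will fire on every 4103 event they emit. Add those two to the exclusion, or state in `falsepositives` that PowerShell 7 and ISE are expected hits. SELECTION_2 (`ContextInfo: '*'`) does nothing beyond requiring the field to exist and can be dropped from the condition; `attack.t1086` is the retired PowerShell technique id already covered by `attack.t1059.001`.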


@@ -0,0 +1,42 @@
title: Bad Opsec Powershell Code Artifacts
author: ok @securonix invrep_de, oscd.community
date: 2020/10/09
description: Focuses on trivial artifacts observed in variants of prevalent offensive
ps1 payloads, including Cobalt Strike Beacon, PoshC2, Powerview, Letmein, Empire,
Powersploit, and other attack payloads that often undergo minimal changes by attackers
due to bad opsec.
detection:
SELECTION_1:
EventID: 4103
SELECTION_2:
Payload:
- '*$DoIt*'
- '*harmj0y*'
- '*mattifestation*'
- '*_RastaMouse*'
- '*tifkin_*'
- '*0xdeadbeef*'
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- Moderate-to-low; Despite the shorter length/lower entropy for some of these, because
of high specificity, fp appears to be fairly limited in many environments.
id: 8d31a8ce-46b5-4dd6-bdc3-680931f1db86
level: critical
logsource:
definition: PowerShell Module Logging must be enabled
product: windows
service: powershell
modified: 2021/10/07
references:
- https://newtonpaul.com/analysing-fileless-malware-cobalt-strike-beacon/
- https://labs.sentinelone.com/top-tier-russian-organized-cybercrime-group-unveils-fileless-stealthy-powertrick-backdoor-for-high-value-targets/
- https://www.mdeditor.tw/pl/pgRt
related:
- id: 73e733cc-1ace-3212-a107-ff2523cc9fc3
type: derived
status: experimental
tags:
- attack.execution
- attack.t1059.001
- attack.t1086
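Review bot: `0xdeadbeef` in SELECTION_2 is a generic sentinel constant that turns up in benign test and debugging code, and at `level: critical` a single match on it pages someone; either drop it or move it to a lower-severity companion rule. Also worth verifying against a real module log that these artifacts surface at all: the 4103 Payload records command invocations and bound parameter values, and author handles that live only in script header comments (harmj0y, mattifestation, _RastaMouse, tifkin_) show up in 4104 script block text rather than here, unless they are passed as a parameter value.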


@@ -0,0 +1,42 @@
title: Clear PowerShell History
author: Ilyas Ochkov, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community
date: 2019/10/25
description: Detects keywords that could indicate clearing PowerShell history
detection:
SELECTION_1:
EventID: 4103
SELECTION_2:
Payload:
- '*del*'
- '*Remove-Item*'
- '*rm*'
SELECTION_3:
Payload: '*(Get-PSReadlineOption).HistorySavePath*'
SELECTION_4:
Payload: '*Set-PSReadlineOption*'
SELECTION_5:
Payload: '*HistorySaveStyle*'
SELECTION_6:
Payload: '*SaveNothing*'
condition: (SELECTION_1 and ((SELECTION_2 and SELECTION_3) or (SELECTION_4 and SELECTION_5
and SELECTION_6)))
falsepositives:
- Legitimate PowerShell scripts
id: f99276ad-d122-4989-a09a-d00904a5f9d2
level: medium
logsource:
definition: PowerShell Module Logging must be enabled
product: windows
service: powershell
modified: 2020/11/28
references:
- https://gist.github.com/hook-s3c/7363a856c3cdbadeb71085147f042c1a
related:
- id: dfba4ce1-e0ea-495f-986e-97140f31af2d
type: derived
status: experimental
tags:
- attack.defense_evasion
- attack.t1070.003
- attack.t1146
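Review bot: the `*del*` and `*rm*` wildcards in SELECTION_2 are substrings of ordinary words (model, delegate, format, permission) and of `Remove-Item` itself, so the first branch of the condition is effectively SELECTION_3 alone; tighten them (`*del *`, `*rm *`) or drop them. Separately, module logging records the bound parameter value rather than the source expression, so `Remove-Item (Get-PSReadlineOption).HistorySavePath` is likely to be logged with the resolved file path; consider adding `*ConsoleHost_history.txt*` to SELECTION_3 so the rule does not depend on the literal expression text appearing in Payload. `attack.t1146` is the retired id for `attack.t1070.003`.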


@@ -0,0 +1,31 @@
title: PowerShell Decompress Commands
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020/05/02
description: A General detection for specific decompress commands in PowerShell logs.
This could be an adversary decompressing files.
detection:
SELECTION_1:
EventID: 4103
SELECTION_2:
Payload: '*Expand-Archive*'
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- unknown
id: 1ddc1472-8e52-4f7d-9f11-eab14fc171f5
level: informational
logsource:
definition: PowerShell Module Logging must be enabled
product: windows
service: powershell
modified: 2021/10/07
references:
- https://github.com/OTRF/detection-hackathon-apt29/issues/8
- https://threathunterplaybook.com/evals/apt29/detections/4.A.3_09F29912-8E93-461E-9E89-3F06F6763383.html
related:
- id: 81fbdce6-ee49-485a-908d-1a728c5dcb09
type: derived
status: experimental
tags:
- attack.defense_evasion
- attack.t1140
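Review bot: `falsepositives: unknown` undersells a cmdlet that installers, build scripts and administrators run routinely; say so explicitly so consumers know this is a hunting or enrichment signal at `level: informational`, not an alert. If coverage of decompression is the goal, the description should also note that the .NET path (`[IO.Compression.ZipFile]::ExtractToDirectory`) is not matched by `*Expand-Archive*`.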


@@ -0,0 +1,31 @@
title: PowerShell Get Clipboard
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020/05/02
description: A General detection for the Get-Clipboard commands in PowerShell logs.
This could be an adversary capturing clipboard contents.
detection:
SELECTION_1:
EventID: 4103
SELECTION_2:
Payload: '*Get-Clipboard*'
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- unknown
id: 4cbd4f12-2e22-43e3-882f-bff3247ffb78
level: medium
logsource:
definition: PowerShell Module Logging must be enabled
product: windows
service: powershell
modified: 2021/10/07
references:
- https://github.com/OTRF/detection-hackathon-apt29/issues/16
- https://threathunterplaybook.com/evals/apt29/detections/7.A.2_F4609F7E-C4DB-4327-91D4-59A58C962A02.html
related:
- id: 5486f63a-aa4c-488d-9a61-c9192853099f
type: derived
status: experimental
tags:
- attack.collection
- attack.t1115
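Review bot: `level: medium` with `falsepositives: unknown` does not fit a cmdlet that administrators use interactively; either list the expected benign usage or lower the level. The description should also say that only the cmdlet is matched: the same data is reachable through `[System.Windows.Forms.Clipboard]::GetText()` without `Get-Clipboard` ever appearing in Payload.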


@@ -0,0 +1,31 @@
title: Invoke-Obfuscation CLIP+ Launcher
author: Jonathan Cheong, oscd.community
date: 2020/10/13
description: Detects Obfuscated use of Clip.exe to execute PowerShell
detection:
SELECTION_1:
EventID: 4103
SELECTION_2:
Payload|re: .*cmd.{0,5}(?:/c|/r).+clip(?:\.exe)?.{0,4}&&.+clipboard]::\(\s\\"\{\d\}.+\-f.+"
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- Unknown
id: a136cde0-61ad-4a61-9b82-8dc490e60dd2
level: high
logsource:
definition: PowerShell Module Logging must be enabled
product: windows
service: powershell
modified: 2021/10/07
references:
- https://github.com/Neo23x0/sigma/issues/1009
related:
- id: 73e67340-0d25-11eb-adc1-0242ac120002
type: derived
status: experimental
tags:
- attack.defense_evasion
- attack.t1027
- attack.execution
- attack.t1059.001
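Review bot: the regex in SELECTION_2 begins with `cmd.{0,5}(?:/c|/r)`, which is text from the parent cmd.exe command line; a 4103 Payload carries PowerShell command invocations and parameter bindings, and even the host's own command line (the `Host Application` entry in ContextInfo) does not include the cmd.exe wrapper. This rule is marked `derived` from a process_creation rule and the pattern should be re-validated against a captured 4103 event before it is trusted; the PowerShell-side fragment `clipboard]::( \"{0}...\" -f` is the part that can appear in this log source, so drop the `cmd` prefix or move the match to the field that actually holds it.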


@@ -0,0 +1,44 @@
title: Invoke-Obfuscation Obfuscated IEX Invocation
author: Daniel Bohannon (@Mandiant/@FireEye), oscd.community
date: 2019/11/08
description: Detects all variations of obfuscated powershell IEX invocation code generated
by Invoke-Obfuscation framework from the following code block — https://github.com/danielbohannon/Invoke-Obfuscation/blob/master/Out-ObfuscatedStringCommand.ps1#L873-L888
detection:
SELECTION_1:
EventID: 4103
SELECTION_2:
Payload|re: \$PSHome\[\s*\d{1,3}\s*\]\s*\+\s*\$PSHome\[
SELECTION_3:
Payload|re: \$ShellId\[\s*\d{1,3}\s*\]\s*\+\s*\$ShellId\[
SELECTION_4:
Payload|re: \$env:Public\[\s*\d{1,3}\s*\]\s*\+\s*\$env:Public\[
SELECTION_5:
Payload|re: \$env:ComSpec\[(\s*\d{1,3}\s*,){2}
SELECTION_6:
Payload|re: \\\\*mdr\\\\*\W\s*\)\.Name
SELECTION_7:
Payload|re: \$VerbosePreference\.ToString\(
SELECTION_8:
Payload|re: \String\]\s*\$VerbosePreference
condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3 or SELECTION_4 or SELECTION_5
or SELECTION_6 or SELECTION_7 or SELECTION_8))
falsepositives:
- Unknown
id: 2f211361-7dce-442d-b78a-c04039677378
level: high
logsource:
definition: PowerShell Module Logging must be enabled
product: windows
service: powershell
modified: 2021/10/07
related:
- id: 1b9dc62e-6e9e-42a3-8990-94d7a10007f7
type: derived
status: experimental
tags:
- attack.defense_evasion
- attack.t1027
- attack.execution
- attack.t1059.001
- attack.t1086
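Review bot: two of the regexes in this hunk have escaping problems. In SELECTION_6, `\\\\*mdr\\\\*` is read by a regex engine as literal backslashes around `mdr`, while the Invoke-Obfuscation artifact is the wildcarded variable lookup `'*mdr*'` (which is why `\W` follows it); the intended escape is `\*mdr\*`. In SELECTION_8, `\String` starts with the metacharacter `\S` (any non-whitespace character), so the pattern actually reads `\S` followed by `tring\]`; write `String\]` without the leading backslash. `attack.t1086` duplicates `attack.t1059.001`.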


@@ -0,0 +1,30 @@
title: Invoke-Obfuscation STDIN+ Launcher
author: Jonathan Cheong, oscd.community
date: 2020/10/15
description: Detects Obfuscated use of stdin to execute PowerShell
detection:
SELECTION_1:
EventID: 4103
SELECTION_2:
Payload|re: .*cmd.{0,5}(?:/c|/r).+powershell.+(?:\$\{?input\}?|noexit).+"
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- Unknown
id: 9ac8b09b-45de-4a07-9da1-0de8c09304a3
level: high
logsource:
definition: PowerShell Module Logging must be enabled
product: windows
service: powershell
references:
- https://github.com/Neo23x0/sigma/issues/1009
related:
- id: 779c8c12-0eb1-11eb-adc1-0242ac120002
type: derived
status: experimental
tags:
- attack.defense_evasion
- attack.t1027
- attack.execution
- attack.t1059.001
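Review bot: this regex has no `(?i)` flag while the sibling Invoke-Obfuscation rules later in this commit set it explicitly, so `cmd`, `powershell`, `input` and `noexit` only match in lower case unless the backend is case-insensitive by default; Invoke-Obfuscation randomises token case, so add `(?i)` here (the CLIP+ and VAR+ rules in this commit have the same gap). The `noexit` alternative is also a plain powershell.exe switch, so `cmd /c ... powershell ... -noexit ... "` from any legitimate wrapper batch will match; `falsepositives` should say more than `Unknown`.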


@@ -0,0 +1,30 @@
title: Invoke-Obfuscation VAR+ Launcher
author: Jonathan Cheong, oscd.community
date: 2020/10/15
description: Detects Obfuscated use of Environment Variables to execute PowerShell
detection:
SELECTION_1:
EventID: 4103
SELECTION_2:
Payload|re: .*cmd.{0,5}(?:/c|/r)(?:\s|)"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\"\s+?\-f(?:.*\)){1,}.*"
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- Unknown
id: 6bfb8fa7-b2e7-4f6c-8d9d-824e5d06ea9e
level: high
logsource:
definition: PowerShell Module Logging must be enabled
product: windows
service: powershell
references:
- https://github.com/Neo23x0/sigma/issues/1009
related:
- id: 0adfbc14-0ed1-11eb-adc1-0242ac120002
type: derived
status: experimental
tags:
- attack.defense_evasion
- attack.t1027
- attack.execution
- attack.t1059.001
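Review bot: `(?:.*\)){1,}` near the end of the regex is a nested quantifier around `.*`, which backtracks badly on long non-matching Payload strings; it matches the same set of strings as a single `.*\)`, so replace it with that. `(?:\s|)` is `\s?` and `{1,}` is `+`; writing them that way makes the pattern easier to review.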


@@ -0,0 +1,31 @@
title: Invoke-Obfuscation COMPRESS OBFUSCATION
author: Timur Zinniatullin, oscd.community
date: 2020/10/18
description: Detects Obfuscated Powershell via COMPRESS OBFUSCATION
detection:
SELECTION_1:
EventID: 4103
SELECTION_2:
Payload|re: (?i).*new-object.*(?:system\.io\.compression\.deflatestream|system\.io\.streamreader).*text\.encoding\]::ascii.*readtoend
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- unknown
id: 7034cbbb-cc55-4dc2-8dad-36c0b942e8f1
level: medium
logsource:
definition: PowerShell Module Logging must be enabled
product: windows
service: powershell
modified: 2021/10/07
references:
- https://github.com/Neo23x0/sigma/issues/1009
related:
- id: 20e5497e-331c-4cd5-8d36-935f6e2a9a07
type: derived
status: experimental
tags:
- attack.defense_evasion
- attack.t1027
- attack.execution
- attack.t1059.001
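Review bot: the alternation requires `system\.io\.compression\.deflatestream`, but PowerShell accepts type names without the `System.` prefix and Invoke-Obfuscation's compress output uses the short forms `IO.Compression.DeflateStream` and `IO.StreamReader`; verify against the tool's output and make the prefix optional, e.g. `(?:system\.)?io\.compression\.deflatestream`. `GzipStream` is the other stream type a copied payload would swap in and is not covered; either add it or say so in the description.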


@@ -0,0 +1,31 @@
title: Invoke-Obfuscation RUNDLL LAUNCHER
author: Timur Zinniatullin, oscd.community
date: 2020/10/18
description: Detects Obfuscated Powershell via RUNDLL LAUNCHER
detection:
SELECTION_1:
EventID: 4103
SELECTION_2:
Payload|re: (?i).*rundll32(?:\.exe)?(?:\s+)?shell32\.dll.*shellexec_rundll.*powershell.*"
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- Unknown
id: a23791fe-8846-485a-b16b-ca691e1b03d4
level: medium
logsource:
definition: PowerShell Module Logging must be enabled
product: windows
service: powershell
modified: 2021/10/07
references:
- https://github.com/Neo23x0/sigma/issues/1009
related:
- id: e6cb92b4-b470-4eb8-8a9d-d63e8583aae0
type: derived
status: experimental
tags:
- attack.defense_evasion
- attack.t1027
- attack.execution
- attack.t1059.001
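Review bot: this rule and `Invoke-Obfuscation Via Use Rundll32` later in this commit both key on `rundll32 ... shell32.dll ... shellexec_rundll ... powershell` in Payload, so a single event will raise two alerts at different levels (`medium` here, `high` there). Cross-reference them in `related` or merge them, and pick one level. `(?:\s+)?` is just `\s*`.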


@@ -0,0 +1,30 @@
title: Invoke-Obfuscation Via Stdin
author: Nikita Nazarov, oscd.community
date: 2020/10/12
description: Detects Obfuscated Powershell via Stdin in Scripts
detection:
SELECTION_1:
EventID: 4103
SELECTION_2:
Payload|re: (?i).*(set).*&&\s?set.*(environment|invoke|\$\{?input).*&&.*"
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- Unknown
id: c72aca44-8d52-45ad-8f81-f96c4d3c755e
level: high
logsource:
definition: PowerShell Module Logging must be enabled
product: windows
service: powershell
references:
- https://github.com/Neo23x0/sigma/issues/1009
related:
- id: 86b896ba-ffa1-4fea-83e3-ee28a4c915c7
type: derived
status: experimental
tags:
- attack.defense_evasion
- attack.t1027
- attack.execution
- attack.t1059.001
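Review bot: the regex in SELECTION_2 is too loose for `level: high`: `set`, `&&`, `set`, then any of `environment`, `invoke` or `$input`, then `&&` and a quote, is satisfied by an ordinary batch chain such as `set A=1 && set B=2 && Invoke-Thing "x"`. Keep the `\$\{?input` alternative, which is the actual STDIN launcher artifact, require the `powershell` token that the STDIN+ rule in this commit uses, and drop the capture groups around `set`, `environment|invoke|...` that nothing consumes. `falsepositives: Unknown` should reflect that batch wrapper scripts hit the current pattern.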


@@ -0,0 +1,30 @@
title: Invoke-Obfuscation Via Use Clip
author: Nikita Nazarov, oscd.community
date: 2020/10/09
description: Detects Obfuscated Powershell via use Clip.exe in Scripts
detection:
SELECTION_1:
EventID: 4103
SELECTION_2:
Payload|re: (?i).*?echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?).*
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- Unknown
id: ebdf49d8-b89c-46c9-8fdf-2c308406f6bd
level: high
logsource:
definition: PowerShell Module Logging must be enabled
product: windows
service: powershell
references:
- https://github.com/Neo23x0/sigma/issues/1009
related:
- id: db92dd33-a3ad-49cf-8c2c-608c3e30ace0
type: derived
status: experimental
tags:
- attack.defense_evasion
- attack.t1027
- attack.execution
- attack.t1059.001
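Review bot: the tick-insertion handling in `i`?n`?v`?o`?k`?e`?` is applied to `invoke` only; `Clipboard`, the other alternative, sits in the PowerShell half of the launcher where backticks are equally legal (`Cl`ipboard`), so give it the same treatment. `echo` and `clip` are on the cmd.exe side, where backticks are not an escape, and are fine as plain literals. The leading `.*?` and trailing `.*` add nothing to an unanchored search and can go.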


@@ -0,0 +1,31 @@
title: Invoke-Obfuscation Via Use MSHTA
author: Nikita Nazarov, oscd.community
date: 2020/10/08
description: Detects Obfuscated Powershell via use MSHTA in Scripts
detection:
SELECTION_1:
EventID: 4103
SELECTION_2:
Payload|re: (?i).*(set).*(&&).*(mshta).*(vbscript:createobject).*(\.run).*\(window\.close\).*"
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- Unknown
id: 07ad2ea8-6a55-4ac6-bf3e-91b8e59676eb
level: high
logsource:
definition: PowerShell Module Logging must be enabledd
product: windows
service: powershell
modified: 2021/10/07
references:
- https://github.com/Neo23x0/sigma/issues/1009
related:
- id: e55a5195-4724-480e-a77e-3ebe64bd3759
type: derived
status: experimental
tags:
- attack.defense_evasion
- attack.t1027
- attack.execution
- attack.t1059.001
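Review bot: `definition: PowerShell Module Logging must be enabledd` has a doubled `d`; the same typo is in the VAR++ LAUNCHER OBFUSCATION, Abusable Invoke-ATHRemoteFXvGPUDisablementCommand and Zip A Folder rules in this commit. In the regex, the parentheses around `set`, `&&`, `mshta`, `vbscript:createobject` and `\.run` are capture groups that nothing uses; drop them or make them `(?:...)` so the pattern reads like the other rules here.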


@@ -0,0 +1,31 @@
title: Invoke-Obfuscation Via Use Rundll32
author: Nikita Nazarov, oscd.community
date: 2019/10/08
description: Detects Obfuscated Powershell via use Rundll32 in Scripts
detection:
SELECTION_1:
EventID: 4103
SELECTION_2:
Payload|re: (?i).*&&.*rundll32.*shell32\.dll.*shellexec_rundll.*(value|invoke|comspec|iex).*"
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- Unknown
id: 88a22f69-62f9-4b8a-aa00-6b0212f2f05a
level: high
logsource:
definition: PowerShell Module Logging must be enabled
product: windows
service: powershell
modified: 2021/10/07
references:
- https://github.com/Neo23x0/sigma/issues/1009
related:
- id: a5a30a6e-75ca-4233-8b8c-42e0f2037d3b
type: derived
status: experimental
tags:
- attack.defense_evasion
- attack.t1027
- attack.execution
- attack.t1059.001
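Review bot: in the trailing alternation `(value|invoke|comspec|iex)`, `value` is near-free in a 4103 Payload, which is built from `ParameterBinding(...): name="..."; value="..."` entries, so it adds no discrimination; keep `comspec|invoke|iex` or drop the group, since `shell32\.dll.*shellexec_rundll` is the real signal. Also check `date: 2019/10/08`: the other rules by this author in the same batch are dated 2020/10.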


@@ -0,0 +1,31 @@
title: Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION
author: Timur Zinniatullin, oscd.community
date: 2020/10/13
description: Detects Obfuscated Powershell via VAR++ LAUNCHER
detection:
SELECTION_1:
EventID: 4103
SELECTION_2:
Payload|re: (?i).*&&set.*(\{\d\}){2,}\\"\s+?\-f.*&&.*cmd.*/c
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- Unknown
id: f3c89218-8c3d-4ba9-9974-f1d8e6a1b4a6
level: high
logsource:
definition: PowerShell Module Logging must be enabledd
product: windows
service: powershell
modified: 2021/10/07
references:
- https://github.com/Neo23x0/sigma/issues/1009
related:
- id: e54f5149-6ba3-49cf-b153-070d24679126
type: derived
status: experimental
tags:
- attack.defense_evasion
- attack.t1027
- attack.execution
- attack.t1059.001
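Review bot: the final `cmd.*/c` only accepts `/c`, while the VAR+ LAUNCHER rule earlier in this commit accepts `(?:/c|/r)`; cmd.exe treats `/R` as a synonym for `/C`, so the re-invocation can use either and this should be `cmd.*/[cr]`. `\s+?` before `-f` is a lazy one-or-more that behaves like `\s+` here; write `\s+` (or `\s*` if the obfuscator can emit `\"-f` with no space) so the intent is visible.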


@@ -0,0 +1,31 @@
title: Netcat The Powershell Version
author: frack113
date: 2021/07/21
description: Adversaries may use a non-application layer protocol for communication
between host and C2 server or among infected hosts within a network
detection:
SELECTION_1:
EventID: 4103
SELECTION_2:
ContextInfo:
- '*powercat *'
- '*powercat.ps1*'
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- Unknown
id: bf7286e7-c0be-460b-a7e8-5b2e07ecc2f2
level: medium
logsource:
definition: PowerShell Module Logging must be enabled
product: windows
service: powershell
modified: 2021/09/07
references:
- https://nmap.org/ncat/
- https://github.com/besimorhino/powercat
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1095/T1095.md
status: experimental
tags:
- attack.command_and_control
- attack.t1095
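Review bot: both ContextInfo patterns require something after the name (`powercat ` with a trailing space, or `powercat.ps1`), so an event whose `Command Name = powercat` entry is followed directly by a line break, or a renamed copy of the script, is missed; verify against a captured event and consider the plain `*powercat*` substring, whose benign collisions are few. The description is the generic T1095 technique text; say what is actually detected (the powercat function or script name in a module log).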


@@ -0,0 +1,32 @@
title: Remote PowerShell Session
author: Roberto Rodriguez @Cyb3rWard0g
date: 2019/08/10
description: Detects remote PowerShell sessions
detection:
SELECTION_1:
EventID: 4103
SELECTION_2:
ContextInfo: '* = ServerRemoteHost *'
SELECTION_3:
ContextInfo: '*wsmprovhost.exe*'
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
falsepositives:
- Legitimate use remote PowerShell sessions
id: 96b9f619-aa91-478f-bacb-c3e50f8df575
level: high
logsource:
definition: PowerShell Module Logging must be enabled
product: windows
service: powershell
modified: 2021/09/21
references:
- https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190511223310.html
status: test
tags:
- attack.execution
- attack.t1059.001
- attack.t1086
- attack.lateral_movement
- attack.t1021.006
- attack.t1028
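Review bot: `level: high` for a rule whose stated false positive is any legitimate remoting session is too aggressive; module logging emits a 4103 for every pipeline in a session, so an environment that administers with PSRemoting will see this fire continuously. Lower the level or position it as an enrichment rule, and verify `'* = ServerRemoteHost *'` against a real ContextInfo value, where `Host Name = ServerRemoteHost` is followed by a line break rather than a space. `attack.t1086` and `attack.t1028` are retired ids already covered by `attack.t1059.001` and `attack.t1021.006`.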


@@ -0,0 +1,39 @@
title: Abusable Invoke-ATHRemoteFXvGPUDisablementCommand
author: frack113
date: 2021/07/13
description: RemoteFXvGPUDisablement.exe is an abusable, signed PowerShell host executable
that was introduced in Windows 10 and Server 2019 (OS Build 17763.1339).
detection:
SELECTION_1:
EventID: 4103
SELECTION_2:
ContextInfo: '*Invoke-ATHRemoteFXvGPUDisablementCommand *'
SELECTION_3:
ContextInfo:
- '*-ModuleName *'
- '*-ModulePath *'
- '*-ScriptBlock *'
- '*-RemoteFXvGPUDisablementFilePath*'
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
falsepositives:
- Unknown
fields:
- ComputerName
- User
- CommandLine
- ParentCommandLine
id: 38a7625e-b2cb-485d-b83d-aff137d859f4
level: medium
logsource:
definition: PowerShell Module Logging must be enabledd
product: windows
service: powershell
modified: 2021/09/07
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/T1218.md
- https://github.com/redcanaryco/AtomicTestHarnesses/blob/master/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1
status: experimental
tags:
- attack.defense_evasion
- attack.t1218
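Review bot: the rule matches the name of the AtomicTestHarnesses function `Invoke-ATHRemoteFXvGPUDisablementCommand`, i.e. the test tool, not the abuse it simulates; an actor who plants a module for `RemoteFXvGPUDisablement.exe` to load never calls that function. Either say in the description that this is a test-harness detection, or rebuild the detection around the host executable (the `Alternate PowerShell Hosts` rule in this commit would already catch a session whose ContextInfo names `RemoteFXvGPUDisablement.exe`). The `fields` list (`CommandLine`, `ParentCommandLine`) is left over from the process_creation origin and does not exist on a 4103 event.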


@@ -0,0 +1,36 @@
title: Zip A Folder With PowerShell For Staging In Temp
author: frack113
date: 2021/07/20
description: Use living off the land tools to zip a file and stage it in the Windows
temporary folder for later exfiltration
detection:
SELECTION_1:
EventID: 4103
SELECTION_2:
ContextInfo: '*Compress-Archive *'
SELECTION_3:
ContextInfo: '* -Path *'
SELECTION_4:
ContextInfo: '* -DestinationPath *'
SELECTION_5:
ContextInfo: '*$env:TEMP\\*'
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4 and SELECTION_5)
falsepositives:
- Unknown
id: daf7eb81-35fd-410d-9d7a-657837e602bb
level: medium
logsource:
definition: PowerShell Module Logging must be enabledd
product: windows
service: powershell
modified: 2021/10/09
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074.001/T1074.001.md
related:
- id: b7a3c9a3-09ea-4934-8864-6a32cacd98d9
type: derived
status: experimental
tags:
- attack.collection
- attack.t1074.001
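Review bot: SELECTION_3 through SELECTION_5 reproduce the exact Atomic test command line: named `-Path` and `-DestinationPath` parameters and a literal `$env:TEMP\`. Positional arguments, `$env:TMP`, `C:\Windows\Temp` or an already-resolved path all evade it, and the literal `$env:TEMP\` text only appears in the host's command line, not in bound parameter values. Either relax the path check (match `\Temp\` in the destination and drop the named-parameter requirement) or state in the description that this covers the Atomic test invocation as written.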