Added Sigma Rules
This commit is contained in:
Tanaka Zakku
32
rules/Sigma/powershell_remote_powershell_session.yml
Normal file
32
rules/Sigma/powershell_remote_powershell_session.yml
Normal file
@@ -0,0 +1,32 @@
|
||||
title: Remote PowerShell Session
|
||||
author: Roberto Rodriguez @Cyb3rWard0g
|
||||
date: 2019/08/10
|
||||
description: Detects remote PowerShell sessions
|
||||
detection:
|
||||
SELECTION_1:
|
||||
ContextInfo: '* = ServerRemoteHost *'
|
||||
SELECTION_2:
|
||||
ContextInfo: '*wsmprovhost.exe*'
|
||||
condition: (SELECTION_1 and SELECTION_2)
|
||||
falsepositives:
|
||||
- Legitimate use remote PowerShell sessions
|
||||
id: 96b9f619-aa91-478f-bacb-c3e50f8df575
|
||||
level: high
|
||||
logsource:
|
||||
category: ps_module
|
||||
definition: PowerShell Module Logging must be enabled
|
||||
product: windows
|
||||
modified: 2021/10/16
|
||||
references:
|
||||
- https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190511223310.html
|
||||
status: test
|
||||
tags:
|
||||
- attack.execution
|
||||
- attack.t1059.001
|
||||
- attack.t1086
|
||||
- attack.lateral_movement
|
||||
- attack.t1021.006
|
||||
- attack.t1028
|
||||
yml_filename: powershell_remote_powershell_session.yml
|
||||
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_module
|
||||
|
||||
Reference in New Issue
Block a user