Added Sigma Rules

2021-11-14 11:00:56 +09:00
parent ac3ea7b20b
commit 50aebce32e
1078 changed files with 45490 additions and 0 deletions
--- a/rules/Sigma/win_powershell_script_installed_as_service.yml
+++ b/rules/Sigma/win_powershell_script_installed_as_service.yml
@@ -0,0 +1,29 @@
+title: PowerShell Scripts Installed as Services
+author: oscd.community, Natalia Shornikova
+date: 2020/10/06
+description: Detects powershell script installed as a Service
+detection:
+    SELECTION_1:
+        EventID: 7045
+    SELECTION_2:
+        ImagePath: '*powershell*'
+    SELECTION_3:
+        ImagePath: '*pwsh*'
+    condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3))
+falsepositives:
+- Unknown
+id: a2e5019d-a658-4c6a-92bf-7197b54e2cae
+level: high
+logsource:
+    product: windows
+    service: system
+modified: 2021/09/21
+references:
+- https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
+status: experimental
+tags:
+- attack.execution
+- attack.t1569.002
+yml_filename: win_powershell_script_installed_as_service.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/builtin
+