Feature/rm submodule (#312)

* rm: submodule * Add: rules * Fix: hayabusa-rules to c9c10a
2021-12-20 21:14:32 +09:00
parent 1aebdca160
commit 83d891b2fa
1196 changed files with 46186 additions and 4 deletions
@@ -0,0 +1,26 @@
+
+title: SyncAppvPublishingServer Execution to Bypass Powershell Restriction
+ruletype: Sigma
+author: Ensar Şamil, @sblmsrsn, OSCD Community
+date: 2020/10/05
+description: Detects SyncAppvPublishingServer process execution which usually utilized
+  by adversaries to bypass PowerShell execution restrictions.
+detection:
+  condition: SyncAppvPublishingServer.exe
+falsepositives:
+- App-V clients
+id: 9f7aa113-9da6-4a8d-907c-5f1a4b908299
+level: medium
+logsource:
+  product: windows
+  service: powershell
+modified: 2021/09/11
+references:
+- https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/
+related:
+- id: fde7929d-8beb-4a4c-b922-be9974671667
+  type: derived
+status: deprecated
+tags:
+- attack.defense_evasion
+- attack.t1218