Updated rules

2021-11-06 09:51:38 +09:00
parent cb5bf450bb
commit f29b7d2d1a
32 changed files with 176 additions and 114 deletions
--- a/rules/PowershellOperational/400_T1562.010_PowershellV2DowngradeAttack.yml
+++ b/rules/PowershellOperational/400_T1562.010_PowershellV2DowngradeAttack.yml
@@ -0,0 +1,19 @@
+title: Powershell 2.0 Downgrade Attack
+title: Powershell 2.0へのダウングレード攻撃
+description: An attacker may have started Powershell 2.0 to evade detection.
+description_jp: 攻撃者は検知されないようにPowershell 2.0を起動したリスクがある。
+author: Matsui
+contributor: James Takai, itiB, Zach Mathis
+mitre_attack: T1562.010
+level: high
+detection:
+    selection:
+        Channel: Microsoft-Windows-PowerShell/Operational
+        EventID: 400
+        EventData|re: '[\s\S]*EngineVersion=2\.0[\s\S]*'
+falsepositives:
+    - legacy application
+output: 'Powershell 2.0 downgrade attack detected!'
+output_jp: 'Powershell 2.0へんおダウングレード攻撃は検知された！'
+creation_date: 2020/11/08
+updated_date:  2021/11/06
--- a/rules/PowershellOperational/4103_T1059_PowershellExecutionPipeline.yml
+++ b/rules/PowershellOperational/4103_T1059_PowershellExecutionPipeline.yml
@@ -0,0 +1,22 @@
+title: PowerShell Execution Pipeline
+title_jp: PowerShell実行
+description: Displays powershell execution
+description_jp: Powershellの実行を出力する。
+author: Eric Conrad
+contributor: Zach Mathis
+mitre_attack: T1059
+level: medium
+detection:
+    selection:
+        Channel: Microsoft-Windows-PowerShell/Operational
+        EventID: 4103
+        ContextInfo:
+            - Host Application
+            - ホスト アプリケーション
+    # condition: selection
+falsepositives:
+    - normal system usage
+output: 'Command = %CommandLine%'
+output_jp: 'コマンド = %CommandLine%'
+creation_date: 2020/11/08
+updated_date:  2021/11/06
--- a/rules/PowershellOperational/4104_T1059_PowershellExecutionRemoteCommand.yml
+++ b/rules/PowershellOperational/4104_T1059_PowershellExecutionRemoteCommand.yml
@@ -0,0 +1,21 @@
+title: PowerShell Execution Remote Command
+title_jp: Powershellのリモートコマンドの実行
+description: Powershell command executed remotely.
+description_jp: Powershell command executed remotely.
+author: Eric Conrad
+contributor: Zach Mathis
+mitre_attack: T1059
+level: medium
+detection:
+    selection:
+        Channel: Microsoft-Windows-PowerShell/Operational
+        EventID: 4104
+        Path: null
+        ScriptBlockText|re: '.+'
+    # condition: selection
+falsepositives:
+    - normal system usage
+output: 'Command = %ScriptBlockText%'
+output: 'コマンド = %ScriptBlockText%'
+creation_date: 2020/11/08
+updated_date:  2021/11/06