21 lines
630 B
YAML
21 lines
630 B
YAML
title: PowerShell Execution Remote Command
|
|
title_jp: Powershellのリモートコマンドの実行
|
|
description: Powershell command executed remotely.
|
|
description_jp: Powershell command executed remotely.
|
|
author: Eric Conrad, Zach Mathis
|
|
mitre_attack: T1059
|
|
level: medium
|
|
detection:
|
|
selection:
|
|
Channel: Microsoft-Windows-PowerShell/Operational
|
|
EventID: 4104
|
|
Path: null
|
|
ScriptBlockText|re: '.+'
|
|
# condition: selection
|
|
falsepositives:
|
|
- normal system usage
|
|
output: 'Command: %ScriptBlockText%'
|
|
output: 'コマンド: %ScriptBlockText%'
|
|
creation_date: 2020/11/08
|
|
updated_date: 2021/11/06
|