paulmataruso/main
1
0
Fork 0
mirror of https://github.com/socfortress/Wazuh-Rules.git synced 2025-11-03 21:33:16 +00:00
Code Issues Packages Projects Releases Wiki Activity

Update 100535-win_powershell_rules.xml

Browse Source 
Added exclustion to rule 100542
This commit is contained in:
taylor_socfortress
2022-09-30 09:06:10 -05:00
committed by GitHub
parent 966887b5e3
commit 4290a8a590
1 changed files with 2 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
Windows Powershell/100535-win_powershell_rules.xml
View File

@@ -69,12 +69,13 @@
</rule> </rule>
<rule id="100542" level="1"> <rule id="100542" level="1">
<if_sid>100541</if_sid> <if_sid>100541</if_sid>
<field name="win.eventdata.scriptBlockText">prompt</field> <field name="win.eventdata.scriptBlockText">prompt|PSMessageDetails|ErrorCategory_Message|OriginInfo</field>
<description>Disregard Powershell prompt</description> <description>Disregard Powershell prompt</description>
<mitre> <mitre>
<id>T1087.002</id>> <id>T1087.002</id>>
</mitre> </mitre>
</rule> </rule>
<!--https://bradleyjkemp.dev/sigmadoc/rules/windows/powershell/powershell_script/posh_ps_powerview_malicious_commandlets.yml/-->
<rule id="100543" level="12"> <rule id="100543" level="12">
<if_sid>100541</if_sid> <if_sid>100541</if_sid>
<list field="win.eventdata.scriptBlockText" lookup="match_key">etc/lists/malicious-powershell</list> <list field="win.eventdata.scriptBlockText" lookup="match_key">etc/lists/malicious-powershell</list>