paulmataruso/main
1
0
Fork 0
mirror of https://github.com/socfortress/Wazuh-Rules.git synced 2025-10-23 00:02:11 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #31 from landon-lengyel/patch-1

Browse Source 
Update 100535-win_powershell_rules.xml
This commit is contained in:
taylor_socfortress
2025-09-30 14:31:34 -05:00
committed by GitHub
parent 665c7ab5ee 843e238a4d
commit 90cd1c3b79
1 changed files with 5 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
Windows Powershell/100535-win_powershell_rules.xml
View File

@@ -64,7 +64,7 @@
<field name="win.system.severityValue">VERBOSE</field>
<description>Powershell script $(win.eventdata.scriptBlockText) Executed</description>
<mitre>
<id>T1087.002</id>>
<id>T1087.002</id>
</mitre>
<options>no_full_log</options>
</rule>
@@ -73,7 +73,7 @@
<field name="win.system.eventID">^4105$|^4106$</field>
<description>Disregard Powershell Text</description>
<mitre>
<id>T1087.002</id>>
<id>T1087.002</id>
</mitre>
</rule>
<rule id="100543" level="12">
@@ -81,7 +81,7 @@
<list field="win.eventdata.scriptBlockText" lookup="match_key">etc/lists/malicious-powershell</list>
<description>Malicious Powershell Command $(win.eventdata.scriptBlockText) Executed</description>
<mitre>
<id>T1087.002</id>>
<id>T1087.002</id>
</mitre>
<options>no_full_log</options>
</rule>
@@ -90,7 +90,7 @@
<field name="win.eventdata.scriptBlockText">PSMessageDetails|ErrorCategory_Message|OriginInfo</field>
<description>Disregard Powershell Prompt Text</description>
<mitre>
<id>T1087.002</id>>
<id>T1087.002</id>
</mitre>
</rule>
<rule id="100545" level="1">
@@ -98,7 +98,7 @@
<field name="win.eventdata.scriptBlockText">^prompt$</field>
<description>Disregard Powershell Prompt Text</description>
<mitre>
<id>T1087.002</id>>
<id>T1087.002</id>
</mitre>
</rule>
<rule id="100550" level="3">