paulmataruso/main
1
0
Fork 0
mirror of https://github.com/socfortress/Wazuh-Rules.git synced 2025-10-23 00:02:11 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
90cd1c3b790982efeff8c97c8bc9d28bf83383e5
main/Windows Powershell/100535-win_powershell_rules.xml
Landon Lengyel 843e238a4d Update 100535-win_powershell_rules.xml 
Removed double >> ending a few lines and breaking the XML
2024-10-16 14:57:00 -06:00

115 lines
3.9 KiB
XML
Raw Blame History

<var name="MS_FREQ">8</var>
<group name="windows,">
<rule id="100535" level="1">
<if_sid>60009</if_sid>
<field name="win.system.providerName">^PowerShell$</field>
<mitre>
<id>T1086</id>
</mitre>
<options>no_full_log</options>
<group>windows_powershell,</group>
<description>Powershell Information EventLog</description>
</rule>
<rule id="100536" level="5">
<if_sid>60010</if_sid>
<field name="win.system.providerName">^Microsoft-Windows-PowerShell$</field>
<field name="win.system.severityValue">^WARNING$</field>
<mitre>
<id>T1086</id>
</mitre>
<options>no_full_log</options>
<group>windows_powershell,</group>
<description>Powershell Warning EventLog</description>
</rule>
<rule id="100537" level="7">
<if_sid>60011</if_sid>
<field name="win.system.providerName">^Microsoft-Windows-PowerShell$</field>
<mitre>
<id>T1086</id>
</mitre>
<options>no_full_log</options>
<group>windows_powershell,</group>
<description>Powershell Error EventLog</description>
</rule>
<rule id="100538" level="12">
<if_sid>60012</if_sid>
<field name="win.system.providerName">^Microsoft-Windows-PowerShell$</field>
<mitre>
<id>T1086</id>
</mitre>
<options>no_full_log</options>
<group>windows_powershell,</group>
<description>Powershell Critical EventLog</description>
</rule>
<rule id="100539" level="12" frequency="$MS_FREQ" timeframe="60">
<if_matched_sid>100537</if_matched_sid>
<description>Short-time multiple Windows Powershell error events</description>
<mitre>
<id>T1086</id>
</mitre>
<options>no_full_log</options>
<group>pci_dss_10.6.1,gpg13_4.12,gdpr_IV_35.7.d,hipaa_164.312.b,nist_800_53_AU.6,tsc_CC7.2,tsc_CC7.3,</group>
</rule>
<rule id="100540" level="14" frequency="$MS_FREQ" timeframe="60">
<if_matched_sid>100538</if_matched_sid>
<description>Short-time multiple Windows Powershell critical events</description>
<mitre>
<id>T1086</id>
</mitre>
<options>no_full_log</options>
<group>pci_dss_10.6.1,gpg13_4.12,gdpr_IV_35.7.d,hipaa_164.312.b,nist_800_53_AU.6,tsc_CC7.2,tsc_CC7.3,</group>
</rule>
<rule id="100541" level="3">
<if_sid>91802</if_sid>
<field name="win.system.severityValue">VERBOSE</field>
<description>Powershell script $(win.eventdata.scriptBlockText) Executed</description>
<mitre>
<id>T1087.002</id>
</mitre>
<options>no_full_log</options>
</rule>
<rule id="100542" level="1">
<if_sid>100541</if_sid>
<field name="win.system.eventID">^4105$|^4106$</field>
<description>Disregard Powershell Text</description>
<mitre>
<id>T1087.002</id>
</mitre>
</rule>
<rule id="100543" level="12">
<if_sid>100541</if_sid>
<list field="win.eventdata.scriptBlockText" lookup="match_key">etc/lists/malicious-powershell</list>
<description>Malicious Powershell Command $(win.eventdata.scriptBlockText) Executed</description>
<mitre>
<id>T1087.002</id>
</mitre>
<options>no_full_log</options>
</rule>
<rule id="100544" level="1">
<if_sid>100541</if_sid>
<field name="win.eventdata.scriptBlockText">PSMessageDetails|ErrorCategory_Message|OriginInfo</field>
<description>Disregard Powershell Prompt Text</description>
<mitre>
<id>T1087.002</id>
</mitre>
</rule>
<rule id="100545" level="1">
<if_sid>100541</if_sid>
<field name="win.eventdata.scriptBlockText">^prompt$</field>
<description>Disregard Powershell Prompt Text</description>
<mitre>
<id>T1087.002</id>
</mitre>
</rule>
<rule id="100550" level="3">
<if_sid>100535</if_sid>
<field name="win.system.eventID">^400$</field>
<mitre>
<id>T1086</id>
</mitre>
<options>no_full_log</options>
<group>windows_powershell,</group>
<description>Powershell Information EventLog</description>
</rule>
</group>
Reference in New Issue View Git Blame Copy Permalink