1 <!-- OSSEC PowerShell event rules for Windows (https://www.rootusers.com/enable-and-configure-module-script-block-and-transcription-logging-in-windows-powershell/, https://www.searchdatacenter.de/tipp/PowerShell-Logging-steigert-die-Unternehmenssicherheit, https://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/5760096ecf80a129e0b17634/1465911664070/Windows-PowerShell+Logging+Cheat+Sheet+ver+June+2016+v2.pdf -->
3 <!-- Not recommended by CIS due to Windows default ACL settings -->
4 <!-- Turn on logging: Computer Configuration > Policies > Administrative Templates > Windows Components > Windows PowerShell -> Turn on PowerShell Script Block Logging -->
5 <!-- Add <localfile> <location>Powershell</location> <log_format>eventlog</log_format> </localfile> to ossec.conf on Windows Agent -->
7 <!-- Rule IDs 20500-2509 -->
9 <group name="windows,powershell,">
11 <rule id="20500" level="8">
12 <if_sid>18101</if_sid>
14 <match>PowerShell</match>
15 <description>Windows PowerShell was started.</description>
18 <rule id="20501" level="8">
19 <if_sid>18101</if_sid>
21 <match>PowerShell</match>
22 <description>Windows PowerShell command executed.</description>
25 <rule id="20502" level="8">
26 <if_sid>18101</if_sid>
28 <match>PowerShell</match>
29 <description>Windows PowerShell was stopped.</description>
32 <rule id="20503" level="2">
33 <if_sid>20501</if_sid>
34 <regex>Set-StrictMode -Version 1; \.+\w+</regex>
35 <description>A wrong/misspelled command was tried</description>
38 <rule id="20504" level="2">
39 <if_sid>20501</if_sid>
40 <match>CommandLine= CommandInvocation</match>
41 <description>Powershell background activity</description>
44 <rule id="20505" level="12">
45 <if_sid>20501</if_sid>
46 <match>Set-ExecutionPolicy|Mimikatz|EncodedCommand|Payload|Find-AVSignature|DllInjection|ReflectivePEInjection|Invoke-Shellcode|Invoke--Shellcode|Invoke-ShellcodeMSIL|Get-GPPPassword|Get-Keystrokes|Get-TimedScreenshot|Get-VaultCredential|Invoke-CredentialInjection|Invoke-NinjaCopy|Invoke-TokenManipulation|Out-Minidump|Set-MasterBootRecord|New-ElevatedPersistenceOption|Invoke-CallbackIEX|Invoke-PSInject|Invoke-DllEncode|Get-ServiceUnquoted|Get-ServiceEXEPerms|Get-ServicePerms|Invoke-ServiceUserAdd|Invoke-ServiceCMD|Write-UserAddServiceBinary|Write-CMDServiceBinary|Write-UserAddMSI|Write-ServiceEXE|Write-ServiceEXECMD|Restore-ServiceEXE|Invoke-ServiceStart|Invoke-ServiceStop|Invoke-ServiceEnable|Invoke-ServiceDisable|Invoke-FindDLLHijack|Invoke-FindPathHijack|Get-RegAlwaysInstallElevated|Get-RegAutoLogon|Get-UnattendedInstallFiles|Get-Webconfig|Get-Webconfig|Get-ApplicationHost|Invoke-AllChecks|Invoke-MassCommand|Invoke-MassMimikatz|Invoke-MassSearch|Invoke-MassTemplate|Invoke-MassTokens|HTTP-Backdoor|Add-ScrnSaveBackdoor|Gupt-Backdoor|Invoke-ADSBackdoor|Execute-OnTime|DNS_TXT_Pwnage|Out-Word|Out-Excel|Out-Java|Out-Shortcut|Out-CHM|Out-HTA|Enable-DuplicateToken|Remove-Update|Execute-DNSTXT-Code|Download-Execute-PS|Execute-Command-MSSQL|Download_Execute|Get-PassHashes|Invoke-CredentialsPhish|Get-LsaSecret|Get-Information|Invoke-MimikatzWDigestDowngrade|Copy-VSS|Check-VM|Invoke-NetworkRelay|Create-MultipleSessions|Run-EXEonRemote|Invoke-BruteForce|Port-Scan|Invoke-PowerShellIcmp|Invoke-PowerShellUdp|Invoke-PsGcatAgent|Invoke-PoshRatHttps|Invoke-PowerShellTcp|Invoke-PoshRatHttp|Invoke-PowerShellWmi|Invoke-PSGcat|Remove-PoshRat|TexttoEXE|Invoke-Encode|Invoke-Decode|Base64ToString|StringtoBase64|Do-Exfiltration|Parse_Keys|Add-Exfiltration|Add-Persistence|Remove-Persistence|Invoke-CreateCertificate|powercat|Find-PSServiceAccounts|Get-PSADForestKRBTGTInfo|Discover-PSMSSQLServers|Discover-PSMSExchangeServers|Get-PSADForestInfo|Get-KerberosPolicy|Discover-PSInterestingServices</match>
47 <description>Possibly Dangerous Command Detected (https://gist.github.com/gfoss/2b39d680badd2cad9d82#file-powershell-command-line-logging)</description>
projects / ossec-hids.git / blob