mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-06-11 21:54:56 +03:00
mukul975
41 lines
1.6 KiB
Markdown
41 lines
1.6 KiB
Markdown
# Standards and References - Detecting Suspicious Powershell Execution
|
|
|
|
## MITRE ATT&CK Mappings
|
|
|
|
| Technique | Name | Description |
|
|
|-----------|------|-------------|
|
|
| T1059.001 | PowerShell | See attack.mitre.org/techniques/T1059/001 |
|
|
| T1059.003 | Windows Command Shell | See attack.mitre.org/techniques/T1059/003 |
|
|
| T1562.001 | Disable or Modify Tools | See attack.mitre.org/techniques/T1562/001 |
|
|
|
|
## Detection Data Sources
|
|
|
|
| Source | Event ID | Purpose |
|
|
|--------|----------|---------|
|
|
| Sysmon | 1 | Process creation with command line |
|
|
| Sysmon | 3 | Network connection initiated |
|
|
| Sysmon | 7 | Image loaded (DLL) |
|
|
| Sysmon | 10 | Process access (LSASS) |
|
|
| Sysmon | 11 | File creation |
|
|
| Sysmon | 12/13 | Registry create/set |
|
|
| Sysmon | 22 | DNS query |
|
|
| Sysmon | 25 | Process tampering |
|
|
| Windows Security | 4624 | Successful logon |
|
|
| Windows Security | 4625 | Failed logon |
|
|
| Windows Security | 4648 | Explicit credential logon |
|
|
| Windows Security | 4672 | Special privileges assigned |
|
|
| Windows Security | 4688 | Process creation |
|
|
| Windows Security | 4697 | Service installed |
|
|
| Windows Security | 4698 | Scheduled task created |
|
|
| Windows Security | 4769 | Kerberos TGS requested |
|
|
| Windows Security | 5140 | Network share accessed |
|
|
|
|
## References
|
|
|
|
- MITRE ATT&CK Framework: https://attack.mitre.org/
|
|
- Sigma Detection Rules: https://github.com/SigmaHQ/sigma
|
|
- LOLBAS Project: https://lolbas-project.github.io/
|
|
- Atomic Red Team Tests: https://github.com/redcanaryco/atomic-red-team
|
|
- Red Canary Threat Detection Report
|
|
- SANS Threat Hunting Summit Resources
|