google / timesketch

Collaborative forensic timeline analysis
Apache License 2.0
2.56k stars 583 forks

Suspicious PowerShell activity analyzer #1153

Open berggren opened 4 years ago

berggren commented 4 years ago

Create an analyzer to tag suspicious PowerShell activity to detect things such as a base64 payload, usage of a pen testing framework such as PowerShell Empire, etc. The following presentation link gives some insightful ideas of searches we can potentially run: https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
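Added example (not Timesketch code and not the analyzer proposed in this issue): a small stand-alone tagger showing the kind of checks such an analyzer could run over `windows:evtx:record` events. It assumes each event is a dict with `data_type` and `message` keys, roughly the shape Plaso gives Windows event log records; the event samples, field names and tag names are constructed for the example. It detects `-EncodedCommand` arguments and decodes the base64 UTF-16LE payload so an analyst can see what was actually run, and tags hidden-window and execution-policy-bypass flags as weaker signals.

```python
"""Added example tagger for suspicious PowerShell command lines.

Not Timesketch's analyzer code. Event shape (dicts with 'data_type' and
'message') and the tag names are assumptions made for this example.
"""
import base64
import re

# powershell.exe accepts any unambiguous prefix of -EncodedCommand; the
# common short forms are listed explicitly here.
ENCODED_FLAG = re.compile(
    r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{8,})")
HIDDEN_WINDOW = re.compile(r"(?i)-w(?:indowstyle)?\s+hidden")
POLICY_BYPASS = re.compile(r"(?i)-ex(?:ecutionpolicy)?\s+bypass")


def b64_utf16(text):
    """Base64 of UTF-16LE text, the encoding -EncodedCommand expects.
    Used here only to build the constructed sample event."""
    return base64.b64encode(text.encode("utf-16le")).decode("ascii")


# Constructed sample events, loosely shaped like Plaso output for
# Windows event logs (data_type 'windows:evtx:record' as in the thread).
SAMPLE_EVENTS = [
    {"data_type": "windows:evtx:record",
     "message": "Process Create: powershell.exe -NoP -NonI -W Hidden -Enc "
                + b64_utf16("Write-Output hello")},
    {"data_type": "windows:evtx:record",
     "message": "Process Create: powershell.exe -ExecutionPolicy Bypass "
                "-File C:\\scripts\\backup.ps1"},
    {"data_type": "windows:evtx:record",
     "message": "Process Create: powershell.exe Get-ChildItem C:\\Users"},
    # Not an evtx record: the analyzer pass below must skip it.
    {"data_type": "syslog:line", "message": "powershell.exe -Enc AAAAAAAA"},
]


def decode_encoded_command(blob):
    """Return the script behind a -EncodedCommand argument, or None when
    the blob is not valid base64 or does not decode to UTF-16LE text."""
    try:
        raw = base64.b64decode(blob, validate=True)
        text = raw.decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None
    # Reject blobs that decode to empty or mostly non-printable data.
    if not text or not all(c.isprintable() or c in "\r\n\t" for c in text):
        return None
    return text


def tag_event(event):
    """Return (tags, decoded_script) for one event; tags is a sorted list."""
    message = event.get("message", "")
    if "powershell" not in message.lower():
        return [], None
    tags = set()
    decoded = None
    match = ENCODED_FLAG.search(message)
    if match:
        tags.add("powershell-encoded-command")
        decoded = decode_encoded_command(match.group(1))
    if HIDDEN_WINDOW.search(message):
        tags.add("powershell-hidden-window")
    if POLICY_BYPASS.search(message):
        # Noisy on its own: many legitimate admin scripts use this flag.
        tags.add("powershell-execution-policy-bypass")
    return sorted(tags), decoded


def analyze(events):
    """Mimic one analyzer pass: only windows:evtx:record events are
    considered; each is returned with its (possibly empty) tag list."""
    results = []
    for event in events:
        if event.get("data_type") != "windows:evtx:record":
            continue
        tags, decoded = tag_event(event)
        results.append({"message": event["message"], "tags": tags,
                        "decoded_command": decoded})
    return results


if __name__ == "__main__":
    for result in analyze(SAMPLE_EVENTS):
        print(result["tags"], result["decoded_command"])
```

The decoded command is kept alongside the tags because the base64 blob itself tells an analyst nothing; in a real analyzer it would be written back to the event as an attribute so it becomes searchable. The execution-policy tag is deliberately separate from the encoded-command tag so it can be weighted lower or dropped in environments where it is routine.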

jaegeral commented 4 years ago

So for that, we could actually use Sigma, as there are already a lot of Sigma rules for PowerShell available.

Some examples to test stuff: https://github.com/sans-blue-team/DeepBlueCLI/tree/master/evtx

eljeffeg commented 1 year ago

What is normally used to convert an evtx file to csv / json for Timesketch? I was playing with hayabusa and importing it into Timesketch, but it doesn't recognize the data_type as windows:evtx:record. Was thinking of trying to do a more direct import, since Timesketch can do Sigma, but it doesn't read evtx files. Would be nice if it did (and zip files that contain evtx, winevt/Logs).

jaegeral commented 1 year ago

The normal way would be to use Plaso for this.