具有发现能力的 PowerShell 脚本

event.category:process and host.os.type:windows and
  powershell.file.script_block_text : (
    (
      "Get-ADDefaultDomainPasswordPolicy" or
      "Get-ADDomain" or "Get-ComputerInfo" or
      "Get-Disk" or "Get-DnsClientCache" or
      "Get-GPOReport" or "Get-HotFix" or
      "Get-LocalUser" or "Get-NetFirewallProfile" or
      "get-nettcpconnection" or "Get-NetAdapter" or
      "Get-PhysicalDisk" or "Get-Process" or
      "Get-PSDrive" or "Get-Service" or
      "Get-SmbShare" or "Get-WinEvent"
    ) or
    (
      ("Get-WmiObject" or "gwmi" or "Get-CimInstance" or
       "gcim" or "Management.ManagementObjectSearcher" or
       "System.Management.ManagementClass" or
       "[WmiClass]" or "[WMI]") and
      (
        "AntiVirusProduct" or "CIM_BIOSElement" or "CIM_ComputerSystem" or "CIM_Product" or "CIM_DiskDrive" or
        "CIM_LogicalDisk" or "CIM_NetworkAdapter" or "CIM_StorageVolume" or "CIM_OperatingSystem" or
        "CIM_Process" or "CIM_Service" or "MSFT_DNSClientCache" or "Win32_BIOS" or "Win32_ComputerSystem" or
        "Win32_ComputerSystemProduct" or "Win32_DiskDrive" or "win32_environment" or "Win32_Group" or
        "Win32_groupuser" or "Win32_IP4RouteTable" or "Win32_logicaldisk" or "Win32_MappedLogicalDisk" or
        "Win32_NetworkAdapterConfiguration" or "win32_ntdomain" or "Win32_OperatingSystem" or
        "Win32_PnPEntity" or "Win32_Process" or "Win32_Product" or "Win32_quickfixengineering" or
        "win32_service" or "Win32_Share" or "Win32_UserAccount"
      )
    ) or
    (
      ("ADSI" and "WinNT") or
      ("Get-ChildItem" and "sysmondrv.sys") or
      ("::GetIPGlobalProperties()" and "GetActiveTcpConnections()") or
      ("ServiceProcess.ServiceController" and "::GetServices") or
      ("Diagnostics.Process" and "::GetProcesses") or
      ("DirectoryServices.Protocols.GroupPolicy" and ".GetGPOReport()") or
      ("DirectoryServices.AccountManagement" and "PrincipalSearcher") or
      ("NetFwTypeLib.NetFwMgr" and "CurrentProfile") or
      ("NetworkInformation.NetworkInterface" and "GetAllNetworkInterfaces") or
      ("Automation.PSDriveInfo") or
      ("Microsoft.Win32.RegistryHive")
    ) or
    (
      "Get-ItemProperty" and
      (
        "\Control\SecurityProviders\WDigest" or
        "\microsoft\windows\currentversion\explorer\runmru" or
        "\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters" or
        "\Microsoft\Windows\CurrentVersion\Uninstall" or
        "\Microsoft\Windows\WindowsUpdate" or
        "Policies\Microsoft\Windows\Installer" or
        "Software\Microsoft\Windows\CurrentVersion\Policies" or
        ("\Services\SharedAccess\Parameters\FirewallPolicy" and "EnableFirewall") or
        ("Microsoft\Windows\CurrentVersion\Internet Settings" and "proxyEnable")
      )
    ) or
    (
      ("Directoryservices.Activedirectory" or
      "DirectoryServices.AccountManagement") and
      (
        "Domain Admins" or "DomainControllers" or
        "FindAllGlobalCatalogs" or "GetAllTrustRelationships" or
        "GetCurrentDomain" or "GetCurrentForest"
      ) or
      "DirectoryServices.DirectorySearcher" and
      (
        "samAccountType=805306368" or
        "samAccountType=805306369" or
        "objectCategory=group" or
        "objectCategory=groupPolicyContainer" or
        "objectCategory=site" or
        "objectCategory=subnet" or
        "objectClass=trustedDomain"
      )
    ) or
    (
      "Get-Process" and
      (
        "mcshield" or "windefend" or "savservice" or
        "TMCCSF" or "symantec antivirus" or
        "CSFalcon" or "TmPfw" or "kvoop"
      )
    )
  ) and
  not powershell.file.script_block_text : (
    (
      "__cmdletization_BindCommonParameters" and
      "Microsoft.PowerShell.Core\Export-ModuleMember" and
      "Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter"
    ) or
    "CmdletsToExport=@(\"Add-Content\","
  ) and
  not user.id : ("S-1-5-18" or "S-1-5-19" or "S-1-5-20")