title: Malicious PowerShell Commandlets
id: 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
status: experimental
description: Detects cmdlet names from well-known PowerShell exploitation frameworks
references:
- https://adsecurity.org/?p=2921
tags:
- attack.execution
- attack.t1059.001
- attack.t1086 #an old one
author: Sean Metcalf (source), Florian Roth (rule), Bartlomiej Czyz @bczyz1 (update), oscd.community (update)
date: 2017/03/05
modified: 2020/10/11
logsource:
product: windows
service: powershell
definition: 'It is recommended to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277'
detection:
# NOTE(review): despite its name this is a field-based selection (EventID plus
# ScriptBlockText|contains below), not a Sigma keyword list; the name only has
# to stay consistent with the `condition` expression.
keywords:
EventID: 4104 # PowerShell script block logging event; only emitted when Script Block Logging is enabled (see `definition`)
# `contains` is a substring match, so each name below also hits longer names
# that embed it (e.g. "Get-System" matches Get-SystemDriveInfo, which is why
# the false_positives selection exists).
ScriptBlockText|contains:
- "Invoke-DllInjection"
- "Invoke-Shellcode"
- "Invoke-WmiCommand"
- "Get-GPPPassword"
- "Get-Keystrokes"
- "Get-TimedScreenshot"
- "Get-VaultCredential"
- "Invoke-CredentialInjection"
- "Invoke-Mimikatz"
- "Invoke-NinjaCopy"
- "Invoke-TokenManipulation"
- "Out-Minidump"
- "VolumeShadowCopyTools"
- "Invoke-ReflectivePEInjection"
- "Invoke-UserHunter"
- "Find-GPOLocation"
- "Invoke-ACLScanner"
- "Invoke-DowngradeAccount"
- "Get-ServiceUnquoted"
- "Get-ServiceFilePermission"
- "Get-ServicePermission"
- "Invoke-ServiceAbuse"
- "Install-ServiceBinary"
- "Get-RegAutoLogon"
- "Get-VulnAutoRun"
- "Get-VulnSchTask"
- "Get-UnattendedInstallFile"
- "Get-ApplicationHost"
- "Get-RegAlwaysInstallElevated"
- "Get-Unconstrained"
- "Add-RegBackdoor"
- "Add-ScrnSaveBackdoor"
- "Gupt-Backdoor"
- "Invoke-ADSBackdoor"
- "Enabled-DuplicateToken"
- "Invoke-PsUaCme"
- "Remove-Update"
- "Check-VM"
- "Get-LSASecret"
- "Get-PassHashes"
- "Show-TargetScreen"
- "Port-Scan"
- "Invoke-PoshRatHttp"
- "Invoke-PowerShellTCP"
- "Invoke-PowerShellWMI"
- "Add-Exfiltration"
- "Add-Persistence"
- "Do-Exfiltration"
- "Start-CaptureServer"
- "Get-ChromeDump"
- "Get-ClipboardContents"
- "Get-FoxDump"
- "Get-IndexedItem"
- "Get-Screenshot"
- "Invoke-Inveigh"
- "Invoke-NetRipper"
- "Invoke-EgressCheck"
- "Invoke-PostExfil"
- "Invoke-PSInject"
- "Invoke-RunAs"
- "MailRaider"
- "New-HoneyHash"
- "Set-MacAttribute"
- "Invoke-DCSync"
- "Invoke-PowerDump"
- "Exploit-Jboss"
- "Invoke-ThunderStruck"
- "Invoke-VoiceTroll"
- "Set-Wallpaper"
- "Invoke-InveighRelay"
- "Invoke-PsExec"
- "Invoke-SSHCommand"
- "Get-SecurityPackages"
- "Install-SSP"
- "Invoke-BackdoorLNK"
- "PowerBreach"
- "Get-SiteListPassword"
- "Get-System" # substring also matches Get-SystemDriveInfo (excluded in false_positives) and any other Get-System* name
- "Invoke-BypassUAC"
- "Invoke-Tater"
- "Invoke-WScriptBypassUAC"
- "PowerUp"
- "PowerView"
- "Get-RickAstley"
- "Find-Fruit"
- "HTTP-Login"
- "Find-TrustedDocuments"
- "Invoke-Paranoia"
- "Invoke-WinEnum"
- "Invoke-ARPScan"
- "Invoke-PortScan"
- "Invoke-ReverseDNSLookup"
- "Invoke-SMBScanner"
- "Invoke-Mimikittenz"
- "Invoke-AllChecks"
false_positives:
EventID: 4104
ScriptBlockText|contains:
- Get-SystemDriveInfo # http://bheltborg.dk/Windows/WinSxS/amd64_microsoft-windows-maintenancediagnostic_31bf3856ad364e35_10.0.10240.16384_none_91ef7543a4514b5e/CL_Utility.ps1
# NOTE(review): `not false_positives` drops the whole event, so a script block
# that contains Get-SystemDriveInfo *and* one of the listed names is never
# alerted on; keep the exclusion list as narrow as possible.
condition: keywords and not false_positives
# NOTE(review): some listed names are fairly generic (e.g. Check-VM, Port-Scan,
# Remove-Update, PowerUp) and may also appear in benign scripts — confirm
# against local script-block logs before relying on `level: high`.
falsepositives:
- Penetration testing
level: high