valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-07 17:58:52 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Update powershell_malicious_keywords.yml

Browse Source
This commit is contained in:
Jonhnathan 2020-10-15 17:12:08 -03:00 committed by GitHub
parent ec10d5a61f
commit 8cf2596068
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 21 additions and 21 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

42
rules/windows/powershell/powershell_malicious_keywords.yml
View File

@ -16,27 +16,27 @@ logsource:
definition: 'It is recommended to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277'
detection:
keywords:
Message:
- "*AdjustTokenPrivileges*"
- "*IMAGE_NT_OPTIONAL_HDR64_MAGIC*"
- "*Microsoft.Win32.UnsafeNativeMethods*"
- "*ReadProcessMemory.Invoke*"
- "*SE_PRIVILEGE_ENABLED*"
- "*LSA_UNICODE_STRING*"
- "*MiniDumpWriteDump*"
- "*PAGE_EXECUTE_READ*"
- "*SECURITY_DELEGATION*"
- "*TOKEN_ADJUST_PRIVILEGES*"
- "*TOKEN_ALL_ACCESS*"
- "*TOKEN_ASSIGN_PRIMARY*"
- "*TOKEN_DUPLICATE*"
- "*TOKEN_ELEVATION*"
- "*TOKEN_IMPERSONATE*"
- "*TOKEN_INFORMATION_CLASS*"
- "*TOKEN_PRIVILEGES*"
- "*TOKEN_QUERY*"
- "*Metasploit*"
- "*Mimikatz*"
Message|contains:
- "AdjustTokenPrivileges"
- "IMAGE_NT_OPTIONAL_HDR64_MAGIC"
- "Microsoft.Win32.UnsafeNativeMethods"
- "ReadProcessMemory.Invoke"
- "SE_PRIVILEGE_ENABLED"
- "LSA_UNICODE_STRING"
- "MiniDumpWriteDump"
- "PAGE_EXECUTE_READ"
- "SECURITY_DELEGATION"
- "TOKEN_ADJUST_PRIVILEGES"
- "TOKEN_ALL_ACCESS"
- "TOKEN_ASSIGN_PRIMARY"
- "TOKEN_DUPLICATE"
- "TOKEN_ELEVATION"
- "TOKEN_IMPERSONATE"
- "TOKEN_INFORMATION_CLASS"
- "TOKEN_PRIVILEGES"
- "TOKEN_QUERY"
- "Metasploit"
- "Mimikatz"
condition: keywords
falsepositives:
- Penetration tests