valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-07 17:58:52 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Update sysmon_powershell_exploit_scripts.yml

Browse Source
This commit is contained in:
Jonhnathan 2020-10-15 16:00:20 -03:00 committed by GitHub
parent b6b34b37d9
commit d2d49c445a
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 96 additions and 96 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

192
rules/windows/file_event/sysmon_powershell_exploit_scripts.yml
View File

@ -15,102 +15,102 @@ logsource:
product: windows
detection:
selection:
TargetFilename:
- '*\Invoke-DllInjection.ps1'
- '*\Invoke-WmiCommand.ps1'
- '*\Get-GPPPassword.ps1'
- '*\Get-Keystrokes.ps1'
- '*\Get-VaultCredential.ps1'
- '*\Invoke-CredentialInjection.ps1'
- '*\Invoke-Mimikatz.ps1'
- '*\Invoke-NinjaCopy.ps1'
- '*\Invoke-TokenManipulation.ps1'
- '*\Out-Minidump.ps1'
- '*\VolumeShadowCopyTools.ps1'
- '*\Invoke-ReflectivePEInjection.ps1'
- '*\Get-TimedScreenshot.ps1'
- '*\Invoke-UserHunter.ps1'
- '*\Find-GPOLocation.ps1'
- '*\Invoke-ACLScanner.ps1'
- '*\Invoke-DowngradeAccount.ps1'
- '*\Get-ServiceUnquoted.ps1'
- '*\Get-ServiceFilePermission.ps1'
- '*\Get-ServicePermission.ps1'
- '*\Invoke-ServiceAbuse.ps1'
- '*\Install-ServiceBinary.ps1'
- '*\Get-RegAutoLogon.ps1'
- '*\Get-VulnAutoRun.ps1'
- '*\Get-VulnSchTask.ps1'
- '*\Get-UnattendedInstallFile.ps1'
- '*\Get-WebConfig.ps1'
- '*\Get-ApplicationHost.ps1'
- '*\Get-RegAlwaysInstallElevated.ps1'
- '*\Get-Unconstrained.ps1'
- '*\Add-RegBackdoor.ps1'
- '*\Add-ScrnSaveBackdoor.ps1'
- '*\Gupt-Backdoor.ps1'
- '*\Invoke-ADSBackdoor.ps1'
- '*\Enabled-DuplicateToken.ps1'
- '*\Invoke-PsUaCme.ps1'
- '*\Remove-Update.ps1'
- '*\Check-VM.ps1'
- '*\Get-LSASecret.ps1'
- '*\Get-PassHashes.ps1'
- '*\Show-TargetScreen.ps1'
- '*\Port-Scan.ps1'
- '*\Invoke-PoshRatHttp.ps1'
- '*\Invoke-PowerShellTCP.ps1'
- '*\Invoke-PowerShellWMI.ps1'
- '*\Add-Exfiltration.ps1'
- '*\Add-Persistence.ps1'
- '*\Do-Exfiltration.ps1'
- '*\Start-CaptureServer.ps1'
- '*\Invoke-ShellCode.ps1'
- '*\Get-ChromeDump.ps1'
- '*\Get-ClipboardContents.ps1'
- '*\Get-FoxDump.ps1'
- '*\Get-IndexedItem.ps1'
- '*\Get-Screenshot.ps1'
- '*\Invoke-Inveigh.ps1'
- '*\Invoke-NetRipper.ps1'
- '*\Invoke-EgressCheck.ps1'
- '*\Invoke-PostExfil.ps1'
- '*\Invoke-PSInject.ps1'
- '*\Invoke-RunAs.ps1'
- '*\MailRaider.ps1'
- '*\New-HoneyHash.ps1'
- '*\Set-MacAttribute.ps1'
- '*\Invoke-DCSync.ps1'
- '*\Invoke-PowerDump.ps1'
- '*\Exploit-Jboss.ps1'
- '*\Invoke-ThunderStruck.ps1'
- '*\Invoke-VoiceTroll.ps1'
- '*\Set-Wallpaper.ps1'
- '*\Invoke-InveighRelay.ps1'
- '*\Invoke-PsExec.ps1'
- '*\Invoke-SSHCommand.ps1'
- '*\Get-SecurityPackages.ps1'
- '*\Install-SSP.ps1'
- '*\Invoke-BackdoorLNK.ps1'
- '*\PowerBreach.ps1'
- '*\Get-SiteListPassword.ps1'
- '*\Get-System.ps1'
- '*\Invoke-BypassUAC.ps1'
- '*\Invoke-Tater.ps1'
- '*\Invoke-WScriptBypassUAC.ps1'
- '*\PowerUp.ps1'
- '*\PowerView.ps1'
- '*\Get-RickAstley.ps1'
- '*\Find-Fruit.ps1'
- '*\HTTP-Login.ps1'
- '*\Find-TrustedDocuments.ps1'
- '*\Invoke-Paranoia.ps1'
- '*\Invoke-WinEnum.ps1'
- '*\Invoke-ARPScan.ps1'
- '*\Invoke-PortScan.ps1'
- '*\Invoke-ReverseDNSLookup.ps1'
- '*\Invoke-SMBScanner.ps1'
- '*\Invoke-Mimikittenz.ps1'
TargetFilename|endswith:
- '\Invoke-DllInjection.ps1'
- '\Invoke-WmiCommand.ps1'
- '\Get-GPPPassword.ps1'
- '\Get-Keystrokes.ps1'
- '\Get-VaultCredential.ps1'
- '\Invoke-CredentialInjection.ps1'
- '\Invoke-Mimikatz.ps1'
- '\Invoke-NinjaCopy.ps1'
- '\Invoke-TokenManipulation.ps1'
- '\Out-Minidump.ps1'
- '\VolumeShadowCopyTools.ps1'
- '\Invoke-ReflectivePEInjection.ps1'
- '\Get-TimedScreenshot.ps1'
- '\Invoke-UserHunter.ps1'
- '\Find-GPOLocation.ps1'
- '\Invoke-ACLScanner.ps1'
- '\Invoke-DowngradeAccount.ps1'
- '\Get-ServiceUnquoted.ps1'
- '\Get-ServiceFilePermission.ps1'
- '\Get-ServicePermission.ps1'
- '\Invoke-ServiceAbuse.ps1'
- '\Install-ServiceBinary.ps1'
- '\Get-RegAutoLogon.ps1'
- '\Get-VulnAutoRun.ps1'
- '\Get-VulnSchTask.ps1'
- '\Get-UnattendedInstallFile.ps1'
- '\Get-WebConfig.ps1'
- '\Get-ApplicationHost.ps1'
- '\Get-RegAlwaysInstallElevated.ps1'
- '\Get-Unconstrained.ps1'
- '\Add-RegBackdoor.ps1'
- '\Add-ScrnSaveBackdoor.ps1'
- '\Gupt-Backdoor.ps1'
- '\Invoke-ADSBackdoor.ps1'
- '\Enabled-DuplicateToken.ps1'
- '\Invoke-PsUaCme.ps1'
- '\Remove-Update.ps1'
- '\Check-VM.ps1'
- '\Get-LSASecret.ps1'
- '\Get-PassHashes.ps1'
- '\Show-TargetScreen.ps1'
- '\Port-Scan.ps1'
- '\Invoke-PoshRatHttp.ps1'
- '\Invoke-PowerShellTCP.ps1'
- '\Invoke-PowerShellWMI.ps1'
- '\Add-Exfiltration.ps1'
- '\Add-Persistence.ps1'
- '\Do-Exfiltration.ps1'
- '\Start-CaptureServer.ps1'
- '\Invoke-ShellCode.ps1'
- '\Get-ChromeDump.ps1'
- '\Get-ClipboardContents.ps1'
- '\Get-FoxDump.ps1'
- '\Get-IndexedItem.ps1'
- '\Get-Screenshot.ps1'
- '\Invoke-Inveigh.ps1'
- '\Invoke-NetRipper.ps1'
- '\Invoke-EgressCheck.ps1'
- '\Invoke-PostExfil.ps1'
- '\Invoke-PSInject.ps1'
- '\Invoke-RunAs.ps1'
- '\MailRaider.ps1'
- '\New-HoneyHash.ps1'
- '\Set-MacAttribute.ps1'
- '\Invoke-DCSync.ps1'
- '\Invoke-PowerDump.ps1'
- '\Exploit-Jboss.ps1'
- '\Invoke-ThunderStruck.ps1'
- '\Invoke-VoiceTroll.ps1'
- '\Set-Wallpaper.ps1'
- '\Invoke-InveighRelay.ps1'
- '\Invoke-PsExec.ps1'
- '\Invoke-SSHCommand.ps1'
- '\Get-SecurityPackages.ps1'
- '\Install-SSP.ps1'
- '\Invoke-BackdoorLNK.ps1'
- '\PowerBreach.ps1'
- '\Get-SiteListPassword.ps1'
- '\Get-System.ps1'
- '\Invoke-BypassUAC.ps1'
- '\Invoke-Tater.ps1'
- '\Invoke-WScriptBypassUAC.ps1'
- '\PowerUp.ps1'
- '\PowerView.ps1'
- '\Get-RickAstley.ps1'
- '\Find-Fruit.ps1'
- '\HTTP-Login.ps1'
- '\Find-TrustedDocuments.ps1'
- '\Invoke-Paranoia.ps1'
- '\Invoke-WinEnum.ps1'
- '\Invoke-ARPScan.ps1'
- '\Invoke-PortScan.ps1'
- '\Invoke-ReverseDNSLookup.ps1'
- '\Invoke-SMBScanner.ps1'
- '\Invoke-Mimikittenz.ps1'
condition: selection
falsepositives:
- Penetration Tests