mirror of
https://github.com/valitydev/SigmaHQ.git
synced 2024-11-08 02:08:54 +00:00
Update powershell_malicious_commandlets.yml
This commit is contained in:
parent
4a3607d50b
commit
ec10d5a61f
@ -16,102 +16,102 @@ logsource:
|
|||||||
definition: 'It is recommended to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277'
|
definition: 'It is recommended to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277'
|
||||||
detection:
|
detection:
|
||||||
keywords:
|
keywords:
|
||||||
Message:
|
Message|contains:
|
||||||
- "*Invoke-DllInjection*"
|
- "Invoke-DllInjection"
|
||||||
- "*Invoke-Shellcode*"
|
- "Invoke-Shellcode"
|
||||||
- "*Invoke-WmiCommand*"
|
- "Invoke-WmiCommand"
|
||||||
- "*Get-GPPPassword*"
|
- "Get-GPPPassword"
|
||||||
- "*Get-Keystrokes*"
|
- "Get-Keystrokes"
|
||||||
- "*Get-TimedScreenshot*"
|
- "Get-TimedScreenshot"
|
||||||
- "*Get-VaultCredential*"
|
- "Get-VaultCredential"
|
||||||
- "*Invoke-CredentialInjection*"
|
- "Invoke-CredentialInjection"
|
||||||
- "*Invoke-Mimikatz*"
|
- "Invoke-Mimikatz"
|
||||||
- "*Invoke-NinjaCopy*"
|
- "Invoke-NinjaCopy"
|
||||||
- "*Invoke-TokenManipulation*"
|
- "Invoke-TokenManipulation"
|
||||||
- "*Out-Minidump*"
|
- "Out-Minidump"
|
||||||
- "*VolumeShadowCopyTools*"
|
- "VolumeShadowCopyTools"
|
||||||
- "*Invoke-ReflectivePEInjection*"
|
- "Invoke-ReflectivePEInjection"
|
||||||
- "*Invoke-UserHunter*"
|
- "Invoke-UserHunter"
|
||||||
- "*Find-GPOLocation*"
|
- "Find-GPOLocation"
|
||||||
- "*Invoke-ACLScanner*"
|
- "Invoke-ACLScanner"
|
||||||
- "*Invoke-DowngradeAccount*"
|
- "Invoke-DowngradeAccount"
|
||||||
- "*Get-ServiceUnquoted*"
|
- "Get-ServiceUnquoted"
|
||||||
- "*Get-ServiceFilePermission*"
|
- "Get-ServiceFilePermission"
|
||||||
- "*Get-ServicePermission*"
|
- "Get-ServicePermission"
|
||||||
- "*Invoke-ServiceAbuse*"
|
- "Invoke-ServiceAbuse"
|
||||||
- "*Install-ServiceBinary*"
|
- "Install-ServiceBinary"
|
||||||
- "*Get-RegAutoLogon*"
|
- "Get-RegAutoLogon"
|
||||||
- "*Get-VulnAutoRun*"
|
- "Get-VulnAutoRun"
|
||||||
- "*Get-VulnSchTask*"
|
- "Get-VulnSchTask"
|
||||||
- "*Get-UnattendedInstallFile*"
|
- "Get-UnattendedInstallFile"
|
||||||
- "*Get-ApplicationHost*"
|
- "Get-ApplicationHost"
|
||||||
- "*Get-RegAlwaysInstallElevated*"
|
- "Get-RegAlwaysInstallElevated"
|
||||||
- "*Get-Unconstrained*"
|
- "Get-Unconstrained"
|
||||||
- "*Add-RegBackdoor*"
|
- "Add-RegBackdoor"
|
||||||
- "*Add-ScrnSaveBackdoor*"
|
- "Add-ScrnSaveBackdoor"
|
||||||
- "*Gupt-Backdoor*"
|
- "Gupt-Backdoor"
|
||||||
- "*Invoke-ADSBackdoor*"
|
- "Invoke-ADSBackdoor"
|
||||||
- "*Enabled-DuplicateToken*"
|
- "Enabled-DuplicateToken"
|
||||||
- "*Invoke-PsUaCme*"
|
- "Invoke-PsUaCme"
|
||||||
- "*Remove-Update*"
|
- "Remove-Update"
|
||||||
- "*Check-VM*"
|
- "Check-VM"
|
||||||
- "*Get-LSASecret*"
|
- "Get-LSASecret"
|
||||||
- "*Get-PassHashes*"
|
- "Get-PassHashes"
|
||||||
- "*Show-TargetScreen*"
|
- "Show-TargetScreen"
|
||||||
- "*Port-Scan*"
|
- "Port-Scan"
|
||||||
- "*Invoke-PoshRatHttp*"
|
- "Invoke-PoshRatHttp"
|
||||||
- "*Invoke-PowerShellTCP*"
|
- "Invoke-PowerShellTCP"
|
||||||
- "*Invoke-PowerShellWMI*"
|
- "Invoke-PowerShellWMI"
|
||||||
- "*Add-Exfiltration*"
|
- "Add-Exfiltration"
|
||||||
- "*Add-Persistence*"
|
- "Add-Persistence"
|
||||||
- "*Do-Exfiltration*"
|
- "Do-Exfiltration"
|
||||||
- "*Start-CaptureServer*"
|
- "Start-CaptureServer"
|
||||||
- "*Get-ChromeDump*"
|
- "Get-ChromeDump"
|
||||||
- "*Get-ClipboardContents*"
|
- "Get-ClipboardContents"
|
||||||
- "*Get-FoxDump*"
|
- "Get-FoxDump"
|
||||||
- "*Get-IndexedItem*"
|
- "Get-IndexedItem"
|
||||||
- "*Get-Screenshot*"
|
- "Get-Screenshot"
|
||||||
- "*Invoke-Inveigh*"
|
- "Invoke-Inveigh"
|
||||||
- "*Invoke-NetRipper*"
|
- "Invoke-NetRipper"
|
||||||
- "*Invoke-EgressCheck*"
|
- "Invoke-EgressCheck"
|
||||||
- "*Invoke-PostExfil*"
|
- "Invoke-PostExfil"
|
||||||
- "*Invoke-PSInject*"
|
- "Invoke-PSInject"
|
||||||
- "*Invoke-RunAs*"
|
- "Invoke-RunAs"
|
||||||
- "*MailRaider*"
|
- "MailRaider"
|
||||||
- "*New-HoneyHash*"
|
- "New-HoneyHash"
|
||||||
- "*Set-MacAttribute*"
|
- "Set-MacAttribute"
|
||||||
- "*Invoke-DCSync*"
|
- "Invoke-DCSync"
|
||||||
- "*Invoke-PowerDump*"
|
- "Invoke-PowerDump"
|
||||||
- "*Exploit-Jboss*"
|
- "Exploit-Jboss"
|
||||||
- "*Invoke-ThunderStruck*"
|
- "Invoke-ThunderStruck"
|
||||||
- "*Invoke-VoiceTroll*"
|
- "Invoke-VoiceTroll"
|
||||||
- "*Set-Wallpaper*"
|
- "Set-Wallpaper"
|
||||||
- "*Invoke-InveighRelay*"
|
- "Invoke-InveighRelay"
|
||||||
- "*Invoke-PsExec*"
|
- "Invoke-PsExec"
|
||||||
- "*Invoke-SSHCommand*"
|
- "Invoke-SSHCommand"
|
||||||
- "*Get-SecurityPackages*"
|
- "Get-SecurityPackages"
|
||||||
- "*Install-SSP*"
|
- "Install-SSP"
|
||||||
- "*Invoke-BackdoorLNK*"
|
- "Invoke-BackdoorLNK"
|
||||||
- "*PowerBreach*"
|
- "PowerBreach"
|
||||||
- "*Get-SiteListPassword*"
|
- "Get-SiteListPassword"
|
||||||
- "*Get-System*"
|
- "Get-System"
|
||||||
- "*Invoke-BypassUAC*"
|
- "Invoke-BypassUAC"
|
||||||
- "*Invoke-Tater*"
|
- "Invoke-Tater"
|
||||||
- "*Invoke-WScriptBypassUAC*"
|
- "Invoke-WScriptBypassUAC"
|
||||||
- "*PowerUp*"
|
- "PowerUp"
|
||||||
- "*PowerView*"
|
- "PowerView"
|
||||||
- "*Get-RickAstley*"
|
- "Get-RickAstley"
|
||||||
- "*Find-Fruit*"
|
- "Find-Fruit"
|
||||||
- "*HTTP-Login*"
|
- "HTTP-Login"
|
||||||
- "*Find-TrustedDocuments*"
|
- "Find-TrustedDocuments"
|
||||||
- "*Invoke-Paranoia*"
|
- "Invoke-Paranoia"
|
||||||
- "*Invoke-WinEnum*"
|
- "Invoke-WinEnum"
|
||||||
- "*Invoke-ARPScan*"
|
- "Invoke-ARPScan"
|
||||||
- "*Invoke-PortScan*"
|
- "Invoke-PortScan"
|
||||||
- "*Invoke-ReverseDNSLookup*"
|
- "Invoke-ReverseDNSLookup"
|
||||||
- "*Invoke-SMBScanner*"
|
- "Invoke-SMBScanner"
|
||||||
- "*Invoke-Mimikittenz*"
|
- "Invoke-Mimikittenz"
|
||||||
- "*Invoke-AllChecks*"
|
- "Invoke-AllChecks"
|
||||||
false_positives:
|
false_positives:
|
||||||
- Get-SystemDriveInfo # http://bheltborg.dk/Windows/WinSxS/amd64_microsoft-windows-maintenancediagnostic_31bf3856ad364e35_10.0.10240.16384_none_91ef7543a4514b5e/CL_Utility.ps1
|
- Get-SystemDriveInfo # http://bheltborg.dk/Windows/WinSxS/amd64_microsoft-windows-maintenancediagnostic_31bf3856ad364e35_10.0.10240.16384_none_91ef7543a4514b5e/CL_Utility.ps1
|
||||||
condition: keywords and not false_positives
|
condition: keywords and not false_positives
|
||||||
|
Loading…
Reference in New Issue
Block a user