Update powershell_malicious_commandlets.yml

Jonhnathan 2020-10-15 17:11:20 -03:00 committed by GitHub
parent 4a3607d50b
commit ec10d5a61f
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -16,102 +16,102 @@ logsource:
definition: 'It is recommended to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277' definition: 'It is recommended to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277'
detection: detection:
keywords: keywords:
Message: Message|contains:
- "*Invoke-DllInjection*" - "Invoke-DllInjection"
- "*Invoke-Shellcode*" - "Invoke-Shellcode"
- "*Invoke-WmiCommand*" - "Invoke-WmiCommand"
- "*Get-GPPPassword*" - "Get-GPPPassword"
- "*Get-Keystrokes*" - "Get-Keystrokes"
- "*Get-TimedScreenshot*" - "Get-TimedScreenshot"
- "*Get-VaultCredential*" - "Get-VaultCredential"
- "*Invoke-CredentialInjection*" - "Invoke-CredentialInjection"
- "*Invoke-Mimikatz*" - "Invoke-Mimikatz"
- "*Invoke-NinjaCopy*" - "Invoke-NinjaCopy"
- "*Invoke-TokenManipulation*" - "Invoke-TokenManipulation"
- "*Out-Minidump*" - "Out-Minidump"
- "*VolumeShadowCopyTools*" - "VolumeShadowCopyTools"
- "*Invoke-ReflectivePEInjection*" - "Invoke-ReflectivePEInjection"
- "*Invoke-UserHunter*" - "Invoke-UserHunter"
- "*Find-GPOLocation*" - "Find-GPOLocation"
- "*Invoke-ACLScanner*" - "Invoke-ACLScanner"
- "*Invoke-DowngradeAccount*" - "Invoke-DowngradeAccount"
- "*Get-ServiceUnquoted*" - "Get-ServiceUnquoted"
- "*Get-ServiceFilePermission*" - "Get-ServiceFilePermission"
- "*Get-ServicePermission*" - "Get-ServicePermission"
- "*Invoke-ServiceAbuse*" - "Invoke-ServiceAbuse"
- "*Install-ServiceBinary*" - "Install-ServiceBinary"
- "*Get-RegAutoLogon*" - "Get-RegAutoLogon"
- "*Get-VulnAutoRun*" - "Get-VulnAutoRun"
- "*Get-VulnSchTask*" - "Get-VulnSchTask"
- "*Get-UnattendedInstallFile*" - "Get-UnattendedInstallFile"
- "*Get-ApplicationHost*" - "Get-ApplicationHost"
- "*Get-RegAlwaysInstallElevated*" - "Get-RegAlwaysInstallElevated"
- "*Get-Unconstrained*" - "Get-Unconstrained"
- "*Add-RegBackdoor*" - "Add-RegBackdoor"
- "*Add-ScrnSaveBackdoor*" - "Add-ScrnSaveBackdoor"
- "*Gupt-Backdoor*" - "Gupt-Backdoor"
- "*Invoke-ADSBackdoor*" - "Invoke-ADSBackdoor"
- "*Enabled-DuplicateToken*" - "Enabled-DuplicateToken"
- "*Invoke-PsUaCme*" - "Invoke-PsUaCme"
- "*Remove-Update*" - "Remove-Update"
- "*Check-VM*" - "Check-VM"
- "*Get-LSASecret*" - "Get-LSASecret"
- "*Get-PassHashes*" - "Get-PassHashes"
- "*Show-TargetScreen*" - "Show-TargetScreen"
- "*Port-Scan*" - "Port-Scan"
- "*Invoke-PoshRatHttp*" - "Invoke-PoshRatHttp"
- "*Invoke-PowerShellTCP*" - "Invoke-PowerShellTCP"
- "*Invoke-PowerShellWMI*" - "Invoke-PowerShellWMI"
- "*Add-Exfiltration*" - "Add-Exfiltration"
- "*Add-Persistence*" - "Add-Persistence"
- "*Do-Exfiltration*" - "Do-Exfiltration"
- "*Start-CaptureServer*" - "Start-CaptureServer"
- "*Get-ChromeDump*" - "Get-ChromeDump"
- "*Get-ClipboardContents*" - "Get-ClipboardContents"
- "*Get-FoxDump*" - "Get-FoxDump"
- "*Get-IndexedItem*" - "Get-IndexedItem"
- "*Get-Screenshot*" - "Get-Screenshot"
- "*Invoke-Inveigh*" - "Invoke-Inveigh"
- "*Invoke-NetRipper*" - "Invoke-NetRipper"
- "*Invoke-EgressCheck*" - "Invoke-EgressCheck"
- "*Invoke-PostExfil*" - "Invoke-PostExfil"
- "*Invoke-PSInject*" - "Invoke-PSInject"
- "*Invoke-RunAs*" - "Invoke-RunAs"
- "*MailRaider*" - "MailRaider"
- "*New-HoneyHash*" - "New-HoneyHash"
- "*Set-MacAttribute*" - "Set-MacAttribute"
- "*Invoke-DCSync*" - "Invoke-DCSync"
- "*Invoke-PowerDump*" - "Invoke-PowerDump"
- "*Exploit-Jboss*" - "Exploit-Jboss"
- "*Invoke-ThunderStruck*" - "Invoke-ThunderStruck"
- "*Invoke-VoiceTroll*" - "Invoke-VoiceTroll"
- "*Set-Wallpaper*" - "Set-Wallpaper"
- "*Invoke-InveighRelay*" - "Invoke-InveighRelay"
- "*Invoke-PsExec*" - "Invoke-PsExec"
- "*Invoke-SSHCommand*" - "Invoke-SSHCommand"
- "*Get-SecurityPackages*" - "Get-SecurityPackages"
- "*Install-SSP*" - "Install-SSP"
- "*Invoke-BackdoorLNK*" - "Invoke-BackdoorLNK"
- "*PowerBreach*" - "PowerBreach"
- "*Get-SiteListPassword*" - "Get-SiteListPassword"
- "*Get-System*" - "Get-System"
- "*Invoke-BypassUAC*" - "Invoke-BypassUAC"
- "*Invoke-Tater*" - "Invoke-Tater"
- "*Invoke-WScriptBypassUAC*" - "Invoke-WScriptBypassUAC"
- "*PowerUp*" - "PowerUp"
- "*PowerView*" - "PowerView"
- "*Get-RickAstley*" - "Get-RickAstley"
- "*Find-Fruit*" - "Find-Fruit"
- "*HTTP-Login*" - "HTTP-Login"
- "*Find-TrustedDocuments*" - "Find-TrustedDocuments"
- "*Invoke-Paranoia*" - "Invoke-Paranoia"
- "*Invoke-WinEnum*" - "Invoke-WinEnum"
- "*Invoke-ARPScan*" - "Invoke-ARPScan"
- "*Invoke-PortScan*" - "Invoke-PortScan"
- "*Invoke-ReverseDNSLookup*" - "Invoke-ReverseDNSLookup"
- "*Invoke-SMBScanner*" - "Invoke-SMBScanner"
- "*Invoke-Mimikittenz*" - "Invoke-Mimikittenz"
- "*Invoke-AllChecks*" - "Invoke-AllChecks"
false_positives: false_positives:
- Get-SystemDriveInfo # http://bheltborg.dk/Windows/WinSxS/amd64_microsoft-windows-maintenancediagnostic_31bf3856ad364e35_10.0.10240.16384_none_91ef7543a4514b5e/CL_Utility.ps1 - Get-SystemDriveInfo # http://bheltborg.dk/Windows/WinSxS/amd64_microsoft-windows-maintenancediagnostic_31bf3856ad364e35_10.0.10240.16384_none_91ef7543a4514b5e/CL_Utility.ps1
condition: keywords and not false_positives condition: keywords and not false_positives
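Review bot: Taking the right-hand column as the new side, the `false_positives` exclusion at the end of the hunk is still a bare keyword entry while the detection it is paired with is now field-scoped through `Message|contains`, so the two halves of `keywords and not false_positives` no longer search the same way (most backends render a bare list as a full-text search across the event). For consistency, scope the exclusion to the same field: `false_positives:` / `  Message|contains:` / `    - 'Get-SystemDriveInfo'`. That exclusion also shows that short substrings such as `Get-System`, `PowerUp` and `PowerView` can match benign cmdlet names, and the `contains` rewrite keeps exactly that reach, so a one-line comment above `Message|contains:` such as `# substring matches on purpose: tool names appear inside longer command lines` would help the next maintainer. It is also worth stating in the rule that an event is suppressed entirely when `Get-SystemDriveInfo` co-occurs with one of the listed tool names in the same message, since that is how the `and not` condition behaves.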