Update powershell_malicious_commandlets.yml

Jonhnathan 2020-10-15 17:11:20 -03:00 committed by GitHub
parent 4a3607d50b
commit ec10d5a61f
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


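--- a/powershell_malicious_commandlets.yml
+++ b/powershell_malicious_commandlets.yml
@@ -16,102 +16,102 @@ logsource:
 definition: 'It is recommended to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277'
 detection:
 keywords:
-Message:
-- "*Invoke-DllInjection*"
-- "*Invoke-Shellcode*"
-- "*Invoke-WmiCommand*"
-- "*Get-GPPPassword*"
-- "*Get-Keystrokes*"
-- "*Get-TimedScreenshot*"
-- "*Get-VaultCredential*"
-- "*Invoke-CredentialInjection*"
-- "*Invoke-Mimikatz*"
-- "*Invoke-NinjaCopy*"
-- "*Invoke-TokenManipulation*"
-- "*Out-Minidump*"
-- "*VolumeShadowCopyTools*"
-- "*Invoke-ReflectivePEInjection*"
-- "*Invoke-UserHunter*"
-- "*Find-GPOLocation*"
-- "*Invoke-ACLScanner*"
-- "*Invoke-DowngradeAccount*"
-- "*Get-ServiceUnquoted*"
-- "*Get-ServiceFilePermission*"
-- "*Get-ServicePermission*"
-- "*Invoke-ServiceAbuse*"
-- "*Install-ServiceBinary*"
-- "*Get-RegAutoLogon*"
-- "*Get-VulnAutoRun*"
-- "*Get-VulnSchTask*"
-- "*Get-UnattendedInstallFile*"
-- "*Get-ApplicationHost*"
-- "*Get-RegAlwaysInstallElevated*"
-- "*Get-Unconstrained*"
-- "*Add-RegBackdoor*"
-- "*Add-ScrnSaveBackdoor*"
-- "*Gupt-Backdoor*"
-- "*Invoke-ADSBackdoor*"
-- "*Enabled-DuplicateToken*"
-- "*Invoke-PsUaCme*"
-- "*Remove-Update*"
-- "*Check-VM*"
-- "*Get-LSASecret*"
-- "*Get-PassHashes*"
-- "*Show-TargetScreen*"
-- "*Port-Scan*"
-- "*Invoke-PoshRatHttp*"
-- "*Invoke-PowerShellTCP*"
-- "*Invoke-PowerShellWMI*"
-- "*Add-Exfiltration*"
-- "*Add-Persistence*"
-- "*Do-Exfiltration*"
-- "*Start-CaptureServer*"
-- "*Get-ChromeDump*"
-- "*Get-ClipboardContents*"
-- "*Get-FoxDump*"
-- "*Get-IndexedItem*"
-- "*Get-Screenshot*"
-- "*Invoke-Inveigh*"
-- "*Invoke-NetRipper*"
-- "*Invoke-EgressCheck*"
-- "*Invoke-PostExfil*"
-- "*Invoke-PSInject*"
-- "*Invoke-RunAs*"
-- "*MailRaider*"
-- "*New-HoneyHash*"
-- "*Set-MacAttribute*"
-- "*Invoke-DCSync*"
-- "*Invoke-PowerDump*"
-- "*Exploit-Jboss*"
-- "*Invoke-ThunderStruck*"
-- "*Invoke-VoiceTroll*"
-- "*Set-Wallpaper*"
-- "*Invoke-InveighRelay*"
-- "*Invoke-PsExec*"
-- "*Invoke-SSHCommand*"
-- "*Get-SecurityPackages*"
-- "*Install-SSP*"
-- "*Invoke-BackdoorLNK*"
-- "*PowerBreach*"
-- "*Get-SiteListPassword*"
-- "*Get-System*"
-- "*Invoke-BypassUAC*"
-- "*Invoke-Tater*"
-- "*Invoke-WScriptBypassUAC*"
-- "*PowerUp*"
-- "*PowerView*"
-- "*Get-RickAstley*"
-- "*Find-Fruit*"
-- "*HTTP-Login*"
-- "*Find-TrustedDocuments*"
-- "*Invoke-Paranoia*"
-- "*Invoke-WinEnum*"
-- "*Invoke-ARPScan*"
-- "*Invoke-PortScan*"
-- "*Invoke-ReverseDNSLookup*"
-- "*Invoke-SMBScanner*"
-- "*Invoke-Mimikittenz*"
-- "*Invoke-AllChecks*"
+Message|contains:
+- "Invoke-DllInjection"
+- "Invoke-Shellcode"
+- "Invoke-WmiCommand"
+- "Get-GPPPassword"
+- "Get-Keystrokes"
+- "Get-TimedScreenshot"
+- "Get-VaultCredential"
+- "Invoke-CredentialInjection"
+- "Invoke-Mimikatz"
+- "Invoke-NinjaCopy"
+- "Invoke-TokenManipulation"
+- "Out-Minidump"
+- "VolumeShadowCopyTools"
+- "Invoke-ReflectivePEInjection"
+- "Invoke-UserHunter"
+- "Find-GPOLocation"
+- "Invoke-ACLScanner"
+- "Invoke-DowngradeAccount"
+- "Get-ServiceUnquoted"
+- "Get-ServiceFilePermission"
+- "Get-ServicePermission"
+- "Invoke-ServiceAbuse"
+- "Install-ServiceBinary"
+- "Get-RegAutoLogon"
+- "Get-VulnAutoRun"
+- "Get-VulnSchTask"
+- "Get-UnattendedInstallFile"
+- "Get-ApplicationHost"
+- "Get-RegAlwaysInstallElevated"
+- "Get-Unconstrained"
+- "Add-RegBackdoor"
+- "Add-ScrnSaveBackdoor"
+- "Gupt-Backdoor"
+- "Invoke-ADSBackdoor"
+- "Enabled-DuplicateToken"
+- "Invoke-PsUaCme"
+- "Remove-Update"
+- "Check-VM"
+- "Get-LSASecret"
+- "Get-PassHashes"
+- "Show-TargetScreen"
+- "Port-Scan"
+- "Invoke-PoshRatHttp"
+- "Invoke-PowerShellTCP"
+- "Invoke-PowerShellWMI"
+- "Add-Exfiltration"
+- "Add-Persistence"
+- "Do-Exfiltration"
+- "Start-CaptureServer"
+- "Get-ChromeDump"
+- "Get-ClipboardContents"
+- "Get-FoxDump"
+- "Get-IndexedItem"
+- "Get-Screenshot"
+- "Invoke-Inveigh"
+- "Invoke-NetRipper"
+- "Invoke-EgressCheck"
+- "Invoke-PostExfil"
+- "Invoke-PSInject"
+- "Invoke-RunAs"
+- "MailRaider"
+- "New-HoneyHash"
+- "Set-MacAttribute"
+- "Invoke-DCSync"
+- "Invoke-PowerDump"
+- "Exploit-Jboss"
+- "Invoke-ThunderStruck"
+- "Invoke-VoiceTroll"
+- "Set-Wallpaper"
+- "Invoke-InveighRelay"
+- "Invoke-PsExec"
+- "Invoke-SSHCommand"
+- "Get-SecurityPackages"
+- "Install-SSP"
+- "Invoke-BackdoorLNK"
+- "PowerBreach"
+- "Get-SiteListPassword"
+- "Get-System"
+- "Invoke-BypassUAC"
+- "Invoke-Tater"
+- "Invoke-WScriptBypassUAC"
+- "PowerUp"
+- "PowerView"
+- "Get-RickAstley"
+- "Find-Fruit"
+- "HTTP-Login"
+- "Find-TrustedDocuments"
+- "Invoke-Paranoia"
+- "Invoke-WinEnum"
+- "Invoke-ARPScan"
+- "Invoke-PortScan"
+- "Invoke-ReverseDNSLookup"
+- "Invoke-SMBScanner"
+- "Invoke-Mimikittenz"
+- "Invoke-AllChecks"
 false_positives:
 - Get-SystemDriveInfo # http://bheltborg.dk/Windows/WinSxS/amd64_microsoft-windows-maintenancediagnostic_31bf3856ad364e35_10.0.10240.16384_none_91ef7543a4514b5e/CL_Utility.ps1
 condition: keywords and not false_positives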
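Review bot: The `false_positives` selection at the end of the hunk is still an unfielded keyword, while the match list above it now uses `Message|contains`, so the exclusion is evaluated against the whole event rather than the field the rule matches on. Scoping it the same way, with `Message|contains: 'Get-SystemDriveInfo'` under `false_positives:`, would keep both halves of `keywords and not false_positives` on one field. Short entries such as `Get-System`, `PowerUp` and `PowerView` match as substrings of longer identifiers, which is presumably why the exclusion exists. A comment above the list, for example `# substring match on Message; short entries need an explicit exclusion`, would tell the next editor to check new short names for benign collisions. The rule's header and `logsource` start above the hunk, and indentation is lost on this page, so the nesting is inferred from the condition line.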