SigmaHQ/rules/windows/powershell/powershell_malicious_keywords.yml
2019-11-12 23:12:27 +01:00

43 lines
1.4 KiB
YAML

title: Malicious PowerShell Keywords
id: f62176f3-8128-4faa-bf6c-83261322e5eb
status: experimental
description: Detects keywords from well-known PowerShell exploitation frameworks
modified: 2019/01/22
references:
- https://adsecurity.org/?p=2921
tags:
- attack.execution
- attack.t1086
author: Sean Metcalf (source), Florian Roth (rule)
logsource:
product: windows
service: powershell
definition: 'It is recommended to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277'
detection:
keywords:
Message:
- "*AdjustTokenPrivileges*"
- "*IMAGE_NT_OPTIONAL_HDR64_MAGIC*"
- "*Microsoft.Win32.UnsafeNativeMethods*"
- "*ReadProcessMemory.Invoke*"
- "*SE_PRIVILEGE_ENABLED*"
- "*LSA_UNICODE_STRING*"
- "*MiniDumpWriteDump*"
- "*PAGE_EXECUTE_READ*"
- "*SECURITY_DELEGATION*"
- "*TOKEN_ADJUST_PRIVILEGES*"
- "*TOKEN_ALL_ACCESS*"
- "*TOKEN_ASSIGN_PRIMARY*"
- "*TOKEN_DUPLICATE*"
- "*TOKEN_ELEVATION*"
- "*TOKEN_IMPERSONATE*"
- "*TOKEN_INFORMATION_CLASS*"
- "*TOKEN_PRIVILEGES*"
- "*TOKEN_QUERY*"
- "*Metasploit*"
- "*Mimikatz*"
condition: keywords
falsepositives:
- Penetration tests
level: high