valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-06 09:25:17 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
50379800f2
SigmaHQ/wazuh/rules/sigma_sysmon_powershell_exploit_scripts.yml
joker2013 50379800f2 123
2020-12-03 01:43:30 +03:00

16 lines
2.9 KiB
YAML
Raw Blame History

alert:
- debug
description: Detects the creation of known powershell scripts for exploitation
filter:
- query:
query_string:
query: data.win.eventdata.targetFilename.keyword:(*\\Invoke\-DllInjection.ps1 OR *\\Invoke\-WmiCommand.ps1 OR *\\Get\-GPPPassword.ps1 OR *\\Get\-Keystrokes.ps1 OR *\\Get\-VaultCredential.ps1 OR *\\Invoke\-CredentialInjection.ps1 OR *\\Invoke\-Mimikatz.ps1 OR *\\Invoke\-NinjaCopy.ps1 OR *\\Invoke\-TokenManipulation.ps1 OR *\\Out\-Minidump.ps1 OR *\\VolumeShadowCopyTools.ps1 OR *\\Invoke\-ReflectivePEInjection.ps1 OR *\\Get\-TimedScreenshot.ps1 OR *\\Invoke\-UserHunter.ps1 OR *\\Find\-GPOLocation.ps1 OR *\\Invoke\-ACLScanner.ps1 OR *\\Invoke\-DowngradeAccount.ps1 OR *\\Get\-ServiceUnquoted.ps1 OR *\\Get\-ServiceFilePermission.ps1 OR *\\Get\-ServicePermission.ps1 OR *\\Invoke\-ServiceAbuse.ps1 OR *\\Install\-ServiceBinary.ps1 OR *\\Get\-RegAutoLogon.ps1 OR *\\Get\-VulnAutoRun.ps1 OR *\\Get\-VulnSchTask.ps1 OR *\\Get\-UnattendedInstallFile.ps1 OR *\\Get\-WebConfig.ps1 OR *\\Get\-ApplicationHost.ps1 OR *\\Get\-RegAlwaysInstallElevated.ps1 OR *\\Get\-Unconstrained.ps1 OR *\\Add\-RegBackdoor.ps1 OR *\\Add\-ScrnSaveBackdoor.ps1 OR *\\Gupt\-Backdoor.ps1 OR *\\Invoke\-ADSBackdoor.ps1 OR *\\Enabled\-DuplicateToken.ps1 OR *\\Invoke\-PsUaCme.ps1 OR *\\Remove\-Update.ps1 OR *\\Check\-VM.ps1 OR *\\Get\-LSASecret.ps1 OR *\\Get\-PassHashes.ps1 OR *\\Show\-TargetScreen.ps1 OR *\\Port\-Scan.ps1 OR *\\Invoke\-PoshRatHttp.ps1 OR *\\Invoke\-PowerShellTCP.ps1 OR *\\Invoke\-PowerShellWMI.ps1 OR *\\Add\-Exfiltration.ps1 OR *\\Add\-Persistence.ps1 OR *\\Do\-Exfiltration.ps1 OR *\\Start\-CaptureServer.ps1 OR *\\Invoke\-ShellCode.ps1 OR *\\Get\-ChromeDump.ps1 OR *\\Get\-ClipboardContents.ps1 OR *\\Get\-FoxDump.ps1 OR *\\Get\-IndexedItem.ps1 OR *\\Get\-Screenshot.ps1 OR *\\Invoke\-Inveigh.ps1 OR *\\Invoke\-NetRipper.ps1 OR *\\Invoke\-EgressCheck.ps1 OR *\\Invoke\-PostExfil.ps1 OR *\\Invoke\-PSInject.ps1 OR *\\Invoke\-RunAs.ps1 OR *\\MailRaider.ps1 OR *\\New\-HoneyHash.ps1 OR *\\Set\-MacAttribute.ps1 OR *\\Invoke\-DCSync.ps1 OR *\\Invoke\-PowerDump.ps1 OR *\\Exploit\-Jboss.ps1 OR *\\Invoke\-ThunderStruck.ps1 OR *\\Invoke\-VoiceTroll.ps1 OR *\\Set\-Wallpaper.ps1 OR *\\Invoke\-InveighRelay.ps1 OR *\\Invoke\-PsExec.ps1 OR *\\Invoke\-SSHCommand.ps1 OR *\\Get\-SecurityPackages.ps1 OR *\\Install\-SSP.ps1 OR *\\Invoke\-BackdoorLNK.ps1 OR *\\PowerBreach.ps1 OR *\\Get\-SiteListPassword.ps1 OR *\\Get\-System.ps1 OR *\\Invoke\-BypassUAC.ps1 OR *\\Invoke\-Tater.ps1 OR *\\Invoke\-WScriptBypassUAC.ps1 OR *\\PowerUp.ps1 OR *\\PowerView.ps1 OR *\\Get\-RickAstley.ps1 OR *\\Find\-Fruit.ps1 OR *\\HTTP\-Login.ps1 OR *\\Find\-TrustedDocuments.ps1 OR *\\Invoke\-Paranoia.ps1 OR *\\Invoke\-WinEnum.ps1 OR *\\Invoke\-ARPScan.ps1 OR *\\Invoke\-PortScan.ps1 OR *\\Invoke\-ReverseDNSLookup.ps1 OR *\\Invoke\-SMBScanner.ps1 OR *\\Invoke\-Mimikittenz.ps1)
index: wazuh-alerts-3.x-*
name: f331aa1f-8c53-4fc3-b083-cc159bc971cb_0
priority: 2
realert:
minutes: 0
type: any
Reference in New Issue View Git Blame Copy Permalink