mirror of
https://github.com/valitydev/SigmaHQ.git
synced 2024-11-07 17:58:52 +00:00
118 lines
4.2 KiB
YAML
Executable File
118 lines
4.2 KiB
YAML
Executable File
title: Malicious PowerShell Commandlet Names
|
|
id: f331aa1f-8c53-4fc3-b083-cc159bc971cb
|
|
status: experimental
|
|
description: Detects the creation of known powershell scripts for exploitation
|
|
references:
|
|
- https://raw.githubusercontent.com/Neo23x0/sigma/f35c50049fa896dff91ff545cb199319172701e8/rules/windows/powershell/powershell_malicious_commandlets.yml
|
|
tags:
|
|
- attack.execution
|
|
- attack.t1086 # an old one
|
|
- attack.t1059.001
|
|
author: Markus Neis
|
|
date: 2018/04/07
|
|
logsource:
|
|
category: file_event
|
|
product: windows
|
|
detection:
|
|
selection:
|
|
TargetFilename|endswith:
|
|
- '\Invoke-DllInjection.ps1'
|
|
- '\Invoke-WmiCommand.ps1'
|
|
- '\Get-GPPPassword.ps1'
|
|
- '\Get-Keystrokes.ps1'
|
|
- '\Get-VaultCredential.ps1'
|
|
- '\Invoke-CredentialInjection.ps1'
|
|
- '\Invoke-Mimikatz.ps1'
|
|
- '\Invoke-NinjaCopy.ps1'
|
|
- '\Invoke-TokenManipulation.ps1'
|
|
- '\Out-Minidump.ps1'
|
|
- '\VolumeShadowCopyTools.ps1'
|
|
- '\Invoke-ReflectivePEInjection.ps1'
|
|
- '\Get-TimedScreenshot.ps1'
|
|
- '\Invoke-UserHunter.ps1'
|
|
- '\Find-GPOLocation.ps1'
|
|
- '\Invoke-ACLScanner.ps1'
|
|
- '\Invoke-DowngradeAccount.ps1'
|
|
- '\Get-ServiceUnquoted.ps1'
|
|
- '\Get-ServiceFilePermission.ps1'
|
|
- '\Get-ServicePermission.ps1'
|
|
- '\Invoke-ServiceAbuse.ps1'
|
|
- '\Install-ServiceBinary.ps1'
|
|
- '\Get-RegAutoLogon.ps1'
|
|
- '\Get-VulnAutoRun.ps1'
|
|
- '\Get-VulnSchTask.ps1'
|
|
- '\Get-UnattendedInstallFile.ps1'
|
|
- '\Get-WebConfig.ps1'
|
|
- '\Get-ApplicationHost.ps1'
|
|
- '\Get-RegAlwaysInstallElevated.ps1'
|
|
- '\Get-Unconstrained.ps1'
|
|
- '\Add-RegBackdoor.ps1'
|
|
- '\Add-ScrnSaveBackdoor.ps1'
|
|
- '\Gupt-Backdoor.ps1'
|
|
- '\Invoke-ADSBackdoor.ps1'
|
|
- '\Enabled-DuplicateToken.ps1'
|
|
- '\Invoke-PsUaCme.ps1'
|
|
- '\Remove-Update.ps1'
|
|
- '\Check-VM.ps1'
|
|
- '\Get-LSASecret.ps1'
|
|
- '\Get-PassHashes.ps1'
|
|
- '\Show-TargetScreen.ps1'
|
|
- '\Port-Scan.ps1'
|
|
- '\Invoke-PoshRatHttp.ps1'
|
|
- '\Invoke-PowerShellTCP.ps1'
|
|
- '\Invoke-PowerShellWMI.ps1'
|
|
- '\Add-Exfiltration.ps1'
|
|
- '\Add-Persistence.ps1'
|
|
- '\Do-Exfiltration.ps1'
|
|
- '\Start-CaptureServer.ps1'
|
|
- '\Invoke-ShellCode.ps1'
|
|
- '\Get-ChromeDump.ps1'
|
|
- '\Get-ClipboardContents.ps1'
|
|
- '\Get-FoxDump.ps1'
|
|
- '\Get-IndexedItem.ps1'
|
|
- '\Get-Screenshot.ps1'
|
|
- '\Invoke-Inveigh.ps1'
|
|
- '\Invoke-NetRipper.ps1'
|
|
- '\Invoke-EgressCheck.ps1'
|
|
- '\Invoke-PostExfil.ps1'
|
|
- '\Invoke-PSInject.ps1'
|
|
- '\Invoke-RunAs.ps1'
|
|
- '\MailRaider.ps1'
|
|
- '\New-HoneyHash.ps1'
|
|
- '\Set-MacAttribute.ps1'
|
|
- '\Invoke-DCSync.ps1'
|
|
- '\Invoke-PowerDump.ps1'
|
|
- '\Exploit-Jboss.ps1'
|
|
- '\Invoke-ThunderStruck.ps1'
|
|
- '\Invoke-VoiceTroll.ps1'
|
|
- '\Set-Wallpaper.ps1'
|
|
- '\Invoke-InveighRelay.ps1'
|
|
- '\Invoke-PsExec.ps1'
|
|
- '\Invoke-SSHCommand.ps1'
|
|
- '\Get-SecurityPackages.ps1'
|
|
- '\Install-SSP.ps1'
|
|
- '\Invoke-BackdoorLNK.ps1'
|
|
- '\PowerBreach.ps1'
|
|
- '\Get-SiteListPassword.ps1'
|
|
- '\Get-System.ps1'
|
|
- '\Invoke-BypassUAC.ps1'
|
|
- '\Invoke-Tater.ps1'
|
|
- '\Invoke-WScriptBypassUAC.ps1'
|
|
- '\PowerUp.ps1'
|
|
- '\PowerView.ps1'
|
|
- '\Get-RickAstley.ps1'
|
|
- '\Find-Fruit.ps1'
|
|
- '\HTTP-Login.ps1'
|
|
- '\Find-TrustedDocuments.ps1'
|
|
- '\Invoke-Paranoia.ps1'
|
|
- '\Invoke-WinEnum.ps1'
|
|
- '\Invoke-ARPScan.ps1'
|
|
- '\Invoke-PortScan.ps1'
|
|
- '\Invoke-ReverseDNSLookup.ps1'
|
|
- '\Invoke-SMBScanner.ps1'
|
|
- '\Invoke-Mimikittenz.ps1'
|
|
condition: selection
|
|
falsepositives:
|
|
- Penetration Tests
|
|
level: high
|