SigmaHQ/rules/windows/powershell/powershell_malicious_commandlets.yml
2020-01-30 16:07:37 +01:00

121 lines
4.2 KiB
YAML

title: Malicious PowerShell Commandlets
id: 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
status: experimental
description: Detects Commandlet names from well-known PowerShell exploitation frameworks
modified: 2019/01/22
references:
- https://adsecurity.org/?p=2921
tags:
- attack.execution
- attack.t1086
author: Sean Metcalf (source), Florian Roth (rule)
date: 2017/03/05
logsource:
product: windows
service: powershell
definition: 'It is recommended to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277'
detection:
keywords:
Message:
- "*Invoke-DllInjection*"
- "*Invoke-Shellcode*"
- "*Invoke-WmiCommand*"
- "*Get-GPPPassword*"
- "*Get-Keystrokes*"
- "*Get-TimedScreenshot*"
- "*Get-VaultCredential*"
- "*Invoke-CredentialInjection*"
- "*Invoke-Mimikatz*"
- "*Invoke-NinjaCopy*"
- "*Invoke-TokenManipulation*"
- "*Out-Minidump*"
- "*VolumeShadowCopyTools*"
- "*Invoke-ReflectivePEInjection*"
- "*Invoke-UserHunter*"
- "*Find-GPOLocation*"
- "*Invoke-ACLScanner*"
- "*Invoke-DowngradeAccount*"
- "*Get-ServiceUnquoted*"
- "*Get-ServiceFilePermission*"
- "*Get-ServicePermission*"
- "*Invoke-ServiceAbuse*"
- "*Install-ServiceBinary*"
- "*Get-RegAutoLogon*"
- "*Get-VulnAutoRun*"
- "*Get-VulnSchTask*"
- "*Get-UnattendedInstallFile*"
- "*Get-ApplicationHost*"
- "*Get-RegAlwaysInstallElevated*"
- "*Get-Unconstrained*"
- "*Add-RegBackdoor*"
- "*Add-ScrnSaveBackdoor*"
- "*Gupt-Backdoor*"
- "*Invoke-ADSBackdoor*"
- "*Enabled-DuplicateToken*"
- "*Invoke-PsUaCme*"
- "*Remove-Update*"
- "*Check-VM*"
- "*Get-LSASecret*"
- "*Get-PassHashes*"
- "*Show-TargetScreen*"
- "*Port-Scan*"
- "*Invoke-PoshRatHttp*"
- "*Invoke-PowerShellTCP*"
- "*Invoke-PowerShellWMI*"
- "*Add-Exfiltration*"
- "*Add-Persistence*"
- "*Do-Exfiltration*"
- "*Start-CaptureServer*"
- "*Get-ChromeDump*"
- "*Get-ClipboardContents*"
- "*Get-FoxDump*"
- "*Get-IndexedItem*"
- "*Get-Screenshot*"
- "*Invoke-Inveigh*"
- "*Invoke-NetRipper*"
- "*Invoke-EgressCheck*"
- "*Invoke-PostExfil*"
- "*Invoke-PSInject*"
- "*Invoke-RunAs*"
- "*MailRaider*"
- "*New-HoneyHash*"
- "*Set-MacAttribute*"
- "*Invoke-DCSync*"
- "*Invoke-PowerDump*"
- "*Exploit-Jboss*"
- "*Invoke-ThunderStruck*"
- "*Invoke-VoiceTroll*"
- "*Set-Wallpaper*"
- "*Invoke-InveighRelay*"
- "*Invoke-PsExec*"
- "*Invoke-SSHCommand*"
- "*Get-SecurityPackages*"
- "*Install-SSP*"
- "*Invoke-BackdoorLNK*"
- "*PowerBreach*"
- "*Get-SiteListPassword*"
- "*Get-System*"
- "*Invoke-BypassUAC*"
- "*Invoke-Tater*"
- "*Invoke-WScriptBypassUAC*"
- "*PowerUp*"
- "*PowerView*"
- "*Get-RickAstley*"
- "*Find-Fruit*"
- "*HTTP-Login*"
- "*Find-TrustedDocuments*"
- "*Invoke-Paranoia*"
- "*Invoke-WinEnum*"
- "*Invoke-ARPScan*"
- "*Invoke-PortScan*"
- "*Invoke-ReverseDNSLookup*"
- "*Invoke-SMBScanner*"
- "*Invoke-Mimikittenz*"
- "*Invoke-AllChecks*"
false_positives:
- Get-SystemDriveInfo # http://bheltborg.dk/Windows/WinSxS/amd64_microsoft-windows-maintenancediagnostic_31bf3856ad364e35_10.0.10240.16384_none_91ef7543a4514b5e/CL_Utility.ps1
condition: keywords and not false_positives
falsepositives:
- Penetration testing
level: high