mirror of
https://github.com/valitydev/SigmaHQ.git
synced 2024-11-08 18:23:52 +00:00
118 lines
4.3 KiB
YAML
Executable File
118 lines
4.3 KiB
YAML
Executable File
title: Malicious PowerShell Commandlet Names
|
|
id: f331aa1f-8c53-4fc3-b083-cc159bc971cb
|
|
status: experimental
|
|
description: Detects the creation of known powershell scripts for exploitation
|
|
references:
|
|
- https://raw.githubusercontent.com/Neo23x0/sigma/f35c50049fa896dff91ff545cb199319172701e8/rules/windows/powershell/powershell_malicious_commandlets.yml
|
|
tags:
|
|
- attack.execution
|
|
- attack.t1086 # an old one
|
|
- attack.t1059.001
|
|
author: Markus Neis
|
|
date: 2018/04/07
|
|
logsource:
|
|
category: file_event
|
|
product: windows
|
|
detection:
|
|
selection:
|
|
TargetFilename:
|
|
- '*\Invoke-DllInjection.ps1'
|
|
- '*\Invoke-WmiCommand.ps1'
|
|
- '*\Get-GPPPassword.ps1'
|
|
- '*\Get-Keystrokes.ps1'
|
|
- '*\Get-VaultCredential.ps1'
|
|
- '*\Invoke-CredentialInjection.ps1'
|
|
- '*\Invoke-Mimikatz.ps1'
|
|
- '*\Invoke-NinjaCopy.ps1'
|
|
- '*\Invoke-TokenManipulation.ps1'
|
|
- '*\Out-Minidump.ps1'
|
|
- '*\VolumeShadowCopyTools.ps1'
|
|
- '*\Invoke-ReflectivePEInjection.ps1'
|
|
- '*\Get-TimedScreenshot.ps1'
|
|
- '*\Invoke-UserHunter.ps1'
|
|
- '*\Find-GPOLocation.ps1'
|
|
- '*\Invoke-ACLScanner.ps1'
|
|
- '*\Invoke-DowngradeAccount.ps1'
|
|
- '*\Get-ServiceUnquoted.ps1'
|
|
- '*\Get-ServiceFilePermission.ps1'
|
|
- '*\Get-ServicePermission.ps1'
|
|
- '*\Invoke-ServiceAbuse.ps1'
|
|
- '*\Install-ServiceBinary.ps1'
|
|
- '*\Get-RegAutoLogon.ps1'
|
|
- '*\Get-VulnAutoRun.ps1'
|
|
- '*\Get-VulnSchTask.ps1'
|
|
- '*\Get-UnattendedInstallFile.ps1'
|
|
- '*\Get-WebConfig.ps1'
|
|
- '*\Get-ApplicationHost.ps1'
|
|
- '*\Get-RegAlwaysInstallElevated.ps1'
|
|
- '*\Get-Unconstrained.ps1'
|
|
- '*\Add-RegBackdoor.ps1'
|
|
- '*\Add-ScrnSaveBackdoor.ps1'
|
|
- '*\Gupt-Backdoor.ps1'
|
|
- '*\Invoke-ADSBackdoor.ps1'
|
|
- '*\Enabled-DuplicateToken.ps1'
|
|
- '*\Invoke-PsUaCme.ps1'
|
|
- '*\Remove-Update.ps1'
|
|
- '*\Check-VM.ps1'
|
|
- '*\Get-LSASecret.ps1'
|
|
- '*\Get-PassHashes.ps1'
|
|
- '*\Show-TargetScreen.ps1'
|
|
- '*\Port-Scan.ps1'
|
|
- '*\Invoke-PoshRatHttp.ps1'
|
|
- '*\Invoke-PowerShellTCP.ps1'
|
|
- '*\Invoke-PowerShellWMI.ps1'
|
|
- '*\Add-Exfiltration.ps1'
|
|
- '*\Add-Persistence.ps1'
|
|
- '*\Do-Exfiltration.ps1'
|
|
- '*\Start-CaptureServer.ps1'
|
|
- '*\Invoke-ShellCode.ps1'
|
|
- '*\Get-ChromeDump.ps1'
|
|
- '*\Get-ClipboardContents.ps1'
|
|
- '*\Get-FoxDump.ps1'
|
|
- '*\Get-IndexedItem.ps1'
|
|
- '*\Get-Screenshot.ps1'
|
|
- '*\Invoke-Inveigh.ps1'
|
|
- '*\Invoke-NetRipper.ps1'
|
|
- '*\Invoke-EgressCheck.ps1'
|
|
- '*\Invoke-PostExfil.ps1'
|
|
- '*\Invoke-PSInject.ps1'
|
|
- '*\Invoke-RunAs.ps1'
|
|
- '*\MailRaider.ps1'
|
|
- '*\New-HoneyHash.ps1'
|
|
- '*\Set-MacAttribute.ps1'
|
|
- '*\Invoke-DCSync.ps1'
|
|
- '*\Invoke-PowerDump.ps1'
|
|
- '*\Exploit-Jboss.ps1'
|
|
- '*\Invoke-ThunderStruck.ps1'
|
|
- '*\Invoke-VoiceTroll.ps1'
|
|
- '*\Set-Wallpaper.ps1'
|
|
- '*\Invoke-InveighRelay.ps1'
|
|
- '*\Invoke-PsExec.ps1'
|
|
- '*\Invoke-SSHCommand.ps1'
|
|
- '*\Get-SecurityPackages.ps1'
|
|
- '*\Install-SSP.ps1'
|
|
- '*\Invoke-BackdoorLNK.ps1'
|
|
- '*\PowerBreach.ps1'
|
|
- '*\Get-SiteListPassword.ps1'
|
|
- '*\Get-System.ps1'
|
|
- '*\Invoke-BypassUAC.ps1'
|
|
- '*\Invoke-Tater.ps1'
|
|
- '*\Invoke-WScriptBypassUAC.ps1'
|
|
- '*\PowerUp.ps1'
|
|
- '*\PowerView.ps1'
|
|
- '*\Get-RickAstley.ps1'
|
|
- '*\Find-Fruit.ps1'
|
|
- '*\HTTP-Login.ps1'
|
|
- '*\Find-TrustedDocuments.ps1'
|
|
- '*\Invoke-Paranoia.ps1'
|
|
- '*\Invoke-WinEnum.ps1'
|
|
- '*\Invoke-ARPScan.ps1'
|
|
- '*\Invoke-PortScan.ps1'
|
|
- '*\Invoke-ReverseDNSLookup.ps1'
|
|
- '*\Invoke-SMBScanner.ps1'
|
|
- '*\Invoke-Mimikittenz.ps1'
|
|
condition: selection
|
|
falsepositives:
|
|
- Penetration Tests
|
|
level: high
|