SigmaHQ/rules/windows/powershell/powershell_malicious_commandlets.yml
2020-10-15 17:11:20 -03:00

121 lines
4.0 KiB
YAML

title: Malicious PowerShell Commandlets
id: 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
status: experimental
description: Detects Commandlet names from well-known PowerShell exploitation frameworks
references:
- https://adsecurity.org/?p=2921
tags:
- attack.execution
- attack.t1059.001
- attack.t1086 #an old one
author: Sean Metcalf (source), Florian Roth (rule)
date: 2017/03/05
logsource:
product: windows
service: powershell
definition: 'It is recommended to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277'
detection:
keywords:
Message|contains:
- "Invoke-DllInjection"
- "Invoke-Shellcode"
- "Invoke-WmiCommand"
- "Get-GPPPassword"
- "Get-Keystrokes"
- "Get-TimedScreenshot"
- "Get-VaultCredential"
- "Invoke-CredentialInjection"
- "Invoke-Mimikatz"
- "Invoke-NinjaCopy"
- "Invoke-TokenManipulation"
- "Out-Minidump"
- "VolumeShadowCopyTools"
- "Invoke-ReflectivePEInjection"
- "Invoke-UserHunter"
- "Find-GPOLocation"
- "Invoke-ACLScanner"
- "Invoke-DowngradeAccount"
- "Get-ServiceUnquoted"
- "Get-ServiceFilePermission"
- "Get-ServicePermission"
- "Invoke-ServiceAbuse"
- "Install-ServiceBinary"
- "Get-RegAutoLogon"
- "Get-VulnAutoRun"
- "Get-VulnSchTask"
- "Get-UnattendedInstallFile"
- "Get-ApplicationHost"
- "Get-RegAlwaysInstallElevated"
- "Get-Unconstrained"
- "Add-RegBackdoor"
- "Add-ScrnSaveBackdoor"
- "Gupt-Backdoor"
- "Invoke-ADSBackdoor"
- "Enabled-DuplicateToken"
- "Invoke-PsUaCme"
- "Remove-Update"
- "Check-VM"
- "Get-LSASecret"
- "Get-PassHashes"
- "Show-TargetScreen"
- "Port-Scan"
- "Invoke-PoshRatHttp"
- "Invoke-PowerShellTCP"
- "Invoke-PowerShellWMI"
- "Add-Exfiltration"
- "Add-Persistence"
- "Do-Exfiltration"
- "Start-CaptureServer"
- "Get-ChromeDump"
- "Get-ClipboardContents"
- "Get-FoxDump"
- "Get-IndexedItem"
- "Get-Screenshot"
- "Invoke-Inveigh"
- "Invoke-NetRipper"
- "Invoke-EgressCheck"
- "Invoke-PostExfil"
- "Invoke-PSInject"
- "Invoke-RunAs"
- "MailRaider"
- "New-HoneyHash"
- "Set-MacAttribute"
- "Invoke-DCSync"
- "Invoke-PowerDump"
- "Exploit-Jboss"
- "Invoke-ThunderStruck"
- "Invoke-VoiceTroll"
- "Set-Wallpaper"
- "Invoke-InveighRelay"
- "Invoke-PsExec"
- "Invoke-SSHCommand"
- "Get-SecurityPackages"
- "Install-SSP"
- "Invoke-BackdoorLNK"
- "PowerBreach"
- "Get-SiteListPassword"
- "Get-System"
- "Invoke-BypassUAC"
- "Invoke-Tater"
- "Invoke-WScriptBypassUAC"
- "PowerUp"
- "PowerView"
- "Get-RickAstley"
- "Find-Fruit"
- "HTTP-Login"
- "Find-TrustedDocuments"
- "Invoke-Paranoia"
- "Invoke-WinEnum"
- "Invoke-ARPScan"
- "Invoke-PortScan"
- "Invoke-ReverseDNSLookup"
- "Invoke-SMBScanner"
- "Invoke-Mimikittenz"
- "Invoke-AllChecks"
false_positives:
- Get-SystemDriveInfo # http://bheltborg.dk/Windows/WinSxS/amd64_microsoft-windows-maintenancediagnostic_31bf3856ad364e35_10.0.10240.16384_none_91ef7543a4514b5e/CL_Utility.ps1
condition: keywords and not false_positives
falsepositives:
- Penetration testing
level: high