mirror of
https://github.com/valitydev/SigmaHQ.git
synced 2024-11-08 18:23:52 +00:00
97 lines
2.5 KiB
YAML
97 lines
2.5 KiB
YAML
title: Malicious Nishang PowerShell Commandlets
|
|
id: f772cee9-b7c2-4cb2-8f07-49870adc02e0
|
|
status: experimental
|
|
description: Detects Commandlet names and arguments from the Nishang exploitation framework
|
|
date: 2019/05/16
|
|
references:
|
|
- https://github.com/samratashok/nishang
|
|
tags:
|
|
- attack.execution
|
|
- attack.t1059.001
|
|
- attack.t1086 #an old one
|
|
author: Alec Costello
|
|
logsource:
|
|
product: windows
|
|
service: powershell
|
|
definition: It is recommanded to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277
|
|
detection:
|
|
keywords:
|
|
- Add-ConstrainedDelegationBackdoor
|
|
- Set-DCShadowPermissions
|
|
- DNS_TXT_Pwnage
|
|
- Execute-OnTime
|
|
- HTTP-Backdoor
|
|
- Set-RemotePSRemoting
|
|
- Set-RemoteWMI
|
|
- Invoke-AmsiBypass
|
|
- Out-CHM
|
|
- Out-HTA
|
|
- Out-SCF
|
|
- Out-SCT
|
|
- Out-Shortcut
|
|
- Out-WebQuery
|
|
- Out-Word
|
|
- Enable-Duplication
|
|
- Remove-Update
|
|
- Download-Execute-PS
|
|
- Download_Execute
|
|
- Execute-Command-MSSQL
|
|
- Execute-DNSTXT-Code
|
|
- Out-RundllCommand
|
|
- Copy-VSS
|
|
- FireBuster
|
|
- FireListener
|
|
- Get-Information
|
|
- Get-PassHints
|
|
- Get-WLAN-Keys
|
|
- Get-Web-Credentials
|
|
- Invoke-CredentialsPhish
|
|
- Invoke-MimikatzWDigestDowngrade
|
|
- Invoke-SSIDExfil
|
|
- Invoke-SessionGopher
|
|
- Keylogger
|
|
- Invoke-Interceptor
|
|
- Create-MultipleSessions
|
|
- Invoke-NetworkRelay
|
|
- Run-EXEonRemote
|
|
- Invoke-Prasadhak
|
|
- Invoke-BruteForce
|
|
- Password-List
|
|
- Invoke-JSRatRegsvr
|
|
- Invoke-JSRatRundll
|
|
- Invoke-PoshRatHttps
|
|
- Invoke-PowerShellIcmp
|
|
- Invoke-PowerShellUdp
|
|
- Invoke-PSGcat
|
|
- Invoke-PsGcatAgent
|
|
- Remove-PoshRat
|
|
- Add-Persistance
|
|
- ExetoText
|
|
- Invoke-Decode
|
|
- Invoke-Encode
|
|
- Parse_Keys
|
|
- Remove-Persistence
|
|
- StringtoBase64
|
|
- TexttoExe
|
|
- Powerpreter
|
|
- Nishang
|
|
- EncodedData
|
|
- DataToEncode
|
|
- LoggedKeys
|
|
- OUT-DNSTXT
|
|
- Jitter
|
|
- ExfilOption
|
|
- Tamper
|
|
- DumpCerts
|
|
- DumpCreds
|
|
- Shellcode32
|
|
- Shellcode64
|
|
- NotAllNameSpaces
|
|
- exfill
|
|
- FakeDC
|
|
- Exploit
|
|
condition: keywords
|
|
falsepositives:
|
|
- Penetration testing
|
|
level: high
|