mirror of https://github.com/valitydev/SigmaHQ.git (synced 2024-11-07 09:48:58 +00:00)
title: Malicious PowerShell Commandlets
status: experimental
description: Detects Commandlet names from well-known PowerShell exploitation frameworks
modified: 2019/01/22
references:
    - https://adsecurity.org/?p=2921
tags:
    - attack.execution
    - attack.t1086
author: Sean Metcalf (source), Florian Roth (rule)
logsource:
    product: windows
    service: powershell
    definition: 'It is recommended to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277'
detection:
    keywords:
        - Invoke-DllInjection
        - Invoke-Shellcode
        - Invoke-WmiCommand
        - Get-GPPPassword
        - Get-Keystrokes
        - Get-TimedScreenshot
        - Get-VaultCredential
        - Invoke-CredentialInjection
        - Invoke-Mimikatz
        - Invoke-NinjaCopy
        - Invoke-TokenManipulation
        - Out-Minidump
        - VolumeShadowCopyTools
        - Invoke-ReflectivePEInjection
        - Invoke-UserHunter
        - Find-GPOLocation
        - Invoke-ACLScanner
        - Invoke-DowngradeAccount
        - Get-ServiceUnquoted
        - Get-ServiceFilePermission
        - Get-ServicePermission
        - Invoke-ServiceAbuse
        - Install-ServiceBinary
        - Get-RegAutoLogon
        - Get-VulnAutoRun
        - Get-VulnSchTask
        - Get-UnattendedInstallFile
        - Get-ApplicationHost
        - Get-RegAlwaysInstallElevated
        - Get-Unconstrained
        - Add-RegBackdoor
        - Add-ScrnSaveBackdoor
        - Gupt-Backdoor
        - Invoke-ADSBackdoor
        - Enabled-DuplicateToken
        - Invoke-PsUaCme
        - Remove-Update
        - Check-VM
        - Get-LSASecret
        - Get-PassHashes
        - Show-TargetScreen
        - Port-Scan
        - Invoke-PoshRatHttp
        - Invoke-PowerShellTCP
        - Invoke-PowerShellWMI
        - Add-Exfiltration
        - Add-Persistence
        - Do-Exfiltration
        - Start-CaptureServer
        - Get-ChromeDump
        - Get-ClipboardContents
        - Get-FoxDump
        - Get-IndexedItem
        - Get-Screenshot
        - Invoke-Inveigh
        - Invoke-NetRipper
        - Invoke-EgressCheck
        - Invoke-PostExfil
        - Invoke-PSInject
        - Invoke-RunAs
        - MailRaider
        - New-HoneyHash
        - Set-MacAttribute
        - Invoke-DCSync
        - Invoke-PowerDump
        - Exploit-Jboss
        - Invoke-ThunderStruck
        - Invoke-VoiceTroll
        - Set-Wallpaper
        - Invoke-InveighRelay
        - Invoke-PsExec
        - Invoke-SSHCommand
        - Get-SecurityPackages
        - Install-SSP
        - Invoke-BackdoorLNK
        - PowerBreach
        - Get-SiteListPassword
        - Get-System
        - Invoke-BypassUAC
        - Invoke-Tater
        - Invoke-WScriptBypassUAC
        - PowerUp
        - PowerView
        - Get-RickAstley
        - Find-Fruit
        - HTTP-Login
        - Find-TrustedDocuments
        - Invoke-Paranoia
        - Invoke-WinEnum
        - Invoke-ARPScan
        - Invoke-PortScan
        - Invoke-ReverseDNSLookup
        - Invoke-SMBScanner
        - Invoke-Mimikittenz
    condition: keywords
falsepositives:
    - Penetration testing
level: high
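The rule above is a bare `keywords` list, which Sigma evaluates as a case-insensitive substring search over the whole log event rather than a match on a specific field. The script below is an added example, not part of the SigmaHQ repository, that applies that matching to constructed PowerShell Script Block Logging events (Event ID 4104, the log source the rule's `definition` recommends) using a subset of the rule's keyword list; the event records, their field names and the helper names are constructed for this example.

```python
"""Evaluate the Sigma `keywords` condition of the rule above against
constructed PowerShell Script Block Logging (Event ID 4104) events.

Added example, not SigmaHQ code. KEYWORDS is a subset of the rule's
`detection.keywords` list; SAMPLE_EVENTS are constructed records.
"""
import re

# Subset of the rule's keyword list (copied from the rule above).
KEYWORDS = [
    "Invoke-DllInjection",
    "Get-GPPPassword",
    "Invoke-Mimikatz",
    "Invoke-DCSync",
    "Invoke-BypassUAC",
    "PowerView",
]

# Sigma string matching is case-insensitive, and a bare keyword list is a
# free-text search over the entire event, so build one case-insensitive
# alternation and run it over every field value joined together.
_KEYWORD_RE = re.compile("|".join(re.escape(k) for k in KEYWORDS), re.IGNORECASE)
# Map the lower-cased hit back to the rule's canonical spelling.
_CANONICAL = {k.lower(): k for k in KEYWORDS}


def match_keywords(event):
    """Return the sorted list of rule keywords found anywhere in `event`,
    a dict of field name -> value, mimicking Sigma's keyword search."""
    haystack = " ".join(str(value) for value in event.values())
    hits = {_CANONICAL[m.group(0).lower()] for m in _KEYWORD_RE.finditer(haystack)}
    return sorted(hits)


def alerts(events):
    """Apply the rule to a sequence of events; return (index, hits) for
    every event that satisfies `condition: keywords`."""
    result = []
    for index, event in enumerate(events):
        hits = match_keywords(event)
        if hits:
            result.append((index, hits))
    return result


# Constructed sample events (field names chosen for this example only).
SAMPLE_EVENTS = [
    {   # Lower-cased cmdlet name still matches: the search is case-insensitive.
        "EventID": 4104,
        "ScriptBlockText": "Import-Module .\\tools.ps1; invoke-mimikatz",
        "Path": "",
    },
    {   # Routine administration: no keyword present, no alert.
        "EventID": 4104,
        "ScriptBlockText": "Get-Service | Where-Object Status -eq 'Running'",
        "Path": "C:\\Scripts\\health.ps1",
    },
    {   # A keyword inside a comment still hits: this is the kind of event the
        # rule's `falsepositives` entry (penetration testing, tooling audits)
        # is warning about, because nothing is actually executed here.
        "EventID": 4104,
        "ScriptBlockText": "# Audit: check for leftover PowerView artefacts\nGet-ChildItem C:\\Tools",
        "Path": "C:\\Scripts\\audit.ps1",
    },
    {   # Two keywords in one script block are both reported.
        "EventID": 4104,
        "ScriptBlockText": "Invoke-DCSync; Get-GPPPassword",
        "Path": "",
    },
]


if __name__ == "__main__":
    for index, hits in alerts(SAMPLE_EVENTS):
        print(f"event {index}: level=high keywords={hits}")
```

Because the match is a substring search over the whole event, file names, comments and even command-line history copied into a script block will fire the rule just as real execution does; in practice that is why the `falsepositives` field lists penetration testing, and why the alert is better triaged together with the 4104 `Path` field and the invoking process than on the keyword hit alone.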