mirror of
https://github.com/valitydev/SigmaHQ.git
synced 2024-11-08 18:23:52 +00:00
121 lines
4.2 KiB
YAML
121 lines
4.2 KiB
YAML
title: Malicious PowerShell Commandlets
|
|
id: 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
|
|
status: experimental
|
|
description: Detects Commandlet names from well-known PowerShell exploitation frameworks
|
|
references:
|
|
- https://adsecurity.org/?p=2921
|
|
tags:
|
|
- attack.execution
|
|
- attack.t1059.001
|
|
- attack.t1086 #an old one
|
|
author: Sean Metcalf (source), Florian Roth (rule)
|
|
date: 2017/03/05
|
|
logsource:
|
|
product: windows
|
|
service: powershell
|
|
definition: 'It is recommended to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277'
|
|
detection:
|
|
keywords:
|
|
Message:
|
|
- "*Invoke-DllInjection*"
|
|
- "*Invoke-Shellcode*"
|
|
- "*Invoke-WmiCommand*"
|
|
- "*Get-GPPPassword*"
|
|
- "*Get-Keystrokes*"
|
|
- "*Get-TimedScreenshot*"
|
|
- "*Get-VaultCredential*"
|
|
- "*Invoke-CredentialInjection*"
|
|
- "*Invoke-Mimikatz*"
|
|
- "*Invoke-NinjaCopy*"
|
|
- "*Invoke-TokenManipulation*"
|
|
- "*Out-Minidump*"
|
|
- "*VolumeShadowCopyTools*"
|
|
- "*Invoke-ReflectivePEInjection*"
|
|
- "*Invoke-UserHunter*"
|
|
- "*Find-GPOLocation*"
|
|
- "*Invoke-ACLScanner*"
|
|
- "*Invoke-DowngradeAccount*"
|
|
- "*Get-ServiceUnquoted*"
|
|
- "*Get-ServiceFilePermission*"
|
|
- "*Get-ServicePermission*"
|
|
- "*Invoke-ServiceAbuse*"
|
|
- "*Install-ServiceBinary*"
|
|
- "*Get-RegAutoLogon*"
|
|
- "*Get-VulnAutoRun*"
|
|
- "*Get-VulnSchTask*"
|
|
- "*Get-UnattendedInstallFile*"
|
|
- "*Get-ApplicationHost*"
|
|
- "*Get-RegAlwaysInstallElevated*"
|
|
- "*Get-Unconstrained*"
|
|
- "*Add-RegBackdoor*"
|
|
- "*Add-ScrnSaveBackdoor*"
|
|
- "*Gupt-Backdoor*"
|
|
- "*Invoke-ADSBackdoor*"
|
|
- "*Enabled-DuplicateToken*"
|
|
- "*Invoke-PsUaCme*"
|
|
- "*Remove-Update*"
|
|
- "*Check-VM*"
|
|
- "*Get-LSASecret*"
|
|
- "*Get-PassHashes*"
|
|
- "*Show-TargetScreen*"
|
|
- "*Port-Scan*"
|
|
- "*Invoke-PoshRatHttp*"
|
|
- "*Invoke-PowerShellTCP*"
|
|
- "*Invoke-PowerShellWMI*"
|
|
- "*Add-Exfiltration*"
|
|
- "*Add-Persistence*"
|
|
- "*Do-Exfiltration*"
|
|
- "*Start-CaptureServer*"
|
|
- "*Get-ChromeDump*"
|
|
- "*Get-ClipboardContents*"
|
|
- "*Get-FoxDump*"
|
|
- "*Get-IndexedItem*"
|
|
- "*Get-Screenshot*"
|
|
- "*Invoke-Inveigh*"
|
|
- "*Invoke-NetRipper*"
|
|
- "*Invoke-EgressCheck*"
|
|
- "*Invoke-PostExfil*"
|
|
- "*Invoke-PSInject*"
|
|
- "*Invoke-RunAs*"
|
|
- "*MailRaider*"
|
|
- "*New-HoneyHash*"
|
|
- "*Set-MacAttribute*"
|
|
- "*Invoke-DCSync*"
|
|
- "*Invoke-PowerDump*"
|
|
- "*Exploit-Jboss*"
|
|
- "*Invoke-ThunderStruck*"
|
|
- "*Invoke-VoiceTroll*"
|
|
- "*Set-Wallpaper*"
|
|
- "*Invoke-InveighRelay*"
|
|
- "*Invoke-PsExec*"
|
|
- "*Invoke-SSHCommand*"
|
|
- "*Get-SecurityPackages*"
|
|
- "*Install-SSP*"
|
|
- "*Invoke-BackdoorLNK*"
|
|
- "*PowerBreach*"
|
|
- "*Get-SiteListPassword*"
|
|
- "*Get-System*"
|
|
- "*Invoke-BypassUAC*"
|
|
- "*Invoke-Tater*"
|
|
- "*Invoke-WScriptBypassUAC*"
|
|
- "*PowerUp*"
|
|
- "*PowerView*"
|
|
- "*Get-RickAstley*"
|
|
- "*Find-Fruit*"
|
|
- "*HTTP-Login*"
|
|
- "*Find-TrustedDocuments*"
|
|
- "*Invoke-Paranoia*"
|
|
- "*Invoke-WinEnum*"
|
|
- "*Invoke-ARPScan*"
|
|
- "*Invoke-PortScan*"
|
|
- "*Invoke-ReverseDNSLookup*"
|
|
- "*Invoke-SMBScanner*"
|
|
- "*Invoke-Mimikittenz*"
|
|
- "*Invoke-AllChecks*"
|
|
false_positives:
|
|
- Get-SystemDriveInfo # http://bheltborg.dk/Windows/WinSxS/amd64_microsoft-windows-maintenancediagnostic_31bf3856ad364e35_10.0.10240.16384_none_91ef7543a4514b5e/CL_Utility.ps1
|
|
condition: keywords and not false_positives
|
|
falsepositives:
|
|
- Penetration testing
|
|
level: high
|