mirror of
https://github.com/valitydev/SigmaHQ.git
synced 2024-11-07 09:48:58 +00:00
43 lines
1.7 KiB
YAML
43 lines
1.7 KiB
YAML
title: Bad Opsec Powershell Code Artifacts
|
|
id: 73e733cc-1ace-3212-a107-ff2523cc9fc3
|
|
description: Focuses on trivial artifacts observed in variants of prevalent offensive ps1 payloads, including Cobalt Strike Beacon, PoshC2, Powerview, Letmein, Empire, Powersploit, and other attack payloads that often undergo minimal changes by attackers due to bad opsec.
|
|
status: experimental
|
|
references:
|
|
- https://newtonpaul.com/analysing-fileless-malware-cobalt-strike-beacon/
|
|
- https://labs.sentinelone.com/top-tier-russian-organized-cybercrime-group-unveils-fileless-stealthy-powertrick-backdoor-for-high-value-targets/
|
|
- https://www.mdeditor.tw/pl/pgRt
|
|
author: 'ok @securonix invrep_de, oscd.community'
|
|
date: 2020/10/09
|
|
modified: 2020/10/09
|
|
tags:
|
|
- attack.execution
|
|
- attack.t1059.001
|
|
- attack.t1086 # an old one
|
|
logsource:
|
|
product: windows
|
|
service: powershell
|
|
definition: Script block logging must be enabled for 4104 , Module Logging must be enable for 4103
|
|
detection:
|
|
selection_4104:
|
|
EventID: 4104
|
|
ScriptBlockText|contains:
|
|
- '$DoIt'
|
|
- 'harmj0y'
|
|
- 'mattifestation'
|
|
- '_RastaMouse'
|
|
- 'tifkin_'
|
|
- '0xdeadbeef'
|
|
selection_4103:
|
|
EventID: 4103
|
|
Payload|contains:
|
|
- '$DoIt'
|
|
- 'harmj0y'
|
|
- 'mattifestation'
|
|
- '_RastaMouse'
|
|
- 'tifkin_'
|
|
- '0xdeadbeef'
|
|
condition: selection_4104 or selection_4103
|
|
falsepositives:
|
|
- 'Moderate-to-low; Despite the shorter length/lower entropy for some of these, because of high specificity, fp appears to be fairly limited in many environments.'
|
|
level: critical
|