# Sigma rule: flags PowerShell script blocks that reference the Win32 API
# entry points and module names listed under `ScriptBlockText|contains`.
# Source event is PowerShell Event ID 4104, which only exists when Script
# Block Logging is enabled (see `logsource.definition`).
title: Accessing WinAPI in PowerShell
id: 03d83090-8cba-44a0-b02f-0b756a050306
status: experimental
description: Detecting use WinAPI Functions in PowerShell
author: Nikita Nazarov, oscd.community
date: 2020/10/06
modified: 2021/08/04
references:
    - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
tags:
    - attack.execution
    - attack.t1059.001
    - attack.t1106
logsource:
    product: windows
    service: powershell
    # 4104 (script block text) is not logged at all unless this is turned on.
    definition: Script block logging must be enabled
detection:
    selection:
        EventID: 4104
        # Sigma ORs the entries of a list under one field: a single substring
        # hit is enough to fire. `contains` is a plain substring match, so some
        # entries subsume others (e.g. 'OpenProcess' already covers
        # 'OpenProcessToken', 'CreateUserThread' covers 'RtlCreateUserThread').
        ScriptBlockText|contains:
            # thread / process / memory primitives
            - 'WaitForSingleObject'
            - 'QueueUserApc'
            - 'RtlCreateUserThread'
            - 'OpenProcess'
            - 'VirtualAlloc'
            - 'VirtualFree'
            - 'WriteProcessMemory'
            - 'CreateUserThread'
            - 'CloseHandle'
            - 'GetDelegateForFunctionPointer'
            - 'CreateThread'
            - 'memcpy'
            - 'LoadLibrary'
            - 'GetModuleHandle'
            - 'GetProcAddress'
            - 'VirtualProtect'
            - 'FreeLibrary'
            - 'ReadProcessMemory'
            - 'CreateRemoteThread'
            # access-token and impersonation APIs
            - 'AdjustTokenPrivileges'
            - 'WriteByte'
            - 'WriteInt32'
            - 'OpenThreadToken'
            - 'PtrToString'
            - 'FreeHGlobal'
            - 'ZeroFreeGlobalAllocUnicode'
            - 'OpenProcessToken'
            - 'GetTokenInformation'
            - 'SetThreadToken'
            - 'ImpersonateLoggedOnUser'
            - 'RevertToSelf'
            - 'GetLogonSessionData'
            - 'CreateProcessWithToken'
            - 'DuplicateTokenEx'
            - 'OpenWindowStation'
            - 'OpenDesktop'
            - 'MiniDumpWriteDump'
            - 'AddSecurityPackage'
            - 'EnumerateSecurityPackages'
            - 'GetProcessHandle'
            - 'DangerousGetHandle'
            # module names; presumably matched when a script declares
            # P/Invoke signatures against them — confirm against sample data
            - 'kernel32'
            - 'Advapi32'
            - 'msvcrt'
            - 'ntdll'
            - 'user32'
            - 'secur32'
    condition: selection
# NOTE(review): generic entries such as 'CloseHandle', 'memcpy',
# 'LoadLibrary', 'GetProcAddress' and the bare module names also appear in
# legitimate interop and admin scripts; baseline the rule in your environment
# before acting on 'level: high' alerts as-is.
falsepositives:
    - Unknown
level: high