Title | Malicious PowerShell Commandlet Names |
---|---|
Description | Detects the creation of known powershell scripts for exploitation |
ATT&CK Tactic | |
ATT&CK Technique | |
Data Needed | |
Trigger | |
Severity Level | high |
False Positives | |
Development Status | experimental |
References | |
Author | Markus Neis |
Detection Rules
Sigma rule
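# Sigma rule: raises on Sysmon file-creation events (EventID 11) whose TargetFilename
# ends in the file name of a well-known offensive PowerShell script (PowerSploit,
# Empire, Nishang and similar toolkits).
# The match is on the file name only. A copy saved under any other name, or content
# loaded straight from memory, is not covered, so treat this as a cheap, high-fidelity
# indicator that complements script-block logging rather than replacing it.
title: Malicious PowerShell Commandlet Names
status: experimental
description: Detects the creation of known powershell scripts for exploitation
references:
    - https://raw.githubusercontent.com/Neo23x0/sigma/f35c50049fa896dff91ff545cb199319172701e8/rules/windows/powershell/powershell_malicious_commandlets.yml
tags:
    - attack.execution
    # T1086 is the pre-2020 ATT&CK identifier for PowerShell; later ATT&CK versions
    # fold it into T1059.001 (Command and Scripting Interpreter: PowerShell).
    - attack.t1086
author: Markus Neis
date: 2018/04/07
logsource:
    product: windows
    service: sysmon
detection:
    selection:
        # Sysmon EventID 11 = FileCreate. TargetFilename holds the full path of the
        # created file; '*\Name.ps1' therefore matches any directory as long as the
        # final path component is Name.ps1. Sigma string matching is case-insensitive.
        EventID: 11
        TargetFilename:
            - '*\Invoke-DllInjection.ps1'
            - '*\Invoke-WmiCommand.ps1'
            - '*\Get-GPPPassword.ps1'
            - '*\Get-Keystrokes.ps1'
            - '*\Get-VaultCredential.ps1'
            - '*\Invoke-CredentialInjection.ps1'
            - '*\Invoke-Mimikatz.ps1'
            - '*\Invoke-NinjaCopy.ps1'
            - '*\Invoke-TokenManipulation.ps1'
            - '*\Out-Minidump.ps1'
            - '*\VolumeShadowCopyTools.ps1'
            - '*\Invoke-ReflectivePEInjection.ps1'
            - '*\Get-TimedScreenshot.ps1'
            - '*\Invoke-UserHunter.ps1'
            - '*\Find-GPOLocation.ps1'
            - '*\Invoke-ACLScanner.ps1'
            - '*\Invoke-DowngradeAccount.ps1'
            - '*\Get-ServiceUnquoted.ps1'
            - '*\Get-ServiceFilePermission.ps1'
            - '*\Get-ServicePermission.ps1'
            - '*\Invoke-ServiceAbuse.ps1'
            - '*\Install-ServiceBinary.ps1'
            - '*\Get-RegAutoLogon.ps1'
            - '*\Get-VulnAutoRun.ps1'
            - '*\Get-VulnSchTask.ps1'
            - '*\Get-UnattendedInstallFile.ps1'
            - '*\Get-WebConfig.ps1'
            - '*\Get-ApplicationHost.ps1'
            - '*\Get-RegAlwaysInstallElevated.ps1'
            - '*\Get-Unconstrained.ps1'
            - '*\Add-RegBackdoor.ps1'
            - '*\Add-ScrnSaveBackdoor.ps1'
            - '*\Gupt-Backdoor.ps1'
            - '*\Invoke-ADSBackdoor.ps1'
            - '*\Enabled-DuplicateToken.ps1'
            - '*\Invoke-PsUaCme.ps1'
            - '*\Remove-Update.ps1'
            - '*\Check-VM.ps1'
            - '*\Get-LSASecret.ps1'
            - '*\Get-PassHashes.ps1'
            # '*\Invoke-Mimikatz.ps1' was listed a second time at this point in the
            # original rule; the duplicate is dropped, the set of matched names is unchanged.
            - '*\Show-TargetScreen.ps1'
            - '*\Port-Scan.ps1'
            - '*\Invoke-PoshRatHttp.ps1'
            - '*\Invoke-PowerShellTCP.ps1'
            - '*\Invoke-PowerShellWMI.ps1'
            - '*\Add-Exfiltration.ps1'
            - '*\Add-Persistence.ps1'
            - '*\Do-Exfiltration.ps1'
            - '*\Start-CaptureServer.ps1'
            - '*\Invoke-ShellCode.ps1'
            - '*\Get-ChromeDump.ps1'
            - '*\Get-ClipboardContents.ps1'
            - '*\Get-FoxDump.ps1'
            - '*\Get-IndexedItem.ps1'
            - '*\Get-Screenshot.ps1'
            - '*\Invoke-Inveigh.ps1'
            - '*\Invoke-NetRipper.ps1'
            - '*\Invoke-EgressCheck.ps1'
            - '*\Invoke-PostExfil.ps1'
            - '*\Invoke-PSInject.ps1'
            - '*\Invoke-RunAs.ps1'
            - '*\MailRaider.ps1'
            - '*\New-HoneyHash.ps1'
            - '*\Set-MacAttribute.ps1'
            - '*\Invoke-DCSync.ps1'
            - '*\Invoke-PowerDump.ps1'
            - '*\Exploit-Jboss.ps1'
            - '*\Invoke-ThunderStruck.ps1'
            - '*\Invoke-VoiceTroll.ps1'
            - '*\Set-Wallpaper.ps1'
            - '*\Invoke-InveighRelay.ps1'
            - '*\Invoke-PsExec.ps1'
            - '*\Invoke-SSHCommand.ps1'
            - '*\Get-SecurityPackages.ps1'
            - '*\Install-SSP.ps1'
            - '*\Invoke-BackdoorLNK.ps1'
            - '*\PowerBreach.ps1'
            - '*\Get-SiteListPassword.ps1'
            - '*\Get-System.ps1'
            - '*\Invoke-BypassUAC.ps1'
            - '*\Invoke-Tater.ps1'
            - '*\Invoke-WScriptBypassUAC.ps1'
            - '*\PowerUp.ps1'
            - '*\PowerView.ps1'
            - '*\Get-RickAstley.ps1'
            - '*\Find-Fruit.ps1'
            - '*\HTTP-Login.ps1'
            - '*\Find-TrustedDocuments.ps1'
            - '*\Invoke-Paranoia.ps1'
            - '*\Invoke-WinEnum.ps1'
            - '*\Invoke-ARPScan.ps1'
            - '*\Invoke-PortScan.ps1'
            - '*\Invoke-ReverseDNSLookup.ps1'
            - '*\Invoke-SMBScanner.ps1'
            - '*\Invoke-Mimikittenz.ps1'
    condition: selection
falsepositives:
    # Authorised testing is the expected benign source. Analysts pulling these toolkits
    # for review will also trigger it: check the creating process and download origin
    # in the Sysmon event before escalating.
    - Penetration Tests
level: high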
Kibana query
(EventID:"11" AND TargetFilename.keyword:(*\\\\Invoke\\-DllInjection.ps1 *\\\\Invoke\\-WmiCommand.ps1 *\\\\Get\\-GPPPassword.ps1 *\\\\Get\\-Keystrokes.ps1 *\\\\Get\\-VaultCredential.ps1 *\\\\Invoke\\-CredentialInjection.ps1 *\\\\Invoke\\-Mimikatz.ps1 *\\\\Invoke\\-NinjaCopy.ps1 *\\\\Invoke\\-TokenManipulation.ps1 *\\\\Out\\-Minidump.ps1 *\\\\VolumeShadowCopyTools.ps1 *\\\\Invoke\\-ReflectivePEInjection.ps1 *\\\\Get\\-TimedScreenshot.ps1 *\\\\Invoke\\-UserHunter.ps1 *\\\\Find\\-GPOLocation.ps1 *\\\\Invoke\\-ACLScanner.ps1 *\\\\Invoke\\-DowngradeAccount.ps1 *\\\\Get\\-ServiceUnquoted.ps1 *\\\\Get\\-ServiceFilePermission.ps1 *\\\\Get\\-ServicePermission.ps1 *\\\\Invoke\\-ServiceAbuse.ps1 *\\\\Install\\-ServiceBinary.ps1 *\\\\Get\\-RegAutoLogon.ps1 *\\\\Get\\-VulnAutoRun.ps1 *\\\\Get\\-VulnSchTask.ps1 *\\\\Get\\-UnattendedInstallFile.ps1 *\\\\Get\\-WebConfig.ps1 *\\\\Get\\-ApplicationHost.ps1 *\\\\Get\\-RegAlwaysInstallElevated.ps1 *\\\\Get\\-Unconstrained.ps1 *\\\\Add\\-RegBackdoor.ps1 *\\\\Add\\-ScrnSaveBackdoor.ps1 *\\\\Gupt\\-Backdoor.ps1 *\\\\Invoke\\-ADSBackdoor.ps1 *\\\\Enabled\\-DuplicateToken.ps1 *\\\\Invoke\\-PsUaCme.ps1 *\\\\Remove\\-Update.ps1 *\\\\Check\\-VM.ps1 *\\\\Get\\-LSASecret.ps1 *\\\\Get\\-PassHashes.ps1 *\\\\Invoke\\-Mimikatz.ps1 *\\\\Show\\-TargetScreen.ps1 *\\\\Port\\-Scan.ps1 *\\\\Invoke\\-PoshRatHttp.ps1 *\\\\Invoke\\-PowerShellTCP.ps1 *\\\\Invoke\\-PowerShellWMI.ps1 *\\\\Add\\-Exfiltration.ps1 *\\\\Add\\-Persistence.ps1 *\\\\Do\\-Exfiltration.ps1 *\\\\Start\\-CaptureServer.ps1 *\\\\Invoke\\-ShellCode.ps1 *\\\\Get\\-ChromeDump.ps1 *\\\\Get\\-ClipboardContents.ps1 *\\\\Get\\-FoxDump.ps1 *\\\\Get\\-IndexedItem.ps1 *\\\\Get\\-Screenshot.ps1 *\\\\Invoke\\-Inveigh.ps1 *\\\\Invoke\\-NetRipper.ps1 *\\\\Invoke\\-EgressCheck.ps1 *\\\\Invoke\\-PostExfil.ps1 *\\\\Invoke\\-PSInject.ps1 *\\\\Invoke\\-RunAs.ps1 *\\\\MailRaider.ps1 *\\\\New\\-HoneyHash.ps1 *\\\\Set\\-MacAttribute.ps1 *\\\\Invoke\\-DCSync.ps1 *\\\\Invoke\\-PowerDump.ps1 
*\\\\Exploit\\-Jboss.ps1 *\\\\Invoke\\-ThunderStruck.ps1 *\\\\Invoke\\-VoiceTroll.ps1 *\\\\Set\\-Wallpaper.ps1 *\\\\Invoke\\-InveighRelay.ps1 *\\\\Invoke\\-PsExec.ps1 *\\\\Invoke\\-SSHCommand.ps1 *\\\\Get\\-SecurityPackages.ps1 *\\\\Install\\-SSP.ps1 *\\\\Invoke\\-BackdoorLNK.ps1 *\\\\PowerBreach.ps1 *\\\\Get\\-SiteListPassword.ps1 *\\\\Get\\-System.ps1 *\\\\Invoke\\-BypassUAC.ps1 *\\\\Invoke\\-Tater.ps1 *\\\\Invoke\\-WScriptBypassUAC.ps1 *\\\\PowerUp.ps1 *\\\\PowerView.ps1 *\\\\Get\\-RickAstley.ps1 *\\\\Find\\-Fruit.ps1 *\\\\HTTP\\-Login.ps1 *\\\\Find\\-TrustedDocuments.ps1 *\\\\Invoke\\-Paranoia.ps1 *\\\\Invoke\\-WinEnum.ps1 *\\\\Invoke\\-ARPScan.ps1 *\\\\Invoke\\-PortScan.ps1 *\\\\Invoke\\-ReverseDNSLookup.ps1 *\\\\Invoke\\-SMBScanner.ps1 *\\\\Invoke\\-Mimikittenz.ps1))
X-Pack Watcher
# Registers an X-Pack Watcher watch for the rule above on a local Elasticsearch
# (localhost:9200, no credentials or TLS in the command as written). It runs the
# Kibana query every 30m and emails when the hit count is non-zero.
# Review before deploying: "to": null leaves the email action with no recipient,
# "indices": [] searches every index instead of the Sysmon/Windows event index,
# and the watch inherits the duplicate Invoke-Mimikatz.ps1 term from the rule.
# The "\n" and "\'" sequences are literal escapes in this rendering - presumably a
# serialisation artefact; the command needs real newlines and plain quotes to run.
curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_xpack/watcher/watch/Malicious-PowerShell-Commandlet-Names <<EOF\n{\n "trigger": {\n "schedule": {\n "interval": "30m"\n }\n },\n "input": {\n "search": {\n "request": {\n "body": {\n "size": 0,\n "query": {\n "query_string": {\n "query": "(EventID:\\"11\\" AND TargetFilename.keyword:(*\\\\\\\\Invoke\\\\-DllInjection.ps1 *\\\\\\\\Invoke\\\\-WmiCommand.ps1 *\\\\\\\\Get\\\\-GPPPassword.ps1 *\\\\\\\\Get\\\\-Keystrokes.ps1 *\\\\\\\\Get\\\\-VaultCredential.ps1 *\\\\\\\\Invoke\\\\-CredentialInjection.ps1 *\\\\\\\\Invoke\\\\-Mimikatz.ps1 *\\\\\\\\Invoke\\\\-NinjaCopy.ps1 *\\\\\\\\Invoke\\\\-TokenManipulation.ps1 *\\\\\\\\Out\\\\-Minidump.ps1 *\\\\\\\\VolumeShadowCopyTools.ps1 *\\\\\\\\Invoke\\\\-ReflectivePEInjection.ps1 *\\\\\\\\Get\\\\-TimedScreenshot.ps1 *\\\\\\\\Invoke\\\\-UserHunter.ps1 *\\\\\\\\Find\\\\-GPOLocation.ps1 *\\\\\\\\Invoke\\\\-ACLScanner.ps1 *\\\\\\\\Invoke\\\\-DowngradeAccount.ps1 *\\\\\\\\Get\\\\-ServiceUnquoted.ps1 *\\\\\\\\Get\\\\-ServiceFilePermission.ps1 *\\\\\\\\Get\\\\-ServicePermission.ps1 *\\\\\\\\Invoke\\\\-ServiceAbuse.ps1 *\\\\\\\\Install\\\\-ServiceBinary.ps1 *\\\\\\\\Get\\\\-RegAutoLogon.ps1 *\\\\\\\\Get\\\\-VulnAutoRun.ps1 *\\\\\\\\Get\\\\-VulnSchTask.ps1 *\\\\\\\\Get\\\\-UnattendedInstallFile.ps1 *\\\\\\\\Get\\\\-WebConfig.ps1 *\\\\\\\\Get\\\\-ApplicationHost.ps1 *\\\\\\\\Get\\\\-RegAlwaysInstallElevated.ps1 *\\\\\\\\Get\\\\-Unconstrained.ps1 *\\\\\\\\Add\\\\-RegBackdoor.ps1 *\\\\\\\\Add\\\\-ScrnSaveBackdoor.ps1 *\\\\\\\\Gupt\\\\-Backdoor.ps1 *\\\\\\\\Invoke\\\\-ADSBackdoor.ps1 *\\\\\\\\Enabled\\\\-DuplicateToken.ps1 *\\\\\\\\Invoke\\\\-PsUaCme.ps1 *\\\\\\\\Remove\\\\-Update.ps1 *\\\\\\\\Check\\\\-VM.ps1 *\\\\\\\\Get\\\\-LSASecret.ps1 *\\\\\\\\Get\\\\-PassHashes.ps1 *\\\\\\\\Invoke\\\\-Mimikatz.ps1 *\\\\\\\\Show\\\\-TargetScreen.ps1 *\\\\\\\\Port\\\\-Scan.ps1 *\\\\\\\\Invoke\\\\-PoshRatHttp.ps1 *\\\\\\\\Invoke\\\\-PowerShellTCP.ps1 
*\\\\\\\\Invoke\\\\-PowerShellWMI.ps1 *\\\\\\\\Add\\\\-Exfiltration.ps1 *\\\\\\\\Add\\\\-Persistence.ps1 *\\\\\\\\Do\\\\-Exfiltration.ps1 *\\\\\\\\Start\\\\-CaptureServer.ps1 *\\\\\\\\Invoke\\\\-ShellCode.ps1 *\\\\\\\\Get\\\\-ChromeDump.ps1 *\\\\\\\\Get\\\\-ClipboardContents.ps1 *\\\\\\\\Get\\\\-FoxDump.ps1 *\\\\\\\\Get\\\\-IndexedItem.ps1 *\\\\\\\\Get\\\\-Screenshot.ps1 *\\\\\\\\Invoke\\\\-Inveigh.ps1 *\\\\\\\\Invoke\\\\-NetRipper.ps1 *\\\\\\\\Invoke\\\\-EgressCheck.ps1 *\\\\\\\\Invoke\\\\-PostExfil.ps1 *\\\\\\\\Invoke\\\\-PSInject.ps1 *\\\\\\\\Invoke\\\\-RunAs.ps1 *\\\\\\\\MailRaider.ps1 *\\\\\\\\New\\\\-HoneyHash.ps1 *\\\\\\\\Set\\\\-MacAttribute.ps1 *\\\\\\\\Invoke\\\\-DCSync.ps1 *\\\\\\\\Invoke\\\\-PowerDump.ps1 *\\\\\\\\Exploit\\\\-Jboss.ps1 *\\\\\\\\Invoke\\\\-ThunderStruck.ps1 *\\\\\\\\Invoke\\\\-VoiceTroll.ps1 *\\\\\\\\Set\\\\-Wallpaper.ps1 *\\\\\\\\Invoke\\\\-InveighRelay.ps1 *\\\\\\\\Invoke\\\\-PsExec.ps1 *\\\\\\\\Invoke\\\\-SSHCommand.ps1 *\\\\\\\\Get\\\\-SecurityPackages.ps1 *\\\\\\\\Install\\\\-SSP.ps1 *\\\\\\\\Invoke\\\\-BackdoorLNK.ps1 *\\\\\\\\PowerBreach.ps1 *\\\\\\\\Get\\\\-SiteListPassword.ps1 *\\\\\\\\Get\\\\-System.ps1 *\\\\\\\\Invoke\\\\-BypassUAC.ps1 *\\\\\\\\Invoke\\\\-Tater.ps1 *\\\\\\\\Invoke\\\\-WScriptBypassUAC.ps1 *\\\\\\\\PowerUp.ps1 *\\\\\\\\PowerView.ps1 *\\\\\\\\Get\\\\-RickAstley.ps1 *\\\\\\\\Find\\\\-Fruit.ps1 *\\\\\\\\HTTP\\\\-Login.ps1 *\\\\\\\\Find\\\\-TrustedDocuments.ps1 *\\\\\\\\Invoke\\\\-Paranoia.ps1 *\\\\\\\\Invoke\\\\-WinEnum.ps1 *\\\\\\\\Invoke\\\\-ARPScan.ps1 *\\\\\\\\Invoke\\\\-PortScan.ps1 *\\\\\\\\Invoke\\\\-ReverseDNSLookup.ps1 *\\\\\\\\Invoke\\\\-SMBScanner.ps1 *\\\\\\\\Invoke\\\\-Mimikittenz.ps1))",\n "analyze_wildcard": true\n }\n }\n },\n "indices": []\n }\n }\n },\n "condition": {\n "compare": {\n "ctx.payload.hits.total": {\n "not_eq": 0\n }\n }\n },\n "actions": {\n "send_email": {\n "email": {\n "to": null,\n "subject": "Sigma Rule \'Malicious PowerShell Commandlet Names\'",\n "body": 
"Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n "attachments": {\n "data.json": {\n "data": {\n "format": "json"\n }\n }\n }\n }\n }\n }\n}\nEOF\n
Graylog
(EventID:"11" AND TargetFilename:("*\\\\Invoke\\-DllInjection.ps1" "*\\\\Invoke\\-WmiCommand.ps1" "*\\\\Get\\-GPPPassword.ps1" "*\\\\Get\\-Keystrokes.ps1" "*\\\\Get\\-VaultCredential.ps1" "*\\\\Invoke\\-CredentialInjection.ps1" "*\\\\Invoke\\-Mimikatz.ps1" "*\\\\Invoke\\-NinjaCopy.ps1" "*\\\\Invoke\\-TokenManipulation.ps1" "*\\\\Out\\-Minidump.ps1" "*\\\\VolumeShadowCopyTools.ps1" "*\\\\Invoke\\-ReflectivePEInjection.ps1" "*\\\\Get\\-TimedScreenshot.ps1" "*\\\\Invoke\\-UserHunter.ps1" "*\\\\Find\\-GPOLocation.ps1" "*\\\\Invoke\\-ACLScanner.ps1" "*\\\\Invoke\\-DowngradeAccount.ps1" "*\\\\Get\\-ServiceUnquoted.ps1" "*\\\\Get\\-ServiceFilePermission.ps1" "*\\\\Get\\-ServicePermission.ps1" "*\\\\Invoke\\-ServiceAbuse.ps1" "*\\\\Install\\-ServiceBinary.ps1" "*\\\\Get\\-RegAutoLogon.ps1" "*\\\\Get\\-VulnAutoRun.ps1" "*\\\\Get\\-VulnSchTask.ps1" "*\\\\Get\\-UnattendedInstallFile.ps1" "*\\\\Get\\-WebConfig.ps1" "*\\\\Get\\-ApplicationHost.ps1" "*\\\\Get\\-RegAlwaysInstallElevated.ps1" "*\\\\Get\\-Unconstrained.ps1" "*\\\\Add\\-RegBackdoor.ps1" "*\\\\Add\\-ScrnSaveBackdoor.ps1" "*\\\\Gupt\\-Backdoor.ps1" "*\\\\Invoke\\-ADSBackdoor.ps1" "*\\\\Enabled\\-DuplicateToken.ps1" "*\\\\Invoke\\-PsUaCme.ps1" "*\\\\Remove\\-Update.ps1" "*\\\\Check\\-VM.ps1" "*\\\\Get\\-LSASecret.ps1" "*\\\\Get\\-PassHashes.ps1" "*\\\\Invoke\\-Mimikatz.ps1" "*\\\\Show\\-TargetScreen.ps1" "*\\\\Port\\-Scan.ps1" "*\\\\Invoke\\-PoshRatHttp.ps1" "*\\\\Invoke\\-PowerShellTCP.ps1" "*\\\\Invoke\\-PowerShellWMI.ps1" "*\\\\Add\\-Exfiltration.ps1" "*\\\\Add\\-Persistence.ps1" "*\\\\Do\\-Exfiltration.ps1" "*\\\\Start\\-CaptureServer.ps1" "*\\\\Invoke\\-ShellCode.ps1" "*\\\\Get\\-ChromeDump.ps1" "*\\\\Get\\-ClipboardContents.ps1" "*\\\\Get\\-FoxDump.ps1" "*\\\\Get\\-IndexedItem.ps1" "*\\\\Get\\-Screenshot.ps1" "*\\\\Invoke\\-Inveigh.ps1" "*\\\\Invoke\\-NetRipper.ps1" "*\\\\Invoke\\-EgressCheck.ps1" "*\\\\Invoke\\-PostExfil.ps1" "*\\\\Invoke\\-PSInject.ps1" "*\\\\Invoke\\-RunAs.ps1" "*\\\\MailRaider.ps1" 
"*\\\\New\\-HoneyHash.ps1" "*\\\\Set\\-MacAttribute.ps1" "*\\\\Invoke\\-DCSync.ps1" "*\\\\Invoke\\-PowerDump.ps1" "*\\\\Exploit\\-Jboss.ps1" "*\\\\Invoke\\-ThunderStruck.ps1" "*\\\\Invoke\\-VoiceTroll.ps1" "*\\\\Set\\-Wallpaper.ps1" "*\\\\Invoke\\-InveighRelay.ps1" "*\\\\Invoke\\-PsExec.ps1" "*\\\\Invoke\\-SSHCommand.ps1" "*\\\\Get\\-SecurityPackages.ps1" "*\\\\Install\\-SSP.ps1" "*\\\\Invoke\\-BackdoorLNK.ps1" "*\\\\PowerBreach.ps1" "*\\\\Get\\-SiteListPassword.ps1" "*\\\\Get\\-System.ps1" "*\\\\Invoke\\-BypassUAC.ps1" "*\\\\Invoke\\-Tater.ps1" "*\\\\Invoke\\-WScriptBypassUAC.ps1" "*\\\\PowerUp.ps1" "*\\\\PowerView.ps1" "*\\\\Get\\-RickAstley.ps1" "*\\\\Find\\-Fruit.ps1" "*\\\\HTTP\\-Login.ps1" "*\\\\Find\\-TrustedDocuments.ps1" "*\\\\Invoke\\-Paranoia.ps1" "*\\\\Invoke\\-WinEnum.ps1" "*\\\\Invoke\\-ARPScan.ps1" "*\\\\Invoke\\-PortScan.ps1" "*\\\\Invoke\\-ReverseDNSLookup.ps1" "*\\\\Invoke\\-SMBScanner.ps1" "*\\\\Invoke\\-Mimikittenz.ps1"))