title: Bad Opsec Powershell Code Artifacts
id: 8d31a8ce-46b5-4dd6-bdc3-680931f1db86
related:
    - id: 73e733cc-1ace-3212-a107-ff2523cc9fc3
      type: derived
status: experimental
description: Detects trivial artifacts observed in variants of prevalent offensive PowerShell (ps1) payloads, including Cobalt Strike Beacon, PoshC2, PowerView, Letmein, Empire, PowerSploit and other attack tooling, which attackers often leave largely unchanged because of bad opsec.
author: ok @securonix invrep_de, oscd.community
date: 2020/10/09
modified: 2021/10/16
references:
    - https://newtonpaul.com/analysing-fileless-malware-cobalt-strike-beacon/
    - https://labs.sentinelone.com/top-tier-russian-organized-cybercrime-group-unveils-fileless-stealthy-powertrick-backdoor-for-high-value-targets/
    - https://www.mdeditor.tw/pl/pgRt
tags:
    - attack.execution
    - attack.t1059.001
    - attack.t1086
logsource:
    product: windows
    category: ps_module
    definition: PowerShell Module Logging must be enabled
detection:
    SELECTION_1:
        Payload: '*$DoIt*'
    SELECTION_2:
        Payload: '*harmj0y*'
    SELECTION_3:
        Payload: '*mattifestation*'
    SELECTION_4:
        Payload: '*_RastaMouse*'
    SELECTION_5:
        Payload: '*tifkin_*'
    SELECTION_6:
        Payload: '*0xdeadbeef*'
    condition: (SELECTION_1 or SELECTION_2 or SELECTION_3 or SELECTION_4 or SELECTION_5 or SELECTION_6)
falsepositives:
    - Moderate to low. Although some of these strings are short and low-entropy, they are specific enough that false positives have been fairly limited in many environments.
level: critical
yml_filename: powershell_bad_opsec_artifacts.yml
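The following is an added example, not part of the rule or of any Sigma backend: it evaluates the six selections above over constructed PowerShell Module Logging records the way a SIEM would. It assumes Sigma's usual semantics (a value wrapped in `*` means "contains", string comparison is case-insensitive) and that the `ps_module` logsource corresponds to Microsoft-Windows-PowerShell/Operational EventID 4103, whose `Payload` field carries the CommandInvocation/ParameterBinding text. The sample event payloads are constructed for illustration and are not captured telemetry.

```python
import re

# Wildcard patterns copied from the rule's six selections. In Sigma, a value
# wrapped in '*' means "contains", and string matching is case-insensitive.
SELECTIONS = {
    "SELECTION_1": "*$DoIt*",
    "SELECTION_2": "*harmj0y*",
    "SELECTION_3": "*mattifestation*",
    "SELECTION_4": "*_RastaMouse*",
    "SELECTION_5": "*tifkin_*",
    "SELECTION_6": "*0xdeadbeef*",
}

# Assumption: the ps_module logsource maps to Microsoft-Windows-PowerShell/Operational
# EventID 4103, whose "Payload" field holds the pipeline and parameter details.
PS_MODULE_EVENT_ID = 4103


def sigma_wildcard_to_regex(pattern):
    """Translate a Sigma wildcard string into a compiled, case-insensitive regex.

    re.escape() makes every regex metacharacter literal (so the '$' in '$DoIt'
    is a real dollar sign, not an end-of-string anchor); the escaped Sigma
    wildcards are then turned back into their regex equivalents. DOTALL lets
    '*' span the CR/LF sequences that 4103 payloads contain.
    """
    escaped = re.escape(pattern)
    regex = escaped.replace(r"\*", ".*").replace(r"\?", ".")
    return re.compile(regex, re.IGNORECASE | re.DOTALL)


COMPILED = {name: sigma_wildcard_to_regex(p) for name, p in SELECTIONS.items()}


def matching_selections(payload):
    """Return the names of every selection whose pattern matches the Payload field."""
    return [name for name, rx in COMPILED.items() if rx.fullmatch(payload)]


def run_rule(events):
    """Apply the rule (condition: SELECTION_1 or ... or SELECTION_6) to events.

    Each event is an (event_id, payload) tuple. Only Module Logging events are
    evaluated, mirroring the rule's logsource requirement; a script block
    logging record (4104) with the same text is deliberately not matched here.
    """
    hits = []
    for event_id, payload in events:
        if event_id != PS_MODULE_EVENT_ID:
            continue
        names = matching_selections(payload)
        if names:  # the rule's condition is a plain OR over the selections
            hits.append((payload, names))
    return hits


# Constructed sample events (not real telemetry). The payload text imitates the
# CommandInvocation/ParameterBinding layout of 4103 records.
SAMPLE_EVENTS = [
    (4103, 'CommandInvocation(Invoke-Expression): "Invoke-Expression"\r\n'
           'ParameterBinding(Invoke-Expression): name="Command"; '
           'value="$DoIt = @\'...\'@; IEX $DoIt"'),
    (4103, 'CommandInvocation(Invoke-Expression): "Invoke-Expression"\r\n'
           'ParameterBinding(Invoke-Expression): name="Command"; '
           'value="function Get-NetUser { <# Author: Will Schroeder (@harmj0y) #> }"'),
    (4103, 'ParameterBinding(Set-Variable): name="Value"; value="0xDEADBEEF"'),  # case differs from the rule
    (4103, 'CommandInvocation(Get-ChildItem): "Get-ChildItem"'),                 # benign, no hit
    (4104, 'ScriptBlockText: $DoIt = ...'),   # script block logging, outside the ps_module scope
]

if __name__ == "__main__":
    for payload, names in run_rule(SAMPLE_EVENTS):
        print(names, "<-", payload.splitlines()[0][:60])
```

Two details matter when porting the rule to a backend by hand: the `$` in `'*$DoIt*'` must be matched literally (an unescaped `$` in a regex is an anchor and the selection silently never fires), and the comparison must be case-insensitive, otherwise a payload with `0xDEADBEEF` slips past `'*0xdeadbeef*'`.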