CSEC_PUBLIC/hayabusa
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
Files
0d4fe82a23f28c7feca726bc96688587111afdd3
hayabusa/rules/sigma/powershell/powershell_script/powershell_malicious_commandlets.yml
itiB 83d891b2fa Feature/rm submodule (#312) 
* rm: submodule

* Add: rules

* Fix: hayabusa-rules to c9c10a
2021-12-20 21:14:32 +09:00

127 lines
3.4 KiB
YAML
Raw Blame History

title: Malicious PowerShell Commandlets
ruletype: Sigma
author: Sean Metcalf (source), Florian Roth (rule), Bartlomiej Czyz @bczyz1 (update),
oscd.community (update)
date: 2017/03/05
description: Detects Commandlet names from well-known PowerShell exploitation frameworks
detection:
SELECTION_1:
ScriptBlockText:
- '*Invoke-DllInjection*'
- '*Invoke-Shellcode*'
- '*Invoke-WmiCommand*'
- '*Get-GPPPassword*'
- '*Get-Keystrokes*'
- '*Get-TimedScreenshot*'
- '*Get-VaultCredential*'
- '*Invoke-CredentialInjection*'
- '*Invoke-Mimikatz*'
- '*Invoke-NinjaCopy*'
- '*Invoke-TokenManipulation*'
- '*Out-Minidump*'
- '*VolumeShadowCopyTools*'
- '*Invoke-ReflectivePEInjection*'
- '*Invoke-UserHunter*'
- '*Find-GPOLocation*'
- '*Invoke-ACLScanner*'
- '*Invoke-DowngradeAccount*'
- '*Get-ServiceUnquoted*'
- '*Get-ServiceFilePermission*'
- '*Get-ServicePermission*'
- '*Invoke-ServiceAbuse*'
- '*Install-ServiceBinary*'
- '*Get-RegAutoLogon*'
- '*Get-VulnAutoRun*'
- '*Get-VulnSchTask*'
- '*Get-UnattendedInstallFile*'
- '*Get-ApplicationHost*'
- '*Get-RegAlwaysInstallElevated*'
- '*Get-Unconstrained*'
- '*Add-RegBackdoor*'
- '*Add-ScrnSaveBackdoor*'
- '*Gupt-Backdoor*'
- '*Invoke-ADSBackdoor*'
- '*Enabled-DuplicateToken*'
- '*Invoke-PsUaCme*'
- '*Remove-Update*'
- '*Check-VM*'
- '*Get-LSASecret*'
- '*Get-PassHashes*'
- '*Show-TargetScreen*'
- '*Port-Scan*'
- '*Invoke-PoshRatHttp*'
- '*Invoke-PowerShellTCP*'
- '*Invoke-PowerShellWMI*'
- '*Add-Exfiltration*'
- '*Add-Persistence*'
- '*Do-Exfiltration*'
- '*Start-CaptureServer*'
- '*Get-ChromeDump*'
- '*Get-ClipboardContents*'
- '*Get-FoxDump*'
- '*Get-IndexedItem*'
- '*Get-Screenshot*'
- '*Invoke-Inveigh*'
- '*Invoke-NetRipper*'
- '*Invoke-EgressCheck*'
- '*Invoke-PostExfil*'
- '*Invoke-PSInject*'
- '*Invoke-RunAs*'
- '*MailRaider*'
- '*New-HoneyHash*'
- '*Set-MacAttribute*'
- '*Invoke-DCSync*'
- '*Invoke-PowerDump*'
- '*Exploit-Jboss*'
- '*Invoke-ThunderStruck*'
- '*Invoke-VoiceTroll*'
- '*Set-Wallpaper*'
- '*Invoke-InveighRelay*'
- '*Invoke-PsExec*'
- '*Invoke-SSHCommand*'
- '*Get-SecurityPackages*'
- '*Install-SSP*'
- '*Invoke-BackdoorLNK*'
- '*PowerBreach*'
- '*Get-SiteListPassword*'
- '*Get-System*'
- '*Invoke-BypassUAC*'
- '*Invoke-Tater*'
- '*Invoke-WScriptBypassUAC*'
- '*PowerUp*'
- '*PowerView*'
- '*Get-RickAstley*'
- '*Find-Fruit*'
- '*HTTP-Login*'
- '*Find-TrustedDocuments*'
- '*Invoke-Paranoia*'
- '*Invoke-WinEnum*'
- '*Invoke-ARPScan*'
- '*Invoke-PortScan*'
- '*Invoke-ReverseDNSLookup*'
- '*Invoke-SMBScanner*'
- '*Invoke-Mimikittenz*'
- '*Invoke-AllChecks*'
SELECTION_2:
ScriptBlockText:
- '*Get-SystemDriveInfo*'
- '*C:\ProgramData\Amazon\EC2-Windows\Launch\Module\Scripts\Set-Wallpaper.ps1*'
condition: (SELECTION_1 and not (SELECTION_2))
falsepositives:
- Penetration testing
id: 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
level: high
logsource:
category: ps_script
definition: Script Block Logging must be enable
product: windows
modified: 2021/11/29
references:
- https://adsecurity.org/?p=2921
status: experimental
tags:
- attack.execution
- attack.t1059.001
- attack.t1086
Reference in New Issue View Git Blame Copy Permalink