hayabusa/rules/Sigma/powershell_powerview_malicious_commandlets.yml

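# Sigma rule: flags PowerView (PowerSploit Recon module) cmdlet names appearing in
# PowerShell script block text. logsource category ps_script means the rule only
# has data to work with when Script Block Logging is turned on (see `definition`).
# Each SELECTION_n is an unanchored substring match on one cmdlet name; the list
# covers both PowerView's legacy names (Get-Net*, Invoke-*) and the renamed ones
# (Get-Domain*, Find-Domain*). Indentation below restored to 2 spaces so the
# detection block nests under `detection:` and the multi-line condition folds
# correctly; no values were changed.
title: Malicious PowerView PowerShell Commandlets
author: Bhabesh Raj
date: 2021/05/18
description: Detects Commandlet names from PowerView of PowerSploit exploitation framework.
detection:
  SELECTION_1:
    ScriptBlockText: '*Export-PowerViewCSV*'
  SELECTION_10:
    ScriptBlockText: '*Invoke-UserImpersonation*'
  SELECTION_100:
    ScriptBlockText: '*Invoke-UserHunter*'
  SELECTION_101:
    ScriptBlockText: '*Find-DomainUserLocation*'
  SELECTION_102:
    ScriptBlockText: '*Invoke-ProcessHunter*'
  SELECTION_103:
    ScriptBlockText: '*Find-DomainProcess*'
  SELECTION_104:
    ScriptBlockText: '*Invoke-EventHunter*'
  SELECTION_105:
    ScriptBlockText: '*Find-DomainUserEvent*'
  SELECTION_106:
    ScriptBlockText: '*Invoke-ShareFinder*'
  SELECTION_107:
    ScriptBlockText: '*Find-DomainShare*'
  SELECTION_108:
    ScriptBlockText: '*Invoke-FileFinder*'
  SELECTION_109:
    ScriptBlockText: '*Find-InterestingDomainShareFile*'
  SELECTION_11:
    ScriptBlockText: '*Invoke-RevertToSelf*'
  SELECTION_110:
    ScriptBlockText: '*Find-LocalAdminAccess*'
  SELECTION_111:
    ScriptBlockText: '*Invoke-EnumerateLocalAdmin*'
  SELECTION_112:
    ScriptBlockText: '*Find-DomainLocalGroupMember*'
  SELECTION_113:
    ScriptBlockText: '*Get-NetDomainTrust*'
  SELECTION_114:
    ScriptBlockText: '*Get-DomainTrust*'
  SELECTION_115:
    ScriptBlockText: '*Get-NetForestTrust*'
  SELECTION_116:
    ScriptBlockText: '*Get-ForestTrust*'
  SELECTION_117:
    ScriptBlockText: '*Find-ForeignUser*'
  SELECTION_118:
    ScriptBlockText: '*Get-DomainForeignUser*'
  SELECTION_119:
    ScriptBlockText: '*Find-ForeignGroup*'
  SELECTION_12:
    ScriptBlockText: '*Request-SPNTicket*'
  SELECTION_120:
    ScriptBlockText: '*Get-DomainForeignGroupMember*'
  SELECTION_121:
    ScriptBlockText: '*Invoke-MapDomainTrust*'
  SELECTION_122:
    ScriptBlockText: '*Get-DomainTrustMapping*'
  SELECTION_13:
    ScriptBlockText: '*Get-DomainSPNTicket*'
  SELECTION_14:
    ScriptBlockText: '*Invoke-Kerberoast*'
  SELECTION_15:
    ScriptBlockText: '*Get-PathAcl*'
  SELECTION_16:
    ScriptBlockText: '*Get-DNSZone*'
  SELECTION_17:
    ScriptBlockText: '*Get-DomainDNSZone*'
  SELECTION_18:
    ScriptBlockText: '*Get-DNSRecord*'
  SELECTION_19:
    ScriptBlockText: '*Get-DomainDNSRecord*'
  SELECTION_2:
    ScriptBlockText: '*Get-IPAddress*'
  SELECTION_20:
    ScriptBlockText: '*Get-NetDomain*'
  # '*Get-Domain*' is a superset of every other 'Get-Domain…' pattern in this
  # rule (and of '*Get-DomainSID*', '*Get-DomainPolicy*', …); the narrower
  # selections add nothing to the match set, only readability of the list.
  SELECTION_21:
    ScriptBlockText: '*Get-Domain*'
  SELECTION_22:
    ScriptBlockText: '*Get-NetDomainController*'
  SELECTION_23:
    ScriptBlockText: '*Get-DomainController*'
  SELECTION_24:
    ScriptBlockText: '*Get-NetForest*'
  SELECTION_25:
    ScriptBlockText: '*Get-Forest*'
  SELECTION_26:
    ScriptBlockText: '*Get-NetForestDomain*'
  SELECTION_27:
    ScriptBlockText: '*Get-ForestDomain*'
  SELECTION_28:
    ScriptBlockText: '*Get-NetForestCatalog*'
  SELECTION_29:
    ScriptBlockText: '*Get-ForestGlobalCatalog*'
  SELECTION_3:
    ScriptBlockText: '*Resolve-IPAddress*'
  SELECTION_30:
    ScriptBlockText: '*Find-DomainObjectPropertyOutlier*'
  SELECTION_31:
    ScriptBlockText: '*Get-NetUser*'
  SELECTION_32:
    ScriptBlockText: '*Get-DomainUser*'
  SELECTION_33:
    ScriptBlockText: '*New-DomainUser*'
  SELECTION_34:
    ScriptBlockText: '*Set-DomainUserPassword*'
  SELECTION_35:
    ScriptBlockText: '*Get-UserEvent*'
  SELECTION_36:
    ScriptBlockText: '*Get-DomainUserEvent*'
  SELECTION_37:
    ScriptBlockText: '*Get-NetComputer*'
  SELECTION_38:
    ScriptBlockText: '*Get-DomainComputer*'
  # NOTE(review): Get-ADObject and Set-ADObject (SELECTION_39 / SELECTION_41)
  # are also the names of the Microsoft ActiveDirectory (RSAT) module cmdlets,
  # so these two substrings fire on ordinary AD administration scripts. That
  # contradicts the "should not be any" falsepositives entry below; tune or
  # exclude them on hosts where the AD module is legitimately used.
  SELECTION_39:
    ScriptBlockText: '*Get-ADObject*'
  SELECTION_4:
    ScriptBlockText: '*Convert-NameToSid*'
  SELECTION_40:
    ScriptBlockText: '*Get-DomainObject*'
  SELECTION_41:
    ScriptBlockText: '*Set-ADObject*'
  SELECTION_42:
    ScriptBlockText: '*Set-DomainObject*'
  SELECTION_43:
    ScriptBlockText: '*Get-ObjectAcl*'
  SELECTION_44:
    ScriptBlockText: '*Get-DomainObjectAcl*'
  SELECTION_45:
    ScriptBlockText: '*Add-ObjectAcl*'
  SELECTION_46:
    ScriptBlockText: '*Add-DomainObjectAcl*'
  SELECTION_47:
    ScriptBlockText: '*Invoke-ACLScanner*'
  SELECTION_48:
    ScriptBlockText: '*Find-InterestingDomainAcl*'
  SELECTION_49:
    ScriptBlockText: '*Get-NetOU*'
  SELECTION_5:
    ScriptBlockText: '*ConvertTo-SID*'
  SELECTION_50:
    ScriptBlockText: '*Get-DomainOU*'
  SELECTION_51:
    ScriptBlockText: '*Get-NetSite*'
  SELECTION_52:
    ScriptBlockText: '*Get-DomainSite*'
  SELECTION_53:
    ScriptBlockText: '*Get-NetSubnet*'
  SELECTION_54:
    ScriptBlockText: '*Get-DomainSubnet*'
  SELECTION_55:
    ScriptBlockText: '*Get-DomainSID*'
  SELECTION_56:
    ScriptBlockText: '*Get-NetGroup*'
  SELECTION_57:
    ScriptBlockText: '*Get-DomainGroup*'
  SELECTION_58:
    ScriptBlockText: '*New-DomainGroup*'
  SELECTION_59:
    ScriptBlockText: '*Find-ManagedSecurityGroups*'
  SELECTION_6:
    ScriptBlockText: '*Convert-ADName*'
  SELECTION_60:
    ScriptBlockText: '*Get-DomainManagedSecurityGroup*'
  SELECTION_61:
    ScriptBlockText: '*Get-NetGroupMember*'
  SELECTION_62:
    ScriptBlockText: '*Get-DomainGroupMember*'
  SELECTION_63:
    ScriptBlockText: '*Add-DomainGroupMember*'
  SELECTION_64:
    ScriptBlockText: '*Get-NetFileServer*'
  SELECTION_65:
    ScriptBlockText: '*Get-DomainFileServer*'
  SELECTION_66:
    ScriptBlockText: '*Get-DFSshare*'
  SELECTION_67:
    ScriptBlockText: '*Get-DomainDFSShare*'
  SELECTION_68:
    ScriptBlockText: '*Get-NetGPO*'
  SELECTION_69:
    ScriptBlockText: '*Get-DomainGPO*'
  SELECTION_7:
    ScriptBlockText: '*ConvertFrom-UACValue*'
  SELECTION_70:
    ScriptBlockText: '*Get-NetGPOGroup*'
  SELECTION_71:
    ScriptBlockText: '*Get-DomainGPOLocalGroup*'
  SELECTION_72:
    ScriptBlockText: '*Find-GPOLocation*'
  SELECTION_73:
    ScriptBlockText: '*Get-DomainGPOUserLocalGroupMapping*'
  SELECTION_74:
    ScriptBlockText: '*Find-GPOComputerAdmin*'
  SELECTION_75:
    ScriptBlockText: '*Get-DomainGPOComputerLocalGroupMapping*'
  SELECTION_76:
    ScriptBlockText: '*Get-DomainPolicy*'
  SELECTION_77:
    ScriptBlockText: '*Get-NetLocalGroup*'
  SELECTION_78:
    ScriptBlockText: '*Get-NetLocalGroupMember*'
  SELECTION_79:
    ScriptBlockText: '*Get-NetShare*'
  SELECTION_8:
    ScriptBlockText: '*Add-RemoteConnection*'
  SELECTION_80:
    ScriptBlockText: '*Get-NetLoggedon*'
  SELECTION_81:
    ScriptBlockText: '*Get-NetSession*'
  SELECTION_82:
    ScriptBlockText: '*Get-LoggedOnLocal*'
  SELECTION_83:
    ScriptBlockText: '*Get-RegLoggedOn*'
  SELECTION_84:
    ScriptBlockText: '*Get-NetRDPSession*'
  SELECTION_85:
    ScriptBlockText: '*Invoke-CheckLocalAdminAccess*'
  SELECTION_86:
    ScriptBlockText: '*Test-AdminAccess*'
  SELECTION_87:
    ScriptBlockText: '*Get-SiteName*'
  SELECTION_88:
    ScriptBlockText: '*Get-NetComputerSiteName*'
  SELECTION_89:
    ScriptBlockText: '*Get-Proxy*'
  SELECTION_9:
    ScriptBlockText: '*Remove-RemoteConnection*'
  SELECTION_90:
    ScriptBlockText: '*Get-WMIRegProxy*'
  SELECTION_91:
    ScriptBlockText: '*Get-LastLoggedOn*'
  SELECTION_92:
    ScriptBlockText: '*Get-WMIRegLastLoggedOn*'
  SELECTION_93:
    ScriptBlockText: '*Get-CachedRDPConnection*'
  SELECTION_94:
    ScriptBlockText: '*Get-WMIRegCachedRDPConnection*'
  SELECTION_95:
    ScriptBlockText: '*Get-RegistryMountedDrive*'
  SELECTION_96:
    ScriptBlockText: '*Get-WMIRegMountedDrive*'
  SELECTION_97:
    ScriptBlockText: '*Get-NetProcess*'
  SELECTION_98:
    ScriptBlockText: '*Get-WMIProcess*'
  SELECTION_99:
    ScriptBlockText: '*Find-InterestingFile*'
  # Any single selection is enough to alert. This is one plain multi-line
  # scalar: the continuation lines are indented past the key so YAML folds the
  # line breaks into spaces and yields a single OR expression.
  condition: (SELECTION_1 or SELECTION_2 or SELECTION_3 or SELECTION_4 or SELECTION_5
    or SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9 or SELECTION_10
    or SELECTION_11 or SELECTION_12 or SELECTION_13 or SELECTION_14 or SELECTION_15
    or SELECTION_16 or SELECTION_17 or SELECTION_18 or SELECTION_19 or SELECTION_20
    or SELECTION_21 or SELECTION_22 or SELECTION_23 or SELECTION_24 or SELECTION_25
    or SELECTION_26 or SELECTION_27 or SELECTION_28 or SELECTION_29 or SELECTION_30
    or SELECTION_31 or SELECTION_32 or SELECTION_33 or SELECTION_34 or SELECTION_35
    or SELECTION_36 or SELECTION_37 or SELECTION_38 or SELECTION_39 or SELECTION_40
    or SELECTION_41 or SELECTION_42 or SELECTION_43 or SELECTION_44 or SELECTION_45
    or SELECTION_46 or SELECTION_47 or SELECTION_48 or SELECTION_49 or SELECTION_50
    or SELECTION_51 or SELECTION_52 or SELECTION_53 or SELECTION_54 or SELECTION_55
    or SELECTION_56 or SELECTION_57 or SELECTION_58 or SELECTION_59 or SELECTION_60
    or SELECTION_61 or SELECTION_62 or SELECTION_63 or SELECTION_64 or SELECTION_65
    or SELECTION_66 or SELECTION_67 or SELECTION_68 or SELECTION_69 or SELECTION_70
    or SELECTION_71 or SELECTION_72 or SELECTION_73 or SELECTION_74 or SELECTION_75
    or SELECTION_76 or SELECTION_77 or SELECTION_78 or SELECTION_79 or SELECTION_80
    or SELECTION_81 or SELECTION_82 or SELECTION_83 or SELECTION_84 or SELECTION_85
    or SELECTION_86 or SELECTION_87 or SELECTION_88 or SELECTION_89 or SELECTION_90
    or SELECTION_91 or SELECTION_92 or SELECTION_93 or SELECTION_94 or SELECTION_95
    or SELECTION_96 or SELECTION_97 or SELECTION_98 or SELECTION_99 or SELECTION_100
    or SELECTION_101 or SELECTION_102 or SELECTION_103 or SELECTION_104 or SELECTION_105
    or SELECTION_106 or SELECTION_107 or SELECTION_108 or SELECTION_109 or SELECTION_110
    or SELECTION_111 or SELECTION_112 or SELECTION_113 or SELECTION_114 or SELECTION_115
    or SELECTION_116 or SELECTION_117 or SELECTION_118 or SELECTION_119 or SELECTION_120
    or SELECTION_121 or SELECTION_122)
# See the note at SELECTION_39: the Get-ADObject / Set-ADObject patterns do hit
# legitimate ActiveDirectory-module usage, so this claim is optimistic.
falsepositives:
  - Should not be any as administrators do not use this tool
id: dcd74b95-3f36-4ed9-9598-0490951643aa
level: high
logsource:
  category: ps_script
  # Without Script Block Logging there are no ScriptBlockText events at all, so
  # the rule is silent rather than noisy on hosts that lack the policy.
  definition: Script Block Logging must be enable
  product: windows
modified: 2021/10/16
references:
  - https://powersploit.readthedocs.io/en/stable/Recon/README
  - https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon
  - https://thedfirreport.com/2020/10/08/ryuks-return
  - https://adsecurity.org/?p=2277
status: experimental
tags:
  - attack.execution
  - attack.t1059.001
# The two keys below are not part of the Sigma schema; they appear to be
# metadata added by the converter that produced this file. yml_path is an
# absolute path from the converting machine's working copy, not a path on any
# analyzed host — harmless, but it leaks a local username and directory layout.
yml_filename: powershell_powerview_malicious_commandlets.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_script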