CSEC_PUBLIC/hayabusa
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
Files
bad4429ad0367f9e00841faaf490cdba7c28ae9c
hayabusa/rules/alert-rules/sigma/powershell_malicious_commandlets.yml
Tanaka Zakku 771c86edbf change rules dir structure. addlogon timeline.
2021-11-18 08:43:13 +09:00

238 lines
8.4 KiB
YAML
Raw Blame History

title: Malicious PowerShell Commandlets
author: Sean Metcalf (source), Florian Roth (rule), Bartlomiej Czyz @bczyz1 (update),
oscd.community (update)
date: 2017/03/05
description: Detects Commandlet names from well-known PowerShell exploitation frameworks
detection:
SELECTION_1:
ScriptBlockText: '*Invoke-DllInjection*'
SELECTION_10:
ScriptBlockText: '*Invoke-NinjaCopy*'
SELECTION_11:
ScriptBlockText: '*Invoke-TokenManipulation*'
SELECTION_12:
ScriptBlockText: '*Out-Minidump*'
SELECTION_13:
ScriptBlockText: '*VolumeShadowCopyTools*'
SELECTION_14:
ScriptBlockText: '*Invoke-ReflectivePEInjection*'
SELECTION_15:
ScriptBlockText: '*Invoke-UserHunter*'
SELECTION_16:
ScriptBlockText: '*Find-GPOLocation*'
SELECTION_17:
ScriptBlockText: '*Invoke-ACLScanner*'
SELECTION_18:
ScriptBlockText: '*Invoke-DowngradeAccount*'
SELECTION_19:
ScriptBlockText: '*Get-ServiceUnquoted*'
SELECTION_2:
ScriptBlockText: '*Invoke-Shellcode*'
SELECTION_20:
ScriptBlockText: '*Get-ServiceFilePermission*'
SELECTION_21:
ScriptBlockText: '*Get-ServicePermission*'
SELECTION_22:
ScriptBlockText: '*Invoke-ServiceAbuse*'
SELECTION_23:
ScriptBlockText: '*Install-ServiceBinary*'
SELECTION_24:
ScriptBlockText: '*Get-RegAutoLogon*'
SELECTION_25:
ScriptBlockText: '*Get-VulnAutoRun*'
SELECTION_26:
ScriptBlockText: '*Get-VulnSchTask*'
SELECTION_27:
ScriptBlockText: '*Get-UnattendedInstallFile*'
SELECTION_28:
ScriptBlockText: '*Get-ApplicationHost*'
SELECTION_29:
ScriptBlockText: '*Get-RegAlwaysInstallElevated*'
SELECTION_3:
ScriptBlockText: '*Invoke-WmiCommand*'
SELECTION_30:
ScriptBlockText: '*Get-Unconstrained*'
SELECTION_31:
ScriptBlockText: '*Add-RegBackdoor*'
SELECTION_32:
ScriptBlockText: '*Add-ScrnSaveBackdoor*'
SELECTION_33:
ScriptBlockText: '*Gupt-Backdoor*'
SELECTION_34:
ScriptBlockText: '*Invoke-ADSBackdoor*'
SELECTION_35:
ScriptBlockText: '*Enabled-DuplicateToken*'
SELECTION_36:
ScriptBlockText: '*Invoke-PsUaCme*'
SELECTION_37:
ScriptBlockText: '*Remove-Update*'
SELECTION_38:
ScriptBlockText: '*Check-VM*'
SELECTION_39:
ScriptBlockText: '*Get-LSASecret*'
SELECTION_4:
ScriptBlockText: '*Get-GPPPassword*'
SELECTION_40:
ScriptBlockText: '*Get-PassHashes*'
SELECTION_41:
ScriptBlockText: '*Show-TargetScreen*'
SELECTION_42:
ScriptBlockText: '*Port-Scan*'
SELECTION_43:
ScriptBlockText: '*Invoke-PoshRatHttp*'
SELECTION_44:
ScriptBlockText: '*Invoke-PowerShellTCP*'
SELECTION_45:
ScriptBlockText: '*Invoke-PowerShellWMI*'
SELECTION_46:
ScriptBlockText: '*Add-Exfiltration*'
SELECTION_47:
ScriptBlockText: '*Add-Persistence*'
SELECTION_48:
ScriptBlockText: '*Do-Exfiltration*'
SELECTION_49:
ScriptBlockText: '*Start-CaptureServer*'
SELECTION_5:
ScriptBlockText: '*Get-Keystrokes*'
SELECTION_50:
ScriptBlockText: '*Get-ChromeDump*'
SELECTION_51:
ScriptBlockText: '*Get-ClipboardContents*'
SELECTION_52:
ScriptBlockText: '*Get-FoxDump*'
SELECTION_53:
ScriptBlockText: '*Get-IndexedItem*'
SELECTION_54:
ScriptBlockText: '*Get-Screenshot*'
SELECTION_55:
ScriptBlockText: '*Invoke-Inveigh*'
SELECTION_56:
ScriptBlockText: '*Invoke-NetRipper*'
SELECTION_57:
ScriptBlockText: '*Invoke-EgressCheck*'
SELECTION_58:
ScriptBlockText: '*Invoke-PostExfil*'
SELECTION_59:
ScriptBlockText: '*Invoke-PSInject*'
SELECTION_6:
ScriptBlockText: '*Get-TimedScreenshot*'
SELECTION_60:
ScriptBlockText: '*Invoke-RunAs*'
SELECTION_61:
ScriptBlockText: '*MailRaider*'
SELECTION_62:
ScriptBlockText: '*New-HoneyHash*'
SELECTION_63:
ScriptBlockText: '*Set-MacAttribute*'
SELECTION_64:
ScriptBlockText: '*Invoke-DCSync*'
SELECTION_65:
ScriptBlockText: '*Invoke-PowerDump*'
SELECTION_66:
ScriptBlockText: '*Exploit-Jboss*'
SELECTION_67:
ScriptBlockText: '*Invoke-ThunderStruck*'
SELECTION_68:
ScriptBlockText: '*Invoke-VoiceTroll*'
SELECTION_69:
ScriptBlockText: '*Set-Wallpaper*'
SELECTION_7:
ScriptBlockText: '*Get-VaultCredential*'
SELECTION_70:
ScriptBlockText: '*Invoke-InveighRelay*'
SELECTION_71:
ScriptBlockText: '*Invoke-PsExec*'
SELECTION_72:
ScriptBlockText: '*Invoke-SSHCommand*'
SELECTION_73:
ScriptBlockText: '*Get-SecurityPackages*'
SELECTION_74:
ScriptBlockText: '*Install-SSP*'
SELECTION_75:
ScriptBlockText: '*Invoke-BackdoorLNK*'
SELECTION_76:
ScriptBlockText: '*PowerBreach*'
SELECTION_77:
ScriptBlockText: '*Get-SiteListPassword*'
SELECTION_78:
ScriptBlockText: '*Get-System*'
SELECTION_79:
ScriptBlockText: '*Invoke-BypassUAC*'
SELECTION_8:
ScriptBlockText: '*Invoke-CredentialInjection*'
SELECTION_80:
ScriptBlockText: '*Invoke-Tater*'
SELECTION_81:
ScriptBlockText: '*Invoke-WScriptBypassUAC*'
SELECTION_82:
ScriptBlockText: '*PowerUp*'
SELECTION_83:
ScriptBlockText: '*PowerView*'
SELECTION_84:
ScriptBlockText: '*Get-RickAstley*'
SELECTION_85:
ScriptBlockText: '*Find-Fruit*'
SELECTION_86:
ScriptBlockText: '*HTTP-Login*'
SELECTION_87:
ScriptBlockText: '*Find-TrustedDocuments*'
SELECTION_88:
ScriptBlockText: '*Invoke-Paranoia*'
SELECTION_89:
ScriptBlockText: '*Invoke-WinEnum*'
SELECTION_9:
ScriptBlockText: '*Invoke-Mimikatz*'
SELECTION_90:
ScriptBlockText: '*Invoke-ARPScan*'
SELECTION_91:
ScriptBlockText: '*Invoke-PortScan*'
SELECTION_92:
ScriptBlockText: '*Invoke-ReverseDNSLookup*'
SELECTION_93:
ScriptBlockText: '*Invoke-SMBScanner*'
SELECTION_94:
ScriptBlockText: '*Invoke-Mimikittenz*'
SELECTION_95:
ScriptBlockText: '*Invoke-AllChecks*'
SELECTION_96:
ScriptBlockText: '*Get-SystemDriveInfo*'
condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3 or SELECTION_4 or SELECTION_5
or SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9 or SELECTION_10
or SELECTION_11 or SELECTION_12 or SELECTION_13 or SELECTION_14 or SELECTION_15
or SELECTION_16 or SELECTION_17 or SELECTION_18 or SELECTION_19 or SELECTION_20
or SELECTION_21 or SELECTION_22 or SELECTION_23 or SELECTION_24 or SELECTION_25
or SELECTION_26 or SELECTION_27 or SELECTION_28 or SELECTION_29 or SELECTION_30
or SELECTION_31 or SELECTION_32 or SELECTION_33 or SELECTION_34 or SELECTION_35
or SELECTION_36 or SELECTION_37 or SELECTION_38 or SELECTION_39 or SELECTION_40
or SELECTION_41 or SELECTION_42 or SELECTION_43 or SELECTION_44 or SELECTION_45
or SELECTION_46 or SELECTION_47 or SELECTION_48 or SELECTION_49 or SELECTION_50
or SELECTION_51 or SELECTION_52 or SELECTION_53 or SELECTION_54 or SELECTION_55
or SELECTION_56 or SELECTION_57 or SELECTION_58 or SELECTION_59 or SELECTION_60
or SELECTION_61 or SELECTION_62 or SELECTION_63 or SELECTION_64 or SELECTION_65
or SELECTION_66 or SELECTION_67 or SELECTION_68 or SELECTION_69 or SELECTION_70
or SELECTION_71 or SELECTION_72 or SELECTION_73 or SELECTION_74 or SELECTION_75
or SELECTION_76 or SELECTION_77 or SELECTION_78 or SELECTION_79 or SELECTION_80
or SELECTION_81 or SELECTION_82 or SELECTION_83 or SELECTION_84 or SELECTION_85
or SELECTION_86 or SELECTION_87 or SELECTION_88 or SELECTION_89 or SELECTION_90
or SELECTION_91 or SELECTION_92 or SELECTION_93 or SELECTION_94 or SELECTION_95)
and not (SELECTION_96))
falsepositives:
- Penetration testing
id: 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
level: high
logsource:
category: ps_script
definition: Script Block Logging must be enable
product: windows
modified: 2021/10/16
references:
- https://adsecurity.org/?p=2921
status: experimental
tags:
- attack.execution
- attack.t1059.001
- attack.t1086
yml_filename: powershell_malicious_commandlets.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_script
Reference in New Issue View Git Blame Copy Permalink