33 lines
998 B
YAML
33 lines
998 B
YAML
title: Malicious ShellIntel PowerShell Commandlets
|
|
author: Max Altgelt, Tobias Michalski
|
|
date: 2021/08/09
|
|
description: Detects Commandlet names from ShellIntel exploitation scripts.
|
|
detection:
|
|
SELECTION_1:
|
|
ScriptBlockText: '*Invoke-SMBAutoBrute*'
|
|
SELECTION_2:
|
|
ScriptBlockText: '*Invoke-GPOLinks*'
|
|
SELECTION_3:
|
|
ScriptBlockText: '*Out-Minidump*'
|
|
SELECTION_4:
|
|
ScriptBlockText: '*Invoke-Potato*'
|
|
condition: (SELECTION_1 or SELECTION_2 or SELECTION_3 or SELECTION_4)
|
|
falsepositives:
|
|
- Unknown
|
|
id: 402e1e1d-ad59-47b6-bf80-1ee44985b3a7
|
|
level: high
|
|
logsource:
|
|
category: ps_script
|
|
definition: Script Block Logging must be enable
|
|
product: windows
|
|
modified: 2021/10/16
|
|
references:
|
|
- https://github.com/Shellntel/scripts/
|
|
status: experimental
|
|
tags:
|
|
- attack.execution
|
|
- attack.t1059.001
|
|
yml_filename: powershell_shellintel_malicious_commandlets.yml
|
|
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_script
|
|
|