# Sigma rule (Hayabusa build) — file-creation detection for known offensive PowerShell scripts.
# Logic: Sysmon event 11 (FileCreate) AND the created file's name is one of the listed
# script names, in any directory (the leading '*\' wildcard covers the path).
# The match is on the file name only; a renamed copy is not covered, so pair this with
# script-block-logging / content-based rules rather than relying on it alone.
title: Malicious PowerShell Commandlet Names
id: f331aa1f-8c53-4fc3-b083-cc159bc971cb
status: experimental
description: Detects the creation of known powershell scripts for exploitation
references:
  - https://raw.githubusercontent.com/Neo23x0/sigma/f35c50049fa896dff91ff545cb199319172701e8/rules/windows/powershell/powershell_malicious_commandlets.yml
author: Markus Neis
date: 2018/04/07
tags:
  - attack.execution
  # attack.t1086 is the pre-v7 ATT&CK id for PowerShell; attack.t1059.001 is its current id.
  - attack.t1086
  - attack.t1059.001
logsource:
  category: file_event
  product: windows
detection:
  # Sysmon EventID 11 = FileCreate; every other selection is a single script name.
  SELECTION_1:
    EventID: 11
  SELECTION_2:
    TargetFilename: '*\Invoke-DllInjection.ps1'
  SELECTION_3:
    TargetFilename: '*\Invoke-WmiCommand.ps1'
  SELECTION_4:
    TargetFilename: '*\Get-GPPPassword.ps1'
  SELECTION_5:
    TargetFilename: '*\Get-Keystrokes.ps1'
  SELECTION_6:
    TargetFilename: '*\Get-VaultCredential.ps1'
  SELECTION_7:
    TargetFilename: '*\Invoke-CredentialInjection.ps1'
  SELECTION_8:
    TargetFilename: '*\Invoke-Mimikatz.ps1'
  SELECTION_9:
    TargetFilename: '*\Invoke-NinjaCopy.ps1'
  SELECTION_10:
    TargetFilename: '*\Invoke-TokenManipulation.ps1'
  SELECTION_11:
    TargetFilename: '*\Out-Minidump.ps1'
  SELECTION_12:
    TargetFilename: '*\VolumeShadowCopyTools.ps1'
  SELECTION_13:
    TargetFilename: '*\Invoke-ReflectivePEInjection.ps1'
  SELECTION_14:
    TargetFilename: '*\Get-TimedScreenshot.ps1'
  SELECTION_15:
    TargetFilename: '*\Invoke-UserHunter.ps1'
  SELECTION_16:
    TargetFilename: '*\Find-GPOLocation.ps1'
  SELECTION_17:
    TargetFilename: '*\Invoke-ACLScanner.ps1'
  SELECTION_18:
    TargetFilename: '*\Invoke-DowngradeAccount.ps1'
  SELECTION_19:
    TargetFilename: '*\Get-ServiceUnquoted.ps1'
  SELECTION_20:
    TargetFilename: '*\Get-ServiceFilePermission.ps1'
  SELECTION_21:
    TargetFilename: '*\Get-ServicePermission.ps1'
  SELECTION_22:
    TargetFilename: '*\Invoke-ServiceAbuse.ps1'
  SELECTION_23:
    TargetFilename: '*\Install-ServiceBinary.ps1'
  SELECTION_24:
    TargetFilename: '*\Get-RegAutoLogon.ps1'
  SELECTION_25:
    TargetFilename: '*\Get-VulnAutoRun.ps1'
  SELECTION_26:
    TargetFilename: '*\Get-VulnSchTask.ps1'
  SELECTION_27:
    TargetFilename: '*\Get-UnattendedInstallFile.ps1'
  SELECTION_28:
    TargetFilename: '*\Get-WebConfig.ps1'
  SELECTION_29:
    TargetFilename: '*\Get-ApplicationHost.ps1'
  SELECTION_30:
    TargetFilename: '*\Get-RegAlwaysInstallElevated.ps1'
  SELECTION_31:
    TargetFilename: '*\Get-Unconstrained.ps1'
  SELECTION_32:
    TargetFilename: '*\Add-RegBackdoor.ps1'
  SELECTION_33:
    TargetFilename: '*\Add-ScrnSaveBackdoor.ps1'
  SELECTION_34:
    TargetFilename: '*\Gupt-Backdoor.ps1'
  SELECTION_35:
    TargetFilename: '*\Invoke-ADSBackdoor.ps1'
  SELECTION_36:
    TargetFilename: '*\Enabled-DuplicateToken.ps1'
  SELECTION_37:
    TargetFilename: '*\Invoke-PsUaCme.ps1'
  SELECTION_38:
    TargetFilename: '*\Remove-Update.ps1'
  # Generic names such as Check-VM, Port-Scan, Get-Screenshot, Set-Wallpaper and Get-System
  # may also match benign admin scripts; tune with environment-specific filters if they fire.
  SELECTION_39:
    TargetFilename: '*\Check-VM.ps1'
  SELECTION_40:
    TargetFilename: '*\Get-LSASecret.ps1'
  SELECTION_41:
    TargetFilename: '*\Get-PassHashes.ps1'
  SELECTION_42:
    TargetFilename: '*\Show-TargetScreen.ps1'
  SELECTION_43:
    TargetFilename: '*\Port-Scan.ps1'
  SELECTION_44:
    TargetFilename: '*\Invoke-PoshRatHttp.ps1'
  SELECTION_45:
    TargetFilename: '*\Invoke-PowerShellTCP.ps1'
  SELECTION_46:
    TargetFilename: '*\Invoke-PowerShellWMI.ps1'
  SELECTION_47:
    TargetFilename: '*\Add-Exfiltration.ps1'
  SELECTION_48:
    TargetFilename: '*\Add-Persistence.ps1'
  SELECTION_49:
    TargetFilename: '*\Do-Exfiltration.ps1'
  SELECTION_50:
    TargetFilename: '*\Start-CaptureServer.ps1'
  SELECTION_51:
    TargetFilename: '*\Invoke-ShellCode.ps1'
  SELECTION_52:
    TargetFilename: '*\Get-ChromeDump.ps1'
  SELECTION_53:
    TargetFilename: '*\Get-ClipboardContents.ps1'
  SELECTION_54:
    TargetFilename: '*\Get-FoxDump.ps1'
  SELECTION_55:
    TargetFilename: '*\Get-IndexedItem.ps1'
  SELECTION_56:
    TargetFilename: '*\Get-Screenshot.ps1'
  SELECTION_57:
    TargetFilename: '*\Invoke-Inveigh.ps1'
  SELECTION_58:
    TargetFilename: '*\Invoke-NetRipper.ps1'
  SELECTION_59:
    TargetFilename: '*\Invoke-EgressCheck.ps1'
  SELECTION_60:
    TargetFilename: '*\Invoke-PostExfil.ps1'
  SELECTION_61:
    TargetFilename: '*\Invoke-PSInject.ps1'
  SELECTION_62:
    TargetFilename: '*\Invoke-RunAs.ps1'
  SELECTION_63:
    TargetFilename: '*\MailRaider.ps1'
  SELECTION_64:
    TargetFilename: '*\New-HoneyHash.ps1'
  SELECTION_65:
    TargetFilename: '*\Set-MacAttribute.ps1'
  SELECTION_66:
    TargetFilename: '*\Invoke-DCSync.ps1'
  SELECTION_67:
    TargetFilename: '*\Invoke-PowerDump.ps1'
  SELECTION_68:
    TargetFilename: '*\Exploit-Jboss.ps1'
  SELECTION_69:
    TargetFilename: '*\Invoke-ThunderStruck.ps1'
  SELECTION_70:
    TargetFilename: '*\Invoke-VoiceTroll.ps1'
  SELECTION_71:
    TargetFilename: '*\Set-Wallpaper.ps1'
  SELECTION_72:
    TargetFilename: '*\Invoke-InveighRelay.ps1'
  SELECTION_73:
    TargetFilename: '*\Invoke-PsExec.ps1'
  SELECTION_74:
    TargetFilename: '*\Invoke-SSHCommand.ps1'
  SELECTION_75:
    TargetFilename: '*\Get-SecurityPackages.ps1'
  SELECTION_76:
    TargetFilename: '*\Install-SSP.ps1'
  SELECTION_77:
    TargetFilename: '*\Invoke-BackdoorLNK.ps1'
  SELECTION_78:
    TargetFilename: '*\PowerBreach.ps1'
  SELECTION_79:
    TargetFilename: '*\Get-SiteListPassword.ps1'
  SELECTION_80:
    TargetFilename: '*\Get-System.ps1'
  SELECTION_81:
    TargetFilename: '*\Invoke-BypassUAC.ps1'
  SELECTION_82:
    TargetFilename: '*\Invoke-Tater.ps1'
  SELECTION_83:
    TargetFilename: '*\Invoke-WScriptBypassUAC.ps1'
  SELECTION_84:
    TargetFilename: '*\PowerUp.ps1'
  SELECTION_85:
    TargetFilename: '*\PowerView.ps1'
  SELECTION_86:
    TargetFilename: '*\Get-RickAstley.ps1'
  SELECTION_87:
    TargetFilename: '*\Find-Fruit.ps1'
  SELECTION_88:
    TargetFilename: '*\HTTP-Login.ps1'
  SELECTION_89:
    TargetFilename: '*\Find-TrustedDocuments.ps1'
  SELECTION_90:
    TargetFilename: '*\Invoke-Paranoia.ps1'
  SELECTION_91:
    TargetFilename: '*\Invoke-WinEnum.ps1'
  SELECTION_92:
    TargetFilename: '*\Invoke-ARPScan.ps1'
  SELECTION_93:
    TargetFilename: '*\Invoke-PortScan.ps1'
  SELECTION_94:
    TargetFilename: '*\Invoke-ReverseDNSLookup.ps1'
  SELECTION_95:
    TargetFilename: '*\Invoke-SMBScanner.ps1'
  SELECTION_96:
    TargetFilename: '*\Invoke-Mimikittenz.ps1'
  # Folded block scalar: the line breaks below join into one expression string.
  # SELECTION_1 (the event id) must hold, plus at least one file-name selection.
  condition: >-
    (SELECTION_1 and (SELECTION_2 or SELECTION_3 or SELECTION_4 or SELECTION_5
    or SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9 or SELECTION_10
    or SELECTION_11 or SELECTION_12 or SELECTION_13 or SELECTION_14 or SELECTION_15
    or SELECTION_16 or SELECTION_17 or SELECTION_18 or SELECTION_19 or SELECTION_20
    or SELECTION_21 or SELECTION_22 or SELECTION_23 or SELECTION_24 or SELECTION_25
    or SELECTION_26 or SELECTION_27 or SELECTION_28 or SELECTION_29 or SELECTION_30
    or SELECTION_31 or SELECTION_32 or SELECTION_33 or SELECTION_34 or SELECTION_35
    or SELECTION_36 or SELECTION_37 or SELECTION_38 or SELECTION_39 or SELECTION_40
    or SELECTION_41 or SELECTION_42 or SELECTION_43 or SELECTION_44 or SELECTION_45
    or SELECTION_46 or SELECTION_47 or SELECTION_48 or SELECTION_49 or SELECTION_50
    or SELECTION_51 or SELECTION_52 or SELECTION_53 or SELECTION_54 or SELECTION_55
    or SELECTION_56 or SELECTION_57 or SELECTION_58 or SELECTION_59 or SELECTION_60
    or SELECTION_61 or SELECTION_62 or SELECTION_63 or SELECTION_64 or SELECTION_65
    or SELECTION_66 or SELECTION_67 or SELECTION_68 or SELECTION_69 or SELECTION_70
    or SELECTION_71 or SELECTION_72 or SELECTION_73 or SELECTION_74 or SELECTION_75
    or SELECTION_76 or SELECTION_77 or SELECTION_78 or SELECTION_79 or SELECTION_80
    or SELECTION_81 or SELECTION_82 or SELECTION_83 or SELECTION_84 or SELECTION_85
    or SELECTION_86 or SELECTION_87 or SELECTION_88 or SELECTION_89 or SELECTION_90
    or SELECTION_91 or SELECTION_92 or SELECTION_93 or SELECTION_94 or SELECTION_95
    or SELECTION_96))
# Only authorised testing is listed; see the note above on generic script names.
falsepositives:
  - Penetration Tests
level: high
# Hayabusa build metadata. yml_path is an absolute path from the converting machine,
# not a path that exists on the analysis host.
yml_filename: sysmon_powershell_exploit_scripts.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/file_event