title: Bad Opsec Powershell Code Artifacts
author: ok @securonix invrep_de, oscd.community
date: 2020/10/09
description: Focuses on trivial artifacts observed in variants of prevalent offensive
  ps1 payloads, including Cobalt Strike Beacon, PoshC2, Powerview, Letmein, Empire,
  Powersploit, and other attack payloads that often undergo minimal changes by attackers
  due to bad opsec.
detection:
  SELECTION_1:
    Payload: '*$DoIt*'
  SELECTION_2:
    Payload: '*harmj0y*'
  SELECTION_3:
    Payload: '*mattifestation*'
  SELECTION_4:
    Payload: '*_RastaMouse*'
  SELECTION_5:
    Payload: '*tifkin_*'
  SELECTION_6:
    Payload: '*0xdeadbeef*'
  condition: (SELECTION_1 or SELECTION_2 or SELECTION_3 or SELECTION_4 or SELECTION_5
    or SELECTION_6)
falsepositives:
  - Moderate-to-low; Despite the shorter length/lower entropy for some of these, because
    of high specificity, fp appears to be fairly limited in many environments.
id: 8d31a8ce-46b5-4dd6-bdc3-680931f1db86
level: critical
logsource:
  category: ps_module
  definition: PowerShell Module Logging must be enabled
  product: windows
modified: 2021/10/16
references:
  - https://newtonpaul.com/analysing-fileless-malware-cobalt-strike-beacon/
  - https://labs.sentinelone.com/top-tier-russian-organized-cybercrime-group-unveils-fileless-stealthy-powertrick-backdoor-for-high-value-targets/
  - https://www.mdeditor.tw/pl/pgRt
related:
  - id: 73e733cc-1ace-3212-a107-ff2523cc9fc3
    type: derived
status: experimental
tags:
  - attack.execution
  - attack.t1059.001
  - attack.t1086
yml_filename: powershell_bad_opsec_artifacts.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_module
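As an added example (not part of this rule or of the Sigma project), the Python below evaluates the rule's six Payload selections and its OR condition over constructed PowerShell module-logging events, applying Sigma's string semantics (`*` matches any run of characters, `?` a single character, comparison is case-insensitive). The event shapes and payload strings are made up for illustration; the fourth event shows the kind of benign hex constant the rule's falsepositives note alludes to.

```python
import re

# Payload patterns copied from the rule's detection section above.
SELECTIONS = {
    "SELECTION_1": "*$DoIt*",
    "SELECTION_2": "*harmj0y*",
    "SELECTION_3": "*mattifestation*",
    "SELECTION_4": "*_RastaMouse*",
    "SELECTION_5": "*tifkin_*",
    "SELECTION_6": "*0xdeadbeef*",
}


def sigma_wildcard_to_regex(pattern: str) -> re.Pattern:
    """Translate a Sigma string pattern into a compiled regex.

    '*' becomes '.*', '?' becomes '.', every other character (including
    '$' in '$DoIt') is a literal. Sigma matching is case-insensitive, and
    DOTALL lets '*' span the newlines found in multi-line script blocks.
    """
    parts = []
    for ch in pattern:
        parts.append(".*" if ch == "*" else "." if ch == "?" else re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE | re.DOTALL)


MATCHERS = {name: sigma_wildcard_to_regex(p) for name, p in SELECTIONS.items()}


def evaluate(event: dict) -> list:
    """Names of the selections whose Payload pattern matches this event."""
    payload = event.get("Payload", "")
    return [name for name, rx in MATCHERS.items() if rx.search(payload)]


def rule_fires(event: dict) -> bool:
    """The rule's condition is a plain OR: any matching selection is a hit."""
    return bool(evaluate(event))


# Constructed sample events shaped like module-logging (4103) records; not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 4103, "Payload": "CommandInvocation(Invoke-Expression): $DoIt = ..."},
    {"EventID": 4103, "Payload": "# Author: @HARMJ0Y\nfunction Get-DomainUser {"},
    {"EventID": 4103, "Payload": "Get-ChildItem -Path C:\\Users\\alice\\Documents"},
    {"EventID": 4103, "Payload": "Write-Output 'magic header is 0xDEADBEEF'"},
]


def triage(events) -> list:
    """(payload prefix, matched selections) for each event, for analyst review."""
    return [(e.get("Payload", "")[:24], evaluate(e)) for e in events]
```

Running `triage(SAMPLE_EVENTS)` flags events 1, 2 and 4; the fourth is a benign hex constant matched case-insensitively, which is why the rule ships as `experimental` despite its `critical` level.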