CSEC_PUBLIC/hayabusa
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
Files
f71d5848fee4ffb52c83f10fbf204b3aa5e2bb1b
hayabusa/rules/Sigma/powershell_malicious_keywords.yml
Tanaka Zakku 50aebce32e Added Sigma Rules
2021-11-14 11:00:56 +09:00

70 lines
2.4 KiB
YAML
Raw Blame History

title: Malicious PowerShell Keywords
author: Sean Metcalf (source), Florian Roth (rule)
date: 2017/03/05
description: Detects keywords from well-known PowerShell exploitation frameworks
detection:
SELECTION_1:
ScriptBlockText: '*AdjustTokenPrivileges*'
SELECTION_10:
ScriptBlockText: '*TOKEN_ADJUST_PRIVILEGES*'
SELECTION_11:
ScriptBlockText: '*TOKEN_ALL_ACCESS*'
SELECTION_12:
ScriptBlockText: '*TOKEN_ASSIGN_PRIMARY*'
SELECTION_13:
ScriptBlockText: '*TOKEN_DUPLICATE*'
SELECTION_14:
ScriptBlockText: '*TOKEN_ELEVATION*'
SELECTION_15:
ScriptBlockText: '*TOKEN_IMPERSONATE*'
SELECTION_16:
ScriptBlockText: '*TOKEN_INFORMATION_CLASS*'
SELECTION_17:
ScriptBlockText: '*TOKEN_PRIVILEGES*'
SELECTION_18:
ScriptBlockText: '*TOKEN_QUERY*'
SELECTION_19:
ScriptBlockText: '*Metasploit*'
SELECTION_2:
ScriptBlockText: '*IMAGE_NT_OPTIONAL_HDR64_MAGIC*'
SELECTION_20:
ScriptBlockText: '*Mimikatz*'
SELECTION_3:
ScriptBlockText: '*Microsoft.Win32.UnsafeNativeMethods*'
SELECTION_4:
ScriptBlockText: '*ReadProcessMemory.Invoke*'
SELECTION_5:
ScriptBlockText: '*SE_PRIVILEGE_ENABLED*'
SELECTION_6:
ScriptBlockText: '*LSA_UNICODE_STRING*'
SELECTION_7:
ScriptBlockText: '*MiniDumpWriteDump*'
SELECTION_8:
ScriptBlockText: '*PAGE_EXECUTE_READ*'
SELECTION_9:
ScriptBlockText: '*SECURITY_DELEGATION*'
condition: (SELECTION_1 or SELECTION_2 or SELECTION_3 or SELECTION_4 or SELECTION_5
or SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9 or SELECTION_10
or SELECTION_11 or SELECTION_12 or SELECTION_13 or SELECTION_14 or SELECTION_15
or SELECTION_16 or SELECTION_17 or SELECTION_18 or SELECTION_19 or SELECTION_20)
falsepositives:
- Penetration tests
id: f62176f3-8128-4faa-bf6c-83261322e5eb
level: high
logsource:
category: ps_script
definition: It is recommended to use the new "Script Block Logging" of PowerShell
v5 https://adsecurity.org/?p=2277
product: windows
modified: 2021/10/16
references:
- https://adsecurity.org/?p=2921
status: experimental
tags:
- attack.execution
- attack.t1059.001
- attack.t1086
yml_filename: powershell_malicious_keywords.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_script
Reference in New Issue View Git Blame Copy Permalink