2021-08-16 09:10:05 +02:00
|
|
|
title: Malicious ShellIntel PowerShell Commandlets
|
|
|
|
|
id: 402e1e1d-ad59-47b6-bf80-1ee44985b3a7
|
|
|
|
|
status: experimental
|
|
|
|
|
description: Detects Commandlet names from ShellIntel exploitation scripts.
|
|
|
|
|
date: 2021/08/09
|
2021-08-21 09:33:52 +02:00
|
|
|
modified: 2021/08/21
|
2021-08-16 09:10:05 +02:00
|
|
|
references:
|
|
|
|
|
- https://github.com/Shellntel/scripts/
|
|
|
|
|
tags:
|
|
|
|
|
- attack.execution
|
|
|
|
|
- attack.t1059.001
|
|
|
|
|
author: Max Altgelt, Tobias Michalski
|
|
|
|
|
logsource:
|
|
|
|
|
product: windows
|
|
|
|
|
service: powershell
|
2021-08-21 09:33:52 +02:00
|
|
|
definition: Script Block Logging must be enable
|
2021-08-16 09:10:05 +02:00
|
|
|
detection:
|
|
|
|
|
selection:
|
|
|
|
|
EventID: 4104
|
2021-08-21 09:33:52 +02:00
|
|
|
ScriptBlockText|contains:
|
2021-08-16 09:10:05 +02:00
|
|
|
- Invoke-SMBAutoBrute
|
|
|
|
|
- Invoke-GPOLinks
|
|
|
|
|
- Out-Minidump
|
|
|
|
|
- Invoke-Potato
|
|
|
|
|
condition: selection
|
|
|
|
|
falsepositives:
|
|
|
|
|
- Unknown
|
|
|
|
|
level: high
|
