security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
4f6d433c2d69e233bbd198cfcbc7fb3dfc5e3374
blue-team-tools/rules/windows/powershell/powershell_script/powershell_suspicious_keywords.yml
T

39 lines
1.4 KiB
YAML
Raw Normal View History

Rule: Suspicious PowerShell keywords
2019-02-11 13:02:33 +01:00
title: Suspicious PowerShell Keywords
Added UUIDs to rules
2019-11-12 23:12:27 +01:00
id: 1f49f2ab-26bc-48b3-96cc-dcffbc93eadf
Rule: Suspicious PowerShell keywords
2019-02-11 13:02:33 +01:00
status: experimental
description: Detects keywords that could indicate the use of some PowerShell exploitation framework
date: 2019/02/11
change to category: ps_script
2021-10-16 08:18:49 +02:00
modified: 2021/10/16
adding some more suspicious PS keywords
2019-10-28 22:14:14 -07:00
author: Florian Roth, Perez Diego (@darkquassar)
Rule: Suspicious PowerShell keywords
2019-02-11 13:02:33 +01:00
references:
- https://posts.specterops.io/entering-a-covenant-net-command-and-control-e11038bcf462
adding some more suspicious PS keywords
2019-10-28 22:14:14 -07:00
- https://github.com/PowerShellMafia/PowerSploit/blob/master/CodeExecution/Invoke-ReflectivePEInjection.ps1
- https://github.com/hlldz/Invoke-Phant0m/blob/master/Invoke-Phant0m.ps1
more PowerShell suspicious keywords
2021-06-10 09:41:55 +02:00
- https://gist.github.com/MHaggis/0dbe00ad401daa7137c81c99c268cfb7
Rule: Suspicious PowerShell keywords
2019-02-11 13:02:33 +01:00
tags:
- attack.execution
Initial round of subtechnique updates
2020-06-16 14:46:08 -06:00
- attack.t1059.001
windows/powershell folder reviewed. Old ID’s marked with comment “an old one”. These ID’s have to be removed in future.
2020-08-24 00:01:50 +00:00
- attack.t1086 #an old one
Rule: Suspicious PowerShell keywords
2019-02-11 13:02:33 +01:00
logsource:
product: windows
change to category: ps_script
2021-10-16 08:18:49 +02:00
category: ps_script
Fix some errors
2021-08-30 19:49:44 +02:00
definition: Script block logging must be enabled for 4104
Rule: Suspicious PowerShell keywords
2019-02-11 13:02:33 +01:00
detection:
Fix some errors
2021-08-30 19:49:44 +02:00
framework:
ScriptBlockText|contains:
Change double quote to quote
2022-01-06 14:02:35 +01:00
- 'System.Reflection.Assembly.Load($'
- '[System.Reflection.Assembly]::Load($'
- '[Reflection.Assembly]::Load($'
- 'System.Reflection.AssemblyName'
- 'Reflection.Emit.AssemblyBuilderAccess'
- 'Runtime.InteropServices.DllImportAttribute'
- 'SuspendThread'
- 'rundll32'
# - 'FromBase64'
- 'Invoke-WMIMethod'
- 'http://127.0.0.1'
Fix some errors
2021-08-30 19:49:44 +02:00
condition: framework
Rule: Suspicious PowerShell keywords
2019-02-11 13:02:33 +01:00
falsepositives:
- Penetration tests
level: high
Reference in New Issue Copy Permalink