2023-01-02 14:49:45 +01:00
|
|
|
title: Malicious PowerShell Commandlets - ScriptBlock
|
2019-11-12 23:12:27 +01:00
|
|
|
id: 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
|
2022-12-27 21:05:16 +01:00
|
|
|
related:
|
2023-01-20 17:07:23 +01:00
|
|
|
- id: 7d0d0329-0ef1-4e84-a9f5-49500f9d7c6c
|
2022-12-27 21:05:16 +01:00
|
|
|
type: similar
|
2023-01-17 01:00:44 +01:00
|
|
|
- id: 02030f2f-6199-49ec-b258-ea71b07e03dc
|
|
|
|
|
type: similar
|
2023-01-02 14:49:45 +01:00
|
|
|
- id: 6d3f1399-a81c-4409-aff3-1ecfe9330baf
|
2024-08-12 12:02:50 +02:00
|
|
|
type: obsolete
|
2023-01-02 14:49:45 +01:00
|
|
|
- id: 83083ac6-1816-4e76-97d7-59af9a9ae46e
|
2024-08-12 12:02:50 +02:00
|
|
|
type: obsolete
|
2022-12-27 21:05:16 +01:00
|
|
|
status: test
|
2017-03-05 01:47:25 +01:00
|
|
|
description: Detects Commandlet names from well-known PowerShell exploitation frameworks
|
2018-01-28 02:24:16 +03:00
|
|
|
references:
|
|
|
|
|
- https://adsecurity.org/?p=2921
|
2022-05-24 22:02:08 +01:00
|
|
|
- https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries
|
2022-07-11 14:11:53 +01:00
|
|
|
- https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1
|
|
|
|
|
- https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1
|
2022-10-25 01:14:27 +02:00
|
|
|
- https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1
|
2022-10-29 10:36:40 +03:00
|
|
|
- https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1
|
2022-12-05 10:39:58 +01:00
|
|
|
- https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/ # Invoke-TotalExec
|
|
|
|
|
- https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/ # Invoke-TotalExec
|
2023-01-02 14:49:45 +01:00
|
|
|
- https://github.com/calebstewart/CVE-2021-1675 # Invoke-Nightmare
|
|
|
|
|
- https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1
|
|
|
|
|
- https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html
|
2023-01-06 16:35:34 +01:00
|
|
|
- https://github.com/HarmJ0y/DAMP
|
2023-01-10 00:13:37 +01:00
|
|
|
- https://github.com/samratashok/nishang
|
2023-01-17 01:00:44 +01:00
|
|
|
- https://github.com/DarkCoderSc/PowerRunAsSystem/
|
2023-01-20 17:07:23 +01:00
|
|
|
- https://github.com/besimorhino/powercat
|
2023-04-17 12:08:30 +02:00
|
|
|
- https://github.com/Kevin-Robertson/Powermad
|
|
|
|
|
- https://github.com/adrecon/ADRecon
|
|
|
|
|
- https://github.com/adrecon/AzureADRecon
|
2023-01-09 09:47:26 +01:00
|
|
|
author: Sean Metcalf, Florian Roth, Bartlomiej Czyz @bczyz1, oscd.community, Nasreddine Bencherchali, Tim Shelton, Mustafa Kaan Demir, Georg Lauenstein, Max Altgelt, Tobias Michalski, Austin Songer
|
2024-08-12 12:02:50 +02:00
|
|
|
date: 2017-03-05
|
|
|
|
|
modified: 2024-01-25
|
2022-10-26 09:43:39 +02:00
|
|
|
tags:
|
|
|
|
|
- attack.execution
|
2023-01-02 14:49:45 +01:00
|
|
|
- attack.discovery
|
|
|
|
|
- attack.t1482
|
|
|
|
|
- attack.t1087
|
|
|
|
|
- attack.t1087.001
|
|
|
|
|
- attack.t1087.002
|
|
|
|
|
- attack.t1069.001
|
|
|
|
|
- attack.t1069.002
|
|
|
|
|
- attack.t1069
|
2022-10-26 09:43:39 +02:00
|
|
|
- attack.t1059.001
|
2017-03-05 01:47:25 +01:00
|
|
|
logsource:
|
2017-03-21 10:22:13 +01:00
|
|
|
product: windows
|
2021-10-16 08:18:49 +02:00
|
|
|
category: ps_script
|
2023-01-04 17:49:32 +01:00
|
|
|
definition: 'Requirements: Script Block Logging must be enabled'
|
2017-03-05 01:47:25 +01:00
|
|
|
detection:
|
2023-01-02 14:49:45 +01:00
|
|
|
selection:
|
2020-10-11 19:11:54 +02:00
|
|
|
ScriptBlockText|contains:
|
2023-04-21 11:14:55 +02:00
|
|
|
# Note: Please ensure alphabetical order when adding new entries
|
2023-01-02 14:49:45 +01:00
|
|
|
- 'Add-Exfiltration'
|
|
|
|
|
- 'Add-Persistence'
|
2022-01-06 14:02:35 +01:00
|
|
|
- 'Add-RegBackdoor'
|
2023-01-04 17:49:32 +01:00
|
|
|
- 'Add-RemoteRegBackdoor'
|
2022-01-06 14:02:35 +01:00
|
|
|
- 'Add-ScrnSaveBackdoor'
|
2023-01-06 16:35:34 +01:00
|
|
|
- 'ConvertTo-Rc4ByteStream'
|
|
|
|
|
- 'Decrypt-Hash'
|
2023-04-21 11:14:55 +02:00
|
|
|
- 'Disable-ADIDNSNode'
|
2022-01-06 14:02:35 +01:00
|
|
|
- 'Do-Exfiltration'
|
2023-04-21 11:14:55 +02:00
|
|
|
- 'Enable-ADIDNSNode'
|
2023-01-02 14:49:45 +01:00
|
|
|
- 'Enabled-DuplicateToken'
|
|
|
|
|
- 'Exploit-Jboss'
|
2023-04-21 11:14:55 +02:00
|
|
|
- 'Export-ADRCSV'
|
|
|
|
|
- 'Export-ADRExcel'
|
|
|
|
|
- 'Export-ADRHTML'
|
|
|
|
|
- 'Export-ADRJSON'
|
|
|
|
|
- 'Export-ADRXML'
|
2023-01-02 14:49:45 +01:00
|
|
|
- 'Find-Fruit'
|
|
|
|
|
- 'Find-GPOLocation'
|
|
|
|
|
- 'Find-TrustedDocuments'
|
2023-12-21 21:04:18 +01:00
|
|
|
- 'Get-ADIDNSNodeAttribute'
|
|
|
|
|
- 'Get-ADIDNSNodeOwner'
|
|
|
|
|
- 'Get-ADIDNSNodeTombstoned'
|
|
|
|
|
- 'Get-ADIDNSPermission'
|
|
|
|
|
- 'Get-ADIDNSZone'
|
2022-01-06 14:02:35 +01:00
|
|
|
- 'Get-ChromeDump'
|
|
|
|
|
- 'Get-ClipboardContents'
|
|
|
|
|
- 'Get-FoxDump'
|
2023-01-02 14:49:45 +01:00
|
|
|
- 'Get-GPPPassword'
|
2022-01-06 14:02:35 +01:00
|
|
|
- 'Get-IndexedItem'
|
2023-04-21 11:14:55 +02:00
|
|
|
- 'Get-KerberosAESKey'
|
2023-01-02 14:49:45 +01:00
|
|
|
- 'Get-Keystrokes'
|
|
|
|
|
- 'Get-LSASecret'
|
|
|
|
|
- 'Get-PassHashes'
|
|
|
|
|
- 'Get-RegAlwaysInstallElevated'
|
|
|
|
|
- 'Get-RegAutoLogon'
|
2023-01-06 16:35:34 +01:00
|
|
|
- 'Get-RemoteBootKey'
|
2023-01-04 17:49:32 +01:00
|
|
|
- 'Get-RemoteCachedCredential'
|
|
|
|
|
- 'Get-RemoteLocalAccountHash'
|
2023-01-06 16:35:34 +01:00
|
|
|
- 'Get-RemoteLSAKey'
|
2023-01-04 17:49:32 +01:00
|
|
|
- 'Get-RemoteMachineAccountHash'
|
2023-01-06 16:35:34 +01:00
|
|
|
- 'Get-RemoteNLKMKey'
|
2023-01-02 14:49:45 +01:00
|
|
|
- 'Get-RickAstley'
|
2022-01-06 14:02:35 +01:00
|
|
|
- 'Get-SecurityPackages'
|
2023-01-02 14:49:45 +01:00
|
|
|
- 'Get-ServiceFilePermission'
|
|
|
|
|
- 'Get-ServicePermission'
|
|
|
|
|
- 'Get-ServiceUnquoted'
|
2022-01-06 14:02:35 +01:00
|
|
|
- 'Get-SiteListPassword'
|
|
|
|
|
- 'Get-System'
|
2023-01-02 14:49:45 +01:00
|
|
|
- 'Get-TimedScreenshot'
|
|
|
|
|
- 'Get-UnattendedInstallFile'
|
|
|
|
|
- 'Get-Unconstrained'
|
|
|
|
|
- 'Get-USBKeystrokes'
|
|
|
|
|
- 'Get-VaultCredential'
|
|
|
|
|
- 'Get-VulnAutoRun'
|
|
|
|
|
- 'Get-VulnSchTask'
|
2023-04-21 11:14:55 +02:00
|
|
|
- 'Grant-ADIDNSPermission'
|
2023-01-02 14:49:45 +01:00
|
|
|
- 'Gupt-Backdoor'
|
|
|
|
|
- 'Invoke-ACLScanner'
|
2023-04-21 11:14:55 +02:00
|
|
|
- 'Invoke-ADRecon'
|
2023-01-02 14:49:45 +01:00
|
|
|
- 'Invoke-ADSBackdoor'
|
2023-04-21 11:14:55 +02:00
|
|
|
- 'Invoke-AgentSmith'
|
2022-01-06 14:02:35 +01:00
|
|
|
- 'Invoke-AllChecks'
|
2023-01-02 14:49:45 +01:00
|
|
|
- 'Invoke-ARPScan'
|
|
|
|
|
- 'Invoke-AzureHound'
|
|
|
|
|
- 'Invoke-BackdoorLNK'
|
2022-05-24 22:02:08 +01:00
|
|
|
- 'Invoke-BadPotato'
|
|
|
|
|
- 'Invoke-BetterSafetyKatz'
|
2023-01-02 14:49:45 +01:00
|
|
|
- 'Invoke-BypassUAC'
|
2022-05-24 22:02:08 +01:00
|
|
|
- 'Invoke-Carbuncle'
|
|
|
|
|
- 'Invoke-Certify'
|
2023-01-02 14:49:45 +01:00
|
|
|
- 'Invoke-ConPtyShell'
|
|
|
|
|
- 'Invoke-CredentialInjection'
|
2022-05-24 22:02:08 +01:00
|
|
|
- 'Invoke-DAFT'
|
2023-01-02 14:49:45 +01:00
|
|
|
- 'Invoke-DCSync'
|
2022-05-24 22:02:08 +01:00
|
|
|
- 'Invoke-DinvokeKatz'
|
2023-01-02 14:49:45 +01:00
|
|
|
- 'Invoke-DllInjection'
|
2023-04-21 11:14:55 +02:00
|
|
|
- 'Invoke-DNSUpdate'
|
2023-01-02 14:49:45 +01:00
|
|
|
- 'Invoke-DomainPasswordSpray'
|
|
|
|
|
- 'Invoke-DowngradeAccount'
|
|
|
|
|
- 'Invoke-EgressCheck'
|
2022-05-24 22:02:08 +01:00
|
|
|
- 'Invoke-Eyewitness'
|
|
|
|
|
- 'Invoke-FakeLogonScreen'
|
|
|
|
|
- 'Invoke-Farmer'
|
|
|
|
|
- 'Invoke-Get-RBCD-Threaded'
|
|
|
|
|
- 'Invoke-Gopher'
|
2023-01-10 00:13:37 +01:00
|
|
|
- 'Invoke-Grouper' # Also Covers Invoke-GrouperX
|
2022-05-24 22:02:08 +01:00
|
|
|
- 'Invoke-HandleKatz'
|
2023-01-17 01:00:44 +01:00
|
|
|
- 'Invoke-ImpersonatedProcess'
|
|
|
|
|
- 'Invoke-ImpersonateSystem'
|
|
|
|
|
- 'Invoke-InteractiveSystemPowerShell'
|
2022-05-24 22:02:08 +01:00
|
|
|
- 'Invoke-Internalmonologue'
|
2023-01-02 14:49:45 +01:00
|
|
|
- 'Invoke-Inveigh'
|
|
|
|
|
- 'Invoke-InveighRelay'
|
2022-12-05 10:39:58 +01:00
|
|
|
- 'Invoke-KrbRelay'
|
2022-05-24 22:02:08 +01:00
|
|
|
- 'Invoke-LdapSignCheck'
|
|
|
|
|
- 'Invoke-Lockless'
|
2022-12-05 10:39:58 +01:00
|
|
|
- 'Invoke-MalSCCM'
|
2023-01-02 14:49:45 +01:00
|
|
|
- 'Invoke-Mimikatz'
|
|
|
|
|
- 'Invoke-Mimikittenz'
|
|
|
|
|
- 'Invoke-MITM6'
|
2022-05-24 22:02:08 +01:00
|
|
|
- 'Invoke-NanoDump'
|
2023-01-02 14:49:45 +01:00
|
|
|
- 'Invoke-NetRipper'
|
|
|
|
|
- 'Invoke-Nightmare'
|
|
|
|
|
- 'Invoke-NinjaCopy'
|
|
|
|
|
- 'Invoke-OfficeScrape'
|
2022-05-24 22:02:08 +01:00
|
|
|
- 'Invoke-OxidResolver'
|
|
|
|
|
- 'Invoke-P0wnedshell'
|
2023-01-02 14:49:45 +01:00
|
|
|
- 'Invoke-Paranoia'
|
|
|
|
|
- 'Invoke-PortScan'
|
2023-01-10 00:13:37 +01:00
|
|
|
- 'Invoke-PoshRatHttp' # Also Covers Invoke-PoshRatHttps
|
2023-01-02 14:49:45 +01:00
|
|
|
- 'Invoke-PostExfil'
|
|
|
|
|
- 'Invoke-PowerDump'
|
|
|
|
|
- 'Invoke-PowerShellTCP'
|
|
|
|
|
- 'Invoke-PowerShellWMI'
|
2022-05-24 22:02:08 +01:00
|
|
|
- 'Invoke-PPLDump'
|
2023-01-02 14:49:45 +01:00
|
|
|
- 'Invoke-PsExec'
|
|
|
|
|
- 'Invoke-PSInject'
|
|
|
|
|
- 'Invoke-PsUaCme'
|
|
|
|
|
- 'Invoke-ReflectivePEInjection'
|
|
|
|
|
- 'Invoke-ReverseDNSLookup'
|
2022-05-24 22:02:08 +01:00
|
|
|
- 'Invoke-Rubeus'
|
2023-01-02 14:49:45 +01:00
|
|
|
- 'Invoke-RunAs'
|
2022-05-24 22:02:08 +01:00
|
|
|
- 'Invoke-SafetyKatz'
|
|
|
|
|
- 'Invoke-SauronEye'
|
2023-01-02 14:49:45 +01:00
|
|
|
- 'Invoke-SCShell'
|
2022-05-24 22:02:08 +01:00
|
|
|
- 'Invoke-Seatbelt'
|
2023-01-02 14:49:45 +01:00
|
|
|
- 'Invoke-ServiceAbuse'
|
2022-12-05 10:39:58 +01:00
|
|
|
- 'Invoke-ShadowSpray'
|
2023-01-21 12:28:08 +01:00
|
|
|
- 'Invoke-Sharp' # Covers all "Invoke-Sharp" variants
|
2023-01-02 14:49:45 +01:00
|
|
|
- 'Invoke-Shellcode'
|
|
|
|
|
- 'Invoke-SMBScanner'
|
2022-05-24 22:02:08 +01:00
|
|
|
- 'Invoke-Snaffler'
|
|
|
|
|
- 'Invoke-Spoolsample'
|
2023-01-02 14:49:45 +01:00
|
|
|
- 'Invoke-SpraySinglePassword'
|
|
|
|
|
- 'Invoke-SSHCommand'
|
2022-05-24 22:02:08 +01:00
|
|
|
- 'Invoke-StandIn'
|
|
|
|
|
- 'Invoke-StickyNotesExtract'
|
2023-01-17 01:00:44 +01:00
|
|
|
- 'Invoke-SystemCommand'
|
2023-01-24 16:51:37 +01:00
|
|
|
- 'Invoke-Tasksbackdoor'
|
2023-01-02 14:49:45 +01:00
|
|
|
- 'Invoke-Tater'
|
2022-05-24 22:02:08 +01:00
|
|
|
- 'Invoke-Thunderfox'
|
2023-01-02 14:49:45 +01:00
|
|
|
- 'Invoke-ThunderStruck'
|
|
|
|
|
- 'Invoke-TokenManipulation'
|
2022-05-24 22:02:08 +01:00
|
|
|
- 'Invoke-Tokenvator'
|
2023-01-02 14:49:45 +01:00
|
|
|
- 'Invoke-TotalExec'
|
2022-05-24 22:02:08 +01:00
|
|
|
- 'Invoke-UrbanBishop'
|
2023-01-02 14:49:45 +01:00
|
|
|
- 'Invoke-UserHunter'
|
|
|
|
|
- 'Invoke-VoiceTroll'
|
2022-05-24 22:02:08 +01:00
|
|
|
- 'Invoke-Whisker'
|
2023-01-02 14:49:45 +01:00
|
|
|
- 'Invoke-WinEnum'
|
2022-05-24 22:02:08 +01:00
|
|
|
- 'Invoke-winPEAS'
|
2023-01-02 14:49:45 +01:00
|
|
|
- 'Invoke-WireTap'
|
|
|
|
|
- 'Invoke-WmiCommand'
|
2023-03-07 14:13:57 +01:00
|
|
|
- 'Invoke-WMIExec'
|
2023-01-02 14:49:45 +01:00
|
|
|
- 'Invoke-WScriptBypassUAC'
|
2022-06-28 22:18:44 +01:00
|
|
|
- 'Invoke-Zerologon'
|
2023-01-02 14:49:45 +01:00
|
|
|
- 'MailRaider'
|
2023-04-21 11:14:55 +02:00
|
|
|
- 'New-ADIDNSNode'
|
2023-01-02 14:49:45 +01:00
|
|
|
- 'New-HoneyHash'
|
2023-01-06 16:35:34 +01:00
|
|
|
- 'New-InMemoryModule'
|
2023-04-21 11:14:55 +02:00
|
|
|
- 'New-SOASerialNumberArray'
|
2023-01-02 14:49:45 +01:00
|
|
|
- 'Out-Minidump'
|
|
|
|
|
- 'PowerBreach'
|
2023-01-21 18:15:37 +01:00
|
|
|
- 'powercat '
|
2023-01-02 14:49:45 +01:00
|
|
|
- 'PowerUp'
|
|
|
|
|
- 'PowerView'
|
2023-04-21 11:14:55 +02:00
|
|
|
- 'Remove-ADIDNSNode'
|
2023-01-02 14:49:45 +01:00
|
|
|
- 'Remove-Update'
|
2023-04-21 11:14:55 +02:00
|
|
|
- 'Rename-ADIDNSNode'
|
|
|
|
|
- 'Revoke-ADIDNSPermission'
|
|
|
|
|
- 'Set-ADIDNSNode' # Covers: Set-ADIDNSNodeAttribute, Set-ADIDNSNodeOwner
|
2023-01-02 14:49:45 +01:00
|
|
|
- 'Show-TargetScreen'
|
|
|
|
|
- 'Start-CaptureServer'
|
2024-01-29 13:37:20 +01:00
|
|
|
- 'Start-Dnscat2'
|
2022-06-28 22:18:44 +01:00
|
|
|
- 'Start-WebcamRecorder'
|
2023-01-02 14:49:45 +01:00
|
|
|
- 'VolumeShadowCopyTools'
|
2023-12-21 21:04:18 +01:00
|
|
|
# - 'Check-VM'
|
|
|
|
|
# - 'Disable-MachineAccount'
|
|
|
|
|
# - 'Enable-MachineAccount'
|
|
|
|
|
# - 'Get-ApplicationHost'
|
|
|
|
|
# - 'Get-MachineAccountAttribute'
|
|
|
|
|
# - 'Get-MachineAccountCreator'
|
|
|
|
|
# - 'Get-Screenshot'
|
|
|
|
|
# - 'HTTP-Login'
|
|
|
|
|
# - 'Install-ServiceBinary'
|
|
|
|
|
# - 'Install-SSP'
|
|
|
|
|
# - 'New-DNSRecordArray'
|
|
|
|
|
# - 'New-MachineAccount'
|
|
|
|
|
# - 'Port-Scan'
|
|
|
|
|
# - 'Remove-MachineAccount'
|
|
|
|
|
# - 'Set-MacAttribute'
|
|
|
|
|
# - 'Set-MachineAccountAttribute'
|
|
|
|
|
# - 'Set-Wallpaper'
|
2023-04-21 11:14:55 +02:00
|
|
|
filter_optional_amazon_ec2:
|
2021-12-01 23:14:57 +00:00
|
|
|
ScriptBlockText|contains:
|
2021-12-01 21:27:31 +00:00
|
|
|
- Get-SystemDriveInfo # http://bheltborg.dk/Windows/WinSxS/amd64_microsoft-windows-maintenancediagnostic_31bf3856ad364e35_10.0.10240.16384_none_91ef7543a4514b5e/CL_Utility.ps1
|
2022-06-08 19:00:12 +00:00
|
|
|
- C:\ProgramData\Amazon\EC2-Windows\Launch\Module\ # false positive form Amazon EC2
|
2023-04-21 11:14:55 +02:00
|
|
|
condition: selection and not 1 of filter_optional_*
|
2017-03-05 01:47:25 +01:00
|
|
|
falsepositives:
|
2022-03-16 13:51:26 +01:00
|
|
|
- Unknown
|
2017-03-05 01:47:25 +01:00
|
|
|
level: high
|
