security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Rule Dev

Browse Source
This commit is contained in:
Nasreddine Bencherchali
2022-11-18 11:15:28 +01:00
committed by GitHub
parent 0f496be1e5
commit 20b0a6bad8
11 changed files with 102 additions and 14 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/windows/powershell/powershell_script/posh_ps_computer_discovery_get_adcomputer.yml
+34
View File
@@ -0,0 +1,34 @@
title: Computer Discovery And Export Via Get-ADComputer Cmdlet - PowerShell
id: db885529-903f-4c5d-9864-28fe199e6370
related:
- id: 435e10e4-992a-4281-96f3-38b11106adde
type: similar
status: experimental
description: Detects usage of the Get-ADComputer cmdlet to collect computer information and output it to a file
references:
- http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html
- https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/
- https://www.cisa.gov/uscert/sites/default/files/publications/aa22-320a_joint_csa_iranian_government-sponsored_apt_actors_compromise_federal%20network_deploy_crypto%20miner_credential_harvester.pdf
author: Nasreddine Bencherchali
date: 2022/11/17
tags:
- attack.discovery
- attack.t1033
logsource:
product: windows
category: ps_script
definition: Script block logging must be enabled
detection:
selection:
ScriptBlockText|contains|all:
- 'Get-ADComputer '
- ' -Filter \*'
ScriptBlockText|contains:
- ' | Select '
- 'Out-File'
- 'Set-Content'
- 'Add-Content'
condition: selection
falsepositives:
- Legitimate admin scripts may use the same technique, it's better to exclude specific computers or users who execute these commands or scripts often
level: medium
rules/windows/powershell/powershell_script/posh_ps_susp_get_adcomputer.yml → rules/windows/powershell/powershell_script/posh_ps_get_adcomputer.yml
+3 -2
View File
@@ -1,11 +1,12 @@
title: Suspicious Enumerate Active Directory Computers with Get-AdComputer
title: Active Directory Computers Enumeration with Get-AdComputer
id: 36bed6b2-e9a0-4fff-beeb-413a92b86138
status: experimental
description: utilize Get-AdComputer to enumerate Computers within Active Directory.
description: Detects usage of the "Get-AdComputer" to enumerate Computers within Active Directory.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md
author: frack113
date: 2022/03/17
modified: 2022/11/18
tags:
- attack.discovery
- attack.t1018
rules/windows/powershell/powershell_script/posh_ps_susp_get_adgroup.yml → rules/windows/powershell/powershell_script/posh_ps_get_adgroup.yml
+3 -2
View File
@@ -1,11 +1,12 @@
title: Suspicious Enumerate Active Directory Groups with Get-AdComputer
title: Active Directory Group Enumeration With Get-AdGroup
id: 8c3a6607-b7dc-4f0d-a646-ef38c00b76ee
status: experimental
description: Detects the use of Get-AdGroup to enumerate Groups within Active Directory
description: Detects usage of the "Get-AdGroup" cmdlet to enumerate Groups within Active Directory
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md
author: frack113
date: 2022/03/17
modified: 2022/11/17
tags:
- attack.discovery
- attack.t1069.002
rules/windows/powershell/powershell_script/posh_ps_user_discovery_get_aduser.yml
+34
View File
@@ -0,0 +1,34 @@
title: User Discovery And Export Via Get-ADUser Cmdlet - PowerShell
id: c2993223-6da8-4b1a-88ee-668b8bf315e9
related:
- id: 1114e048-b69c-4f41-bc20-657245ae6e3f
type: similar
status: experimental
description: Detects usage of the Get-ADUser cmdlet to collect user information and output it to a file
references:
- http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html
- https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/
author: Nasreddine Bencherchali
date: 2022/11/17
tags:
- attack.discovery
- attack.t1033
logsource:
product: windows
category: ps_script
definition: Script block logging must be enabled
detection:
selection:
ScriptBlockText|contains|all:
- 'Get-ADUser '
- ' -Filter \*'
ScriptBlockText|contains:
- ' > '
- ' | Select '
- 'Out-File'
- 'Set-Content'
- 'Add-Content'
condition: selection
falsepositives:
- Legitimate admin scripts may use the same technique, it's better to exclude specific computers or users who execute these commands or scripts often
level: medium
rules/windows/powershell/powershell_script/posh_ps_win_defender_exclusions_added.yml
+1
View File
@@ -17,6 +17,7 @@ tags:
logsource:
category: ps_script
product: windows
definition: Script block logging must be enabled
detection:
selection_args_exc:
ScriptBlockText|contains: