Merge pull request #340 from virtuallaik/master
Create powershell_nishang_malicious_commandlets.yml + edits
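--- /dev/null
+++ b/powershell_nishang_malicious_commandlets.yml
@@ -0,0 +1,101 @@
+title: Malicious Nishang PowerShell Commandlets
+id: f772cee9-b7c2-4cb2-8f07-49870adc02e0
+status: experimental
+description: Detects Commandlet names and arguments from the Nishang exploitation framework
+date: 2019/05/16
+references:
+- https://github.com/samratashok/nishang
+tags:
+- attack.execution
+- attack.t1086
+author: Alec Costello
+logsource:
+product: windows
+service: powershell
+definition: It is recommanded to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277
+detection:
+keywords:
+- Add-ConstrainedDelegationBackdoor
+- Set-DCShadowPermissions
+- DNS_TXT_Pwnage
+- Execute-OnTime
+- HTTP-Backdoor
+- Set-RemotePSRemoting
+- Set-RemoteWMI
+- Invoke-AmsiBypass
+- Out-CHM
+- Out-Excel
+- Out-HTA
+- Out-JS
+- Out-Java
+- Out-SCF
+- Out-SCT
+- Out-Shortcut
+- Out-WebQuery
+- Out-Word
+- Enable-Duplication
+- Remove-Update
+- Download-Execute-PS
+- Download_Execute
+- Execute-Command-MSSQL
+- Execute-DNSTXT-Code
+- Out-RundllCommand
+- Copy-VSS
+- FireBuster
+- FireListener
+- Get-Information
+- Get-PassHints
+- Get-WLAN-Keys
+- Get-Web-Credentials
+- Invoke-CredentialsPhish
+- Invoke-MimikatzWDigestDowngrade
+- Invoke-SSIDExfil
+- Invoke-SessionGopher
+- Keylogger
+- Invoke-Interceptor
+- Create-MultipleSessions
+- Invoke-NetworkRelay
+- Run-EXEonRemote
+- Invoke-Prasadhak
+- Invoke-BruteForce
+- Password-List
+- Invoke-JSRatRegsvr
+- Invoke-JSRatRundll
+- Invoke-PoshRatHttps
+- Invoke-PowerShellIcmp
+- Invoke-PowerShellUdp
+- Invoke-PSGcat
+- Invoke-PsGcatAgent
+- Remove-PoshRat
+- Add-Persistance
+- ExetoText
+- Invoke-Decode
+- Invoke-Encode
+- Parse_Keys
+- Remove-Persistence
+- StringtoBase64
+- TexttoExe
+- Powerpreter
+- Nishang
+- EncodedData
+- DataToEncode
+- LoggedKeys
+- OUT-DNSTXT
+- Jitter
+- ExfilOption
+- Tamper
+- DumpCerts
+- DumpCreds
+- Shellcode32
+- Shellcode64
+- JDKPath
+- HHCPath
+- NotAllNameSpaces
+- exfill
+- FakeDC
+- Payload
+- Exploit
+condition: keywords
+falsepositives:
+- Penetration testing
+level: high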
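Review bot: Several entries in the keywords list are plain English words or common parameter and variable names rather than Nishang-specific identifiers — `Payload`, `Exploit`, `Jitter`, `Tamper`, `exfill`, `Keylogger`, `Password-List`, `EncodedData`, `DataToEncode` — and because keyword matching is substring-based and Script Block Logging (the source the `definition` line itself recommends) records the full text of every script, any administrative script with a `$Payload` variable or a comment that mentions an exploit will trigger this rule at `level: high`. Suggest removing the generic terms, or moving them into a separate rule at `level: low`, so that the remaining high-signal names (`Invoke-PowerShellIcmp`, `Out-CHM`, `Add-ConstrainedDelegationBackdoor`, `Invoke-MimikatzWDigestDowngrade`, …) keep a trustworthy high-severity alert. If the generic terms stay, `falsepositives` should list them explicitly, e.g. `- Legitimate scripts that use generic names such as Payload, Jitter or Tamper`. The `definition` line also has a typo (`recommanded` → `recommended`).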
@@ -30,6 +30,10 @@ detection:
|
||||
- vssadmin create shadow /for=C:*
|
||||
- copy \\?\GLOBALROOT\Device\\*\windows\ntds\ntds.dit*
|
||||
- copy \\?\GLOBALROOT\Device\\*\config\SAM*
|
||||
- copy \\?\GLOBALROOT\Device\\*\config\SYSTEM*
|
||||
- type \\?\GLOBALROOT\Device\\*\config\SAM*
|
||||
- type \\?\GLOBALROOT\Device\\*\config\SYSTEM*
|
||||
- type \\?\GLOBALROOT\Device\\*\windows\ntds\ntds.dit*
|
||||
- reg SAVE HKLM\SYSTEM *
|
||||
- reg SAVE HKLM\SAM *
|
||||
- '* sekurlsa:*'
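Review bot: The `copy \\?\GLOBALROOT\...` and `type \\?\GLOBALROOT\...` patterns carry no leading wildcard, yet `copy` and `type` are cmd.exe built-ins, so on a process-creation CommandLine they only ever appear after the shell's own text (`cmd /c copy ...`); as written these patterns can match only if the rule's log source records the inner command line, which the hunk does not show. The same gap applies to `reg SAVE HKLM\SYSTEM *` and `reg SAVE HKLM\SAM *`, which miss `reg.exe save ...` and the full-path `C:\Windows\System32\reg.exe save ...` forms, while the neighbouring `'* sekurlsa:*'` line does use a leading wildcard. Which four of these ten lines are the additions is not recoverable from the rendered page, so this applies to whichever of them this commit introduced. Suggest `'*reg* SAVE HKLM\SAM *'`, `'*reg* SAVE HKLM\SYSTEM *'` and a leading `*` on the copy/type lines, and confirming that the target backend matches CommandLine case-insensitively. The detection block continues outside the hunk.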
|
||||
@@ -49,6 +53,7 @@ detection:
|
||||
- '*\certutil.exe -ping *'
|
||||
- icacls * /grant Everyone:F /T /C /Q
|
||||
- '* wmic shadowcopy delete *'
|
||||
- '* wmic shadowcopy call create Volume=*'
|
||||
- '* wbadmin.exe delete catalog -quiet*'
|
||||
- '*\wscript.exe *.jse'
|
||||
- '*\wscript.exe *.js'
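Review bot: The `'* wmic shadowcopy call create Volume=*'` pattern requires a space immediately before `wmic`, so a command line that starts with `wmic ...`, one invoked as `wmic.exe ...`, or the full-path form `C:\Windows\System32\wbem\WMIC.exe shadowcopy call create ...` will not match; the adjacent `'* wmic shadowcopy delete *'` line has the same shape, and the counts say only one of these seven lines is new, so this applies to whichever one this commit added. Suggest `'*wmic* shadowcopy call create *'` (dropping the `Volume=` suffix as well, since the argument may be quoted or given in a different order). The detection block continues outside the hunk.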
|
||||
|
||||
@@ -26,6 +26,8 @@ detection:
|
||||
- 'vssadmin delete shadows /for=C:'
|
||||
- 'reg SAVE HKLM\SYSTEM '
|
||||
- esentutl.exe /y /vss *\ntds.dit*
|
||||
- esentutl.exe /y /vss *\SAM
|
||||
- esentutl.exe /y /vss *\SYSTEM
|
||||
condition: selection
|
||||
fields:
|
||||
- CommandLine
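Review bot: The `esentutl.exe /y /vss *\SAM` and `esentutl.exe /y /vss *\SYSTEM` patterns have no trailing wildcard, so the usual invocation that appends a destination (`esentutl.exe /y /vss C:\Windows\System32\config\SAM /d C:\temp\sam`) does not match, unlike the `*\ntds.dit*` line beside them; they also lack a leading wildcard, so a full-path or `cmd /c` invocation is missed. Two of these eight lines are the additions and the page does not say which, but the gap is worth closing on whichever lines are new: `- '*esentutl.exe /y /vss *\SAM*'` and `- '*esentutl.exe /y /vss *\SYSTEM*'`. Note too that `'reg SAVE HKLM\SYSTEM '` ends in a space with no wildcard, which on an exact-match backend only matches a command line that ends right there, i.e. never a real `reg save` with an output path. The `selection` block starts outside the hunk.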
|
||||
|
||||