diff --git a/rules/windows/powershell/powershell_nishang_malicious_commandlets.yml b/rules/windows/powershell/powershell_nishang_malicious_commandlets.yml
new file mode 100644
index 000000000..1592ab611
--- /dev/null
+++ b/rules/windows/powershell/powershell_nishang_malicious_commandlets.yml
@@ -0,0 +1,101 @@
+title: Malicious Nishang PowerShell Commandlets
+id: f772cee9-b7c2-4cb2-8f07-49870adc02e0
+status: experimental
+description: Detects Commandlet names and arguments from the Nishang exploitation framework
+date: 2019/05/16
+references:
+ - https://github.com/samratashok/nishang
+tags:
+ - attack.execution
+ - attack.t1086
+author: Alec Costello
+logsource:
+ product: windows
+ service: powershell
+ definition: It is recommanded to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277
+detection:
+ keywords:
+ - Add-ConstrainedDelegationBackdoor
+ - Set-DCShadowPermissions
+ - DNS_TXT_Pwnage
+ - Execute-OnTime
+ - HTTP-Backdoor
+ - Set-RemotePSRemoting
+ - Set-RemoteWMI
+ - Invoke-AmsiBypass
+ - Out-CHM
+ - Out-Excel
+ - Out-HTA
+ - Out-JS
+ - Out-Java
+ - Out-SCF
+ - Out-SCT
+ - Out-Shortcut
+ - Out-WebQuery
+ - Out-Word
+ - Enable-Duplication
+ - Remove-Update
+ - Download-Execute-PS
+ - Download_Execute
+ - Execute-Command-MSSQL
+ - Execute-DNSTXT-Code
+ - Out-RundllCommand
+ - Copy-VSS
+ - FireBuster
+ - FireListener
+ - Get-Information
+ - Get-PassHints
+ - Get-WLAN-Keys
+ - Get-Web-Credentials
+ - Invoke-CredentialsPhish
+ - Invoke-MimikatzWDigestDowngrade
+ - Invoke-SSIDExfil
+ - Invoke-SessionGopher
+ - Keylogger
+ - Invoke-Interceptor
+ - Create-MultipleSessions
+ - Invoke-NetworkRelay
+ - Run-EXEonRemote
+ - Invoke-Prasadhak
+ - Invoke-BruteForce
+ - Password-List
+ - Invoke-JSRatRegsvr
+ - Invoke-JSRatRundll
+ - Invoke-PoshRatHttps
+ - Invoke-PowerShellIcmp
+ - Invoke-PowerShellUdp
+ - Invoke-PSGcat
+ - Invoke-PsGcatAgent
+ - Remove-PoshRat
+ - Add-Persistance
+ - ExetoText
+ - Invoke-Decode
+ - Invoke-Encode
+ - Parse_Keys
+ - Remove-Persistence
+ - StringtoBase64
+ - TexttoExe
+ - Powerpreter
+ - Nishang
+ - EncodedData
+ - DataToEncode
+ - LoggedKeys
+ - OUT-DNSTXT
+ - Jitter
+ - ExfilOption
+ - Tamper
+ - DumpCerts
+ - DumpCreds
+ - Shellcode32
+ - Shellcode64
+ - JDKPath
+ - HHCPath
+ - NotAllNameSpaces
+ - exfill
+ - FakeDC
+ - Payload
+ - Exploit
+ condition: keywords
+falsepositives:
+ - Penetration testing
+level: high
diff --git a/rules/windows/process_creation/win_susp_process_creations.yml b/rules/windows/process_creation/win_susp_process_creations.yml
index 03bbaaf51..92bbd9ef1
--- a/rules/windows/process_creation/win_susp_process_creations.yml
+++ b/rules/windows/process_creation/win_susp_process_creations.yml
@@ -30,6 +30,10 @@ detection:
 - vssadmin create shadow /for=C:*
 - copy \\?\GLOBALROOT\Device\\*\windows\ntds\ntds.dit*
 - copy \\?\GLOBALROOT\Device\\*\config\SAM*
+ - copy \\?\GLOBALROOT\Device\\*\config\SYSTEM*
+ - type \\?\GLOBALROOT\Device\\*\config\SAM*
+ - type \\?\GLOBALROOT\Device\\*\config\SYSTEM*
+ - type \\?\GLOBALROOT\Device\\*\windows\ntds\ntds.dit*
 - reg SAVE HKLM\SYSTEM *
 - reg SAVE HKLM\SAM *
 - '* sekurlsa:*'
@@ -49,6 +53,7 @@ detection:
 - '*\certutil.exe -ping *'
 - icacls * /grant Everyone:F /T /C /Q
 - '* wmic shadowcopy delete *'
+ - '* wmic shadowcopy call create Volume=*'
 - '* wbadmin.exe delete catalog -quiet*'
 - '*\wscript.exe *.jse'
 - '*\wscript.exe *.js'
diff --git a/rules/windows/process_creation/win_susp_vssadmin_ntds_activity.yml b/rules/windows/process_creation/win_susp_vssadmin_ntds_activity.yml
index 1cb98e715..06aca1699
--- a/rules/windows/process_creation/win_susp_vssadmin_ntds_activity.yml
+++ b/rules/windows/process_creation/win_susp_vssadmin_ntds_activity.yml
@@ -26,6 +28,8 @@ detection:
 - 'vssadmin delete shadows /for=C:'
 - 'reg SAVE HKLM\SYSTEM '
 - esentutl.exe /y /vss *\ntds.dit*
+ - esentutl.exe /y /vss *\SAM
+ - esentutl.exe /y /vss *\SYSTEM
 condition: selection
 fields:
 - CommandLine
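Review bot: The keyword list mixes Nishang-specific commandlet names with generic tokens — `Payload`, `Exploit`, `Jitter`, `Tamper`, `exfill`, `Keylogger`, `EncodedData`, `DataToEncode`, `Password-List`, `Get-Information` — and a bare `condition: keywords` matches any PowerShell log entry containing one of them case-insensitively, so at `level: high` this is likely to fire on ordinary scripts (a `$payload` variable in a REST helper, a `-Jitter` parameter on a retry loop) rather than on Nishang. Keep the distinctive names at high and either drop the generic tokens or move them into a separate rule at `level: low` with its own `falsepositives` entry. Two smaller things: `Add-Persistance` and `Remove-Persistence` are spelled differently, so one is probably a typo — check the function names against the referenced repository; and `definition:` has `recommanded` for `recommended`.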
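Review bot: The four new `copy`/`type` entries have no leading `*`, so under Sigma's full-match semantics for plain values they only match a CommandLine that begins with the builtin itself; `copy` and `type` are cmd.exe builtins, so the process-creation event will normally carry something like `cmd.exe /c type \\?\GLOBALROOT\...` and none of the new entries will match. The same list already uses the leading-wildcard form (`'* sekurlsa:*'`, `'* wmic shadowcopy delete *'`), so `- '*type \\?\GLOBALROOT\Device\\*\config\SAM*'` and the corresponding `*copy ...`/`*type ...` spellings would be consistent; the pre-existing `copy` context lines share the same gap. The selection this list belongs to starts outside the hunk.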
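Review bot: `'* wmic shadowcopy call create Volume=*'` only covers the named-parameter form; wmic also accepts positional arguments to `call` (the familiar `wmic process call create "..."` form), so an invocation such as `wmic shadowcopy call create "C:\"` would presumably slip past. Unless the narrow pattern is intentional, `- '* wmic shadowcopy call create *'` covers both spellings, at the cost of also matching legitimate backup scripts that snapshot via wmic — worth recording under the rule's `falsepositives`, which is outside the hunk. The selection this list belongs to starts outside the hunk.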
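Review bot: The two new `esentutl.exe /y /vss` entries end in `*\SAM` and `*\SYSTEM` with no trailing wildcard, while the existing `*\ntds.dit*` line keeps one; esentutl's `/y` copy mode takes its destination via `/d <path>` after the source, so a real command line such as `esentutl.exe /y /vss C:\Windows\System32\config\SAM /d C:\temp\sam` matches neither new entry, and a quoted source path would not either. Anchoring on the hive directory instead of the bare hive name also avoids `*\SYSTEM*` matching every path under `\System32\`: `- esentutl.exe /y /vss *\config\SAM*` and `- esentutl.exe /y /vss *\config\SYSTEM*`, which still cover `\\?\GLOBALROOT\...\config\SAM` shadow-copy paths. The `selection` these lines belong to starts outside the hunk.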