feat: updates and enhancements

This commit is contained in:
Nasreddine Bencherchali
2023-01-02 14:49:45 +01:00
parent 2589ffe6b7
commit a99b5082e1
21 changed files with 793 additions and 447 deletions
@@ -1,13 +1,13 @@
title: AzureHound PowerShell Commands
id: 83083ac6-1816-4e76-97d7-59af9a9ae46e
status: experimental
status: deprecated
description: Detects the execution of AzureHound in PowerShell, a tool to gather data from Azure for BloodHound
references:
- https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1
- https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html
author: Austin Songer (@austinsonger)
date: 2021/10/23
modified: 2022/01/12
modified: 2023/01/02
tags:
- attack.discovery
- attack.t1482
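Review bot: The rule is flipped to `status: deprecated` but nothing in the file tells a reader where its coverage went; only the ScriptBlock rule 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6 records the link, via its `related` entry `type: obsoletes` for this id, and it is that rule's new `Invoke-AzureHound` entry that now carries the detection. Appending one sentence to `description:`, e.g. `Deprecated: superseded by rule 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6 (Malicious PowerShell Commandlets - ScriptBlock).`, would let anyone still shipping this file find the replacement without grepping the repository. The same applies to the PrintNightmare deprecation in the next hunk (`title: PrintNightmare Powershell Exploitation`), whose successor entry in that rule is `Invoke-Nightmare`.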
@@ -1,12 +1,12 @@
title: PrintNightmare Powershell Exploitation
id: 6d3f1399-a81c-4409-aff3-1ecfe9330baf
status: test
status: deprecated
description: Detects Commandlet name for PrintNightmare exploitation.
references:
- https://github.com/calebstewart/CVE-2021-1675
author: Max Altgelt, Tobias Michalski
date: 2021/08/09
modified: 2021/10/16
modified: 2023/01/02
tags:
- attack.privilege_escalation
- attack.t1548
@@ -1,4 +1,4 @@
title: Malicious PowerShell Commandlet Names
title: Malicious PowerShell Commandlets - FileCreation
id: f331aa1f-8c53-4fc3-b083-cc159bc971cb
related:
- id: 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
@@ -21,7 +21,7 @@ references:
- https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/ # Invoke-TotalExec
author: Markus Neis, Nasreddine Bencherchali, Mustafa Kaan Demir, Georg Lauenstein
date: 2018/04/07
modified: 2022/12/04
modified: 2023/01/02
tags:
- attack.execution
- attack.t1059.001
@@ -31,118 +31,71 @@ logsource:
detection:
selection:
TargetFilename|endswith:
- '\Invoke-DllInjection.ps1'
- '\Invoke-WmiCommand.ps1'
- '\Get-GPPPassword.ps1'
- '\Get-Keystrokes.ps1'
- '\Get-VaultCredential.ps1'
- '\Invoke-CredentialInjection.ps1'
- '\Invoke-Mimikatz.ps1'
- '\Invoke-NinjaCopy.ps1'
- '\Invoke-TokenManipulation.ps1'
- '\Out-Minidump.ps1'
- '\VolumeShadowCopyTools.ps1'
- '\Invoke-ReflectivePEInjection.ps1'
- '\Get-TimedScreenshot.ps1'
- '\Invoke-UserHunter.ps1'
- '\Find-GPOLocation.ps1'
- '\Invoke-ACLScanner.ps1'
- '\Invoke-DowngradeAccount.ps1'
- '\Get-ServiceUnquoted.ps1'
- '\Get-ServiceFilePermission.ps1'
- '\Get-ServicePermission.ps1'
- '\Invoke-ServiceAbuse.ps1'
- '\Install-ServiceBinary.ps1'
- '\Get-RegAutoLogon.ps1'
- '\Get-VulnAutoRun.ps1'
- '\Get-VulnSchTask.ps1'
- '\Get-UnattendedInstallFile.ps1'
- '\Get-WebConfig.ps1'
- '\Get-ApplicationHost.ps1'
- '\Get-RegAlwaysInstallElevated.ps1'
- '\Get-Unconstrained.ps1'
- '\Add-RegBackdoor.ps1'
- '\Add-ScrnSaveBackdoor.ps1'
- '\Gupt-Backdoor.ps1'
- '\Invoke-ADSBackdoor.ps1'
- '\Enabled-DuplicateToken.ps1'
- '\Invoke-PsUaCme.ps1'
- '\Remove-Update.ps1'
- '\Check-VM.ps1'
- '\Get-LSASecret.ps1'
- '\Get-PassHashes.ps1'
- '\Show-TargetScreen.ps1'
- '\Port-Scan.ps1'
- '\Invoke-PoshRatHttp.ps1'
- '\Invoke-PowerShellTCP.ps1'
- '\Invoke-PowerShellWMI.ps1'
- '\Add-Exfiltration.ps1'
- '\Add-Persistence.ps1'
- '\Add-RegBackdoor.ps1'
- '\Add-ScrnSaveBackdoor.ps1'
- '\Check-VM.ps1'
- '\Do-Exfiltration.ps1'
- '\Start-CaptureServer.ps1'
- '\Invoke-ShellCode.ps1'
- '\DomainPasswordSpray.ps1'
- '\Enabled-DuplicateToken.ps1'
- '\Exploit-Jboss.ps1'
- '\Find-AVSignature.ps1'
- '\Find-Fruit.ps1'
- '\Find-GPOLocation.ps1'
- '\Find-TrustedDocuments.ps1'
- '\Get-ApplicationHost.ps1'
- '\Get-ChromeDump.ps1'
- '\Get-ClipboardContents.ps1'
- '\Get-ComputerDetail.ps1'
- '\Get-FoxDump.ps1'
- '\Get-GPPAutologon.ps1'
- '\Get-GPPPassword.ps1'
- '\Get-IndexedItem.ps1'
- '\Get-Keystrokes.ps1'
- '\Get-LSASecret.ps1'
- '\Get-MicrophoneAudio.ps1'
- '\Get-PassHashes.ps1'
- '\Get-RegAlwaysInstallElevated.ps1'
- '\Get-RegAutoLogon.ps1'
- '\Get-RickAstley.ps1'
- '\Get-Screenshot.ps1'
- '\Invoke-Inveigh.ps1'
- '\Invoke-NetRipper.ps1'
- '\Invoke-EgressCheck.ps1'
- '\Invoke-PostExfil.ps1'
- '\Invoke-PSInject.ps1'
- '\Invoke-RunAs.ps1'
- '\MailRaider.ps1'
- '\New-HoneyHash.ps1'
- '\Set-MacAttribute.ps1'
- '\Invoke-DCSync.ps1'
- '\Invoke-PowerDump.ps1'
- '\Exploit-Jboss.ps1'
- '\Invoke-ThunderStruck.ps1'
- '\Invoke-VoiceTroll.ps1'
- '\Set-Wallpaper.ps1'
- '\Invoke-InveighRelay.ps1'
- '\Invoke-PsExec.ps1'
- '\Invoke-SSHCommand.ps1'
- '\Get-SecurityPackages.ps1'
- '\Install-SSP.ps1'
- '\Invoke-BackdoorLNK.ps1'
- '\PowerBreach.ps1'
- '\Get-ServiceFilePermission.ps1'
- '\Get-ServicePermission.ps1'
- '\Get-ServiceUnquoted.ps1'
- '\Get-SiteListPassword.ps1'
- '\Get-System.ps1'
- '\Invoke-BypassUAC.ps1'
- '\Invoke-Tater.ps1'
- '\Invoke-WScriptBypassUAC.ps1'
- '\PowerUp.ps1'
- '\PowerView.ps1'
- '\Get-RickAstley.ps1'
- '\Find-Fruit.ps1'
- '\Get-TimedScreenshot.ps1'
- '\Get-UnattendedInstallFile.ps1'
- '\Get-Unconstrained.ps1'
- '\Get-USBKeystrokes.ps1'
- '\Get-VaultCredential.ps1'
- '\Get-VulnAutoRun.ps1'
- '\Get-VulnSchTask.ps1'
- '\Get-WebConfig.ps1'
- '\Gupt-Backdoor.ps1'
- '\HTTP-Login.ps1'
- '\Find-TrustedDocuments.ps1'
- '\Invoke-Paranoia.ps1'
- '\Invoke-WinEnum.ps1'
- '\Install-ServiceBinary.ps1'
- '\Install-SSP.ps1'
- '\Invoke-ACLScanner.ps1'
- '\Invoke-ADSBackdoor.ps1'
- '\Invoke-ARPScan.ps1'
- '\Invoke-PortScan.ps1'
- '\Invoke-ReverseDNSLookup.ps1'
- '\Invoke-SMBScanner.ps1'
- '\Invoke-Mimikittenz.ps1'
- '\PowerUpSQL.ps1'
- '\Get-ComputerDetail.ps1'
- '\Find-AVSignature.ps1'
- '\Get-GPPAutologon.ps1'
- '\Get-MicrophoneAudio.ps1'
- '\Invoke-EventViewer.ps1'
- '\WSUSpendu.ps1'
- '\Invoke-PowerThIEf.ps1'
- '\WinPwn.ps1'
- '\Offline_Winpwn.ps1'
- '\PowerSharpPack.ps1'
- '\Invoke-BackdoorLNK.ps1'
- '\Invoke-BadPotato.ps1'
- '\Invoke-BetterSafetyKatz.ps1'
- '\Invoke-BypassUAC.ps1'
- '\Invoke-Carbuncle.ps1'
- '\Invoke-Certify.ps1'
- '\Invoke-ConPtyShell.ps1'
- '\Invoke-CredentialInjection.ps1'
- '\Invoke-DAFT.ps1'
- '\Invoke-DCSync.ps1'
- '\Invoke-DinvokeKatz.ps1'
- '\Invoke-DllInjection.ps1'
- '\Invoke-DowngradeAccount.ps1'
- '\Invoke-EgressCheck.ps1'
- '\Invoke-EventViewer.ps1'
- '\Invoke-Eyewitness.ps1'
- '\Invoke-FakeLogonScreen.ps1'
- '\Invoke-Farmer.ps1'
@@ -152,23 +105,43 @@ detection:
- '\Invoke-Grouper3.ps1'
- '\Invoke-HandleKatz.ps1'
- '\Invoke-Internalmonologue.ps1'
- '\Invoke-Inveigh.ps1'
- '\Invoke-InveighRelay.ps1'
- '\Invoke-KrbRelay.ps1'
- '\Invoke-KrbRelayUp.ps1'
- '\Invoke-LdapSignCheck.ps1'
- '\Invoke-Lockless.ps1'
- '\Invoke-MITM6.ps1'
- '\Invoke-MalSCCM.ps1'
- '\Invoke-Mimikatz.ps1'
- '\Invoke-Mimikittenz.ps1'
- '\Invoke-MITM6.ps1'
- '\Invoke-NanoDump.ps1'
- '\Invoke-NetRipper.ps1'
- '\Invoke-NinjaCopy.ps1'
- '\Invoke-OxidResolver.ps1'
- '\Invoke-P0wnedshell.ps1'
- '\Invoke-P0wnedshellx86.ps1'
- '\Invoke-Paranoia.ps1'
- '\Invoke-PortScan.ps1'
- '\Invoke-PoshRatHttp.ps1'
- '\Invoke-PostExfil.ps1'
- '\Invoke-PowerDump.ps1'
- '\Invoke-PowerShellTCP.ps1'
- '\Invoke-PowerShellWMI.ps1'
- '\Invoke-PowerThIEf.ps1'
- '\Invoke-PPLDump.ps1'
- '\Invoke-PsExec.ps1'
- '\Invoke-PSInject.ps1'
- '\Invoke-PsUaCme.ps1'
- '\Invoke-ReflectivePEInjection.ps1'
- '\Invoke-ReverseDNSLookup.ps1'
- '\Invoke-Rubeus.ps1'
- '\Invoke-SCShell.ps1'
- '\Invoke-RunAs.ps1'
- '\Invoke-SafetyKatz.ps1'
- '\Invoke-SauronEye.ps1'
- '\Invoke-SCShell.ps1'
- '\Invoke-Seatbelt.ps1'
- '\Invoke-SharPersist.ps1'
- '\Invoke-ServiceAbuse.ps1'
- '\Invoke-SharpAllowedToAct.ps1'
- '\Invoke-SharpBlock.ps1'
- '\Invoke-SharpBypassUAC.ps1'
@@ -177,54 +150,82 @@ detection:
- '\Invoke-SharpCloud.ps1'
- '\Invoke-SharpDPAPI.ps1'
- '\Invoke-SharpDump.ps1'
- '\Invoke-SharpGPO-RemoteAccessPolicies.ps1'
- '\Invoke-SharPersist.ps1'
- '\Invoke-SharpGPOAbuse.ps1'
- '\Invoke-SharpGPO-RemoteAccessPolicies.ps1'
- '\Invoke-SharpHandler.ps1'
- '\Invoke-SharpHide.ps1'
- '\Invoke-Sharphound2.ps1'
- '\Invoke-Sharphound3.ps1'
- '\Invoke-SharpHound4.ps1'
- '\Invoke-SharpImpersonation.ps1'
- '\Invoke-SharpImpersonationNoSpace.ps1'
- '\Invoke-SharpKatz.ps1'
- '\Invoke-SharpLdapRelayScan.ps1'
- '\Invoke-Sharplocker.ps1'
- '\Invoke-SharpLoginPrompt.ps1'
- '\Invoke-SharpMove.ps1'
- '\Invoke-SharpPrintNightmare.ps1'
- '\Invoke-SharpPrinter.ps1'
- '\Invoke-SharpPrintNightmare.ps1'
- '\Invoke-SharpRDP.ps1'
- '\Invoke-SharpSCCM.ps1'
- '\Invoke-SharpSSDP.ps1'
- '\Invoke-SharpSecDump.ps1'
- '\Invoke-Sharpshares.ps1'
- '\Invoke-SharpSniper.ps1'
- '\Invoke-SharpSploit.ps1'
- '\Invoke-Sharpsploit_nomimi.ps1'
- '\Invoke-SharpSpray.ps1'
- '\Invoke-SharpSSDP.ps1'
- '\Invoke-SharpStay.ps1'
- '\Invoke-SharpUp.ps1'
- '\Invoke-SharpWSUS.ps1'
- '\Invoke-SharpWatson.ps1'
- '\Invoke-Sharphound2.ps1'
- '\Invoke-Sharphound3.ps1'
- '\Invoke-Sharplocker.ps1'
- '\Invoke-Sharpshares.ps1'
- '\Invoke-Sharpsploit_nomimi.ps1'
- '\Invoke-Sharpview.ps1'
- '\Invoke-SharpWatson.ps1'
- '\Invoke-Sharpweb.ps1'
- '\Invoke-SharpWSUS.ps1'
- '\Invoke-ShellCode.ps1'
- '\Invoke-SMBScanner.ps1'
- '\Invoke-Snaffler.ps1'
- '\Invoke-Spoolsample.ps1'
- '\Invoke-SSHCommand.ps1'
- '\Invoke-StandIn.ps1'
- '\Invoke-StickyNotesExtract.ps1'
- '\Invoke-Tater.ps1'
- '\Invoke-Thunderfox.ps1'
- '\Invoke-ThunderStruck.ps1'
- '\Invoke-TokenManipulation.ps1'
- '\Invoke-Tokenvator.ps1'
- '\Invoke-TotalExec.ps1'
- '\Invoke-UrbanBishop.ps1'
- '\Invoke-UserHunter.ps1'
- '\Invoke-VoiceTroll.ps1'
- '\Invoke-Whisker.ps1'
- '\Invoke-WireTap.ps1'
- '\Invoke-WinEnum.ps1'
- '\Invoke-winPEAS.ps1'
- '\Invoke-WireTap.ps1'
- '\Invoke-WmiCommand.ps1'
- '\Invoke-WScriptBypassUAC.ps1'
- '\Invoke-Zerologon.ps1'
- '\Get-USBKeystrokes.ps1'
- '\Start-WebcamRecorder.ps1'
- '\PSAsyncShell.ps1'
- '\MailRaider.ps1'
- '\New-HoneyHash.ps1'
- '\OfficeMemScraper.ps1'
- '\DomainPasswordSpray.ps1'
- '\Offline_Winpwn.ps1'
- '\Out-Minidump.ps1'
- '\Port-Scan.ps1'
- '\PowerBreach.ps1'
- '\PowerSharpPack.ps1'
- '\PowerUp.ps1'
- '\PowerUpSQL.ps1'
- '\PowerView.ps1'
- '\PSAsyncShell.ps1'
- '\Remove-Update.ps1'
- '\Set-MacAttribute.ps1'
- '\Set-Wallpaper.ps1'
- '\Show-TargetScreen.ps1'
- '\Start-CaptureServer.ps1'
- '\Start-WebcamRecorder.ps1'
- '\VolumeShadowCopyTools.ps1'
- '\WinPwn.ps1'
- '\WSUSpendu.ps1'
condition: selection
falsepositives:
- Unknown
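Review bot: The `TargetFilename|endswith` list is re-sorted but not brought in line with its `similar` sibling 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6, which in this same commit gains `Invoke-AzureHound` and `Invoke-Nightmare` for the two rules it now obsoletes; nothing corresponding is added here. The AzureHound collector is referenced by its script name (`Collectors/AzureHound.ps1`), so `- '\AzureHound.ps1'` would be a grounded addition if that collector is dropped to disk under its upstream name; the PrintNightmare repository is referenced only by its CVE name, so I would not guess a filename for it. A one-line comment above `condition:` such as `# File-name counterpart of 89819aa4 (script block text); keep the two lists in step when adding tools` would make the intended relationship explicit, since the two lists are clearly expected to drift otherwise. The detection block starts in an earlier hunk of this section.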
@@ -1,8 +1,12 @@
title: Malicious PowerShell Commandlets
title: Malicious PowerShell Commandlets - ScriptBlock
id: 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
related:
- id: f331aa1f-8c53-4fc3-b083-cc159bc971cb
type: similar
- id: 6d3f1399-a81c-4409-aff3-1ecfe9330baf
type: obsoletes
- id: 83083ac6-1816-4e76-97d7-59af9a9ae46e
type: obsoletes
status: test
description: Detects Commandlet names from well-known PowerShell exploitation frameworks
references:
@@ -14,120 +18,91 @@ references:
- https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1
- https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/ # Invoke-TotalExec
- https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/ # Invoke-TotalExec
author: Sean Metcalf (source), Florian Roth (rule), Bartlomiej Czyz @bczyz1 (update), oscd.community (update), Nasreddine Bencherchali (update), Tim Shelton (fp), Mustafa Kaan Demir (update), Georg Lauenstein (update)
- https://github.com/calebstewart/CVE-2021-1675 # Invoke-Nightmare
- https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1
- https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html
author: Sean Metcalf (source), Florian Roth (rule), Bartlomiej Czyz @bczyz1 (update), oscd.community (update), Nasreddine Bencherchali (update), Tim Shelton (fp), Mustafa Kaan Demir (update), Georg Lauenstein (update), Max Altgelt (update), Tobias Michalski (update), Austin Songer (@austinsonger) (update)
date: 2017/03/05
modified: 2022/12/27
modified: 2023/01/02
tags:
- attack.execution
- attack.discovery
- attack.t1482
- attack.t1087
- attack.t1087.001
- attack.t1087.002
- attack.t1069.001
- attack.t1069.002
- attack.t1069
- attack.t1059.001
logsource:
product: windows
category: ps_script
definition: Script Block Logging must be enabled
detection:
select_Malicious:
selection:
ScriptBlockText|contains:
- 'Invoke-DllInjection'
- 'Invoke-Shellcode'
- 'Invoke-WmiCommand'
- 'Get-GPPPassword'
- 'Get-Keystrokes'
- 'Get-TimedScreenshot'
- 'Get-VaultCredential'
- 'Invoke-CredentialInjection'
- 'Invoke-Mimikatz'
- 'Invoke-NinjaCopy'
- 'Invoke-TokenManipulation'
- 'Out-Minidump'
- 'VolumeShadowCopyTools'
- 'Invoke-ReflectivePEInjection'
- 'Invoke-UserHunter'
- 'Find-GPOLocation'
- 'Invoke-ACLScanner'
- 'Invoke-DowngradeAccount'
- 'Get-ServiceUnquoted'
- 'Get-ServiceFilePermission'
- 'Get-ServicePermission'
- 'Invoke-ServiceAbuse'
- 'Install-ServiceBinary'
- 'Get-RegAutoLogon'
- 'Get-VulnAutoRun'
- 'Get-VulnSchTask'
- 'Get-UnattendedInstallFile'
- 'Get-ApplicationHost'
- 'Get-RegAlwaysInstallElevated'
- 'Get-Unconstrained'
- 'Add-RegBackdoor'
- 'Add-ScrnSaveBackdoor'
- 'Gupt-Backdoor'
- 'Invoke-ADSBackdoor'
- 'Enabled-DuplicateToken'
- 'Invoke-PsUaCme'
- 'Remove-Update'
- 'Check-VM'
- 'Get-LSASecret'
- 'Get-PassHashes'
- 'Show-TargetScreen'
- 'Port-Scan'
- 'Invoke-PoshRatHttp'
- 'Invoke-PowerShellTCP'
- 'Invoke-PowerShellWMI'
- 'Add-Exfiltration'
- 'Add-Persistence'
- 'Add-RegBackdoor'
- 'Add-ScrnSaveBackdoor'
- 'Check-VM'
- 'Do-Exfiltration'
- 'Start-CaptureServer'
- 'Enabled-DuplicateToken'
- 'Exploit-Jboss'
- 'Find-Fruit'
- 'Find-GPOLocation'
- 'Find-TrustedDocuments'
- 'Get-ApplicationHost'
- 'Get-ChromeDump'
- 'Get-ClipboardContents'
- 'Get-FoxDump'
- 'Get-GPPPassword'
- 'Get-IndexedItem'
- 'Get-Keystrokes'
- 'Get-LSASecret'
- 'Get-PassHashes'
- 'Get-RegAlwaysInstallElevated'
- 'Get-RegAutoLogon'
- 'Get-RickAstley'
- 'Get-Screenshot'
- 'Invoke-Inveigh'
- 'Invoke-NetRipper'
- 'Invoke-EgressCheck'
- 'Invoke-PostExfil'
- 'Invoke-PSInject'
- 'Invoke-RunAs'
- 'MailRaider'
- 'New-HoneyHash'
- 'Set-MacAttribute'
- 'Invoke-DCSync'
- 'Invoke-PowerDump'
- 'Exploit-Jboss'
- 'Invoke-ThunderStruck'
- 'Invoke-VoiceTroll'
- 'Set-Wallpaper'
- 'Invoke-InveighRelay'
- 'Invoke-PsExec'
- 'Invoke-SSHCommand'
- 'Get-SecurityPackages'
- 'Install-SSP'
- 'Invoke-BackdoorLNK'
- 'PowerBreach'
- 'Get-ServiceFilePermission'
- 'Get-ServicePermission'
- 'Get-ServiceUnquoted'
- 'Get-SiteListPassword'
- 'Get-System'
- 'Invoke-BypassUAC'
- 'Invoke-Tater'
- 'Invoke-WScriptBypassUAC'
- 'PowerUp'
- 'PowerView'
- 'Get-RickAstley'
- 'Find-Fruit'
- 'Get-TimedScreenshot'
- 'Get-UnattendedInstallFile'
- 'Get-Unconstrained'
- 'Get-USBKeystrokes'
- 'Get-VaultCredential'
- 'Get-VulnAutoRun'
- 'Get-VulnSchTask'
- 'Gupt-Backdoor'
- 'HTTP-Login'
- 'Find-TrustedDocuments'
- 'Invoke-Paranoia'
- 'Invoke-WinEnum'
- 'Invoke-ARPScan'
- 'Invoke-PortScan'
- 'Invoke-ReverseDNSLookup'
- 'Invoke-SMBScanner'
- 'Invoke-Mimikittenz'
- 'Install-ServiceBinary'
- 'Install-SSP'
- 'Invoke-ACLScanner'
- 'Invoke-ADSBackdoor'
- 'Invoke-AllChecks'
- 'Invoke-ARPScan'
- 'Invoke-AzureHound'
- 'Invoke-BackdoorLNK'
- 'Invoke-BadPotato'
- 'Invoke-BetterSafetyKatz'
- 'Invoke-BypassUAC'
- 'Invoke-Carbuncle'
- 'Invoke-Certify'
- 'Invoke-ConPtyShell'
- 'Invoke-CredentialInjection'
- 'Invoke-DAFT'
- 'Invoke-DCSync'
- 'Invoke-DinvokeKatz'
- 'Invoke-DllInjection'
- 'Invoke-DomainPasswordSpray'
- 'Invoke-DowngradeAccount'
- 'Invoke-EgressCheck'
- 'Invoke-Eyewitness'
- 'Invoke-FakeLogonScreen'
- 'Invoke-Farmer'
@@ -136,22 +111,43 @@ detection:
- 'Invoke-Grouper' # cover Invoke-GrouperX
- 'Invoke-HandleKatz'
- 'Invoke-Internalmonologue'
- 'Invoke-Inveigh'
- 'Invoke-InveighRelay'
- 'Invoke-KrbRelay'
- 'Invoke-LdapSignCheck'
- 'Invoke-Lockless'
- 'Invoke-MITM6'
- 'Invoke-MalSCCM'
- 'Invoke-Mimikatz'
- 'Invoke-Mimikittenz'
- 'Invoke-MITM6'
- 'Invoke-NanoDump'
- 'Invoke-NetRipper'
- 'Invoke-Nightmare'
- 'Invoke-NinjaCopy'
- 'Invoke-OfficeScrape'
- 'Invoke-OxidResolver'
- 'Invoke-P0wnedshell'
- 'Invoke-Paranoia'
- 'Invoke-PortScan'
- 'Invoke-PoshRatHttp'
- 'Invoke-PostExfil'
- 'Invoke-PowerDump'
- 'Invoke-PowerShellTCP'
- 'Invoke-PowerShellWMI'
- 'Invoke-PPLDump'
- 'Invoke-PsExec'
- 'Invoke-PSInject'
- 'Invoke-PsUaCme'
- 'Invoke-ReflectivePEInjection'
- 'Invoke-ReverseDNSLookup'
- 'Invoke-Rubeus'
- 'Invoke-SCShell'
- 'Invoke-RunAs'
- 'Invoke-SafetyKatz'
- 'Invoke-SauronEye'
- 'Invoke-SCShell'
- 'Invoke-Seatbelt'
- 'Invoke-ServiceAbuse'
- 'Invoke-ShadowSpray'
- 'Invoke-SharPersist'
- 'Invoke-SharpAllowedToAct'
- 'Invoke-SharpBlock'
- 'Invoke-SharpBypassUAC'
@@ -160,58 +156,80 @@ detection:
- 'Invoke-SharpCloud'
- 'Invoke-SharpDPAPI'
- 'Invoke-SharpDump'
- 'Invoke-SharpGPO-RemoteAccessPolicies'
- 'Invoke-SharPersist'
- 'Invoke-SharpGPOAbuse'
- 'Invoke-SharpGPO-RemoteAccessPolicies'
- 'Invoke-SharpHandler'
- 'Invoke-SharpHide'
- 'Invoke-Sharphound' # cover Invoke-SharpHound2, Invoke-SharpHound3,.
- 'Invoke-SharpImpersonation'
- 'Invoke-SharpImpersonationNoSpace'
- 'Invoke-SharpKatz'
- 'Invoke-SharpLdapRelayScan'
- 'Invoke-Sharplocker'
- 'Invoke-SharpLoginPrompt'
- 'Invoke-SharpMove'
- 'Invoke-SharpPrintNightmare'
- 'Invoke-SharpPrinter'
- 'Invoke-SharpPrintNightmare'
- 'Invoke-SharpRDP'
- 'Invoke-SharpSCCM'
- 'Invoke-SharpSSDP'
- 'Invoke-SharpSecDump'
- 'Invoke-Sharpshares'
- 'Invoke-SharpSniper'
- 'Invoke-SharpSploit'
- 'Invoke-SharpSpray'
- 'Invoke-SharpSSDP'
- 'Invoke-SharpStay'
- 'Invoke-SharpUp'
- 'Invoke-SharpWSUS'
- 'Invoke-SharpWatson'
- 'Invoke-Sharphound' # cover Invoke-SharpHound2, Invoke-SharpHound3,.
- 'Invoke-Sharplocker'
- 'Invoke-Sharpshares'
- 'Invoke-Sharpview'
- 'Invoke-SharpWatson'
- 'Invoke-Sharpweb'
- 'Invoke-SharpWSUS'
- 'Invoke-Shellcode'
- 'Invoke-SMBScanner'
- 'Invoke-Snaffler'
- 'Invoke-Spoolsample'
- 'Invoke-SpraySinglePassword'
- 'Invoke-SSHCommand'
- 'Invoke-StandIn'
- 'Invoke-StickyNotesExtract'
- 'Invoke-TotalExec'
- 'Invoke-Tater'
- 'Invoke-Thunderfox'
- 'Invoke-ThunderStruck'
- 'Invoke-TokenManipulation'
- 'Invoke-Tokenvator'
- 'Invoke-TotalExec'
- 'Invoke-UrbanBishop'
- 'Invoke-UserHunter'
- 'Invoke-VoiceTroll'
- 'Invoke-Whisker'
- 'Invoke-WireTap'
- 'Invoke-WinEnum'
- 'Invoke-winPEAS'
- 'Invoke-WireTap'
- 'Invoke-WmiCommand'
- 'Invoke-WScriptBypassUAC'
- 'Invoke-Zerologon'
- 'Get-USBKeystrokes'
- 'MailRaider'
- 'New-HoneyHash'
- 'Out-Minidump'
- 'Port-Scan'
- 'PowerBreach'
- 'PowerUp'
- 'PowerView'
- 'Remove-Update'
- 'Set-MacAttribute'
- 'Set-Wallpaper'
- 'Show-TargetScreen'
- 'Start-CaptureServer'
- 'Start-WebcamRecorder'
- 'Invoke-OfficeScrape'
- 'Invoke-DomainPasswordSpray'
- 'Invoke-SpraySinglePassword'
false_positive1:
- 'VolumeShadowCopyTools'
filter_1:
ScriptBlockText|contains:
- Get-SystemDriveInfo # http://bheltborg.dk/Windows/WinSxS/amd64_microsoft-windows-maintenancediagnostic_31bf3856ad364e35_10.0.10240.16384_none_91ef7543a4514b5e/CL_Utility.ps1
- C:\ProgramData\Amazon\EC2-Windows\Launch\Module\ # false positive form Amazon EC2
false_positive2:
filter_2:
ScriptBlockText|startswith: '# Copyright 2016 Amazon.com, Inc. or its affiliates. All Rights Reserved'
condition: select_Malicious and not 1 of false_positive*
condition: selection and not 1 of filter_*
falsepositives:
- Unknown
level: high
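Review bot: `filter_2` suppresses the whole rule for any script block whose text starts with the Amazon copyright line, and the `C:\ProgramData\Amazon\EC2-Windows\Launch\Module\` entry of `filter_1` is likewise a pure content match; the commit renames both filters and rewires `condition` to `1 of filter_*` but leaves them keyed on text that is part of the script itself, so the exclusion is cheap to satisfy and hides every indicator in `selection` at once. Where the 4104 telemetry populates the script `Path` field, scoping these filters on that path (and only secondarily on the header text) keeps the exclusion tied to the Amazon module location rather than to a comment line; failing that, a `# NOTE: content-only exclusion — review against Path before relying on it` comment above `filter_1` would at least flag the weakness. Separately, the comment on the `Invoke-Sharphound` entry reads `# cover Invoke-SharpHound2, Invoke-SharpHound3,.`; `# covers Invoke-SharpHound2/3/4 (Sigma string matching is case-insensitive)` fixes the typo and explains why the lower-case spelling is sufficient.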
@@ -6,7 +6,7 @@ references:
- https://github.com/samratashok/nishang
author: Alec Costello
date: 2019/05/16
modified: 2022/08/29
modified: 2023/01/02
tags:
- attack.execution
- attack.t1059.001
@@ -17,77 +17,77 @@ logsource:
detection:
selection:
ScriptBlockText|contains:
- Add-ConstrainedDelegationBackdoor
- Set-DCShadowPermissions
- DNS_TXT_Pwnage
- Execute-OnTime
- HTTP-Backdoor
- Set-RemotePSRemoting
- Set-RemoteWMI
- Invoke-AmsiBypass
- Out-CHM
- Out-HTA
- Out-SCF
- Out-SCT
- Out-Shortcut
- Out-WebQuery
- Out-Word
- Enable-Duplication
- Remove-Update
- Download-Execute-PS
- Download_Execute
- Execute-Command-MSSQL
- Execute-DNSTXT-Code
- Out-RundllCommand
- Copy-VSS
- FireBuster
- FireListener
- Get-Information
- Get-PassHints
- Get-WLAN-Keys
- Get-Web-Credentials
- Invoke-CredentialsPhish
- Invoke-MimikatzWDigestDowngrade
- Invoke-SSIDExfil
- Invoke-SessionGopher
- Keylogger
- Invoke-Interceptor
- Create-MultipleSessions
- Invoke-NetworkRelay
- Run-EXEonRemote
- Invoke-Prasadhak
- Invoke-BruteForce
- Password-List
- Invoke-JSRatRegsvr
- Invoke-JSRatRundll
- Invoke-PoshRatHttps
- Invoke-PowerShellIcmp
- Invoke-PowerShellUdp
- Invoke-PSGcat
- Invoke-PsGcatAgent
- Remove-PoshRat
- Add-Persistence
- ExetoText
- Invoke-Decode
- Invoke-Encode
- Parse_Keys
- Remove-Persistence
- StringtoBase64
- TexttoExe
- Powerpreter
- Nishang
- DataToEncode
- LoggedKeys
- OUT-DNSTXT
# - Jitter # Prone to FPs
- ExfilOption
- DumpCerts
- DumpCreds
- Shellcode32
- Shellcode64
- NotAllNameSpaces
- exfill
- FakeDC
- 'Add-ConstrainedDelegationBackdoor'
- 'Add-Persistence'
- 'Copy-VSS'
- 'Create-MultipleSessions'
- 'DataToEncode'
- 'DNS_TXT_Pwnage'
- 'Download_Execute'
- 'Download-Execute-PS'
- 'DumpCerts'
- 'DumpCreds'
- 'Enable-Duplication'
- 'Execute-Command-MSSQL'
- 'Execute-DNSTXT-Code'
- 'Execute-OnTime'
- 'ExetoText'
- 'exfill'
- 'ExfilOption'
- 'FakeDC'
- 'FireBuster'
- 'FireListener'
- 'Get-Information'
- 'Get-PassHints'
- 'Get-Web-Credentials'
- 'Get-WLAN-Keys'
- 'HTTP-Backdoor'
- 'Invoke-AmsiBypass'
- 'Invoke-BruteForce'
- 'Invoke-CredentialsPhish'
- 'Invoke-Decode'
- 'Invoke-Encode'
- 'Invoke-Interceptor'
- 'Invoke-JSRatRegsvr'
- 'Invoke-JSRatRundll'
- 'Invoke-MimikatzWDigestDowngrade'
- 'Invoke-NetworkRelay'
- 'Invoke-PoshRatHttps'
- 'Invoke-PowerShellIcmp'
- 'Invoke-PowerShellUdp'
- 'Invoke-Prasadhak'
- 'Invoke-PSGcat'
- 'Invoke-PsGcatAgent'
- 'Invoke-SessionGopher'
- 'Invoke-SSIDExfil'
#- Jitter # Prone to FPs
- 'Keylogger'
- 'LoggedKeys'
- 'Nishang'
- 'NotAllNameSpaces'
- 'Out-CHM'
- 'OUT-DNSTXT'
- 'Out-HTA'
- 'Out-RundllCommand'
- 'Out-SCF'
- 'Out-SCT'
- 'Out-Shortcut'
- 'Out-WebQuery'
- 'Out-Word'
- 'Parse_Keys'
- 'Password-List'
- 'Powerpreter'
- 'Remove-Persistence'
- 'Remove-PoshRat'
- 'Remove-Update'
- 'Run-EXEonRemote'
- 'Set-DCShadowPermissions'
- 'Set-RemotePSRemoting'
- 'Set-RemoteWMI'
- 'Shellcode32'
- 'Shellcode64'
- 'StringtoBase64'
- 'TexttoExe'
condition: selection
falsepositives:
- Unknown
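Review bot: The disabled entry is now written `#- Jitter # Prone to FPs`, whereas the previous text had `# - Jitter`; yamllint's `comments` rule expects a space after `#`, and the new form also skips the quoting that every other entry in this hunk just gained, so `# - 'Jitter' # Prone to FPs` keeps the disabled line consistent with its neighbours. The same `#-` form is introduced in the Shellntel hunk (`#- 'Out-Minidump'`) and in the suspicious-PowerShell hunk (`#- 'Invoke-WMIMethod'`, `#- 'http://127.0.0.1'`). If those entries are not expected to come back, deleting them outright is cleaner than carrying dead list items behind a comment marker.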
@@ -9,7 +9,7 @@ references:
- https://adsecurity.org/?p=2277
author: Bhabesh Raj
date: 2021/05/18
modified: 2022/12/25
modified: 2023/01/02
tags:
- attack.execution
- attack.t1059.001
@@ -20,128 +20,85 @@ logsource:
detection:
selection:
ScriptBlockText|contains:
- Export-PowerViewCSV
- Get-IPAddress
- Resolve-IPAddress
- Convert-NameToSid
- ConvertTo-SID
- Convert-ADName
- ConvertFrom-UACValue
- Add-RemoteConnection
- Remove-RemoteConnection
- Invoke-UserImpersonation
- Invoke-RevertToSelf
- Request-SPNTicket
- Get-DomainSPNTicket
- Invoke-Kerberoast
- Get-PathAcl
- Get-DNSZone
- Get-DomainDNSZone
- Get-DNSRecord
- Get-DomainDNSRecord
- Get-NetDomain
- Get-Domain
- Get-NetDomainController
- Get-DomainController
- Get-NetForest
- Get-Forest
- Get-NetForestDomain
- Get-ForestDomain
- Get-NetForestCatalog
- Get-ForestGlobalCatalog
- Find-DomainObjectPropertyOutlier
- Get-NetUser
- Get-DomainUser
- New-DomainUser
- Set-DomainUserPassword
- Get-UserEvent
- Get-DomainUserEvent
- Get-NetComputer
- Get-DomainComputer
- Get-ADObject
- Get-DomainObject
- Set-ADObject
- Set-DomainObject
- Get-ObjectAcl
- Get-DomainObjectAcl
- Add-ObjectAcl
- Add-DomainObjectAcl
- Invoke-ACLScanner
- Find-InterestingDomainAcl
- Get-NetOU
- Get-DomainOU
- Get-NetSite
- Get-DomainSite
- Get-NetSubnet
- Get-DomainSubnet
- Get-DomainSID
- Get-NetGroup
- Get-DomainGroup
- New-DomainGroup
- Find-ManagedSecurityGroups
- Get-DomainManagedSecurityGroup
- Get-NetGroupMember
- Get-DomainGroupMember
- Add-DomainGroupMember
- Get-NetFileServer
- Get-DomainFileServer
- Get-DFSshare
- Get-DomainDFSShare
- Get-NetGPO
- Get-DomainGPO
- Get-NetGPOGroup
- Get-DomainGPOLocalGroup
- Find-GPOLocation
- Get-DomainGPOUserLocalGroupMapping
- Find-GPOComputerAdmin
- Get-DomainGPOComputerLocalGroupMapping
- Get-DomainPolicy
- Get-NetLocalGroup
- Get-NetLocalGroupMember
- Get-NetShare
- Get-NetLoggedon
- Get-NetSession
- Get-LoggedOnLocal
- Get-RegLoggedOn
- Get-NetRDPSession
- Invoke-CheckLocalAdminAccess
- Test-AdminAccess
- Get-SiteName
- Get-NetComputerSiteName
- Get-Proxy
- Get-WMIRegProxy
- Get-LastLoggedOn
- Get-WMIRegLastLoggedOn
- Get-CachedRDPConnection
- Get-WMIRegCachedRDPConnection
- Get-RegistryMountedDrive
- Get-WMIRegMountedDrive
- Get-NetProcess
- Get-WMIProcess
- Find-InterestingFile
- Invoke-UserHunter
- Find-DomainUserLocation
- Invoke-ProcessHunter
- Find-DomainProcess
- Invoke-EventHunter
- Find-DomainUserEvent
- Invoke-ShareFinder
- Find-DomainShare
- Invoke-FileFinder
- Find-InterestingDomainShareFile
- Find-LocalAdminAccess
- Invoke-EnumerateLocalAdmin
- Find-DomainLocalGroupMember
- Get-NetDomainTrust
- Get-DomainTrust
- Get-NetForestTrust
- Get-ForestTrust
- Find-ForeignUser
- Get-DomainForeignUser
- Find-ForeignGroup
- Get-DomainForeignGroupMember
- Invoke-MapDomainTrust
- Get-DomainTrustMapping
- 'Add-DomainGroupMember'
- 'Add-DomainObjectAcl'
- 'Add-ObjectAcl'
- 'Add-RemoteConnection'
- 'Convert-ADName'
- 'ConvertFrom-UACValue'
- 'Convert-NameToSid'
- 'ConvertTo-SID'
- 'Export-PowerViewCSV'
- 'Find-DomainLocalGroupMember'
- 'Find-DomainObjectPropertyOutlier'
- 'Find-DomainProcess'
- 'Find-DomainShare'
- 'Find-DomainUserEvent'
- 'Find-DomainUserLocation'
- 'Find-ForeignGroup'
- 'Find-ForeignUser'
- 'Find-GPOComputerAdmin'
- 'Find-GPOLocation'
- 'Find-InterestingDomain' # Covers: Find-InterestingDomainAcl, Find-InterestingDomainShareFile
- 'Find-InterestingFile'
- 'Find-LocalAdminAccess'
- 'Find-ManagedSecurityGroups'
- 'Get-ADObject'
- 'Get-CachedRDPConnection'
- 'Get-DFSshare'
- 'Get-DNSRecord'
- 'Get-DNSZone'
- 'Get-Domain' # Covers Cmdlets like: DomainComputer, DomainController, DomainDFSShare, DomainDNSRecord, DomainGPO...etc.
- 'Get-Forest' # Covers: Get-ForestDomain, Get-ForestGlobalCatalog, Get-ForestTrust
- 'Get-IPAddress'
- 'Get-LastLoggedOn'
- 'Get-LoggedOnLocal'
- 'Get-NetComputer' # Covers: Get-NetComputerSiteName
- 'Get-NetDomain' # Covers: Get-NetDomainController, Get-NetDomainTrust
- 'Get-NetFileServer'
- 'Get-NetForest' # Covers: Get-NetForestCatalog, Get-NetForestDomain, Get-NetForestTrust
- 'Get-NetGPO' # Covers: Get-NetGPOGroup
- 'Get-NetGroup' # Covers: Get-NetGroupMember
- 'Get-NetLocalGroup' # Covers: NetLocalGroupMember
- 'Get-NetLoggedon'
- 'Get-NetOU'
- 'Get-NetProcess'
- 'Get-NetRDPSession'
- 'Get-NetSession'
- 'Get-NetShare'
- 'Get-NetSite'
- 'Get-NetSubnet'
- 'Get-NetUser'
- 'Get-ObjectAcl'
- 'Get-PathAcl'
- 'Get-Proxy'
- 'Get-RegistryMountedDrive'
- 'Get-RegLoggedOn'
- 'Get-SiteName'
- 'Get-UserEvent'
- 'Get-WMIProcess'
- 'Get-WMIReg' # Covers: Get-WMIRegCachedRDPConnection, Get-WMIRegLastLoggedOn, Get-WMIRegMountedDrive, WMIRegProxy
- 'Invoke-ACLScanner'
- 'Invoke-CheckLocalAdminAccess'
- 'Invoke-EnumerateLocalAdmin'
- 'Invoke-EventHunter'
- 'Invoke-FileFinder'
- 'Invoke-Kerberoast'
- 'Invoke-MapDomainTrust'
- 'Invoke-ProcessHunter'
- 'Invoke-RevertToSelf'
- 'Invoke-ShareFinder'
- 'Invoke-UserHunter'
- 'Invoke-UserImpersonation'
- 'New-DomainGroup'
- 'New-DomainUser'
- 'Remove-RemoteConnection'
- 'Request-SPNTicket'
- 'Resolve-IPAddress'
- 'Set-ADObject'
- 'Set-DomainObject'
- 'Set-DomainUserPassword'
- 'Test-AdminAccess'
condition: selection
falsepositives:
- Should not be any as administrators do not use this tool
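Review bot: Collapsing specific cmdlets into prefixes (`Get-Domain`, `Get-Forest`, `Get-NetComputer`, `Get-NetDomain`, `Get-WMIReg`, `Find-InterestingDomain`) widens the match well beyond PowerView's own function names, yet the context line `- Should not be any as administrators do not use this tool` under `falsepositives` is left as is; any in-house script that merely contains `Get-Domain` now trips the rule, so that entry should say that the prefix entries can match unrelated scripts and may need tuning. Also, `Invoke-ACLScanner`, `Invoke-UserHunter` and `Find-GPOLocation` stay in this list while the same commit comments `Out-Minidump` out of the Shellntel rule as `# Covered in 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6`; all three are present in that rule's new list, so the de-duplication policy is applied inconsistently and these three will alert twice. Either drop them here with the same `# Covered in …` comment or keep the overlap everywhere, but record the choice next to `condition:`.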
@@ -9,6 +9,7 @@ references:
- https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/new-pssession?view=powershell-7.2
author: frack113
date: 2022/01/06
modified: 2023/01/02
tags:
- attack.execution
- attack.t1059.001
@@ -19,7 +20,7 @@ logsource:
detection:
selection:
ScriptBlockText|contains|all:
- New-PSSession
- 'New-PSSession'
- '-ComputerName '
condition: selection
falsepositives:
@@ -6,7 +6,7 @@ references:
- https://github.com/Shellntel/scripts/
author: Max Altgelt, Tobias Michalski
date: 2021/08/09
modified: 2022/12/25
modified: 2023/01/02
tags:
- attack.execution
- attack.t1059.001
@@ -17,10 +17,10 @@ logsource:
detection:
selection:
ScriptBlockText|contains:
- Invoke-SMBAutoBrute
- Invoke-GPOLinks
- Out-Minidump
- Invoke-Potato
- 'Invoke-SMBAutoBrute'
- 'Invoke-GPOLinks'
#- 'Out-Minidump' # Covered in 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
- 'Invoke-Potato'
condition: selection
falsepositives:
- Unknown
@@ -8,6 +8,7 @@ references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1071.001/T1071.001.md#t1071001---web-protocols
author: frack113
date: 2022/01/23
modified: 2023/01/02
tags:
- attack.command_and_control
- attack.t1071.001
@@ -18,7 +19,7 @@ logsource:
detection:
selection:
ScriptBlockText|contains|all:
- Invoke-WebRequest
- 'Invoke-WebRequest'
- '-UserAgent '
condition: selection
falsepositives:
@@ -9,7 +9,7 @@ references:
- https://gist.github.com/MHaggis/0dbe00ad401daa7137c81c99c268cfb7
author: Florian Roth, Perez Diego (@darkquassar)
date: 2019/02/11
modified: 2022/12/25
modified: 2023/01/02
tags:
- attack.execution
- attack.t1059.001
@@ -29,8 +29,8 @@ detection:
- 'SuspendThread'
- 'rundll32'
# - 'FromBase64'
- 'Invoke-WMIMethod'
- 'http://127.0.0.1'
#- 'Invoke-WMIMethod' # Prone to FP
#- 'http://127.0.0.1' # Prone to FP
condition: selection
falsepositives:
- Unknown
@@ -8,6 +8,7 @@ references:
- https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-webrequest?view=powershell-7.2
author: frack113
date: 2022/01/07
modified: 2023/01/02
tags:
- attack.exfiltration
- attack.t1020
@@ -20,11 +21,12 @@ detection:
ScriptBlockText|contains:
- 'Invoke-WebRequest'
- 'iwr '
selection_method:
selection_flag:
ScriptBlockText|contains: '-Method '
selection_verb:
- ' Put '
- ' Post '
ScriptBlockText|contains:
- ' Put '
- ' Post '
condition: all of selection_*
falsepositives:
- Legitimate script
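Review bot: `selection_flag` and `selection_verb` remain independent `contains` tests, so `all of selection_*` fires whenever a script block mentions `Invoke-WebRequest`, has `-Method ` somewhere and has the word ` Post ` or ` Put ` anywhere else — a `-Method Get` call with a comment reading "post the results" matches. Since the intent is the HTTP verb passed to `-Method`, folding the two into one selection, `selection_method:` with `ScriptBlockText|contains:` and the entries `- '-Method Post'` and `- '-Method Put'`, keeps the match on the argument itself; Sigma string matching is case-insensitive, so the verb's casing is not a concern. The `falsepositives: - Legitimate script` line would then describe the residual noise more accurately.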
@@ -9,6 +9,7 @@ references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-8---powershell-xml-requests
author: frack113
date: 2022/01/19
modified: 2023/01/02
tags:
- attack.execution
- attack.t1059.001
@@ -19,12 +20,13 @@ logsource:
detection:
selection_xml:
ScriptBlockText|contains|all:
- New-Object
- System.Xml.XmlDocument
- .Load
- 'New-Object'
- 'System.Xml.XmlDocument'
- '.Load'
selection_exec:
- IEX
- Invoke-Expression
ScriptBlockText|contains:
- 'IEX '
- 'Invoke-Expression '
condition: all of selection_*
falsepositives:
- Legitimate administrative script
@@ -0,0 +1,223 @@
title: Malicious PowerShell Commandlets - ProcessCreation
id: 02030f2f-6199-49ec-b258-ea71b07e03dc
related:
- id: 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
type: derived
status: experimental
description: Detects Commandlet names from well-known PowerShell exploitation frameworks
references:
- https://adsecurity.org/?p=2921
- https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries
- https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1
- https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1
- https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1
- https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1
- https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/ # Invoke-TotalExec
- https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/ # Invoke-TotalExec
- https://github.com/calebstewart/CVE-2021-1675 # Invoke-Nightmare
- https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1
- https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html
author: Nasreddine Bencherchali
modified: 2023/01/02
tags:
- attack.execution
- attack.discovery
- attack.t1482
- attack.t1087
- attack.t1087.001
- attack.t1087.002
- attack.t1069.001
- attack.t1069.002
- attack.t1069
- attack.t1059.001
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains:
- 'Add-Exfiltration'
- 'Add-Persistence'
- 'Add-RegBackdoor'
- 'Add-ScrnSaveBackdoor'
- 'Check-VM'
- 'Do-Exfiltration'
- 'Enabled-DuplicateToken'
- 'Exploit-Jboss'
- 'Find-Fruit'
- 'Find-GPOLocation'
- 'Find-TrustedDocuments'
- 'Get-ApplicationHost'
- 'Get-ChromeDump'
- 'Get-ClipboardContents'
- 'Get-FoxDump'
- 'Get-GPPPassword'
- 'Get-IndexedItem'
- 'Get-Keystrokes'
- 'Get-LSASecret'
- 'Get-PassHashes'
- 'Get-RegAlwaysInstallElevated'
- 'Get-RegAutoLogon'
- 'Get-RickAstley'
- 'Get-Screenshot'
- 'Get-SecurityPackages'
- 'Get-ServiceFilePermission'
- 'Get-ServicePermission'
- 'Get-ServiceUnquoted'
- 'Get-SiteListPassword'
- 'Get-System'
- 'Get-TimedScreenshot'
- 'Get-UnattendedInstallFile'
- 'Get-Unconstrained'
- 'Get-USBKeystrokes'
- 'Get-VaultCredential'
- 'Get-VulnAutoRun'
- 'Get-VulnSchTask'
- 'Gupt-Backdoor'
- 'HTTP-Login'
- 'Install-ServiceBinary'
- 'Install-SSP'
- 'Invoke-ACLScanner'
- 'Invoke-ADSBackdoor'
- 'Invoke-AllChecks'
- 'Invoke-ARPScan'
- 'Invoke-AzureHound'
- 'Invoke-BackdoorLNK'
- 'Invoke-BadPotato'
- 'Invoke-BetterSafetyKatz'
- 'Invoke-BypassUAC'
- 'Invoke-Carbuncle'
- 'Invoke-Certify'
- 'Invoke-ConPtyShell'
- 'Invoke-CredentialInjection'
- 'Invoke-DAFT'
- 'Invoke-DCSync'
- 'Invoke-DinvokeKatz'
- 'Invoke-DllInjection'
- 'Invoke-DomainPasswordSpray'
- 'Invoke-DowngradeAccount'
- 'Invoke-EgressCheck'
- 'Invoke-Eyewitness'
- 'Invoke-FakeLogonScreen'
- 'Invoke-Farmer'
- 'Invoke-Get-RBCD-Threaded'
- 'Invoke-Gopher'
- 'Invoke-Grouper' # cover Invoke-GrouperX
- 'Invoke-HandleKatz'
- 'Invoke-Internalmonologue'
- 'Invoke-Inveigh'
- 'Invoke-InveighRelay'
- 'Invoke-KrbRelay'
- 'Invoke-LdapSignCheck'
- 'Invoke-Lockless'
- 'Invoke-MalSCCM'
- 'Invoke-Mimikatz'
- 'Invoke-Mimikittenz'
- 'Invoke-MITM6'
- 'Invoke-NanoDump'
- 'Invoke-NetRipper'
- 'Invoke-Nightmare'
- 'Invoke-NinjaCopy'
- 'Invoke-OfficeScrape'
- 'Invoke-OxidResolver'
- 'Invoke-P0wnedshell'
- 'Invoke-Paranoia'
- 'Invoke-PortScan'
- 'Invoke-PoshRatHttp'
- 'Invoke-PostExfil'
- 'Invoke-PowerDump'
- 'Invoke-PowerShellTCP'
- 'Invoke-PowerShellWMI'
- 'Invoke-PPLDump'
- 'Invoke-PsExec'
- 'Invoke-PSInject'
- 'Invoke-PsUaCme'
- 'Invoke-ReflectivePEInjection'
- 'Invoke-ReverseDNSLookup'
- 'Invoke-Rubeus'
- 'Invoke-RunAs'
- 'Invoke-SafetyKatz'
- 'Invoke-SauronEye'
- 'Invoke-SCShell'
- 'Invoke-Seatbelt'
- 'Invoke-ServiceAbuse'
- 'Invoke-ShadowSpray'
- 'Invoke-SharpAllowedToAct'
- 'Invoke-SharpBlock'
- 'Invoke-SharpBypassUAC'
- 'Invoke-SharpChromium'
- 'Invoke-SharpClipboard'
- 'Invoke-SharpCloud'
- 'Invoke-SharpDPAPI'
- 'Invoke-SharpDump'
- 'Invoke-SharPersist'
- 'Invoke-SharpGPOAbuse'
- 'Invoke-SharpGPO-RemoteAccessPolicies'
- 'Invoke-SharpHandler'
- 'Invoke-SharpHide'
- 'Invoke-Sharphound' # cover Invoke-SharpHound2, Invoke-SharpHound3,.
- 'Invoke-SharpImpersonation'
- 'Invoke-SharpImpersonationNoSpace'
- 'Invoke-SharpKatz'
- 'Invoke-SharpLdapRelayScan'
- 'Invoke-Sharplocker'
- 'Invoke-SharpLoginPrompt'
- 'Invoke-SharpMove'
- 'Invoke-SharpPrinter'
- 'Invoke-SharpPrintNightmare'
- 'Invoke-SharpRDP'
- 'Invoke-SharpSCCM'
- 'Invoke-SharpSecDump'
- 'Invoke-Sharpshares'
- 'Invoke-SharpSniper'
- 'Invoke-SharpSploit'
- 'Invoke-SharpSpray'
- 'Invoke-SharpSSDP'
- 'Invoke-SharpStay'
- 'Invoke-SharpUp'
- 'Invoke-Sharpview'
- 'Invoke-SharpWatson'
- 'Invoke-Sharpweb'
- 'Invoke-SharpWSUS'
- 'Invoke-Shellcode'
- 'Invoke-SMBScanner'
- 'Invoke-Snaffler'
- 'Invoke-Spoolsample'
- 'Invoke-SpraySinglePassword'
- 'Invoke-SSHCommand'
- 'Invoke-StandIn'
- 'Invoke-StickyNotesExtract'
- 'Invoke-Tater'
- 'Invoke-Thunderfox'
- 'Invoke-ThunderStruck'
- 'Invoke-TokenManipulation'
- 'Invoke-Tokenvator'
- 'Invoke-TotalExec'
- 'Invoke-UrbanBishop'
- 'Invoke-UserHunter'
- 'Invoke-VoiceTroll'
- 'Invoke-Whisker'
- 'Invoke-WinEnum'
- 'Invoke-winPEAS'
- 'Invoke-WireTap'
- 'Invoke-WmiCommand'
- 'Invoke-WScriptBypassUAC'
- 'Invoke-Zerologon'
- 'MailRaider'
- 'New-HoneyHash'
- 'Out-Minidump'
- 'Port-Scan'
- 'PowerBreach'
- 'PowerUp'
- 'PowerView'
- 'Remove-Update'
- 'Set-MacAttribute'
- 'Set-Wallpaper'
- 'Show-TargetScreen'
- 'Start-CaptureServer'
- 'Start-WebcamRecorder'
- 'VolumeShadowCopyTools'
condition: selection
falsepositives:
- Unknown
level: high
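Review bot: The new rule carries `modified: 2023/01/02` but no `date:` field, unlike the other rules added in this commit (Perl/PHP/Python/Ruby), and the Sigma schema checks expect `date` on every rule — add `date: 2023/01/02` and drop `modified` for a first version. Several entries are generic substrings in a case-insensitive `CommandLine|contains` at `level: high`: `'Get-System'` also matches the built-in `Get-SystemDriver` (ConfigCI module), and `'PowerUp'`, `'PowerView'`, `'Port-Scan'`, `'Remove-Update'`, `'Set-Wallpaper'`, `'Check-VM'` are names administrators plausibly give their own functions. Either move those to a medium-level sibling or at least document them under `falsepositives:` instead of `Unknown`. The AzureHound and CVE-2021-1675 references hint that this rule absorbs previously separate rules; if so, list them under `related:` with `type: obsoletes` so the deprecation is traceable.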
@@ -1,13 +1,14 @@
title: Ncat Execution
title: Netcat Suspicious Execution
id: e31033fc-33f0-4020-9a16-faf9b31cbf08
status: experimental
description: Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network
description: Detects execution of Netcat. Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network
references:
- https://nmap.org/ncat/
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1095/T1095.md
- https://www.revshells.com/
author: frack113, Florian Roth
date: 2021/07/21
modified: 2022/07/11
modified: 2023/01/02
tags:
- attack.command_and_control
- attack.t1095
@@ -18,6 +19,7 @@ detection:
selection_img:
# can not use OriginalFileName as is empty
Image|endswith:
- '\nc.exe'
- '\ncat.exe'
- '\netcat.exe'
selection_cmdline:
@@ -28,8 +30,11 @@ detection:
- ' -l -v -p '
- ' -lv -p '
- ' -l --proxy-type http '
- ' --exec cmd.exe '
#- ' --exec cmd.exe ' # Not specific enough for netcat
- ' -vnl --exec '
- ' -vnl -e '
- ' --lua-exec '
- ' --sh-exec '
condition: 1 of selection_*
falsepositives:
- Legitimate ncat use
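Review bot: The new `' --lua-exec '` and `' --sh-exec '` strings require a trailing space, but ncat is getopt_long-based and also accepts `--sh-exec=cmd`, and the short forms `-c`/`-e` are only covered inside the `-vnl -e` combination, so a renamed binary run as `x.exe -lvp 4444 -c cmd.exe` slips past. Dropping the trailing space (`' --sh-exec'`, `' --lua-exec'`) is safe for these long options and catches the `=` form; the bare `-e`/`-c` switches are too generic for a substring match and are better left to `selection_img`. The `selection_cmdline` list begins outside the hunk.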
@@ -1,13 +1,13 @@
title: Suspicious Nmap Execution
title: Nmap/Zenmap Execution
id: f6ecd1cf-19b8-4488-97f6-00f0924991a3
status: test
description: Adversaries may attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation
description: Detects usage of namp/zenmap. Adversaries may attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation
references:
- https://nmap.org/
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md#atomic-test-3---port-scan-nmap-for-windows
author: frack113
date: 2021/12/10
modified: 2022/12/25
modified: 2022/12/30
tags:
- attack.discovery
- attack.t1046
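Review bot: The new description misspells the tool as `namp/zenmap`; suggest `description: Detects usage of nmap/zenmap. Adversaries may attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation`. Since the title now drops "Suspicious" and the rule fires on any nmap/zenmap start, a second `falsepositives` entry such as `- Vulnerability scanning and asset inventory tooling` would reflect the broadened scope.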
@@ -16,7 +16,12 @@ logsource:
product: windows
detection:
selection:
OriginalFileName: nmap.exe
- Image|endswith:
- '\nmap.exe'
- '\zennmap.exe'
- OriginalFileName:
- 'nmap.exe'
- 'zennmap.exe'
condition: selection
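Review bot: `'\zennmap.exe'` and `'zennmap.exe'` are misspelled — the Zenmap GUI binary is `zenmap.exe` (one `n`), so the newly added Zenmap coverage can never fire. Change both entries to `- '\zenmap.exe'` and `- 'zenmap.exe'`. Zenmap on Windows is a Python/GTK launcher, so its `OriginalFileName` version resource may be missing or differ — TODO confirm against a sample; if it is absent, only the `Image` branch will do the work.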
falsepositives:
- Network administrator computer
@@ -0,0 +1,25 @@
title: Perl Inline Command Execution Using "-e"
id: f426547a-e0f7-441a-b63e-854ac5bdf54d
status: experimental
description: Detects execution of perl using the "-e"/"-E" flags. This is could be used as a way to launch a reverse shell or execute live perl code.
references:
- https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
- https://www.revshells.com/
author: Nasreddine Bencherchali
date: 2023/01/02
tags:
- attack.execution
- attack.t1059
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\perl.exe'
- OriginalFileName: 'perl.exe' # Also covers perlX.XX.exe
selection_cli:
CommandLine|contains: ' -e'
condition: all of selection_*
falsepositives:
- Unknown
level: medium
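Review bot: `CommandLine|contains: ' -e'` only catches a standalone `-e`/`-E` switch, but perl one-liners routinely bundle it with other switches (`perl -pe`, `-ne`, `-le`), so a payload run as `perl -ne '...'` is missed while `-MIO -e` is caught. If bundled switches are in scope, add `' -pe'`, `' -ne'`, `' -le'` to the list (or use a regex such as ` -[a-zA-Z]*e` where the backend supports it); otherwise state the limitation in the description. The same substring matches any script argument starting with `-e` (e.g. `-env`), so `falsepositives: Unknown` is optimistic — `level: medium` seems right.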
@@ -0,0 +1,26 @@
title: Php Inline Command Execution Using "-r"
id: d81871ef-5738-47ab-9797-7a9c90cd4bfb
status: experimental
description: Detects execution of php using the "-r" flag. This is could be used as a way to launch a reverse shell or execute live php code.
references:
- https://www.php.net/manual/en/features.commandline.php
- https://www.revshells.com/
- https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
author: Nasreddine Bencherchali
date: 2023/01/02
tags:
- attack.execution
- attack.t1059
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\php.exe'
- OriginalFileName: 'php.exe'
selection_cli:
CommandLine|contains: ' -r'
condition: all of selection_*
falsepositives:
- Unknown
level: medium
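Review bot: `selection_img` misses `php-win.exe`, the console-less CLI shipped in the Windows PHP builds that accepts the same `-r` switch and is the more attractive choice for a hidden reverse shell — add `- '\php-win.exe'` (and `php-win.exe` under `OriginalFileName`, if its version resource carries that name; TODO confirm). `' -r'` without a trailing space also matches any argument beginning with `-r` that is intended for the PHP script rather than for php itself, which is worth recording under `falsepositives:` instead of `Unknown`.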
@@ -0,0 +1,29 @@
title: Python Inline Command Execution Using "-c"
id: 899133d5-4d7c-4a7f-94ee-27355c879d90
status: experimental
description: Detects execution of python using the "-c" flag. This is could be used as a way to launch a reverse shell or execute live python code.
references:
- https://docs.python.org/3/using/cmdline.html#cmdoption-c
- https://www.revshells.com/
- https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
author: Nasreddine Bencherchali
date: 2023/01/02
tags:
- attack.execution
- attack.t1059
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith:
- 'python.exe' # no \ bc of e.g. ipython.exe
- 'python3.exe'
- 'python2.exe'
- OriginalFileName : 'python.exe'
selection_cli:
CommandLine|contains: ' -c'
condition: all of selection_*
falsepositives:
- Unknown
level: medium
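Review bot: The image list omits `pythonw.exe`, the windowless interpreter that also accepts `-c` and is the natural pick for a silent reverse shell; `'python.exe'` with the stripped backslash matches `ipython.exe` but not `pythonw.exe`, and its `OriginalFileName` is presumably `pythonw.exe`, so neither branch catches it — add `- 'pythonw.exe'` to the `Image|endswith` list. `' -c'` is also a legitimate switch for tooling run through the interpreter, e.g. `python -m pip install -c constraints.txt` or `python -m pytest -c pytest.ini`, which belongs under `falsepositives:`. Minor: `OriginalFileName : 'python.exe'` has a space before the colon, unlike every other key in the file (yamllint `colons`).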
@@ -0,0 +1,25 @@
title: Ruby Inline Command Execution Using "-e"
id: 20a5ffa1-3848-4584-b6f8-c7c7fd9f69c8
status: experimental
description: Detects execution of ruby using the "-e" flag. This is could be used as a way to launch a reverse shell or execute live ruby code.
references:
- https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
- https://www.revshells.com/
author: Nasreddine Bencherchali
date: 2023/01/02
tags:
- attack.execution
- attack.t1059
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\ruby.exe'
- OriginalFileName: 'ruby.exe'
selection_cli:
CommandLine|contains: ' -e'
condition: all of selection_*
falsepositives:
- Unknown
level: medium
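Review bot: `selection_img` does not include `rubyw.exe`, the windowless interpreter shipped by RubyInstaller that accepts the same `-e` switch and is the obvious choice for a hidden reverse shell — add `- '\rubyw.exe'` (and `rubyw.exe` under `OriginalFileName`, TODO confirm its version resource). `' -e'` also matches any argument beginning with `-e` passed to the Ruby script itself, so a concrete `falsepositives:` entry would help tuners more than `Unknown`.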
@@ -0,0 +1,26 @@
title: SharpLDAPmonitor Execution
id: 9f8fc146-1d1a-4dbf-b8fd-dfae15e08541
status: experimental
description: Detects execution of the SharpLDAPmonitor. Which can monitor the creation, deletion and changes to LDAP objects.
references:
- https://github.com/p0dalirius/LDAPmonitor
author: Nasreddine Bencherchali
date: 2022/12/30
tags:
- attack.discovery
logsource:
product: windows
category: process_creation
detection:
selection_img:
- Image|endswith: '\SharpLDAPmonitor.exe'
- OriginalFileName: 'SharpLDAPmonitor.exe'
selection_cli:
CommandLine|contains|all:
- '/user:'
- '/pass:'
- '/dcip:'
condition: 1 of selection_*
falsepositives:
- Unknown
level: medium
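Review bot: `tags` lists only the `attack.discovery` tactic without a technique, while the other rules in this commit carry technique IDs; LDAP object monitoring maps to `attack.t1087.002` and/or `attack.t1069.002`, so add the applicable one. `selection_cli` requires all three of `/user:`, `/pass:`, `/dcip:`, so if the tool can run in the current logon context without explicit credentials (TODO confirm against the upstream README) such runs are only caught by `selection_img`, which a renamed binary defeats.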
@@ -16,14 +16,14 @@ logsource:
product: windows
category: process_creation
detection:
selection_img:
- Image|endswith: '\wuauclt.exe'
- OriginalFileName: 'wuauclt.exe'
selection_cli:
CommandLine|contains|all:
- '/UpdateDeploymentProvider'
- '/RunHandlerComServer'
- '.dll'
selection_img:
- Image|endswith: '\wuauclt.exe'
- OriginalFileName: 'wuauclt.exe'
filter:
CommandLine|contains:
- ' /ClassId '