diff --git a/rules/windows/powershell/powershell_script/posh_ps_azurehound_commands.yml b/rules-deprecated/windows/posh_ps_azurehound_commands.yml
similarity index 95%
rename from rules/windows/powershell/powershell_script/posh_ps_azurehound_commands.yml
rename to rules-deprecated/windows/posh_ps_azurehound_commands.yml
index 96a2831f0..55ede923e 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_azurehound_commands.yml
+++ b/rules-deprecated/windows/posh_ps_azurehound_commands.yml
@@ -1,13 +1,13 @@
title: AzureHound PowerShell Commands
id: 83083ac6-1816-4e76-97d7-59af9a9ae46e
-status: experimental
+status: deprecated
description: Detects the execution of AzureHound in PowerShell, a tool to gather data from Azure for BloodHound
references:
- https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1
- https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html
author: Austin Songer (@austinsonger)
date: 2021/10/23
-modified: 2022/01/12
+modified: 2023/01/02
tags:
- attack.discovery
- attack.t1482
diff --git a/rules/windows/powershell/powershell_script/posh_ps_invoke_nightmare.yml b/rules-deprecated/windows/posh_ps_invoke_nightmare.yml
similarity index 93%
rename from rules/windows/powershell/powershell_script/posh_ps_invoke_nightmare.yml
rename to rules-deprecated/windows/posh_ps_invoke_nightmare.yml
index 10a74f43a..cdefb1c68 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_invoke_nightmare.yml
+++ b/rules-deprecated/windows/posh_ps_invoke_nightmare.yml
@@ -1,12 +1,12 @@
title: PrintNightmare Powershell Exploitation
id: 6d3f1399-a81c-4409-aff3-1ecfe9330baf
-status: test
+status: deprecated
description: Detects Commandlet name for PrintNightmare exploitation.
references:
- https://github.com/calebstewart/CVE-2021-1675
author: Max Altgelt, Tobias Michalski
date: 2021/08/09
-modified: 2021/10/16
+modified: 2023/01/02
tags:
- attack.privilege_escalation
- attack.t1548
diff --git a/rules/windows/file/file_event/file_event_win_powershell_exploit_scripts.yml b/rules/windows/file/file_event/file_event_win_powershell_exploit_scripts.yml
index dfb4995e9..5bcc9ffbe 100644
--- a/rules/windows/file/file_event/file_event_win_powershell_exploit_scripts.yml
+++ b/rules/windows/file/file_event/file_event_win_powershell_exploit_scripts.yml
@@ -1,4 +1,4 @@
-title: Malicious PowerShell Commandlet Names
+title: Malicious PowerShell Commandlets - FileCreation
id: f331aa1f-8c53-4fc3-b083-cc159bc971cb
related:
- id: 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
@@ -21,7 +21,7 @@ references:
- https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/ # Invoke-TotalExec
author: Markus Neis, Nasreddine Bencherchali, Mustafa Kaan Demir, Georg Lauenstein
date: 2018/04/07
-modified: 2022/12/04
+modified: 2023/01/02
tags:
- attack.execution
- attack.t1059.001
@@ -31,118 +31,71 @@ logsource: detection: selection: TargetFilename|endswith: - - '\Invoke-DllInjection.ps1' - - '\Invoke-WmiCommand.ps1' - - '\Get-GPPPassword.ps1' - - '\Get-Keystrokes.ps1' - - '\Get-VaultCredential.ps1' - - '\Invoke-CredentialInjection.ps1' - - '\Invoke-Mimikatz.ps1' - - '\Invoke-NinjaCopy.ps1' - - '\Invoke-TokenManipulation.ps1' - - '\Out-Minidump.ps1' - - '\VolumeShadowCopyTools.ps1' - - '\Invoke-ReflectivePEInjection.ps1' - - '\Get-TimedScreenshot.ps1' - - '\Invoke-UserHunter.ps1' - - '\Find-GPOLocation.ps1' - - '\Invoke-ACLScanner.ps1' - - '\Invoke-DowngradeAccount.ps1' - - '\Get-ServiceUnquoted.ps1' - - '\Get-ServiceFilePermission.ps1' - - '\Get-ServicePermission.ps1' - - '\Invoke-ServiceAbuse.ps1' - - '\Install-ServiceBinary.ps1' - - '\Get-RegAutoLogon.ps1' - - '\Get-VulnAutoRun.ps1' - - '\Get-VulnSchTask.ps1' - - '\Get-UnattendedInstallFile.ps1' - - '\Get-WebConfig.ps1' - - '\Get-ApplicationHost.ps1' - - '\Get-RegAlwaysInstallElevated.ps1' - - '\Get-Unconstrained.ps1' - - '\Add-RegBackdoor.ps1' - - '\Add-ScrnSaveBackdoor.ps1' - - '\Gupt-Backdoor.ps1' - - '\Invoke-ADSBackdoor.ps1' - - '\Enabled-DuplicateToken.ps1' - - '\Invoke-PsUaCme.ps1' - - '\Remove-Update.ps1' - - '\Check-VM.ps1' - - '\Get-LSASecret.ps1' - - '\Get-PassHashes.ps1' - - '\Show-TargetScreen.ps1' - - '\Port-Scan.ps1' - - '\Invoke-PoshRatHttp.ps1' - - '\Invoke-PowerShellTCP.ps1' - - '\Invoke-PowerShellWMI.ps1' - '\Add-Exfiltration.ps1' - '\Add-Persistence.ps1' + - '\Add-RegBackdoor.ps1' + - '\Add-ScrnSaveBackdoor.ps1' + - '\Check-VM.ps1' - '\Do-Exfiltration.ps1' - - '\Start-CaptureServer.ps1' - - '\Invoke-ShellCode.ps1' + - '\DomainPasswordSpray.ps1' + - '\Enabled-DuplicateToken.ps1' + - '\Exploit-Jboss.ps1' + - '\Find-AVSignature.ps1' + - '\Find-Fruit.ps1' + - '\Find-GPOLocation.ps1' + - '\Find-TrustedDocuments.ps1' + - '\Get-ApplicationHost.ps1' - '\Get-ChromeDump.ps1' - '\Get-ClipboardContents.ps1' + - '\Get-ComputerDetail.ps1' - '\Get-FoxDump.ps1' + - 
'\Get-GPPAutologon.ps1' + - '\Get-GPPPassword.ps1' - '\Get-IndexedItem.ps1' + - '\Get-Keystrokes.ps1' + - '\Get-LSASecret.ps1' + - '\Get-MicrophoneAudio.ps1' + - '\Get-PassHashes.ps1' + - '\Get-RegAlwaysInstallElevated.ps1' + - '\Get-RegAutoLogon.ps1' + - '\Get-RickAstley.ps1' - '\Get-Screenshot.ps1' - - '\Invoke-Inveigh.ps1' - - '\Invoke-NetRipper.ps1' - - '\Invoke-EgressCheck.ps1' - - '\Invoke-PostExfil.ps1' - - '\Invoke-PSInject.ps1' - - '\Invoke-RunAs.ps1' - - '\MailRaider.ps1' - - '\New-HoneyHash.ps1' - - '\Set-MacAttribute.ps1' - - '\Invoke-DCSync.ps1' - - '\Invoke-PowerDump.ps1' - - '\Exploit-Jboss.ps1' - - '\Invoke-ThunderStruck.ps1' - - '\Invoke-VoiceTroll.ps1' - - '\Set-Wallpaper.ps1' - - '\Invoke-InveighRelay.ps1' - - '\Invoke-PsExec.ps1' - - '\Invoke-SSHCommand.ps1' - '\Get-SecurityPackages.ps1' - - '\Install-SSP.ps1' - - '\Invoke-BackdoorLNK.ps1' - - '\PowerBreach.ps1' + - '\Get-ServiceFilePermission.ps1' + - '\Get-ServicePermission.ps1' + - '\Get-ServiceUnquoted.ps1' - '\Get-SiteListPassword.ps1' - '\Get-System.ps1' - - '\Invoke-BypassUAC.ps1' - - '\Invoke-Tater.ps1' - - '\Invoke-WScriptBypassUAC.ps1' - - '\PowerUp.ps1' - - '\PowerView.ps1' - - '\Get-RickAstley.ps1' - - '\Find-Fruit.ps1' + - '\Get-TimedScreenshot.ps1' + - '\Get-UnattendedInstallFile.ps1' + - '\Get-Unconstrained.ps1' + - '\Get-USBKeystrokes.ps1' + - '\Get-VaultCredential.ps1' + - '\Get-VulnAutoRun.ps1' + - '\Get-VulnSchTask.ps1' + - '\Get-WebConfig.ps1' + - '\Gupt-Backdoor.ps1' - '\HTTP-Login.ps1' - - '\Find-TrustedDocuments.ps1' - - '\Invoke-Paranoia.ps1' - - '\Invoke-WinEnum.ps1' + - '\Install-ServiceBinary.ps1' + - '\Install-SSP.ps1' + - '\Invoke-ACLScanner.ps1' + - '\Invoke-ADSBackdoor.ps1' - '\Invoke-ARPScan.ps1' - - '\Invoke-PortScan.ps1' - - '\Invoke-ReverseDNSLookup.ps1' - - '\Invoke-SMBScanner.ps1' - - '\Invoke-Mimikittenz.ps1' - - '\PowerUpSQL.ps1' - - '\Get-ComputerDetail.ps1' - - '\Find-AVSignature.ps1' - - '\Get-GPPAutologon.ps1' - - '\Get-MicrophoneAudio.ps1' - - 
'\Invoke-EventViewer.ps1' - - '\WSUSpendu.ps1' - - '\Invoke-PowerThIEf.ps1' - - '\WinPwn.ps1' - - '\Offline_Winpwn.ps1' - - '\PowerSharpPack.ps1' + - '\Invoke-BackdoorLNK.ps1' - '\Invoke-BadPotato.ps1' - '\Invoke-BetterSafetyKatz.ps1' + - '\Invoke-BypassUAC.ps1' - '\Invoke-Carbuncle.ps1' - '\Invoke-Certify.ps1' + - '\Invoke-ConPtyShell.ps1' + - '\Invoke-CredentialInjection.ps1' - '\Invoke-DAFT.ps1' + - '\Invoke-DCSync.ps1' - '\Invoke-DinvokeKatz.ps1' + - '\Invoke-DllInjection.ps1' + - '\Invoke-DowngradeAccount.ps1' + - '\Invoke-EgressCheck.ps1' + - '\Invoke-EventViewer.ps1' - '\Invoke-Eyewitness.ps1' - '\Invoke-FakeLogonScreen.ps1' - '\Invoke-Farmer.ps1' @@ -152,23 +105,43 @@ detection: - '\Invoke-Grouper3.ps1' - '\Invoke-HandleKatz.ps1' - '\Invoke-Internalmonologue.ps1' + - '\Invoke-Inveigh.ps1' + - '\Invoke-InveighRelay.ps1' - '\Invoke-KrbRelay.ps1' - '\Invoke-KrbRelayUp.ps1' - '\Invoke-LdapSignCheck.ps1' - '\Invoke-Lockless.ps1' - - '\Invoke-MITM6.ps1' - '\Invoke-MalSCCM.ps1' + - '\Invoke-Mimikatz.ps1' + - '\Invoke-Mimikittenz.ps1' + - '\Invoke-MITM6.ps1' - '\Invoke-NanoDump.ps1' + - '\Invoke-NetRipper.ps1' + - '\Invoke-NinjaCopy.ps1' - '\Invoke-OxidResolver.ps1' - '\Invoke-P0wnedshell.ps1' - '\Invoke-P0wnedshellx86.ps1' + - '\Invoke-Paranoia.ps1' + - '\Invoke-PortScan.ps1' + - '\Invoke-PoshRatHttp.ps1' + - '\Invoke-PostExfil.ps1' + - '\Invoke-PowerDump.ps1' + - '\Invoke-PowerShellTCP.ps1' + - '\Invoke-PowerShellWMI.ps1' + - '\Invoke-PowerThIEf.ps1' - '\Invoke-PPLDump.ps1' + - '\Invoke-PsExec.ps1' + - '\Invoke-PSInject.ps1' + - '\Invoke-PsUaCme.ps1' + - '\Invoke-ReflectivePEInjection.ps1' + - '\Invoke-ReverseDNSLookup.ps1' - '\Invoke-Rubeus.ps1' - - '\Invoke-SCShell.ps1' + - '\Invoke-RunAs.ps1' - '\Invoke-SafetyKatz.ps1' - '\Invoke-SauronEye.ps1' + - '\Invoke-SCShell.ps1' - '\Invoke-Seatbelt.ps1' - - '\Invoke-SharPersist.ps1' + - '\Invoke-ServiceAbuse.ps1' - '\Invoke-SharpAllowedToAct.ps1' - '\Invoke-SharpBlock.ps1' - '\Invoke-SharpBypassUAC.ps1' 
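Review bot: The ScriptBlock sibling (89819aa4, declared `related ... type: similar`) absorbs the deprecated PrintNightmare and AzureHound rules in this same commit and gains `Invoke-Nightmare` / `Invoke-AzureHound`, but this file-creation rule receives no matching entries: `\Invoke-NetRipper.ps1` and `\Invoke-NinjaCopy.ps1` are added back-to-back in this hunk, so `\Invoke-Nightmare.ps1` is definitely absent, and nothing for AzureHound sits between `\Add-ScrnSaveBackdoor.ps1` and `\Check-VM.ps1` in the first hunk. If the deprecation is meant to hand coverage to the two surviving rules, add `- '\Invoke-Nightmare.ps1'` here (and the AzureHound collector script name if it applies — the deprecated rule's detection block is not in this diff, so I cannot tell what it keyed on). It would also help to state in `falsepositives` or the description that `TargetFilename|endswith` keys on the attacker-chosen file name, so a renamed drop is not caught and the ScriptBlock rule is the control that survives that.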
@@ -177,54 +150,82 @@ detection: - '\Invoke-SharpCloud.ps1' - '\Invoke-SharpDPAPI.ps1' - '\Invoke-SharpDump.ps1' - - '\Invoke-SharpGPO-RemoteAccessPolicies.ps1' + - '\Invoke-SharPersist.ps1' - '\Invoke-SharpGPOAbuse.ps1' + - '\Invoke-SharpGPO-RemoteAccessPolicies.ps1' - '\Invoke-SharpHandler.ps1' - '\Invoke-SharpHide.ps1' + - '\Invoke-Sharphound2.ps1' + - '\Invoke-Sharphound3.ps1' - '\Invoke-SharpHound4.ps1' - '\Invoke-SharpImpersonation.ps1' - '\Invoke-SharpImpersonationNoSpace.ps1' - '\Invoke-SharpKatz.ps1' - '\Invoke-SharpLdapRelayScan.ps1' + - '\Invoke-Sharplocker.ps1' - '\Invoke-SharpLoginPrompt.ps1' - '\Invoke-SharpMove.ps1' - - '\Invoke-SharpPrintNightmare.ps1' - '\Invoke-SharpPrinter.ps1' + - '\Invoke-SharpPrintNightmare.ps1' - '\Invoke-SharpRDP.ps1' - '\Invoke-SharpSCCM.ps1' - - '\Invoke-SharpSSDP.ps1' - '\Invoke-SharpSecDump.ps1' + - '\Invoke-Sharpshares.ps1' - '\Invoke-SharpSniper.ps1' - '\Invoke-SharpSploit.ps1' + - '\Invoke-Sharpsploit_nomimi.ps1' - '\Invoke-SharpSpray.ps1' + - '\Invoke-SharpSSDP.ps1' - '\Invoke-SharpStay.ps1' - '\Invoke-SharpUp.ps1' - - '\Invoke-SharpWSUS.ps1' - - '\Invoke-SharpWatson.ps1' - - '\Invoke-Sharphound2.ps1' - - '\Invoke-Sharphound3.ps1' - - '\Invoke-Sharplocker.ps1' - - '\Invoke-Sharpshares.ps1' - - '\Invoke-Sharpsploit_nomimi.ps1' - '\Invoke-Sharpview.ps1' + - '\Invoke-SharpWatson.ps1' - '\Invoke-Sharpweb.ps1' + - '\Invoke-SharpWSUS.ps1' + - '\Invoke-ShellCode.ps1' + - '\Invoke-SMBScanner.ps1' - '\Invoke-Snaffler.ps1' - '\Invoke-Spoolsample.ps1' + - '\Invoke-SSHCommand.ps1' - '\Invoke-StandIn.ps1' - '\Invoke-StickyNotesExtract.ps1' + - '\Invoke-Tater.ps1' - '\Invoke-Thunderfox.ps1' + - '\Invoke-ThunderStruck.ps1' + - '\Invoke-TokenManipulation.ps1' - '\Invoke-Tokenvator.ps1' - '\Invoke-TotalExec.ps1' - '\Invoke-UrbanBishop.ps1' + - '\Invoke-UserHunter.ps1' + - '\Invoke-VoiceTroll.ps1' - '\Invoke-Whisker.ps1' - - '\Invoke-WireTap.ps1' + - '\Invoke-WinEnum.ps1' - '\Invoke-winPEAS.ps1' + - '\Invoke-WireTap.ps1' + - 
'\Invoke-WmiCommand.ps1' + - '\Invoke-WScriptBypassUAC.ps1' - '\Invoke-Zerologon.ps1' - - '\Get-USBKeystrokes.ps1' - - '\Start-WebcamRecorder.ps1' - - '\PSAsyncShell.ps1' + - '\MailRaider.ps1' + - '\New-HoneyHash.ps1' - '\OfficeMemScraper.ps1' - - '\DomainPasswordSpray.ps1' + - '\Offline_Winpwn.ps1' + - '\Out-Minidump.ps1' + - '\Port-Scan.ps1' + - '\PowerBreach.ps1' + - '\PowerSharpPack.ps1' + - '\PowerUp.ps1' + - '\PowerUpSQL.ps1' + - '\PowerView.ps1' + - '\PSAsyncShell.ps1' + - '\Remove-Update.ps1' + - '\Set-MacAttribute.ps1' + - '\Set-Wallpaper.ps1' + - '\Show-TargetScreen.ps1' + - '\Start-CaptureServer.ps1' + - '\Start-WebcamRecorder.ps1' + - '\VolumeShadowCopyTools.ps1' + - '\WinPwn.ps1' + - '\WSUSpendu.ps1' condition: selection falsepositives: - Unknown diff --git a/rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml b/rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml index 18c55ea85..a5b82ca41 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml @@ -1,8 +1,12 @@ -title: Malicious PowerShell Commandlets +title: Malicious PowerShell Commandlets - ScriptBlock id: 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6 related: - id: f331aa1f-8c53-4fc3-b083-cc159bc971cb type: similar + - id: 6d3f1399-a81c-4409-aff3-1ecfe9330baf + type: obsoletes + - id: 83083ac6-1816-4e76-97d7-59af9a9ae46e + type: obsoletes status: test description: Detects Commandlet names from well-known PowerShell exploitation frameworks references: 
@@ -14,120 +18,91 @@ references: - https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1 - https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/ # Invoke-TotalExec - https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/ # Invoke-TotalExec -author: Sean Metcalf (source), Florian Roth (rule), Bartlomiej Czyz @bczyz1 (update), oscd.community (update), Nasreddine Bencherchali (update), Tim Shelton (fp), Mustafa Kaan Demir (update), Georg Lauenstein (update) + - https://github.com/calebstewart/CVE-2021-1675 # Invoke-Nightmare + - https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1 + - https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html +author: Sean Metcalf (source), Florian Roth (rule), Bartlomiej Czyz @bczyz1 (update), oscd.community (update), Nasreddine Bencherchali (update), Tim Shelton (fp), Mustafa Kaan Demir (update), Georg Lauenstein (update), Max Altgelt (update), Tobias Michalski (update), Austin Songer (@austinsonger) (update) date: 2017/03/05 -modified: 2022/12/27 +modified: 2023/01/02 tags: - attack.execution + - attack.discovery + - attack.t1482 + - attack.t1087 + - attack.t1087.001 + - attack.t1087.002 + - attack.t1069.001 + - attack.t1069.002 + - attack.t1069 - attack.t1059.001 logsource: product: windows category: ps_script definition: Script Block Logging must be enabled detection: - select_Malicious: + selection: ScriptBlockText|contains: - - 'Invoke-DllInjection' - - 'Invoke-Shellcode' - - 'Invoke-WmiCommand' - - 'Get-GPPPassword' - - 'Get-Keystrokes' - - 'Get-TimedScreenshot' - - 'Get-VaultCredential' - - 'Invoke-CredentialInjection' - - 'Invoke-Mimikatz' - - 'Invoke-NinjaCopy' - - 'Invoke-TokenManipulation' - - 'Out-Minidump' - - 'VolumeShadowCopyTools' - - 'Invoke-ReflectivePEInjection' - - 'Invoke-UserHunter' - - 'Find-GPOLocation' - - 
'Invoke-ACLScanner' - - 'Invoke-DowngradeAccount' - - 'Get-ServiceUnquoted' - - 'Get-ServiceFilePermission' - - 'Get-ServicePermission' - - 'Invoke-ServiceAbuse' - - 'Install-ServiceBinary' - - 'Get-RegAutoLogon' - - 'Get-VulnAutoRun' - - 'Get-VulnSchTask' - - 'Get-UnattendedInstallFile' - - 'Get-ApplicationHost' - - 'Get-RegAlwaysInstallElevated' - - 'Get-Unconstrained' - - 'Add-RegBackdoor' - - 'Add-ScrnSaveBackdoor' - - 'Gupt-Backdoor' - - 'Invoke-ADSBackdoor' - - 'Enabled-DuplicateToken' - - 'Invoke-PsUaCme' - - 'Remove-Update' - - 'Check-VM' - - 'Get-LSASecret' - - 'Get-PassHashes' - - 'Show-TargetScreen' - - 'Port-Scan' - - 'Invoke-PoshRatHttp' - - 'Invoke-PowerShellTCP' - - 'Invoke-PowerShellWMI' - 'Add-Exfiltration' - 'Add-Persistence' + - 'Add-RegBackdoor' + - 'Add-ScrnSaveBackdoor' + - 'Check-VM' - 'Do-Exfiltration' - - 'Start-CaptureServer' + - 'Enabled-DuplicateToken' + - 'Exploit-Jboss' + - 'Find-Fruit' + - 'Find-GPOLocation' + - 'Find-TrustedDocuments' + - 'Get-ApplicationHost' - 'Get-ChromeDump' - 'Get-ClipboardContents' - 'Get-FoxDump' + - 'Get-GPPPassword' - 'Get-IndexedItem' + - 'Get-Keystrokes' + - 'Get-LSASecret' + - 'Get-PassHashes' + - 'Get-RegAlwaysInstallElevated' + - 'Get-RegAutoLogon' + - 'Get-RickAstley' - 'Get-Screenshot' - - 'Invoke-Inveigh' - - 'Invoke-NetRipper' - - 'Invoke-EgressCheck' - - 'Invoke-PostExfil' - - 'Invoke-PSInject' - - 'Invoke-RunAs' - - 'MailRaider' - - 'New-HoneyHash' - - 'Set-MacAttribute' - - 'Invoke-DCSync' - - 'Invoke-PowerDump' - - 'Exploit-Jboss' - - 'Invoke-ThunderStruck' - - 'Invoke-VoiceTroll' - - 'Set-Wallpaper' - - 'Invoke-InveighRelay' - - 'Invoke-PsExec' - - 'Invoke-SSHCommand' - 'Get-SecurityPackages' - - 'Install-SSP' - - 'Invoke-BackdoorLNK' - - 'PowerBreach' + - 'Get-ServiceFilePermission' + - 'Get-ServicePermission' + - 'Get-ServiceUnquoted' - 'Get-SiteListPassword' - 'Get-System' - - 'Invoke-BypassUAC' - - 'Invoke-Tater' - - 'Invoke-WScriptBypassUAC' - - 'PowerUp' - - 'PowerView' - - 
'Get-RickAstley' - - 'Find-Fruit' + - 'Get-TimedScreenshot' + - 'Get-UnattendedInstallFile' + - 'Get-Unconstrained' + - 'Get-USBKeystrokes' + - 'Get-VaultCredential' + - 'Get-VulnAutoRun' + - 'Get-VulnSchTask' + - 'Gupt-Backdoor' - 'HTTP-Login' - - 'Find-TrustedDocuments' - - 'Invoke-Paranoia' - - 'Invoke-WinEnum' - - 'Invoke-ARPScan' - - 'Invoke-PortScan' - - 'Invoke-ReverseDNSLookup' - - 'Invoke-SMBScanner' - - 'Invoke-Mimikittenz' + - 'Install-ServiceBinary' + - 'Install-SSP' + - 'Invoke-ACLScanner' + - 'Invoke-ADSBackdoor' - 'Invoke-AllChecks' + - 'Invoke-ARPScan' + - 'Invoke-AzureHound' + - 'Invoke-BackdoorLNK' - 'Invoke-BadPotato' - 'Invoke-BetterSafetyKatz' + - 'Invoke-BypassUAC' - 'Invoke-Carbuncle' - 'Invoke-Certify' + - 'Invoke-ConPtyShell' + - 'Invoke-CredentialInjection' - 'Invoke-DAFT' + - 'Invoke-DCSync' - 'Invoke-DinvokeKatz' + - 'Invoke-DllInjection' + - 'Invoke-DomainPasswordSpray' + - 'Invoke-DowngradeAccount' + - 'Invoke-EgressCheck' - 'Invoke-Eyewitness' - 'Invoke-FakeLogonScreen' - 'Invoke-Farmer' 
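Review bot: The merged rule now lists 6d3f1399 (PrintNightmare) as obsoleted and adds `Invoke-Nightmare`, yet the new tags only import the AzureHound rule's discovery mapping (`attack.discovery`, `attack.t1482`, `attack.t1087*`, `attack.t1069*`); the deprecated rule's `attack.privilege_escalation` / `attack.t1548`, visible in the rename hunk above, are dropped. Either carry them over next to the new `attack.discovery` entry or say in the description that this catch-all is deliberately tagged execution/discovery only, so tag-driven coverage reports do not silently lose the privilege-escalation mapping. The block also lists parent techniques alongside their sub-techniques (`attack.t1087` with `.001`/`.002`, `attack.t1069` with `.001`/`.002`); I believe the repo's convention is the sub-technique alone, worth checking against its tag guidance before merging.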
@@ -136,22 +111,43 @@ detection:
- 'Invoke-Grouper' # cover Invoke-GrouperX
- 'Invoke-HandleKatz'
- 'Invoke-Internalmonologue'
+ - 'Invoke-Inveigh'
+ - 'Invoke-InveighRelay'
- 'Invoke-KrbRelay'
- 'Invoke-LdapSignCheck'
- 'Invoke-Lockless'
- - 'Invoke-MITM6'
- 'Invoke-MalSCCM'
+ - 'Invoke-Mimikatz'
+ - 'Invoke-Mimikittenz'
+ - 'Invoke-MITM6'
- 'Invoke-NanoDump'
+ - 'Invoke-NetRipper'
+ - 'Invoke-Nightmare'
+ - 'Invoke-NinjaCopy'
+ - 'Invoke-OfficeScrape'
- 'Invoke-OxidResolver'
- 'Invoke-P0wnedshell'
+ - 'Invoke-Paranoia'
+ - 'Invoke-PortScan'
+ - 'Invoke-PoshRatHttp'
+ - 'Invoke-PostExfil'
+ - 'Invoke-PowerDump'
+ - 'Invoke-PowerShellTCP'
+ - 'Invoke-PowerShellWMI'
- 'Invoke-PPLDump'
+ - 'Invoke-PsExec'
+ - 'Invoke-PSInject'
+ - 'Invoke-PsUaCme'
+ - 'Invoke-ReflectivePEInjection'
+ - 'Invoke-ReverseDNSLookup'
- 'Invoke-Rubeus'
- - 'Invoke-SCShell'
+ - 'Invoke-RunAs'
- 'Invoke-SafetyKatz'
- 'Invoke-SauronEye'
+ - 'Invoke-SCShell'
- 'Invoke-Seatbelt'
+ - 'Invoke-ServiceAbuse'
- 'Invoke-ShadowSpray'
- - 'Invoke-SharPersist'
- 'Invoke-SharpAllowedToAct'
- 'Invoke-SharpBlock'
- 'Invoke-SharpBypassUAC'
@@ -160,58 +156,80 @@ detection: - 'Invoke-SharpCloud' - 'Invoke-SharpDPAPI' - 'Invoke-SharpDump' - - 'Invoke-SharpGPO-RemoteAccessPolicies' + - 'Invoke-SharPersist' - 'Invoke-SharpGPOAbuse' + - 'Invoke-SharpGPO-RemoteAccessPolicies' - 'Invoke-SharpHandler' - 'Invoke-SharpHide' + - 'Invoke-Sharphound' # cover Invoke-SharpHound2, Invoke-SharpHound3,. - 'Invoke-SharpImpersonation' - 'Invoke-SharpImpersonationNoSpace' - 'Invoke-SharpKatz' - 'Invoke-SharpLdapRelayScan' + - 'Invoke-Sharplocker' - 'Invoke-SharpLoginPrompt' - 'Invoke-SharpMove' - - 'Invoke-SharpPrintNightmare' - 'Invoke-SharpPrinter' + - 'Invoke-SharpPrintNightmare' - 'Invoke-SharpRDP' - 'Invoke-SharpSCCM' - - 'Invoke-SharpSSDP' - 'Invoke-SharpSecDump' + - 'Invoke-Sharpshares' - 'Invoke-SharpSniper' - 'Invoke-SharpSploit' - 'Invoke-SharpSpray' + - 'Invoke-SharpSSDP' - 'Invoke-SharpStay' - 'Invoke-SharpUp' - - 'Invoke-SharpWSUS' - - 'Invoke-SharpWatson' - - 'Invoke-Sharphound' # cover Invoke-SharpHound2, Invoke-SharpHound3,. - - 'Invoke-Sharplocker' - - 'Invoke-Sharpshares' - 'Invoke-Sharpview' + - 'Invoke-SharpWatson' - 'Invoke-Sharpweb' + - 'Invoke-SharpWSUS' + - 'Invoke-Shellcode' + - 'Invoke-SMBScanner' - 'Invoke-Snaffler' - 'Invoke-Spoolsample' + - 'Invoke-SpraySinglePassword' + - 'Invoke-SSHCommand' - 'Invoke-StandIn' - 'Invoke-StickyNotesExtract' - - 'Invoke-TotalExec' + - 'Invoke-Tater' - 'Invoke-Thunderfox' + - 'Invoke-ThunderStruck' + - 'Invoke-TokenManipulation' - 'Invoke-Tokenvator' + - 'Invoke-TotalExec' - 'Invoke-UrbanBishop' + - 'Invoke-UserHunter' + - 'Invoke-VoiceTroll' - 'Invoke-Whisker' - - 'Invoke-WireTap' + - 'Invoke-WinEnum' - 'Invoke-winPEAS' + - 'Invoke-WireTap' + - 'Invoke-WmiCommand' + - 'Invoke-WScriptBypassUAC' - 'Invoke-Zerologon' - - 'Get-USBKeystrokes' + - 'MailRaider' + - 'New-HoneyHash' + - 'Out-Minidump' + - 'Port-Scan' + - 'PowerBreach' + - 'PowerUp' + - 'PowerView' + - 'Remove-Update' + - 'Set-MacAttribute' + - 'Set-Wallpaper' + - 'Show-TargetScreen' + - 
'Start-CaptureServer' - 'Start-WebcamRecorder' - - 'Invoke-OfficeScrape' - - 'Invoke-DomainPasswordSpray' - - 'Invoke-SpraySinglePassword' - false_positive1: + - 'VolumeShadowCopyTools' + filter_1: ScriptBlockText|contains: - Get-SystemDriveInfo # http://bheltborg.dk/Windows/WinSxS/amd64_microsoft-windows-maintenancediagnostic_31bf3856ad364e35_10.0.10240.16384_none_91ef7543a4514b5e/CL_Utility.ps1 - C:\ProgramData\Amazon\EC2-Windows\Launch\Module\ # false positive form Amazon EC2 - false_positive2: + filter_2: ScriptBlockText|startswith: '# Copyright 2016 Amazon.com, Inc. or its affiliates. All Rights Reserved' - condition: select_Malicious and not 1 of false_positive* + condition: selection and not 1 of filter_* falsepositives: - Unknown level: high diff --git a/rules/windows/powershell/powershell_script/posh_ps_nishang_malicious_commandlets.yml b/rules/windows/powershell/powershell_script/posh_ps_nishang_malicious_commandlets.yml index bb2e5aecd..9a68fcd84 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_nishang_malicious_commandlets.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_nishang_malicious_commandlets.yml @@ -6,7 +6,7 @@ references: - https://github.com/samratashok/nishang author: Alec Costello date: 2019/05/16 -modified: 2022/08/29 +modified: 2023/01/02 tags: - attack.execution - attack.t1059.001 
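Review bot: `filter_2` allowlists any script block whose text merely starts with `# Copyright 2016 Amazon.com, Inc. or its affiliates. All Rights Reserved`, and `filter_1` excludes any block containing `C:\ProgramData\Amazon\EC2-Windows\Launch\Module\`; both key on attacker-controlled `ScriptBlockText`, so prepending that banner (or the path in a comment) to an `Invoke-Mimikatz` block suppresses the whole high-level rule. The rename to `filter_*` keeps that as-is; consider narrowing each filter to what actually collides (`Get-SystemDriveInfo` presumably exists only to unblock the `Get-System` substring and can stay on its own) and recording the residual bypass in `falsepositives`, which still reads `Unknown` despite two named FP sources. If the Amazon exclusions must remain, a comment such as `# NOTE: text-based allowlist, trivially bypassable by an attacker who prepends the banner` would at least make the trade-off explicit.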
@@ -17,77 +17,77 @@ logsource: detection: selection: ScriptBlockText|contains: - - Add-ConstrainedDelegationBackdoor - - Set-DCShadowPermissions - - DNS_TXT_Pwnage - - Execute-OnTime - - HTTP-Backdoor - - Set-RemotePSRemoting - - Set-RemoteWMI - - Invoke-AmsiBypass - - Out-CHM - - Out-HTA - - Out-SCF - - Out-SCT - - Out-Shortcut - - Out-WebQuery - - Out-Word - - Enable-Duplication - - Remove-Update - - Download-Execute-PS - - Download_Execute - - Execute-Command-MSSQL - - Execute-DNSTXT-Code - - Out-RundllCommand - - Copy-VSS - - FireBuster - - FireListener - - Get-Information - - Get-PassHints - - Get-WLAN-Keys - - Get-Web-Credentials - - Invoke-CredentialsPhish - - Invoke-MimikatzWDigestDowngrade - - Invoke-SSIDExfil - - Invoke-SessionGopher - - Keylogger - - Invoke-Interceptor - - Create-MultipleSessions - - Invoke-NetworkRelay - - Run-EXEonRemote - - Invoke-Prasadhak - - Invoke-BruteForce - - Password-List - - Invoke-JSRatRegsvr - - Invoke-JSRatRundll - - Invoke-PoshRatHttps - - Invoke-PowerShellIcmp - - Invoke-PowerShellUdp - - Invoke-PSGcat - - Invoke-PsGcatAgent - - Remove-PoshRat - - Add-Persistence - - ExetoText - - Invoke-Decode - - Invoke-Encode - - Parse_Keys - - Remove-Persistence - - StringtoBase64 - - TexttoExe - - Powerpreter - - Nishang - - DataToEncode - - LoggedKeys - - OUT-DNSTXT - # - Jitter # Prone to FPs - - ExfilOption - - DumpCerts - - DumpCreds - - Shellcode32 - - Shellcode64 - - NotAllNameSpaces - - exfill - - FakeDC + - 'Add-ConstrainedDelegationBackdoor' + - 'Add-Persistence' + - 'Copy-VSS' + - 'Create-MultipleSessions' + - 'DataToEncode' + - 'DNS_TXT_Pwnage' + - 'Download_Execute' + - 'Download-Execute-PS' + - 'DumpCerts' + - 'DumpCreds' + - 'Enable-Duplication' + - 'Execute-Command-MSSQL' + - 'Execute-DNSTXT-Code' + - 'Execute-OnTime' + - 'ExetoText' + - 'exfill' + - 'ExfilOption' + - 'FakeDC' + - 'FireBuster' + - 'FireListener' + - 'Get-Information' + - 'Get-PassHints' + - 'Get-Web-Credentials' + - 'Get-WLAN-Keys' + - 'HTTP-Backdoor' 
+ - 'Invoke-AmsiBypass' + - 'Invoke-BruteForce' + - 'Invoke-CredentialsPhish' + - 'Invoke-Decode' + - 'Invoke-Encode' + - 'Invoke-Interceptor' + - 'Invoke-JSRatRegsvr' + - 'Invoke-JSRatRundll' + - 'Invoke-MimikatzWDigestDowngrade' + - 'Invoke-NetworkRelay' + - 'Invoke-PoshRatHttps' + - 'Invoke-PowerShellIcmp' + - 'Invoke-PowerShellUdp' + - 'Invoke-Prasadhak' + - 'Invoke-PSGcat' + - 'Invoke-PsGcatAgent' + - 'Invoke-SessionGopher' + - 'Invoke-SSIDExfil' + #- Jitter # Prone to FPs + - 'Keylogger' + - 'LoggedKeys' + - 'Nishang' + - 'NotAllNameSpaces' + - 'Out-CHM' + - 'OUT-DNSTXT' + - 'Out-HTA' + - 'Out-RundllCommand' + - 'Out-SCF' + - 'Out-SCT' + - 'Out-Shortcut' + - 'Out-WebQuery' + - 'Out-Word' + - 'Parse_Keys' + - 'Password-List' + - 'Powerpreter' + - 'Remove-Persistence' + - 'Remove-PoshRat' + - 'Remove-Update' + - 'Run-EXEonRemote' + - 'Set-DCShadowPermissions' + - 'Set-RemotePSRemoting' + - 'Set-RemoteWMI' + - 'Shellcode32' + - 'Shellcode64' + - 'StringtoBase64' + - 'TexttoExe' condition: selection falsepositives: - Unknown diff --git a/rules/windows/powershell/powershell_script/posh_ps_powerview_malicious_commandlets.yml b/rules/windows/powershell/powershell_script/posh_ps_powerview_malicious_commandlets.yml index 3d8b8245c..12036f63b 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_powerview_malicious_commandlets.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_powerview_malicious_commandlets.yml @@ -9,7 +9,7 @@ references: - https://adsecurity.org/?p=2277 author: Bhabesh Raj date: 2021/05/18 -modified: 2022/12/25 +modified: 2023/01/02 tags: - attack.execution - attack.t1059.001 
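Review bot: `'Add-Persistence'` and `'Remove-Update'` are kept here while the same commit disables `Out-Minidump` in the Shellntel rule with `# Covered in 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6`; both of these strings are also added to 89819aa4 in this diff, so the same dedup (or the same `# Covered in` annotation) should be applied for consistency. The quoting pass is also a good moment to look at the short generic tokens `'exfill'`, `'Keylogger'`, `'Nishang'`, `'DumpCreds'`, `'Shellcode32'`/`'Shellcode64'`: with `ScriptBlockText|contains` they match inside any longer identifier or comment, the very reason `Jitter` was disabled, yet `falsepositives` still says `Unknown`. Minor style: disabled entries are written `#- Jitter` here and `#- 'Out-Minidump'` in the Shellntel rule but `# - 'FromBase64'` in posh_ps_susp_keywords; pick one form.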
@@ -20,128 +20,85 @@ logsource: detection: selection: ScriptBlockText|contains: - - Export-PowerViewCSV - - Get-IPAddress - - Resolve-IPAddress - - Convert-NameToSid - - ConvertTo-SID - - Convert-ADName - - ConvertFrom-UACValue - - Add-RemoteConnection - - Remove-RemoteConnection - - Invoke-UserImpersonation - - Invoke-RevertToSelf - - Request-SPNTicket - - Get-DomainSPNTicket - - Invoke-Kerberoast - - Get-PathAcl - - Get-DNSZone - - Get-DomainDNSZone - - Get-DNSRecord - - Get-DomainDNSRecord - - Get-NetDomain - - Get-Domain - - Get-NetDomainController - - Get-DomainController - - Get-NetForest - - Get-Forest - - Get-NetForestDomain - - Get-ForestDomain - - Get-NetForestCatalog - - Get-ForestGlobalCatalog - - Find-DomainObjectPropertyOutlier - - Get-NetUser - - Get-DomainUser - - New-DomainUser - - Set-DomainUserPassword - - Get-UserEvent - - Get-DomainUserEvent - - Get-NetComputer - - Get-DomainComputer - - Get-ADObject - - Get-DomainObject - - Set-ADObject - - Set-DomainObject - - Get-ObjectAcl - - Get-DomainObjectAcl - - Add-ObjectAcl - - Add-DomainObjectAcl - - Invoke-ACLScanner - - Find-InterestingDomainAcl - - Get-NetOU - - Get-DomainOU - - Get-NetSite - - Get-DomainSite - - Get-NetSubnet - - Get-DomainSubnet - - Get-DomainSID - - Get-NetGroup - - Get-DomainGroup - - New-DomainGroup - - Find-ManagedSecurityGroups - - Get-DomainManagedSecurityGroup - - Get-NetGroupMember - - Get-DomainGroupMember - - Add-DomainGroupMember - - Get-NetFileServer - - Get-DomainFileServer - - Get-DFSshare - - Get-DomainDFSShare - - Get-NetGPO - - Get-DomainGPO - - Get-NetGPOGroup - - Get-DomainGPOLocalGroup - - Find-GPOLocation - - Get-DomainGPOUserLocalGroupMapping - - Find-GPOComputerAdmin - - Get-DomainGPOComputerLocalGroupMapping - - Get-DomainPolicy - - Get-NetLocalGroup - - Get-NetLocalGroupMember - - Get-NetShare - - Get-NetLoggedon - - Get-NetSession - - Get-LoggedOnLocal - - Get-RegLoggedOn - - Get-NetRDPSession - - Invoke-CheckLocalAdminAccess - - Test-AdminAccess - - 
Get-SiteName - - Get-NetComputerSiteName - - Get-Proxy - - Get-WMIRegProxy - - Get-LastLoggedOn - - Get-WMIRegLastLoggedOn - - Get-CachedRDPConnection - - Get-WMIRegCachedRDPConnection - - Get-RegistryMountedDrive - - Get-WMIRegMountedDrive - - Get-NetProcess - - Get-WMIProcess - - Find-InterestingFile - - Invoke-UserHunter - - Find-DomainUserLocation - - Invoke-ProcessHunter - - Find-DomainProcess - - Invoke-EventHunter - - Find-DomainUserEvent - - Invoke-ShareFinder - - Find-DomainShare - - Invoke-FileFinder - - Find-InterestingDomainShareFile - - Find-LocalAdminAccess - - Invoke-EnumerateLocalAdmin - - Find-DomainLocalGroupMember - - Get-NetDomainTrust - - Get-DomainTrust - - Get-NetForestTrust - - Get-ForestTrust - - Find-ForeignUser - - Get-DomainForeignUser - - Find-ForeignGroup - - Get-DomainForeignGroupMember - - Invoke-MapDomainTrust - - Get-DomainTrustMapping + - 'Add-DomainGroupMember' + - 'Add-DomainObjectAcl' + - 'Add-ObjectAcl' + - 'Add-RemoteConnection' + - 'Convert-ADName' + - 'ConvertFrom-UACValue' + - 'Convert-NameToSid' + - 'ConvertTo-SID' + - 'Export-PowerViewCSV' + - 'Find-DomainLocalGroupMember' + - 'Find-DomainObjectPropertyOutlier' + - 'Find-DomainProcess' + - 'Find-DomainShare' + - 'Find-DomainUserEvent' + - 'Find-DomainUserLocation' + - 'Find-ForeignGroup' + - 'Find-ForeignUser' + - 'Find-GPOComputerAdmin' + - 'Find-GPOLocation' + - 'Find-InterestingDomain' # Covers: Find-InterestingDomainAcl, Find-InterestingDomainShareFile + - 'Find-InterestingFile' + - 'Find-LocalAdminAccess' + - 'Find-ManagedSecurityGroups' + - 'Get-ADObject' + - 'Get-CachedRDPConnection' + - 'Get-DFSshare' + - 'Get-DNSRecord' + - 'Get-DNSZone' + - 'Get-Domain' # Covers Cmdlets like: DomainComputer, DomainController, DomainDFSShare, DomainDNSRecord, DomainGPO...etc. 
+ - 'Get-Forest' # Covers: Get-ForestDomain, Get-ForestGlobalCatalog, Get-ForestTrust + - 'Get-IPAddress' + - 'Get-LastLoggedOn' + - 'Get-LoggedOnLocal' + - 'Get-NetComputer' # Covers: Get-NetComputerSiteName + - 'Get-NetDomain' # Covers: Get-NetDomainController, Get-NetDomainTrust + - 'Get-NetFileServer' + - 'Get-NetForest' # Covers: Get-NetForestCatalog, Get-NetForestDomain, Get-NetForestTrust + - 'Get-NetGPO' # Covers: Get-NetGPOGroup + - 'Get-NetGroup' # Covers: Get-NetGroupMember + - 'Get-NetLocalGroup' # Covers: NetLocalGroupMember + - 'Get-NetLoggedon' + - 'Get-NetOU' + - 'Get-NetProcess' + - 'Get-NetRDPSession' + - 'Get-NetSession' + - 'Get-NetShare' + - 'Get-NetSite' + - 'Get-NetSubnet' + - 'Get-NetUser' + - 'Get-ObjectAcl' + - 'Get-PathAcl' + - 'Get-Proxy' + - 'Get-RegistryMountedDrive' + - 'Get-RegLoggedOn' + - 'Get-SiteName' + - 'Get-UserEvent' + - 'Get-WMIProcess' + - 'Get-WMIReg' # Covers: Get-WMIRegCachedRDPConnection, Get-WMIRegLastLoggedOn, Get-WMIRegMountedDrive, WMIRegProxy + - 'Invoke-ACLScanner' + - 'Invoke-CheckLocalAdminAccess' + - 'Invoke-EnumerateLocalAdmin' + - 'Invoke-EventHunter' + - 'Invoke-FileFinder' + - 'Invoke-Kerberoast' + - 'Invoke-MapDomainTrust' + - 'Invoke-ProcessHunter' + - 'Invoke-RevertToSelf' + - 'Invoke-ShareFinder' + - 'Invoke-UserHunter' + - 'Invoke-UserImpersonation' + - 'New-DomainGroup' + - 'New-DomainUser' + - 'Remove-RemoteConnection' + - 'Request-SPNTicket' + - 'Resolve-IPAddress' + - 'Set-ADObject' + - 'Set-DomainObject' + - 'Set-DomainUserPassword' + - 'Test-AdminAccess' condition: selection falsepositives: - Should not be any as administrators do not use this tool diff --git a/rules/windows/powershell/powershell_script/posh_ps_remote_session_creation.yml b/rules/windows/powershell/powershell_script/posh_ps_remote_session_creation.yml index 3dd62bff8..aa160f594 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_remote_session_creation.yml 
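Review bot: Collapsing the list to prefixes such as `Get-Domain`, `Get-Forest`, `Get-NetComputer`, `Get-WMIReg`, `Get-IPAddress` and `Get-Proxy` widens the rule, because `ScriptBlockText|contains` is a substring test: `Get-Domain` now fires on any script defining or calling a `Get-Domain`-prefixed helper (e.g. a home-grown `Get-DomainName`), and `Get-IPAddress` / `Get-Proxy` are names an admin script could plausibly use without PowerView. The `falsepositives` entry `Should not be any as administrators do not use this tool`, a context line in this hunk, no longer holds for those generic prefixes; either list them there or keep explicit cmdlet names for the ambiguous ones (`Get-Domain`, `Get-IPAddress`, `Get-Proxy`). The `# Covers:` comments are a good idea, but for `Get-Domain` the `...etc.` hides exactly which former entries were folded; enumerating them (or pointing at the pre-2023/01/02 list) keeps future edits from dropping coverage unknowingly.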
+++ b/rules/windows/powershell/powershell_script/posh_ps_remote_session_creation.yml
@@ -9,6 +9,7 @@ references:
- https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/new-pssession?view=powershell-7.2
author: frack113
date: 2022/01/06
+modified: 2023/01/02
tags:
- attack.execution
- attack.t1059.001
@@ -19,7 +20,7 @@ logsource:
detection:
selection:
ScriptBlockText|contains|all:
- - New-PSSession
+ - 'New-PSSession'
- '-ComputerName '
condition: selection
falsepositives:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_shellintel_malicious_commandlets.yml b/rules/windows/powershell/powershell_script/posh_ps_shellintel_malicious_commandlets.yml
index f135dce1b..0e7ce203a 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_shellintel_malicious_commandlets.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_shellintel_malicious_commandlets.yml
@@ -6,7 +6,7 @@ references:
- https://github.com/Shellntel/scripts/
author: Max Altgelt, Tobias Michalski
date: 2021/08/09
-modified: 2022/12/25
+modified: 2023/01/02
tags:
- attack.execution
- attack.t1059.001
@@ -17,10 +17,10 @@ logsource:
detection:
selection:
ScriptBlockText|contains:
- - Invoke-SMBAutoBrute
- - Invoke-GPOLinks
- - Out-Minidump
- - Invoke-Potato
+ - 'Invoke-SMBAutoBrute'
+ - 'Invoke-GPOLinks'
+ #- 'Out-Minidump' # Covered in 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
+ - 'Invoke-Potato'
condition: selection
falsepositives:
- Unknown
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_invoke_webrequest_useragent.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_invoke_webrequest_useragent.yml
index 38840bf2a..5fe1d34d9 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_invoke_webrequest_useragent.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_invoke_webrequest_useragent.yml
@@ -8,6 +8,7 @@ references:
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1071.001/T1071.001.md#t1071001---web-protocols
 author: frack113
 date: 2022/01/23
+modified: 2023/01/02
 tags:
     - attack.command_and_control
     - attack.t1071.001
@@ -18,7 +19,7 @@ logsource:
 detection:
     selection:
         ScriptBlockText|contains|all:
-            - Invoke-WebRequest
+            - 'Invoke-WebRequest'
             - '-UserAgent '
     condition: selection
 falsepositives:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_keywords.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_keywords.yml
index cbf5ad9eb..1321b31b9 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_keywords.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_keywords.yml
@@ -9,7 +9,7 @@ references:
     - https://gist.github.com/MHaggis/0dbe00ad401daa7137c81c99c268cfb7
 author: Florian Roth, Perez Diego (@darkquassar)
 date: 2019/02/11
-modified: 2022/12/25
+modified: 2023/01/02
 tags:
     - attack.execution
     - attack.t1059.001
@@ -29,8 +29,8 @@ detection:
             - 'SuspendThread'
             - 'rundll32'
             # - 'FromBase64'
-            - 'Invoke-WMIMethod'
-            - 'http://127.0.0.1'
+            #- 'Invoke-WMIMethod' # Prone to FP
+            #- 'http://127.0.0.1' # Prone to FP
     condition: selection
 falsepositives:
     - Unknown
diff --git a/rules/windows/powershell/powershell_script/posh_ps_upload.yml b/rules/windows/powershell/powershell_script/posh_ps_upload.yml
index 766c40007..2ba788f2a 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_upload.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_upload.yml
@@ -8,6 +8,7 @@ references:
     - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-webrequest?view=powershell-7.2
 author: frack113
 date: 2022/01/07
+modified: 2023/01/02
 tags:
     - attack.exfiltration
     - attack.t1020
@@ -20,11 +21,12 @@ detection:
         ScriptBlockText|contains:
             - 'Invoke-WebRequest'
             - 'iwr '
-    selection_method:
+    selection_flag:
         ScriptBlockText|contains: '-Method '
     selection_verb:
-        - ' Put '
-        - ' Post '
+        ScriptBlockText|contains:
+            - ' Put '
+            - ' Post '
     condition: all of selection_*
 falsepositives:
     - Legitimate script
diff --git a/rules/windows/powershell/powershell_script/posh_ps_xml_iex.yml b/rules/windows/powershell/powershell_script/posh_ps_xml_iex.yml
index 20239ddca..78da29951 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_xml_iex.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_xml_iex.yml
@@ -9,6 +9,7 @@ references:
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-8---powershell-xml-requests
 author: frack113
 date: 2022/01/19
+modified: 2023/01/02
 tags:
     - attack.execution
     - attack.t1059.001
@@ -19,12 +20,13 @@ logsource:
 detection:
     selection_xml:
         ScriptBlockText|contains|all:
-            - New-Object
-            - System.Xml.XmlDocument
-            - .Load
+            - 'New-Object'
+            - 'System.Xml.XmlDocument'
+            - '.Load'
     selection_exec:
-        - IEX
-        - Invoke-Expression
+        ScriptBlockText|contains:
+            - 'IEX '
+            - 'Invoke-Expression '
     condition: all of selection_*
 falsepositives:
     - Legitimate administrative script
diff --git a/rules/windows/process_creation/proc_creation_win_malicious_cmdlets.yml b/rules/windows/process_creation/proc_creation_win_malicious_cmdlets.yml
new file mode 100644
index 000000000..dc17f37e7
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_malicious_cmdlets.yml
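Review bot: The trailing space added to `'IEX '` and `'Invoke-Expression '` in `selection_exec` of posh_ps_xml_iex.yml excludes the equally ordinary parenthesised call form, so `IEX(` no longer matches this rule; listing both `'IEX '` and `'IEX('` (and the same pair for `Invoke-Expression`) keeps the narrowing the commit wants without that gap. The `' Put '`/`' Post '` entries that the posh_ps_upload.yml hunk on this line wraps under `ScriptBlockText|contains:` have the same edge, since they require a character after the verb and a script block ending in `-Method Post` is missed; `'-Method Post'`/`'-Method Put'` would be tighter and would make `selection_flag` redundant. Both hunks fix a real defect (the old bare lists were unfielded keyword matches), so only the anchor choice is at issue here.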
@@ -0,0 +1,223 @@
+title: Malicious PowerShell Commandlets - ProcessCreation
+id: 02030f2f-6199-49ec-b258-ea71b07e03dc
+related:
+    - id: 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
+      type: derived
+status: experimental
+description: Detects Commandlet names from well-known PowerShell exploitation frameworks
+references:
+    - https://adsecurity.org/?p=2921
+    - https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries
+    - https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1
+    - https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1
+    - https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1
+    - https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1
+    - https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/ # Invoke-TotalExec
+    - https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/ # Invoke-TotalExec
+    - https://github.com/calebstewart/CVE-2021-1675 # Invoke-Nightmare
+    - https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1
+    - https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html
+author: Nasreddine Bencherchali
+modified: 2023/01/02
+tags:
+    - attack.execution
+    - attack.discovery
+    - attack.t1482
+    - attack.t1087
+    - attack.t1087.001
+    - attack.t1087.002
+    - attack.t1069.001
+    - attack.t1069.002
+    - attack.t1069
+    - attack.t1059.001
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        CommandLine|contains:
+            - 'Add-Exfiltration'
+            - 'Add-Persistence'
+            - 'Add-RegBackdoor'
+            - 'Add-ScrnSaveBackdoor'
+            - 'Check-VM'
+            - 'Do-Exfiltration'
+            - 'Enabled-DuplicateToken'
+            - 'Exploit-Jboss'
+            - 'Find-Fruit'
+            - 'Find-GPOLocation'
+            - 'Find-TrustedDocuments'
+            - 'Get-ApplicationHost'
+            - 'Get-ChromeDump'
+            - 'Get-ClipboardContents'
+            - 'Get-FoxDump'
+            - 'Get-GPPPassword'
+            - 'Get-IndexedItem'
+            - 'Get-Keystrokes'
+            - 'Get-LSASecret'
+            - 'Get-PassHashes'
+            - 'Get-RegAlwaysInstallElevated'
+            - 'Get-RegAutoLogon'
+            - 'Get-RickAstley'
+            - 'Get-Screenshot'
+            - 'Get-SecurityPackages'
+            - 'Get-ServiceFilePermission'
+            - 'Get-ServicePermission'
+            - 'Get-ServiceUnquoted'
+            - 'Get-SiteListPassword'
+            - 'Get-System'
+            - 'Get-TimedScreenshot'
+            - 'Get-UnattendedInstallFile'
+            - 'Get-Unconstrained'
+            - 'Get-USBKeystrokes'
+            - 'Get-VaultCredential'
+            - 'Get-VulnAutoRun'
+            - 'Get-VulnSchTask'
+            - 'Gupt-Backdoor'
+            - 'HTTP-Login'
+            - 'Install-ServiceBinary'
+            - 'Install-SSP'
+            - 'Invoke-ACLScanner'
+            - 'Invoke-ADSBackdoor'
+            - 'Invoke-AllChecks'
+            - 'Invoke-ARPScan'
+            - 'Invoke-AzureHound'
+            - 'Invoke-BackdoorLNK'
+            - 'Invoke-BadPotato'
+            - 'Invoke-BetterSafetyKatz'
+            - 'Invoke-BypassUAC'
+            - 'Invoke-Carbuncle'
+            - 'Invoke-Certify'
+            - 'Invoke-ConPtyShell'
+            - 'Invoke-CredentialInjection'
+            - 'Invoke-DAFT'
+            - 'Invoke-DCSync'
+            - 'Invoke-DinvokeKatz'
+            - 'Invoke-DllInjection'
+            - 'Invoke-DomainPasswordSpray'
+            - 'Invoke-DowngradeAccount'
+            - 'Invoke-EgressCheck'
+            - 'Invoke-Eyewitness'
+            - 'Invoke-FakeLogonScreen'
+            - 'Invoke-Farmer'
+            - 'Invoke-Get-RBCD-Threaded'
+            - 'Invoke-Gopher'
+            - 'Invoke-Grouper' # cover Invoke-GrouperX
+            - 'Invoke-HandleKatz'
+            - 'Invoke-Internalmonologue'
+            - 'Invoke-Inveigh'
+            - 'Invoke-InveighRelay'
+            - 'Invoke-KrbRelay'
+            - 'Invoke-LdapSignCheck'
+            - 'Invoke-Lockless'
+            - 'Invoke-MalSCCM'
+            - 'Invoke-Mimikatz'
+            - 'Invoke-Mimikittenz'
+            - 'Invoke-MITM6'
+            - 'Invoke-NanoDump'
+            - 'Invoke-NetRipper'
+            - 'Invoke-Nightmare'
+            - 'Invoke-NinjaCopy'
+            - 'Invoke-OfficeScrape'
+            - 'Invoke-OxidResolver'
+            - 'Invoke-P0wnedshell'
+            - 'Invoke-Paranoia'
+            - 'Invoke-PortScan'
+            - 'Invoke-PoshRatHttp'
+            - 'Invoke-PostExfil'
+            - 'Invoke-PowerDump'
+            - 'Invoke-PowerShellTCP'
+            - 'Invoke-PowerShellWMI'
+            - 'Invoke-PPLDump'
+            - 'Invoke-PsExec'
+            - 'Invoke-PSInject'
+            - 'Invoke-PsUaCme'
+            - 'Invoke-ReflectivePEInjection'
+            - 'Invoke-ReverseDNSLookup'
+            - 'Invoke-Rubeus'
+            - 'Invoke-RunAs'
+            - 'Invoke-SafetyKatz'
+            - 'Invoke-SauronEye'
+            - 'Invoke-SCShell'
+            - 'Invoke-Seatbelt'
+            - 'Invoke-ServiceAbuse'
+            - 'Invoke-ShadowSpray'
+            - 'Invoke-SharpAllowedToAct'
+            - 'Invoke-SharpBlock'
+            - 'Invoke-SharpBypassUAC'
+            - 'Invoke-SharpChromium'
+            - 'Invoke-SharpClipboard'
+            - 'Invoke-SharpCloud'
+            - 'Invoke-SharpDPAPI'
+            - 'Invoke-SharpDump'
+            - 'Invoke-SharPersist'
+            - 'Invoke-SharpGPOAbuse'
+            - 'Invoke-SharpGPO-RemoteAccessPolicies'
+            - 'Invoke-SharpHandler'
+            - 'Invoke-SharpHide'
+            - 'Invoke-Sharphound' # cover Invoke-SharpHound2, Invoke-SharpHound3,.
+            - 'Invoke-SharpImpersonation'
+            - 'Invoke-SharpImpersonationNoSpace'
+            - 'Invoke-SharpKatz'
+            - 'Invoke-SharpLdapRelayScan'
+            - 'Invoke-Sharplocker'
+            - 'Invoke-SharpLoginPrompt'
+            - 'Invoke-SharpMove'
+            - 'Invoke-SharpPrinter'
+            - 'Invoke-SharpPrintNightmare'
+            - 'Invoke-SharpRDP'
+            - 'Invoke-SharpSCCM'
+            - 'Invoke-SharpSecDump'
+            - 'Invoke-Sharpshares'
+            - 'Invoke-SharpSniper'
+            - 'Invoke-SharpSploit'
+            - 'Invoke-SharpSpray'
+            - 'Invoke-SharpSSDP'
+            - 'Invoke-SharpStay'
+            - 'Invoke-SharpUp'
+            - 'Invoke-Sharpview'
+            - 'Invoke-SharpWatson'
+            - 'Invoke-Sharpweb'
+            - 'Invoke-SharpWSUS'
+            - 'Invoke-Shellcode'
+            - 'Invoke-SMBScanner'
+            - 'Invoke-Snaffler'
+            - 'Invoke-Spoolsample'
+            - 'Invoke-SpraySinglePassword'
+            - 'Invoke-SSHCommand'
+            - 'Invoke-StandIn'
+            - 'Invoke-StickyNotesExtract'
+            - 'Invoke-Tater'
+            - 'Invoke-Thunderfox'
+            - 'Invoke-ThunderStruck'
+            - 'Invoke-TokenManipulation'
+            - 'Invoke-Tokenvator'
+            - 'Invoke-TotalExec'
+            - 'Invoke-UrbanBishop'
+            - 'Invoke-UserHunter'
+            - 'Invoke-VoiceTroll'
+            - 'Invoke-Whisker'
+            - 'Invoke-WinEnum'
+            - 'Invoke-winPEAS'
+            - 'Invoke-WireTap'
+            - 'Invoke-WmiCommand'
+            - 'Invoke-WScriptBypassUAC'
+            - 'Invoke-Zerologon'
+            - 'MailRaider'
+            - 'New-HoneyHash'
+            - 'Out-Minidump'
+            - 'Port-Scan'
+            - 'PowerBreach'
+            - 'PowerUp'
+            - 'PowerView'
+            - 'Remove-Update'
+            - 'Set-MacAttribute'
+            - 'Set-Wallpaper'
+            - 'Show-TargetScreen'
+            - 'Start-CaptureServer'
+            - 'Start-WebcamRecorder'
+            - 'VolumeShadowCopyTools'
+    condition: selection
+falsepositives:
+    - Unknown
+level: high
diff --git a/rules/windows/process_creation/proc_creation_win_netcat_execution.yml b/rules/windows/process_creation/proc_creation_win_netcat_execution.yml
index 175f33b88..5e5168ec7 100644
--- a/rules/windows/process_creation/proc_creation_win_netcat_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_netcat_execution.yml
@@ -1,13 +1,14 @@
-title: Ncat Execution
+title: Netcat Suspicious Execution
 id: e31033fc-33f0-4020-9a16-faf9b31cbf08
 status: experimental
-description: Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network
+description: Detects execution of Netcat. Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network
 references:
     - https://nmap.org/ncat/
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1095/T1095.md
+    - https://www.revshells.com/
 author: frack113, Florian Roth
 date: 2021/07/21
-modified: 2022/07/11
+modified: 2023/01/02
 tags:
     - attack.command_and_control
     - attack.t1095
@@ -18,6 +19,7 @@ detection:
     selection_img:
         # can not use OriginalFileName as is empty
         Image|endswith:
+            - '\nc.exe'
             - '\ncat.exe'
             - '\netcat.exe'
     selection_cmdline:
@@ -28,8 +30,11 @@ detection:
             - ' -l -v -p '
             - ' -lv -p '
             - ' -l --proxy-type http '
-            - ' --exec cmd.exe '
+            #- ' --exec cmd.exe ' # Not specific enough for netcat
             - ' -vnl --exec '
+            - ' -vnl -e '
+            - ' --lua-exec '
+            - ' --sh-exec '
     condition: 1 of selection_*
 falsepositives:
     - Legitimate ncat use
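Review bot: The new proc_creation_win_malicious_cmdlets.yml has `modified: 2023/01/02` but no `date:` line, while every other rule in this diff carries `date:` ahead of `modified:`; a freshly created rule should read `date: 2023/01/02` (with `modified` dropped until it actually changes), and the repository's metadata checks presumably expect the field. The inline comment `# cover Invoke-SharpHound2, Invoke-SharpHound3,.` has a stray `,.`; `# Covers Invoke-SharpHound2 and Invoke-SharpHound3` is what is meant. Short, unprefixed entries such as `'PowerUp'`, `'PowerView'` and `'Check-VM'` are substring matches anywhere in the command line, file paths included, so `falsepositives: - Unknown` is likely to need real entries once this runs at `level: high`.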
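Review bot: `'\nc.exe'` added to `selection_img` in proc_creation_win_netcat_execution.yml fires on the image name alone, because the condition in the last hunk is `1 of selection_*` and `selection_cmdline` is not required; a two-character basename collides with unrelated binaries far more readily than `ncat.exe` or `netcat.exe`, and the comment above it notes `OriginalFileName` cannot help here. Either require the command-line selection for that entry (a separate `selection_nc` joined with `selection_cmdline` in the condition) or at least widen `falsepositives` beyond `Legitimate ncat use`. The three new `-e`/`--lua-exec`/`--sh-exec` strings in the same hunk look consistent with the existing `' -vnl --exec '` entry.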
diff --git a/rules/windows/process_creation/proc_creation_win_susp_nmap.yml b/rules/windows/process_creation/proc_creation_win_nmap_zenmap.yml
similarity index 56%
rename from rules/windows/process_creation/proc_creation_win_susp_nmap.yml
rename to rules/windows/process_creation/proc_creation_win_nmap_zenmap.yml
index 748feff5a..87c2ea2e7 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_nmap.yml
+++ b/rules/windows/process_creation/proc_creation_win_nmap_zenmap.yml
@@ -1,13 +1,13 @@
-title: Suspicious Nmap Execution
+title: Nmap/Zenmap Execution
 id: f6ecd1cf-19b8-4488-97f6-00f0924991a3
 status: test
-description: Adversaries may attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation
+description: Detects usage of namp/zenmap. Adversaries may attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation
 references:
     - https://nmap.org/
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md#atomic-test-3---port-scan-nmap-for-windows
 author: frack113
 date: 2021/12/10
-modified: 2022/12/25
+modified: 2022/12/30
 tags:
     - attack.discovery
     - attack.t1046
@@ -16,7 +16,12 @@ logsource:
     product: windows
 detection:
     selection:
-        OriginalFileName: nmap.exe
+        - Image|endswith:
+              - '\nmap.exe'
+              - '\zennmap.exe'
+        - OriginalFileName:
+              - 'nmap.exe'
+              - 'zennmap.exe'
     condition: selection
 falsepositives:
     - Network administrator computer
diff --git a/rules/windows/process_creation/proc_creation_win_perl_inline_command_execution.yml b/rules/windows/process_creation/proc_creation_win_perl_inline_command_execution.yml
new file mode 100644
index 000000000..0b418d513
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_perl_inline_command_execution.yml
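Review bot: `'\zennmap.exe'` and `'zennmap.exe'` in the new `selection` of proc_creation_win_nmap_zenmap.yml look misspelled; the Zenmap GUI ships as `zenmap.exe` (single n), so as written the two Zenmap entries can never match and the rename's whole purpose is lost. Change them to `'\zenmap.exe'` and `'zenmap.exe'`. The new description in the first hunk has the same kind of slip, `Detects usage of namp/zenmap`, which should read `Detects usage of nmap/zenmap`; `modified: 2022/12/30` also differs from the `2023/01/02` every other file in this commit uses, which is harmless but worth aligning.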
@@ -0,0 +1,25 @@
+title: Perl Inline Command Execution Using "-e"
+id: f426547a-e0f7-441a-b63e-854ac5bdf54d
+status: experimental
+description: Detects execution of perl using the "-e"/"-E" flags. This is could be used as a way to launch a reverse shell or execute live perl code.
+references:
+    - https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
+    - https://www.revshells.com/
+author: Nasreddine Bencherchali
+date: 2023/01/02
+tags:
+    - attack.execution
+    - attack.t1059
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection_img:
+        - Image|endswith: '\perl.exe'
+        - OriginalFileName: 'perl.exe' # Also covers perlX.XX.exe
+    selection_cli:
+        CommandLine|contains: ' -e'
+    condition: all of selection_*
+falsepositives:
+    - Unknown
+level: medium
diff --git a/rules/windows/process_creation/proc_creation_win_php_inline_command_execution.yml b/rules/windows/process_creation/proc_creation_win_php_inline_command_execution.yml
new file mode 100644
index 000000000..d76462058
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_php_inline_command_execution.yml
@@ -0,0 +1,26 @@
+title: Php Inline Command Execution Using "-r"
+id: d81871ef-5738-47ab-9797-7a9c90cd4bfb
+status: experimental
+description: Detects execution of php using the "-r" flag. This is could be used as a way to launch a reverse shell or execute live php code.
+references:
+    - https://www.php.net/manual/en/features.commandline.php
+    - https://www.revshells.com/
+    - https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
+author: Nasreddine Bencherchali
+date: 2023/01/02
+tags:
+    - attack.execution
+    - attack.t1059
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection_img:
+        - Image|endswith: '\php.exe'
+        - OriginalFileName: 'php.exe'
+    selection_cli:
+        CommandLine|contains: ' -r'
+    condition: all of selection_*
+falsepositives:
+    - Unknown
+level: medium
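Review bot: `CommandLine|contains: ' -e'` in `selection_cli` of the new perl rule has no closing delimiter, and Sigma string matching is case-insensitive by default, so it matches any single-dash option that merely begins with e or E rather than the `-e`/`-E` the description names; the ruby rule on L29 has the identical shape and will also fire on ruby's `-E<encoding>` option, and the php (`' -r'`, same line) and python (`' -c'`, L28) rules share the pattern. Listing the delimited forms instead, `' -e '` plus the quoted variants `' -e"'` and `" -e'"`, keeps the intended coverage while cutting that class of false positive; if the looser match is deliberate, say so in `falsepositives` rather than leaving it at `Unknown`. All four descriptions also read `This is could be used`; `This could be used` is meant.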
diff --git a/rules/windows/process_creation/proc_creation_win_python_inline_command_execution.yml b/rules/windows/process_creation/proc_creation_win_python_inline_command_execution.yml
new file mode 100644
index 000000000..975197cf0
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_python_inline_command_execution.yml
@@ -0,0 +1,29 @@
+title: Python Inline Command Execution Using "-c"
+id: 899133d5-4d7c-4a7f-94ee-27355c879d90
+status: experimental
+description: Detects execution of python using the "-c" flag. This is could be used as a way to launch a reverse shell or execute live python code.
+references:
+    - https://docs.python.org/3/using/cmdline.html#cmdoption-c
+    - https://www.revshells.com/
+    - https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
+author: Nasreddine Bencherchali
+date: 2023/01/02
+tags:
+    - attack.execution
+    - attack.t1059
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection_img:
+        - Image|endswith:
+              - 'python.exe' # no \ bc of e.g. ipython.exe
+              - 'python3.exe'
+              - 'python2.exe'
+        - OriginalFileName : 'python.exe'
+    selection_cli:
+        CommandLine|contains: ' -c'
+    condition: all of selection_*
+falsepositives:
+    - Unknown
+level: medium
diff --git a/rules/windows/process_creation/proc_creation_win_ruby_inline_command_execution.yml b/rules/windows/process_creation/proc_creation_win_ruby_inline_command_execution.yml
new file mode 100644
index 000000000..29a542518
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_ruby_inline_command_execution.yml
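Review bot: `- OriginalFileName : 'python.exe'` in the new python rule has a space before the colon; YAML still yields the key `OriginalFileName` because trailing whitespace of a plain scalar is stripped, but it is the only such line in this commit and trips yamllint's `colons` rule, so write it as `- OriginalFileName: 'python.exe'`. The unanchored `'python.exe'` under `Image|endswith` is explained by its comment, but `'python3.exe'` and `'python2.exe'` get no such note and would presumably take a leading backslash like the sibling rules; either add it or extend the comment to cover all three.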
@@ -0,0 +1,25 @@
+title: Ruby Inline Command Execution Using "-e"
+id: 20a5ffa1-3848-4584-b6f8-c7c7fd9f69c8
+status: experimental
+description: Detects execution of ruby using the "-e" flag. This is could be used as a way to launch a reverse shell or execute live ruby code.
+references:
+    - https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
+    - https://www.revshells.com/
+author: Nasreddine Bencherchali
+date: 2023/01/02
+tags:
+    - attack.execution
+    - attack.t1059
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection_img:
+        - Image|endswith: '\ruby.exe'
+        - OriginalFileName: 'ruby.exe'
+    selection_cli:
+        CommandLine|contains: ' -e'
+    condition: all of selection_*
+falsepositives:
+    - Unknown
+level: medium
diff --git a/rules/windows/process_creation/proc_creation_win_sharp_ldap_monitor.yml b/rules/windows/process_creation/proc_creation_win_sharp_ldap_monitor.yml
new file mode 100644
index 000000000..326d40318
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_sharp_ldap_monitor.yml
@@ -0,0 +1,26 @@
+title: SharpLDAPmonitor Execution
+id: 9f8fc146-1d1a-4dbf-b8fd-dfae15e08541
+status: experimental
+description: Detects execution of the SharpLDAPmonitor. Which can monitor the creation, deletion and changes to LDAP objects.
+references:
+    - https://github.com/p0dalirius/LDAPmonitor
+author: Nasreddine Bencherchali
+date: 2022/12/30
+tags:
+    - attack.discovery
+logsource:
+    product: windows
+    category: process_creation
+detection:
+    selection_img:
+        - Image|endswith: '\SharpLDAPmonitor.exe'
+        - OriginalFileName: 'SharpLDAPmonitor.exe'
+    selection_cli:
+        CommandLine|contains|all:
+            - '/user:'
+            - '/pass:'
+            - '/dcip:'
+    condition: 1 of selection_*
+falsepositives:
+    - Unknown
+level: medium
diff --git a/rules/windows/process_creation/proc_creation_win_susp_wuauclt.yml b/rules/windows/process_creation/proc_creation_win_susp_wuauclt.yml
index 8369716b3..62b624552 100644
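Review bot: The description of the new SharpLDAPmonitor rule is a sentence fragment, `Detects execution of the SharpLDAPmonitor. Which can monitor the creation, deletion and changes to LDAP objects.`; `Detects execution of SharpLDAPmonitor, which can monitor the creation, deletion and modification of LDAP objects.` reads as one sentence. Its `logsource` also lists `product` before `category`, the reverse of every other rule in this commit; not an error, but worth aligning for diffability. The `1 of selection_*` condition means the three `/user:`/`/pass:`/`/dcip:` switches alone trigger the rule, which is probably intended for renamed binaries but deserves a one-line comment above `selection_cli` saying so.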
--- a/rules/windows/process_creation/proc_creation_win_susp_wuauclt.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_wuauclt.yml
@@ -16,14 +16,14 @@ logsource:
     product: windows
     category: process_creation
 detection:
+    selection_img:
+        - Image|endswith: '\wuauclt.exe'
+        - OriginalFileName: 'wuauclt.exe'
     selection_cli:
         CommandLine|contains|all:
             - '/UpdateDeploymentProvider'
             - '/RunHandlerComServer'
             - '.dll'
-    selection_img:
-        - Image|endswith: '\wuauclt.exe'
-        - OriginalFileName: 'wuauclt.exe'
     filter:
         CommandLine|contains:
             - ' /ClassId '