feat: updates and enhancements

Nasreddine Bencherchali
2023-01-02 14:49:45 +01:00
parent 2589ffe6b7
commit a99b5082e1
21 changed files with 793 additions and 447 deletions
@@ -1,30 +0,0 @@
title: AzureHound PowerShell Commands
id: 83083ac6-1816-4e76-97d7-59af9a9ae46e
status: experimental
description: Detects the execution of AzureHound in PowerShell, a tool to gather data from Azure for BloodHound
references:
- https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1
- https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html
author: Austin Songer (@austinsonger)
date: 2021/10/23
modified: 2022/01/12
tags:
- attack.discovery
- attack.t1482
- attack.t1087
- attack.t1087.001
- attack.t1087.002
- attack.t1069.001
- attack.t1069.002
- attack.t1069
logsource:
product: windows
category: ps_script
definition: Script Block Logging must be enabled
detection:
selection:
ScriptBlockText|contains: Invoke-AzureHound
condition: selection
falsepositives:
- Unknown
level: high
@@ -1,23 +0,0 @@
title: PrintNightmare Powershell Exploitation
id: 6d3f1399-a81c-4409-aff3-1ecfe9330baf
status: test
description: Detects Commandlet name for PrintNightmare exploitation.
references:
- https://github.com/calebstewart/CVE-2021-1675
author: Max Altgelt, Tobias Michalski
date: 2021/08/09
modified: 2021/10/16
tags:
- attack.privilege_escalation
- attack.t1548
logsource:
product: windows
category: ps_script
definition: Script Block Logging must be enabled
detection:
selection:
ScriptBlockText|contains: 'Invoke-Nightmare'
condition: selection
falsepositives:
- Unknown
level: high
@@ -1,8 +1,12 @@
title: Malicious PowerShell Commandlets
title: Malicious PowerShell Commandlets - ScriptBlock
id: 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
related:
- id: f331aa1f-8c53-4fc3-b083-cc159bc971cb
type: similar
- id: 6d3f1399-a81c-4409-aff3-1ecfe9330baf
type: obsoletes
- id: 83083ac6-1816-4e76-97d7-59af9a9ae46e
type: obsoletes
status: test
description: Detects Commandlet names from well-known PowerShell exploitation frameworks
references:
@@ -14,120 +18,91 @@ references:
- https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1
- https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/ # Invoke-TotalExec
- https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/ # Invoke-TotalExec
author: Sean Metcalf (source), Florian Roth (rule), Bartlomiej Czyz @bczyz1 (update), oscd.community (update), Nasreddine Bencherchali (update), Tim Shelton (fp), Mustafa Kaan Demir (update), Georg Lauenstein (update)
- https://github.com/calebstewart/CVE-2021-1675 # Invoke-Nightmare
- https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1
- https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html
author: Sean Metcalf (source), Florian Roth (rule), Bartlomiej Czyz @bczyz1 (update), oscd.community (update), Nasreddine Bencherchali (update), Tim Shelton (fp), Mustafa Kaan Demir (update), Georg Lauenstein (update), Max Altgelt (update), Tobias Michalski (update), Austin Songer (@austinsonger) (update)
date: 2017/03/05
modified: 2022/12/27
modified: 2023/01/02
tags:
- attack.execution
- attack.discovery
- attack.t1482
- attack.t1087
- attack.t1087.001
- attack.t1087.002
- attack.t1069.001
- attack.t1069.002
- attack.t1069
- attack.t1059.001
logsource:
product: windows
category: ps_script
definition: Script Block Logging must be enabled
detection:
select_Malicious:
selection:
ScriptBlockText|contains:
- 'Invoke-DllInjection'
- 'Invoke-Shellcode'
- 'Invoke-WmiCommand'
- 'Get-GPPPassword'
- 'Get-Keystrokes'
- 'Get-TimedScreenshot'
- 'Get-VaultCredential'
- 'Invoke-CredentialInjection'
- 'Invoke-Mimikatz'
- 'Invoke-NinjaCopy'
- 'Invoke-TokenManipulation'
- 'Out-Minidump'
- 'VolumeShadowCopyTools'
- 'Invoke-ReflectivePEInjection'
- 'Invoke-UserHunter'
- 'Find-GPOLocation'
- 'Invoke-ACLScanner'
- 'Invoke-DowngradeAccount'
- 'Get-ServiceUnquoted'
- 'Get-ServiceFilePermission'
- 'Get-ServicePermission'
- 'Invoke-ServiceAbuse'
- 'Install-ServiceBinary'
- 'Get-RegAutoLogon'
- 'Get-VulnAutoRun'
- 'Get-VulnSchTask'
- 'Get-UnattendedInstallFile'
- 'Get-ApplicationHost'
- 'Get-RegAlwaysInstallElevated'
- 'Get-Unconstrained'
- 'Add-RegBackdoor'
- 'Add-ScrnSaveBackdoor'
- 'Gupt-Backdoor'
- 'Invoke-ADSBackdoor'
- 'Enabled-DuplicateToken'
- 'Invoke-PsUaCme'
- 'Remove-Update'
- 'Check-VM'
- 'Get-LSASecret'
- 'Get-PassHashes'
- 'Show-TargetScreen'
- 'Port-Scan'
- 'Invoke-PoshRatHttp'
- 'Invoke-PowerShellTCP'
- 'Invoke-PowerShellWMI'
- 'Add-Exfiltration'
- 'Add-Persistence'
- 'Add-RegBackdoor'
- 'Add-ScrnSaveBackdoor'
- 'Check-VM'
- 'Do-Exfiltration'
- 'Start-CaptureServer'
- 'Enabled-DuplicateToken'
- 'Exploit-Jboss'
- 'Find-Fruit'
- 'Find-GPOLocation'
- 'Find-TrustedDocuments'
- 'Get-ApplicationHost'
- 'Get-ChromeDump'
- 'Get-ClipboardContents'
- 'Get-FoxDump'
- 'Get-GPPPassword'
- 'Get-IndexedItem'
- 'Get-Keystrokes'
- 'Get-LSASecret'
- 'Get-PassHashes'
- 'Get-RegAlwaysInstallElevated'
- 'Get-RegAutoLogon'
- 'Get-RickAstley'
- 'Get-Screenshot'
- 'Invoke-Inveigh'
- 'Invoke-NetRipper'
- 'Invoke-EgressCheck'
- 'Invoke-PostExfil'
- 'Invoke-PSInject'
- 'Invoke-RunAs'
- 'MailRaider'
- 'New-HoneyHash'
- 'Set-MacAttribute'
- 'Invoke-DCSync'
- 'Invoke-PowerDump'
- 'Exploit-Jboss'
- 'Invoke-ThunderStruck'
- 'Invoke-VoiceTroll'
- 'Set-Wallpaper'
- 'Invoke-InveighRelay'
- 'Invoke-PsExec'
- 'Invoke-SSHCommand'
- 'Get-SecurityPackages'
- 'Install-SSP'
- 'Invoke-BackdoorLNK'
- 'PowerBreach'
- 'Get-ServiceFilePermission'
- 'Get-ServicePermission'
- 'Get-ServiceUnquoted'
- 'Get-SiteListPassword'
- 'Get-System'
- 'Invoke-BypassUAC'
- 'Invoke-Tater'
- 'Invoke-WScriptBypassUAC'
- 'PowerUp'
- 'PowerView'
- 'Get-RickAstley'
- 'Find-Fruit'
- 'Get-TimedScreenshot'
- 'Get-UnattendedInstallFile'
- 'Get-Unconstrained'
- 'Get-USBKeystrokes'
- 'Get-VaultCredential'
- 'Get-VulnAutoRun'
- 'Get-VulnSchTask'
- 'Gupt-Backdoor'
- 'HTTP-Login'
- 'Find-TrustedDocuments'
- 'Invoke-Paranoia'
- 'Invoke-WinEnum'
- 'Invoke-ARPScan'
- 'Invoke-PortScan'
- 'Invoke-ReverseDNSLookup'
- 'Invoke-SMBScanner'
- 'Invoke-Mimikittenz'
- 'Install-ServiceBinary'
- 'Install-SSP'
- 'Invoke-ACLScanner'
- 'Invoke-ADSBackdoor'
- 'Invoke-AllChecks'
- 'Invoke-ARPScan'
- 'Invoke-AzureHound'
- 'Invoke-BackdoorLNK'
- 'Invoke-BadPotato'
- 'Invoke-BetterSafetyKatz'
- 'Invoke-BypassUAC'
- 'Invoke-Carbuncle'
- 'Invoke-Certify'
- 'Invoke-ConPtyShell'
- 'Invoke-CredentialInjection'
- 'Invoke-DAFT'
- 'Invoke-DCSync'
- 'Invoke-DinvokeKatz'
- 'Invoke-DllInjection'
- 'Invoke-DomainPasswordSpray'
- 'Invoke-DowngradeAccount'
- 'Invoke-EgressCheck'
- 'Invoke-Eyewitness'
- 'Invoke-FakeLogonScreen'
- 'Invoke-Farmer'
@@ -136,22 +111,43 @@ detection:
- 'Invoke-Grouper' # cover Invoke-GrouperX
- 'Invoke-HandleKatz'
- 'Invoke-Internalmonologue'
- 'Invoke-Inveigh'
- 'Invoke-InveighRelay'
- 'Invoke-KrbRelay'
- 'Invoke-LdapSignCheck'
- 'Invoke-Lockless'
- 'Invoke-MITM6'
- 'Invoke-MalSCCM'
- 'Invoke-Mimikatz'
- 'Invoke-Mimikittenz'
- 'Invoke-MITM6'
- 'Invoke-NanoDump'
- 'Invoke-NetRipper'
- 'Invoke-Nightmare'
- 'Invoke-NinjaCopy'
- 'Invoke-OfficeScrape'
- 'Invoke-OxidResolver'
- 'Invoke-P0wnedshell'
- 'Invoke-Paranoia'
- 'Invoke-PortScan'
- 'Invoke-PoshRatHttp'
- 'Invoke-PostExfil'
- 'Invoke-PowerDump'
- 'Invoke-PowerShellTCP'
- 'Invoke-PowerShellWMI'
- 'Invoke-PPLDump'
- 'Invoke-PsExec'
- 'Invoke-PSInject'
- 'Invoke-PsUaCme'
- 'Invoke-ReflectivePEInjection'
- 'Invoke-ReverseDNSLookup'
- 'Invoke-Rubeus'
- 'Invoke-SCShell'
- 'Invoke-RunAs'
- 'Invoke-SafetyKatz'
- 'Invoke-SauronEye'
- 'Invoke-SCShell'
- 'Invoke-Seatbelt'
- 'Invoke-ServiceAbuse'
- 'Invoke-ShadowSpray'
- 'Invoke-SharPersist'
- 'Invoke-SharpAllowedToAct'
- 'Invoke-SharpBlock'
- 'Invoke-SharpBypassUAC'
@@ -160,58 +156,80 @@ detection:
- 'Invoke-SharpCloud'
- 'Invoke-SharpDPAPI'
- 'Invoke-SharpDump'
- 'Invoke-SharpGPO-RemoteAccessPolicies'
- 'Invoke-SharPersist'
- 'Invoke-SharpGPOAbuse'
- 'Invoke-SharpGPO-RemoteAccessPolicies'
- 'Invoke-SharpHandler'
- 'Invoke-SharpHide'
- 'Invoke-Sharphound' # cover Invoke-SharpHound2, Invoke-SharpHound3,.
- 'Invoke-SharpImpersonation'
- 'Invoke-SharpImpersonationNoSpace'
- 'Invoke-SharpKatz'
- 'Invoke-SharpLdapRelayScan'
- 'Invoke-Sharplocker'
- 'Invoke-SharpLoginPrompt'
- 'Invoke-SharpMove'
- 'Invoke-SharpPrintNightmare'
- 'Invoke-SharpPrinter'
- 'Invoke-SharpPrintNightmare'
- 'Invoke-SharpRDP'
- 'Invoke-SharpSCCM'
- 'Invoke-SharpSSDP'
- 'Invoke-SharpSecDump'
- 'Invoke-Sharpshares'
- 'Invoke-SharpSniper'
- 'Invoke-SharpSploit'
- 'Invoke-SharpSpray'
- 'Invoke-SharpSSDP'
- 'Invoke-SharpStay'
- 'Invoke-SharpUp'
- 'Invoke-SharpWSUS'
- 'Invoke-SharpWatson'
- 'Invoke-Sharphound' # cover Invoke-SharpHound2, Invoke-SharpHound3,.
- 'Invoke-Sharplocker'
- 'Invoke-Sharpshares'
- 'Invoke-Sharpview'
- 'Invoke-SharpWatson'
- 'Invoke-Sharpweb'
- 'Invoke-SharpWSUS'
- 'Invoke-Shellcode'
- 'Invoke-SMBScanner'
- 'Invoke-Snaffler'
- 'Invoke-Spoolsample'
- 'Invoke-SpraySinglePassword'
- 'Invoke-SSHCommand'
- 'Invoke-StandIn'
- 'Invoke-StickyNotesExtract'
- 'Invoke-TotalExec'
- 'Invoke-Tater'
- 'Invoke-Thunderfox'
- 'Invoke-ThunderStruck'
- 'Invoke-TokenManipulation'
- 'Invoke-Tokenvator'
- 'Invoke-TotalExec'
- 'Invoke-UrbanBishop'
- 'Invoke-UserHunter'
- 'Invoke-VoiceTroll'
- 'Invoke-Whisker'
- 'Invoke-WireTap'
- 'Invoke-WinEnum'
- 'Invoke-winPEAS'
- 'Invoke-WireTap'
- 'Invoke-WmiCommand'
- 'Invoke-WScriptBypassUAC'
- 'Invoke-Zerologon'
- 'Get-USBKeystrokes'
- 'MailRaider'
- 'New-HoneyHash'
- 'Out-Minidump'
- 'Port-Scan'
- 'PowerBreach'
- 'PowerUp'
- 'PowerView'
- 'Remove-Update'
- 'Set-MacAttribute'
- 'Set-Wallpaper'
- 'Show-TargetScreen'
- 'Start-CaptureServer'
- 'Start-WebcamRecorder'
- 'Invoke-OfficeScrape'
- 'Invoke-DomainPasswordSpray'
- 'Invoke-SpraySinglePassword'
false_positive1:
- 'VolumeShadowCopyTools'
filter_1:
ScriptBlockText|contains:
- Get-SystemDriveInfo # http://bheltborg.dk/Windows/WinSxS/amd64_microsoft-windows-maintenancediagnostic_31bf3856ad364e35_10.0.10240.16384_none_91ef7543a4514b5e/CL_Utility.ps1
- C:\ProgramData\Amazon\EC2-Windows\Launch\Module\ # false positive form Amazon EC2
false_positive2:
filter_2:
ScriptBlockText|startswith: '# Copyright 2016 Amazon.com, Inc. or its affiliates. All Rights Reserved'
condition: select_Malicious and not 1 of false_positive*
condition: selection and not 1 of filter_*
falsepositives:
- Unknown
level: high
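Review bot: Both exclusions in the new `filter_1` / `filter_2` are keyed on attacker-controllable script content — a `ScriptBlockText|contains` on `C:\ProgramData\Amazon\EC2-Windows\Launch\Module\` and a `startswith` on `# Copyright 2016 Amazon.com, Inc. or its affiliates. All Rights Reserved` — so a malicious script that embeds either string is exempted from every commandlet name in this rule; the commit only renames `false_positive*` to `filter_*` and does not narrow them. If the `ps_script` source exposes the script path (e.g. a `Path` field), tie the Amazon exclusion to that field instead, and at minimum record the weakness in `falsepositives` (e.g. `- Scripts that embed the Amazon EC2 launch-module path or copyright header are excluded and can be used to evade this rule`) rather than leaving it as `Unknown`. Separately, the `related` block marks PrintNightmare rule 6d3f1399 as obsoleted and its `Invoke-Nightmare` string is merged in, but its `attack.privilege_escalation` / `attack.t1548` tags are not carried over, whereas the AzureHound rule's tags are; add `- attack.privilege_escalation` and `- attack.t1548` under `tags` so the merged rule keeps that mapping.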
@@ -6,7 +6,7 @@ references:
- https://github.com/samratashok/nishang
author: Alec Costello
date: 2019/05/16
modified: 2022/08/29
modified: 2023/01/02
tags:
- attack.execution
- attack.t1059.001
@@ -17,77 +17,77 @@ logsource:
detection:
selection:
ScriptBlockText|contains:
- Add-ConstrainedDelegationBackdoor
- Set-DCShadowPermissions
- DNS_TXT_Pwnage
- Execute-OnTime
- HTTP-Backdoor
- Set-RemotePSRemoting
- Set-RemoteWMI
- Invoke-AmsiBypass
- Out-CHM
- Out-HTA
- Out-SCF
- Out-SCT
- Out-Shortcut
- Out-WebQuery
- Out-Word
- Enable-Duplication
- Remove-Update
- Download-Execute-PS
- Download_Execute
- Execute-Command-MSSQL
- Execute-DNSTXT-Code
- Out-RundllCommand
- Copy-VSS
- FireBuster
- FireListener
- Get-Information
- Get-PassHints
- Get-WLAN-Keys
- Get-Web-Credentials
- Invoke-CredentialsPhish
- Invoke-MimikatzWDigestDowngrade
- Invoke-SSIDExfil
- Invoke-SessionGopher
- Keylogger
- Invoke-Interceptor
- Create-MultipleSessions
- Invoke-NetworkRelay
- Run-EXEonRemote
- Invoke-Prasadhak
- Invoke-BruteForce
- Password-List
- Invoke-JSRatRegsvr
- Invoke-JSRatRundll
- Invoke-PoshRatHttps
- Invoke-PowerShellIcmp
- Invoke-PowerShellUdp
- Invoke-PSGcat
- Invoke-PsGcatAgent
- Remove-PoshRat
- Add-Persistence
- ExetoText
- Invoke-Decode
- Invoke-Encode
- Parse_Keys
- Remove-Persistence
- StringtoBase64
- TexttoExe
- Powerpreter
- Nishang
- DataToEncode
- LoggedKeys
- OUT-DNSTXT
# - Jitter # Prone to FPs
- ExfilOption
- DumpCerts
- DumpCreds
- Shellcode32
- Shellcode64
- NotAllNameSpaces
- exfill
- FakeDC
- 'Add-ConstrainedDelegationBackdoor'
- 'Add-Persistence'
- 'Copy-VSS'
- 'Create-MultipleSessions'
- 'DataToEncode'
- 'DNS_TXT_Pwnage'
- 'Download_Execute'
- 'Download-Execute-PS'
- 'DumpCerts'
- 'DumpCreds'
- 'Enable-Duplication'
- 'Execute-Command-MSSQL'
- 'Execute-DNSTXT-Code'
- 'Execute-OnTime'
- 'ExetoText'
- 'exfill'
- 'ExfilOption'
- 'FakeDC'
- 'FireBuster'
- 'FireListener'
- 'Get-Information'
- 'Get-PassHints'
- 'Get-Web-Credentials'
- 'Get-WLAN-Keys'
- 'HTTP-Backdoor'
- 'Invoke-AmsiBypass'
- 'Invoke-BruteForce'
- 'Invoke-CredentialsPhish'
- 'Invoke-Decode'
- 'Invoke-Encode'
- 'Invoke-Interceptor'
- 'Invoke-JSRatRegsvr'
- 'Invoke-JSRatRundll'
- 'Invoke-MimikatzWDigestDowngrade'
- 'Invoke-NetworkRelay'
- 'Invoke-PoshRatHttps'
- 'Invoke-PowerShellIcmp'
- 'Invoke-PowerShellUdp'
- 'Invoke-Prasadhak'
- 'Invoke-PSGcat'
- 'Invoke-PsGcatAgent'
- 'Invoke-SessionGopher'
- 'Invoke-SSIDExfil'
#- Jitter # Prone to FPs
- 'Keylogger'
- 'LoggedKeys'
- 'Nishang'
- 'NotAllNameSpaces'
- 'Out-CHM'
- 'OUT-DNSTXT'
- 'Out-HTA'
- 'Out-RundllCommand'
- 'Out-SCF'
- 'Out-SCT'
- 'Out-Shortcut'
- 'Out-WebQuery'
- 'Out-Word'
- 'Parse_Keys'
- 'Password-List'
- 'Powerpreter'
- 'Remove-Persistence'
- 'Remove-PoshRat'
- 'Remove-Update'
- 'Run-EXEonRemote'
- 'Set-DCShadowPermissions'
- 'Set-RemotePSRemoting'
- 'Set-RemoteWMI'
- 'Shellcode32'
- 'Shellcode64'
- 'StringtoBase64'
- 'TexttoExe'
condition: selection
falsepositives:
- Unknown
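Review bot: `'Add-Persistence'` and `'Remove-Update'` stay in this list although the same strings are also in the new sorted list of the Malicious PowerShell Commandlets rule 89819aa4, while the same commit comments out `Out-Minidump` in another rule with `# Covered in 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6`; apply the same de-duplication here or accept the double alert and say so in a comment so the next editor does not "fix" it one way or the other. Several entries are also short generic tokens that a case-insensitive `contains` will match inside unrelated words, comments or variable names — `'exfill'`, `'Keylogger'`, `'Nishang'`, `'Password-List'` — so `falsepositives: Unknown` understates the risk; consider `- Scripts or comments that mention keyloggers, exfiltration or Nishang by name (e.g. security tooling, training material)` and, if noise appears, dropping the bare `'exfill'` entry. The quoting changes themselves are fine; none of the patterns contain YAML-significant characters.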
@@ -9,7 +9,7 @@ references:
- https://adsecurity.org/?p=2277
author: Bhabesh Raj
date: 2021/05/18
modified: 2022/12/25
modified: 2023/01/02
tags:
- attack.execution
- attack.t1059.001
@@ -20,128 +20,85 @@ logsource:
detection:
selection:
ScriptBlockText|contains:
- Export-PowerViewCSV
- Get-IPAddress
- Resolve-IPAddress
- Convert-NameToSid
- ConvertTo-SID
- Convert-ADName
- ConvertFrom-UACValue
- Add-RemoteConnection
- Remove-RemoteConnection
- Invoke-UserImpersonation
- Invoke-RevertToSelf
- Request-SPNTicket
- Get-DomainSPNTicket
- Invoke-Kerberoast
- Get-PathAcl
- Get-DNSZone
- Get-DomainDNSZone
- Get-DNSRecord
- Get-DomainDNSRecord
- Get-NetDomain
- Get-Domain
- Get-NetDomainController
- Get-DomainController
- Get-NetForest
- Get-Forest
- Get-NetForestDomain
- Get-ForestDomain
- Get-NetForestCatalog
- Get-ForestGlobalCatalog
- Find-DomainObjectPropertyOutlier
- Get-NetUser
- Get-DomainUser
- New-DomainUser
- Set-DomainUserPassword
- Get-UserEvent
- Get-DomainUserEvent
- Get-NetComputer
- Get-DomainComputer
- Get-ADObject
- Get-DomainObject
- Set-ADObject
- Set-DomainObject
- Get-ObjectAcl
- Get-DomainObjectAcl
- Add-ObjectAcl
- Add-DomainObjectAcl
- Invoke-ACLScanner
- Find-InterestingDomainAcl
- Get-NetOU
- Get-DomainOU
- Get-NetSite
- Get-DomainSite
- Get-NetSubnet
- Get-DomainSubnet
- Get-DomainSID
- Get-NetGroup
- Get-DomainGroup
- New-DomainGroup
- Find-ManagedSecurityGroups
- Get-DomainManagedSecurityGroup
- Get-NetGroupMember
- Get-DomainGroupMember
- Add-DomainGroupMember
- Get-NetFileServer
- Get-DomainFileServer
- Get-DFSshare
- Get-DomainDFSShare
- Get-NetGPO
- Get-DomainGPO
- Get-NetGPOGroup
- Get-DomainGPOLocalGroup
- Find-GPOLocation
- Get-DomainGPOUserLocalGroupMapping
- Find-GPOComputerAdmin
- Get-DomainGPOComputerLocalGroupMapping
- Get-DomainPolicy
- Get-NetLocalGroup
- Get-NetLocalGroupMember
- Get-NetShare
- Get-NetLoggedon
- Get-NetSession
- Get-LoggedOnLocal
- Get-RegLoggedOn
- Get-NetRDPSession
- Invoke-CheckLocalAdminAccess
- Test-AdminAccess
- Get-SiteName
- Get-NetComputerSiteName
- Get-Proxy
- Get-WMIRegProxy
- Get-LastLoggedOn
- Get-WMIRegLastLoggedOn
- Get-CachedRDPConnection
- Get-WMIRegCachedRDPConnection
- Get-RegistryMountedDrive
- Get-WMIRegMountedDrive
- Get-NetProcess
- Get-WMIProcess
- Find-InterestingFile
- Invoke-UserHunter
- Find-DomainUserLocation
- Invoke-ProcessHunter
- Find-DomainProcess
- Invoke-EventHunter
- Find-DomainUserEvent
- Invoke-ShareFinder
- Find-DomainShare
- Invoke-FileFinder
- Find-InterestingDomainShareFile
- Find-LocalAdminAccess
- Invoke-EnumerateLocalAdmin
- Find-DomainLocalGroupMember
- Get-NetDomainTrust
- Get-DomainTrust
- Get-NetForestTrust
- Get-ForestTrust
- Find-ForeignUser
- Get-DomainForeignUser
- Find-ForeignGroup
- Get-DomainForeignGroupMember
- Invoke-MapDomainTrust
- Get-DomainTrustMapping
- 'Add-DomainGroupMember'
- 'Add-DomainObjectAcl'
- 'Add-ObjectAcl'
- 'Add-RemoteConnection'
- 'Convert-ADName'
- 'ConvertFrom-UACValue'
- 'Convert-NameToSid'
- 'ConvertTo-SID'
- 'Export-PowerViewCSV'
- 'Find-DomainLocalGroupMember'
- 'Find-DomainObjectPropertyOutlier'
- 'Find-DomainProcess'
- 'Find-DomainShare'
- 'Find-DomainUserEvent'
- 'Find-DomainUserLocation'
- 'Find-ForeignGroup'
- 'Find-ForeignUser'
- 'Find-GPOComputerAdmin'
- 'Find-GPOLocation'
- 'Find-InterestingDomain' # Covers: Find-InterestingDomainAcl, Find-InterestingDomainShareFile
- 'Find-InterestingFile'
- 'Find-LocalAdminAccess'
- 'Find-ManagedSecurityGroups'
- 'Get-ADObject'
- 'Get-CachedRDPConnection'
- 'Get-DFSshare'
- 'Get-DNSRecord'
- 'Get-DNSZone'
- 'Get-Domain' # Covers Cmdlets like: DomainComputer, DomainController, DomainDFSShare, DomainDNSRecord, DomainGPO...etc.
- 'Get-Forest' # Covers: Get-ForestDomain, Get-ForestGlobalCatalog, Get-ForestTrust
- 'Get-IPAddress'
- 'Get-LastLoggedOn'
- 'Get-LoggedOnLocal'
- 'Get-NetComputer' # Covers: Get-NetComputerSiteName
- 'Get-NetDomain' # Covers: Get-NetDomainController, Get-NetDomainTrust
- 'Get-NetFileServer'
- 'Get-NetForest' # Covers: Get-NetForestCatalog, Get-NetForestDomain, Get-NetForestTrust
- 'Get-NetGPO' # Covers: Get-NetGPOGroup
- 'Get-NetGroup' # Covers: Get-NetGroupMember
- 'Get-NetLocalGroup' # Covers: NetLocalGroupMember
- 'Get-NetLoggedon'
- 'Get-NetOU'
- 'Get-NetProcess'
- 'Get-NetRDPSession'
- 'Get-NetSession'
- 'Get-NetShare'
- 'Get-NetSite'
- 'Get-NetSubnet'
- 'Get-NetUser'
- 'Get-ObjectAcl'
- 'Get-PathAcl'
- 'Get-Proxy'
- 'Get-RegistryMountedDrive'
- 'Get-RegLoggedOn'
- 'Get-SiteName'
- 'Get-UserEvent'
- 'Get-WMIProcess'
- 'Get-WMIReg' # Covers: Get-WMIRegCachedRDPConnection, Get-WMIRegLastLoggedOn, Get-WMIRegMountedDrive, WMIRegProxy
- 'Invoke-ACLScanner'
- 'Invoke-CheckLocalAdminAccess'
- 'Invoke-EnumerateLocalAdmin'
- 'Invoke-EventHunter'
- 'Invoke-FileFinder'
- 'Invoke-Kerberoast'
- 'Invoke-MapDomainTrust'
- 'Invoke-ProcessHunter'
- 'Invoke-RevertToSelf'
- 'Invoke-ShareFinder'
- 'Invoke-UserHunter'
- 'Invoke-UserImpersonation'
- 'New-DomainGroup'
- 'New-DomainUser'
- 'Remove-RemoteConnection'
- 'Request-SPNTicket'
- 'Resolve-IPAddress'
- 'Set-ADObject'
- 'Set-DomainObject'
- 'Set-DomainUserPassword'
- 'Test-AdminAccess'
condition: selection
falsepositives:
- Should not be any as administrators do not use this tool
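Review bot: The new prefix entries `'Get-Domain'`, `'Get-Forest'`, `'Get-NetComputer'` and `'Get-WMIReg'` widen the match well beyond the PowerView cmdlets named in their comments, and the list still carries `'Get-ADObject'` and `'Set-ADObject'`, which are also the names of cmdlets in Microsoft's ActiveDirectory module, so the statement `Should not be any as administrators do not use this tool` no longer holds for this rule. Suggest replacing it with `- Legitimate use of the ActiveDirectory module (Get-ADObject/Set-ADObject) or other cmdlets whose names start with Get-Domain, Get-Forest or Get-NetComputer` and, if noise matters, dropping the two `*-ADObject` entries in favour of PowerView-specific names. Exchange's `Get-DomainController` cmdlet (already matched by the `Get-Domain` prefix) is another likely benign hit — worth confirming against your environment before keeping `level` unchanged.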
@@ -9,6 +9,7 @@ references:
- https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/new-pssession?view=powershell-7.2
author: frack113
date: 2022/01/06
modified: 2023/01/02
tags:
- attack.execution
- attack.t1059.001
@@ -19,7 +20,7 @@ logsource:
detection:
selection:
ScriptBlockText|contains|all:
- New-PSSession
- 'New-PSSession'
- '-ComputerName '
condition: selection
falsepositives:
@@ -6,7 +6,7 @@ references:
- https://github.com/Shellntel/scripts/
author: Max Altgelt, Tobias Michalski
date: 2021/08/09
modified: 2022/12/25
modified: 2023/01/02
tags:
- attack.execution
- attack.t1059.001
@@ -17,10 +17,10 @@ logsource:
detection:
selection:
ScriptBlockText|contains:
- Invoke-SMBAutoBrute
- Invoke-GPOLinks
- Out-Minidump
- Invoke-Potato
- 'Invoke-SMBAutoBrute'
- 'Invoke-GPOLinks'
#- 'Out-Minidump' # Covered in 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
- 'Invoke-Potato'
condition: selection
falsepositives:
- Unknown
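Review bot: Commenting out `'Out-Minidump'` makes this rule's coverage of that cmdlet depend on rule 89819aa4 being deployed alongside it, which the `# Covered in 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6` comment records but the rule metadata does not. If the rule header (outside this hunk) has no `related:` entry for it yet, add `- id: 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6` with `type: similar` so the dependency is machine-readable, or delete the line outright rather than leaving dead config.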
@@ -8,6 +8,7 @@ references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1071.001/T1071.001.md#t1071001---web-protocols
author: frack113
date: 2022/01/23
modified: 2023/01/02
tags:
- attack.command_and_control
- attack.t1071.001
@@ -18,7 +19,7 @@ logsource:
detection:
selection:
ScriptBlockText|contains|all:
- Invoke-WebRequest
- 'Invoke-WebRequest'
- '-UserAgent '
condition: selection
falsepositives:
@@ -9,7 +9,7 @@ references:
- https://gist.github.com/MHaggis/0dbe00ad401daa7137c81c99c268cfb7
author: Florian Roth, Perez Diego (@darkquassar)
date: 2019/02/11
modified: 2022/12/25
modified: 2023/01/02
tags:
- attack.execution
- attack.t1059.001
@@ -29,8 +29,8 @@ detection:
- 'SuspendThread'
- 'rundll32'
# - 'FromBase64'
- 'Invoke-WMIMethod'
- 'http://127.0.0.1'
#- 'Invoke-WMIMethod' # Prone to FP
#- 'http://127.0.0.1' # Prone to FP
condition: selection
falsepositives:
- Unknown
@@ -8,6 +8,7 @@ references:
- https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-webrequest?view=powershell-7.2
author: frack113
date: 2022/01/07
modified: 2023/01/02
tags:
- attack.exfiltration
- attack.t1020
@@ -20,11 +21,12 @@ detection:
ScriptBlockText|contains:
- 'Invoke-WebRequest'
- 'iwr '
selection_method:
selection_flag:
ScriptBlockText|contains: '-Method '
selection_verb:
- ' Put '
- ' Post '
ScriptBlockText|contains:
- ' Put '
- ' Post '
condition: all of selection_*
falsepositives:
- Legitimate script
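Review bot: The restructured `selection_verb` still requires a space after the verb (`' Put '`, `' Post '`), so `-Method Post` at the end of a line or followed by `;`, `|` or `)` is missed, and `selection_flag`'s `'-Method '` (trailing space) misses the `-Method:Post` form and abbreviated parameters such as `-Meth Post`. Dropping the trailing space (`' Put'`, `' Post'`) and adding `'-Method:'` to `selection_flag` closes the obvious gaps at little FP cost, since `all of selection_*` still requires the web-request cmdlet to be present. The `iwr ` alias is covered but Windows PowerShell's `curl`/`wget` aliases for Invoke-WebRequest are not, presumably by choice to limit noise — the selection that holds those strings starts above this hunk, so confirm against the full rule.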
@@ -9,6 +9,7 @@ references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-8---powershell-xml-requests
author: frack113
date: 2022/01/19
modified: 2023/01/02
tags:
- attack.execution
- attack.t1059.001
@@ -19,12 +20,13 @@ logsource:
detection:
selection_xml:
ScriptBlockText|contains|all:
- New-Object
- System.Xml.XmlDocument
- .Load
- 'New-Object'
- 'System.Xml.XmlDocument'
- '.Load'
selection_exec:
- IEX
- Invoke-Expression
ScriptBlockText|contains:
- 'IEX '
- 'Invoke-Expression '
condition: all of selection_*
falsepositives:
- Legitimate administrative script
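Review bot: Adding a trailing space to `'IEX '` and `'Invoke-Expression '` narrows `selection_exec`: the common forms `… | IEX` at the end of a line and `IEX(...)` have no following space and no longer match, whereas the previous bare `IEX` / `Invoke-Expression` did. If the intent was to avoid substring hits (e.g. on `iexplore`), anchor the other way — `' IEX'`, `'|IEX'`, `'IEX('` and the same three forms for `Invoke-Expression` — or use a regex with a word boundary if the backend supports `ScriptBlockText|re:`. Moving the strings under an explicit `ScriptBlockText|contains:` key is correct; the old bare list under `selection_exec` was not valid Sigma.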