Merge branch 'master' into rule-devel

Florian Roth
2023-01-09 09:56:21 +01:00
committed by GitHub
300 changed files with 1505 additions and 527 deletions
@@ -21,9 +21,10 @@ references:
- https://github.com/calebstewart/CVE-2021-1675 # Invoke-Nightmare
- https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1
- https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html
- https://github.com/HarmJ0y/DAMP
author: Sean Metcalf, Florian Roth, Bartlomiej Czyz @bczyz1, oscd.community, Nasreddine Bencherchali, Tim Shelton, Mustafa Kaan Demir, Georg Lauenstein, Max Altgelt, Tobias Michalski, Austin Songer
date: 2017/03/05
modified: 2023/01/02
modified: 2023/01/05
tags:
- attack.execution
- attack.discovery
@@ -38,15 +39,18 @@ tags:
logsource:
product: windows
category: ps_script
definition: Script Block Logging must be enabled
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains:
- 'Add-Exfiltration'
- 'Add-Persistence'
- 'Add-RegBackdoor'
- 'Add-RemoteRegBackdoor'
- 'Add-ScrnSaveBackdoor'
- 'Check-VM'
- 'ConvertTo-Rc4ByteStream'
- 'Decrypt-Hash'
- 'Do-Exfiltration'
- 'Enabled-DuplicateToken'
- 'Exploit-Jboss'
@@ -64,6 +68,12 @@ detection:
- 'Get-PassHashes'
- 'Get-RegAlwaysInstallElevated'
- 'Get-RegAutoLogon'
- 'Get-RemoteBootKey'
- 'Get-RemoteCachedCredential'
- 'Get-RemoteLocalAccountHash'
- 'Get-RemoteLSAKey'
- 'Get-RemoteMachineAccountHash'
- 'Get-RemoteNLKMKey'
- 'Get-RickAstley'
- 'Get-Screenshot'
- 'Get-SecurityPackages'
@@ -211,6 +221,7 @@ detection:
- 'Invoke-Zerologon'
- 'MailRaider'
- 'New-HoneyHash'
- 'New-InMemoryModule'
- 'Out-Minidump'
- 'Port-Scan'
- 'PowerBreach'
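Review bot: `New-InMemoryModule` in the last hunk is the PSReflect bootstrap function, which is copied into a wide range of PowerShell scripts that call Win32 APIs rather than being specific to offensive tooling, so as a bare `ScriptBlockText|contains` term it is a weaker indicator than the `Get-Remote*` credential-extraction names added in the third hunk and is likely to raise the rule's false-positive rate. Consider annotating it inline so tuners know why it fires, e.g. `- 'New-InMemoryModule'  # PSReflect bootstrap; also present in benign Win32 API wrappers`, and confirming that the rule's `falsepositives` section (not in this view) mentions PSReflect-based admin scripts. `Get-Screenshot`, `Port-Scan` and `Check-VM` are similarly generic function names; if they prove noisy, combining them with a second selection rather than matching on the name alone would preserve precision. The `detection:` block and its `selection` list start and end outside these hunks, so the full term list and condition could not be checked here.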