diff --git a/rules/windows/file_event/file_event_win_powershell_exploit_scripts.yml b/rules/windows/file_event/file_event_win_powershell_exploit_scripts.yml
index db13219da..84ce15833 100755
--- a/rules/windows/file_event/file_event_win_powershell_exploit_scripts.yml
+++ b/rules/windows/file_event/file_event_win_powershell_exploit_scripts.yml
@@ -2,14 +2,18 @@ title: Malicious PowerShell Commandlet Names
 id: f331aa1f-8c53-4fc3-b083-cc159bc971cb
 status: test
 description: Detects the creation of known powershell scripts for exploitation
-author: Markus Neis
+author: Markus Neis, Nasreddine Bencherchali
 references:
 - https://raw.githubusercontent.com/Neo23x0/sigma/f35c50049fa896dff91ff545cb199319172701e8/rules/windows/powershell/powershell_malicious_commandlets.yml
 - https://github.com/PowerShellMafia/PowerSploit
 - https://github.com/NetSPI/PowerUpSQL
 - https://github.com/CsEnox/EventViewer-UACBypass
+ - https://github.com/AlsidOfficial/WSUSpendu/
+ - https://github.com/nettitude/Invoke-PowerThIEf
+ - https://github.com/S3cur3Th1sSh1t/WinPwn
+ - https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries
 date: 2018/04/07
-modified: 2022/05/13
+modified: 2022/05/20
 logsource:
 category: file_event
 product: windows
@@ -117,6 +121,87 @@ detection:
 - '\Get-GPPAutologon.ps1'
 - '\Get-MicrophoneAudio.ps1'
 - '\Invoke-EventViewer.ps1'
+ - '\WSUSpendu.ps1'
+ - '\Invoke-PowerThIEf.ps1'
+ - '\WinPwn.ps1'
+ - '\Offline_Winpwn.ps1'
+ - '\PowerSharpPack.ps1'
+ - '\Invoke-BadPotato.ps1'
+ - '\Invoke-BetterSafetyKatz.ps1'
+ - '\Invoke-Carbuncle.ps1'
+ - '\Invoke-Certify.ps1'
+ - '\Invoke-DAFT.ps1'
+ - '\Invoke-DinvokeKatz.ps1'
+ - '\Invoke-Eyewitness.ps1'
+ - '\Invoke-FakeLogonScreen.ps1'
+ - '\Invoke-Farmer.ps1'
+ - '\Invoke-Get-RBCD-Threaded.ps1'
+ - '\Invoke-Gopher.ps1'
+ - '\Invoke-Grouper2.ps1'
+ - '\Invoke-HandleKatz.ps1'
+ - '\Invoke-Internalmonologue.ps1'
+ - '\Invoke-KrbRelayUp.ps1'
+ - '\Invoke-LdapSignCheck.ps1'
+ - '\Invoke-Lockless.ps1'
+ - '\Invoke-MITM6.ps1'
+ - '\Invoke-NanoDump.ps1'
+ - '\Invoke-OxidResolver.ps1'
+ - '\Invoke-P0wnedshell.ps1'
+ - '\Invoke-P0wnedshellx86.ps1'
+ - '\Invoke-PPLDump.ps1'
+ - '\Invoke-Rubeus.ps1'
+ - '\Invoke-SCShell.ps1'
+ - '\Invoke-SafetyKatz.ps1'
+ - '\Invoke-SauronEye.ps1'
+ - '\Invoke-Seatbelt.ps1'
+ - '\Invoke-SharPersist.ps1'
+ - '\Invoke-SharpAllowedToAct.ps1'
+ - '\Invoke-SharpBlock.ps1'
+ - '\Invoke-SharpBypassUAC.ps1'
+ - '\Invoke-SharpChromium.ps1'
+ - '\Invoke-SharpClipboard.ps1'
+ - '\Invoke-SharpCloud.ps1'
+ - '\Invoke-SharpDPAPI.ps1'
+ - '\Invoke-SharpDump.ps1'
+ - '\Invoke-SharpGPO-RemoteAccessPolicies.ps1'
+ - '\Invoke-SharpGPOAbuse.ps1'
+ - '\Invoke-SharpHandler.ps1'
+ - '\Invoke-SharpHide.ps1'
+ - '\Invoke-SharpHound4.ps1'
+ - '\Invoke-SharpImpersonation.ps1'
+ - '\Invoke-SharpImpersonationNoSpace.ps1'
+ - '\Invoke-SharpKatz.ps1'
+ - '\Invoke-SharpLdapRelayScan.ps1'
+ - '\Invoke-SharpLoginPrompt.ps1'
+ - '\Invoke-SharpMove.ps1'
+ - '\Invoke-SharpPrintNightmare.ps1'
+ - '\Invoke-SharpPrinter.ps1'
+ - '\Invoke-SharpRDP.ps1'
+ - '\Invoke-SharpSSDP.ps1'
+ - '\Invoke-SharpSecDump.ps1'
+ - '\Invoke-SharpSniper.ps1'
+ - '\Invoke-SharpSploit.ps1'
+ - '\Invoke-SharpSpray.ps1'
+ - '\Invoke-SharpStay.ps1'
+ - '\Invoke-SharpUp.ps1'
+ - '\Invoke-SharpWatson.ps1'
+ - '\Invoke-Sharphound2.ps1'
+ - '\Invoke-Sharphound3.ps1'
+ - '\Invoke-Sharplocker.ps1'
+ - '\Invoke-Sharpshares.ps1'
+ - '\Invoke-Sharpsploit_nomimi.ps1'
+ - '\Invoke-Sharpview.ps1'
+ - '\Invoke-Sharpweb.ps1'
+ - '\Invoke-Snaffler.ps1'
+ - '\Invoke-Spoolsample.ps1'
+ - '\Invoke-StandIn.ps1'
+ - '\Invoke-StickyNotesExtract.ps1'
+ - '\Invoke-Thunderfox.ps1'
+ - '\Invoke-Tokenvator.ps1'
+ - '\Invoke-UrbanBishop.ps1'
+ - '\Invoke-Whisker.ps1'
+ - '\Invoke-WireTap.ps1'
+ - '\Invoke-winPEAS.ps1'
 condition: selection
 falsepositives:
 - Unknown
diff --git a/rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml b/rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml
index b45c6ed55..b380e82af 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml
@@ -4,12 +4,13 @@ status: experimental
 description: Detects Commandlet names from well-known PowerShell exploitation frameworks
 references:
 - https://adsecurity.org/?p=2921
+ - https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries
 tags:
 - attack.execution
 - attack.t1059.001
-author: Sean Metcalf (source), Florian Roth (rule), Bartlomiej Czyz @bczyz1 (update), oscd.community (update)
+author: Sean Metcalf (source), Florian Roth (rule), Bartlomiej Czyz @bczyz1 (update), oscd.community (update), Nasreddine Bencherchali (update)
 date: 2017/03/05
-modified: 2021/11/29
+modified: 2022/05/20
 logsource:
 product: windows
 category: ps_script
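Review bot: The 81 new file-name values are a hand-maintained mirror of the cmdlet list this commit adds to posh_ps_malicious_commandlets.yml in the next file, differing only by the `\` / `.ps1` wrapping and the two extra entries `\Invoke-P0wnedshellx86.ps1` and `\Invoke-Sharpsploit_nomimi.ps1`, so the two lists will drift unless the link is recorded. A comment above the first added entry, `# PowerSharpPack wrappers - keep in sync with posh_ps_malicious_commandlets.yml`, or a `related:` entry of `type: similar` naming the sibling rule, would make that explicit. The field and modifier this list belongs to (presumably `TargetFilename|endswith`, given the leading backslash) sit above the hunk. The `falsepositives: - Unknown` context line is unchanged although the list now contains plain-sounding names such as `\Invoke-Farmer.ps1`, `\Invoke-Gopher.ps1` and `\Invoke-Certify.ps1`; a sentence in `description` stating that the rule keys on the tools' default file names would set expectations for tuning.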
@@ -112,6 +113,80 @@ detection:
 - 'Invoke-SMBScanner'
 - 'Invoke-Mimikittenz'
 - 'Invoke-AllChecks'
+ - 'Invoke-BadPotato'
+ - 'Invoke-BetterSafetyKatz'
+ - 'Invoke-Carbuncle'
+ - 'Invoke-Certify'
+ - 'Invoke-DAFT'
+ - 'Invoke-DinvokeKatz'
+ - 'Invoke-Eyewitness'
+ - 'Invoke-FakeLogonScreen'
+ - 'Invoke-Farmer'
+ - 'Invoke-Get-RBCD-Threaded'
+ - 'Invoke-Gopher'
+ - 'Invoke-Grouper2'
+ - 'Invoke-HandleKatz'
+ - 'Invoke-Internalmonologue'
+ - 'Invoke-KrbRelayUp'
+ - 'Invoke-LdapSignCheck'
+ - 'Invoke-Lockless'
+ - 'Invoke-MITM6'
+ - 'Invoke-NanoDump'
+ - 'Invoke-OxidResolver'
+ - 'Invoke-P0wnedshell'
+ - 'Invoke-PPLDump'
+ - 'Invoke-Rubeus'
+ - 'Invoke-SCShell'
+ - 'Invoke-SafetyKatz'
+ - 'Invoke-SauronEye'
+ - 'Invoke-Seatbelt'
+ - 'Invoke-SharPersist'
+ - 'Invoke-SharpAllowedToAct'
+ - 'Invoke-SharpBlock'
+ - 'Invoke-SharpBypassUAC'
+ - 'Invoke-SharpChromium'
+ - 'Invoke-SharpClipboard'
+ - 'Invoke-SharpCloud'
+ - 'Invoke-SharpDPAPI'
+ - 'Invoke-SharpDump'
+ - 'Invoke-SharpGPO-RemoteAccessPolicies'
+ - 'Invoke-SharpGPOAbuse'
+ - 'Invoke-SharpHandler'
+ - 'Invoke-SharpHide'
+ - 'Invoke-SharpHound4'
+ - 'Invoke-SharpImpersonation'
+ - 'Invoke-SharpImpersonationNoSpace'
+ - 'Invoke-SharpKatz'
+ - 'Invoke-SharpLdapRelayScan'
+ - 'Invoke-SharpLoginPrompt'
+ - 'Invoke-SharpMove'
+ - 'Invoke-SharpPrintNightmare'
+ - 'Invoke-SharpPrinter'
+ - 'Invoke-SharpRDP'
+ - 'Invoke-SharpSSDP'
+ - 'Invoke-SharpSecDump'
+ - 'Invoke-SharpSniper'
+ - 'Invoke-SharpSploit'
+ - 'Invoke-SharpSpray'
+ - 'Invoke-SharpStay'
+ - 'Invoke-SharpUp'
+ - 'Invoke-SharpWatson'
+ - 'Invoke-Sharphound2'
+ - 'Invoke-Sharphound3'
+ - 'Invoke-Sharplocker'
+ - 'Invoke-Sharpshares'
+ - 'Invoke-Sharpview'
+ - 'Invoke-Sharpweb'
+ - 'Invoke-Snaffler'
+ - 'Invoke-Spoolsample'
+ - 'Invoke-StandIn'
+ - 'Invoke-StickyNotesExtract'
+ - 'Invoke-Thunderfox'
+ - 'Invoke-Tokenvator'
+ - 'Invoke-UrbanBishop'
+ - 'Invoke-Whisker'
+ - 'Invoke-WireTap'
+ - 'Invoke-winPEAS'
 false_positives:
 ScriptBlockText|contains:
 - Get-SystemDriveInfo # http://bheltborg.dk/Windows/WinSxS/amd64_microsoft-windows-maintenancediagnostic_31bf3856ad364e35_10.0.10240.16384_none_91ef7543a4514b5e/CL_Utility.ps1
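Review bot: `'Invoke-SharpImpersonationNoSpace'` is added alongside `'Invoke-SharpImpersonation'`, and if the selection uses the same `ScriptBlockText|contains` modifier as the visible `false_positives` filter (the selection header is above the hunk) the shorter value already matches the longer one, making the second entry redundant. The same substring logic explains why `Invoke-P0wnedshellx86` and `Invoke-Sharpsploit_nomimi` from the file_event rule in the previous file are absent here, but that reasoning is not recorded; a comment such as `# contains-match: x86 / _nomimi / NoSpace variants are covered by the base names` above the first added entry would stop the next contributor from "fixing" the gap. The previous file also adds `\Invoke-PowerThIEf.ps1`, `\WinPwn.ps1` and `\WSUSpendu.ps1` with no counterpart in this cmdlet list; if those toolkits export functions of the same name they belong here too, otherwise a note on why they are omitted keeps the pair aligned.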