From d2d49c445a38f0f695ca96a7ae1db21e41bb8263 Mon Sep 17 00:00:00 2001
From: Jonhnathan
Date: Thu, 15 Oct 2020 16:00:20 -0300
Subject: [PATCH] Update sysmon_powershell_exploit_scripts.yml
---
 .../sysmon_powershell_exploit_scripts.yml | 192 +++++++++---------
 1 file changed, 96 insertions(+), 96 deletions(-)
diff --git a/rules/windows/file_event/sysmon_powershell_exploit_scripts.yml b/rules/windows/file_event/sysmon_powershell_exploit_scripts.yml
index 7ca774187..e446c5307 100755
--- a/rules/windows/file_event/sysmon_powershell_exploit_scripts.yml
+++ b/rules/windows/file_event/sysmon_powershell_exploit_scripts.yml
@@ -15,102 +15,102 @@ logsource:
 product: windows
 detection:
 selection:
- TargetFilename:
- - '*\Invoke-DllInjection.ps1'
- - '*\Invoke-WmiCommand.ps1'
- - '*\Get-GPPPassword.ps1'
- - '*\Get-Keystrokes.ps1'
- - '*\Get-VaultCredential.ps1'
- - '*\Invoke-CredentialInjection.ps1'
- - '*\Invoke-Mimikatz.ps1'
- - '*\Invoke-NinjaCopy.ps1'
- - '*\Invoke-TokenManipulation.ps1'
- - '*\Out-Minidump.ps1'
- - '*\VolumeShadowCopyTools.ps1'
- - '*\Invoke-ReflectivePEInjection.ps1'
- - '*\Get-TimedScreenshot.ps1'
- - '*\Invoke-UserHunter.ps1'
- - '*\Find-GPOLocation.ps1'
- - '*\Invoke-ACLScanner.ps1'
- - '*\Invoke-DowngradeAccount.ps1'
- - '*\Get-ServiceUnquoted.ps1'
- - '*\Get-ServiceFilePermission.ps1'
- - '*\Get-ServicePermission.ps1'
- - '*\Invoke-ServiceAbuse.ps1'
- - '*\Install-ServiceBinary.ps1'
- - '*\Get-RegAutoLogon.ps1'
- - '*\Get-VulnAutoRun.ps1'
- - '*\Get-VulnSchTask.ps1'
- - '*\Get-UnattendedInstallFile.ps1'
- - '*\Get-WebConfig.ps1'
- - '*\Get-ApplicationHost.ps1'
- - '*\Get-RegAlwaysInstallElevated.ps1'
- - '*\Get-Unconstrained.ps1'
- - '*\Add-RegBackdoor.ps1'
- - '*\Add-ScrnSaveBackdoor.ps1'
- - '*\Gupt-Backdoor.ps1'
- - '*\Invoke-ADSBackdoor.ps1'
- - '*\Enabled-DuplicateToken.ps1'
- - '*\Invoke-PsUaCme.ps1'
- - '*\Remove-Update.ps1'
- - '*\Check-VM.ps1'
- - '*\Get-LSASecret.ps1'
- - '*\Get-PassHashes.ps1'
- - '*\Show-TargetScreen.ps1'
- - '*\Port-Scan.ps1'
- - '*\Invoke-PoshRatHttp.ps1'
- - '*\Invoke-PowerShellTCP.ps1'
- - '*\Invoke-PowerShellWMI.ps1'
- - '*\Add-Exfiltration.ps1'
- - '*\Add-Persistence.ps1'
- - '*\Do-Exfiltration.ps1'
- - '*\Start-CaptureServer.ps1'
- - '*\Invoke-ShellCode.ps1'
- - '*\Get-ChromeDump.ps1'
- - '*\Get-ClipboardContents.ps1'
- - '*\Get-FoxDump.ps1'
- - '*\Get-IndexedItem.ps1'
- - '*\Get-Screenshot.ps1'
- - '*\Invoke-Inveigh.ps1'
- - '*\Invoke-NetRipper.ps1'
- - '*\Invoke-EgressCheck.ps1'
- - '*\Invoke-PostExfil.ps1'
- - '*\Invoke-PSInject.ps1'
- - '*\Invoke-RunAs.ps1'
- - '*\MailRaider.ps1'
- - '*\New-HoneyHash.ps1'
- - '*\Set-MacAttribute.ps1'
- - '*\Invoke-DCSync.ps1'
- - '*\Invoke-PowerDump.ps1'
- - '*\Exploit-Jboss.ps1'
- - '*\Invoke-ThunderStruck.ps1'
- - '*\Invoke-VoiceTroll.ps1'
- - '*\Set-Wallpaper.ps1'
- - '*\Invoke-InveighRelay.ps1'
- - '*\Invoke-PsExec.ps1'
- - '*\Invoke-SSHCommand.ps1'
- - '*\Get-SecurityPackages.ps1'
- - '*\Install-SSP.ps1'
- - '*\Invoke-BackdoorLNK.ps1'
- - '*\PowerBreach.ps1'
- - '*\Get-SiteListPassword.ps1'
- - '*\Get-System.ps1'
- - '*\Invoke-BypassUAC.ps1'
- - '*\Invoke-Tater.ps1'
- - '*\Invoke-WScriptBypassUAC.ps1'
- - '*\PowerUp.ps1'
- - '*\PowerView.ps1'
- - '*\Get-RickAstley.ps1'
- - '*\Find-Fruit.ps1'
- - '*\HTTP-Login.ps1'
- - '*\Find-TrustedDocuments.ps1'
- - '*\Invoke-Paranoia.ps1'
- - '*\Invoke-WinEnum.ps1'
- - '*\Invoke-ARPScan.ps1'
- - '*\Invoke-PortScan.ps1'
- - '*\Invoke-ReverseDNSLookup.ps1'
- - '*\Invoke-SMBScanner.ps1'
- - '*\Invoke-Mimikittenz.ps1'
+ TargetFilename|endswith:
+ - '\Invoke-DllInjection.ps1'
+ - '\Invoke-WmiCommand.ps1'
+ - '\Get-GPPPassword.ps1'
+ - '\Get-Keystrokes.ps1'
+ - '\Get-VaultCredential.ps1'
+ - '\Invoke-CredentialInjection.ps1'
+ - '\Invoke-Mimikatz.ps1'
+ - '\Invoke-NinjaCopy.ps1'
+ - '\Invoke-TokenManipulation.ps1'
+ - '\Out-Minidump.ps1'
+ - '\VolumeShadowCopyTools.ps1'
+ - '\Invoke-ReflectivePEInjection.ps1'
+ - '\Get-TimedScreenshot.ps1'
+ - '\Invoke-UserHunter.ps1'
+ - '\Find-GPOLocation.ps1'
+ - '\Invoke-ACLScanner.ps1'
+ - '\Invoke-DowngradeAccount.ps1'
+ - '\Get-ServiceUnquoted.ps1'
+ - '\Get-ServiceFilePermission.ps1'
+ - '\Get-ServicePermission.ps1'
+ - '\Invoke-ServiceAbuse.ps1'
+ - '\Install-ServiceBinary.ps1'
+ - '\Get-RegAutoLogon.ps1'
+ - '\Get-VulnAutoRun.ps1'
+ - '\Get-VulnSchTask.ps1'
+ - '\Get-UnattendedInstallFile.ps1'
+ - '\Get-WebConfig.ps1'
+ - '\Get-ApplicationHost.ps1'
+ - '\Get-RegAlwaysInstallElevated.ps1'
+ - '\Get-Unconstrained.ps1'
+ - '\Add-RegBackdoor.ps1'
+ - '\Add-ScrnSaveBackdoor.ps1'
+ - '\Gupt-Backdoor.ps1'
+ - '\Invoke-ADSBackdoor.ps1'
+ - '\Enabled-DuplicateToken.ps1'
+ - '\Invoke-PsUaCme.ps1'
+ - '\Remove-Update.ps1'
+ - '\Check-VM.ps1'
+ - '\Get-LSASecret.ps1'
+ - '\Get-PassHashes.ps1'
+ - '\Show-TargetScreen.ps1'
+ - '\Port-Scan.ps1'
+ - '\Invoke-PoshRatHttp.ps1'
+ - '\Invoke-PowerShellTCP.ps1'
+ - '\Invoke-PowerShellWMI.ps1'
+ - '\Add-Exfiltration.ps1'
+ - '\Add-Persistence.ps1'
+ - '\Do-Exfiltration.ps1'
+ - '\Start-CaptureServer.ps1'
+ - '\Invoke-ShellCode.ps1'
+ - '\Get-ChromeDump.ps1'
+ - '\Get-ClipboardContents.ps1'
+ - '\Get-FoxDump.ps1'
+ - '\Get-IndexedItem.ps1'
+ - '\Get-Screenshot.ps1'
+ - '\Invoke-Inveigh.ps1'
+ - '\Invoke-NetRipper.ps1'
+ - '\Invoke-EgressCheck.ps1'
+ - '\Invoke-PostExfil.ps1'
+ - '\Invoke-PSInject.ps1'
+ - '\Invoke-RunAs.ps1'
+ - '\MailRaider.ps1'
+ - '\New-HoneyHash.ps1'
+ - '\Set-MacAttribute.ps1'
+ - '\Invoke-DCSync.ps1'
+ - '\Invoke-PowerDump.ps1'
+ - '\Exploit-Jboss.ps1'
+ - '\Invoke-ThunderStruck.ps1'
+ - '\Invoke-VoiceTroll.ps1'
+ - '\Set-Wallpaper.ps1'
+ - '\Invoke-InveighRelay.ps1'
+ - '\Invoke-PsExec.ps1'
+ - '\Invoke-SSHCommand.ps1'
+ - '\Get-SecurityPackages.ps1'
+ - '\Install-SSP.ps1'
+ - '\Invoke-BackdoorLNK.ps1'
+ - '\PowerBreach.ps1'
+ - '\Get-SiteListPassword.ps1'
+ - '\Get-System.ps1'
+ - '\Invoke-BypassUAC.ps1'
+ - '\Invoke-Tater.ps1'
+ - '\Invoke-WScriptBypassUAC.ps1'
+ - '\PowerUp.ps1'
+ - '\PowerView.ps1'
+ - '\Get-RickAstley.ps1'
+ - '\Find-Fruit.ps1'
+ - '\HTTP-Login.ps1'
+ - '\Find-TrustedDocuments.ps1'
+ - '\Invoke-Paranoia.ps1'
+ - '\Invoke-WinEnum.ps1'
+ - '\Invoke-ARPScan.ps1'
+ - '\Invoke-PortScan.ps1'
+ - '\Invoke-ReverseDNSLookup.ps1'
+ - '\Invoke-SMBScanner.ps1'
+ - '\Invoke-Mimikittenz.ps1'
 condition: selection
 falsepositives:
 - Penetration Tests
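Review bot: The rule's header fields (`date:` and, if the rule carries one, `modified:`) sit above this hunk and are not touched, so a change to the match semantics of the whole selection — every `*\...` wildcard replaced by `TargetFilename|endswith` — should also bump `modified:` so downstream consumers can see the rule's matching changed. The name list itself is carried over one-for-one (95 entries, same order) and the leading `\` keeps each value anchored to the basename, so no coverage is lost by the conversion. Since this list is the entire detection, a short comment above `TargetFilename|endswith:` stating where the names come from — they look like module names of well-known offensive PowerShell frameworks, but the hunk does not say — would help maintainers judge what to add and would make explicit that a script dropped to disk under a different name will not match.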