Merge pull request #432 from EccoTheFlintstone/master

add/modify powershell Empire rules
Florian Roth
2019-09-02 11:40:36 +02:00
committed by GitHub
3 changed files with 34 additions and 2 deletions
@@ -5,6 +5,7 @@ references:
- https://github.com/EmpireProject/Empire/blob/c2ba61ca8d2031dad0cfc1d5770ba723e8b710db/lib/common/helpers.py#L165
- https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/lib/modules/powershell/persistence/powerbreach/deaduser.py#L191
- https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/lib/modules/powershell/persistence/powerbreach/resolver.py#L178
- https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-EventVwrBypass.ps1#L64
author: Florian Roth
date: 2019/04/20
tags:
@@ -18,5 +19,6 @@ detection:
CommandLine:
- '* -NoP -sta -NonI -W Hidden -Enc *'
- '* -noP -sta -w 1 -enc *'
- '* -NoP -NonI -W Hidden -enc *'
condition: selection
level: critical
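Review bot: The pattern on L21, `'* -NoP -NonI -W Hidden -enc *'`, is the only one of the three without `-sta`, so it no longer describes the Empire stager the references on L10-L13 point at but any hidden, non-interactive, encoded PowerShell launcher — the same flag set other frameworks' default stagers and some packaged admin scripts use — while the rule stays at `level: critical`. If that widening is intended, the rule's description and falsepositives (outside this hunk) should say the rule covers generic encoded launchers rather than Empire only; if not, keep the variant Empire-specific, e.g. `- '* -NoP -sta -NonI -W Hidden -enc *'`. All three strings are also order-sensitive: `-NoP -W Hidden -NonI -enc` or any flag inserted between them evades, which is worth a one-line comment above `CommandLine:` so nobody mistakes this for full coverage of encoded launches.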
@@ -0,0 +1,28 @@
title: Empire PowerShell UAC Bypass
status: experimental
description: Detects some Empire PowerShell UAC bypass methods
references:
- https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-EventVwrBypass.ps1#L64
- https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-FodHelperBypass.ps1#L64
author: Ecco
date: 2019/08/30
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine:
- '* -NoP -NonI -w Hidden -c $x=$((gp HKCU:Software\\Microsoft\\Windows Update).Update)*'
- '* -NoP -NonI -c $x=$((gp HKCU:Software\\Microsoft\\Windows Update).Update);*'
condition: selection
fields:
- CommandLine
- ParentCommandLine
tags:
- attack.defense_evasion
- attack.privilege_escalation
- attack.t1088
- car.2019-04-001
falsepositives:
- unknown
level: critical
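Review bot: Both strings on L39-L40 are bound to the exact argument order and to the literal `$x=$((gp HKCU:Software\\Microsoft\\Windows Update).Update)` value that the referenced Empire commit hard-codes, so the only launcher variation tolerated is the presence of `-w Hidden`; an operator who reorders flags or a fork that renames the registry value evades both, and the `-NoP -NonI` prefix adds little selectivity on top of a fragment that distinctive. Consider collapsing the two into one pattern anchored on the fragment itself, `- '*$x=$((gp HKCU:Software\\Microsoft\\Windows Update).Update)*'`, which subsumes both current strings and survives flag reordering; `$`, `(`, `)` are plain characters in Sigma strings and `\\` is the escaped single backslash, so the existing quoting carries over. A comment noting that the key name is Empire's hard-coded default (and the pattern must be updated if that default changes upstream) would help the next maintainer.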
@@ -15,8 +15,10 @@ logsource:
product: windows
detection:
selection:
CommandLine: whoami
condition: selection
Image: '*\whoami.exe'
selection2:
OriginalFileName: 'whoami.exe'
condition: selection or selection2
falsepositives:
- Admin activity
- Scripts and administrative tools used in the monitored environment
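Review bot: `selection2` on L60-L61 only fires where the log source populates `OriginalFileName`, which as far as I recall is a Sysmon process-creation field (Sysmon 10 and later) and is absent from Security 4688 events, so on a 4688-only collection the rule silently degrades to the `Image` match on L59 and the renamed-binary coverage this change adds does not exist. A comment on L61 such as `# OriginalFileName requires Sysmon (EID 1); catches renamed copies of whoami.exe` would make that dependency explicit to operators. Note also that replacing the exact `CommandLine: whoami` with an `Image` match broadens the rule from bare `whoami` to every invocation including `whoami /all` and `/priv`; that is presumably intended, but the falsepositives entries on L64-L65 read as written for the narrower rule.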