From dfdc232f556d5a99d4dc71c217225ced9b77b411 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Sat, 21 Jan 2023 12:28:08 +0100
Subject: [PATCH] fix: optimize "Invoke-Sharp" coverage
---
 ...e_event_win_powershell_exploit_scripts.yml | 47 +-
 .../posh_pm_exploit_scripts.yml | 490 ++++++++----------
 .../posh_pm_malicious_commandlets.yml | 38 +-
 .../posh_ps_malicious_commandlets.yml | 38 +-
 .../proc_creation_win_malicious_cmdlets.yml | 38 +-
 5 files changed, 235 insertions(+), 416 deletions(-)
diff --git a/rules/windows/file/file_event/file_event_win_powershell_exploit_scripts.yml b/rules/windows/file/file_event/file_event_win_powershell_exploit_scripts.yml
index 3aa90cac8..6c1baf07f 100644
--- a/rules/windows/file/file_event/file_event_win_powershell_exploit_scripts.yml
+++ b/rules/windows/file/file_event/file_event_win_powershell_exploit_scripts.yml
@@ -33,7 +33,7 @@ logsource:
 category: file_event
 product: windows
 detection:
- selection:
+ selection_generic:
 TargetFilename|endswith:
 - '\Add-ConstrainedDelegationBackdoor.ps1'
 - '\Add-Exfiltration.ps1'
@@ -185,46 +185,6 @@ detection:
 - '\Invoke-Seatbelt.ps1'
 - '\Invoke-ServiceAbuse.ps1'
 - '\Invoke-SessionGopher.ps1'
- - '\Invoke-SharpAllowedToAct.ps1'
- - '\Invoke-SharpBlock.ps1'
- - '\Invoke-SharpBypassUAC.ps1'
- - '\Invoke-SharpChromium.ps1'
- - '\Invoke-SharpClipboard.ps1'
- - '\Invoke-SharpCloud.ps1'
- - '\Invoke-SharpDPAPI.ps1'
- - '\Invoke-SharpDump.ps1'
- - '\Invoke-SharPersist.ps1'
- - '\Invoke-SharpGPOAbuse.ps1'
- - '\Invoke-SharpGPO-RemoteAccessPolicies.ps1'
- - '\Invoke-SharpHandler.ps1'
- - '\Invoke-SharpHide.ps1'
- - '\Invoke-Sharphound2.ps1'
- - '\Invoke-Sharphound3.ps1'
- - '\Invoke-SharpHound4.ps1'
- - '\Invoke-SharpImpersonation.ps1'
- - '\Invoke-SharpImpersonationNoSpace.ps1'
- - '\Invoke-SharpKatz.ps1'
- - '\Invoke-SharpLdapRelayScan.ps1'
- - '\Invoke-Sharplocker.ps1'
- - '\Invoke-SharpLoginPrompt.ps1'
- - '\Invoke-SharpMove.ps1'
- - '\Invoke-SharpPrinter.ps1'
- - '\Invoke-SharpPrintNightmare.ps1'
- - '\Invoke-SharpRDP.ps1'
- - '\Invoke-SharpSCCM.ps1'
- - '\Invoke-SharpSecDump.ps1'
- - '\Invoke-Sharpshares.ps1'
- - '\Invoke-SharpSniper.ps1'
- - '\Invoke-SharpSploit.ps1'
- - '\Invoke-Sharpsploit_nomimi.ps1'
- - '\Invoke-SharpSpray.ps1'
- - '\Invoke-SharpSSDP.ps1'
- - '\Invoke-SharpStay.ps1'
- - '\Invoke-SharpUp.ps1'
- - '\Invoke-Sharpview.ps1'
- - '\Invoke-SharpWatson.ps1'
- - '\Invoke-Sharpweb.ps1'
- - '\Invoke-SharpWSUS.ps1'
 - '\Invoke-ShellCode.ps1'
 - '\Invoke-SMBScanner.ps1'
 - '\Invoke-Snaffler.ps1'
@@ -296,7 +256,10 @@ detection:
 - '\VolumeShadowCopyTools.ps1'
 - '\WinPwn.ps1'
 - '\WSUSpendu.ps1'
- condition: selection
+ selection_invoke_sharp:
+ TargetFilename|contains: 'Invoke-Sharp' # Covers all "Invoke-Sharp" variants
+ TargetFilename|endswith: '.ps1'
+ condition: 1 of selection_*
 falsepositives:
 - Unknown
 level: high
diff --git a/rules/windows/powershell/powershell_module/posh_pm_exploit_scripts.yml b/rules/windows/powershell/powershell_module/posh_pm_exploit_scripts.yml
index ca88bd19a..c81d12c31 100644
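Review bot: The new `selection_invoke_sharp` matches `Invoke-Sharp` anywhere in `TargetFilename`, whereas every entry it replaces was anchored to the file-name component by a leading `\` (`'\Invoke-SharpAllowedToAct.ps1'`, …), so the generic form would also fire on a directory name that merely contains the string. Writing it as `TargetFilename|contains: '\Invoke-Sharp'` keeps exactly the previous coverage plus new variants without that widening. The comment should also say that the substring covers the removed `Invoke-SharPersist.ps1` only because Sigma string matching is case-insensitive, e.g. `# Covers all "Invoke-Sharp" variants (incl. Invoke-SharPersist; relies on case-insensitive matching)`, since a backend producing case-sensitive matches would silently lose that tool. The same case-sensitivity remark applies to the `'Invoke-Sharp'` entries added in posh_pm_exploit_scripts.yml, posh_pm_malicious_commandlets.yml, posh_ps_malicious_commandlets.yml and proc_creation_win_malicious_cmdlets.yml.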
--- a/rules/windows/powershell/powershell_module/posh_pm_exploit_scripts.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_exploit_scripts.yml
@@ -35,270 +35,234 @@ logsource:
 category: ps_module
 definition: 'Requirements: PowerShell Module Logging must be enabled'
 detection:
- selection:
+ selection_generic:
 ContextInfo|contains:
- - '\Add-ConstrainedDelegationBackdoor.ps1'
- - '\Add-Exfiltration.ps1'
- - '\Add-Persistence.ps1'
- - '\Add-RegBackdoor.ps1'
- - '\Add-RemoteRegBackdoor.ps1'
- - '\Add-ScrnSaveBackdoor.ps1'
- - '\Check-VM.ps1'
- - '\ConvertTo-ROT13.ps1'
- - '\Copy-VSS.ps1'
- - '\Create-MultipleSessions.ps1'
- - '\DNS_TXT_Pwnage.ps1'
- - '\Do-Exfiltration.ps1'
- - '\DomainPasswordSpray.ps1'
- - '\Download_Execute.ps1'
- - '\Download-Execute-PS.ps1'
- - '\Enabled-DuplicateToken.ps1'
- - '\Enable-DuplicateToken.ps1'
- - '\Execute-Command-MSSQL.ps1'
- - '\Execute-DNSTXT-Code.ps1'
- - '\Execute-OnTime.ps1'
- - '\ExetoText.ps1'
- - '\Exploit-Jboss.ps1'
- - '\Find-AVSignature.ps1'
- - '\Find-Fruit.ps1'
- - '\Find-GPOLocation.ps1'
- - '\Find-TrustedDocuments.ps1'
- - '\FireBuster.ps1'
- - '\FireListener.ps1'
- - '\Get-ApplicationHost.ps1'
- - '\Get-ChromeDump.ps1'
- - '\Get-ClipboardContents.ps1'
- - '\Get-ComputerDetail.ps1'
- - '\Get-FoxDump.ps1'
- - '\Get-GPPAutologon.ps1'
- - '\Get-GPPPassword.ps1'
- - '\Get-IndexedItem.ps1'
- - '\Get-Keystrokes.ps1'
- - '\Get-LSASecret.ps1'
- - '\Get-MicrophoneAudio.ps1'
- - '\Get-PassHashes.ps1'
- - '\Get-PassHints.ps1'
- - '\Get-RegAlwaysInstallElevated.ps1'
- - '\Get-RegAutoLogon.ps1'
- - '\Get-RickAstley.ps1'
- - '\Get-Screenshot.ps1'
- - '\Get-SecurityPackages.ps1'
- - '\Get-ServiceFilePermission.ps1'
- - '\Get-ServicePermission.ps1'
- - '\Get-ServiceUnquoted.ps1'
- - '\Get-SiteListPassword.ps1'
- - '\Get-System.ps1'
- - '\Get-TimedScreenshot.ps1'
- - '\Get-UnattendedInstallFile.ps1'
- - '\Get-Unconstrained.ps1'
- - '\Get-USBKeystrokes.ps1'
- - '\Get-VaultCredential.ps1'
- - '\Get-VulnAutoRun.ps1'
- - '\Get-VulnSchTask.ps1'
- - '\Get-WebConfig.ps1'
- - '\Get-WebCredentials.ps1'
- - '\Get-WLAN-Keys.ps1'
- - '\Gupt-Backdoor.ps1'
- - '\HTTP-Backdoor.ps1'
- - '\HTTP-Login.ps1'
- - '\Install-ServiceBinary.ps1'
- - '\Install-SSP.ps1'
- - '\Invoke-ACLScanner.ps1'
- - '\Invoke-ADSBackdoor.ps1'
- - '\Invoke-AmsiBypass.ps1'
- - '\Invoke-ARPScan.ps1'
- - '\Invoke-BackdoorLNK.ps1'
- - '\Invoke-BadPotato.ps1'
- - '\Invoke-BetterSafetyKatz.ps1'
- - '\Invoke-BruteForce.ps1'
- - '\Invoke-BypassUAC.ps1'
- - '\Invoke-Carbuncle.ps1'
- - '\Invoke-Certify.ps1'
- - '\Invoke-ConPtyShell.ps1'
- - '\Invoke-CredentialInjection.ps1'
- - '\Invoke-CredentialsPhish.ps1'
- - '\Invoke-DAFT.ps1'
- - '\Invoke-DCSync.ps1'
- - '\Invoke-Decode.ps1'
- - '\Invoke-DinvokeKatz.ps1'
- - '\Invoke-DllInjection.ps1'
- - '\Invoke-DowngradeAccount.ps1'
- - '\Invoke-EgressCheck.ps1'
- - '\Invoke-Encode.ps1'
- - '\Invoke-EventViewer.ps1'
- - '\Invoke-Eyewitness.ps1'
- - '\Invoke-FakeLogonScreen.ps1'
- - '\Invoke-Farmer.ps1'
- - '\Invoke-Get-RBCD-Threaded.ps1'
- - '\Invoke-Gopher.ps1'
- - '\Invoke-Grouper2.ps1'
- - '\Invoke-Grouper3.ps1'
- - '\Invoke-HandleKatz.ps1'
- - '\Invoke-Interceptor.ps1'
- - '\Invoke-Internalmonologue.ps1'
- - '\Invoke-Inveigh.ps1'
- - '\Invoke-InveighRelay.ps1'
- - '\Invoke-JSRatRegsvr.ps1'
- - '\Invoke-JSRatRundll.ps1'
- - '\Invoke-KrbRelay.ps1'
- - '\Invoke-KrbRelayUp.ps1'
- - '\Invoke-LdapSignCheck.ps1'
- - '\Invoke-Lockless.ps1'
- - '\Invoke-MalSCCM.ps1'
- - '\Invoke-Mimikatz.ps1'
- - '\Invoke-MimikatzWDigestDowngrade.ps1'
- - '\Invoke-Mimikittenz.ps1'
- - '\Invoke-MITM6.ps1'
- - '\Invoke-NanoDump.ps1'
- - '\Invoke-NetRipper.ps1'
- - '\Invoke-NetworkRelay.ps1'
- - '\Invoke-NinjaCopy.ps1'
- - '\Invoke-OxidResolver.ps1'
- - '\Invoke-P0wnedshell.ps1'
- - '\Invoke-P0wnedshellx86.ps1'
- - '\Invoke-Paranoia.ps1'
- - '\Invoke-PortScan.ps1'
- - '\Invoke-PoshRatHttp.ps1'
- - '\Invoke-PoshRatHttps.ps1'
- - '\Invoke-PostExfil.ps1'
- - '\Invoke-PowerDump.ps1'
- - '\Invoke-PowerShellIcmp.ps1'
- - '\Invoke-PowerShellTCP.ps1'
- - '\Invoke-PowerShellTcpOneLine.ps1'
- - '\Invoke-PowerShellTcpOneLineBind.ps1'
- - '\Invoke-PowerShellUdp.ps1'
- - '\Invoke-PowerShellUdpOneLine.ps1'
- - '\Invoke-PowerShellWMI.ps1'
- - '\Invoke-PowerThIEf.ps1'
- - '\Invoke-PPLDump.ps1'
- - '\Invoke-Prasadhak.ps1'
- - '\Invoke-PsExec.ps1'
- - '\Invoke-PsGcat.ps1'
- - '\Invoke-PsGcatAgent.ps1'
- - '\Invoke-PSInject.ps1'
- - '\Invoke-PsUaCme.ps1'
- - '\Invoke-ReflectivePEInjection.ps1'
- - '\Invoke-ReverseDNSLookup.ps1'
- - '\Invoke-Rubeus.ps1'
- - '\Invoke-RunAs.ps1'
- - '\Invoke-SafetyKatz.ps1'
- - '\Invoke-SauronEye.ps1'
- - '\Invoke-SCShell.ps1'
- - '\Invoke-Seatbelt.ps1'
- - '\Invoke-ServiceAbuse.ps1'
- - '\Invoke-SessionGopher.ps1'
- - '\Invoke-SharpAllowedToAct.ps1'
- - '\Invoke-SharpBlock.ps1'
- - '\Invoke-SharpBypassUAC.ps1'
- - '\Invoke-SharpChromium.ps1'
- - '\Invoke-SharpClipboard.ps1'
- - '\Invoke-SharpCloud.ps1'
- - '\Invoke-SharpDPAPI.ps1'
- - '\Invoke-SharpDump.ps1'
- - '\Invoke-SharPersist.ps1'
- - '\Invoke-SharpGPOAbuse.ps1'
- - '\Invoke-SharpGPO-RemoteAccessPolicies.ps1'
- - '\Invoke-SharpHandler.ps1'
- - '\Invoke-SharpHide.ps1'
- - '\Invoke-Sharphound2.ps1'
- - '\Invoke-Sharphound3.ps1'
- - '\Invoke-SharpHound4.ps1'
- - '\Invoke-SharpImpersonation.ps1'
- - '\Invoke-SharpImpersonationNoSpace.ps1'
- - '\Invoke-SharpKatz.ps1'
- - '\Invoke-SharpLdapRelayScan.ps1'
- - '\Invoke-Sharplocker.ps1'
- - '\Invoke-SharpLoginPrompt.ps1'
- - '\Invoke-SharpMove.ps1'
- - '\Invoke-SharpPrinter.ps1'
- - '\Invoke-SharpPrintNightmare.ps1'
- - '\Invoke-SharpRDP.ps1'
- - '\Invoke-SharpSCCM.ps1'
- - '\Invoke-SharpSecDump.ps1'
- - '\Invoke-Sharpshares.ps1'
- - '\Invoke-SharpSniper.ps1'
- - '\Invoke-SharpSploit.ps1'
- - '\Invoke-Sharpsploit_nomimi.ps1'
- - '\Invoke-SharpSpray.ps1'
- - '\Invoke-SharpSSDP.ps1'
- - '\Invoke-SharpStay.ps1'
- - '\Invoke-SharpUp.ps1'
- - '\Invoke-Sharpview.ps1'
- - '\Invoke-SharpWatson.ps1'
- - '\Invoke-Sharpweb.ps1'
- - '\Invoke-SharpWSUS.ps1'
- - '\Invoke-ShellCode.ps1'
- - '\Invoke-SMBScanner.ps1'
- - '\Invoke-Snaffler.ps1'
- - '\Invoke-Spoolsample.ps1'
- - '\Invoke-SSHCommand.ps1'
- - '\Invoke-SSIDExfil.ps1'
- - '\Invoke-StandIn.ps1'
- - '\Invoke-StickyNotesExtract.ps1'
- - '\Invoke-Tater.ps1'
- - '\Invoke-Thunderfox.ps1'
- - '\Invoke-ThunderStruck.ps1'
- - '\Invoke-TokenManipulation.ps1'
- - '\Invoke-Tokenvator.ps1'
- - '\Invoke-TotalExec.ps1'
- - '\Invoke-UrbanBishop.ps1'
- - '\Invoke-UserHunter.ps1'
- - '\Invoke-VoiceTroll.ps1'
- - '\Invoke-Whisker.ps1'
- - '\Invoke-WinEnum.ps1'
- - '\Invoke-winPEAS.ps1'
- - '\Invoke-WireTap.ps1'
- - '\Invoke-WmiCommand.ps1'
- - '\Invoke-WScriptBypassUAC.ps1'
- - '\Invoke-Zerologon.ps1'
- - '\Keylogger.ps1'
- - '\MailRaider.ps1'
- - '\New-HoneyHash.ps1'
- - '\OfficeMemScraper.ps1'
- - '\Offline_Winpwn.ps1'
- - '\Out-CHM.ps1'
- - '\Out-DnsTxt.ps1'
- - '\Out-Excel.ps1'
- - '\Out-HTA.ps1'
- - '\Out-Java.ps1'
- - '\Out-JS.ps1'
- - '\Out-Minidump.ps1'
- - '\Out-RundllCommand.ps1'
- - '\Out-SCF.ps1'
- - '\Out-SCT.ps1'
- - '\Out-Shortcut.ps1'
- - '\Out-WebQuery.ps1'
- - '\Out-Word.ps1'
- - '\Parse_Keys.ps1'
- - '\Port-Scan.ps1'
- - '\PowerBreach.ps1'
- - '\powercat.ps1'
- - '\PowerRunAsSystem.psm1'
- - '\PowerSharpPack.ps1'
- - '\PowerUp.ps1'
- - '\PowerUpSQL.ps1'
- - '\PowerView.ps1'
- - '\PSAsyncShell.ps1'
- - '\RemoteHashRetrieval.ps1'
- - '\Remove-Persistence.ps1'
- - '\Remove-PoshRat.ps1'
- - '\Remove-Update.ps1'
- - '\Run-EXEonRemote.ps1'
- - '\Set-DCShadowPermissions.ps1'
- - '\Set-MacAttribute.ps1'
- - '\Set-RemotePSRemoting.ps1'
- - '\Set-RemoteWMI.ps1'
- - '\Set-Wallpaper.ps1'
- - '\Show-TargetScreen.ps1'
- - '\Speak.ps1'
- - '\Start-CaptureServer.ps1'
- - '\Start-WebcamRecorder.ps1'
- - '\StringToBase64.ps1'
- - '\TexttoExe.ps1'
- - '\VolumeShadowCopyTools.ps1'
- - '\WinPwn.ps1'
- - '\WSUSpendu.ps1'
- condition: selection
+ - 'Add-ConstrainedDelegationBackdoor.ps1'
+ - 'Add-Exfiltration.ps1'
+ - 'Add-Persistence.ps1'
+ - 'Add-RegBackdoor.ps1'
+ - 'Add-RemoteRegBackdoor.ps1'
+ - 'Add-ScrnSaveBackdoor.ps1'
+ - 'Check-VM.ps1'
+ - 'ConvertTo-ROT13.ps1'
+ - 'Copy-VSS.ps1'
+ - 'Create-MultipleSessions.ps1'
+ - 'DNS_TXT_Pwnage.ps1'
+ - 'Do-Exfiltration.ps1'
+ - 'DomainPasswordSpray.ps1'
+ - 'Download_Execute.ps1'
+ - 'Download-Execute-PS.ps1'
+ - 'Enabled-DuplicateToken.ps1'
+ - 'Enable-DuplicateToken.ps1'
+ - 'Execute-Command-MSSQL.ps1'
+ - 'Execute-DNSTXT-Code.ps1'
+ - 'Execute-OnTime.ps1'
+ - 'ExetoText.ps1'
+ - 'Exploit-Jboss.ps1'
+ - 'Find-AVSignature.ps1'
+ - 'Find-Fruit.ps1'
+ - 'Find-GPOLocation.ps1'
+ - 'Find-TrustedDocuments.ps1'
+ - 'FireBuster.ps1'
+ - 'FireListener.ps1'
+ - 'Get-ApplicationHost.ps1'
+ - 'Get-ChromeDump.ps1'
+ - 'Get-ClipboardContents.ps1'
+ - 'Get-ComputerDetail.ps1'
+ - 'Get-FoxDump.ps1'
+ - 'Get-GPPAutologon.ps1'
+ - 'Get-GPPPassword.ps1'
+ - 'Get-IndexedItem.ps1'
+ - 'Get-Keystrokes.ps1'
+ - 'Get-LSASecret.ps1'
+ - 'Get-MicrophoneAudio.ps1'
+ - 'Get-PassHashes.ps1'
+ - 'Get-PassHints.ps1'
+ - 'Get-RegAlwaysInstallElevated.ps1'
+ - 'Get-RegAutoLogon.ps1'
+ - 'Get-RickAstley.ps1'
+ - 'Get-Screenshot.ps1'
+ - 'Get-SecurityPackages.ps1'
+ - 'Get-ServiceFilePermission.ps1'
+ - 'Get-ServicePermission.ps1'
+ - 'Get-ServiceUnquoted.ps1'
+ - 'Get-SiteListPassword.ps1'
+ - 'Get-System.ps1'
+ - 'Get-TimedScreenshot.ps1'
+ - 'Get-UnattendedInstallFile.ps1'
+ - 'Get-Unconstrained.ps1'
+ - 'Get-USBKeystrokes.ps1'
+ - 'Get-VaultCredential.ps1'
+ - 'Get-VulnAutoRun.ps1'
+ - 'Get-VulnSchTask.ps1'
+ - 'Get-WebConfig.ps1'
+ - 'Get-WebCredentials.ps1'
+ - 'Get-WLAN-Keys.ps1'
+ - 'Gupt-Backdoor.ps1'
+ - 'HTTP-Backdoor.ps1'
+ - 'HTTP-Login.ps1'
+ - 'Install-ServiceBinary.ps1'
+ - 'Install-SSP.ps1'
+ - 'Invoke-ACLScanner.ps1'
+ - 'Invoke-ADSBackdoor.ps1'
+ - 'Invoke-AmsiBypass.ps1'
+ - 'Invoke-ARPScan.ps1'
+ - 'Invoke-BackdoorLNK.ps1'
+ - 'Invoke-BadPotato.ps1'
+ - 'Invoke-BetterSafetyKatz.ps1'
+ - 'Invoke-BruteForce.ps1'
+ - 'Invoke-BypassUAC.ps1'
+ - 'Invoke-Carbuncle.ps1'
+ - 'Invoke-Certify.ps1'
+ - 'Invoke-ConPtyShell.ps1'
+ - 'Invoke-CredentialInjection.ps1'
+ - 'Invoke-CredentialsPhish.ps1'
+ - 'Invoke-DAFT.ps1'
+ - 'Invoke-DCSync.ps1'
+ - 'Invoke-Decode.ps1'
+ - 'Invoke-DinvokeKatz.ps1'
+ - 'Invoke-DllInjection.ps1'
+ - 'Invoke-DowngradeAccount.ps1'
+ - 'Invoke-EgressCheck.ps1'
+ - 'Invoke-Encode.ps1'
+ - 'Invoke-EventViewer.ps1'
+ - 'Invoke-Eyewitness.ps1'
+ - 'Invoke-FakeLogonScreen.ps1'
+ - 'Invoke-Farmer.ps1'
+ - 'Invoke-Get-RBCD-Threaded.ps1'
+ - 'Invoke-Gopher.ps1'
+ - 'Invoke-Grouper2.ps1'
+ - 'Invoke-Grouper3.ps1'
+ - 'Invoke-HandleKatz.ps1'
+ - 'Invoke-Interceptor.ps1'
+ - 'Invoke-Internalmonologue.ps1'
+ - 'Invoke-Inveigh.ps1'
+ - 'Invoke-InveighRelay.ps1'
+ - 'Invoke-JSRatRegsvr.ps1'
+ - 'Invoke-JSRatRundll.ps1'
+ - 'Invoke-KrbRelay.ps1'
+ - 'Invoke-KrbRelayUp.ps1'
+ - 'Invoke-LdapSignCheck.ps1'
+ - 'Invoke-Lockless.ps1'
+ - 'Invoke-MalSCCM.ps1'
+ - 'Invoke-Mimikatz.ps1'
+ - 'Invoke-MimikatzWDigestDowngrade.ps1'
+ - 'Invoke-Mimikittenz.ps1'
+ - 'Invoke-MITM6.ps1'
+ - 'Invoke-NanoDump.ps1'
+ - 'Invoke-NetRipper.ps1'
+ - 'Invoke-NetworkRelay.ps1'
+ - 'Invoke-NinjaCopy.ps1'
+ - 'Invoke-OxidResolver.ps1'
+ - 'Invoke-P0wnedshell.ps1'
+ - 'Invoke-P0wnedshellx86.ps1'
+ - 'Invoke-Paranoia.ps1'
+ - 'Invoke-PortScan.ps1'
+ - 'Invoke-PoshRatHttp.ps1'
+ - 'Invoke-PoshRatHttps.ps1'
+ - 'Invoke-PostExfil.ps1'
+ - 'Invoke-PowerDump.ps1'
+ - 'Invoke-PowerShellIcmp.ps1'
+ - 'Invoke-PowerShellTCP.ps1'
+ - 'Invoke-PowerShellTcpOneLine.ps1'
+ - 'Invoke-PowerShellTcpOneLineBind.ps1'
+ - 'Invoke-PowerShellUdp.ps1'
+ - 'Invoke-PowerShellUdpOneLine.ps1'
+ - 'Invoke-PowerShellWMI.ps1'
+ - 'Invoke-PowerThIEf.ps1'
+ - 'Invoke-PPLDump.ps1'
+ - 'Invoke-Prasadhak.ps1'
+ - 'Invoke-PsExec.ps1'
+ - 'Invoke-PsGcat.ps1'
+ - 'Invoke-PsGcatAgent.ps1'
+ - 'Invoke-PSInject.ps1'
+ - 'Invoke-PsUaCme.ps1'
+ - 'Invoke-ReflectivePEInjection.ps1'
+ - 'Invoke-ReverseDNSLookup.ps1'
+ - 'Invoke-Rubeus.ps1'
+ - 'Invoke-RunAs.ps1'
+ - 'Invoke-SafetyKatz.ps1'
+ - 'Invoke-SauronEye.ps1'
+ - 'Invoke-SCShell.ps1'
+ - 'Invoke-Seatbelt.ps1'
+ - 'Invoke-ServiceAbuse.ps1'
+ - 'Invoke-SessionGopher.ps1'
+ - 'Invoke-ShellCode.ps1'
+ - 'Invoke-SMBScanner.ps1'
+ - 'Invoke-Snaffler.ps1'
+ - 'Invoke-Spoolsample.ps1'
+ - 'Invoke-SSHCommand.ps1'
+ - 'Invoke-SSIDExfil.ps1'
+ - 'Invoke-StandIn.ps1'
+ - 'Invoke-StickyNotesExtract.ps1'
+ - 'Invoke-Tater.ps1'
+ - 'Invoke-Thunderfox.ps1'
+ - 'Invoke-ThunderStruck.ps1'
+ - 'Invoke-TokenManipulation.ps1'
+ - 'Invoke-Tokenvator.ps1'
+ - 'Invoke-TotalExec.ps1'
+ - 'Invoke-UrbanBishop.ps1'
+ - 'Invoke-UserHunter.ps1'
+ - 'Invoke-VoiceTroll.ps1'
+ - 'Invoke-Whisker.ps1'
+ - 'Invoke-WinEnum.ps1'
+ - 'Invoke-winPEAS.ps1'
+ - 'Invoke-WireTap.ps1'
+ - 'Invoke-WmiCommand.ps1'
+ - 'Invoke-WScriptBypassUAC.ps1'
+ - 'Invoke-Zerologon.ps1'
+ - 'Keylogger.ps1'
+ - 'MailRaider.ps1'
+ - 'New-HoneyHash.ps1'
+ - 'OfficeMemScraper.ps1'
+ - 'Offline_Winpwn.ps1'
+ - 'Out-CHM.ps1'
+ - 'Out-DnsTxt.ps1'
+ - 'Out-Excel.ps1'
+ - 'Out-HTA.ps1'
+ - 'Out-Java.ps1'
+ - 'Out-JS.ps1'
+ - 'Out-Minidump.ps1'
+ - 'Out-RundllCommand.ps1'
+ - 'Out-SCF.ps1'
+ - 'Out-SCT.ps1'
+ - 'Out-Shortcut.ps1'
+ - 'Out-WebQuery.ps1'
+ - 'Out-Word.ps1'
+ - 'Parse_Keys.ps1'
+ - 'Port-Scan.ps1'
+ - 'PowerBreach.ps1'
+ - 'powercat.ps1'
+ - 'PowerRunAsSystem.psm1'
+ - 'PowerSharpPack.ps1'
+ - 'PowerUp.ps1'
+ - 'PowerUpSQL.ps1'
+ - 'PowerView.ps1'
+ - 'PSAsyncShell.ps1'
+ - 'RemoteHashRetrieval.ps1'
+ - 'Remove-Persistence.ps1'
+ - 'Remove-PoshRat.ps1'
+ - 'Remove-Update.ps1'
+ - 'Run-EXEonRemote.ps1'
+ - 'Set-DCShadowPermissions.ps1'
+ - 'Set-MacAttribute.ps1'
+ - 'Set-RemotePSRemoting.ps1'
+ - 'Set-RemoteWMI.ps1'
+ - 'Set-Wallpaper.ps1'
+ - 'Show-TargetScreen.ps1'
+ - 'Speak.ps1'
+ - 'Start-CaptureServer.ps1'
+ - 'Start-WebcamRecorder.ps1'
+ - 'StringToBase64.ps1'
+ - 'TexttoExe.ps1'
+ - 'VolumeShadowCopyTools.ps1'
+ - 'WinPwn.ps1'
+ - 'WSUSpendu.ps1'
+ selection_invoke_sharp:
+ ContextInfo|contains|all:
+ - 'Invoke-Sharp' # Covers all "Invoke-Sharp" variants
+ - '.ps1'
+ condition: 1 of selection_*
 falsepositives:
 - Unknown
 level: high
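Review bot: Besides the Invoke-Sharp consolidation named in the subject line, this hunk also removes the leading `\` from every remaining `ContextInfo|contains` entry (`'\Add-ConstrainedDelegationBackdoor.ps1'` becomes `'Add-ConstrainedDelegationBackdoor.ps1'`), which widens matching for all 221 names at once; that second change deserves a sentence in the commit message or a comment above the list — presumably along the lines of `# No leading '\': ContextInfo may carry the script name without a path` — if that is the rationale. The new `selection_invoke_sharp` uses `contains|all` with `'Invoke-Sharp'` and `'.ps1'` as two independent substrings, so they need not belong to the same token: an event whose ContextInfo mentions an `Invoke-Sharp*` function and some unrelated `.ps1` path also satisfies it. If the intent is the script file itself, either accept that looser pairing in the comment or match the name and extension as one term. The same widening of `'Invoke-Sharp'` is introduced in the other four rules of this patch, so the rationale should be documented once and consistently.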
diff --git a/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml b/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml
index 19de59aaf..bfff23265 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml
@@ -161,43 +161,7 @@ detection:
 - 'Invoke-Seatbelt'
 - 'Invoke-ServiceAbuse'
 - 'Invoke-ShadowSpray'
- - 'Invoke-SharpAllowedToAct'
- - 'Invoke-SharpBlock'
- - 'Invoke-SharpBypassUAC'
- - 'Invoke-SharpChromium'
- - 'Invoke-SharpClipboard'
- - 'Invoke-SharpCloud'
- - 'Invoke-SharpDPAPI'
- - 'Invoke-SharpDump'
- - 'Invoke-SharPersist'
- - 'Invoke-SharpGPOAbuse'
- - 'Invoke-SharpGPO-RemoteAccessPolicies'
- - 'Invoke-SharpHandler'
- - 'Invoke-SharpHide'
- - 'Invoke-Sharphound' # Also Covers "Invoke-SharpHound2", "Invoke-SharpHound3"...etc.
- - 'Invoke-SharpImpersonation'
- - 'Invoke-SharpImpersonationNoSpace'
- - 'Invoke-SharpKatz'
- - 'Invoke-SharpLdapRelayScan'
- - 'Invoke-Sharplocker'
- - 'Invoke-SharpLoginPrompt'
- - 'Invoke-SharpMove'
- - 'Invoke-SharpPrinter'
- - 'Invoke-SharpPrintNightmare'
- - 'Invoke-SharpRDP'
- - 'Invoke-SharpSCCM'
- - 'Invoke-SharpSecDump'
- - 'Invoke-Sharpshares'
- - 'Invoke-SharpSniper'
- - 'Invoke-SharpSploit'
- - 'Invoke-SharpSpray'
- - 'Invoke-SharpSSDP'
- - 'Invoke-SharpStay'
- - 'Invoke-SharpUp'
- - 'Invoke-Sharpview'
- - 'Invoke-SharpWatson'
- - 'Invoke-Sharpweb'
- - 'Invoke-SharpWSUS'
+ - 'Invoke-Sharp' # Covers all "Invoke-Sharp" variants
 - 'Invoke-Shellcode'
 - 'Invoke-SMBScanner'
 - 'Invoke-Snaffler'
diff --git a/rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml b/rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml
index 31ac1e1e1..e81d3072e 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml
@@ -166,43 +166,7 @@ detection:
 - 'Invoke-Seatbelt'
 - 'Invoke-ServiceAbuse'
 - 'Invoke-ShadowSpray'
- - 'Invoke-SharpAllowedToAct'
- - 'Invoke-SharpBlock'
- - 'Invoke-SharpBypassUAC'
- - 'Invoke-SharpChromium'
- - 'Invoke-SharpClipboard'
- - 'Invoke-SharpCloud'
- - 'Invoke-SharpDPAPI'
- - 'Invoke-SharpDump'
- - 'Invoke-SharPersist'
- - 'Invoke-SharpGPOAbuse'
- - 'Invoke-SharpGPO-RemoteAccessPolicies'
- - 'Invoke-SharpHandler'
- - 'Invoke-SharpHide'
- - 'Invoke-Sharphound' # Also Covers "Invoke-SharpHound2", "Invoke-SharpHound3"...etc.
- - 'Invoke-SharpImpersonation'
- - 'Invoke-SharpImpersonationNoSpace'
- - 'Invoke-SharpKatz'
- - 'Invoke-SharpLdapRelayScan'
- - 'Invoke-Sharplocker'
- - 'Invoke-SharpLoginPrompt'
- - 'Invoke-SharpMove'
- - 'Invoke-SharpPrinter'
- - 'Invoke-SharpPrintNightmare'
- - 'Invoke-SharpRDP'
- - 'Invoke-SharpSCCM'
- - 'Invoke-SharpSecDump'
- - 'Invoke-Sharpshares'
- - 'Invoke-SharpSniper'
- - 'Invoke-SharpSploit'
- - 'Invoke-SharpSpray'
- - 'Invoke-SharpSSDP'
- - 'Invoke-SharpStay'
- - 'Invoke-SharpUp'
- - 'Invoke-Sharpview'
- - 'Invoke-SharpWatson'
- - 'Invoke-Sharpweb'
- - 'Invoke-SharpWSUS'
+ - 'Invoke-Sharp' # Covers all "Invoke-Sharp" variants
 - 'Invoke-Shellcode'
 - 'Invoke-SMBScanner'
 - 'Invoke-Snaffler'
diff --git a/rules/windows/process_creation/proc_creation_win_malicious_cmdlets.yml b/rules/windows/process_creation/proc_creation_win_malicious_cmdlets.yml
index f8a021787..70e991f2b 100644
--- a/rules/windows/process_creation/proc_creation_win_malicious_cmdlets.yml
+++ b/rules/windows/process_creation/proc_creation_win_malicious_cmdlets.yml
@@ -161,43 +161,7 @@ detection:
 - 'Invoke-Seatbelt'
 - 'Invoke-ServiceAbuse'
 - 'Invoke-ShadowSpray'
- - 'Invoke-SharpAllowedToAct'
- - 'Invoke-SharpBlock'
- - 'Invoke-SharpBypassUAC'
- - 'Invoke-SharpChromium'
- - 'Invoke-SharpClipboard'
- - 'Invoke-SharpCloud'
- - 'Invoke-SharpDPAPI'
- - 'Invoke-SharpDump'
- - 'Invoke-SharPersist'
- - 'Invoke-SharpGPOAbuse'
- - 'Invoke-SharpGPO-RemoteAccessPolicies'
- - 'Invoke-SharpHandler'
- - 'Invoke-SharpHide'
- - 'Invoke-Sharphound' # Also Covers "Invoke-SharpHound2", "Invoke-SharpHound3"...etc.
- - 'Invoke-SharpImpersonation'
- - 'Invoke-SharpImpersonationNoSpace'
- - 'Invoke-SharpKatz'
- - 'Invoke-SharpLdapRelayScan'
- - 'Invoke-Sharplocker'
- - 'Invoke-SharpLoginPrompt'
- - 'Invoke-SharpMove'
- - 'Invoke-SharpPrinter'
- - 'Invoke-SharpPrintNightmare'
- - 'Invoke-SharpRDP'
- - 'Invoke-SharpSCCM'
- - 'Invoke-SharpSecDump'
- - 'Invoke-Sharpshares'
- - 'Invoke-SharpSniper'
- - 'Invoke-SharpSploit'
- - 'Invoke-SharpSpray'
- - 'Invoke-SharpSSDP'
- - 'Invoke-SharpStay'
- - 'Invoke-SharpUp'
- - 'Invoke-Sharpview'
- - 'Invoke-SharpWatson'
- - 'Invoke-Sharpweb'
- - 'Invoke-SharpWSUS'
+ - 'Invoke-Sharp' # Covers all "Invoke-Sharp" variants
 - 'Invoke-Shellcode'
 - 'Invoke-SMBScanner'
 - 'Invoke-Snaffler'