Merge pull request #508 from Karneades/fixRule3

fix: bind keywords to the Message field in multiple PS rules
Thomas Patzke
2019-10-29 22:34:08 +01:00
committed by GitHub
4 changed files with 126 additions and 122 deletions
@@ -14,100 +14,101 @@ logsource:
definition: 'It is recommended to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277'
detection:
keywords:
- Invoke-DllInjection
- Invoke-Shellcode
- Invoke-WmiCommand
- Get-GPPPassword
- Get-Keystrokes
- Get-TimedScreenshot
- Get-VaultCredential
- Invoke-CredentialInjection
- Invoke-Mimikatz
- Invoke-NinjaCopy
- Invoke-TokenManipulation
- Out-Minidump
- VolumeShadowCopyTools
- Invoke-ReflectivePEInjection
- Invoke-UserHunter
- Find-GPOLocation
- Invoke-ACLScanner
- Invoke-DowngradeAccount
- Get-ServiceUnquoted
- Get-ServiceFilePermission
- Get-ServicePermission
- Invoke-ServiceAbuse
- Install-ServiceBinary
- Get-RegAutoLogon
- Get-VulnAutoRun
- Get-VulnSchTask
- Get-UnattendedInstallFile
- Get-ApplicationHost
- Get-RegAlwaysInstallElevated
- Get-Unconstrained
- Add-RegBackdoor
- Add-ScrnSaveBackdoor
- Gupt-Backdoor
- Invoke-ADSBackdoor
- Enabled-DuplicateToken
- Invoke-PsUaCme
- Remove-Update
- Check-VM
- Get-LSASecret
- Get-PassHashes
- Show-TargetScreen
- Port-Scan
- Invoke-PoshRatHttp
- Invoke-PowerShellTCP
- Invoke-PowerShellWMI
- Add-Exfiltration
- Add-Persistence
- Do-Exfiltration
- Start-CaptureServer
- Get-ChromeDump
- Get-ClipboardContents
- Get-FoxDump
- Get-IndexedItem
- Get-Screenshot
- Invoke-Inveigh
- Invoke-NetRipper
- Invoke-EgressCheck
- Invoke-PostExfil
- Invoke-PSInject
- Invoke-RunAs
- MailRaider
- New-HoneyHash
- Set-MacAttribute
- Invoke-DCSync
- Invoke-PowerDump
- Exploit-Jboss
- Invoke-ThunderStruck
- Invoke-VoiceTroll
- Set-Wallpaper
- Invoke-InveighRelay
- Invoke-PsExec
- Invoke-SSHCommand
- Get-SecurityPackages
- Install-SSP
- Invoke-BackdoorLNK
- PowerBreach
- Get-SiteListPassword
- Get-System
- Invoke-BypassUAC
- Invoke-Tater
- Invoke-WScriptBypassUAC
- PowerUp
- PowerView
- Get-RickAstley
- Find-Fruit
- HTTP-Login
- Find-TrustedDocuments
- Invoke-Paranoia
- Invoke-WinEnum
- Invoke-ARPScan
- Invoke-PortScan
- Invoke-ReverseDNSLookup
- Invoke-SMBScanner
- Invoke-Mimikittenz
Message:
- "*Invoke-DllInjection*"
- "*Invoke-Shellcode*"
- "*Invoke-WmiCommand*"
- "*Get-GPPPassword*"
- "*Get-Keystrokes*"
- "*Get-TimedScreenshot*"
- "*Get-VaultCredential*"
- "*Invoke-CredentialInjection*"
- "*Invoke-Mimikatz*"
- "*Invoke-NinjaCopy*"
- "*Invoke-TokenManipulation*"
- "*Out-Minidump*"
- "*VolumeShadowCopyTools*"
- "*Invoke-ReflectivePEInjection*"
- "*Invoke-UserHunter*"
- "*Find-GPOLocation*"
- "*Invoke-ACLScanner*"
- "*Invoke-DowngradeAccount*"
- "*Get-ServiceUnquoted*"
- "*Get-ServiceFilePermission*"
- "*Get-ServicePermission*"
- "*Invoke-ServiceAbuse*"
- "*Install-ServiceBinary*"
- "*Get-RegAutoLogon*"
- "*Get-VulnAutoRun*"
- "*Get-VulnSchTask*"
- "*Get-UnattendedInstallFile*"
- "*Get-ApplicationHost*"
- "*Get-RegAlwaysInstallElevated*"
- "*Get-Unconstrained*"
- "*Add-RegBackdoor*"
- "*Add-ScrnSaveBackdoor*"
- "*Gupt-Backdoor*"
- "*Invoke-ADSBackdoor*"
- "*Enabled-DuplicateToken*"
- "*Invoke-PsUaCme*"
- "*Remove-Update*"
- "*Check-VM*"
- "*Get-LSASecret*"
- "*Get-PassHashes*"
- "*Show-TargetScreen*"
- "*Port-Scan*"
- "*Invoke-PoshRatHttp*"
- "*Invoke-PowerShellTCP*"
- "*Invoke-PowerShellWMI*"
- "*Add-Exfiltration*"
- "*Add-Persistence*"
- "*Do-Exfiltration*"
- "*Start-CaptureServer*"
- "*Get-ChromeDump*"
- "*Get-ClipboardContents*"
- "*Get-FoxDump*"
- "*Get-IndexedItem*"
- "*Get-Screenshot*"
- "*Invoke-Inveigh*"
- "*Invoke-NetRipper*"
- "*Invoke-EgressCheck*"
- "*Invoke-PostExfil*"
- "*Invoke-PSInject*"
- "*Invoke-RunAs*"
- "*MailRaider*"
- "*New-HoneyHash*"
- "*Set-MacAttribute*"
- "*Invoke-DCSync*"
- "*Invoke-PowerDump*"
- "*Exploit-Jboss*"
- "*Invoke-ThunderStruck*"
- "*Invoke-VoiceTroll*"
- "*Set-Wallpaper*"
- "*Invoke-InveighRelay*"
- "*Invoke-PsExec*"
- "*Invoke-SSHCommand*"
- "*Get-SecurityPackages*"
- "*Install-SSP*"
- "*Invoke-BackdoorLNK*"
- "*PowerBreach*"
- "*Get-SiteListPassword*"
- "*Get-System*"
- "*Invoke-BypassUAC*"
- "*Invoke-Tater*"
- "*Invoke-WScriptBypassUAC*"
- "*PowerUp*"
- "*PowerView*"
- "*Get-RickAstley*"
- "*Find-Fruit*"
- "*HTTP-Login*"
- "*Find-TrustedDocuments*"
- "*Invoke-Paranoia*"
- "*Invoke-WinEnum*"
- "*Invoke-ARPScan*"
- "*Invoke-PortScan*"
- "*Invoke-ReverseDNSLookup*"
- "*Invoke-SMBScanner*"
- "*Invoke-Mimikittenz*"
false_positives:
- Get-SystemDriveInfo # http://bheltborg.dk/Windows/WinSxS/amd64_microsoft-windows-maintenancediagnostic_31bf3856ad364e35_10.0.10240.16384_none_91ef7543a4514b5e/CL_Utility.ps1
condition: keywords and not false_positives
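Review bot: The `false_positives` selection at the end of the hunk is still a bare keyword list while `keywords` is now bound to `Message`, so the `Get-SystemDriveInfo` exclusion (needed because the new `*Get-System*` pattern also matches it) is evaluated as a free-text search rather than against the same field, and on backends that search every field for unbound keywords the match and the exclusion can land in different places. Bind it the same way: `false_positives:` / `  Message:` / `    - '*Get-SystemDriveInfo*'`; the unchanged `condition: keywords and not false_positives` then keeps working as intended. This rule also uses double quotes for the new values while the other rules in the same PR use single quotes; nothing here needs escaping so both parse identically, but single quotes avoid surprises once a pattern contains a backslash.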
@@ -14,26 +14,27 @@ logsource:
definition: 'It is recommended to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277'
detection:
keywords:
- AdjustTokenPrivileges
- IMAGE_NT_OPTIONAL_HDR64_MAGIC
- Microsoft.Win32.UnsafeNativeMethods
- ReadProcessMemory.Invoke
- SE_PRIVILEGE_ENABLED
- LSA_UNICODE_STRING
- MiniDumpWriteDump
- PAGE_EXECUTE_READ
- SECURITY_DELEGATION
- TOKEN_ADJUST_PRIVILEGES
- TOKEN_ALL_ACCESS
- TOKEN_ASSIGN_PRIMARY
- TOKEN_DUPLICATE
- TOKEN_ELEVATION
- TOKEN_IMPERSONATE
- TOKEN_INFORMATION_CLASS
- TOKEN_PRIVILEGES
- TOKEN_QUERY
- Metasploit
- Mimikatz
Message:
- "*AdjustTokenPrivileges*"
- "*IMAGE_NT_OPTIONAL_HDR64_MAGIC*"
- "*Microsoft.Win32.UnsafeNativeMethods*"
- "*ReadProcessMemory.Invoke*"
- "*SE_PRIVILEGE_ENABLED*"
- "*LSA_UNICODE_STRING*"
- "*MiniDumpWriteDump*"
- "*PAGE_EXECUTE_READ*"
- "*SECURITY_DELEGATION*"
- "*TOKEN_ADJUST_PRIVILEGES*"
- "*TOKEN_ALL_ACCESS*"
- "*TOKEN_ASSIGN_PRIMARY*"
- "*TOKEN_DUPLICATE*"
- "*TOKEN_ELEVATION*"
- "*TOKEN_IMPERSONATE*"
- "*TOKEN_INFORMATION_CLASS*"
- "*TOKEN_PRIVILEGES*"
- "*TOKEN_QUERY*"
- "*Metasploit*"
- "*Mimikatz*"
condition: keywords
falsepositives:
- Penetration tests
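Review bot: Binding the list to `Message` narrows the rule to events that carry the full text in a field of that name, which the rule does not document; the `definition` line above the hunk recommends Script Block Logging, and a pipeline that extracts script block content into its own field and drops `Message` (an inference about deployments, not something visible here) would make this rule match nothing without any error. A one-line note above `Message:` such as `# matches the full event text; the log source must retain the Message field (script block content included)` would tell an operator what to check when the rule stays silent. If a field-agnostic match is intended on some backends, that should be stated in `definition` rather than left to the converter's default.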
@@ -10,8 +10,9 @@ logsource:
service: powershell
detection:
keywords:
- 'System.Net.WebClient).DownloadString('
- 'system.net.webclient).downloadfile('
Message:
- '*System.Net.WebClient).DownloadString(*'
- '*system.net.webclient).downloadfile(*'
condition: keywords
falsepositives:
- PowerShell scripts that download content from the Internet
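Review bot: Both new patterns require the `System.` prefix, so the shorthand `Net.WebClient` form that the fourth rule in this same PR looks for (`iex(New-Object Net.WebClient).Download`) is not covered here. Dropping the prefix makes the wildcard match both spellings without widening it otherwise: `- '*Net.WebClient).DownloadString(*'` and `- '*Net.WebClient).DownloadFile(*'`; a third entry for `DownloadData(` would close the remaining WebClient download method if that is in scope for this rule. The two lines also differ in case (`System.Net.WebClient` vs `system.net.webclient`); Sigma matching is case-insensitive on the usual backends so this works, but a consistent spelling reads as intentional rather than accidental.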
@@ -10,12 +10,13 @@ logsource:
service: powershell
detection:
keywords:
- ' -nop -w hidden -c * [Convert]::FromBase64String'
- ' -w hidden -noni -nop -c "iex(New-Object'
- ' -w hidden -ep bypass -Enc'
- 'powershell.exe reg add HKCU\software\microsoft\windows\currentversion\run'
- 'bypass -noprofile -windowstyle hidden (new-object system.net.webclient).download'
- 'iex(New-Object Net.WebClient).Download'
Message:
- '* -nop -w hidden -c * [Convert]::FromBase64String*'
- '* -w hidden -noni -nop -c "iex(New-Object*'
- '* -w hidden -ep bypass -Enc*'
- '*powershell.exe reg add HKCU\software\microsoft\windows\currentversion\run*'
- '*bypass -noprofile -windowstyle hidden (new-object system.net.webclient).download*'
- '*iex(New-Object Net.WebClient).Download*'
condition: keywords
falsepositives:
- Penetration tests
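Review bot: The registry path in `'*powershell.exe reg add HKCU\software\microsoft\windows\currentversion\run*'` contains single backslashes, which Sigma treats as its escape character; the spec allows a lone backslash before a non-wildcard character to stand for itself, but backend conversions have not always agreed on that, so the unambiguous form `'*powershell.exe reg add HKCU\\software\\microsoft\\windows\\currentversion\\run*'` is safer for a value that must survive every converter. The single-quoted YAML is correct as written (no YAML escape processing), so the change is only about the Sigma layer. Separately, the three flag-sequence patterns (`-nop -w hidden -c`, `-w hidden -noni -nop -c`, `-w hidden -ep bypass -Enc`) are order-dependent and trivially evaded by reordering switches; a short comment stating that these are known-tool fingerprints rather than a general hidden-window detection would set expectations for whoever tunes the rule.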