security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
07cf7ae5fa300bcbf7b4a61cd92f366c04d8a939
blue-team-tools/rules/windows/powershell/powershell_script/posh_ps_invoke_nightmare.yml
T
frack113 1e5ae09c4b Order yaml field
2022-10-26 09:43:39 +02:00

24 lines
622 B
YAML
Raw Blame History

title: PrintNightmare Powershell Exploitation
id: 6d3f1399-a81c-4409-aff3-1ecfe9330baf
status: test
description: Detects Commandlet name for PrintNightmare exploitation.
references:
- https://github.com/calebstewart/CVE-2021-1675
author: Max Altgelt, Tobias Michalski
date: 2021/08/09
modified: 2021/10/16
tags:
- attack.privilege_escalation
- attack.t1548
logsource:
product: windows
category: ps_script
definition: Script Block Logging must be enabled
detection:
selection:
ScriptBlockText|contains: Invoke-Nightmare
condition: selection
falsepositives:
- Unknown
level: high
Reference in New Issue View Git Blame Copy Permalink