security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
0e31c236203dec584497f711102a3b98de00fa45
blue-team-tools/rules/windows/powershell/powershell_script/powershell_invoke_nightmare.yml
T
frack113 ab663f9bcf Add MITTRE Technique
2021-11-20 10:56:41 +01:00

24 lines
615 B
YAML
Raw Blame History

title: PrintNightmare Powershell Exploitation
id: 6d3f1399-a81c-4409-aff3-1ecfe9330baf
status: test
description: Detects Commandlet name for PrintNightmare exploitation.
date: 2021/08/09
modified: 2021/10/16
references:
- https://github.com/calebstewart/CVE-2021-1675
author: Max Altgelt, Tobias Michalski
logsource:
product: windows
category: ps_script
definition: Script Block Logging must be enable
detection:
selection:
ScriptBlockText|contains: Invoke-Nightmare
condition: selection
falsepositives:
- Unknown
level: high
tags:
- attack.privilege_escalation
- attack.t1548
Reference in New Issue View Git Blame Copy Permalink