6f05e33feb
Correct a number of rules where message or keyword were incorrectly used as field names in events (typically windows event logs). However, neither field actually exists and as such these strings could never match.
43 lines
1.3 KiB
YAML
title: Malicious PowerShell Keywords
id: f62176f3-8128-4faa-bf6c-83261322e5eb
status: experimental
description: Detects keywords from well-known PowerShell exploitation frameworks
references:
    - https://adsecurity.org/?p=2921
tags:
    - attack.execution
    - attack.t1059.001
    - attack.t1086 # an old one
author: Sean Metcalf (source), Florian Roth (rule)
date: 2017/03/05
logsource:
    product: windows
    service: powershell
    definition: 'It is recommended to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277'
detection:
    keywords:
        - "AdjustTokenPrivileges"
        - "IMAGE_NT_OPTIONAL_HDR64_MAGIC"
        - "Microsoft.Win32.UnsafeNativeMethods"
        - "ReadProcessMemory.Invoke"
        - "SE_PRIVILEGE_ENABLED"
        - "LSA_UNICODE_STRING"
        - "MiniDumpWriteDump"
        - "PAGE_EXECUTE_READ"
        - "SECURITY_DELEGATION"
        - "TOKEN_ADJUST_PRIVILEGES"
        - "TOKEN_ALL_ACCESS"
        - "TOKEN_ASSIGN_PRIMARY"
        - "TOKEN_DUPLICATE"
        - "TOKEN_ELEVATION"
        - "TOKEN_IMPERSONATE"
        - "TOKEN_INFORMATION_CLASS"
        - "TOKEN_PRIVILEGES"
        - "TOKEN_QUERY"
        - "Metasploit"
        - "Mimikatz"
    condition: keywords
falsepositives:
    - Penetration tests
level: high
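The commit message explains why the rule now uses an unbound keywords list: a keyword tied to a field called message or keyword can never match, because PowerShell event logs carry no such field. The following Python snippet is an added illustration, not code from the Sigma project or from this commit. It implements the two matching strategies side by side with a minimal evaluator (the function names match_bound, match_unbound and evaluate, and the sample events, are constructed for this example; ScriptBlockText is the field that real Windows PowerShell 4104 script block events carry) and runs the rule's own keyword list over a few constructed events.

```python
"""
Added illustration (not part of the Sigma project or this commit): a minimal
evaluator showing why a keyword bound to a non-existent field such as
`message` or `keyword` never matches, while an unbound `keywords:` list is
checked against every value in the event.
"""

# Keyword list copied from the rule above.
KEYWORDS = [
    "AdjustTokenPrivileges",
    "IMAGE_NT_OPTIONAL_HDR64_MAGIC",
    "Microsoft.Win32.UnsafeNativeMethods",
    "ReadProcessMemory.Invoke",
    "SE_PRIVILEGE_ENABLED",
    "LSA_UNICODE_STRING",
    "MiniDumpWriteDump",
    "PAGE_EXECUTE_READ",
    "SECURITY_DELEGATION",
    "TOKEN_ADJUST_PRIVILEGES",
    "TOKEN_ALL_ACCESS",
    "TOKEN_ASSIGN_PRIMARY",
    "TOKEN_DUPLICATE",
    "TOKEN_ELEVATION",
    "TOKEN_IMPERSONATE",
    "TOKEN_INFORMATION_CLASS",
    "TOKEN_PRIVILEGES",
    "TOKEN_QUERY",
    "Metasploit",
    "Mimikatz",
]

# Constructed sample events (not real log data). ScriptBlockText is the field
# carried by Windows PowerShell event 4104; Payload by event 4103. Note that no
# event has a field named "message" or "keyword".
SAMPLE_EVENTS = [
    {"EventID": 4104, "ScriptBlockText": "Get-ChildItem C:\\Users | Measure-Object"},
    {"EventID": 4104, "ScriptBlockText": "$tp = New-Object TOKEN_PRIVILEGES; AdjustTokenPrivileges $h"},
    {"EventID": 4103, "Payload": "CommandInvocation(Invoke-Mimikatz)"},
]


def match_bound(event, field, keywords):
    """The broken form: each keyword is tested against one named field only.

    If the field is absent from the event (as "message" always is for these
    logs) the rule can never fire, whatever the script block contains.
    """
    value = event.get(field)
    if value is None:
        return False
    text = str(value).lower()  # Sigma string matching is case-insensitive
    return any(k.lower() in text for k in keywords)


def match_unbound(event, keywords):
    """The corrected form: an unbound Sigma keyword is searched across every
    field value of the event, so it does not depend on a field name."""
    haystack = " ".join(str(v) for v in event.values()).lower()
    return any(k.lower() in haystack for k in keywords)


def evaluate(events, keywords=KEYWORDS):
    """Return (indices hit by the field-bound 'message' form,
               indices hit by the unbound keyword form)."""
    bound = [i for i, e in enumerate(events) if match_bound(e, "message", keywords)]
    unbound = [i for i, e in enumerate(events) if match_unbound(e, keywords)]
    return bound, unbound


if __name__ == "__main__":
    bound_hits, unbound_hits = evaluate(SAMPLE_EVENTS)
    print("bound to 'message' field:", bound_hits)   # [] - the field never exists
    print("unbound keywords:        ", unbound_hits)  # [1, 2]
```

Running it shows the field-bound form silently producing no hits at all, while the unbound form flags the two events whose text contains rule keywords; the benign directory listing in the first event is left alone. When porting a rule to a backend, a quick sanity check of this kind against one known-positive event catches a dead field name before the rule goes into production.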