security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
57bfdc7a028eb7b6dd2a762dfd053ebddb31f8bf
blue-team-tools/rules/windows/powershell/powershell_shellintel_malicious_commandlets.yml
T
Max Altgelt 5b60e0ea5a feat: Add some rules to detect Conti behaviour 
Add rules based on the leaks from the Conti group to detect
malicious behaviour.
2021-08-16 09:13:51 +02:00

28 lines
733 B
YAML
Raw Blame History

title: Malicious ShellIntel PowerShell Commandlets
id: 402e1e1d-ad59-47b6-bf80-1ee44985b3a7
status: experimental
description: Detects Commandlet names from ShellIntel exploitation scripts.
date: 2021/08/09
references:
- https://github.com/Shellntel/scripts/
tags:
- attack.execution
- attack.t1059.001
author: Max Altgelt, Tobias Michalski
logsource:
product: windows
service: powershell
definition: It is recommended to use the new "Script Block Logging" of PowerShell v5.
detection:
selection:
EventID: 4104
ScriptBlockText:
- Invoke-SMBAutoBrute
- Invoke-GPOLinks
- Out-Minidump
- Invoke-Potato
condition: selection
falsepositives:
- Unknown
level: high
Reference in New Issue View Git Blame Copy Permalink