security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
5b60e0ea5ab8e1dc56fe371f4be3bc48f9592c0b
blue-team-tools/rules/windows/powershell/powershell_invoke_nightmare.yml
T
Max Altgelt 5b60e0ea5a feat: Add some rules to detect Conti behaviour 
Add rules based on the leaks from the Conti group to detect
malicious behaviour.
2021-08-16 09:13:51 +02:00

22 lines
602 B
YAML
Raw Blame History

title: PrintNightmare Powershell Exploitation
id: 6d3f1399-a81c-4409-aff3-1ecfe9330baf
status: experimental
description: Detects Commandlet name for PrintNightmare exploitation.
date: 2021/08/09
references:
- https://github.com/calebstewart/CVE-2021-1675
author: Max Altgelt, Tobias Michalski
logsource:
product: windows
service: powershell
definition: It is recommended to use the new "Script Block Logging" of PowerShell v5.
detection:
selection:
EventID: 4104
ScriptBlockText:
- Invoke-Nightmare
condition: selection
falsepositives:
- Unknown
level: high
Reference in New Issue View Git Blame Copy Permalink