6f05e33feb
Correct a number of rules where message or keyword were incorrectly used as field names in events (typically Windows event logs). However, neither field actually exists and as such these strings could never match.
38 lines
1.4 KiB
YAML
title: Suspicious PowerShell Keywords
id: 1f49f2ab-26bc-48b3-96cc-dcffbc93eadf
status: experimental
description: Detects keywords that could indicate the use of some PowerShell exploitation framework
date: 2019/02/11
modified: 2021/06/10
author: Florian Roth, Perez Diego (@darkquassar)
references:
    - https://posts.specterops.io/entering-a-covenant-net-command-and-control-e11038bcf462
    - https://github.com/PowerShellMafia/PowerSploit/blob/master/CodeExecution/Invoke-ReflectivePEInjection.ps1
    - https://github.com/hlldz/Invoke-Phant0m/blob/master/Invoke-Phant0m.ps1
    - https://gist.github.com/MHaggis/0dbe00ad401daa7137c81c99c268cfb7
tags:
    - attack.execution
    - attack.t1059.001
    - attack.t1086 #an old one
logsource:
    product: windows
    service: powershell
    definition: 'It is recommended to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277. Monitor for EventID 4104'
detection:
    keywords:
        - "System.Reflection.Assembly.Load"
        - "[System.Reflection.Assembly]::Load"
        - "[Reflection.Assembly]::Load"
        - "System.Reflection.AssemblyName"
        - "Reflection.Emit.AssemblyBuilderAccess"
        - "Runtime.InteropServices.DllImportAttribute"
        - "SuspendThread"
        - "rundll32"
        - "FromBase64"
        - "Invoke-WMIMethod"
        - "http://127.0.0.1"
    condition: keywords
falsepositives:
    - Penetration tests
level: high
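The point of this commit, shown in code: an added example (not part of the Sigma repository or of this commit) that runs the rule's keyword list over constructed EventID 4104 script block events, contrasting the broken form (`message:`/`keyword:` treated as a field, which is absent from the event) with the corrected bare `keywords:` list. Keyword matching is approximated as case-insensitive substring search across all field values; the event field names and contents are assumptions, not real logs.

```python
from typing import Iterable, List, Optional

# Keyword list copied from the rule's detection.keywords section.
RULE_KEYWORDS = [
    "System.Reflection.Assembly.Load",
    "[System.Reflection.Assembly]::Load",
    "[Reflection.Assembly]::Load",
    "System.Reflection.AssemblyName",
    "Reflection.Emit.AssemblyBuilderAccess",
    "Runtime.InteropServices.DllImportAttribute",
    "SuspendThread",
    "rundll32",
    "FromBase64",
    "Invoke-WMIMethod",
    "http://127.0.0.1",
]

# Constructed sample events (assumed field names for 4104: EventID,
# ScriptBlockText, Path). Note there is no "message" or "keyword" field.
SAMPLE_EVENTS = [
    {"EventID": 4104, "ScriptBlockText": "Get-ChildItem C:\\Users", "Path": ""},
    {"EventID": 4104, "ScriptBlockText": "$b=[Reflection.Assembly]::Load($bytes)", "Path": ""},
    {"EventID": 4104, "ScriptBlockText": "Invoke-WMIMethod -Class Win32_Process", "Path": "C:\\t.ps1"},
]


def match_field(event: dict, field: str, values: Iterable[str]) -> bool:
    """Broken form: looks up `field` (e.g. "message") in the event. The field
    does not exist, so this never fires, which is the bug the commit removes."""
    text = event.get(field)
    return text is not None and any(v.lower() in str(text).lower() for v in values)


def match_keywords(event: dict, values: Iterable[str]) -> bool:
    """Corrected form: a bare keywords list is searched across every field."""
    haystack = " ".join(str(v) for v in event.values()).lower()
    return any(v.lower() in haystack for v in values)


def evaluate(events: List[dict], use_field: Optional[str] = None) -> List[int]:
    """Return indices of events that fire. use_field=None is the fixed rule;
    use_field="message" or "keyword" reproduces the old, never-matching rule."""
    hits = []
    for i, ev in enumerate(events):
        if use_field:
            fired = match_field(ev, use_field, RULE_KEYWORDS)
        else:
            fired = match_keywords(ev, RULE_KEYWORDS)
        if fired:
            hits.append(i)
    return hits
```

Running `evaluate(SAMPLE_EVENTS)` flags the reflective-load and Invoke-WMIMethod events, while `evaluate(SAMPLE_EVENTS, "message")` returns nothing regardless of content.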