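# Sigma rule: process-creation detection for SharpView (the C# port of PowerView).
# Structure restored to valid Sigma nesting: `selection` is a list of three
# alternative matchers (OR), any one of which triggers the rule via `condition`.
title: Suspicious Execution of SharpView Aka PowerView
id: b2317cfa-4a47-4ead-b3ff-297438c0bc2d
status: experimental
description: Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems
references:
    - https://github.com/tevora-threat/SharpView/
    - https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md#atomic-test-4---system-discovery-using-sharpview
author: frack113
date: 2021/12/10
modified: 2022/09/27
tags:
    - attack.discovery
    - attack.t1049
    - attack.t1069.002
    - attack.t1482
    - attack.t1135
    - attack.t1033
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        # Binary identity: PE original name survives a simple rename on disk.
        - OriginalFileName: SharpView.exe
        # Image path: catches the default filename only; single quotes keep the
        # backslash literal.
        - Image|endswith: '\SharpView.exe'
        # Method names passed on the command line: catches a renamed / recompiled
        # binary, since SharpView takes the PowerView function name as its first
        # argument. Sigma `contains` matches are case-insensitive by default
        # (TODO confirm for the target backend). Only command lines are seen here;
        # PowerView functions called inside an already-running PowerShell session
        # do not produce a process-creation event, so pair this rule with
        # PowerShell script block logging for that case. Entries commented out
        # below are kept for reference; presumably excluded as too generic —
        # confirm against rule history before re-enabling.
        - CommandLine|contains:
            - Get-DomainGPOUserLocalGroupMapping
            - Find-GPOLocation
            - Get-DomainGPOComputerLocalGroupMapping
            - Find-GPOComputerAdmin
            - Get-DomainObjectAcl
            # - Get-ObjectAcl
            - Add-DomainObjectAcl
            - Add-ObjectAcl
            - Remove-DomainObjectAcl
            - Get-RegLoggedOn
            - Get-LoggedOnLocal
            - Get-NetRDPSession
            - Test-AdminAccess
            - Invoke-CheckLocalAdminAccess
            - Get-WMIProcess
            - Get-NetProcess
            - Get-WMIRegProxy
            # - Get-Proxy
            - Get-WMIRegLastLoggedOn
            - Get-LastLoggedOn
            - Get-WMIRegCachedRDPConnection
            - Get-CachedRDPConnection
            - Get-WMIRegMountedDrive
            - Get-RegistryMountedDrive
            - Find-InterestingDomainAcl
            - Invoke-ACLScanner
            - Get-NetShare
            - Get-NetLoggedon
            - Get-NetLocalGroup
            - Get-NetLocalGroupMember
            - Get-NetSession
            - Get-PathAcl
            - ConvertFrom-UACValue
            - Get-PrincipalContext
            - New-DomainGroup
            - New-DomainUser
            - Add-DomainGroupMember
            - Set-DomainUserPassword
            - Invoke-Kerberoast
            - Export-PowerViewCSV
            - Find-LocalAdminAccess
            - Find-DomainLocalGroupMember
            - Find-DomainShare
            - Find-DomainUserEvent
            - Find-DomainProcess
            - Find-DomainUserLocation
            - Find-InterestingFile
            - Find-InterestingDomainShareFile
            - Find-DomainObjectPropertyOutlier
            # - TestMethod
            # - Get-Domain
            - Get-NetDomain
            - Get-DomainComputer
            - Get-NetComputer
            - Get-DomainController
            - Get-NetDomainController
            - Get-DomainFileServer
            - Get-NetFileServer
            - Convert-ADName
            - Get-DomainObject
            # NOTE(review): Get-ADObject is also a cmdlet of the Microsoft
            # ActiveDirectory PowerShell module, so legitimate admin scripts that
            # pass it on a command line will match; consider recording this under
            # falsepositives.
            - Get-ADObject
            - Get-DomainUser
            - Get-NetUser
            - Get-DomainGroup
            # - Get-NetGroup
            - Get-DomainDFSShare
            - Get-DFSshare
            - Get-DomainDNSRecord
            # - Get-DNSRecord
            # - Get-DomainDNSZone
            # - Get-DNSZone
            - Get-DomainForeignGroupMember
            - Find-ForeignGroup
            - Get-DomainForeignUser
            - Find-ForeignUser
            - ConvertFrom-SID
            - Convert-SidToName
            - Get-DomainGroupMember
            - Get-NetGroupMember
            - Get-DomainManagedSecurityGroup
            - Find-ManagedSecurityGroups
            - Get-DomainOU
            - Get-NetOU
            - Get-DomainSID
            # - Get-Forest
            - Get-NetForest
            - Get-ForestTrust
            - Get-NetForestTrust
            - Get-DomainTrust
            - Get-NetDomainTrust
            - Get-ForestDomain
            - Get-NetForestDomain
            - Get-DomainSite
            - Get-NetSite
            - Get-DomainSubnet
            - Get-NetSubnet
            - Get-DomainTrustMapping
            - Invoke-MapDomainTrust
            - Get-ForestGlobalCatalog
            - Get-NetForestCatalog
            - Get-DomainUserEvent
            # - Get-UserEvent
            - Get-DomainGUIDMap
            # - Get-GUIDMap
            - Resolve-IPAddress
            # - Get-IPAddress
            - ConvertTo-SID
            - Invoke-UserImpersonation
            # - Invoke-RevertToSelf
            - Get-DomainSPNTicket
            - Request-SPNTicket
            - Get-NetComputerSiteName
            # - Get-SiteName
            - Get-DomainGPO
            - Get-NetGPO
            - Set-DomainObject
            # - Set-ADObject
            - Add-RemoteConnection
            - Remove-RemoteConnection
            # - Get-IniContent
            - Get-GptTmpl
            - Get-GroupsXML
            - Get-DomainPolicyData
            - Get-DomainPolicy
            - Get-DomainGPOLocalGroup
            - Get-NetGPOGroup
            - Invoke-Sharefinder
    condition: selection
# "Unknown" is the author's entry; see the Get-ADObject note above for one
# known legitimate source of matches.
falsepositives:
    - Unknown
level: high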