Nasreddine Bencherchali
198 lines
6.8 KiB
YAML
198 lines
6.8 KiB
YAML
title: Malicious PowerShell Commandlets
|
|
id: 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
|
|
status: experimental
|
|
description: Detects Commandlet names from well-known PowerShell exploitation frameworks
|
|
references:
|
|
- https://adsecurity.org/?p=2921
|
|
- https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries
|
|
tags:
|
|
- attack.execution
|
|
- attack.t1059.001
|
|
author: Sean Metcalf (source), Florian Roth (rule), Bartlomiej Czyz @bczyz1 (update), oscd.community (update), Nasreddine Bencherchali (update)
|
|
date: 2017/03/05
|
|
modified: 2022/05/20
|
|
logsource:
|
|
product: windows
|
|
category: ps_script
|
|
definition: Script Block Logging must be enable
|
|
detection:
|
|
select_Malicious:
|
|
ScriptBlockText|contains:
|
|
- 'Invoke-DllInjection'
|
|
- 'Invoke-Shellcode'
|
|
- 'Invoke-WmiCommand'
|
|
- 'Get-GPPPassword'
|
|
- 'Get-Keystrokes'
|
|
- 'Get-TimedScreenshot'
|
|
- 'Get-VaultCredential'
|
|
- 'Invoke-CredentialInjection'
|
|
- 'Invoke-Mimikatz'
|
|
- 'Invoke-NinjaCopy'
|
|
- 'Invoke-TokenManipulation'
|
|
- 'Out-Minidump'
|
|
- 'VolumeShadowCopyTools'
|
|
- 'Invoke-ReflectivePEInjection'
|
|
- 'Invoke-UserHunter'
|
|
- 'Find-GPOLocation'
|
|
- 'Invoke-ACLScanner'
|
|
- 'Invoke-DowngradeAccount'
|
|
- 'Get-ServiceUnquoted'
|
|
- 'Get-ServiceFilePermission'
|
|
- 'Get-ServicePermission'
|
|
- 'Invoke-ServiceAbuse'
|
|
- 'Install-ServiceBinary'
|
|
- 'Get-RegAutoLogon'
|
|
- 'Get-VulnAutoRun'
|
|
- 'Get-VulnSchTask'
|
|
- 'Get-UnattendedInstallFile'
|
|
- 'Get-ApplicationHost'
|
|
- 'Get-RegAlwaysInstallElevated'
|
|
- 'Get-Unconstrained'
|
|
- 'Add-RegBackdoor'
|
|
- 'Add-ScrnSaveBackdoor'
|
|
- 'Gupt-Backdoor'
|
|
- 'Invoke-ADSBackdoor'
|
|
- 'Enabled-DuplicateToken'
|
|
- 'Invoke-PsUaCme'
|
|
- 'Remove-Update'
|
|
- 'Check-VM'
|
|
- 'Get-LSASecret'
|
|
- 'Get-PassHashes'
|
|
- 'Show-TargetScreen'
|
|
- 'Port-Scan'
|
|
- 'Invoke-PoshRatHttp'
|
|
- 'Invoke-PowerShellTCP'
|
|
- 'Invoke-PowerShellWMI'
|
|
- 'Add-Exfiltration'
|
|
- 'Add-Persistence'
|
|
- 'Do-Exfiltration'
|
|
- 'Start-CaptureServer'
|
|
- 'Get-ChromeDump'
|
|
- 'Get-ClipboardContents'
|
|
- 'Get-FoxDump'
|
|
- 'Get-IndexedItem'
|
|
- 'Get-Screenshot'
|
|
- 'Invoke-Inveigh'
|
|
- 'Invoke-NetRipper'
|
|
- 'Invoke-EgressCheck'
|
|
- 'Invoke-PostExfil'
|
|
- 'Invoke-PSInject'
|
|
- 'Invoke-RunAs'
|
|
- 'MailRaider'
|
|
- 'New-HoneyHash'
|
|
- 'Set-MacAttribute'
|
|
- 'Invoke-DCSync'
|
|
- 'Invoke-PowerDump'
|
|
- 'Exploit-Jboss'
|
|
- 'Invoke-ThunderStruck'
|
|
- 'Invoke-VoiceTroll'
|
|
- 'Set-Wallpaper'
|
|
- 'Invoke-InveighRelay'
|
|
- 'Invoke-PsExec'
|
|
- 'Invoke-SSHCommand'
|
|
- 'Get-SecurityPackages'
|
|
- 'Install-SSP'
|
|
- 'Invoke-BackdoorLNK'
|
|
- 'PowerBreach'
|
|
- 'Get-SiteListPassword'
|
|
- 'Get-System'
|
|
- 'Invoke-BypassUAC'
|
|
- 'Invoke-Tater'
|
|
- 'Invoke-WScriptBypassUAC'
|
|
- 'PowerUp'
|
|
- 'PowerView'
|
|
- 'Get-RickAstley'
|
|
- 'Find-Fruit'
|
|
- 'HTTP-Login'
|
|
- 'Find-TrustedDocuments'
|
|
- 'Invoke-Paranoia'
|
|
- 'Invoke-WinEnum'
|
|
- 'Invoke-ARPScan'
|
|
- 'Invoke-PortScan'
|
|
- 'Invoke-ReverseDNSLookup'
|
|
- 'Invoke-SMBScanner'
|
|
- 'Invoke-Mimikittenz'
|
|
- 'Invoke-AllChecks'
|
|
- 'Invoke-BadPotato'
|
|
- 'Invoke-BetterSafetyKatz'
|
|
- 'Invoke-Carbuncle'
|
|
- 'Invoke-Certify'
|
|
- 'Invoke-DAFT'
|
|
- 'Invoke-DinvokeKatz'
|
|
- 'Invoke-Eyewitness'
|
|
- 'Invoke-FakeLogonScreen'
|
|
- 'Invoke-Farmer'
|
|
- 'Invoke-Get-RBCD-Threaded'
|
|
- 'Invoke-Gopher'
|
|
- 'Invoke-Grouper2'
|
|
- 'Invoke-HandleKatz'
|
|
- 'Invoke-Internalmonologue'
|
|
- 'Invoke-KrbRelayUp'
|
|
- 'Invoke-LdapSignCheck'
|
|
- 'Invoke-Lockless'
|
|
- 'Invoke-MITM6'
|
|
- 'Invoke-NanoDump'
|
|
- 'Invoke-OxidResolver'
|
|
- 'Invoke-P0wnedshell'
|
|
- 'Invoke-PPLDump'
|
|
- 'Invoke-Rubeus'
|
|
- 'Invoke-SCShell'
|
|
- 'Invoke-SafetyKatz'
|
|
- 'Invoke-SauronEye'
|
|
- 'Invoke-Seatbelt'
|
|
- 'Invoke-SharPersist'
|
|
- 'Invoke-SharpAllowedToAct'
|
|
- 'Invoke-SharpBlock'
|
|
- 'Invoke-SharpBypassUAC'
|
|
- 'Invoke-SharpChromium'
|
|
- 'Invoke-SharpClipboard'
|
|
- 'Invoke-SharpCloud'
|
|
- 'Invoke-SharpDPAPI'
|
|
- 'Invoke-SharpDump'
|
|
- 'Invoke-SharpGPO-RemoteAccessPolicies'
|
|
- 'Invoke-SharpGPOAbuse'
|
|
- 'Invoke-SharpHandler'
|
|
- 'Invoke-SharpHide'
|
|
- 'Invoke-SharpHound4'
|
|
- 'Invoke-SharpImpersonation'
|
|
- 'Invoke-SharpImpersonationNoSpace'
|
|
- 'Invoke-SharpKatz'
|
|
- 'Invoke-SharpLdapRelayScan'
|
|
- 'Invoke-SharpLoginPrompt'
|
|
- 'Invoke-SharpMove'
|
|
- 'Invoke-SharpPrintNightmare'
|
|
- 'Invoke-SharpPrinter'
|
|
- 'Invoke-SharpRDP'
|
|
- 'Invoke-SharpSSDP'
|
|
- 'Invoke-SharpSecDump'
|
|
- 'Invoke-SharpSniper'
|
|
- 'Invoke-SharpSploit'
|
|
- 'Invoke-SharpSpray'
|
|
- 'Invoke-SharpStay'
|
|
- 'Invoke-SharpUp'
|
|
- 'Invoke-SharpWatson'
|
|
- 'Invoke-Sharphound2'
|
|
- 'Invoke-Sharphound3'
|
|
- 'Invoke-Sharplocker'
|
|
- 'Invoke-Sharpshares'
|
|
- 'Invoke-Sharpview'
|
|
- 'Invoke-Sharpweb'
|
|
- 'Invoke-Snaffler'
|
|
- 'Invoke-Spoolsample'
|
|
- 'Invoke-StandIn'
|
|
- 'Invoke-StickyNotesExtract'
|
|
- 'Invoke-Thunderfox'
|
|
- 'Invoke-Tokenvator'
|
|
- 'Invoke-UrbanBishop'
|
|
- 'Invoke-Whisker'
|
|
- 'Invoke-WireTap'
|
|
- 'Invoke-winPEAS'
|
|
false_positives:
|
|
ScriptBlockText|contains:
|
|
- Get-SystemDriveInfo # http://bheltborg.dk/Windows/WinSxS/amd64_microsoft-windows-maintenancediagnostic_31bf3856ad364e35_10.0.10240.16384_none_91ef7543a4514b5e/CL_Utility.ps1
|
|
- C:\ProgramData\Amazon\EC2-Windows\Launch\Module\Scripts\Set-Wallpaper.ps1 # false positive form Amazon EC2
|
|
condition: select_Malicious and not false_positives
|
|
falsepositives:
|
|
- Unknown
|
|
level: high
|