security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
c855a38f986999947ac2cc75e02c0a2ae5c8c22c
blue-team-tools/rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml
T

123 lines
4.2 KiB
YAML
Raw Blame History

title: Malicious PowerShell Commandlets
id: 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
status: experimental
description: Detects Commandlet names from well-known PowerShell exploitation frameworks
references:
- https://adsecurity.org/?p=2921
tags:
- attack.execution
- attack.t1059.001
author: Sean Metcalf (source), Florian Roth (rule), Bartlomiej Czyz @bczyz1 (update), oscd.community (update)
date: 2017/03/05
modified: 2021/11/29
logsource:
product: windows
category: ps_script
definition: Script Block Logging must be enable
detection:
select_Malicious:
ScriptBlockText|contains:
- 'Invoke-DllInjection'
- 'Invoke-Shellcode'
- 'Invoke-WmiCommand'
- 'Get-GPPPassword'
- 'Get-Keystrokes'
- 'Get-TimedScreenshot'
- 'Get-VaultCredential'
- 'Invoke-CredentialInjection'
- 'Invoke-Mimikatz'
- 'Invoke-NinjaCopy'
- 'Invoke-TokenManipulation'
- 'Out-Minidump'
- 'VolumeShadowCopyTools'
- 'Invoke-ReflectivePEInjection'
- 'Invoke-UserHunter'
- 'Find-GPOLocation'
- 'Invoke-ACLScanner'
- 'Invoke-DowngradeAccount'
- 'Get-ServiceUnquoted'
- 'Get-ServiceFilePermission'
- 'Get-ServicePermission'
- 'Invoke-ServiceAbuse'
- 'Install-ServiceBinary'
- 'Get-RegAutoLogon'
- 'Get-VulnAutoRun'
- 'Get-VulnSchTask'
- 'Get-UnattendedInstallFile'
- 'Get-ApplicationHost'
- 'Get-RegAlwaysInstallElevated'
- 'Get-Unconstrained'
- 'Add-RegBackdoor'
- 'Add-ScrnSaveBackdoor'
- 'Gupt-Backdoor'
- 'Invoke-ADSBackdoor'
- 'Enabled-DuplicateToken'
- 'Invoke-PsUaCme'
- 'Remove-Update'
- 'Check-VM'
- 'Get-LSASecret'
- 'Get-PassHashes'
- 'Show-TargetScreen'
- 'Port-Scan'
- 'Invoke-PoshRatHttp'
- 'Invoke-PowerShellTCP'
- 'Invoke-PowerShellWMI'
- 'Add-Exfiltration'
- 'Add-Persistence'
- 'Do-Exfiltration'
- 'Start-CaptureServer'
- 'Get-ChromeDump'
- 'Get-ClipboardContents'
- 'Get-FoxDump'
- 'Get-IndexedItem'
- 'Get-Screenshot'
- 'Invoke-Inveigh'
- 'Invoke-NetRipper'
- 'Invoke-EgressCheck'
- 'Invoke-PostExfil'
- 'Invoke-PSInject'
- 'Invoke-RunAs'
- 'MailRaider'
- 'New-HoneyHash'
- 'Set-MacAttribute'
- 'Invoke-DCSync'
- 'Invoke-PowerDump'
- 'Exploit-Jboss'
- 'Invoke-ThunderStruck'
- 'Invoke-VoiceTroll'
- 'Set-Wallpaper'
- 'Invoke-InveighRelay'
- 'Invoke-PsExec'
- 'Invoke-SSHCommand'
- 'Get-SecurityPackages'
- 'Install-SSP'
- 'Invoke-BackdoorLNK'
- 'PowerBreach'
- 'Get-SiteListPassword'
- 'Get-System'
- 'Invoke-BypassUAC'
- 'Invoke-Tater'
- 'Invoke-WScriptBypassUAC'
- 'PowerUp'
- 'PowerView'
- 'Get-RickAstley'
- 'Find-Fruit'
- 'HTTP-Login'
- 'Find-TrustedDocuments'
- 'Invoke-Paranoia'
- 'Invoke-WinEnum'
- 'Invoke-ARPScan'
- 'Invoke-PortScan'
- 'Invoke-ReverseDNSLookup'
- 'Invoke-SMBScanner'
- 'Invoke-Mimikittenz'
- 'Invoke-AllChecks'
false_positives:
ScriptBlockText|contains:
- Get-SystemDriveInfo # http://bheltborg.dk/Windows/WinSxS/amd64_microsoft-windows-maintenancediagnostic_31bf3856ad364e35_10.0.10240.16384_none_91ef7543a4514b5e/CL_Utility.ps1
- C:\ProgramData\Amazon\EC2-Windows\Launch\Module\Scripts\Set-Wallpaper.ps1 # false positive form Amazon EC2
condition: select_Malicious and not false_positives
falsepositives:
- Unknown
level: high
Reference in New Issue View Git Blame Copy Permalink