security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
e098fc73cb2fb18c723fd9727e116e9dc9bcb22e
blue-team-tools/rules/windows/powershell/powershell_powerview_malicious_commandlets.yml
T
Florian Roth e7144b34ee fix: bug in syntax
2021-07-03 13:19:56 +02:00

150 lines
4.3 KiB
YAML
Raw Blame History

title: Malicious PowerView PowerShell Commandlets
id: dcd74b95-3f36-4ed9-9598-0490951643aa
status: experimental
description: Detects Commandlet names from PowerView of PowerSploit exploitation framework.
date: 2021/05/18
modified: 2021/07/02
references:
- https://powersploit.readthedocs.io/en/stable/Recon/README
- https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon
- https://thedfirreport.com/2020/10/08/ryuks-return
- https://adsecurity.org/?p=2277
tags:
- attack.execution
- attack.t1059.001
author: Bhabesh Raj
logsource:
product: windows
service: powershell
definition: It is recommended to use the new "Script Block Logging" of PowerShell v5.
detection:
selection:
EventID: 4104
ScriptBlockText:
- Export-PowerViewCSV
- Get-IPAddress
- Resolve-IPAddress
- Convert-NameToSid
- ConvertTo-SID
- Convert-ADName
- ConvertFrom-UACValue
- Add-RemoteConnection
- Remove-RemoteConnection
- Invoke-UserImpersonation
- Invoke-RevertToSelf
- Request-SPNTicket
- Get-DomainSPNTicket
- Invoke-Kerberoast
- Get-PathAcl
- Get-DNSZone
- Get-DomainDNSZone
- Get-DNSRecord
- Get-DomainDNSRecord
- Get-NetDomain
- Get-Domain
- Get-NetDomainController
- Get-DomainController
- Get-NetForest
- Get-Forest
- Get-NetForestDomain
- Get-ForestDomain
- Get-NetForestCatalog
- Get-ForestGlobalCatalog
- Find-DomainObjectPropertyOutlier
- Get-NetUser
- Get-DomainUser
- New-DomainUser
- Set-DomainUserPassword
- Get-UserEvent
- Get-DomainUserEvent
- Get-NetComputer
- Get-DomainComputer
- Get-ADObject
- Get-DomainObject
- Set-ADObject
- Set-DomainObject
- Get-ObjectAcl
- Get-DomainObjectAcl
- Add-ObjectAcl
- Add-DomainObjectAcl
- Invoke-ACLScanner
- Find-InterestingDomainAcl
- Get-NetOU
- Get-DomainOU
- Get-NetSite
- Get-DomainSite
- Get-NetSubnet
- Get-DomainSubnet
- Get-DomainSID
- Get-NetGroup
- Get-DomainGroup
- New-DomainGroup
- Find-ManagedSecurityGroups
- Get-DomainManagedSecurityGroup
- Get-NetGroupMember
- Get-DomainGroupMember
- Add-DomainGroupMember
- Get-NetFileServer
- Get-DomainFileServer
- Get-DFSshare
- Get-DomainDFSShare
- Get-NetGPO
- Get-DomainGPO
- Get-NetGPOGroup
- Get-DomainGPOLocalGroup
- Find-GPOLocation
- Get-DomainGPOUserLocalGroupMapping
- Find-GPOComputerAdmin
- Get-DomainGPOComputerLocalGroupMapping
- Get-DomainPolicy
- Get-NetLocalGroup
- Get-NetLocalGroupMember
- Get-NetShare
- Get-NetLoggedon
- Get-NetSession
- Get-LoggedOnLocal
- Get-RegLoggedOn
- Get-NetRDPSession
- Invoke-CheckLocalAdminAccess
- Test-AdminAccess
- Get-SiteName
- Get-NetComputerSiteName
- Get-Proxy
- Get-WMIRegProxy
- Get-LastLoggedOn
- Get-WMIRegLastLoggedOn
- Get-CachedRDPConnection
- Get-WMIRegCachedRDPConnection
- Get-RegistryMountedDrive
- Get-WMIRegMountedDrive
- Get-NetProcess
- Get-WMIProcess
- Find-InterestingFile
- Invoke-UserHunter
- Find-DomainUserLocation
- Invoke-ProcessHunter
- Find-DomainProcess
- Invoke-EventHunter
- Find-DomainUserEvent
- Invoke-ShareFinder
- Find-DomainShare
- Invoke-FileFinder
- Find-InterestingDomainShareFile
- Find-LocalAdminAccess
- Invoke-EnumerateLocalAdmin
- Find-DomainLocalGroupMember
- Get-NetDomainTrust
- Get-DomainTrust
- Get-NetForestTrust
- Get-ForestTrust
- Find-ForeignUser
- Get-DomainForeignUser
- Find-ForeignGroup
- Get-DomainForeignGroupMember
- Invoke-MapDomainTrust
- Get-DomainTrustMapping
condition: selection
falsepositives:
- Should not be any as administrators do not use this tool
level: high
Reference in New Issue View Git Blame Copy Permalink