security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
faad0209dec4d91c74d3f51f26a09f87900a9032
blue-team-tools/rules/windows/powershell/powershell_script/posh_ps_invoke_nightmare.yml
T
Nasreddine Bencherchali 6aad923023 Fix typo and Update Rule 
- Fixed typo in PowerShell definition to "enabled"
- Removed leading space from "/af" flag in "msdt" rule as it can be used without leading space.
2022-06-01 15:54:40 +01:00

24 lines
616 B
YAML
Raw Blame History

title: PrintNightmare Powershell Exploitation
id: 6d3f1399-a81c-4409-aff3-1ecfe9330baf
status: test
description: Detects Commandlet name for PrintNightmare exploitation.
date: 2021/08/09
modified: 2021/10/16
references:
- https://github.com/calebstewart/CVE-2021-1675
author: Max Altgelt, Tobias Michalski
logsource:
product: windows
category: ps_script
definition: Script Block Logging must be enabled
detection:
selection:
ScriptBlockText|contains: Invoke-Nightmare
condition: selection
falsepositives:
- Unknown
level: high
tags:
- attack.privilege_escalation
- attack.t1548
Reference in New Issue View Git Blame Copy Permalink