Mika Ayenson
48 lines
1.3 KiB
Python
48 lines
1.3 KiB
Python
# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
|
|
# or more contributor license agreements. Licensed under the Elastic License
|
|
# 2.0; you may not use this file except in compliance with the Elastic License
|
|
# 2.0.
|
|
|
|
# Name: Powershell with Suspicious Arguments
|
|
# RTA: powershell_args.py
|
|
# ATT&CK: T1140
|
|
# Description: Calls PowerShell with suspicious command line arguments.
|
|
|
|
import base64
|
|
import os
|
|
|
|
from . import common
|
|
from . import RtaMetadata
|
|
|
|
|
|
metadata = RtaMetadata(uuid="5efc844c-0c11-4f84-a904-ada611315298", platforms=["windows"], endpoint=[], siem=[], techniques=[])
|
|
|
|
|
|
def encode(command):
|
|
return base64.b64encode(command.encode("utf-16le"))
|
|
|
|
|
|
@common.requires_os(metadata.platforms)
|
|
def main():
|
|
common.log("PowerShell Suspicious Commands")
|
|
temp_script = os.path.abspath("tmp.ps1")
|
|
|
|
# Create an empty script
|
|
with open(temp_script, "w") as f:
|
|
f.write("whoami.exe\nexit\n")
|
|
|
|
powershell_commands = [
|
|
["powershell.exe", "-ExecutionPol", "Bypass", temp_script],
|
|
["powershell.exe", "iex", "Get-Process"],
|
|
["powershell.exe", "-ec", encode("Get-Process" + " " * 1000)],
|
|
]
|
|
|
|
for command in powershell_commands:
|
|
common.execute(command)
|
|
|
|
common.remove_file(temp_script)
|
|
|
|
|
|
if __name__ == "__main__":
|
|
exit(main())
|