eric-forte-elastic
52 lines
1.3 KiB
Python
52 lines
1.3 KiB
Python
# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
|
|
# or more contributor license agreements. Licensed under the Elastic License
|
|
# 2.0; you may not use this file except in compliance with the Elastic License
|
|
# 2.0.
|
|
|
|
# Name: Powershell with Suspicious Arguments
|
|
# RTA: powershell_args.py
|
|
# ATT&CK: T1140
|
|
# Description: Calls PowerShell with suspicious command line arguments.
|
|
|
|
import base64
|
|
from pathlib import Path
|
|
|
|
from . import RtaMetadata, common
|
|
|
|
metadata = RtaMetadata(
|
|
uuid="5efc844c-0c11-4f84-a904-ada611315298",
|
|
platforms=["windows"],
|
|
endpoint=[],
|
|
siem=[],
|
|
techniques=[]
|
|
)
|
|
|
|
|
|
def encode(command):
|
|
return base64.b64encode(command.encode("utf-16le"))
|
|
|
|
|
|
@common.requires_os(*metadata.platforms)
|
|
def main():
|
|
common.log("PowerShell Suspicious Commands")
|
|
temp_script = Path("tmp.ps1").resolve()
|
|
|
|
# Create an empty script
|
|
with open(temp_script, "w") as f:
|
|
f.write("whoami.exe\nexit\n")
|
|
|
|
powershell_commands = [
|
|
["powershell.exe", "-ExecutionPol", "Bypass", temp_script],
|
|
["powershell.exe", "iex", "Get-Process"],
|
|
["powershell.exe", "-ec", encode("Get-Process" + " " * 1000)],
|
|
]
|
|
|
|
for command in powershell_commands:
|
|
common.execute(command)
|
|
|
|
common.remove_file(temp_script)
|
|
|
|
|
|
if __name__ == "__main__":
|
|
exit(main())
|