Rules Contributing to Suspicious PowerShell Script Alert Type
The following rules are used to identify suspicious activity relating to PowerShell scripts. Any one or more of these will trigger the PowerShell Script Alert. Details for each rule can be viewed by clicking the More Details link in the description.
|
Title |
Description |
||||||||
|---|---|---|---|---|---|---|---|---|---|
|
PowerShell Mailbox Collection Script |
Detects PowerShell scripts that can be used to collect data from mailboxes. Adversaries may target user email to collect sensitive information. More details
Rule IDQuery{'selection1': {'ScriptBlockText|contains': ['Microsoft.Office.Interop.Outlook', 'Interop.Outlook.olDefaultFolders', '::olFolderInBox', 'Microsoft.Exchange.WebServices.Data.Folder', 'Microsoft.Exchange.WebServices.Data.FileAttachment']}, 'condition': 'selection1'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceDeveloped internally by Stellar Cyber Tactics, Techniques, and ProceduresTA0002, TA0009, T1059, T1059.001, T1114 References
N/A
Additional Information
|
||||||||
|
Live Memory Dump Using Powershell |
Detects usage of a PowerShell command to dump the live memory of a Windows machine More details
Rule IDQuery{'selection': {'ScriptBlockText|contains|all': ['Get-StorageDiagnosticInfo', '-IncludeLiveDump']}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,cd185561-4760-45d6-a63e-a51325112cae Author: Max Altgelt (Nextron Systems) Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
|
Invoke-Obfuscation CLIP+ Launcher - PowerShell |
Detects Obfuscated use of Clip.exe to execute PowerShell More details
Rule IDQuery{'selection_4104': {'ScriptBlockText|re': '.*cmd.{0,5}(?:/c|/r).+clip(?:\\.exe)?.{0,4}&&.+clipboard]::\\(\\s\\\\"\\{\\d\\}.+-f.+"'}, 'condition': 'selection_4104'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,73e67340-0d25-11eb-adc1-0242ac120002 Author: Jonathan Cheong, oscd.community Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
|
Suspicious Service DACL Modification Via Set-Service Cmdlet - PS |
Detects usage of the "Set-Service" powershell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as "sc.exe", "Get-Service"...etc. (Works only in powershell 7) More details
Rule IDQuery{'selection_sddl_flag': {'ScriptBlockText|contains': ['-SecurityDescriptorSddl ', '-sd ']}, 'selection_set_service': {'ScriptBlockText|contains|all': ['Set-Service ', 'D;;'], 'ScriptBlockText|contains': [';;;IU', ';;;SU', ';;;BA', ';;;SY', ';;;WD']}, 'condition': 'all of selection_*'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,22d80745-6f2c-46da-826b-77adaededd74 Author: Nasreddine Bencherchali (Nextron Systems) Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
|
Potential Invoke-Mimikatz PowerShell Script |
Detects Invoke-Mimikatz PowerShell script and alike. Mimikatz is a credential dumper capable of obtaining plaintext Windows account logins and passwords. More details
Rule IDQuery{'selection_1': {'ScriptBlockText|contains|all': ['DumpCreds', 'DumpCerts']}, 'selection_2': {'ScriptBlockText|contains': 'sekurlsa::logonpasswords'}, 'selection_3': {'ScriptBlockText|contains|all': ['crypto::certificates', 'CERT_SYSTEM_STORE_LOCAL_MACHINE']}, 'condition': '1 of selection*'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,189e3b02-82b2-4b90-9662-411eb64486d4 Author: Tim Rauch Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
|
Disable-WindowsOptionalFeature Command PowerShell |
Detect built in PowerShell cmdlet Disable-WindowsOptionalFeature, Deployment Image Servicing and Management tool. Similar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images More details
Rule IDQuery{'selection_cmd': {'ScriptBlockText|contains|all': ['Disable-WindowsOptionalFeature', '-Online', '-FeatureName']}, 'selection_feature': {'ScriptBlockText|contains': ['Windows-Defender-Gui', 'Windows-Defender-Features', 'Windows-Defender', 'Windows-Defender-ApplicationGuard']}, 'condition': 'all of selection*'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,99c4658d-2c5e-4d87-828d-7c066ca537c3 Author: frack113 Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
|
Powershell DNSExfiltration |
DNSExfiltrator allows for transferring (exfiltrate) a file over a DNS request covert channel More details
Rule IDQuery{'selection_cmdlet': [{'ScriptBlockText|contains': 'Invoke-DNSExfiltrator'}, {'ScriptBlockText|contains|all': [' -i ', ' -d ', ' -p ', ' -doh ', ' -t ']}], 'condition': 'selection_cmdlet'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,d59d7842-9a21-4bc6-ba98-64bfe0091355 Author: frack113 Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
|
Powershell Empire agent CnC activity |
A Powershell Empire framework agent is running on the machine, and it's trying to access the CnC server. More details
Rule IDQuery{'selection1': {'ScriptBlockText|contains': 'IF($PSVERSIonTAblE.PSVERsIOn.MajOr -ge 3){'}, 'selection2': {'ScriptBlockText|contains': '[Ref].ASsEmbLY.GeTTYpe('}, 'selection3': {'ScriptBlockText|contains': 'System.Management.Automation.AmsiUtils'}, 'condition': 'selection1 and selection2 and selection3'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceDeveloped internally by Stellar Cyber Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
|
Powershell Directory Enumeration |
Detects technique used by MAZE ransomware to enumerate directories using Powershell More details
Rule IDQuery{'selection': {'ScriptBlockText|contains|all': ['foreach', 'Get-ChildItem', '-Path ', '-ErrorAction ', 'SilentlyContinue', 'Out-File ', '-append']}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,162e69a7-7981-4344-84a9-0f1c9a217a52 Author: frack113 Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
|
Invoke-Obfuscation Via Use MSHTA - PowerShell |
Detects Obfuscated Powershell via use MSHTA in Scripts More details
Rule IDQuery{'selection_4104': {'ScriptBlockText|contains|all': ['set', '&&', 'mshta', 'vbscript:createobject', '.run', '(window.close)']}, 'condition': 'selection_4104'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,e55a5195-4724-480e-a77e-3ebe64bd3759 Author: Nikita Nazarov, oscd.community Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
|
Root Certificate Installed - PowerShell |
Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers. More details
Rule IDQuery{'selection1': {'ScriptBlockText|contains|all': ['Move-Item', 'Cert:\\LocalMachine\\Root']}, 'selection2': {'ScriptBlockText|contains|all': ['Import-Certificate', 'Cert:\\LocalMachine\\Root']}, 'condition': '1 of selection*'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,42821614-9264-4761-acfc-5772c3286f76 Author: oscd.community, @redcanary, Zach Stanford @svch0st Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
|
Clearing Windows Console History |
Identifies when a user attempts to clear console history. An adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion. More details
Rule IDQuery{'selection1': {'ScriptBlockText|contains': 'Clear-History'}, 'selection2a': {'ScriptBlockText|contains': ['Remove-Item', 'rm']}, 'selection2b': {'ScriptBlockText|contains': ['ConsoleHost_history.txt', '(Get-PSReadlineOption).HistorySavePath']}, 'condition': 'selection1 or selection2a and selection2b'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,bde47d4b-9987-405c-94c7-b080410e8ea7 Author: Austin Songer @austinsonger Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
|
Windows Firewall Profile Disabled |
Detects when a user disables the Windows Firewall via a Profile to help evade defense. More details
Rule IDQuery{'selection_args': {'ScriptBlockText|contains|all': ['Set-NetFirewallProfile ', ' -Enabled ', ' False']}, 'selection_opt': {'ScriptBlockText|contains': [' -All ', 'Public', 'Domain', 'Private']}, 'condition': 'all of selection*'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,488b44e7-3781-4a71-888d-c95abfacf44d Author: Austin Songer @austinsonger Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
|
Suspicious Portable Executable Encoded in Powershell Script |
Detects the presence of a portable executable (PE) in a PowerShell script by looking for its encoded header. Attackers embed PEs into PowerShell scripts to inject them into memory, avoiding defences by not writing to disk. More details
Rule IDQuery{'selection1': {'ScriptBlockText|contains': 'TVqQAAMAAAAEAAAA'}, 'selection2': {'UserId': 'S-1-5-18'}, 'condition': 'selection1 and (not selection2)'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceDeveloped internally by Stellar Cyber Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
|
Suspicious Get Information for SMB Share |
Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement. Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network. More details
Rule IDQuery{'selection': {'ScriptBlockText|contains': 'get-smbshare'}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,95f0643a-ed40-467c-806b-aac9542ec5ab Author: frack113 Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
|
PowerShell Suspicious Script with Screenshot Capabilities |
Detects PowerShell scripts that can take screenshots, which is a common feature in post-exploitation kits and remote access tools (RATs). More details
Rule IDQuery{'selection1': {'ScriptBlockText|contains': 'CopyFromScreen'}, 'selection2': {'ScriptBlockText|contains': 'System.Drawing.Bitmap'}, 'selection3': {'ScriptBlockText|contains': 'Drawing.Bitmap'}, 'selection4': {'UserId': 'S-1-5-18'}, 'condition': 'selection1 and (selection2 or selection3) and (not selection4)'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceDeveloped internally by Stellar Cyber Tactics, Techniques, and ProceduresTA0002, TA0009, T1059, T1059.001, T1113 References
N/A
Additional Information
|
||||||||
|
Registry-Free Process Scope COR_PROFILER |
Adversaries may leverage the COR_PROFILER environment variable to hijack the execution flow of programs that load the .NET CLR. The COR_PROFILER is a .NET Framework feature which allows developers to specify an unmanaged (or external of .NET) profiling DLL to be loaded into each .NET process that loads the Common Language Runtime (CLR). These profiliers are designed to monitor, troubleshoot, and debug managed code executed by the .NET CLR. (Citation: Microsoft Profiling Mar 2017) (Citation: Microsoft COR_PROFILER Feb 2013) More details
Rule IDQuery{'selection': {'ScriptBlockText|contains|all': ['$env:COR_ENABLE_PROFILING', '$env:COR_PROFILER', '$env:COR_PROFILER_PATH']}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,23590215-4702-4a70-8805-8dc9e58314a2 Author: frack113 Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
|
Invoke-Obfuscation RUNDLL LAUNCHER - PowerShell |
Detects Obfuscated Powershell via RUNDLL LAUNCHER More details
Rule IDQuery{'selection_4104': {'ScriptBlockText|contains|all': ['rundll32.exe', 'shell32.dll', 'shellexec_rundll', 'powershell']}, 'condition': 'selection_4104'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,e6cb92b4-b470-4eb8-8a9d-d63e8583aae0 Author: Timur Zinniatullin, oscd.community Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
|
Active Directory Computers Enumeration with Get-AdComputer |
Detects usage of the "Get-AdComputer" to enumerate Computers within Active Directory. More details
Rule IDQuery{'selection_cmdlet': {'ScriptBlockText|contains': 'Get-AdComputer '}, 'selection_option': {'ScriptBlockText|contains': ['-Filter ', '-LDAPFilter ', '-Properties ']}, 'condition': 'all of selection_*'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,36bed6b2-e9a0-4fff-beeb-413a92b86138 Author: frack113 Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
|
Execution via CL_Invocation.ps1 - Powershell |
Detects Execution via SyncInvoke in CL_Invocation.ps1 module More details
Rule IDQuery{'selection': {'ScriptBlockText|contains|all': ['CL_Invocation.ps1', 'SyncInvoke']}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,4cd29327-685a-460e-9dac-c3ab96e549dc Author: oscd.community, Natalia Shornikova Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
|
Suspicious TCP Tunnel Via PowerShell Script |
Detects powershell scripts that creates sockets/listeners which could be indicative of tunneling activity More details
Rule IDQuery{'selection': {'ScriptBlockText|contains|all': ['[System.Net.HttpWebRequest]', 'System.Net.Sockets.TcpListener', 'AcceptTcpClient']}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,bd33d2aa-497e-4651-9893-5c5364646595 Author: Nasreddine Bencherchali (Nextron Systems) Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
|
Powershell Store File In Alternate Data Stream |
Storing files in Alternate Data Stream (ADS) similar to Astaroth malware. More details
Rule IDQuery{'selection_compspec': {'ScriptBlockText|contains|all': ['Start-Process', '-FilePath "$env:comspec" ', '-ArgumentList ', '>']}, 'condition': 'selection_compspec'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,a699b30e-d010-46c8-bbd1-ee2e26765fe9 Author: frack113 Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
|
Potential PowerShell Obfuscation Using Character Join |
Detects specific techniques often seen used inside of PowerShell scripts to obfscuate Alias creation More details
Rule IDQuery{'selection': {'ScriptBlockText|contains|all': ['-Alias', ' -Value (-join(']}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,e8314f79-564d-4f79-bc13-fbc0bf2660d8 Author: Nasreddine Bencherchali (Nextron Systems) Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
|
Windows UAC Bypass |
A User Account Control Bypass activity was detected. This can be due to either regular operation or because an attacker is trying to escalate privileges. More details
Rule IDQuery{'selection1': {'ScriptBlockText|contains': 'Invoke-UACBypass'}, 'selection2': {'ScriptBlockText|contains': 'Invoke-EventVwrBypass'}, 'selection3': {'ScriptBlockText|contains': 'Invoke-SDCLTBypass'}, 'condition': 'selection1 or selection2 or selection3'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceDeveloped internally by Stellar Cyber Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
|
Suspicious IO.FileStream |
Open a handle on the drive volume via the \\.\ DOS device path specifier and perform direct access read of the first few bytes of the volume. More details
Rule IDQuery{'selection': {'ScriptBlockText|contains|all': ['New-Object', 'IO.FileStream', '\\\\.\\']}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,70ad982f-67c8-40e0-a955-b920c2fa05cb Author: frack113 Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
|
Invoke-Obfuscation VAR+ Launcher - PowerShell |
Detects Obfuscated use of Environment Variables to execute PowerShell More details
Rule IDQuery{'selection_4104': {'ScriptBlockText|re': '.*cmd.{0,5}(?:/c|/r)(?:\\s|)"set\\s[a-zA-Z]{3,6}.*(?:\\{\\d\\}){1,}\\\\"\\s+?-f(?:.*\\)){1,}.*"'}, 'condition': 'selection_4104'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,0adfbc14-0ed1-11eb-adc1-0242ac120002 Author: Jonathan Cheong, oscd.community Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
|
Powershell XML Execute Command |
Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. (Citation: TechNet PowerShell) Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code More details
Rule IDQuery{'selection_xml': {'ScriptBlockText|contains|all': ['New-Object', 'System.Xml.XmlDocument', '.Load']}, 'selection_exec': {'ScriptBlockText|contains': ['IEX ', 'Invoke-Expression ', 'Invoke-Command ', 'ICM -']}, 'condition': 'all of selection_*'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,6c6c6282-7671-4fe9-a0ce-a2dcebdc342b Author: frack113 Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
|
Dump Credentials from Windows Credential Manager With PowerShell |
Adversaries may search for common password storage locations to obtain user credentials. Passwords are stored in several places on a system, depending on the operating system or application holding the credentials. More details
Rule IDQuery{'selection_kiddie': {'ScriptBlockText|contains': ['Get-PasswordVaultCredentials', 'Get-CredManCreds']}, 'selection_rename_Password': {'ScriptBlockText|contains|all': ['New-Object', 'Windows.Security.Credentials.PasswordVault']}, 'selection_rename_credman': {'ScriptBlockText|contains|all': ['New-Object', 'Microsoft.CSharp.CSharpCodeProvider', '[System.Runtime.InteropServices.RuntimeEnvironment]::GetRuntimeDirectory())', 'Collections.ArrayList', 'System.CodeDom.Compiler.CompilerParameters']}, 'condition': '1 of selection_*'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,99c49d9c-34ea-45f7-84a7-4751ae6b2cbc Author: frack113 Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
|
Potential Suspicious Windows Feature Enabled |
Detects usage of the built-in PowerShell cmdlet "Enable-WindowsOptionalFeature" used as a Deployment Image Servicing and Management tool. Similar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images More details
Rule IDQuery{'selection_cmd': {'ScriptBlockText|contains|all': ['Enable-WindowsOptionalFeature', '-Online', '-FeatureName']}, 'selection_feature': {'ScriptBlockText|contains': ['TelnetServer', 'Internet-Explorer-Optional-amd64', 'TFTP', 'SMB1Protocol', 'Client-ProjFS', 'Microsoft-Windows-Subsystem-Linux']}, 'condition': 'all of selection*'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,55c925c1-7195-426b-a136-a9396800e29b Author: frack113 Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
|
Suspicious PowerShell Mailbox SMTP Forward Rule |
Detects usage of the powerShell Set-Mailbox Cmdlet to set-up an SMTP forwarding rule. More details
Rule IDQuery{'selection': {'ScriptBlockText|contains|all': ['Set-Mailbox ', ' -DeliverToMailboxAndForward ', ' -ForwardingSmtpAddress ']}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,15b7abbb-8b40-4d01-9ee2-b51994b1d474 Author: Nasreddine Bencherchali (Nextron Systems) Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
|
Powershell Add Name Resolution Policy Table Rule |
Detects powershell scripts that adds a Name Resolution Policy Table (NRPT) rule for the specified namespace. This will bypass the default DNS server and uses a specified server for answering the query. More details
Rule IDQuery{'selection': {'ScriptBlockText|contains|all': ['Add-DnsClientNrptRule', '-Namesp', '-NameSe']}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,4368354e-1797-463c-bc39-a309effbe8d7 Author: Borna Talebi Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
|
Security Software Discovery by Powershell |
Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-viru More details
Rule IDQuery{'selection_1': {'ScriptBlockText|contains|all': ['get-process', '.Description', '-like']}, 'selection_2': {'ScriptBlockText|contains': ['"*virus*"', '"*carbonblack*"', '"*defender*"', '"*cylance*"']}, 'condition': 'all of selection_*'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,904e8e61-8edf-4350-b59c-b905fc8e810c Author: frack113, Anish Bogati, Nasreddine Bencherchali (Nextron Systems) Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
|
Suspicious New-PSDrive to Admin Share |
Adversaries may use to interact with a remote network share using Server Message Block (SMB). The adversary may then perform actions as the logged-on user. More details
Rule IDQuery{'selection': {'ScriptBlockText|contains|all': ['New-PSDrive', '-psprovider ', 'filesystem', '-root ', '\\\\', '$']}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,1c563233-030e-4a07-af8c-ee0490a66d3a Author: frack113 Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
|
PowerShell Script with Token Impersonation Capabilities |
Detects scripts that contain PowerShell functions, structures, or Windows API functions related to token impersonation/theft. Attackers may duplicate then impersonate another user's token to escalate privileges and bypass access controls. More details
Rule IDQuery{'selection1': {'ScriptBlockText|contains': ['Invoke-TokenManipulation', 'ImpersonateNamedPipeClient', 'NtImpersonateThread']}, 'selection2': {'ScriptBlockText|contains': 'STARTUPINFOEX'}, 'selection3': {'ScriptBlockText|contains': 'UpdateProcThreadAttribute'}, 'selection4': {'ScriptBlockText|contains': 'AdjustTokenPrivileges'}, 'selection5': {'ScriptBlockText|contains': 'SeDebugPrivilege'}, 'selection6': {'UserId': 'S-1-5-18'}, 'condition': '(selection1 or (selection2 and selection3) or (selection4 and selection5)) and (not selection6)'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceDeveloped internally by Stellar Cyber Tactics, Techniques, and ProceduresTA0002, TA0004, T1059, T1059.001, T1106, T1134 References
N/A
Additional Information
|
||||||||
|
Disable of ETW Trace - Powershell |
Detects usage of powershell cmdlets to disable or remove ETW trace sessions More details
Rule IDQuery{'selection_pwsh_remove': {'ScriptBlockText|contains': 'Remove-EtwTraceProvider '}, 'selection_pwsh_set': {'ScriptBlockText|contains|all': ['Set-EtwTraceProvider ', '0x11']}, 'condition': '1 of selection*'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,115fdba9-f017-42e6-84cf-d5573bf2ddf8 Author: Nasreddine Bencherchali (Nextron Systems) Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
|
Service Registry Permissions Weakness Check |
Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services. Adversaries may use flaws in the permissions for registry to redirect from the originally specified executable to one that they control, in order to launch their own code at Service start. Windows stores local service configuration information in the Registry under HKLM\SYSTEM\CurrentControlSet\Services More details
Rule IDQuery{'selection': {'ScriptBlockText|contains|all': ['get-acl', 'REGISTRY::HKLM\\SYSTEM\\CurrentControlSet\\Services\\']}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,95afc12e-3cbb-40c3-9340-84a032e596a3 Author: frack113 Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
|
Potential COM Objects Download Cradles Usage - PS Script |
Detects usage of COM objects that can be abused to download files in PowerShell by CLSID More details
Rule IDQuery{'selection_1': {'ScriptBlockText|contains': '[Type]::GetTypeFromCLSID('}, 'selection_2': {'ScriptBlockText|contains': ['0002DF01-0000-0000-C000-000000000046', 'F6D90F16-9C73-11D3-B32E-00C04F990BB4', 'F5078F35-C551-11D3-89B9-0000F81FE221', '88d96a0a-f192-11d4-a65f-0040963251e5', 'AFBA6B42-5692-48EA-8141-DC517DCF0EF1', 'AFB40FFD-B609-40A3-9828-F88BBE11E4E3', '88d96a0b-f192-11d4-a65f-0040963251e5', '2087c2f4-2cef-4953-a8ab-66779b670495', '000209FF-0000-0000-C000-000000000046', '00024500-0000-0000-C000-000000000046']}, 'condition': 'all of selection_*'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,3c7d1587-3b13-439f-9941-7d14313dbdfe Author: frack113 Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
|
Dnscat Execution |
Dnscat exfiltration tool execution More details
Rule IDQuery{'selection': {'ScriptBlockText|contains': 'Start-Dnscat2'}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,a6d67db4-6220-436d-8afc-f3842fe05d43 Author: Daniil Yugoslavskiy, oscd.community Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
|
Suspicious Unblock-File |
Remove the Zone.Identifier alternate data stream which identifies the file as downloaded from the internet. More details
Rule IDQuery{'selection': {'ScriptBlockText|contains|all': ['Unblock-File ', '-Path ']}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,5947497f-1aa4-41dd-9693-c9848d58727d Author: frack113 Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
|
Modify Group Policy Settings - ScriptBlockLogging |
Detect malicious GPO modifications can be used to implement many other malicious behaviors. More details
Rule IDQuery{'selection_path': {'ScriptBlockText|contains': '\\SOFTWARE\\Policies\\Microsoft\\Windows\\System'}, 'selection_key': {'ScriptBlockText|contains': ['GroupPolicyRefreshTimeDC', 'GroupPolicyRefreshTimeOffsetDC', 'GroupPolicyRefreshTime', 'GroupPolicyRefreshTimeOffset', 'EnableSmartScreen', 'ShellSmartScreenLevel']}, 'condition': 'all of selection_*'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,b7216a7d-687e-4c8d-82b1-3080b2ad961f Author: frack113 Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
|
AMSI Bypass Pattern Assembly GetType |
Detects code fragments found in small and obfuscated AMSI bypass PowerShell scripts More details
Rule IDQuery{'selection': {'ScriptBlockText|contains|all': ['[Ref].Assembly.GetType', 'SetValue($null,$true)', 'NonPublic,Static']}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,e0d6c087-2d1c-47fd-8799-3904103c5a98 Author: Florian Roth (Nextron Systems) Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
|
Remove Account From Domain Admin Group |
Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users. Accounts may be deleted, locked, or manipulated (ex: changed credentials) to remove access to accounts. More details
Rule IDQuery{'selection': {'ScriptBlockText|contains|all': ['Remove-ADGroupMember', '-Identity ', '-Members ']}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,48a45d45-8112-416b-8a67-46e03a4b2107 Author: frack113 Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
|
Suspicious Hyper-V Cmdlets |
Adversaries may carry out malicious operations using a virtual instance to avoid detection More details
Rule IDQuery{'selection': {'ScriptBlockText|contains': ['New-VM', 'Set-VMFirmware', 'Start-VM']}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,42d36aa1-3240-4db0-8257-e0118dcdd9cd Author: frack113 Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
|
Zip A Folder With PowerShell For Staging In Temp - PowerShell Script |
Use living off the land tools to zip a file and stage it in the Windows temporary folder for later exfiltration More details
Rule IDQuery{'selection_4104': {'ScriptBlockText|contains|all': ['Compress-Archive ', ' -Path ', ' -DestinationPath ', '$env:TEMP\\']}, 'condition': 'selection_4104'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,b7a3c9a3-09ea-4934-8864-6a32cacd98d9 Author: Nasreddine Bencherchali (Nextron Systems), frack113 Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
|
Detected Windows Software Discovery - PowerShell |
Adversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable. More details
Rule IDQuery{'selection': {'ScriptBlockText|contains|all': ['get-itemProperty', '\\software\\', 'select-object', 'format-table']}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,2650dd1a-eb2a-412d-ac36-83f06c4f2282 Author: Nikita Nazarov, oscd.community Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
|
PowerShell ShellCode |
Detects Base64 encoded Shellcode More details
Rule IDQuery{'selection': {'ScriptBlockText|contains': 'AAAAYInlM'}, 'selection2': {'ScriptBlockText|contains': ['OiCAAAAYInlM', 'OiJAAAAYInlM']}, 'condition': 'selection and selection2'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,16b37b70-6fcf-4814-a092-c36bd3aafcbd Author: David Ledbetter (shellcode), Florian Roth (Nextron Systems) Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
|
Suspicious Eventlog Clear |
Detects usage of known powershell cmdlets such as "Clear-EventLog" to clear the windows event logs More details
Rule IDQuery{'selection': {'ScriptBlockText|contains': ['Clear-EventLog ', 'Remove-EventLog ', 'Limit-EventLog ', 'Clear-WinEvent ']}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,0f017df3-8f5a-414f-ad6b-24aff1128278 Author: Nasreddine Bencherchali (Nextron Systems) Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
|
Powershell Local Email Collection |
Adversaries may target user email on local systems to collect sensitive information. Files containing email data can be acquired from a users local system, such as Outlook storage or cache files. More details
Rule IDQuery{'selection': {'ScriptBlockText|contains': ['Get-Inbox.ps1', 'Microsoft.Office.Interop.Outlook', 'Microsoft.Office.Interop.Outlook.olDefaultFolders', '-comobject outlook.application']}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,2837e152-93c8-43d2-85ba-c3cd3c2ae614 Author: frack113 Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
|
Suspicious FromBase64String Usage On Gzip Archive - Ps Script |
Detects attempts of decoding a base64 Gzip archive in a PowerShell script. This technique is often used as a method to load malicious content into memory afterward. More details
Rule IDQuery{'selection': {'ScriptBlockText|contains|all': ['FromBase64String', 'MemoryStream', 'H4sI']}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,df69cb1d-b891-4cd9-90c7-d617d90100ce Author: frack113 Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
|
PowerShell ADRecon Execution |
Detects execution of ADRecon.ps1 for AD reconnaissance which has been reported to be actively used by FIN7 More details
Rule IDQuery{'selection': {'ScriptBlockText|contains': ['Function Get-ADRExcelComOb', 'Get-ADRGPO', 'Get-ADRDomainController', 'ADRecon-Report.xlsx']}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,bf72941a-cba0-41ea-b18c-9aca3925690d Author: Bhabesh Raj Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
|
Access to Browser Login Data |
Adversaries may acquire credentials from web browsers by reading files specific to the target browser. Web browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future. Web browsers typically store the credentials in an encrypted format within a credential store. More details
Rule IDQuery{'selection_cmd': {'ScriptBlockText|contains|all': ['Copy-Item', '-Destination']}, 'selection_path': {'ScriptBlockText|contains': ['\\Opera Software\\Opera Stable\\Login Data', '\\Mozilla\\Firefox\\Profiles', '\\Microsoft\\Edge\\User Data\\Default', '\\Google\\Chrome\\User Data\\Default\\Login Data', '\\Google\\Chrome\\User Data\\Default\\Login Data For Account']}, 'condition': 'all of selection_*'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,fc028194-969d-4122-8abe-0470d5b8f12f Author: frack113 Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
|
Abuse of Service Permissions to Hide Services Via Set-Service - PS |
Detects usage of the "Set-Service" powershell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as "sc.exe", "Get-Service"...etc. (Works only in powershell 7) More details
Rule IDQuery{'selection': {'ScriptBlockText|contains|all': ['Set-Service ', 'DCLCWPDTSD'], 'ScriptBlockText|contains': ['-SecurityDescriptorSddl ', '-sd ']}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,953945c5-22fe-4a92-9f8a-a9edc1e522da Author: Nasreddine Bencherchali (Nextron Systems) Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
|
Computer Discovery And Export Via Get-ADComputer Cmdlet - PowerShell |
Detects usage of the Get-ADComputer cmdlet to collect computer information and output it to a file More details
Rule IDQuery{'selection': {'ScriptBlockText|contains|all': ['Get-ADComputer ', ' -Filter *'], 'ScriptBlockText|contains': [' | Select ', 'Out-File', 'Set-Content', 'Add-Content']}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,db885529-903f-4c5d-9864-28fe199e6370 Author: Nasreddine Bencherchali (Nextron Systems) Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
|
PowerShell PSAttack |
Detects the use of PSAttack PowerShell hack tool More details
Rule IDQuery{'selection': {'ScriptBlockText|contains': 'PS ATTACK!!!'}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,b7ec41a4-042c-4f31-a5db-d0fcde9fa5c5 Author: Sean Metcalf (source), Florian Roth (Nextron Systems) Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
|
PowerShell Invoke-NinjaCopy script |
Detects PowerShell scripts that contain the default exported functions used on Invoke-NinjaCopy. Attackers can use Invoke-NinjaCopy to read SYSTEM files that are normally locked, such as the NTDS.dit file or registry hives. More details
Rule IDQuery{'selection1': {'ScriptBlockText|contains': ['StealthReadFile', 'StealthReadFileAddr', 'StealthCloseFileDelegate', 'StealthOpenFile', 'StealthCloseFile', 'Invoke-NinjaCopy']}, 'selection2': {'UserId': 'S-1-5-18'}, 'condition': 'selection1 and (not selection2)'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceDeveloped internally by Stellar Cyber Tactics, Techniques, and ProceduresTA0002, TA0006, T1003, T1059, T1059.001 References
N/A
Additional Information
|
||||||||
|
Delete Volume Shadow Copies via WMI with PowerShell - PS Script |
Deletes Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. This technique is used by numerous ransomware families such as Sodinokibi/REvil More details
Rule IDQuery{'selection': {'ScriptBlockText|contains|all': ['Get-WmiObject', 'Win32_Shadowcopy', '.Delete()']}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,e17121b4-ef2a-4418-8a59-12fb1631fa9e Author: frack113 Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
|
PowerShell ICMP Exfiltration |
Detects Exfiltration Over Alternative Protocol - ICMP. Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel. More details
Rule IDQuery{'selection': {'ScriptBlockText|contains|all': ['New-Object', 'System.Net.NetworkInformation.Ping', '.Send(']}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,4c4af3cd-2115-479c-8193-6b8bfce9001c Author: Bartlomiej Czyz @bczyz1, oscd.community Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
|
AD Groups Or Users Enumeration Using PowerShell - ScriptBlock |
Adversaries may attempt to find domain-level groups and permission settings. The knowledge of domain-level permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as domain administrators. More details
Rule IDQuery{'test_2': {'ScriptBlockText|contains': 'get-ADPrincipalGroupMembership'}, 'test_7': {'ScriptBlockText|contains|all': ['get-aduser', '-f ', '-pr ', 'DoesNotRequirePreAuth']}, 'condition': '1 of test_*'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,88f0884b-331d-403d-a3a1-b668cf035603 Author: frack113 Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
|
Tamper Windows Defender Remove-MpPreference - ScriptBlockLogging |
Detects attempts to remove windows defender configuration using the 'MpPreference' cmdlet More details
Rule IDQuery{'selection_remove': {'ScriptBlockText|contains': 'Remove-MpPreference'}, 'selection_tamper': {'ScriptBlockText|contains': ['-ControlledFolderAccessProtectedFolders ', '-AttackSurfaceReductionRules_Ids ', '-AttackSurfaceReductionRules_Actions ', '-CheckForSignaturesBeforeRunningScan ']}, 'condition': 'all of selection_*'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,ae2bdd58-0681-48ac-be7f-58ab4e593458 Author: Nasreddine Bencherchali (Nextron Systems) Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
|
Invoke-Obfuscation COMPRESS OBFUSCATION - PowerShell |
Detects Obfuscated Powershell via COMPRESS OBFUSCATION More details
Rule IDQuery{'selection_4104': {'ScriptBlockText|contains|all': ['new-object', 'text.encoding]::ascii'], 'ScriptBlockText|contains': ['system.io.compression.deflatestream', 'system.io.streamreader'], 'ScriptBlockText|endswith': 'readtoend'}, 'condition': 'selection_4104'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,20e5497e-331c-4cd5-8d36-935f6e2a9a07 Author: Timur Zinniatullin, oscd.community Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
|
Potential Data Exfiltration Via Audio File |
Detects potential exfiltration attempt via audio file using PowerShell More details
Rule IDQuery{'selection_main': {'ScriptBlockText|contains|all': ['[System.Math]::', '[IO.FileMode]::', 'BinaryWriter']}, 'selection_header_wav': {'ScriptBlockText|contains|all': ['0x52', '0x49', '0x46', '0x57', '0x41', '0x56', '0x45', '0xAC']}, 'condition': 'selection_main and 1 of selection_header_*'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,e4f93c99-396f-47c8-bb0f-201b1fa69034 Author: Nasreddine Bencherchali (Nextron Systems) Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
|
Create Volume Shadow Copy with Powershell |
Adversaries may attempt to access or create a copy of the Active Directory domain database in order to steal credential information More details
Rule IDQuery{'selection': {'ScriptBlockText|contains|all': ['win32_shadowcopy', ').Create(', 'ClientAccessible']}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,afd12fed-b0ec-45c9-a13d-aa86625dac81 Author: frack113 Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
|
Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell |
Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block \u2014 More details
Rule IDQuery{'selection_iex': [{'ScriptBlockText|re': '\\$PSHome\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$PSHome\\['}, {'ScriptBlockText|re': '\\$ShellId\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$ShellId\\['}, {'ScriptBlockText|re': '\\$env:Public\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$env:Public\\['}, {'ScriptBlockText|re': '\\$env:ComSpec\\[(\\s*\\d{1,3}\\s*,){2}'}, {'ScriptBlockText|re': '\\*mdr\\*\\W\\s*\\)\\.Name'}, {'ScriptBlockText|re': '\\$VerbosePreference\\.ToString\\('}], 'condition': 'selection_iex'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,1b9dc62e-6e9e-42a3-8990-94d7a10007f7 Author: Daniel Bohannon (@Mandiant/@FireEye), oscd.community Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
|
Malicious ShellIntel PowerShell Commandlets |
Detects Commandlet names from ShellIntel exploitation scripts. More details
Rule IDQuery{'selection': {'ScriptBlockText|contains': ['Invoke-SMBAutoBrute', 'Invoke-GPOLinks', 'Invoke-Potato']}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,402e1e1d-ad59-47b6-bf80-1ee44985b3a7 Author: Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems) Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
|
Change User Agents with WebRequest |
Adversaries may communicate using application layer protocols associated with web traffic to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. More details
Rule IDQuery{'selection': {'ScriptBlockText|contains|all': ['Invoke-WebRequest', '-UserAgent ']}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,d4488827-73af-4f8d-9244-7b7662ef046e Author: frack113 Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
|
Powershell Timestomp |
Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. More details
Rule IDQuery{'selection_ioc': {'ScriptBlockText|contains': ['.CreationTime =', '.LastWriteTime =', '.LastAccessTime =', '[IO.File]::SetCreationTime', '[IO.File]::SetLastAccessTime', '[IO.File]::SetLastWriteTime']}, 'condition': 'selection_ioc'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,c6438007-e081-42ce-9483-b067fbef33c3 Author: frack113 Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
|
Powershell MsXml COM Object |
Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. (Citation: TechNet PowerShell) Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code More details
Rule IDQuery{'selection': {'ScriptBlockText|contains|all': ['New-Object', '-ComObject', 'MsXml2.', 'XmlHttp']}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,78aa1347-1517-4454-9982-b338d6df8343 Author: frack113, MatilJ Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
|
User Discovery And Export Via Get-ADUser Cmdlet - PowerShell |
Detects usage of the Get-ADUser cmdlet to collect user information and output it to a file More details
Rule IDQuery{'selection': {'ScriptBlockText|contains|all': ['Get-ADUser ', ' -Filter *'], 'ScriptBlockText|contains': [' > ', ' | Select ', 'Out-File', 'Set-Content', 'Add-Content']}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,c2993223-6da8-4b1a-88ee-668b8bf315e9 Author: Nasreddine Bencherchali (Nextron Systems) Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
|
Active Directory Group Enumeration With Get-AdGroup |
Detects usage of the "Get-AdGroup" cmdlet to enumerate Groups within Active Directory More details
Rule IDQuery{'selection': {'ScriptBlockText|contains|all': ['Get-AdGroup ', '-Filter']}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,8c3a6607-b7dc-4f0d-a646-ef38c00b76ee Author: frack113 Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
|
WMIC Unquoted Services Path Lookup - PowerShell |
Detects known WMI recon method to look for unquoted service paths, often used by pentest inside of powershell scripts attackers enum scripts More details
Rule IDQuery{'selection': {'ScriptBlockText|contains': ['Get-WmiObject ', 'gwmi '], 'ScriptBlockText|contains|all': [' Win32_Service ', 'Name', 'DisplayName', 'PathName', 'StartMode']}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,09658312-bc27-4a3b-91c5-e49ab9046d1b Author: Nasreddine Bencherchali (Nextron Systems) Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
|
Get-ADUser Enumeration Using UserAccountControl Flags |
Detects AS-REP roasting is an attack that is often-overlooked. It is not very common as you have to explicitly set accounts that do not require pre-authentication. More details
Rule IDQuery{'selection': {'ScriptBlockText|contains|all': ['Get-ADUser', '-Filter', 'useraccountcontrol', '-band', '4194304']}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,96c982fe-3d08-4df4-bed2-eb14e02f21c8 Author: frack113 Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
|
Windows Defender Exclusions Added - PowerShell |
Detects modifications to the Windows Defender configuration settings using PowerShell to add exclusions More details
Rule IDQuery{'selection_args_exc': {'ScriptBlockText|contains': [' -ExclusionPath ', ' -ExclusionExtension ', ' -ExclusionProcess ', ' -ExclusionIpAddress ']}, 'selection_args_pref': {'ScriptBlockText|contains': ['Add-MpPreference ', 'Set-MpPreference ']}, 'condition': 'all of selection*'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,c1344fa2-323b-4d2e-9176-84b4d4821c88 Author: Tim Rauch Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
|
Suspicious Get-ADReplAccount |
The DSInternals PowerShell Module exposes several internal features of Active Directory and Azure Active Directory. These include FIDO2 and NGC key auditing, offline ntds.dit file manipulation, password auditing, DC recovery from IFM backups and password hash calculation. More details
Rule IDQuery{'selection': {'ScriptBlockText|contains|all': ['Get-ADReplAccount', '-All ', '-Server ']}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,060c3ef1-fd0a-4091-bf46-e7d625f60b73 Author: frack113 Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
|
PowerShell Suspicious Script with Audio Capture Capabilities |
Detects PowerShell scripts that can record audio, a common feature in popular post-exploitation tooling. More details
Rule IDQuery{'selection1': {'ScriptBlockText|contains': 'Get-MicrophoneAudio'}, 'selection2': {'ScriptBlockText|contains': 'waveInGetNumDevs'}, 'selection3': {'ScriptBlockText|contains': 'mciSendStringA'}, 'selection4': {'UserId': 'S-1-5-18'}, 'condition': '(selection1 or (selection2 and selection3)) and (not selection4)'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceDeveloped internally by Stellar Cyber Tactics, Techniques, and ProceduresTA0002, TA0009, T1059, T1059.001, T1123 References
N/A
Additional Information
|
||||||||
|
PowerShell Suspicious Script with Clipboard Retrieval Capabilities |
Detects PowerShell scripts that can get the contents of the clipboard, which attackers can abuse to retrieve sensitive information like credentials, messages, etc. More details
Rule IDQuery{'selection1': {'ScriptBlockText|contains': 'Get-Clipboard'}, 'selection2': {'UserId': 'S-1-5-18'}, 'condition': 'selection1 and (not selection2)'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceDeveloped internally by Stellar Cyber Tactics, Techniques, and ProceduresTA0002, TA0009, T1059, T1059.001, T1115 References
N/A
Additional Information
|
||||||||
|
PowerShell Get-Process LSASS in ScriptBlock |
Detects a Get-Process command on lsass process, which is in almost all cases a sign of malicious activity More details
Rule IDQuery{'selection': {'ScriptBlockText|contains': 'Get-Process lsass'}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,84c174ab-d3ef-481f-9c86-a50d0b8e3edb Author: Florian Roth (Nextron Systems) Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
|
Password Policy Discovery With Get-AdDefaultDomainPasswordPolicy |
Detetcts PowerShell activity in which Get-Addefaultdomainpasswordpolicy is used to get the default password policy for an Active Directory domain. More details
Rule IDQuery{'selection': {'ScriptBlockText|contains': 'Get-AdDefaultDomainPasswordPolicy'}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,bbb9495b-58fc-4016-b9df-9a3a1b67ca82 Author: frack113 Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
|
Suspicious PowerShell Invocations - Generic |
Detects suspicious PowerShell invocation command parameters More details
Rule IDQuery{'selection_encoded': {'ScriptBlockText|contains': [' -enc ', ' -EncodedCommand ', ' -ec ']}, 'selection_hidden': {'ScriptBlockText|contains': [' -w hidden ', ' -window hidden ', ' -windowstyle hidden ', ' -w 1 ']}, 'selection_noninteractive': {'ScriptBlockText|contains': [' -noni ', ' -noninteractive ']}, 'condition': 'all of selection*'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,ed965133-513f-41d9-a441-e38076a0798f Author: Florian Roth (Nextron Systems) Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
|
Powershell Suspicious Win32_PnPEntity |
Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system. More details
Rule IDQuery{'selection': {'ScriptBlockText|contains': 'Win32_PnPEntity'}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,b26647de-4feb-4283-af6b-6117661283c5 Author: frack113 Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
|
Suspicious PowerShell Invocations - Specific |
Detects suspicious PowerShell invocation command parameters More details
Rule IDQuery{'selection_convert_b64': {'ScriptBlockText|contains|all': ['-nop', ' -w ', 'hidden', ' -c ', '[Convert]::FromBase64String']}, 'selection_iex_selection': {'ScriptBlockText|contains|all': [' -w ', 'hidden', '-noni', '-nop', ' -c ', 'iex', 'New-Object']}, 'selection_enc_selection': {'ScriptBlockText|contains|all': [' -w ', 'hidden', '-ep', 'bypass', '-Enc']}, 'selection_reg_selection': {'ScriptBlockText|contains|all': ['powershell', 'reg', 'add', 'HKCU\\software\\microsoft\\windows\\currentversion\\run']}, 'selection_webclient_selection': {'ScriptBlockText|contains|all': ['bypass', '-noprofile', '-windowstyle', 'hidden', 'new-object', 'system.net.webclient', '.download']}, 'selection_iex_webclient': {'ScriptBlockText|contains|all': ['iex', 'New-Object', 'Net.WebClient', '.Download']}, 'filter_chocolatey': {'ScriptBlockText|contains': ["(New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1", "(New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1')", 'Write-ChocolateyWarning']}, 'condition': '1 of selection_* and not 1 of filter_*'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,ae7fbf8e-f3cb-49fd-8db4-5f3bed522c71 Author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
|
NTFS Alternate Data Stream |
Detects writing data into NTFS alternate data streams from powershell. Needs Script Block Logging. More details
Rule IDQuery{'selection_content': {'ScriptBlockText|contains': ['set-content', 'add-content']}, 'selection_stream': {'ScriptBlockText|contains': '-stream'}, 'condition': 'all of selection*'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,8c521530-5169-495d-a199-0a3a881ad24e Author: Sami Ruohonen Tactics, Techniques, and ProceduresT1059.001, T1059.001, T1564.004 References
N/A
Additional Information
|
||||||||
|
Suspicious Invoke-Item From Mount-DiskImage |
Adversaries may abuse container files such as disk image (.iso, .vhd) file formats to deliver malicious payloads that may not be tagged with MOTW. More details
Rule IDQuery{'selection': {'ScriptBlockText|contains|all': ['Mount-DiskImage ', '-ImagePath ', 'Get-Volume', '.DriveLetter', 'invoke-item ', '):\\']}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,902cedee-0398-4e3a-8183-6f3a89773a96 Author: frack113 Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
|
PowerShell WMI Win32_Product Install MSI |
Detects the execution of an MSI file using PowerShell and the WMI Win32_Product class More details
Rule IDQuery{'selection': {'ScriptBlockText|contains|all': ['Invoke-CimMethod ', '-ClassName ', 'Win32_Product ', '-MethodName ', '.msi']}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,91109523-17f0-4248-a800-f81d9e7c081d Author: frack113 Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
|
Execute Invoke-command on Remote Host |
Adversaries may use Valid Accounts to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user. More details
Rule IDQuery{'selection_cmdlet': {'ScriptBlockText|contains|all': ['invoke-command ', ' -ComputerName ']}, 'condition': 'selection_cmdlet'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,7b836d7f-179c-4ba4-90a7-a7e60afb48e6 Author: frack113 Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
|
Suspicious GetTypeFromCLSID ShellExecute |
Detects suspicious Powershell code that execute COM Objects More details
Rule IDQuery{'selection': {'ScriptBlockText|contains|all': ['::GetTypeFromCLSID(', '.ShellExecute(']}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,8bc063d5-3a3a-4f01-a140-bc15e55e8437 Author: frack113 Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
|
Silence.EDA Detection |
Detects Silence EmpireDNSAgent as described in the Group-IP report More details
Rule IDQuery{'empire': {'ScriptBlockText|contains|all': ['System.Diagnostics.Process', 'Stop-Computer', 'Restart-Computer', 'Exception in execution', '$cmdargs', 'Close-Dnscat2Tunnel']}, 'dnscat': {'ScriptBlockText|contains|all': ['set type=$LookupType`nserver', '$Command | nslookup 2>&1 | Out-String', 'New-RandomDNSField', '[Convert]::ToString($SYNOptions, 16)', '$Session.Dead = $True', '$Session["Driver"] -eq']}, 'condition': 'empire and dnscat'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,3ceb2083-a27f-449a-be33-14ec1b7cc973 Author: Alina Stepchenkova, Group-IB, oscd.community Tactics, Techniques, and ProceduresT1059.001, T1059.001, T1071.004, T1529, T1572 References
N/A
Additional Information
|
||||||||
|
Potential Active Directory Enumeration Using AD Module - PsScript |
Detects usage of the "Import-Module" cmdlet to load the "Microsoft.ActiveDirectory.Management.dl" DLL. Which is often used by attackers to perform AD enumeration. More details
Rule IDQuery{'selection_generic': {'ScriptBlockText|contains|all': ['Import-Module ', 'Microsoft.ActiveDirectory.Management.dll']}, 'selection_specific': {'ScriptBlockText|contains': 'ipmo Microsoft.ActiveDirectory.Management.dll'}, 'condition': '1 of selection_*'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,9e620995-f2d8-4630-8430-4afd89f77604 Author: frack113, Nasreddine Bencherchali Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
|
Automated Collection Bookmarks Using Get-ChildItem PowerShell |
Adversaries may enumerate browser bookmarks to learn more about compromised hosts. Browser bookmarks may reveal personal information about users (ex: banking sites, interests, social media, etc.) as well as details about internal network resources such as servers, tools/dashboards, or other related infrastructure. More details
Rule IDQuery{'selection': {'ScriptBlockText|contains|all': ['Get-ChildItem', ' -Recurse ', ' -Path ', ' -Filter Bookmarks', ' -ErrorAction SilentlyContinue', ' -Force']}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,e0565f5d-d420-4e02-8a68-ac00d864f9cf Author: frack113 Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
|
SyncAppvPublishingServer Execution to Bypass Powershell Restriction |
Detects SyncAppvPublishingServer process execution which usually utilized by adversaries to bypass PowerShell execution restrictions. More details
Rule IDQuery{'selection': {'ScriptBlockText|contains': 'SyncAppvPublishingServer.exe'}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,dddfebae-c46f-439c-af7a-fdb6bde90218 Author: Ensar Şamil, @sblmsrsn, OSCD Community Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
|
Disable Powershell Command History |
Detects scripts or commands that disabled the Powershell command history by removing psreadline module More details
Rule IDQuery{'selection': {'ScriptBlockText|contains|all': ['Remove-Module', 'psreadline']}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,602f5669-6927-4688-84db-0d4b7afb2150 Author: Ali Alwashali Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
|
Manipulation of User Computer or Group Security Principals Across AD |
Adversaries may create a domain account to maintain access to victim systems. Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain.. More details
Rule IDQuery{'selection': {'ScriptBlockText|contains': 'System.DirectoryServices.AccountManagement'}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,b29a93fb-087c-4b5b-a84d-ee3309e69d08 Author: frack113 Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
|
PowerShell Suspicious Payload Encoded and Compressed |
Identifies the use of .NET functionality for decompression and base64 decoding combined in PowerShell scripts, which malware and security tools heavily use to deobfuscate payloads and load them directly in memory to bypass defenses. More details
Rule IDQuery{'selection1': {'ScriptBlockText|contains': 'System.IO.Compression.DeflateStream'}, 'selection2': {'ScriptBlockText|contains': 'System.IO.Compression.GzipStream'}, 'selection3': {'ScriptBlockText|contains': 'IO.Compression.DeflateStream'}, 'selection4': {'ScriptBlockText|contains': 'IO.Compression.GzipStream'}, 'selection5': {'ScriptBlockText|contains': 'FromBase64String'}, 'selection6': {'UserId': 'S-1-5-18'}, 'condition': '(selection1 or selection2 or selection3 or selection4) and selection5 and (not selection6)'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceDeveloped internally by Stellar Cyber Tactics, Techniques, and ProceduresTA0002, TA0005, T1027, T1059, T1059.001, T1140 References
N/A
Additional Information
|
||||||||
|
Powershell Trigger Profiles by Add_Content |
Adversaries may gain persistence and elevate privileges by executing malicious content triggered by PowerShell profiles. More details
Rule IDQuery{'selection': {'ScriptBlockText|contains|all': ['Add-Content', '$profile', '-Value'], 'ScriptBlockText|contains': ['Start-Process', '""']}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,05b3e303-faf0-4f4a-9b30-46cc13e69152 Author: frack113, Nasreddine Bencherchali (Nextron Systems) Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
|
Windows Screen Capture with CopyFromScreen |
Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations More details
Rule IDQuery{'selection': {'ScriptBlockText|contains': '.CopyFromScreen'}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,d4a11f63-2390-411c-9adf-d791fd152830 Author: frack113 Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
|
Clear PowerShell History - PowerShell |
Detects keywords that could indicate clearing PowerShell history More details
Rule IDQuery{'selection1a': {'ScriptBlockText|contains': ['del', 'Remove-Item', 'rm']}, 'selection1b': {'ScriptBlockText|contains': '(Get-PSReadlineOption).HistorySavePath'}, 'selection_2': {'ScriptBlockText|contains|all': ['Set-PSReadlineOption', '–HistorySaveStyle', 'SaveNothing']}, 'selection_3': {'ScriptBlockText|contains|all': ['Set-PSReadlineOption', '-HistorySaveStyle', 'SaveNothing']}, 'condition': '1 of selection_* or all of selection1*'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,26b692dc-1722-49b2-b496-a8258aa6371d Author: Ilyas Ochkov, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
|
PowerShell Share Enumeration Script |
Detects scripts that contain PowerShell functions, structures, or Windows API functions related to windows share enumeration activities. Attackers, mainly ransomware groups, commonly identify and inspect network shares, looking for critical information for encryption and/or exfiltration. More details
Rule IDQuery{'selection1': {'ScriptBlockText|contains': ['Invoke-ShareFinder', 'Invoke-ShareFinderThreaded']}, 'selection2': {'ScriptBlockText|contains': 'shi1_netname'}, 'selection3': {'ScriptBlockText|contains': 'shi1_remark'}, 'selection4': {'ScriptBlockText|contains': 'NetShareEnum'}, 'selection5': {'ScriptBlockText|contains': 'NetApiBufferFree'}, 'selection6': {'UserId': 'S-1-5-18'}, 'condition': '(selection1 or (selection2 and selection3) or (selection4 and selection5)) and (not selection6)'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceDeveloped internally by Stellar Cyber Tactics, Techniques, and ProceduresTA0002, TA0007, T1059, T1059.001, T1106, T1135 References
N/A
Additional Information
|
||||||||
|
DirectorySearcher Powershell Exploitation |
Enumerates Active Directory to determine computers that are joined to the domain More details
Rule IDQuery{'selection': {'ScriptBlockText|contains|all': ['New-Object ', 'System.DirectoryServices.DirectorySearcher', '.PropertiesToLoad.Add', '.findall()', 'Properties.name']}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,1f6399cf-2c80-4924-ace1-6fcff3393480 Author: frack113 Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
|
Invoke-Obfuscation STDIN+ Launcher - Powershell |
Detects Obfuscated use of stdin to execute PowerShell More details
Rule IDQuery{'selection_4104': {'ScriptBlockText|re': '.*cmd.{0,5}(?:/c|/r).+powershell.+(?:\\$?\\{?input\\}?|noexit).+"'}, 'condition': 'selection_4104'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,779c8c12-0eb1-11eb-adc1-0242ac120002 Author: Jonathan Cheong, oscd.community Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
|
Powershell Install a DLL in System Directory |
Uses PowerShell to install/copy a a file into a system directory such as "System32" or "SysWOW64" More details
Rule IDQuery{'selection_copy': {'ScriptBlockText|contains|all': ['Copy-Item ', '-Destination ']}, 'selection_paths': {'ScriptBlockText|contains': ['\\Windows\\System32', '\\Windows\\SysWOW64']}, 'condition': 'all of selection*'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,63bf8794-9917-45bc-88dd-e1b5abc0ecfd Author: frack113, Nasreddine Bencherchali Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
|
Deletion of Volume Shadow Copies via WMI with PowerShell - PS Script |
Detects deletion of Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. This technique is used by numerous ransomware families such as Sodinokibi/REvil More details
Rule IDQuery{'selection_get': {'ScriptBlockText|contains': ['Get-WmiObject', 'gwmi', 'Get-CimInstance', 'gcim']}, 'selection_shadowcopy': {'ScriptBlockText|contains': 'Win32_Shadowcopy'}, 'selection_delete': {'ScriptBlockText|contains': ['.Delete()', 'Remove-WmiObject', 'rwmi', 'Remove-CimInstance', 'rcim']}, 'condition': 'all of selection*'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,c1337eb8-921a-4b59-855b-4ba188ddcc42 Author: Tim Rauch Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
|
Code Executed Via Office Add-in XLL File |
Adversaries may abuse Microsoft Office add-ins to obtain persistence on a compromised system. Office add-ins can be used to add functionality to Office programs More details
Rule IDQuery{'selection': {'ScriptBlockText|contains|all': ['new-object ', '-ComObject ', '.application', '.RegisterXLL']}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,36fbec91-fa1b-4d5d-8df1-8d8edcb632ad Author: frack113 Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
|
PSAsyncShell - Asynchronous TCP Reverse Shell |
Detects the use of PSAsyncShell an Asynchronous TCP Reverse Shell written in powershell More details
Rule IDQuery{'selection': {'ScriptBlockText|contains': 'PSAsyncShell'}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,afd3df04-948d-46f6-ae44-25966c44b97f Author: Nasreddine Bencherchali (Nextron Systems) Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
|
Recon Information for Export with PowerShell |
Once established within a system or network, an adversary may use automated techniques for collecting internal data More details
Rule IDQuery{'selection_action': {'ScriptBlockText|contains': ['Get-Service ', 'Get-ChildItem ', 'Get-Process ']}, 'selection_redirect': {'ScriptBlockText|contains': '> $env:TEMP\\'}, 'condition': 'all of selection*'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,a9723fcc-881c-424c-8709-fd61442ab3c3 Author: frack113 Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
|
Enable Windows Remote Management |
Adversaries may use Valid Accounts to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user. More details
Rule IDQuery{'selection_cmdlet': {'ScriptBlockText|contains': 'Enable-PSRemoting '}, 'condition': 'selection_cmdlet'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,991a9744-f2f0-44f2-bd33-9092eba17dc3 Author: frack113 Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
|
Enumerate Credentials from Windows Credential Manager With PowerShell |
Adversaries may search for common password storage locations to obtain user credentials. Passwords are stored in several places on a system, depending on the operating system or application holding the credentials. More details
Rule IDQuery{'selection_cmd': {'ScriptBlockText|contains|all': ['vaultcmd', '/listcreds:']}, 'selection_option': {'ScriptBlockText|contains': ['Windows Credentials', 'Web Credentials']}, 'condition': 'all of selection_*'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,603c6630-5225-49c1-8047-26c964553e0e Author: frack113 Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
|
Extracting Information with PowerShell |
Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords. More details
Rule IDQuery{'selection': {'ScriptBlockText|contains|all': ['ls', ' -R', 'select-string ', '-Pattern ']}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,bd5971a7-626d-46ab-8176-ed643f694f68 Author: frack113 Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
|
Potential Persistence Via Security Descriptors - ScriptBlock |
Detects usage of certain functions and keywords that are used to manipulate security descriptors in order to potentially set a backdoor. As seen used in the DAMP project. More details
Rule IDQuery{'selection': {'ScriptBlockText|contains|all': ['win32_Trustee', 'win32_Ace', '.AccessMask', '.AceType', '.SetSecurityDescriptor'], 'ScriptBlockText|contains': ['\\Lsa\\JD', '\\Lsa\\Skew1', '\\Lsa\\Data', '\\Lsa\\GBG']}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,2f77047c-e6e9-4c11-b088-a3de399524cd Author: Nasreddine Bencherchali (Nextron Systems) Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
|
PowerShell Script with Encryption/Decryption Capabilities |
Identifies the use of Cmdlets and methods related to encryption/decryption of files in PowerShell scripts, which malware and offensive security tools can abuse to encrypt data or decrypt payloads to bypass security solutions. More details
Rule IDQuery{'selection1': {'ScriptBlockText|contains': 'Cryptography.AESManaged'}, 'selection2': {'ScriptBlockText|contains': 'Cryptography.RijndaelManaged'}, 'selection3': {'ScriptBlockText|contains': 'Cryptography.SHA1Managed'}, 'selection4': {'ScriptBlockText|contains': 'Cryptography.SHA256Managed'}, 'selection5': {'ScriptBlockText|contains': 'Cryptography.SHA384Managed'}, 'selection6': {'ScriptBlockText|contains': 'Cryptography.SHA512Managed'}, 'selection7': {'ScriptBlockText|contains': 'Cryptography.SymmetricAlgorithm'}, 'selection8': {'ScriptBlockText|contains': 'PasswordDeriveBytes'}, 'selection9': {'ScriptBlockText|contains': 'Rfc2898DeriveBytes'}, 'selection10': {'ScriptBlockText|contains': 'CipherMode'}, 'selection11': {'ScriptBlockText|contains': 'PaddingMode'}, 'selection12': {'ScriptBlockText|contains': '.CreateEncryptor'}, 'selection13': {'ScriptBlockText|contains': '.CreateDecryptor'}, 'selection14': {'UserId': 'S-1-5-18'}, 'condition': '(selection1 or selection2 or selection3 or selection4 or selection5 or selection6 or selection7 or selection8 or selection9) and selection10 and selection11 and (selection12 or selection13) and (not selection14)'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceDeveloped internally by Stellar Cyber Tactics, Techniques, and ProceduresTA0005, T1027, T1059.001, T1140 References
N/A
Additional Information
|
||||||||
|
Suspicious SSL Connection |
Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. More details
Rule IDQuery{'selection': {'ScriptBlockText|contains|all': ['System.Net.Security.SslStream', 'Net.Security.RemoteCertificateValidationCallback', '.AuthenticateAsClient']}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,195626f3-5f1b-4403-93b7-e6cfd4d6a078 Author: frack113 Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
|
Potential Keylogger Activity |
Detects PowerShell scripts that contains reference to keystroke capturing functions More details
Rule IDQuery{'selection': {'ScriptBlockText|contains': '[Windows.Input.Keyboard]::IsKeyDown([System.Windows.Input.Key]::'}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,965e2db9-eddb-4cf6-a986-7a967df651e4 Author: Nasreddine Bencherchali (Nextron Systems) Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
|
Invoke-Obfuscation Via Use Clip - Powershell |
Detects Obfuscated Powershell via use Clip.exe in Scripts More details
Rule IDQuery{'selection_4104': {'ScriptBlockText|re': '(?i).*?echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?).*'}, 'condition': 'selection_4104'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,db92dd33-a3ad-49cf-8c2c-608c3e30ace0 Author: Nikita Nazarov, oscd.community Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
|
Execution via CL_Mutexverifiers.ps1 |
Detects Execution via runAfterCancelProcess in CL_Mutexverifiers.ps1 module More details
Rule IDQuery{'selection': {'ScriptBlockText|contains|all': ['CL_Mutexverifiers.ps1', 'runAfterCancelProcess']}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,39776c99-1c7b-4ba0-b5aa-641525eee1a4 Author: oscd.community, Natalia Shornikova Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
|
Bloodhound Hack Tool Usage via PowerShell |
Detects the usage of PowerShell to execute Bloodhound hacktool on endpoint More details
Rule IDQuery{'selection': {'ScriptBlockText|contains': ['Invoke-BloodHound', 'Invoke-AzureHound', 'Get-BloodHoundData']}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceDeveloped internally by Stellar Cyber Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
|
Suspicious X509Enrollment - Ps Script |
Detect use of X509Enrollment More details
Rule IDQuery{'selection': {'ScriptBlockText|contains': ['X509Enrollment.CBinaryConverter', '884e2002-217d-11da-b2a4-000e7bbb2b09']}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,504d63cb-0dba-4d02-8531-e72981aace2c Author: frack113 Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
|
Add New Windows Capability - ScriptBlock |
Detects usage of the "Add-WindowsCapability" cmdlet to add new windows capabilities. Notable capabilities could be "OpenSSH" and others. More details
Rule IDQuery{'selection_cmdlet': {'ScriptBlockText|contains': 'Add-WindowsCapability '}, 'selection_capa': {'ScriptBlockText|contains': 'OpenSSH.'}, 'condition': 'all of selection_*'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,155c7fd5-47b4-49b2-bbeb-eb4fab335429 Author: Nasreddine Bencherchali (Nextron Systems) Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
|
Invoke-Obfuscation Via Use Rundll32 - PowerShell |
Detects Obfuscated Powershell via use Rundll32 in Scripts More details
Rule IDQuery{'selection_4104': {'ScriptBlockText|contains|all': ['&&', 'rundll32', 'shell32.dll', 'shellexec_rundll'], 'ScriptBlockText|contains': ['value', 'invoke', 'comspec', 'iex']}, 'condition': 'selection_4104'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,a5a30a6e-75ca-4233-8b8c-42e0f2037d3b Author: Nikita Nazarov, oscd.community Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
|
Anti-VM check with WMI Query |
WMI Queries allow to inspect Windows properties like the BIOS features. This technique is used by malware to identify virtual and sandboxed host machines, in order to evade security analysis. More details
Rule IDQuery{'selection1': {'ScriptBlockText|contains': '-query'}, 'selection2': {'ScriptBlockText|re': '.*(Get-WMIObject|gwmi) .*?-query .*? win32_(BIOS|SystemBIOS).*?(bochs|qemu|VBOX|VirtualBox|VM).*'}, 'condition': 'selection1 and selection2'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceDeveloped internally by Stellar Cyber Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
|
Suspicious Connection to Remote Account |
Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Without knowledge of the password for an account, an adversary may opt to systematically guess the password using a repetitive or iterative mechanism More details
Rule IDQuery{'selection': {'ScriptBlockText|contains': ['System.DirectoryServices.Protocols.LdapDirectoryIdentifier', 'System.Net.NetworkCredential', 'System.DirectoryServices.Protocols.LdapConnection']}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,1883444f-084b-419b-ac62-e0d0c5b3693f Author: frack113 Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
|
Suspicious Export-PfxCertificate |
Detects Commandlet that is used to export certificates from the local certificate store and sometimes used by threat actors to steal private keys from compromised machines More details
Rule IDQuery{'selection': {'ScriptBlockText|contains': 'Export-PfxCertificate'}, 'filter_moduleexport': {'ScriptBlockText|contains': 'CmdletsToExport = @('}, 'condition': 'selection and not 1 of filter*'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,aa7a3fce-bef5-4311-9cc1-5f04bb8c308c Author: Florian Roth (Nextron Systems) Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
|
Powershell Sensitive File Discovery |
Detect adversaries enumerate sensitive files More details
Rule IDQuery{'selection_action': {'ScriptBlockText|contains': ['ls', 'get-childitem', 'gci']}, 'selection_recurse': {'ScriptBlockText|contains': '-recurse'}, 'selection_file': {'ScriptBlockText|contains': ['.pass', '.kdbx', '.kdb']}, 'condition': 'all of selection_*'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,7d416556-6502-45b2-9bad-9d2f05f38997 Author: frack113 Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
|
Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell |
Detects Obfuscated Powershell via VAR++ LAUNCHER More details
Rule IDQuery{'selection_4104': {'ScriptBlockText|re': '(?i).*&&set.*(\\{\\d\\}){2,}\\\\"\\s+?-f.*&&.*cmd.*/c'}, 'condition': 'selection_4104'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,e54f5149-6ba3-49cf-b153-070d24679126 Author: Timur Zinniatullin, oscd.community Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
|
Testing Usage of Uncommonly Used Port |
Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088(Citation: Symantec Elfin Mar 2019) or port 587(Citation: Fortinet Agent Tesla April 2018) as opposed to the traditional port 443. More details
Rule IDQuery{'selection': {'ScriptBlockText|contains|all': ['Test-NetConnection', '-ComputerName ', '-port ']}, 'filter': {'ScriptBlockText|contains': [' 443 ', ' 80 ']}, 'condition': 'selection and not filter'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,adf876b3-f1f8-4aa9-a4e4-a64106feec06 Author: frack113 Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
|
Troubleshooting Pack Cmdlet Execution |
Detects execution of "TroubleshootingPack" cmdlets to leverage CVE-2022-30190 or action similar to "msdt" lolbin (as described in LOLBAS) More details
Rule IDQuery{'selection': {'ScriptBlockText|contains|all': ['Invoke-TroubleshootingPack', 'C:\\Windows\\Diagnostics\\System\\PCW', '-AnswerFile', '-Unattended']}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,03409c93-a7c7-49ba-9a4c-a00badf2a153 Author: Nasreddine Bencherchali (Nextron Systems) Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
|
Invoke-Obfuscation Via Stdin - Powershell |
Detects Obfuscated Powershell via Stdin in Scripts More details
Rule IDQuery{'selection_4104': {'ScriptBlockText|re': '(?i).*(set).*&&\\s?set.*(environment|invoke|\\$\\{?input).*&&.*"'}, 'condition': 'selection_4104'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,86b896ba-ffa1-4fea-83e3-ee28a4c915c7 Author: Nikita Nazarov, oscd.community Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
|
Suspicious Mount-DiskImage |
Adversaries may abuse container files such as disk image (.iso, .vhd) file formats to deliver malicious payloads that may not be tagged with MOTW. More details
Rule IDQuery{'selection': {'ScriptBlockText|contains|all': ['Mount-DiskImage ', '-ImagePath ']}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,29e1c216-6408-489d-8a06-ee9d151ef819 Author: frack113 Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
|
Suspicious PowerShell Mailbox Export to Share - PS |
Detects usage of the powerShell New-MailboxExportRequest Cmdlet to exports a mailbox to a remote or local share, as used in ProxyShell exploitations More details
Rule IDQuery{'selection': {'ScriptBlockText|contains|all': ['New-MailboxExportRequest', ' -Mailbox ', ' -FilePath \\\\']}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,4a241dea-235b-4a7e-8d76-50d817b146c4 Author: Nasreddine Bencherchali (Nextron Systems) Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
|
Data Compressed - PowerShell |
An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network. More details
Rule IDQuery{'selection': {'ScriptBlockText|contains|all': ['-Recurse', '|', 'Compress-Archive']}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,6dc5d284-69ea-42cf-9311-fb1c3932a69a Author: Timur Zinniatullin, oscd.community Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
|
PowerShell Create Local User |
Detects creation of a local user via PowerShell More details
Rule IDQuery{'selection': {'ScriptBlockText|contains': 'New-LocalUser'}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,243de76f-4725-4f2e-8225-a8a69b15ad61 Author: @ROxPinTeddy Tactics, Techniques, and ProceduresT1059.001, T1059.001, T1136.001 References
N/A
Additional Information
|
||||||||
|
WMI lateral movement using MSI package |
Windows Management Instrumentation (WMI) is able to install MSI packages in remote computers. An attacker can use it to performa lateral movement and execute malicious code. More details
Rule IDQuery{'selection1': {'ScriptBlockText|contains': 'win32_product'}, 'selection2': {'ScriptBlockText|contains': 'install'}, 'selection3': {'ScriptBlockText|contains': '-ComputerName'}, 'selection4': {'ScriptBlockText|contains': '-Credential'}, 'condition': 'selection1 and selection2 and selection3 and selection4'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceDeveloped internally by Stellar Cyber Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
|
Replace Desktop Wallpaper by Powershell |
An adversary may deface systems internal to an organization in an attempt to intimidate or mislead users. This may take the form of modifications to internal websites, or directly to user systems with the replacement of the desktop wallpaper More details
Rule IDQuery{'selection_1': {'ScriptBlockText|contains|all': ['Get-ItemProperty', 'Registry::', 'HKEY_CURRENT_USER\\Control Panel\\Desktop\\', 'WallPaper']}, 'selection_2': {'ScriptBlockText|contains': 'SystemParametersInfo(20,0,*,3)'}, 'condition': '1 of selection_*'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,c5ac6a1e-9407-45f5-a0ce-ca9a0806a287 Author: frack113 Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
|
PowerShell MiniDump Script |
This rule detects PowerShell scripts capable of dumping process memory using WindowsErrorReporting or Dbghelp.dll MiniDumpWriteDump. Attackers can use this tooling to dump LSASS and get access to credentials. More details
Rule IDQuery{'selection1': {'ScriptBlockText|contains': ['MiniDumpWriteDump', 'MiniDumpWithFullMemory', 'pmuDetirWpmuDiniM']}, 'selection2': {'UserId': 'S-1-5-18'}, 'condition': 'selection1 and (not selection2)'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceDeveloped internally by Stellar Cyber Tactics, Techniques, and ProceduresTA0002, TA0006, T1003, T1059, T1059.001 References
N/A
Additional Information
|
||||||||
|
PowerShell PSReflect Script |
Detects the use of PSReflect in PowerShell scripts. Attackers leverage PSReflect as a library that enables PowerShell to access win32 API functions. More details
Rule IDQuery{'selection1': {'ScriptBlockText|contains': ['New-InMemoryModule', 'Add-Win32Type', 'psenum', 'DefineDynamicAssembly', 'DefineDynamicModule', 'Reflection.TypeAttributes', 'Reflection.Emit.OpCodes', 'Reflection.Emit.CustomAttributeBuilder', 'Runtime.InteropServices.DllImportAttribute']}, 'selection2': {'UserId': 'S-1-5-18'}, 'condition': 'selection1 and (not selection2)'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceDeveloped internally by Stellar Cyber Tactics, Techniques, and ProceduresTA0002, T1059, T1059.001, T1106 References
N/A
Additional Information
|
||||||||
|
Winlogon Helper DLL |
Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete. Registry entries in HKLM\Software[Wow6432Node]Microsoft\Windows NT\CurrentVersion\Winlogon\ and HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ are used to manage additional helper programs and functionalities that support Winlogon. Malicious modifications to these Registry keys may cause Winlogon to load and execute malicious DLLs and/or executables. More details
Rule IDQuery{'selection': {'ScriptBlockText|contains': 'CurrentVersion\\Winlogon'}, 'selection2': {'ScriptBlockText|contains': ['Set-ItemProperty', 'New-Item']}, 'condition': 'all of selection*'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,851c506b-6b7c-4ce2-8802-c703009d03c0 Author: Timur Zinniatullin, oscd.community Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
