Malicious PowerShell Commandlet Names

Detects the creation of files named after well-known PowerShell exploitation scripts

Rule Content

- title: Malicious PowerShell Commandlet Names
  id: f331aa1f-8c53-4fc3-b083-cc159bc971cb
  status: experimental
  description: Detects the creation of known powershell scripts for exploitation
  references:
  - https://raw.githubusercontent.com/Neo23x0/sigma/f35c50049fa896dff91ff545cb199319172701e8/rules/windows/powershell/powershell_malicious_commandlets.yml
  tags:
  - attack.execution
  - attack.t1086
  author: Markus Neis
  date: 2018/04/07
  logsource:
    product: windows
    service: sysmon
    category: null
  detection:
    selection:
      EventID: 11
      TargetFilename:
      - '*\Invoke-DllInjection.ps1'
      - '*\Invoke-WmiCommand.ps1'
      - '*\Get-GPPPassword.ps1'
      - '*\Get-Keystrokes.ps1'
      - '*\Get-VaultCredential.ps1'
      - '*\Invoke-CredentialInjection.ps1'
      - '*\Invoke-Mimikatz.ps1'
      - '*\Invoke-NinjaCopy.ps1'
      - '*\Invoke-TokenManipulation.ps1'
      - '*\Out-Minidump.ps1'
      - '*\VolumeShadowCopyTools.ps1'
      - '*\Invoke-ReflectivePEInjection.ps1'
      - '*\Get-TimedScreenshot.ps1'
      - '*\Invoke-UserHunter.ps1'
      - '*\Find-GPOLocation.ps1'
      - '*\Invoke-ACLScanner.ps1'
      - '*\Invoke-DowngradeAccount.ps1'
      - '*\Get-ServiceUnquoted.ps1'
      - '*\Get-ServiceFilePermission.ps1'
      - '*\Get-ServicePermission.ps1'
      - '*\Invoke-ServiceAbuse.ps1'
      - '*\Install-ServiceBinary.ps1'
      - '*\Get-RegAutoLogon.ps1'
      - '*\Get-VulnAutoRun.ps1'
      - '*\Get-VulnSchTask.ps1'
      - '*\Get-UnattendedInstallFile.ps1'
      - '*\Get-WebConfig.ps1'
      - '*\Get-ApplicationHost.ps1'
      - '*\Get-RegAlwaysInstallElevated.ps1'
      - '*\Get-Unconstrained.ps1'
      - '*\Add-RegBackdoor.ps1'
      - '*\Add-ScrnSaveBackdoor.ps1'
      - '*\Gupt-Backdoor.ps1'
      - '*\Invoke-ADSBackdoor.ps1'
      - '*\Enabled-DuplicateToken.ps1'
      - '*\Invoke-PsUaCme.ps1'
      - '*\Remove-Update.ps1'
      - '*\Check-VM.ps1'
      - '*\Get-LSASecret.ps1'
      - '*\Get-PassHashes.ps1'
      - '*\Show-TargetScreen.ps1'
      - '*\Port-Scan.ps1'
      - '*\Invoke-PoshRatHttp.ps1'
      - '*\Invoke-PowerShellTCP.ps1'
      - '*\Invoke-PowerShellWMI.ps1'
      - '*\Add-Exfiltration.ps1'
      - '*\Add-Persistence.ps1'
      - '*\Do-Exfiltration.ps1'
      - '*\Start-CaptureServer.ps1'
      - '*\Invoke-ShellCode.ps1'
      - '*\Get-ChromeDump.ps1'
      - '*\Get-ClipboardContents.ps1'
      - '*\Get-FoxDump.ps1'
      - '*\Get-IndexedItem.ps1'
      - '*\Get-Screenshot.ps1'
      - '*\Invoke-Inveigh.ps1'
      - '*\Invoke-NetRipper.ps1'
      - '*\Invoke-EgressCheck.ps1'
      - '*\Invoke-PostExfil.ps1'
      - '*\Invoke-PSInject.ps1'
      - '*\Invoke-RunAs.ps1'
      - '*\MailRaider.ps1'
      - '*\New-HoneyHash.ps1'
      - '*\Set-MacAttribute.ps1'
      - '*\Invoke-DCSync.ps1'
      - '*\Invoke-PowerDump.ps1'
      - '*\Exploit-Jboss.ps1'
      - '*\Invoke-ThunderStruck.ps1'
      - '*\Invoke-VoiceTroll.ps1'
      - '*\Set-Wallpaper.ps1'
      - '*\Invoke-InveighRelay.ps1'
      - '*\Invoke-PsExec.ps1'
      - '*\Invoke-SSHCommand.ps1'
      - '*\Get-SecurityPackages.ps1'
      - '*\Install-SSP.ps1'
      - '*\Invoke-BackdoorLNK.ps1'
      - '*\PowerBreach.ps1'
      - '*\Get-SiteListPassword.ps1'
      - '*\Get-System.ps1'
      - '*\Invoke-BypassUAC.ps1'
      - '*\Invoke-Tater.ps1'
      - '*\Invoke-WScriptBypassUAC.ps1'
      - '*\PowerUp.ps1'
      - '*\PowerView.ps1'
      - '*\Get-RickAstley.ps1'
      - '*\Find-Fruit.ps1'
      - '*\HTTP-Login.ps1'
      - '*\Find-TrustedDocuments.ps1'
      - '*\Invoke-Paranoia.ps1'
      - '*\Invoke-WinEnum.ps1'
      - '*\Invoke-ARPScan.ps1'
      - '*\Invoke-PortScan.ps1'
      - '*\Invoke-ReverseDNSLookup.ps1'
      - '*\Invoke-SMBScanner.ps1'
      - '*\Invoke-Mimikittenz.ps1'
    condition: selection
  falsepositives:
  - Penetration Tests
  level: high

Querying Elasticsearch

Import Libraries


In [ ]:
from elasticsearch import Elasticsearch
from elasticsearch_dsl import Search
import pandas as pd

Initialize Elasticsearch client


In [ ]:
es = Elasticsearch(['http://helk-elasticsearch:9200'])
searchContext = Search(using=es, index='logs-endpoint-winevent-sysmon-*', doc_type='doc')

Run Elasticsearch Query


In [ ]:
# Raw string: the query_string needs the doubled backslash (literal '\') and the escaped hyphen intact
s = searchContext.query('query_string', query=r'(event_id:"11" AND file_name.keyword:(*\\Invoke\-DllInjection.ps1 OR *\\Invoke\-WmiCommand.ps1 OR *\\Get\-GPPPassword.ps1 OR *\\Get\-Keystrokes.ps1 OR *\\Get\-VaultCredential.ps1 OR *\\Invoke\-CredentialInjection.ps1 OR *\\Invoke\-Mimikatz.ps1 OR *\\Invoke\-NinjaCopy.ps1 OR *\\Invoke\-TokenManipulation.ps1 OR *\\Out\-Minidump.ps1 OR *\\VolumeShadowCopyTools.ps1 OR *\\Invoke\-ReflectivePEInjection.ps1 OR *\\Get\-TimedScreenshot.ps1 OR *\\Invoke\-UserHunter.ps1 OR *\\Find\-GPOLocation.ps1 OR *\\Invoke\-ACLScanner.ps1 OR *\\Invoke\-DowngradeAccount.ps1 OR *\\Get\-ServiceUnquoted.ps1 OR *\\Get\-ServiceFilePermission.ps1 OR *\\Get\-ServicePermission.ps1 OR *\\Invoke\-ServiceAbuse.ps1 OR *\\Install\-ServiceBinary.ps1 OR *\\Get\-RegAutoLogon.ps1 OR *\\Get\-VulnAutoRun.ps1 OR *\\Get\-VulnSchTask.ps1 OR *\\Get\-UnattendedInstallFile.ps1 OR *\\Get\-WebConfig.ps1 OR *\\Get\-ApplicationHost.ps1 OR *\\Get\-RegAlwaysInstallElevated.ps1 OR *\\Get\-Unconstrained.ps1 OR *\\Add\-RegBackdoor.ps1 OR *\\Add\-ScrnSaveBackdoor.ps1 OR *\\Gupt\-Backdoor.ps1 OR *\\Invoke\-ADSBackdoor.ps1 OR *\\Enabled\-DuplicateToken.ps1 OR *\\Invoke\-PsUaCme.ps1 OR *\\Remove\-Update.ps1 OR *\\Check\-VM.ps1 OR *\\Get\-LSASecret.ps1 OR *\\Get\-PassHashes.ps1 OR *\\Show\-TargetScreen.ps1 OR *\\Port\-Scan.ps1 OR *\\Invoke\-PoshRatHttp.ps1 OR *\\Invoke\-PowerShellTCP.ps1 OR *\\Invoke\-PowerShellWMI.ps1 OR *\\Add\-Exfiltration.ps1 OR *\\Add\-Persistence.ps1 OR *\\Do\-Exfiltration.ps1 OR *\\Start\-CaptureServer.ps1 OR *\\Invoke\-ShellCode.ps1 OR *\\Get\-ChromeDump.ps1 OR *\\Get\-ClipboardContents.ps1 OR *\\Get\-FoxDump.ps1 OR *\\Get\-IndexedItem.ps1 OR *\\Get\-Screenshot.ps1 OR *\\Invoke\-Inveigh.ps1 OR *\\Invoke\-NetRipper.ps1 OR *\\Invoke\-EgressCheck.ps1 OR *\\Invoke\-PostExfil.ps1 OR *\\Invoke\-PSInject.ps1 OR *\\Invoke\-RunAs.ps1 OR *\\MailRaider.ps1 OR *\\New\-HoneyHash.ps1 OR *\\Set\-MacAttribute.ps1 OR *\\Invoke\-DCSync.ps1 OR *\\Invoke\-PowerDump.ps1 OR *\\Exploit\-Jboss.ps1 OR *\\Invoke\-ThunderStruck.ps1 OR *\\Invoke\-VoiceTroll.ps1 OR *\\Set\-Wallpaper.ps1 OR *\\Invoke\-InveighRelay.ps1 OR *\\Invoke\-PsExec.ps1 OR *\\Invoke\-SSHCommand.ps1 OR *\\Get\-SecurityPackages.ps1 OR *\\Install\-SSP.ps1 OR *\\Invoke\-BackdoorLNK.ps1 OR *\\PowerBreach.ps1 OR *\\Get\-SiteListPassword.ps1 OR *\\Get\-System.ps1 OR *\\Invoke\-BypassUAC.ps1 OR *\\Invoke\-Tater.ps1 OR *\\Invoke\-WScriptBypassUAC.ps1 OR *\\PowerUp.ps1 OR *\\PowerView.ps1 OR *\\Get\-RickAstley.ps1 OR *\\Find\-Fruit.ps1 OR *\\HTTP\-Login.ps1 OR *\\Find\-TrustedDocuments.ps1 OR *\\Invoke\-Paranoia.ps1 OR *\\Invoke\-WinEnum.ps1 OR *\\Invoke\-ARPScan.ps1 OR *\\Invoke\-PortScan.ps1 OR *\\Invoke\-ReverseDNSLookup.ps1 OR *\\Invoke\-SMBScanner.ps1 OR *\\Invoke\-Mimikittenz.ps1))')
response = s.execute()
if response.success():
    # scan() pages through every hit rather than only the first batch returned by execute()
    df = pd.DataFrame((d.to_dict() for d in s.scan()))
else:
    # Keep df defined so the next cell does not fail with a NameError when the query itself failed
    df = pd.DataFrame()

Show Results


In [ ]:
df.head()
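The same rule logic can be checked offline before it is shipped to Elasticsearch. The following is an added example, not part of the original rule or the HELK notebook: it renders a subset of the rule's TargetFilename patterns into the query_string form the cell above uses (doubled backslash, escaped hyphen), and runs the Sysmon Event ID 11 match over constructed sample events to confirm which file names would alert. The field names event_id and file_name.keyword are taken from the notebook; the sample events are constructed.

```python
import fnmatch
import json

# Subset of the rule's TargetFilename patterns (Sigma wildcard syntax, '*' = any run of characters).
PATTERNS = [r"*\Invoke-Mimikatz.ps1", r"*\Get-GPPPassword.ps1", r"*\PowerView.ps1", r"*\Invoke-DCSync.ps1"]

def sigma_to_query_string(event_id, patterns):
    """Render the Lucene query_string the notebook cell runs.
    A literal backslash must be doubled and '-' escaped, otherwise query_string
    reads them as an escape character and the NOT operator."""
    escaped = [p.replace("\\", "\\\\").replace("-", "\\-") for p in patterns]
    return '(event_id:"%s" AND file_name.keyword:(%s))' % (event_id, " OR ".join(escaped))

def matches_rule(event, patterns=PATTERNS):
    """True for a Sysmon FileCreate (EventID 11) whose TargetFilename matches a pattern.
    Matching is case-insensitive as Sigma specifies; an Elasticsearch .keyword field is
    case-sensitive unless a lowercase normalizer is mapped, so check that in production."""
    if str(event.get("EventID")) != "11":
        return False
    name = event.get("TargetFilename", "").lower()
    return any(fnmatch.fnmatchcase(name, p.lower()) for p in patterns)

def scan_events(raw_lines):
    """Run the rule over JSON-encoded Sysmon events and return the file names that alert."""
    return [ev["TargetFilename"] for ev in map(json.loads, raw_lines) if matches_rule(ev)]

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    json.dumps({"EventID": 11, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\Invoke-Mimikatz.ps1"}),
    json.dumps({"EventID": 11, "Image": r"C:\Program Files\Git\usr\bin\curl.exe",
                "TargetFilename": r"C:\Tools\powerview.ps1"}),              # case differs, still matches
    json.dumps({"EventID": 1, "Image": r"C:\Tools\Invoke-DCSync.ps1"}),     # ProcessCreate, not FileCreate
    json.dumps({"EventID": 11, "TargetFilename": r"C:\Users\alice\Documents\NotInvoke-Mimikatz.ps1"}),
    json.dumps({"EventID": 11, "TargetFilename": r"C:\Users\alice\Documents\report.docx"}),
]

if __name__ == "__main__":
    print(sigma_to_query_string(11, PATTERNS))
    for hit in scan_events(SAMPLE_EVENTS):
        print("ALERT:", hit)
```

The fourth sample shows why the leading `\` in each pattern matters: a file whose name merely ends in the script name does not match, only an exact basename does.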