- title: Malicious PowerShell Commandlet Names
id: f331aa1f-8c53-4fc3-b083-cc159bc971cb
status: experimental
description: Detects the creation of known powershell scripts for exploitation
references:
- https://raw.githubusercontent.com/Neo23x0/sigma/f35c50049fa896dff91ff545cb199319172701e8/rules/windows/powershell/powershell_malicious_commandlets.yml
tags:
- attack.execution
- attack.t1086
author: Markus Neis
date: 2018/04/07
logsource:
product: windows
service: sysmon
category: null
detection:
selection:
EventID: 11
TargetFilename:
- '*\Invoke-DllInjection.ps1'
- '*\Invoke-WmiCommand.ps1'
- '*\Get-GPPPassword.ps1'
- '*\Get-Keystrokes.ps1'
- '*\Get-VaultCredential.ps1'
- '*\Invoke-CredentialInjection.ps1'
- '*\Invoke-Mimikatz.ps1'
- '*\Invoke-NinjaCopy.ps1'
- '*\Invoke-TokenManipulation.ps1'
- '*\Out-Minidump.ps1'
- '*\VolumeShadowCopyTools.ps1'
- '*\Invoke-ReflectivePEInjection.ps1'
- '*\Get-TimedScreenshot.ps1'
- '*\Invoke-UserHunter.ps1'
- '*\Find-GPOLocation.ps1'
- '*\Invoke-ACLScanner.ps1'
- '*\Invoke-DowngradeAccount.ps1'
- '*\Get-ServiceUnquoted.ps1'
- '*\Get-ServiceFilePermission.ps1'
- '*\Get-ServicePermission.ps1'
- '*\Invoke-ServiceAbuse.ps1'
- '*\Install-ServiceBinary.ps1'
- '*\Get-RegAutoLogon.ps1'
- '*\Get-VulnAutoRun.ps1'
- '*\Get-VulnSchTask.ps1'
- '*\Get-UnattendedInstallFile.ps1'
- '*\Get-WebConfig.ps1'
- '*\Get-ApplicationHost.ps1'
- '*\Get-RegAlwaysInstallElevated.ps1'
- '*\Get-Unconstrained.ps1'
- '*\Add-RegBackdoor.ps1'
- '*\Add-ScrnSaveBackdoor.ps1'
- '*\Gupt-Backdoor.ps1'
- '*\Invoke-ADSBackdoor.ps1'
- '*\Enabled-DuplicateToken.ps1'
- '*\Invoke-PsUaCme.ps1'
- '*\Remove-Update.ps1'
- '*\Check-VM.ps1'
- '*\Get-LSASecret.ps1'
- '*\Get-PassHashes.ps1'
- '*\Show-TargetScreen.ps1'
- '*\Port-Scan.ps1'
- '*\Invoke-PoshRatHttp.ps1'
- '*\Invoke-PowerShellTCP.ps1'
- '*\Invoke-PowerShellWMI.ps1'
- '*\Add-Exfiltration.ps1'
- '*\Add-Persistence.ps1'
- '*\Do-Exfiltration.ps1'
- '*\Start-CaptureServer.ps1'
- '*\Invoke-ShellCode.ps1'
- '*\Get-ChromeDump.ps1'
- '*\Get-ClipboardContents.ps1'
- '*\Get-FoxDump.ps1'
- '*\Get-IndexedItem.ps1'
- '*\Get-Screenshot.ps1'
- '*\Invoke-Inveigh.ps1'
- '*\Invoke-NetRipper.ps1'
- '*\Invoke-EgressCheck.ps1'
- '*\Invoke-PostExfil.ps1'
- '*\Invoke-PSInject.ps1'
- '*\Invoke-RunAs.ps1'
- '*\MailRaider.ps1'
- '*\New-HoneyHash.ps1'
- '*\Set-MacAttribute.ps1'
- '*\Invoke-DCSync.ps1'
- '*\Invoke-PowerDump.ps1'
- '*\Exploit-Jboss.ps1'
- '*\Invoke-ThunderStruck.ps1'
- '*\Invoke-VoiceTroll.ps1'
- '*\Set-Wallpaper.ps1'
- '*\Invoke-InveighRelay.ps1'
- '*\Invoke-PsExec.ps1'
- '*\Invoke-SSHCommand.ps1'
- '*\Get-SecurityPackages.ps1'
- '*\Install-SSP.ps1'
- '*\Invoke-BackdoorLNK.ps1'
- '*\PowerBreach.ps1'
- '*\Get-SiteListPassword.ps1'
- '*\Get-System.ps1'
- '*\Invoke-BypassUAC.ps1'
- '*\Invoke-Tater.ps1'
- '*\Invoke-WScriptBypassUAC.ps1'
- '*\PowerUp.ps1'
- '*\PowerView.ps1'
- '*\Get-RickAstley.ps1'
- '*\Find-Fruit.ps1'
- '*\HTTP-Login.ps1'
- '*\Find-TrustedDocuments.ps1'
- '*\Invoke-Paranoia.ps1'
- '*\Invoke-WinEnum.ps1'
- '*\Invoke-ARPScan.ps1'
- '*\Invoke-PortScan.ps1'
- '*\Invoke-ReverseDNSLookup.ps1'
- '*\Invoke-SMBScanner.ps1'
- '*\Invoke-Mimikittenz.ps1'
condition: selection
falsepositives:
- Penetration Tests
level: high
In [ ]:
from elasticsearch import Elasticsearch
from elasticsearch_dsl import Search
import pandas as pd
In [ ]:
es = Elasticsearch(['http://helk-elasticsearch:9200'])
searchContext = Search(using=es, index='logs-endpoint-winevent-sysmon-*', doc_type='doc')
In [ ]:
s = searchContext.query('query_string', query='(event_id:"11" AND file_name.keyword:(*\\Invoke\-DllInjection.ps1 OR *\\Invoke\-WmiCommand.ps1 OR *\\Get\-GPPPassword.ps1 OR *\\Get\-Keystrokes.ps1 OR *\\Get\-VaultCredential.ps1 OR *\\Invoke\-CredentialInjection.ps1 OR *\\Invoke\-Mimikatz.ps1 OR *\\Invoke\-NinjaCopy.ps1 OR *\\Invoke\-TokenManipulation.ps1 OR *\\Out\-Minidump.ps1 OR *\\VolumeShadowCopyTools.ps1 OR *\\Invoke\-ReflectivePEInjection.ps1 OR *\\Get\-TimedScreenshot.ps1 OR *\\Invoke\-UserHunter.ps1 OR *\\Find\-GPOLocation.ps1 OR *\\Invoke\-ACLScanner.ps1 OR *\\Invoke\-DowngradeAccount.ps1 OR *\\Get\-ServiceUnquoted.ps1 OR *\\Get\-ServiceFilePermission.ps1 OR *\\Get\-ServicePermission.ps1 OR *\\Invoke\-ServiceAbuse.ps1 OR *\\Install\-ServiceBinary.ps1 OR *\\Get\-RegAutoLogon.ps1 OR *\\Get\-VulnAutoRun.ps1 OR *\\Get\-VulnSchTask.ps1 OR *\\Get\-UnattendedInstallFile.ps1 OR *\\Get\-WebConfig.ps1 OR *\\Get\-ApplicationHost.ps1 OR *\\Get\-RegAlwaysInstallElevated.ps1 OR *\\Get\-Unconstrained.ps1 OR *\\Add\-RegBackdoor.ps1 OR *\\Add\-ScrnSaveBackdoor.ps1 OR *\\Gupt\-Backdoor.ps1 OR *\\Invoke\-ADSBackdoor.ps1 OR *\\Enabled\-DuplicateToken.ps1 OR *\\Invoke\-PsUaCme.ps1 OR *\\Remove\-Update.ps1 OR *\\Check\-VM.ps1 OR *\\Get\-LSASecret.ps1 OR *\\Get\-PassHashes.ps1 OR *\\Show\-TargetScreen.ps1 OR *\\Port\-Scan.ps1 OR *\\Invoke\-PoshRatHttp.ps1 OR *\\Invoke\-PowerShellTCP.ps1 OR *\\Invoke\-PowerShellWMI.ps1 OR *\\Add\-Exfiltration.ps1 OR *\\Add\-Persistence.ps1 OR *\\Do\-Exfiltration.ps1 OR *\\Start\-CaptureServer.ps1 OR *\\Invoke\-ShellCode.ps1 OR *\\Get\-ChromeDump.ps1 OR *\\Get\-ClipboardContents.ps1 OR *\\Get\-FoxDump.ps1 OR *\\Get\-IndexedItem.ps1 OR *\\Get\-Screenshot.ps1 OR *\\Invoke\-Inveigh.ps1 OR *\\Invoke\-NetRipper.ps1 OR *\\Invoke\-EgressCheck.ps1 OR *\\Invoke\-PostExfil.ps1 OR *\\Invoke\-PSInject.ps1 OR *\\Invoke\-RunAs.ps1 OR *\\MailRaider.ps1 OR *\\New\-HoneyHash.ps1 OR *\\Set\-MacAttribute.ps1 OR *\\Invoke\-DCSync.ps1 OR *\\Invoke\-PowerDump.ps1 OR *\\Exploit\-Jboss.ps1 OR *\\Invoke\-ThunderStruck.ps1 OR *\\Invoke\-VoiceTroll.ps1 OR *\\Set\-Wallpaper.ps1 OR *\\Invoke\-InveighRelay.ps1 OR *\\Invoke\-PsExec.ps1 OR *\\Invoke\-SSHCommand.ps1 OR *\\Get\-SecurityPackages.ps1 OR *\\Install\-SSP.ps1 OR *\\Invoke\-BackdoorLNK.ps1 OR *\\PowerBreach.ps1 OR *\\Get\-SiteListPassword.ps1 OR *\\Get\-System.ps1 OR *\\Invoke\-BypassUAC.ps1 OR *\\Invoke\-Tater.ps1 OR *\\Invoke\-WScriptBypassUAC.ps1 OR *\\PowerUp.ps1 OR *\\PowerView.ps1 OR *\\Get\-RickAstley.ps1 OR *\\Find\-Fruit.ps1 OR *\\HTTP\-Login.ps1 OR *\\Find\-TrustedDocuments.ps1 OR *\\Invoke\-Paranoia.ps1 OR *\\Invoke\-WinEnum.ps1 OR *\\Invoke\-ARPScan.ps1 OR *\\Invoke\-PortScan.ps1 OR *\\Invoke\-ReverseDNSLookup.ps1 OR *\\Invoke\-SMBScanner.ps1 OR *\\Invoke\-Mimikittenz.ps1))')
response = s.execute()
if response.success():
df = pd.DataFrame((d.to_dict() for d in s.scan()))
In [ ]:
df.head()