Potential PowerShell HackTool Script by Author
Detects the names of known PowerShell offensive-tooling authors in PowerShell scripts. Attackers commonly use out-of-the-box offensive tools without modifying the code, so the scripts may still contain author artifacts. This rule identifies common author handles found in popular PowerShell scripts used for red team exercises.
Elastic rule (View on GitHub)
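# Detection rule: flags PowerShell script blocks that contain the name or
# handle of a known offensive-tooling author. The match is a plain string
# indicator, so treat a hit as a lead to triage, not as proof of malicious
# activity.
[metadata]
creation_date = "2024/05/08"
integration = ["windows"]
maturity = "production"
updated_date = "2024/10/28"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."

[rule]
author = ["Elastic"]
description = """
Detects known PowerShell offensive tooling author's name in PowerShell scripts. Attackers commonly use out-of-the-box
offensive tools without modifying the code, which may still contain the author artifacts. This rule identifies common
author handles found in popular PowerShell scripts used for red team exercises.
"""
# Each run looks back 9 minutes. No interval is set in this file, so the
# overlap between runs depends on the consumer's default schedule.
from = "now-9m"
# Index patterns for Winlogbeat and for the Windows integration's PowerShell data.
index = ["winlogbeat-*", "logs-windows.powershell*"]
language = "kuery"
license = "Elastic License v2"
name = "Potential PowerShell HackTool Script by Author"
references = [
    "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md",
]
# 73 is paired with severity = "high" below; keep the two in step when tuning.
risk_score = 73
rule_id = "2553a9af-52a4-4a05-bb03-85b2a479a0a0"
# The query depends on PowerShell Script Block Logging. A host without the
# policy sends no script block text, so the rule stays silent there; a quiet
# rule is not evidence of a clean host.
# NOTE(review): the registry value is a machine-wide policy under HKLM, so the
# command needs an elevated prompt; consider alerting on changes to this value,
# since turning it off blinds the rule.
# Backslashes are doubled because this is a basic (escaping) string; the
# resulting text keeps single backslashes.
setup = """## Setup

The 'PowerShell Script Block Logging' logging policy must be enabled.
Steps to implement the logging policy with Advanced Audit Configuration:
Computer Configuration > Administrative Templates > Windows PowerShell > Turn on PowerShell Script Block Logging (Enable)

Steps to implement the logging policy via registry:
reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1
"""
severity = "high"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Execution",
    "Data Source: PowerShell Logs",
]
# Use ingest time instead of the event's own timestamp for the lookback window.
timestamp_override = "event.ingested"
type = "query"

# Literal string ('''), so the quoted handles need no escaping.
# Limits to keep in mind when triaging or tuning:
# - Only tooling that still carries its author artifacts matches; scripts with
#   those strings stripped or renamed will not. Pair this rule with
#   behaviour-based and function-name-based detections.
# - Some of these names may also appear in legitimate research, defensive or
#   administrative scripts, so expect benign hits; review the whole script
#   block, the user and the host before escalating.
# - NOTE(review): how short tokens such as "424f424f" match depends on the
#   mapping and analyzer of powershell.file.script_block_text; confirm they
#   cannot match inside unrelated encoded data.
query = '''
host.os.type:windows and event.category:process and
 powershell.file.script_block_text : (
 "mattifestation" or "JosephBialek" or
 "harmj0y" or "ukstufus" or
 "SecureThisShit" or "Matthew Graeber" or
 "secabstraction" or "mgeeky" or
 "oddvarmoe" or "am0nsec" or
 "obscuresec" or "sixdub" or
 "darkoperator" or "funoverip" or
 "rvrsh3ll" or "kevin_robertson" or
 "dafthack" or "r4wd3r" or
 "danielhbohannon" or "OneLogicalMyth" or
 "cobbr_io" or "xorrior" or
 "PetrMedonos" or "citronneur" or
 "eladshamir" or "RastaMouse" or
 "enigma0x3" or "FuzzySec" or
 "424f424f" or "jaredhaight" or
 "fullmetalcache" or "Hubbl3" or
 "curi0usJack" or "Cx01N" or
 "itm4n" or "nurfed1" or
 "cfalta" or "Scott Sutherland" or
 "_nullbind" or "_tmenochet" or
 "jaredcatkinson" or "ChrisTruncer" or
 "monoxgas" or "TheRealWover" or
 "splinter_code"
 )
'''

# ATT&CK mapping: one threat entry holding technique T1059 with sub-technique
# T1059.001, under tactic TA0002. The sub-tables below attach to the most
# recent [[rule.threat]] element, so they must stay directly after it.
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
[[rule.threat.technique.subtechnique]]
id = "T1059.001"
name = "PowerShell"
reference = "https://attack.mitre.org/techniques/T1059/001/"

[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"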
Related rules
- Potential PowerShell HackTool Script by Function Names
- Potential Process Injection via PowerShell
- PowerShell PSReflect Script
- PowerShell Share Enumeration Script
- PowerShell Suspicious Discovery Related Windows API Functions