Potential PowerShell HackTool Script by Author
Detects known PowerShell offensive tooling author's name in PowerShell scripts. Attackers commonly use out-of-the-box offensive tools without modifying the code, which may still contain the author artifacts. This rule identifies common author handles found in popular PowerShell scripts used for red team exercises.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2024/05/08"
3integration = ["windows"]
4maturity = "production"
5updated_date = "2024/07/17"
6
7[rule]
8author = ["Elastic"]
9description = """
10Detects known PowerShell offensive tooling author's name in PowerShell scripts. Attackers commonly use out-of-the-box
11offensive tools without modifying the code, which may still contain the author artifacts. This rule identifies common
12author handles found in popular PowerShell scripts used for red team exercises.
13"""
14from = "now-9m"
15index = ["winlogbeat-*", "logs-windows.powershell*"]
16language = "kuery"
17license = "Elastic License v2"
18name = "Potential PowerShell HackTool Script by Author"
19references = [
20 "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md",
21]
22risk_score = 73
23rule_id = "2553a9af-52a4-4a05-bb03-85b2a479a0a0"
24setup = """## Setup
25
26The 'PowerShell Script Block Logging' logging policy must be enabled.
27Steps to implement the logging policy with Advanced Audit Configuration:
Computer Configuration > Administrative Templates > Windows PowerShell > Turn on PowerShell Script Block Logging (Enable)
1
2Steps to implement the logging policy via registry:
reg add "hklm\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1
1"""
2severity = "high"
3tags = [
4 "Domain: Endpoint",
5 "OS: Windows",
6 "Use Case: Threat Detection",
7 "Tactic: Execution",
8 "Data Source: PowerShell Logs",
9]
10timestamp_override = "event.ingested"
11type = "query"
12
13query = '''
14host.os.type:windows and event.category:process and
15 powershell.file.script_block_text : (
16 "mattifestation" or "JosephBialek" or
17 "harmj0y" or "ukstufus" or
18 "SecureThisShit" or "Matthew Graeber" or
19 "secabstraction" or "mgeeky" or
20 "oddvarmoe" or "am0nsec" or
21 "obscuresec" or "sixdub" or
22 "darkoperator" or "funoverip" or
23 "rvrsh3ll" or "kevin_robertson" or
24 "dafthack" or "r4wd3r" or
25 "danielhbohannon" or "OneLogicalMyth" or
26 "cobbr_io" or "xorrior" or
27 "PetrMedonos" or "citronneur" or
28 "eladshamir" or "RastaMouse" or
29 "enigma0x3" or "FuzzySec" or
30 "424f424f" or "jaredhaight" or
31 "fullmetalcache" or "Hubbl3" or
32 "curi0usJack" or "Cx01N" or
33 "itm4n" or "nurfed1" or
34 "cfalta" or "Scott Sutherland" or
35 "_nullbind" or "_tmenochet" or
36 "jaredcatkinson" or "ChrisTruncer" or
37 "monoxgas" or "TheRealWover" or
38 "splinter_code"
39 )
40'''
41
42
43[[rule.threat]]
44framework = "MITRE ATT&CK"
45[[rule.threat.technique]]
46id = "T1059"
47name = "Command and Scripting Interpreter"
48reference = "https://attack.mitre.org/techniques/T1059/"
49[[rule.threat.technique.subtechnique]]
50id = "T1059.001"
51name = "PowerShell"
52reference = "https://attack.mitre.org/techniques/T1059/001/"
53
54
55
56[rule.threat.tactic]
57id = "TA0002"
58name = "Execution"
59reference = "https://attack.mitre.org/tactics/TA0002/"
References
Related rules
- Potential Process Injection via PowerShell
- PowerShell PSReflect Script
- PowerShell Suspicious Discovery Related Windows API Functions
- Suspicious .NET Reflection via PowerShell
- PowerShell Share Enumeration Script