Bad Opsec Powershell Code Artifacts

calendar Oct 18, 2023 · attack.execution attack.t1059.001  ·
Share on: linkedin copy

focuses on trivial artifacts observed in variants of prevalent offensive ps1 payloads, including Cobalt Strike Beacon, PoshC2, Powerview, Letmein, Empire, Powersploit, and other attack payloads that often undergo minimal changes by attackers due to bad opsec.

Sigma rule (View on GitHub)

 1title: Bad Opsec Powershell Code Artifacts
 2id: 8d31a8ce-46b5-4dd6-bdc3-680931f1db86
 3related:
 4    - id: 73e733cc-1ace-3212-a107-ff2523cc9fc3
 5      type: derived
 6status: test
 7description: |
 8    focuses on trivial artifacts observed in variants of prevalent offensive ps1 payloads, including
 9    Cobalt Strike Beacon, PoshC2, Powerview, Letmein, Empire, Powersploit, and other attack payloads
10    that often undergo minimal changes by attackers due to bad opsec.    
11references:
12    - https://newtonpaul.com/analysing-fileless-malware-cobalt-strike-beacon/
13    - https://labs.sentinelone.com/top-tier-russian-organized-cybercrime-group-unveils-fileless-stealthy-powertrick-backdoor-for-high-value-targets/
14    - https://www.mdeditor.tw/pl/pgRt
15author: 'ok @securonix invrep_de, oscd.community'
16date: 2020/10/09
17modified: 2022/12/25
18tags:
19    - attack.execution
20    - attack.t1059.001
21logsource:
22    product: windows
23    category: ps_module
24    definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
25detection:
26    selection_4103:
27        Payload|contains:
28            - '$DoIt'
29            - 'harmj0y'
30            - 'mattifestation'
31            - '_RastaMouse'
32            - 'tifkin_'
33            - '0xdeadbeef'
34    condition: selection_4103
35falsepositives:
36    - 'Moderate-to-low; Despite the shorter length/lower entropy for some of these, because of high specificity, fp appears to be fairly limited in many environments.'
37level: critical

References

Related rules

to-top