Automated Collection Command PowerShell
Once established within a system or network, an adversary may use automated techniques for collecting internal data (MITRE ATT&CK T1119). This rule looks for that pattern in PowerShell script block logs: a Get-ChildItem call that recursively enumerates files (-Recurse -Include) and names Office, RTF, PDF or text extensions, the typical first step before staging documents for exfiltration.
Sigma rule
title: Automated Collection Command PowerShell
id: c1dda054-d638-4c16-afc8-53e007f3fbc5
status: test
description: Once established within a system or network, an adversary may use automated techniques for collecting internal data.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1119/T1119.md
author: frack113
date: 2021-07-28
modified: 2022-12-25
tags:
    - attack.collection
    - attack.t1119
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection_ext:
        ScriptBlockText|contains:
            - '.doc'
            - '.docx'
            - '.xls'
            - '.xlsx'
            - '.ppt'
            - '.pptx'
            - '.rtf'
            - '.pdf'
            - '.txt'
    selection_cmd:
        ScriptBlockText|contains|all:
            - 'Get-ChildItem'
            - ' -Recurse '
            - ' -Include '
    condition: all of selection*
falsepositives:
    - Unknown
level: medium
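To see exactly what the detection section above matches and where it is brittle, the following is an added Python re-implementation of this rule's logic (it is not part of the Sigma rule, the SigmaHQ project or any Sigma backend) run over constructed ScriptBlockText values of the kind that Script Block Logging writes to Event ID 4104 in Microsoft-Windows-PowerShell/Operational. The extension and token lists are copied from the rule; `contains` is implemented as a case-insensitive literal substring test, which is how the Sigma specification defines string matching. The sample records and their `id` labels are constructed for this example.

```python
"""Evaluate the logic of the Sigma rule 'Automated Collection Command PowerShell'
over constructed PowerShell script block records (Event ID 4104 style)."""

# Values copied from the rule's detection section.
EXTENSIONS = ['.doc', '.docx', '.xls', '.xlsx', '.ppt', '.pptx', '.rtf', '.pdf', '.txt']
CMD_TOKENS = ['Get-ChildItem', ' -Recurse ', ' -Include ']


def _contains(haystack: str, needle: str) -> bool:
    # Sigma string matching is case-insensitive by default; the value is a
    # literal substring, so the leading/trailing spaces in CMD_TOKENS count.
    return needle.lower() in haystack.lower()


def selection_ext(script_block: str) -> bool:
    # 'ScriptBlockText|contains:' with a list of values -> any one value matches.
    return any(_contains(script_block, ext) for ext in EXTENSIONS)


def selection_cmd(script_block: str) -> bool:
    # 'ScriptBlockText|contains|all:' -> every listed value must be present.
    return all(_contains(script_block, tok) for tok in CMD_TOKENS)


def rule_matches(script_block: str) -> bool:
    # 'condition: all of selection*' -> both selections must be true.
    return selection_ext(script_block) and selection_cmd(script_block)


def evaluate(events):
    """Return the ids of the constructed events whose ScriptBlockText fires the rule."""
    return [e['id'] for e in events if rule_matches(e['ScriptBlockText'])]


# Constructed sample records (hypothetical ScriptBlockText values, not real telemetry).
SAMPLE_EVENTS = [
    # Fires: recursive enumeration of Office/PDF documents staged for exfiltration.
    {'id': 'collect', 'ScriptBlockText':
        "Get-ChildItem -Path C:\\Users -Recurse -Include *.docx,*.xlsx,*.pdf | "
        "Copy-Item -Destination C:\\Temp\\staging"},
    # Fires: different casing, Sigma matching is case-insensitive.
    {'id': 'collect-lower', 'ScriptBlockText':
        "get-childitem c:\\shares -recurse -include *.txt | Out-File C:\\Temp\\list.txt"},
    # Does not fire: no -Include, a plain recursive listing is outside the rule.
    {'id': 'listing', 'ScriptBlockText':
        "Get-ChildItem -Path C:\\Logs -Recurse | Measure-Object"},
    # Does not fire: the gci alias never contains the literal 'Get-ChildItem' token,
    # so an attacker using aliases slips past this rule (detection gap).
    {'id': 'alias-evasion', 'ScriptBlockText':
        "gci C:\\Users -Recurse -Include *.docx | Compress-Archive -DestinationPath C:\\Temp\\a.zip"},
    # Does not fire: -Recurse is the last token, so ' -Recurse ' (with its trailing
    # space) never occurs, although the intent is identical to 'collect'.
    {'id': 'trailing-switch', 'ScriptBlockText':
        "Get-ChildItem -Include *.docx -Path C:\\Users -Recurse"},
]

if __name__ == '__main__':
    for event in SAMPLE_EVENTS:
        verdict = 'ALERT' if rule_matches(event['ScriptBlockText']) else 'no match'
        print(f"{event['id']:>16}: {verdict}")
```

Two practical points fall out of the run. First, the `all` selection is literal: parameter aliases (`gci`, `ls`, `-r`) and a switch placed at the end of the line do not match, so the rule catches the textbook T1119 command rather than every variant; treat it as one signal in a broader collection-staging hunt. Second, the extension list is a bare substring check, so `'.doc'` also matches `.docx` and any path containing `.doc`, and `'.txt'` will appear in a great deal of legitimate administration scripting; the rule's `falsepositives: Unknown` should be read as "expect tuning", not as "none observed".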
References
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1119/T1119.md
Related rules
- Automated Collection Command Prompt
- Recon Information for Export with Command Prompt
- Recon Information for Export with PowerShell
- 7Zip Compressing Dump Files
- ADFS Database Named Pipe Connection By Uncommon Tool