PowerView PowerShell Cmdlets - ScriptBlock
Detects Cmdlet names from PowerView of the PowerSploit exploitation framework.
Sigma rule (View on GitHub)
1title: PowerView PowerShell Cmdlets - ScriptBlock
2id: dcd74b95-3f36-4ed9-9598-0490951643aa
3related:
4 - id: b2317cfa-4a47-4ead-b3ff-297438c0bc2d
5 type: similar
6status: test
7description: Detects Cmdlet names from PowerView of the PowerSploit exploitation framework.
8references:
9 - https://powersploit.readthedocs.io/en/stable/Recon/README
10 - https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon
11 - https://thedfirreport.com/2020/10/08/ryuks-return
12 - https://adsecurity.org/?p=2277
13author: Bhabesh Raj
14date: 2021-05-18
15modified: 2023-11-22
16tags:
17 - attack.execution
18 - attack.t1059.001
19logsource:
20 product: windows
21 category: ps_script
22 definition: 'Requirements: Script Block Logging must be enabled'
23detection:
24 selection:
25 ScriptBlockText|contains:
26 - 'Export-PowerViewCSV'
27 - 'Find-DomainLocalGroupMember'
28 - 'Find-DomainObjectPropertyOutlier'
29 - 'Find-DomainProcess'
30 - 'Find-DomainShare'
31 - 'Find-DomainUserEvent'
32 - 'Find-DomainUserLocation'
33 - 'Find-ForeignGroup'
34 - 'Find-ForeignUser'
35 - 'Find-GPOComputerAdmin'
36 - 'Find-GPOLocation'
37 - 'Find-InterestingDomain' # Covers: Find-InterestingDomainAcl, Find-InterestingDomainShareFile
38 - 'Find-InterestingFile'
39 - 'Find-LocalAdminAccess'
40 - 'Find-ManagedSecurityGroups'
41 - 'Get-CachedRDPConnection'
42 - 'Get-DFSshare'
43 - 'Get-DomainDFSShare'
44 - 'Get-DomainDNSRecord'
45 - 'Get-DomainDNSZone'
46 - 'Get-DomainFileServer'
47 - 'Get-DomainGPOComputerLocalGroupMapping'
48 - 'Get-DomainGPOLocalGroup'
49 - 'Get-DomainGPOUserLocalGroupMapping'
50 - 'Get-LastLoggedOn'
51 - 'Get-LoggedOnLocal'
52 - 'Get-NetFileServer'
53 - 'Get-NetForest' # Covers: Get-NetForestCatalog, Get-NetForestDomain, Get-NetForestTrust
54 - 'Get-NetGPOGroup'
55 - 'Get-NetProcess'
56 - 'Get-NetRDPSession'
57 - 'Get-RegistryMountedDrive'
58 - 'Get-RegLoggedOn'
59 - 'Get-WMIRegCachedRDPConnection'
60 - 'Get-WMIRegLastLoggedOn'
61 - 'Get-WMIRegMountedDrive'
62 - 'Get-WMIRegProxy'
63 - 'Invoke-ACLScanner'
64 - 'Invoke-CheckLocalAdminAccess'
65 - 'Invoke-EnumerateLocalAdmin'
66 - 'Invoke-EventHunter'
67 - 'Invoke-FileFinder'
68 - 'Invoke-Kerberoast'
69 - 'Invoke-MapDomainTrust'
70 - 'Invoke-ProcessHunter'
71 - 'Invoke-RevertToSelf'
72 - 'Invoke-ShareFinder'
73 - 'Invoke-UserHunter'
74 - 'Invoke-UserImpersonation'
75 - 'Remove-RemoteConnection'
76 - 'Request-SPNTicket'
77 - 'Resolve-IPAddress'
78 # - 'Get-ADObject' # prone to FPs
79 # - 'Get-Domain' # too many FPs # Covers Cmdlets like: DomainComputer, DomainController, DomainDFSShare, DomainDNSRecord, DomainGPO, etc.
80 # - 'Add-DomainGroupMember'
81 # - 'Add-DomainObjectAcl'
82 # - 'Add-ObjectAcl'
83 # - 'Add-RemoteConnection'
84 # - 'Convert-ADName'
85 # - 'Convert-NameToSid'
86 # - 'ConvertFrom-UACValue'
87 # - 'ConvertTo-SID'
88 # - 'Get-DNSRecord'
89 # - 'Get-DNSZone'
90 # - 'Get-DomainComputer'
91 # - 'Get-DomainController'
92 # - 'Get-DomainGroup'
93 # - 'Get-DomainGroupMember'
94 # - 'Get-DomainManagedSecurityGroup'
95 # - 'Get-DomainObject'
96 # - 'Get-DomainObjectAcl'
97 # - 'Get-DomainOU'
98 # - 'Get-DomainPolicy'
99 # - 'Get-DomainSID'
100 # - 'Get-DomainSite'
101 # - 'Get-DomainSPNTicket'
102 # - 'Get-DomainSubnet'
103 # - 'Get-DomainUser'
104 # - 'Get-DomainUserEvent'
105 # - 'Get-Forest' # Covers: Get-ForestDomain, Get-ForestGlobalCatalog, Get-ForestTrust
106 # - 'Get-IPAddress'
107 # - 'Get-NetComputer' # Covers: Get-NetComputerSiteName
108 # - 'Get-NetDomain' # Covers: Get-NetDomainController, Get-NetDomainTrust
109 # - 'Get-NetGroup' # Covers: Get-NetGroupMember
110 # - 'Get-NetLocalGroup' # Covers: NetLocalGroupMember
111 # - 'Get-NetLoggedon'
112 # - 'Get-NetOU'
113 # - 'Get-NetSession'
114 # - 'Get-NetShare'
115 # - 'Get-NetSite'
116 # - 'Get-NetSubnet'
117 # - 'Get-NetUser'
118 # - 'Get-ObjectAcl'
119 # - 'Get-PathAcl'
120 # - 'Get-Proxy'
121 # - 'Get-SiteName'
122 # - 'Get-UserEvent'
123 # - 'Get-WMIProcess'
124 # - 'New-DomainGroup'
125 # - 'New-DomainUser'
126 # - 'Set-ADObject'
127 # - 'Set-DomainObject'
128 # - 'Set-DomainUserPassword'
129 # - 'Test-AdminAccess'
130 condition: selection
131falsepositives:
132 - Unknown
133level: high
References
-
-
Intro The Ryuk group went from an email to domain wide ransomware in 29 hours and asked for over $6 million to unlock our systems. They used tools such as Cobalt Strike, AdFind, WMI, vsftpd, PowerS…
Read More -
PowerShell version 5 is RTM (As of 12/18/2015). Prior to this there was a “production preview” available since August which means it was supported, but not final. With the final release of PowerShe...
Read More
Related rules
- AWS EC2 Startup Shell Script Change
- Alternate PowerShell Hosts - PowerShell Module
- Bad Opsec Powershell Code Artifacts
- BloodHound Collection Files
- Certificate Exported Via PowerShell