Powershell Sensitive File Discovery
Detects adversaries enumerating sensitive files

Sigma rule

```yaml
title: Powershell Sensitive File Discovery
id: 7d416556-6502-45b2-9bad-9d2f05f38997
related:
    - id: d23f2ba5-9da0-4463-8908-8ee47f614bb9
      type: derived
status: test
description: Detects adversaries enumerating sensitive files
references:
    - https://twitter.com/malmoeb/status/1570814999370801158
author: frack113
date: 2022-09-16
tags:
    - attack.discovery
    - attack.t1083
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection_action:
        ScriptBlockText|contains:
            - ls
            - get-childitem
            - gci
    selection_recurse:
        ScriptBlockText|contains: '-recurse'
    selection_file:
        ScriptBlockText|contains:
            - '.pass'
            - '.kdbx'
            - '.kdb'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
```
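Applying this rule's detection logic to sample script blocks, as an added example that is not part of the rule or the SigmaHQ project; it assumes Sigma's default case-insensitive `contains` matching and constructs its own ScriptBlockText values (Event ID 4104). The third sample shows why the bare `ls` substring adds little discrimination: the real filters are `-recurse` and the file extensions.

```python
# Added example (not part of the Sigma rule or SigmaHQ): a minimal evaluator
# that applies this rule's detection logic to constructed ScriptBlockText samples.

# Selections copied from the rule above. Sigma string matching is
# case-insensitive by default, and each list is an OR of alternatives.
SELECTIONS = {
    "selection_action": ["ls", "get-childitem", "gci"],
    "selection_recurse": ["-recurse"],
    "selection_file": [".pass", ".kdbx", ".kdb"],
}


def selection_hits(script_block_text: str) -> dict:
    """Return, per selection, the first alternative that matched (or None)."""
    haystack = script_block_text.lower()
    hits = {}
    for name, needles in SELECTIONS.items():
        hits[name] = next((n for n in needles if n.lower() in haystack), None)
    return hits


def matches_rule(script_block_text: str) -> bool:
    """condition: all of selection_* -- every selection must hit."""
    return all(v is not None for v in selection_hits(script_block_text).values())


# Constructed sample script blocks (Event ID 4104 ScriptBlockText values).
SAMPLES = [
    # The shape the rule targets: a recursive listing for KeePass databases.
    "Get-ChildItem -Path C:\\Users -Recurse -Include *.kdbx",
    # Benign recursive listing: no sensitive-file extension, so no alert.
    "gci C:\\Logs -Recurse -Filter *.log | Remove-Item",
    # Weak-term example: no ls/gci call at all, but 'Tools' contains 'ls' and
    # '.passwd' contains '.pass', so the rule still fires.
    "Copy-Item C:\\Tools\\app.passwd D:\\Backup -Recurse",
]


def evaluate(samples=SAMPLES):
    """Map each sample to (matched, per-selection hit detail)."""
    return [(matches_rule(s), selection_hits(s)) for s in samples]


if __name__ == "__main__":
    for text, (matched, hits) in zip(SAMPLES, evaluate()):
        print(f"{'ALERT' if matched else 'ok   '} {text}")
        print(f"      {hits}")
```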
Related rules
- Capabilities Discovery - Linux
- Cisco Discovery
- DirLister Execution
- File and Directory Discovery - MacOS
- PUA - Seatbelt Execution