Powershell Sensitive File Discovery

calendar Oct 17, 2023 · attack.discovery attack.t1083  ·
Share on: linkedin copy

Detect adversaries enumerate sensitive files

Sigma rule (View on GitHub)

 1title: Powershell Sensitive File Discovery
 2id: 7d416556-6502-45b2-9bad-9d2f05f38997
 3related:
 4    - id: d23f2ba5-9da0-4463-8908-8ee47f614bb9
 5      type: derived
 6status: test
 7description: Detect adversaries enumerate sensitive files
 8references:
 9    - https://twitter.com/malmoeb/status/1570814999370801158
10author: frack113
11date: 2022/09/16
12tags:
13    - attack.discovery
14    - attack.t1083
15logsource:
16    product: windows
17    category: ps_script
18    definition: 'Requirements: Script Block Logging must be enabled'
19detection:
20    selection_action:
21        ScriptBlockText|contains:
22            - ls
23            - get-childitem
24            - gci
25    selection_recurse:
26        ScriptBlockText|contains: '-recurse'
27    selection_file:
28        ScriptBlockText|contains:
29            - '.pass'
30            - '.kdbx'
31            - '.kdb'
32    condition: all of selection_*
33falsepositives:
34    - Unknown
35level: medium

References

  • Something went wrong, but don’t fret — let’s give it another shot.


    Read More

Related rules

to-top