Powershell Directory Enumeration
Detects technique used by MAZE ransomware to enumerate directories using Powershell
Sigma rule (View on GitHub)
1title: Powershell Directory Enumeration
2id: 162e69a7-7981-4344-84a9-0f1c9a217a52
3status: test
4description: Detects technique used by MAZE ransomware to enumerate directories using Powershell
5references:
6 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1083/T1083.md
7 - https://www.mandiant.com/resources/tactics-techniques-procedures-associated-with-maze-ransomware-incidents
8author: frack113
9date: 2022-03-17
10tags:
11 - attack.discovery
12 - attack.t1083
13logsource:
14 product: windows
15 category: ps_script
16 definition: 'Requirements: Script Block Logging must be enabled'
17detection:
18 selection:
19 ScriptBlockText|contains|all:
20 - foreach
21 - Get-ChildItem
22 - '-Path '
23 - '-ErrorAction '
24 - SilentlyContinue
25 - 'Out-File '
26 - '-append'
27 condition: selection
28falsepositives:
29 - Legitimate PowerShell scripts
30level: medium
References
Related rules
- Capabilities Discovery - Linux
- Cisco Discovery
- DirLister Execution
- File and Directory Discovery - MacOS
- PUA - Seatbelt Execution