Sigma rules for PowerSploit
3 rules · scoped to tool · back to PowerSploit
Direct rules mention this entity in their title or description. Related rules cover the techniques this entity is known to use.
title: Bad Opsec Powershell Code Artifacts
id: 8d31a8ce-46b5-4dd6-bdc3-680931f1db86
related:
- id: 73e733cc-1ace-3212-a107-ff2523cc9fc3
type: derived
status: test
description: |
focuses on trivial artifacts observed in variants of prevalent offensive ps1 payloads, including
Cobalt Strike Beacon, PoshC2, Powerview, Letmein, Empire, Powersploit, and other attack payloads
that often undergo minimal changes by attackers due to bad opsec.
references:
- https://newtonpaul.com/analysing-fileless-malware-cobalt-strike-beacon/
- https://labs.sentinelone.com/top-tier-russian-organized-cybercrime-group-unveils-fileless-stealthy-powertrick-backdoor-for-high-value-targets/
- https://www.mdeditor.tw/pl/pgRt
author: 'ok @securonix invrep_de, oscd.community'
date: 2020-10-09
modified: 2022-12-25
tags:
- attack.execution
- attack.t1059.001
logsource:
product: windows
category: ps_module
definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
detection:
selection_4103:
Payload|contains:
- '$DoIt'
- 'harmj0y'
- 'mattifestation'
- '_RastaMouse'
- 'tifkin_'
- '0xdeadbeef'
condition: selection_4103
falsepositives:
- 'Moderate-to-low; Despite the shorter length/lower entropy for some of these, because of high specificity, fp appears to be fairly limited in many environments.'
level: critical
title: PowerView PowerShell Cmdlets - ScriptBlock
id: dcd74b95-3f36-4ed9-9598-0490951643aa
related:
- id: b2317cfa-4a47-4ead-b3ff-297438c0bc2d
type: similar
status: test
description: Detects Cmdlet names from PowerView of the PowerSploit exploitation framework.
references:
- https://powersploit.readthedocs.io/en/stable/Recon/README
- https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon
- https://thedfirreport.com/2020/10/08/ryuks-return
- https://adsecurity.org/?p=2277
author: Bhabesh Raj
date: 2021-05-18
modified: 2023-11-22
tags:
- attack.execution
- attack.t1059.001
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains:
- 'Export-PowerViewCSV'
- 'Find-DomainLocalGroupMember'
- 'Find-DomainObjectPropertyOutlier'
- 'Find-DomainProcess'
- 'Find-DomainShare'
- 'Find-DomainUserEvent'
- 'Find-DomainUserLocation'
- 'Find-ForeignGroup'
- 'Find-ForeignUser'
- 'Find-GPOComputerAdmin'
- 'Find-GPOLocation'
- 'Find-InterestingDomain' # Covers: Find-InterestingDomainAcl, Find-InterestingDomainShareFile
- 'Find-InterestingFile'
- 'Find-LocalAdminAccess'
- 'Find-ManagedSecurityGroups'
- 'Get-CachedRDPConnection'
- 'Get-DFSshare'
- 'Get-DomainDFSShare'
- 'Get-DomainDNSRecord'
- 'Get-DomainDNSZone'
- 'Get-DomainFileServer'
- 'Get-DomainGPOComputerLocalGroupMapping'
- 'Get-DomainGPOLocalGroup'
- 'Get-DomainGPOUserLocalGroupMapping'
- 'Get-LastLoggedOn'
- 'Get-LoggedOnLocal'
- 'Get-NetFileServer'
- 'Get-NetForest' # Covers: Get-NetForestCatalog, Get-NetForestDomain, Get-NetForestTrust
- 'Get-NetGPOGroup'
- 'Get-NetProcess'
- 'Get-NetRDPSession'
- 'Get-RegistryMountedDrive'
- 'Get-RegLoggedOn'
- 'Get-WMIRegCachedRDPConnection'
- 'Get-WMIRegLastLoggedOn'
- 'Get-WMIRegMountedDrive'
- 'Get-WMIRegProxy'
- 'Invoke-ACLScanner'
- 'Invoke-CheckLocalAdminAccess'
- 'Invoke-EnumerateLocalAdmin'
- 'Invoke-EventHunter'
- 'Invoke-FileFinder'
- 'Invoke-Kerberoast'
- 'Invoke-MapDomainTrust'
- 'Invoke-ProcessHunter'
- 'Invoke-RevertToSelf'
- 'Invoke-ShareFinder'
- 'Invoke-UserHunter'
- 'Invoke-UserImpersonation'
- 'Remove-RemoteConnection'
- 'Request-SPNTicket'
- 'Resolve-IPAddress'
# - 'Get-ADObject' # prone to FPs
# - 'Get-Domain' # too many FPs # Covers Cmdlets like: DomainComputer, DomainController, DomainDFSShare, DomainDNSRecord, DomainGPO, etc.
# - 'Add-DomainGroupMember'
# - 'Add-DomainObjectAcl'
# - 'Add-ObjectAcl'
# - 'Add-RemoteConnection'
# - 'Convert-ADName'
# - 'Convert-NameToSid'
# - 'ConvertFrom-UACValue'
# - 'ConvertTo-SID'
# - 'Get-DNSRecord'
# - 'Get-DNSZone'
# - 'Get-DomainComputer'
# - 'Get-DomainController'
# - 'Get-DomainGroup'
# - 'Get-DomainGroupMember'
# - 'Get-DomainManagedSecurityGroup'
# - 'Get-DomainObject'
# - 'Get-DomainObjectAcl'
# - 'Get-DomainOU'
# - 'Get-DomainPolicy'
# - 'Get-DomainSID'
# - 'Get-DomainSite'
# - 'Get-DomainSPNTicket'
# - 'Get-DomainSubnet'
# - 'Get-DomainUser'
# - 'Get-DomainUserEvent'
# - 'Get-Forest' # Covers: Get-ForestDomain, Get-ForestGlobalCatalog, Get-ForestTrust
# - 'Get-IPAddress'
# - 'Get-NetComputer' # Covers: Get-NetComputerSiteName
# - 'Get-NetDomain' # Covers: Get-NetDomainController, Get-NetDomainTrust
# - 'Get-NetGroup' # Covers: Get-NetGroupMember
# - 'Get-NetLocalGroup' # Covers: NetLocalGroupMember
# - 'Get-NetLoggedon'
# - 'Get-NetOU'
# - 'Get-NetSession'
# - 'Get-NetShare'
# - 'Get-NetSite'
# - 'Get-NetSubnet'
# - 'Get-NetUser'
# - 'Get-ObjectAcl'
# - 'Get-PathAcl'
# - 'Get-Proxy'
# - 'Get-SiteName'
# - 'Get-UserEvent'
# - 'Get-WMIProcess'
# - 'New-DomainGroup'
# - 'New-DomainUser'
# - 'Set-ADObject'
# - 'Set-DomainObject'
# - 'Set-DomainUserPassword'
# - 'Test-AdminAccess'
condition: selection
falsepositives:
- Unknown
level: high
title: HackTool - Default PowerSploit/Empire Scheduled Task Creation
id: 56c217c3-2de2-479b-990f-5c109ba8458f
status: test
description: Detects the creation of a schtask via PowerSploit or Empire Default Configuration.
references:
- https://github.com/0xdeadbeefJERKY/PowerSploit/blob/8690399ef70d2cad10213575ac67e8fa90ddf7c3/Persistence/Persistence.psm1
- https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/powershell/persistence/userland/schtasks.py
author: Markus Neis, @Karneades
date: 2018-03-06
modified: 2023-03-03
tags:
- attack.execution
- attack.persistence
- attack.privilege-escalation
- attack.s0111
- attack.g0022
- attack.g0060
- car.2013-08-001
- attack.t1053.005
- attack.t1059.001
logsource:
product: windows
category: process_creation
detection:
selection:
ParentImage|endswith:
- '\powershell.exe'
- '\pwsh.exe'
Image|endswith: '\schtasks.exe'
CommandLine|contains|all:
- '/Create'
- 'powershell.exe -NonI'
- '/TN Updater /TR'
CommandLine|contains:
- '/SC ONLOGON'
- '/SC DAILY /ST'
- '/SC ONIDLE'
- '/SC HOURLY'
condition: selection
falsepositives:
- Unlikely
level: high