posh_ps_accessing_win_api.yml
title: Accessing WinAPI in PowerShell
id: 03d83090-8cba-44a0-b02f-0b756a050306
status: experimental
description: Detects the use of Windows API (WinAPI) functions from PowerShell script blocks, e.g. via P/Invoke, Add-Type or reflection, which is common in in-memory loaders, process injection and token manipulation
references:
- https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
author: Nikita Nazarov, oscd.community, Tim Shelton
date: 2020/10/06
modified: 2022/09/29
tags:
- attack.execution
- attack.t1059.001
- attack.t1106
logsource:
product: windows
category: ps_script
definition: Script block logging must be enabled
detection:
selection:
ScriptBlockText|contains:
- 'WaitForSingleObject'
- 'QueueUserApc'
- 'RtlCreateUserThread'
- 'OpenProcess'
- 'VirtualAlloc'
- 'VirtualFree'
- 'WriteProcessMemory'
- 'CreateUserThread'
- 'CloseHandle'
- 'GetDelegateForFunctionPointer'
- 'CreateThread'
- 'memcpy'
- 'LoadLibrary'
- 'GetModuleHandle'
- 'GetProcAddress'
- 'VirtualProtect'
- 'FreeLibrary'
- 'ReadProcessMemory'
- 'CreateRemoteThread'
- 'AdjustTokenPrivileges'
# - 'WriteByte' # FP with .NET System.IO.FileStream
- 'WriteInt32'
- 'OpenThreadToken'
# - 'PtrToString'
# - 'FreeHGlobal'
- 'ZeroFreeGlobalAllocUnicode'
- 'OpenProcessToken'
- 'GetTokenInformation'
- 'SetThreadToken'
- 'ImpersonateLoggedOnUser'
- 'RevertToSelf'
- 'GetLogonSessionData'
- 'CreateProcessWithToken'
- 'DuplicateTokenEx'
- 'OpenWindowStation'
- 'OpenDesktop'
- 'MiniDumpWriteDump'
- 'AddSecurityPackage'
- 'EnumerateSecurityPackages'
- 'GetProcessHandle'
- 'DangerousGetHandle'
- 'kernel32'
- 'Advapi32'
- 'msvcrt'
- 'ntdll'
# - 'user32' # FP with chocolatey
- 'secur32'
falsepositive1:
ScriptBlockText|startswith: '# Copyright 2016 Amazon.com, Inc. or its affiliates.' # AWS SDK scripts call CreateFile and CloseHandle; filtering on their copyright header suppresses those matches
condition: selection and not 1 of falsepositive*
falsepositives:
- Carbon PowerShell Module (https://github.com/webmd-health-services/Carbon)
level: high
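The rule's matching logic run over constructed script-block log records, as an added example that is not part of the rule, the oscd.community project or the Sigma tooling. It assumes Sigma's default case-insensitive `contains` and `startswith` semantics and the condition `selection and not 1 of falsepositive*`; the sample ScriptBlockText values, event names and helper functions are made up for illustration.

```python
"""
Evaluate the selection and false-positive filter of the Sigma rule
"Accessing WinAPI in PowerShell" against a few constructed ScriptBlockText
values (the field carried by PowerShell script block logging, EventID 4104).
Illustrative code only; it is not a Sigma backend and not the rule author's
tooling.
"""
import json
from typing import Dict, List

# Substrings listed under `selection` in the rule. The entries the rule keeps
# commented out (WriteByte, PtrToString, FreeHGlobal, user32) are omitted here
# for the same reason: they generate known false positives.
SELECTION_CONTAINS: List[str] = [
    "WaitForSingleObject", "QueueUserApc", "RtlCreateUserThread", "OpenProcess",
    "VirtualAlloc", "VirtualFree", "WriteProcessMemory", "CreateUserThread",
    "CloseHandle", "GetDelegateForFunctionPointer", "CreateThread", "memcpy",
    "LoadLibrary", "GetModuleHandle", "GetProcAddress", "VirtualProtect",
    "FreeLibrary", "ReadProcessMemory", "CreateRemoteThread",
    "AdjustTokenPrivileges", "WriteInt32", "OpenThreadToken",
    "ZeroFreeGlobalAllocUnicode", "OpenProcessToken", "GetTokenInformation",
    "SetThreadToken", "ImpersonateLoggedOnUser", "RevertToSelf",
    "GetLogonSessionData", "CreateProcessWithToken", "DuplicateTokenEx",
    "OpenWindowStation", "OpenDesktop", "MiniDumpWriteDump",
    "AddSecurityPackage", "EnumerateSecurityPackages", "GetProcessHandle",
    "DangerousGetHandle", "kernel32", "Advapi32", "msvcrt", "ntdll", "secur32",
]

# `falsepositive1`: ScriptBlockText|startswith
FALSEPOSITIVE_STARTSWITH: List[str] = [
    "# Copyright 2016 Amazon.com, Inc. or its affiliates.",
]


def evaluate(script_block_text: str) -> Dict[str, object]:
    """Apply `selection and not 1 of falsepositive*` to one ScriptBlockText.

    Sigma string modifiers are case-insensitive unless `|cased` is used, so
    both the record and the patterns are lower-cased before comparison.
    """
    text = script_block_text.lower()
    hits = [s for s in SELECTION_CONTAINS if s.lower() in text]
    filtered = any(text.startswith(p.lower()) for p in FALSEPOSITIVE_STARTSWITH)
    return {"alert": bool(hits) and not filtered, "hits": hits, "filtered": filtered}


# Constructed sample records (made-up test inputs, not real telemetry).
SAMPLE_EVENTS = [
    {   # Add-Type P/Invoke definition of the kind used by in-memory loaders
        "name": "pinvoke-loader",
        "ScriptBlockText": "\n".join([
            '$src = @"',
            "using System; using System.Runtime.InteropServices;",
            "public class K32 {",
            '  [DllImport("kernel32.dll")] public static extern IntPtr VirtualAlloc(IntPtr a, uint s, uint t, uint p);',
            '  [DllImport("kernel32.dll")] public static extern IntPtr CreateThread(IntPtr a, uint s, IntPtr f, IntPtr p, uint c, IntPtr i);',
            "}",
            '"@',
            "Add-Type -TypeDefinition $src",
        ]),
    },
    {   # Benign .NET file I/O; WriteByte is deliberately not in the rule
        "name": "filestream-benign",
        "ScriptBlockText": "\n".join([
            "$fs = [System.IO.File]::OpenWrite((Join-Path $env:TEMP 'out.bin'))",
            "$fs.WriteByte(0x41)",
            "$fs.Close()",
        ]),
    },
    {   # AWS-style script: would hit CloseHandle/kernel32 but is filtered by header
        "name": "aws-sdk-script",
        "ScriptBlockText": "\n".join([
            "# Copyright 2016 Amazon.com, Inc. or its affiliates. All Rights Reserved.",
            "$handle = [Kernel32]::CreateFile($path, $access, $share, 0, 3, 0, 0)",
            "[Kernel32]::CloseHandle($handle) | Out-Null",
        ]),
    },
    {   # Token manipulation with mixed casing; note OpenProcess also matches OpenProcessToken
        "name": "token-impersonation",
        "ScriptBlockText": "\n".join([
            "$tok = [IntPtr]::Zero",
            "[Advapi32]::OpenProcessToken($proc.Handle, 0x0008, [ref]$tok)",
            "[Advapi32]::impersonateloggedonuser($tok)",
        ]),
    },
]


def run(events=SAMPLE_EVENTS) -> Dict[str, Dict[str, object]]:
    """Evaluate every sample record and return results keyed by event name."""
    return {e["name"]: evaluate(e["ScriptBlockText"]) for e in events}


if __name__ == "__main__":
    for name, result in run().items():
        print(json.dumps({"event": name, **result}))
```

Two things the run makes visible that the YAML alone does not: `contains` is a plain substring test, so `OpenProcess` fires on `OpenProcessToken` and `kernel32` fires on any `[Kernel32]` wrapper class, which is why short DLL names and `CloseHandle` account for most of the rule's false positives; and the `falsepositive1` filter is a prefix match on the whole script block, so it only suppresses scripts that begin with that exact copyright line.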