/
posh_ps_susp_keywords.yml
39 lines (39 loc) · 1.64 KB
/
posh_ps_susp_keywords.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
title: Potential Suspicious PowerShell Keywords
id: 1f49f2ab-26bc-48b3-96cc-dcffbc93eadf
status: test
description: Detects potentially suspicious keywords that could indicate the use of a PowerShell exploitation framework
references:
- https://posts.specterops.io/entering-a-covenant-net-command-and-control-e11038bcf462
- https://github.com/PowerShellMafia/PowerSploit/blob/d943001a7defb5e0d1657085a77a0e78609be58f/CodeExecution/Invoke-ReflectivePEInjection.ps1
- https://github.com/hlldz/Phant0m/blob/30c2935d8cf4aafda17ee2fab7cd0c4aa9a607c2/old/Invoke-Phant0m.ps1
- https://gist.github.com/MHaggis/0dbe00ad401daa7137c81c99c268cfb7
author: Florian Roth (Nextron Systems), Perez Diego (@darkquassar), Tuan Le (NCSGroup)
date: 2019/02/11
modified: 2023/04/21
tags:
- attack.execution
- attack.t1059.001
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains:
- 'System.Reflection.Assembly.Load($'
- '[System.Reflection.Assembly]::Load($'
- '[Reflection.Assembly]::Load($'
- 'System.Reflection.AssemblyName'
- 'Reflection.Emit.AssemblyBuilderAccess'
- 'Reflection.Emit.CustomAttributeBuilder'
- 'Runtime.InteropServices.UnmanagedType'
- 'Runtime.InteropServices.DllImportAttribute'
- 'SuspendThread'
- 'rundll32'
# - 'FromBase64'
# - 'Invoke-WMIMethod' # Prone to FP
# - 'http://127.0.0.1' # Prone to FP
condition: selection
falsepositives:
- Unknown
level: medium