
Malicious PowerShell Keywords


Detects keywords from well-known PowerShell exploitation frameworks

  • QRadar AQL
SELECT UTF8(payload) AS search_payload
FROM events
WHERE LOGSOURCETYPENAME(devicetype) = 'Microsoft Windows Security Event Log'
  AND (
    search_payload ILIKE '%AdjustTokenPrivileges%'
    OR search_payload ILIKE '%IMAGE_NT_OPTIONAL_HDR64_MAGIC%'
    OR search_payload ILIKE '%Management.Automation.RuntimeException%'
    OR search_payload ILIKE '%Microsoft.Win32.UnsafeNativeMethods%'
    OR search_payload ILIKE '%ReadProcessMemory.Invoke%'
    OR search_payload ILIKE '%Runtime.InteropServices%'
    OR search_payload ILIKE '%SE_PRIVILEGE_ENABLED%'
    OR search_payload ILIKE '%System.Security.Cryptography%'
    OR search_payload ILIKE '%System.Runtime.InteropServices%'
    OR search_payload ILIKE '%LSA_UNICODE_STRING%'
    OR search_payload ILIKE '%MiniDumpWriteDump%'
    OR search_payload ILIKE '%PAGE_EXECUTE_READ%'
    OR search_payload ILIKE '%Net.Sockets.SocketFlags%'
    OR search_payload ILIKE '%Reflection.Assembly%'
    OR search_payload ILIKE '%SECURITY_DELEGATION%'
    OR search_payload ILIKE '%TOKEN_ADJUST_PRIVILEGES%'
    OR search_payload ILIKE '%TOKEN_ALL_ACCESS%'
    OR search_payload ILIKE '%TOKEN_ASSIGN_PRIMARY%'
    OR search_payload ILIKE '%TOKEN_DUPLICATE%'
    OR search_payload ILIKE '%TOKEN_ELEVATION%'
    OR search_payload ILIKE '%TOKEN_IMPERSONATE%'
    OR search_payload ILIKE '%TOKEN_INFORMATION_CLASS%'
    OR search_payload ILIKE '%TOKEN_PRIVILEGES%'
    OR search_payload ILIKE '%TOKEN_QUERY%'
    OR search_payload ILIKE '%Metasploit%'
    OR search_payload ILIKE '%Mimikatz%'
  )
  • Splunk
(source="WinEventLog:Microsoft-Windows-PowerShell/Operational" ("AdjustTokenPrivileges" OR "IMAGE_NT_OPTIONAL_HDR64_MAGIC" OR "Management.Automation.RuntimeException" OR "Microsoft.Win32.UnsafeNativeMethods" OR "ReadProcessMemory.Invoke" OR "Runtime.InteropServices" OR "SE_PRIVILEGE_ENABLED" OR "System.Security.Cryptography" OR "System.Runtime.InteropServices" OR "LSA_UNICODE_STRING" OR "MiniDumpWriteDump" OR "PAGE_EXECUTE_READ" OR "Net.Sockets.SocketFlags" OR "Reflection.Assembly" OR "SECURITY_DELEGATION" OR "TOKEN_ADJUST_PRIVILEGES" OR "TOKEN_ALL_ACCESS" OR "TOKEN_ASSIGN_PRIMARY" OR "TOKEN_DUPLICATE" OR "TOKEN_ELEVATION" OR "TOKEN_IMPERSONATE" OR "TOKEN_INFORMATION_CLASS" OR "TOKEN_PRIVILEGES" OR "TOKEN_QUERY" OR "Metasploit" OR "Mimikatz"))
  • Elastic Query
event.message:(*AdjustTokenPrivileges* OR *IMAGE_NT_OPTIONAL_HDR64_MAGIC* OR *Management.Automation.RuntimeException* OR *Microsoft.Win32.UnsafeNativeMethods* OR *ReadProcessMemory.Invoke* OR *Runtime.InteropServices* OR *SE_PRIVILEGE_ENABLED* OR *System.Security.Cryptography* OR *System.Runtime.InteropServices* OR *LSA_UNICODE_STRING* OR *MiniDumpWriteDump* OR *PAGE_EXECUTE_READ* OR *Net.Sockets.SocketFlags* OR *Reflection.Assembly* OR *SECURITY_DELEGATION* OR *TOKEN_ADJUST_PRIVILEGES* OR *TOKEN_ALL_ACCESS* OR *TOKEN_ASSIGN_PRIMARY* OR *TOKEN_DUPLICATE* OR *TOKEN_ELEVATION* OR *TOKEN_IMPERSONATE* OR *TOKEN_INFORMATION_CLASS* OR *TOKEN_PRIVILEGES* OR *TOKEN_QUERY* OR *Metasploit* OR *Mimikatz*)
  • Qualys
(AdjustTokenPrivileges or IMAGE_NT_OPTIONAL_HDR64_MAGIC or Management.Automation.RuntimeException or Microsoft.Win32.UnsafeNativeMethods or ReadProcessMemory.Invoke or Runtime.InteropServices or SE_PRIVILEGE_ENABLED or System.Security.Cryptography or System.Runtime.InteropServices or LSA_UNICODE_STRING or MiniDumpWriteDump or PAGE_EXECUTE_READ or Net.Sockets.SocketFlags or Reflection.Assembly or SECURITY_DELEGATION or TOKEN_ADJUST_PRIVILEGES or TOKEN_ALL_ACCESS or TOKEN_ASSIGN_PRIMARY or TOKEN_DUPLICATE or TOKEN_ELEVATION or TOKEN_IMPERSONATE or TOKEN_INFORMATION_CLASS or TOKEN_PRIVILEGES or TOKEN_QUERY or Metasploit or Mimikatz)
  • Windows PowerShell
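# Malicious PowerShell Keywords: scan the PowerShell/Operational channel for
# strings used by well-known PowerShell exploitation frameworks.
#
# The keyword list is the same one the other translations of this rule use.
# -match takes a regular expression, so every term is escaped before it is
# joined: the original passed the terms verbatim, where an unescaped '.'
# matches any character (e.g. "Reflection.Assembly" also matched
# "ReflectionXAssembly"). Escaping keeps the match literal, consistent with
# the substring/ILIKE matching of the other query variants.
$keywords = @(
    'AdjustTokenPrivileges',
    'IMAGE_NT_OPTIONAL_HDR64_MAGIC',
    'Management.Automation.RuntimeException',
    'Microsoft.Win32.UnsafeNativeMethods',
    'ReadProcessMemory.Invoke',
    'Runtime.InteropServices',
    'SE_PRIVILEGE_ENABLED',
    'System.Security.Cryptography',
    'System.Runtime.InteropServices',
    'LSA_UNICODE_STRING',
    'MiniDumpWriteDump',
    'PAGE_EXECUTE_READ',
    'Net.Sockets.SocketFlags',
    'Reflection.Assembly',
    'SECURITY_DELEGATION',
    'TOKEN_ADJUST_PRIVILEGES',
    'TOKEN_ALL_ACCESS',
    'TOKEN_ASSIGN_PRIMARY',
    'TOKEN_DUPLICATE',
    'TOKEN_ELEVATION',
    'TOKEN_IMPERSONATE',
    'TOKEN_INFORMATION_CLASS',
    'TOKEN_PRIVILEGES',
    'TOKEN_QUERY',
    'Metasploit',
    'Mimikatz'
)

# One alternation built once, instead of 26 separate -match evaluations per
# event. -match is case-insensitive by default, as in the original pipeline.
$pattern = ($keywords | ForEach-Object { [regex]::Escape($_) }) -join '|'

# No event ID filter: every record in the channel is inspected, as before.
Get-WinEvent -LogName Microsoft-Windows-PowerShell/Operational |
    Where-Object { $_.Message -match $pattern } |
    Select-Object TimeCreated, Id, RecordId, ProcessId, MachineName, Message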
  • RegEx
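^[\s\S]*(?:AdjustTokenPrivileges|IMAGE_NT_OPTIONAL_HDR64_MAGIC|Management\.Automation\.RuntimeException|Microsoft\.Win32\.UnsafeNativeMethods|ReadProcessMemory\.Invoke|Runtime\.InteropServices|SE_PRIVILEGE_ENABLED|System\.Security\.Cryptography|System\.Runtime\.InteropServices|LSA_UNICODE_STRING|MiniDumpWriteDump|PAGE_EXECUTE_READ|Net\.Sockets\.SocketFlags|Reflection\.Assembly|SECURITY_DELEGATION|TOKEN_ADJUST_PRIVILEGES|TOKEN_ALL_ACCESS|TOKEN_ASSIGN_PRIMARY|TOKEN_DUPLICATE|TOKEN_ELEVATION|TOKEN_IMPERSONATE|TOKEN_INFORMATION_CLASS|TOKEN_PRIVILEGES|TOKEN_QUERY|Metasploit|Mimikatz)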
