具有发现功能的PowerShell脚本
编辑具有发现功能的PowerShell脚本
编辑识别与发现活动相关的Cmdlet和方法的使用。攻击者可以使用这些方法执行各种与态势感知相关的活动,例如枚举用户、共享、会话、域信任、组等。
规则类型: 查询
规则索引:
- winlogbeat-*
- logs-windows.powershell*
严重性: 低
风险评分: 21
每隔: 60 分钟
搜索索引自: now-119m (日期数学格式,另见 额外回溯时间
)
每次执行的最大告警数: 100
参考: 无
标签:
- 域:端点
- 操作系统:Windows
- 用例:威胁检测
- 策略:收集
- 策略:发现
- 数据源:PowerShell 日志
- 规则类型:BBR
版本: 209
规则作者:
- Elastic
规则许可证: Elastic License v2
设置
编辑设置
必须启用PowerShell脚本块日志记录日志策略。使用高级审核配置实施日志策略的步骤
Computer Configuration > Administrative Templates > Windows PowerShell > Turn on PowerShell Script Block Logging (Enable)
通过注册表实施日志策略的步骤
reg add "hklm\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1
规则查询
编辑event.category:process and host.os.type:windows and powershell.file.script_block_text : ( ( "Get-ADDefaultDomainPasswordPolicy" or "Get-ADDomain" or "Get-ComputerInfo" or "Get-Disk" or "Get-DnsClientCache" or "Get-GPOReport" or "Get-HotFix" or "Get-LocalUser" or "Get-NetFirewallProfile" or "get-nettcpconnection" or "Get-NetAdapter" or "Get-PhysicalDisk" or "Get-Process" or "Get-PSDrive" or "Get-Service" or "Get-SmbShare" or "Get-WinEvent" ) or ( ("Get-WmiObject" or "gwmi" or "Get-CimInstance" or "gcim" or "Management.ManagementObjectSearcher" or "System.Management.ManagementClass" or "[WmiClass]" or "[WMI]") and ( "AntiVirusProduct" or "CIM_BIOSElement" or "CIM_ComputerSystem" or "CIM_Product" or "CIM_DiskDrive" or "CIM_LogicalDisk" or "CIM_NetworkAdapter" or "CIM_StorageVolume" or "CIM_OperatingSystem" or "CIM_Process" or "CIM_Service" or "MSFT_DNSClientCache" or "Win32_BIOS" or "Win32_ComputerSystem" or "Win32_ComputerSystemProduct" or "Win32_DiskDrive" or "win32_environment" or "Win32_Group" or "Win32_groupuser" or "Win32_IP4RouteTable" or "Win32_logicaldisk" or "Win32_MappedLogicalDisk" or "Win32_NetworkAdapterConfiguration" or "win32_ntdomain" or "Win32_OperatingSystem" or "Win32_PnPEntity" or "Win32_Process" or "Win32_Product" or "Win32_quickfixengineering" or "win32_service" or "Win32_Share" or "Win32_UserAccount" ) ) or ( ("ADSI" and "WinNT") or ("Get-ChildItem" and "sysmondrv.sys") or ("::GetIPGlobalProperties()" and "GetActiveTcpConnections()") or ("ServiceProcess.ServiceController" and "::GetServices") or ("Diagnostics.Process" and "::GetProcesses") or ("DirectoryServices.Protocols.GroupPolicy" and ".GetGPOReport()") or ("DirectoryServices.AccountManagement" and "PrincipalSearcher") or ("NetFwTypeLib.NetFwMgr" and "CurrentProfile") or ("NetworkInformation.NetworkInterface" and "GetAllNetworkInterfaces") or ("Automation.PSDriveInfo") or ("Microsoft.Win32.RegistryHive") ) or ( "Get-ItemProperty" and ( "\Control\SecurityProviders\WDigest" or "\microsoft\windows\currentversion\explorer\runmru" or "\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters" or "\Microsoft\Windows\CurrentVersion\Uninstall" or "\Microsoft\Windows\WindowsUpdate" or "Policies\Microsoft\Windows\Installer" or "Software\Microsoft\Windows\CurrentVersion\Policies" or ("\Services\SharedAccess\Parameters\FirewallPolicy" and "EnableFirewall") or ("Microsoft\Windows\CurrentVersion\Internet Settings" and "proxyEnable") ) ) or ( ("Directoryservices.Activedirectory" or "DirectoryServices.AccountManagement") and ( "Domain Admins" or "DomainControllers" or "FindAllGlobalCatalogs" or "GetAllTrustRelationships" or "GetCurrentDomain" or "GetCurrentForest" ) or "DirectoryServices.DirectorySearcher" and ( "samAccountType=805306368" or "samAccountType=805306369" or "objectCategory=group" or "objectCategory=groupPolicyContainer" or "objectCategory=site" or "objectCategory=subnet" or "objectClass=trustedDomain" ) ) or ( "Get-Process" and ( "mcshield" or "windefend" or "savservice" or "TMCCSF" or "symantec antivirus" or "CSFalcon" or "TmPfw" or "kvoop" ) ) ) and not powershell.file.script_block_text : ( ( "__cmdletization_BindCommonParameters" and "Microsoft.PowerShell.Core\Export-ModuleMember" and "Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter" ) or "CmdletsToExport=@(\"Add-Content\"," ) and not user.id : ("S-1-5-18" or "S-1-5-19" or "S-1-5-20")
框架: MITRE ATT&CKTM
-
策略
- 名称:发现
- ID:TA0007
- 参考网址:https://attack.mitre.org/tactics/TA0007/
-
技术
- 名称:帐户发现
- ID:T1087
- 参考网址:https://attack.mitre.org/techniques/T1087/
-
子技术
- 名称:本地帐户
- ID:T1087.001
- 参考网址:https://attack.mitre.org/techniques/T1087/001/
-
子技术
- 名称:域帐户
- ID:T1087.002
- 参考网址:https://attack.mitre.org/techniques/T1087/002/
-
技术
- 名称:域信任发现
- ID:T1482
- 参考网址:https://attack.mitre.org/techniques/T1482/
-
技术
- 名称:系统信息发现
- ID:T1082
- 参考网址:https://attack.mitre.org/techniques/T1082/
-
技术
- 名称:文件和目录发现
- ID:T1083
- 参考网址:https://attack.mitre.org/techniques/T1083/
-
技术
- 名称:组策略发现
- ID:T1615
- 参考网址:https://attack.mitre.org/techniques/T1615/
-
技术
- 名称:网络共享发现
- ID:T1135
- 参考网址:https://attack.mitre.org/techniques/T1135/
-
技术
- 名称:密码策略发现
- ID:T1201
- 参考网址:https://attack.mitre.org/techniques/T1201/
-
技术
- 名称:进程发现
- ID:T1057
- 参考网址:https://attack.mitre.org/techniques/T1057/
-
技术
- 名称:软件发现
- ID:T1518
- 参考网址:https://attack.mitre.org/techniques/T1518/
-
子技术
- 名称:安全软件发现
- ID:T1518.001
- 参考网址:https://attack.mitre.org/techniques/T1518/001/
-
技术
- 名称:查询注册表
- ID:T1012
- 参考网址:https://attack.mitre.org/techniques/T1012/
-
技术
- 名称:系统信息发现
- ID:T1082
- 参考网址:https://attack.mitre.org/techniques/T1082/
-
技术
- 名称:系统网络连接发现
- ID:T1049
- 参考网址:https://attack.mitre.org/techniques/T1049/
-
技术
- 名称:系统服务发现
- ID:T1007
- 参考网址:https://attack.mitre.org/techniques/T1007/
-
策略
- 名称:执行
- ID:TA0002
- 参考网址:https://attack.mitre.org/tactics/TA0002/
-
技术
- 名称:命令和脚本解释器
- ID:T1059
- 参考网址:https://attack.mitre.org/techniques/T1059/
-
子技术
- 名称:PowerShell
- ID:T1059.001
- 参考网址:https://attack.mitre.org/techniques/T1059/001/