The most difficult challenge with RMM detection is contextual awareness around usage to determine if it is valid or malicious.
| /* | |
| WARNING: | |
| the newest version of this rule is now hosted here: | |
| https://github.com/Neo23x0/god-mode-rules/blob/master/godmode.yar | |
| */ | |
| /* | |
| _____ __ __ ___ __ |
| function New-ModuleOverview { | |
| <# | |
| .SYNOPSIS | |
| Generates a Markdown file with a short description of each public command in a module. | |
| .DESCRIPTION | |
| Finds all the public commands in a specified module and produces a simple Markdown file detailing the description or synopsis (user choice) for each. | |
| .PARAMETER ModuleName | |
| Name of the module to generate an overview for. If the module isn't already loaded then it will be loaded. |
| ## Uploaded by @JohnLaTwC | |
| ## Sample hash: fd334bb96b496592db6c9771f305a2ddca6610a59c6d45f5bbbb2b38859b4f36 | |
| On Error Resume Next | |
| Dim objShell : Set objShell = CreateObject("WScript.Shell") | |
| If LCase(Right(WScript.FullName, 11)) = "wscript.exe" Then | |
| For Each vArg In WScript.Arguments | |
| sArgs = sArgs & " """ & vArg & """" | |
| Next | |
| objShell.Run("cmd.exe /k cscript.exe //nologo " & Chr(34) & WScript.ScriptFullName & Chr(34) & sArgs & " && exit") |
| # Script author: Matt Graeber (@mattifestation) | |
| # logman start AMSITrace -p Microsoft-Antimalware-Scan-Interface Event1 -o AMSITrace.etl -ets | |
| # Do your malicious things here that would be logged by AMSI | |
| # logman stop AMSITrace -ets | |
| $OSArchProperty = Get-CimInstance -ClassName Win32_OperatingSystem -Property OSArchitecture | |
| $OSArch = $OSArchProperty.OSArchitecture | |
| $OSPointerSize = 32 | |
| if ($OSArch -eq '64-bit') { $OSPointerSize = 64 } |
| StorageUsage.dll,GetStorageUsageInfo | |
| acmigration.dll,ApplyMigrationShims | |
| acproxy.DLL,PerformAutochkOperations | |
| ppioobe.dll,setupcalendaraccountforuser | |
| edgehtml.dll,#125 | |
| edgehtml.dll,#133 | |
| davclnt.dll,davsetcookie | |
| appxdeploymentextensions.onecore.dll,shellrefresh | |
| pla.dll,plahost | |
| aeinv.dll,updatesoftwareinventory |
| Term | Description | Link(s) |
|---|---|---|
| Alias | Another email address that people can use to email | |
| App Password | An app password is a password that is created within the Azure portal and that allows the user to bypass MFA and continue to use their application. | |
| Alternate email address | Required for admins to receive important notifications, or resetting the admin password which cannot be modified by the end users | |
| AuditAdmin | ||
| AuditDelegate | ||
| Delegate | An account with assigned permissions to a mailbox. | |
| Display Name | Name that appears in the Address Book & on the TO and From lines on an email. | |
| EAC | "Exchange Admin Center" |
| [POWERSHELL-DOWNLOAD-HUNT] | |
| dispatch.earliest_time = -24h@h | |
| dispatch.latest_time = now | |
| dispatchAs = user | |
| display.general.type = statistics | |
| display.page.search.mode = verbose | |
| display.page.search.tab = statistics | |
| display.visualizations.charting.chart = bar | |
| display.visualizations.show = 0 | |
| search = FileName=powershell.exe (CommandLine=*DownloadFile* OR CommandLine=*invoke-webrequest*) | stats values(CommandLine) as "commands" by ComputerName |
| :: | |
| ::####################################################################### | |
| :: | |
| :: Change file associations to protect against common ransomware attacks | |
| :: Note that if you legitimately use these extensions, like .bat, you will now need to execute them manually from cmd or powershell | |
| :: Alternatively, you can right-click on them and hit 'Run as Administrator' but ensure it's a script you want to run :) | |
| :: --------------------- | |
| ftype htafile="%SystemRoot%\system32\NOTEPAD.EXE" "%1" | |
| ftype WSHFile="%SystemRoot%\system32\NOTEPAD.EXE" "%1" | |
| ftype batfile="%SystemRoot%\system32\NOTEPAD.EXE" "%1" |
