Last active April 25, 2022 13:54
Gist: svch0stz/5ff8dd3957ea23e90f53f1698f239ca6
Detection Rules for Velociraptor EvtxHunter
eventlog | id | name | eventid | rule | ignore
---|---|---|---|---|---
powershell | win_powershell_web | T1059.001-PowerShell Web Request | ^(4104)$ | Invoke-WebRequest\|iwr \|wget \|curl \|Net.WebClient\|Start-BitsTransfer | Get-SystemDriveInfo
powershell | win_powershell_suspicious_keywords | T1059.001-Suspicious Powershell Commandlets | ^(200\|400\|800\|4100\|4103\|4104)$ | Invoke-Expression\|IEX \|-W Hidden\|-WindowStyle Hidden\|-nop \|-noprofile\|Set-StrictMode\|RunAs32\|rundll32\|127\.0\.0\.1\|System\.Reflection\.AssemblyName\|System\.Reflection\.Emit\.AssemblyBuilderAccess\|System\.Runtime\.InteropServices\.MarshalAsAttribute\|memorystream\|SuspendThread\|GzipStream | chocolatey
powershell | win_powershell_base64 | T1059.001-Use of Base64 Commands | ^(200\|400\|800\|4100\|4103\|4104)$ | FromBase64String\|EncodedCommand\|-En \|-Enc  |
powershell | win_powershell_mimikatz | T1059.001-Mimikatz Execution via PowerShell | ^(200\|400\|800\|4100\|4103\|4104)$ | TOKEN_PRIVILE\|SE_PRIVILEGE_ENABLED\|mimikatz\|lsass\.dmp |
powershell | win_powershell_memoryloader | T1059.001-Loading Powershell in Memory | ^(200\|400\|800\|4100\|4103\|4104)$ | System\.Reflection\.AssemblyName\|System\.Reflection\.Emit\.AssemblyBuilderAccess\|System\.Runtime\.InteropServices\.MarshalAsAttribute\|memorystream |
powershell | win_powershell_cobaltstrike_loader | T1059.001-Cobalt Strike Powershell Loader | ^(200\|400\|800\|4100\|4103\|4104)$ | \$Doit\|-bxor 35 |
powershell | win_powershell_malicious_cmdlets | T1059.001-Malicious Powershell Commandlets | ^(200\|400\|800\|4100\|4103\|4104)$ | Invoke-DllInjection\|Invoke-Shellcode\|Invoke-WmiCommand\|Get-GPPPassword\|Get-Keystrokes\|Get-TimedScreenshot\|Get-VaultCredential\|Invoke-CredentialInjection\|Invoke-Mimikatz\|Invoke-NinjaCopy\|Invoke-TokenManipulation\|Out-Minidump\|VolumeShadowCopyTools\|Invoke-ReflectivePEInjection\|Invoke-UserHunter\|Invoke-ACLScanner\|Invoke-DowngradeAccount\|Get-ServiceUnquoted\|Get-ServiceFilePermission\|Get-ServicePermission\|Invoke-ServiceAbuse\|Install-ServiceBinary\|Get-RegAutoLogon\|Get-VulnAutoRun\|Get-VulnSchTask\|Get-UnattendedInstallFile\|Get-ApplicationHost\|Get-RegAlwaysInstallElevated\|Get-Unconstrained\|Add-RegBackdoor\|Add-ScrnSaveBackdoor\|Gupt-Backdoor\|Invoke-ADSBackdoor\|Enabled-DuplicateToken\|Invoke-PsUaCme\|Remove-Update\|Check-VM\|Get-LSASecret\|Get-PassHashes\|Show-TargetScreen\|Port-Scan\|Invoke-PoshRatHttp\|Invoke-PowerShellTCP\|Invoke-PowerShellWMI\|Add-Exfiltration\|Add-Persistence\|Do-Exfiltration\|Start-CaptureServer\|Get-ChromeDump\|Get-ClipboardContents\|Get-FoxDump\|Get-IndexedItem\|Get-Screenshot\|Invoke-Inveigh\|Invoke-NetRipper\|Invoke-EgressCheck\|Invoke-PostExfil\|Invoke-PSInject\|Invoke-RunAs\|MailRaider\|New-HoneyHash\|Set-MacAttribute\|Invoke-DCSync\|Invoke-PowerDump\|Exploit-Jboss\|Invoke-ThunderStruck\|Invoke-VoiceTroll\|Set-Wallpaper\|Invoke-InveighRelay\|Invoke-PsExec\|Invoke-SSHCommand\|Get-SecurityPackages\|Install-SSP\|Invoke-BackdoorLNK\|PowerBreach\|Get-SiteListPassword\|Get-System\|Invoke-BypassUAC\|Invoke-Tater\|Invoke-WScriptBypassUAC\|PowerUp\|PowerView\|Get-RickAstley\|Find-Fruit\|HTTP-Login\|Find-TrustedDocuments\|Invoke-Paranoia\|Invoke-WinEnum\|Invoke-ARPScan\|Invoke-PortScan\|Invoke-ReverseDNSLookup\|Invoke-SMBScanner\|Invoke-Mimikittenz\|Invoke-AllChecks\|Start-Dnscat\|Invoke-PrintNightmare\|Kerberoast\|Bloodhound\|Sharphound | Get-SystemDriveInfo
powershell | win_powershell_tamper_with_windows_defender | T1562.001-Win Defender Disable using Powershell | ^(200\|400\|800\|4100\|4103\|4104)$ | DisableRealtimeMonitoring\|DisableBehaviorMonitoring\|DisableScriptScanning\|DisableBlockAtFirstSeen\|MpPreference -ExclusionPath |
security | win_domain_trust_discovery_execution | T1482-Execution of Domain Trust Discovery Tools | ^(4688\|4648)$ | adfind\|dsquery\|nltest |
security | win_exfiltration_programs | T1567.002-Execution of Exfiltration Programs | ^(4688)$ | meg\.exe\|rclone\|rsync\|megacmd\|megasync |
security | win_syswow64_binaries | T1567.002-Use of 32-bit LOLBINs | ^(4688)$ | syswow64 |
system | win_eventlog_clear | T1070.001-Windows Log Cleared | ^(1102)$ | . |
system | win_sus_service | T1543.003-Suspicious Windows Service Creation | ^(7045)$ | COMSPEC\|powershell\|ADMIN\\$\|cmd\.exe |
defender | win_disable_defender | T1562.001-Win Defender Disabled | ^(5001\|5010\|5012)$ | . |
bits | win_sus_bitsjobs | T1197-Suspicious BitsTransfer Activity | ^(59\|60\|61)$ | \.(ps1\|exe\|rar\|dll\|7z\|zip\|bat\|xyz\|tk) |
security | win_vssadmin_execution | T1490-Delete Volume Shadow Copies | ^(4688)$ | vssadmin\|bcdedit |
security | win_ntdsutil_execution | T1003.003-Dumping of NTDS Database | ^(4688)$ | ntdsutil |
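As an added, illustrative example (not part of the gist and not Velociraptor's own EvtxHunter code), the Python below parses three rows from this table in the gist's comma-separated layout, lints every pattern so a broken regex is caught before a hunt is launched, and runs the rules over constructed sample events. It assumes a simplified version of the matching semantics: `eventid` is a regex tested against the numeric event ID, `rule` is a case-insensitive regex over the event's text, a match of `ignore` suppresses the hit, and the `eventlog` key is compared directly with a per-event channel label. The events and their message text are constructed for the example, not real log data.

```python
import csv
import io
import re

# Three rows from the table above, in the gist's CSV layout (header first).
# Raw string so the backslashes in the regexes stay exactly as written.
RULES_CSV = r"""eventlog,id,name,eventid,rule,ignore
powershell,win_powershell_web,T1059.001-PowerShell Web Request,^(4104)$,Invoke-WebRequest|iwr |wget |curl |Net.WebClient|Start-BitsTransfer,Get-SystemDriveInfo
system,win_sus_service,T1543.003-Suspicious Windows Service Creation,^(7045)$,COMSPEC|powershell|ADMIN\\$|cmd\.exe,
system,win_eventlog_clear,T1070.001-Windows Log Cleared,^(1102)$,.,
"""

# Constructed sample events (assumed shape: channel key, event ID, message text).
EVENTS = [
    {"channel": "powershell", "eventid": 4104,
     "text": "Invoke-WebRequest -Uri http://example.invalid/a.ps1 -OutFile a.ps1"},
    {"channel": "powershell", "eventid": 4104,   # suppressed by the ignore column
     "text": "function Get-SystemDriveInfo { Invoke-WebRequest -Uri http://example.invalid/disk }"},
    {"channel": "powershell", "eventid": 4103,   # wrong event ID for this rule
     "text": "Invoke-WebRequest -Uri http://example.invalid/a.ps1"},
    {"channel": "system", "eventid": 7045,
     "text": "Service Name: updater; Service File Name: %COMSPEC% /c start /b updater.bat"},
    {"channel": "system", "eventid": 1102, "text": "The audit log was cleared."},
    {"channel": "system", "eventid": 7045,       # benign service, matches nothing
     "text": "Service Name: Spooler; Service File Name: C:\\Windows\\System32\\spoolsv.exe"},
]


def lint_rules(text):
    """Return (id, column, error) for every pattern in the CSV that fails to compile."""
    problems = []
    for row in csv.DictReader(io.StringIO(text)):
        for column in ("eventid", "rule", "ignore"):
            pattern = row[column]
            if column == "ignore" and not pattern:
                continue                      # an empty ignore column means "suppress nothing"
            try:
                re.compile(pattern)
            except re.error as exc:
                problems.append((row["id"], column, str(exc)))
    return problems


def load_rules(text):
    """Parse the CSV and compile each rule's regexes once (assumed: rule/ignore are case-insensitive)."""
    rules = []
    for row in csv.DictReader(io.StringIO(text)):
        rules.append({
            "eventlog": row["eventlog"],
            "id": row["id"],
            "name": row["name"],
            "eventid": re.compile(row["eventid"]),
            "rule": re.compile(row["rule"], re.IGNORECASE),
            "ignore": re.compile(row["ignore"], re.IGNORECASE) if row["ignore"] else None,
        })
    return rules


def hunt(rules, events):
    """Return (rule id, event index) for every event a rule fires on and no ignore suppresses."""
    hits = []
    for idx, ev in enumerate(events):
        for r in rules:
            if r["eventlog"] != ev["channel"]:
                continue
            if not r["eventid"].search(str(ev["eventid"])):
                continue
            if not r["rule"].search(ev["text"]):
                continue
            if r["ignore"] and r["ignore"].search(ev["text"]):
                continue
            hits.append((r["id"], idx))
    return hits


if __name__ == "__main__":
    for problem in lint_rules(RULES_CSV):
        print("bad pattern:", problem)
    for rule_id, idx in hunt(load_rules(RULES_CSV), EVENTS):
        print(f"{rule_id}: event {idx} ({EVENTS[idx]['text'][:60]})")
```

Note that `^(1102)$` with a rule of `.` turns the row into a pure event-ID match, which is why the log-cleared event fires on any message text, while the ignore column lets a rule author carve out one known-good script (here `Get-SystemDriveInfo`) without loosening the detection regex itself.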