LoFP / administrator script

Sample rules

Suspicious Get Information for SMB Share - PowerShell Module

Description

Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement. Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network.

Detection logic

condition: selection
selection:
- Payload|contains: get-smbshare
- ContextInfo|contains: get-smbshare

Suspicious Get Local Groups Information

Description

Adversaries may attempt to find local system groups and permission settings. The knowledge of local system permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as the users found within the local administrators group.

Detection logic

condition: 1 of test_*
test_3:
- Payload|contains:
  - get-localgroup
  - Get-LocalGroupMember
- ContextInfo|contains:
  - get-localgroup
  - Get-LocalGroupMember
test_6:
- Payload|contains|all:
  - Get-WMIObject
  - Win32_Group
- ContextInfo|contains|all:
  - Get-WMIObject
  - Win32_Group

AD Groups Or Users Enumeration Using PowerShell - PoshModule

Description

Adversaries may attempt to find domain-level groups and permission settings. The knowledge of domain-level permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as domain administrators.

Detection logic

condition: 1 of selection_*
selection_ad_principal:
- Payload|contains: get-ADPrincipalGroupMembership
- ContextInfo|contains: get-ADPrincipalGroupMembership
selection_get_aduser:
- Payload|contains|all:
  - get-aduser
  - '-f '
  - '-pr '
  - DoesNotRequirePreAuth
- ContextInfo|contains|all:
  - get-aduser
  - '-f '
  - '-pr '
  - DoesNotRequirePreAuth

Change PowerShell Policies to an Insecure Level - PowerShell

Description

Detects changing the PowerShell script execution policy to a potentially insecure level using the “Set-ExecutionPolicy” cmdlet.

Detection logic

condition: all of selection_* and not 1 of filter_optional_*
filter_optional_chocolatey:
  ScriptBlockText|contains:
  - (New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1')
  - (New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1')
selection_cmdlet:
  ScriptBlockText|contains: Set-ExecutionPolicy
selection_option:
  ScriptBlockText|contains:
  - Unrestricted
  - bypass
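As an added example that is not part of the LoFP page or the Sigma project's own code, the Python below evaluates the "Change PowerShell Policies to an Insecure Level" logic above over constructed script-block events, showing that a policy change paired with the Chocolatey install one-liner is dropped by the optional filter while a bare policy change still alerts. Sigma string matching is case-insensitive, so every comparison is lower-cased.

```python
# Added example (not from the LoFP page or the Sigma project): a minimal evaluator
# for the rule "condition: all of selection_* and not 1 of filter_optional_*".

# The two DownloadString snippets from filter_optional_chocolatey.
CHOCO_URLS = (
    "(New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1')",
    "(New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1')",
)

def contains_any(text, needles):
    """Sigma 'field|contains' with a list of values: true if any value is a substring."""
    t = text.lower()
    return any(n.lower() in t for n in needles)

def insecure_execution_policy(event):
    """Returns True when the event would trigger the rule."""
    sbt = event.get("ScriptBlockText", "")
    selection_cmdlet = contains_any(sbt, ["Set-ExecutionPolicy"])
    selection_option = contains_any(sbt, ["Unrestricted", "bypass"])
    filter_optional_chocolatey = contains_any(sbt, CHOCO_URLS)
    # all of selection_* and not 1 of filter_optional_*
    return selection_cmdlet and selection_option and not filter_optional_chocolatey

# Constructed sample events (not real telemetry); ScriptBlockText mirrors Event ID 4104.
SAMPLE_EVENTS = [
    {"id": 1, "ScriptBlockText": "Set-ExecutionPolicy Unrestricted -Scope CurrentUser"},
    {"id": 2, "ScriptBlockText": "set-executionpolicy -ExecutionPolicy BYPASS -Force"},
    {"id": 3, "ScriptBlockText": "Set-ExecutionPolicy Bypass -Scope Process -Force; iex "
              "((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))"},
    {"id": 4, "ScriptBlockText": "Set-ExecutionPolicy RemoteSigned -Scope LocalMachine"},
    {"id": 5, "ScriptBlockText": "Get-ExecutionPolicy -List"},
]

def matching_ids(events=SAMPLE_EVENTS):
    """IDs of the events the rule fires on; event 3 is suppressed by the Chocolatey filter."""
    return [e["id"] for e in events if insecure_execution_policy(e)]

if __name__ == "__main__":
    print(matching_ids())  # [1, 2]
```

Event 4 shows why the rule lists only Unrestricted and bypass: RemoteSigned is a policy change too, but not one the rule treats as insecure.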