Nterl0k - T1059 - Generic Malicious Powershell Strings + Lookup#3276
Merged
patel-bhavin merged 26 commits intosplunk:developfrom Feb 18, 2025
Merged
Conversation
nasbench
requested changes
Jan 31, 2025
add case_sesnsitive tag Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com>
Updating to new lookup yml to pass ... I hope, shooting in the dark here
…ous_powershell_strings.csv
updating to new yml to pass testing
update search yaml for better readability / remove single quote in SPL issues
patel-bhavin
requested review from
MHaggis
and removed request for
ljstella and
patel-bhavin
|
Hi @nterl0k very interested to chat about this PR. We are working on something very similar right now at Splunk. Any chance we can setup a time to chat? jyoung@splunk.com |
patel-bhavin
approved these changes
Feb 18, 2025
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Details
I know I know, it's 2025 why am I committing a PowerShell detections. I took the commands/commandlets for a few various / popular offensive powershell toolkits, unique indicators, or known abused functions and dropped them into a lookup that can be maintained / improved so reduce the number of correlations needed for coverage.
I've attached the detections to some existing PowerView detection logging, but it works against multiple things.
The detections will return the first match value, with a brief summary of the match value and toolkit it may be related to.
Fair warning the lookup CSV will trigger AV on Windows.
Checklist
<platform>_<mitre att&ck technique>_<short description>nomenclatureNotes For Submitters and Reviewers
buildCI job when it fails will likely show an error about what is failing. You may have a very descriptive error of the specific field(s) in the specific file(s) that is causing an issue. In some cases, its also possible there is an issue with the YAML. Many of these can be caught with the pre-commit hooks if you set them up. These errors will be less descriptive as to what exactly is wrong, but will give you a column and row position in a specific file where the YAML processing breaks. If you're having trouble with this, feel free to add a comment to your PR tagging one of the maintainers and we'll be happy to help troubleshoot it.