Detectioncriticaltest
Bad Opsec Powershell Code Artifacts
focuses on trivial artifacts observed in variants of prevalent offensive ps1 payloads, including Cobalt Strike Beacon, PoshC2, Powerview, Letmein, Empire, Powersploit, and other attack payloads that often undergo minimal changes by attackers due to bad opsec.
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Launch
ok invrep_de, oscd.communityCreated Fri Oct 09Updated Sun Dec 258d31a8ce-46b5-4dd6-bdc3-680931f1db86windows
Log Source
WindowsPowerShell Module
ProductWindows← raw: windows
CategoryPowerShell Module← raw: ps_module
Definition
0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
Detection Logic
Detection Logic1 selector
detection:
selection_4103:
Payload|contains:
- '$DoIt'
- 'harmj0y'
- 'mattifestation'
- '_RastaMouse'
- 'tifkin_'
- '0xdeadbeef'
condition: selection_4103False Positives
Moderate-to-low; Despite the shorter length/lower entropy for some of these, because of high specificity, fp appears to be fairly limited in many environments.
MITRE ATT&CK
Tactics
Sub-techniques
Related Rules
Derived
Rule not found73e733cc-1ace-3212-a107-ff2523cc9fc3
Rule Metadata
Rule ID
8d31a8ce-46b5-4dd6-bdc3-680931f1db86
Status
test
Level
critical
Type
Detection
Created
Fri Oct 09
Modified
Sun Dec 25
Author
Path
rules/windows/powershell/powershell_module/posh_pm_bad_opsec_artifacts.yml
Raw Tags
attack.executionattack.t1059.001