
Commit efda3a0

Update Sentinel exclusions to cover escaping
1 parent e722762 commit efda3a0

1 file changed

+5
-5
lines changed

csv/Eventlogs.csv

Lines changed: 5 additions & 5 deletions
@@ -11,19 +11,19 @@ security,win_vssadmin_execution,T1490-Delete Volume Shadow Copies,^(4688)$,vssad
1111
security,win_ntdsutil_execution,T1003.003-Dumping of NTDS Database,^(4688)$,ntdsutil|NtdsAudit,
1212
VHDMP,virtual_disk_mounted,T1553.005-Subvert Trust Controls: Mark-of-the-Web Bypass,^(1|2|12|22|23)$,C:\\Users\\.+,
1313
powershell,win_powershell_web,T1059.001-PowerShell Web Request,^(4104)$,Invoke-WebRequest|iwr |wget |curl |Net.WebClient|Start-BitsTransfer,Get-SystemDriveInfo|Function Get-Software|Windows Defender Advanced Threat Protection
14-
powershell,win_powershell_suspicious_keywords,T1059.001-Suspicious Powershell Commandlets,^(200|400|800|4100|4103|4104)$,Invoke-Expression|-noP -sta -w 1 -enc |IEX |-W Hidden|-WindowStyle Hidden|-nop |127\.0\.0\.1|System\.Reflection\.AssemblyName|System\.Reflection\.Emit\.AssemblyBuilderAccess|System\.Runtime\.InteropServices\.MarshalAsAttribute|memorystream|SuspendThread|GzipStream,windows//sentinel//|DisableUnusedSmb1.ps1|chocolatey|Windows Defender Advanced Threat Protection|Microsoft Intune Management Extension|AppData\\Local\\Temp\\SDIAG_|Posh-SSH\.(ps1|psm1)
14+
powershell,win_powershell_suspicious_keywords,T1059.001-Suspicious Powershell Commandlets,^(200|400|800|4100|4103|4104)$,Invoke-Expression|-noP -sta -w 1 -enc |IEX |-W Hidden|-WindowStyle Hidden|-nop |127\.0\.0\.1|System\.Reflection\.AssemblyName|System\.Reflection\.Emit\.AssemblyBuilderAccess|System\.Runtime\.InteropServices\.MarshalAsAttribute|memorystream|SuspendThread|GzipStream,\\\\windows\\\\sentinel\\\\|DisableUnusedSmb1.ps1|chocolatey|Windows Defender Advanced Threat Protection|Microsoft Intune Management Extension|AppData\\Local\\Temp\\SDIAG_|Posh-SSH\.(ps1|psm1)
1515
powershell,win_powershell_base64,T1059.001-Use of Base64 Commands,^(200|400|800|4100|4103|4104)$,FromBase64String|EncodedCommand|-En |-Enc,struct LSA_ENUMERATION_INFORMATION|Windows Defender Advanced Threat Protection|AppData\\Local\\Temp\\SDIAG_|-Encoding UTF8
16-
powershell,win_powershell_mimikatz,T1059.001-Mimikatz Execution via PowerShell,^(200|400|800|4100|4103|4104)$,TOKEN_PRIVILE|SE_PRIVILEGE_ENABLED|mimikatz|lsass\.dmp|-dumpcr|SEKURLSA::Pth|kerberos::ptt|kerberos::golden,windows//sentinel//|CIS_1.10.1_L1_Monitor.ps1|namespace PS_LSA|Windows Defender Advanced Threat Protection|AppData\\Local\\Temp\\SDIAG_
16+
powershell,win_powershell_mimikatz,T1059.001-Mimikatz Execution via PowerShell,^(200|400|800|4100|4103|4104)$,TOKEN_PRIVILE|SE_PRIVILEGE_ENABLED|mimikatz|lsass\.dmp|-dumpcr|SEKURLSA::Pth|kerberos::ptt|kerberos::golden,\\\\windows\\\\sentinel\\\\|CIS_1.10.1_L1_Monitor.ps1|namespace PS_LSA|Windows Defender Advanced Threat Protection|AppData\\Local\\Temp\\SDIAG_
1717
powershell,win_powershell_memoryloader,T1059.001-Loading Powershell in Memory,^(200|400|800|4100|4103|4104)$,System\.Reflection\.AssemblyName|System\.Reflection\.Emit\.AssemblyBuilderAccess|System\.Runtime\.InteropServices\.MarshalAsAttribute|memorystream,AppData\\Local\\Temp\\SDIAG_|Defender Advanced Threat Protection
1818
powershell,win_powershell_cobaltstrike_loader,T1059.001-Cobalt Strike Powershell Loader,^(200|400|800|4100|4103|4104)$,\$Doit|-bxor 35,
19-
powershell,win_powershell_malicious_cmdlets,T1059.001-Malicious Powershell Commandlets,^(200|400|800|4100|4103|4104)$,Invoke-DllInjection|Invoke-Shellcode|Invoke-WmiCommand|Get-GPPPassword|Get-Keystrokes|Get-TimedScreenshot|Get-VaultCredential|Invoke-CredentialInjection|Invoke-Mimikatz|Invoke-NinjaCopy|Invoke-TokenManipulation|Out-Minidump|VolumeShadowCopyTools|Invoke-ReflectivePEInjection|Invoke-UserHunter|Invoke-ACLScanner|Invoke-DowngradeAccount|Get-ServiceUnquoted|Get-ServiceFilePermission|Get-ServicePermission|Invoke-ServiceAbuse|Install-ServiceBinary|Get-RegAutoLogon|Get-VulnAutoRun|Get-VulnSchTask|Get-UnattendedInstallFile|Get-ApplicationHost|Get-RegAlwaysInstallElevated|Get-Unconstrained|Add-RegBackdoor|Add-ScrnSaveBackdoor|Gupt-Backdoor|Invoke-ADSBackdoor|Enabled-DuplicateToken|Invoke-PsUaCme|Remove-Update|Check-VM|Get-LSASecret|Get-PassHashes|Show-TargetScreen|Port-Scan|Invoke-PoshRatHttp|Invoke-PowerShellTCP|Invoke-PowerShellWMI|Add-Exfiltration|Add-Persistence|Do-Exfiltration|Start-CaptureServer|Get-ChromeDump|Get-ClipboardContents|Get-FoxDump|Get-IndexedItem|Get-Screenshot|Invoke-Inveigh|Invoke-NetRipper|Invoke-EgressCheck|Invoke-PostExfil|Invoke-PSInject|Invoke-RunAs|MailRaider|New-HoneyHash|Set-MacAttribute|Invoke-DCSync|Invoke-PowerDump|Exploit-Jboss|Invoke-ThunderStruck|Invoke-VoiceTroll|Set-Wallpaper|Invoke-InveighRelay|Invoke-PsExec|Invoke-SSHCommand|Get-SecurityPackages|Install-SSP|Invoke-BackdoorLNK|PowerBreach|Get-SiteListPassword|Get-System|Invoke-BypassUAC|Invoke-Tater|Invoke-WScriptBypassUAC|PowerUp|PowerView|Get-RickAstley|Find-Fruit|HTTP-Login|Find-TrustedDocuments|Invoke-Paranoia|Invoke-WinEnum|Invoke-ARPScan|Invoke-PortScan|Invoke-ReverseDNSLookup|Invoke-SMBScanner|Invoke-Mimikittenz|Invoke-SessionGopher|Invoke-AllChecks|Start-Dnscat|Invoke-KrbRelayUp|Invoke-Rubeus|Invoke-Pandemonium|Invoke-Mongoose|Invoke-NETMongoose|Invoke-SecretsDump|Invoke-NTDS|Invoke-SharpRDP|Invoke-Kirby|Invoke-SessionHunter|Invoke-PrintNightmare|Invoke-Monkey365|I
nvoke-AzureHound|Kerberoast|Bloodhound|Sharphound,windows//sentinel//|Get-SystemDriveInfo|Posh-SSH\.(ps1|psm1)|Microsoft System Center
19+
powershell,win_powershell_malicious_cmdlets,T1059.001-Malicious Powershell Commandlets,^(200|400|800|4100|4103|4104)$,Invoke-DllInjection|Invoke-Shellcode|Invoke-WmiCommand|Get-GPPPassword|Get-Keystrokes|Get-TimedScreenshot|Get-VaultCredential|Invoke-CredentialInjection|Invoke-Mimikatz|Invoke-NinjaCopy|Invoke-TokenManipulation|Out-Minidump|VolumeShadowCopyTools|Invoke-ReflectivePEInjection|Invoke-UserHunter|Invoke-ACLScanner|Invoke-DowngradeAccount|Get-ServiceUnquoted|Get-ServiceFilePermission|Get-ServicePermission|Invoke-ServiceAbuse|Install-ServiceBinary|Get-RegAutoLogon|Get-VulnAutoRun|Get-VulnSchTask|Get-UnattendedInstallFile|Get-ApplicationHost|Get-RegAlwaysInstallElevated|Get-Unconstrained|Add-RegBackdoor|Add-ScrnSaveBackdoor|Gupt-Backdoor|Invoke-ADSBackdoor|Enabled-DuplicateToken|Invoke-PsUaCme|Remove-Update|Check-VM|Get-LSASecret|Get-PassHashes|Show-TargetScreen|Port-Scan|Invoke-PoshRatHttp|Invoke-PowerShellTCP|Invoke-PowerShellWMI|Add-Exfiltration|Add-Persistence|Do-Exfiltration|Start-CaptureServer|Get-ChromeDump|Get-ClipboardContents|Get-FoxDump|Get-IndexedItem|Get-Screenshot|Invoke-Inveigh|Invoke-NetRipper|Invoke-EgressCheck|Invoke-PostExfil|Invoke-PSInject|Invoke-RunAs|MailRaider|New-HoneyHash|Set-MacAttribute|Invoke-DCSync|Invoke-PowerDump|Exploit-Jboss|Invoke-ThunderStruck|Invoke-VoiceTroll|Set-Wallpaper|Invoke-InveighRelay|Invoke-PsExec|Invoke-SSHCommand|Get-SecurityPackages|Install-SSP|Invoke-BackdoorLNK|PowerBreach|Get-SiteListPassword|Get-System|Invoke-BypassUAC|Invoke-Tater|Invoke-WScriptBypassUAC|PowerUp|PowerView|Get-RickAstley|Find-Fruit|HTTP-Login|Find-TrustedDocuments|Invoke-Paranoia|Invoke-WinEnum|Invoke-ARPScan|Invoke-PortScan|Invoke-ReverseDNSLookup|Invoke-SMBScanner|Invoke-Mimikittenz|Invoke-SessionGopher|Invoke-AllChecks|Start-Dnscat|Invoke-KrbRelayUp|Invoke-Rubeus|Invoke-Pandemonium|Invoke-Mongoose|Invoke-NETMongoose|Invoke-SecretsDump|Invoke-NTDS|Invoke-SharpRDP|Invoke-Kirby|Invoke-SessionHunter|Invoke-PrintNightmare|Invoke-Monkey365|I
nvoke-AzureHound|Kerberoast|Bloodhound|Sharphound,\\\\windows\\\\sentinel\\\\|Get-SystemDriveInfo|Posh-SSH\.(ps1|psm1)|Microsoft System Center
2020
powershell,win_powershell_tamper_with_windows_defender,T1562.001-Win Defender Disable using Powershell,^(200|400|800|4100|4103|4104)$,Set-MpPreference -DisableRealtimeMonitoring|Set-MpPreference DisableBehaviorMonitoring|Set-MpPreference -DisableScriptScanning|Set-MpPreference -DisableBlockAtFirstSeen|MpPreference -ExclusionPath,
2121
"{Powershell,Security,Sysmon}",win_proxy_hunter,T0884-Connection Proxy,.,"\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}:\d{1,5}:\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5} :\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}:socks",
2222
powershell,win_powershell_tcpsocket^(4103|4104)$,C2-Powershell Socket Connection,^(4103|4104)$,Net\.Sockets\.TCPClient,\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\Downloads\\PSScript_.+\.ps1
2323
powershell,win_powershell_dns,Powershell potential DNS disruption,^(4103|4104)$,Add-DnsClientNrptRule|New-NetRoute|drivers\\etc\\hosts,Microsoft\.PowerShell\.Cmdletization\.MethodParameter
2424
powershell,win_powershell_downgrade,Powershell potential downgrade attack,^(4103|4104)$,-ve*r*s*i*o*n*\s+2|powershell -version,Microsoft Azure AD Sync
2525
powershell,win_powershell_large_b64,Powershell large Base64 blob - IN DEVELOPMENT,^(4103|4104)$,"[a-z0-9+\/]{44,}([a-z0-9+\/]{4}|[a-z0-9+\/]{3}=|[a-z0-9+\/]{2}==)",Microsoft Azure AD Sync|# Remote Desktop Management Localization File|Microsoft System Center 2025|New-remoteConnectorCertificate.ps1
26-
powershell,win_powershell_suspicious_cmdlet,Powershell Suspicious CommandLet - IN DEVELOPMENT,^(4103|4104)$,Add-Exfiltration|Add-Persistence|Add-RegBackdoor|Add-ScrnSaveBackdoor|Check-VM|Do-Exfiltration|Enabled-DuplicateToken|Exploit-Jboss|Find-Fruit|Find-GPOLocation|Find-TrustedDocuments|Get-ApplicationHost|Get-ChromeDump|Get-ClipboardContents|Get-FoxDump|Get-GPPPassword|Get-IndexedItem|Get-Keystrokes|LSASecret|Get-PassHash|Get-RegAlwaysInstallElevated|Get-RegAutoLogon|Get-RickAstley|Get-Screenshot|Get-SecurityPackages|Get-ServiceFilePermission|Get-ServicePermission|Get-ServiceUnquoted|Get-SiteListPassword|Get-System|Get-TimedScreenshot|Get-UnattendedInstallFile|Get-Unconstrained|Get-VaultCredential|Get-VulnAutoRun|Get-VulnSchTask|Gupt-Backdoor|HTTP-Login|Install-SSP|Install-ServiceBinary|Invoke-ACLScanner|Invoke-ADSBackdoor|Invoke-ARPScan|Invoke-AllChecks|Invoke-BackdoorLNK|Invoke-BypassUAC|Invoke-CredentialInjection|Invoke-DCSync|Invoke-DllInjection|Invoke-DowngradeAccount|Invoke-EgressCheck|Invoke-Inveigh|Invoke-InveighRelay|Invoke-Mimikittenz|Invoke-NetRipper|Invoke-NinjaCopy|Invoke-PSInject|Invoke-Paranoia|Invoke-PortScan|Invoke-PoshRat|Invoke-PostExfil|Invoke-PowerDump|Invoke-PowerShellTCP|Invoke-PsExec|Invoke-PsUaCme|Invoke-ReflectivePEInjection|Invoke-ReverseDNSLookup|Invoke-RunAs|Invoke-SMBScanner|Invoke-SSHCommand|Invoke-Service|Invoke-Shellcode|Invoke-Tater|Invoke-ThunderStruck|Invoke-Token|Invoke-UserHunter|Invoke-VoiceTroll|Invoke-WScriptBypassUAC|Invoke-WinEnum|MailRaider|New-HoneyHash|Out-Minidump|Port-Scan|PowerBreach|PowerUp|PowerView|Remove-Update|Set-MacAttribute|Set-Wallpaper|Show-TargetScreen|Start-CaptureServer|VolumeShadowCopyTools|NEEEEWWW|(Computer|User)Property|CachedRDPConnection|get-net\S+|invoke-\S+hunter|Install-Service|get-\S+(credent|password)|remoteps|Kerberos.*(policy|ticket)|netfirewall|Uninstall-Windows|Verb\s+Runas|AmsiBypass|nishang|Invoke-Interceptor|EXEonRemote|NetworkRelay|PowerShelludp|PowerShellIcmp|CreateShortcut|copy-vss
|invoke-dll|invoke-mass|out-shortcut,windows//sentinel//|Microsoft Azure AD Sync|Lenovo.ThinkPad
27-
powershell,win_powershell_suspicious_keywords2,Suspicious Powershell Keywords2 - IN DEVELOPMENT,^(4103|4104)$,bitstransfer|mimik|metasp|AssemblyBuilderAccess|Reflection\.Assembly|shellcode|injection|cnvert|shell\.application|Rc4ByteStream|lsass\.exe|localadmin|LastLoggedOn|hijack|BackupPrivilege|ngrok|comsvcs|backdoor|brute.?force|Port.?Scan|Exfiltration|exploit|DisableRealtimeMonitoring|beacon,windows//sentinel//|Microsoft Azure AD Sync|# Remote Desktop Management Localization File|Microsoft System Center 2025|New-remoteConnectorCertificate.ps1
26+
powershell,win_powershell_suspicious_cmdlet,Powershell Suspicious CommandLet - IN DEVELOPMENT,^(4103|4104)$,Add-Exfiltration|Add-Persistence|Add-RegBackdoor|Add-ScrnSaveBackdoor|Check-VM|Do-Exfiltration|Enabled-DuplicateToken|Exploit-Jboss|Find-Fruit|Find-GPOLocation|Find-TrustedDocuments|Get-ApplicationHost|Get-ChromeDump|Get-ClipboardContents|Get-FoxDump|Get-GPPPassword|Get-IndexedItem|Get-Keystrokes|LSASecret|Get-PassHash|Get-RegAlwaysInstallElevated|Get-RegAutoLogon|Get-RickAstley|Get-Screenshot|Get-SecurityPackages|Get-ServiceFilePermission|Get-ServicePermission|Get-ServiceUnquoted|Get-SiteListPassword|Get-System|Get-TimedScreenshot|Get-UnattendedInstallFile|Get-Unconstrained|Get-VaultCredential|Get-VulnAutoRun|Get-VulnSchTask|Gupt-Backdoor|HTTP-Login|Install-SSP|Install-ServiceBinary|Invoke-ACLScanner|Invoke-ADSBackdoor|Invoke-ARPScan|Invoke-AllChecks|Invoke-BackdoorLNK|Invoke-BypassUAC|Invoke-CredentialInjection|Invoke-DCSync|Invoke-DllInjection|Invoke-DowngradeAccount|Invoke-EgressCheck|Invoke-Inveigh|Invoke-InveighRelay|Invoke-Mimikittenz|Invoke-NetRipper|Invoke-NinjaCopy|Invoke-PSInject|Invoke-Paranoia|Invoke-PortScan|Invoke-PoshRat|Invoke-PostExfil|Invoke-PowerDump|Invoke-PowerShellTCP|Invoke-PsExec|Invoke-PsUaCme|Invoke-ReflectivePEInjection|Invoke-ReverseDNSLookup|Invoke-RunAs|Invoke-SMBScanner|Invoke-SSHCommand|Invoke-Service|Invoke-Shellcode|Invoke-Tater|Invoke-ThunderStruck|Invoke-Token|Invoke-UserHunter|Invoke-VoiceTroll|Invoke-WScriptBypassUAC|Invoke-WinEnum|MailRaider|New-HoneyHash|Out-Minidump|Port-Scan|PowerBreach|PowerUp|PowerView|Remove-Update|Set-MacAttribute|Set-Wallpaper|Show-TargetScreen|Start-CaptureServer|VolumeShadowCopyTools|NEEEEWWW|(Computer|User)Property|CachedRDPConnection|get-net\S+|invoke-\S+hunter|Install-Service|get-\S+(credent|password)|remoteps|Kerberos.*(policy|ticket)|netfirewall|Uninstall-Windows|Verb\s+Runas|AmsiBypass|nishang|Invoke-Interceptor|EXEonRemote|NetworkRelay|PowerShelludp|PowerShellIcmp|CreateShortcut|copy-vss
|invoke-dll|invoke-mass|out-shortcut,\\\\windows\\\\sentinel\\\\|Microsoft Azure AD Sync|Lenovo.ThinkPad
27+
powershell,win_powershell_suspicious_keywords2,Suspicious Powershell Keywords2 - IN DEVELOPMENT,^(4103|4104)$,bitstransfer|mimik|metasp|AssemblyBuilderAccess|Reflection\.Assembly|shellcode|injection|cnvert|shell\.application|Rc4ByteStream|lsass\.exe|localadmin|LastLoggedOn|hijack|BackupPrivilege|ngrok|comsvcs|backdoor|brute.?force|Port.?Scan|Exfiltration|exploit|DisableRealtimeMonitoring|beacon,\\\\windows\\\\sentinel\\\\|Microsoft Azure AD Sync|# Remote Desktop Management Localization File|Microsoft System Center 2025|New-remoteConnectorCertificate.ps1
2828
powershell,win_powershell_encoded_command,Powershell encoded command - IN DEVELOPMENT,^(4103|4104)$,[-]e(nc*o*d*e*d*c*o*m*m*a*n*d*)*\s+[^-],
2929
powershell,win_powershell_hyperv,T1564.006 Hide Artifacts: Run Virtual Instance,^(200|400|800|4100|4103|4104)$,FeatureName:(microsoft-hyper-v|microsoft-hyper-v-Management-clients)|Start-VM|import-vm,
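Review bot: The new exclusion `\\\\windows\\\\sentinel\\\\` on lines 14, 16, 19, 26 and 27 uses four backslashes per path separator, while every other path exclusion in the same rows and in this file uses two (`AppData\\Local\\Temp\\SDIAG_`, `\\ProgramData\\Microsoft\\...`, `C:\\Users\\.+`). Since this column is consumed as a regex, `\\\\` matches two consecutive literal backslashes, so unless the ScriptBlockText field being matched is itself backslash-escaped (for example JSON-encoded), this pattern will never match and the scripts under that directory will keep firing alerts. Please either align it with the rest of the file as `\\windows\\sentinel\\`, or add a comment to the commit noting which log field carries the doubly-escaped form and add a sample event that the exclusion is verified against. A smaller point on an unchanged context line: the rule identifier on line 22, `win_powershell_tcpsocket^(4103|4104)$`, has the event-ID regex fused into the name column, which is worth fixing in a follow-up.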
